diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index db0d71ee53..a176e1e0bf 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -28,34 +28,34 @@ jobs: image_digest: ${{ steps.build-push.outputs.digest }} steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: ref: ${{ inputs.tag != '' && format('refs/tags/v{0}', inputs.tag) || github.ref }} fetch-depth: 0 - name: Fetch Cached Artifacts - uses: actions/cache@v3 + uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11 with: path: ${{ github.workspace }}/dist key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }}-multi - name: Setup QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0 with: platforms: arm,arm64,ppc64le,s390x if: github.event_name != 'pull_request' - name: Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1 - name: DockerHub Login - uses: docker/login-action@v2 + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} if: github.event_name != 'pull_request' - name: Login to GitHub Container Registry - uses: docker/login-action@v2 + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -63,7 +63,7 @@ jobs: if: github.event_name != 'pull_request' - name: Login to Public ECR - uses: docker/login-action@v2 + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 with: registry: public.ecr.aws username: ${{ secrets.AWS_ACCESS_KEY_ID }} 
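Review bot: Nothing in the workflow ties the trailing `# v3.1.0`-style comment to the 40-hex SHA on the same `uses:` line, so the comment is documentation only and a wrong one would go unnoticed; at review time confirm that each SHA is the commit the named tag currently resolves to, since tags are mutable and the SHA is the actual pin. Keep the `uses: owner/repo@<sha> # vX.Y.Z` shape consistent, because Dependabot updates the comment together with the SHA only when it recognises that form; the `aquasecurity/trivy-action` line correctly omits the `v` since that project's tags have none. The same pin-to-SHA change repeats in every other hunk of this file, in build-plus.yml and in updates-notification.yml, so this note applies there as well.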
@@ -71,7 +71,7 @@ jobs: if: github.event_name != 'pull_request' - name: Login to Quay.io - uses: docker/login-action@v2 + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} @@ -88,7 +88,7 @@ jobs: - name: Docker meta id: meta - uses: docker/metadata-action@v4 + uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea # v4.1.1 with: images: | name=nginx/nginx-ingress @@ -118,7 +118,7 @@ jobs: io.artifacthub.package.keywords=kubernetes,ingress,nginx,controller - name: Build Docker image - uses: docker/build-push-action@v3 + uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0 id: build-push with: file: build/Dockerfile @@ -138,7 +138,7 @@ jobs: IC_VERSION=${{ github.event_name == 'pull_request' && 'CI' || steps.meta.outputs.version }} - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.8.0 + uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # 0.8.0 continue-on-error: true with: image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }} @@ -147,13 +147,13 @@ jobs: ignore-unfixed: 'true' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@678fc3afe258fb2e0cdc165ccf77b85719de7b3c # v2.1.33 continue-on-error: true with: sarif_file: 'trivy-results-${{ inputs.image }}.sarif' - name: Upload Scan Results - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 continue-on-error: true with: name: 'trivy-results-${{ inputs.image }}.sarif' diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index ecd60fc951..d6c321ba54 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml 
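Review bot: build-oss.yml receives no `permissions:` block in this change even though build-plus.yml does, and the `Upload Trivy scan results to GitHub Security tab` step in the last hunk here needs `security-events: write`; if the repository or organisation default token is (or later becomes) read-only, that upload fails, and the step's `continue-on-error: true` keeps the job green so the loss of SARIF results is silent. Unless the block exists outside these hunks, the job should declare `permissions:` with `contents: read` and `security-events: write`, plus `packages: write` if the GHCR login in the first hunk of this file authenticates with `GITHUB_TOKEN` (its password line is not visible here). The enclosing job mapping starts outside this hunk.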
@@ -20,32 +20,38 @@ defaults: run: shell: bash +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + jobs: build: + permissions: + contents: read # for docker/build-push-action to read repo content + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-22.04 steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: fetch-depth: 0 - name: Fetch Cached Artifacts - uses: actions/cache@v3 + uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11 with: path: ${{ github.workspace }}/dist key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }}-multi - name: Setup QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0 with: platforms: arm64 if: github.event_name != 'pull_request' - name: Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1 - name: GCR Login - uses: docker/login-action@v2 + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 with: registry: gcr.io username: _json_key @@ -53,7 +59,7 @@ jobs: if: github.event_name != 'pull_request' - name: Login to ECR - uses: docker/login-action@v2 + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 with: registry: 709825985650.dkr.ecr.us-east-1.amazonaws.com username: ${{ secrets.AWS_ACCESS_KEY_ID }} @@ -62,7 +68,7 @@ jobs: - name: Docker meta id: meta - uses: docker/metadata-action@v4 + uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea # v4.1.1 with: images: | name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}/nginx-plus-ingress 
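Review bot: The comment on the job-level `contents: read` attributes the need to docker/build-push-action, but the step that uses the token to read the repository is `actions/checkout` a few lines below; build-push-action in this file builds from the already checked-out workspace (`context: '.'` in a later hunk) rather than cloning with `GITHUB_TOKEN`. Suggest `contents: read # for actions/checkout to clone the repository`. It is also worth saying in the comment that a job-level `permissions` mapping replaces the workflow-level one rather than merging with it, so the job's list must be complete on its own — it is for the steps visible here (checkout, cache, buildx, registry logins via secrets, upload-sarif). The `jobs:` mapping continues past the end of this hunk.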
@@ -94,7 +100,7 @@ jobs: if: ${{ inputs.nap_modules != '' }} - name: Build Plus Docker image - uses: docker/build-push-action@v3 + uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0 with: file: build/Dockerfile context: '.' @@ -120,7 +126,7 @@ jobs: ${{ inputs.nap_modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} - name: Load image for Trivy - uses: docker/build-push-action@v3 + uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0 with: file: build/Dockerfile context: '.' @@ -140,7 +146,7 @@ jobs: ${{ inputs.nap_modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.8.0 + uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # 0.8.0 continue-on-error: true with: image-ref: docker.io/${{ inputs.image }}:${{ steps.meta.outputs.version }} @@ -149,13 +155,13 @@ jobs: ignore-unfixed: 'true' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@678fc3afe258fb2e0cdc165ccf77b85719de7b3c # v2.1.33 continue-on-error: true with: sarif_file: 'trivy-results-${{ inputs.image }}.sarif' - name: Upload Scan Results - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 continue-on-error: true with: name: 'trivy-results-${{ inputs.image }}.sarif' diff --git a/.github/workflows/updates-notification.yml b/.github/workflows/updates-notification.yml index 70129cf808..12bab1fe64 100644 --- a/.github/workflows/updates-notification.yml +++ b/.github/workflows/updates-notification.yml 
@@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: ref: ${{ inputs.sha_long }} - name: Get variables for Slack @@ -36,7 +36,7 @@ jobs: echo "date=$(date +%s)" >> $GITHUB_OUTPUT echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT - name: Send Notification - uses: 8398a7/action-slack@v3 + uses: 8398a7/action-slack@a189acbf0b7ea434558662ae25a0de71df69a435 # v3.14.0 with: status: custom custom_payload: |