diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index d6653141c84..9eb86f456dd 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -16,7 +16,7 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./tools/github-actions/setup-deps # Generate the install manifests first so it can checked # for errors while running `make -k lint` @@ -27,28 +27,28 @@ jobs: gen-check: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./tools/github-actions/setup-deps - run: make -k gen-check license-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./tools/github-actions/setup-deps - run: make -k licensecheck coverage-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./tools/github-actions/setup-deps # test - name: Run Coverage Tests run: make go.test.coverage - name: Upload coverage to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 with: fail_ci_if_error: true files: ./coverage.xml @@ -59,14 +59,14 @@ jobs: runs-on: ubuntu-latest needs: [lint, gen-check, license-check, coverage-test] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./tools/github-actions/setup-deps - name: Build EG Multiarch Binaries run: make build-multiarch PLATFORMS="linux_amd64 linux_arm64" - name: Upload EG Binaries - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: envoy-gateway path: bin/ 
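Review bot: Each pinned `uses:` line in this hunk, and in every other hunk of this diff, now carries a trailing `# v4.1.1`-style comment that nothing in the diff validates, so the SHA and the comment can drift apart at the next update and a reader who trusts the comment would not notice. If Dependabot or Renovate is not already configured for the `github-actions` ecosystem, enabling it would bump the SHA and the version comment together; otherwise a check in the `lint` job that resolves each `uses:` SHA and compares it with the tag named in its comment would keep the two honest. The move from mutable tags such as `@v4` to full commit SHAs is the right call, since a tag can be repointed by the action's maintainer or by a compromised maintainer account while a commit SHA cannot.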
@@ -78,11 +78,11 @@ jobs: matrix: version: [ v1.27.3, v1.28.0, v1.29.0 ] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries - uses: actions/download-artifact@v4 + uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 with: name: envoy-gateway path: bin/ @@ -106,11 +106,11 @@ jobs: matrix: version: [ v1.27.3, v1.28.0, v1.29.0 ] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries - uses: actions/download-artifact@v4 + uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 with: name: envoy-gateway path: bin/ @@ -131,11 +131,11 @@ jobs: runs-on: ubuntu-latest needs: [conformance-test, e2e-test] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries - uses: actions/download-artifact@v4 + uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 with: name: envoy-gateway path: bin/ @@ -148,7 +148,7 @@ jobs: # build and push image - name: Login to DockerHub if: github.event_name == 'push' - uses: docker/login-action@v3 + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} diff --git a/.github/workflows/cherrypick.yaml b/.github/workflows/cherrypick.yaml index 073cddc7979..967b025b891 100644 --- a/.github/workflows/cherrypick.yaml +++ b/.github/workflows/cherrypick.yaml 
@@ -12,11 +12,11 @@ jobs: if: ${{ contains(github.event.pull_request.labels.*.name, 'cherrypick/release-v0.6') && github.event.pull_request.merged == true }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Cherry pick into release/v0.6 - uses: carloscastrojumo/github-cherry-pick-action@v1.0.9 + uses: carloscastrojumo/github-cherry-pick-action@a145da1b8142e752d3cbc11aaaa46a535690f0c5 # v1.0.9 with: branch: release/v0.6 title: "[release/v0.6] {old_title}" diff --git a/.github/workflows/command.yaml b/.github/workflows/command.yaml index 33b614d4d19..99527951ac5 100644 --- a/.github/workflows/command.yaml +++ b/.github/workflows/command.yaml @@ -22,7 +22,7 @@ jobs: pull-requests: write actions: write steps: - - uses: envoyproxy/toolshed/gh-actions/github/command@actions-v0.2.18 + - uses: envoyproxy/toolshed/gh-actions/github/command@0c093e23192533019cf131e0016adb0ac73adc97 # actions-v0.2.18 name: Parse command from comment id: command with: @@ -31,7 +31,7 @@ jobs: ^/(retest) # retest - - uses: envoyproxy/toolshed/gh-actions/retest@actions-v0.2.20 + - uses: envoyproxy/toolshed/gh-actions/retest@6b3ddd1e42c252d68fb98973760c0ee1943c9c21 # actions-v0.2.20 if: ${{ steps.command.outputs.command == 'retest' }} with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 20c3013dbba..40c5a4ef245 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml 
@@ -18,12 +18,12 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.pull_request.head.sha }} - name: Run markdown linter - uses: nosborn/github-action-markdown-cli@v3.3.0 + uses: nosborn/github-action-markdown-cli@9b5e871c11cc0649c5ac2526af22e23525fa344d # v3.3.0 with: files: site/content/* config_file: ".github/markdown_lint_config.json" @@ -35,19 +35,19 @@ jobs: contents: write steps: - name: Git checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true ref: ${{ github.event.pull_request.head.sha }} - name: Setup Hugo - uses: peaceiris/actions-hugo@v2 + uses: peaceiris/actions-hugo@16361eb4acea8698b220b76c0d4e84e1fd22c61d # v2.6.0 with: hugo-version: 'latest' extended: true - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.1.0 with: node-version: '18' @@ -56,7 +56,7 @@ jobs: # Upload docs for GitHub Pages - name: Upload GitHub Pages artifact - uses: actions/upload-pages-artifact@v3.0.0 + uses: actions/upload-pages-artifact@0252fc4ba7626f0298f0cf00902a25c6afc77fa8 # v3.0.0 with: # Path of the directory containing the static assets. path: site/public @@ -83,4 +83,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4.0.2 + uses: actions/deploy-pages@7a9bd943aa5e5175aeb8502edcc6c1c02d398e10 # v4.0.2 diff --git a/.github/workflows/experimental_conformance.yaml b/.github/workflows/experimental_conformance.yaml index 028681e3313..a5825dbdcb8 100644 --- a/.github/workflows/experimental_conformance.yaml +++ b/.github/workflows/experimental_conformance.yaml 
@@ -17,7 +17,7 @@ jobs: matrix: version: [ v1.26.6, v1.27.3, v1.28.0 ] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./tools/github-actions/setup-deps # gateway api experimental conformance @@ -29,7 +29,7 @@ jobs: run: make experimental-conformance - name: Upload Conformance Report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: conformance-report-k8s-${{ matrix.version }} path: ./test/conformance/conformance-report-k8s-${{ matrix.version }}.yaml diff --git a/.github/workflows/issue-comment.yaml b/.github/workflows/issue-comment.yaml index fb8655fa5ad..bca22129e19 100644 --- a/.github/workflows/issue-comment.yaml +++ b/.github/workflows/issue-comment.yaml @@ -15,7 +15,7 @@ jobs: issues: write pull-requests: write steps: - - uses: jpmcb/prow-github-actions@v1.1.3 + - uses: jpmcb/prow-github-actions@f4d01dd4b13f289014c23fe5a19878a2479cb35b # v1.1.3 with: prow-commands: '/assign /unassign diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index f261e061786..4dfd0611e08 100644 --- a/.github/workflows/latest_release.yaml +++ b/.github/workflows/latest_release.yaml @@ -11,7 +11,7 @@ jobs: latest-release: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./tools/github-actions/setup-deps - name: Generate Release Manifests @@ -50,7 +50,7 @@ jobs: GITHUB_REPOSITORY: ${{ github.repository_owner }}/${{ github.event.repository.name }} - name: Recreate the Latest Release and Tag - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 with: draft: false prerelease: true diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 3879d6dd036..cff6ad59d56 100644 --- a/.github/workflows/release.yaml 
+++ b/.github/workflows/release.yaml @@ -9,7 +9,7 @@ jobs: release: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Extract Release Tag and Commit SHA id: vars @@ -19,7 +19,7 @@ jobs: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} @@ -34,7 +34,7 @@ jobs: run: OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=${{ env.release_tag }} IMAGE=docker.io/envoyproxy/gateway TAG=${{ env.release_tag }} make helm-package helm-push - name: Upload Release Manifests - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 with: files: | release-artifacts/install.yaml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 00000000000..8c4bb04b2ba --- /dev/null +++ b/.github/workflows/scorecard.yml 
@@ -0,0 +1,45 @@
+name: Scorecard supply-chain security
+on:
+ branch_protection_rule:
+ schedule:
+ - cron: '33 13 * * 5'
+ push:
+ branches:
+ - "main"
+
+permissions:
+ contents: read
+
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-22.04
+ permissions:
+ security-events: write
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index f13fbcbec0e..2cf20bea925 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -15,7 +15,7 @@ jobs: steps: - name: Prune Stale - uses: actions/stale@v9 + uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} # Different amounts of days for issues/PRs are not currently supported but there is a PR
diff --git a/README.md b/README.md
index 16afa3784a9..dec6d31280f 100644
--- a/README.md
+++ b/README.md
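Review bot: The new scorecard workflow pins `actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0` while build_and_test.yaml and experimental_conformance.yaml in this same diff pin the same action at `c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0`, so the repository now tracks two majors of one action and every future bump has to touch both pins. Unless the v3 pin from the OSSF starter template is wanted deliberately, aligning it with the v4.0.0 SHA used elsewhere leaves one pin per action. The job-level `security-events: write` and `id-token: write` grants are the only write permissions in an otherwise read-only workflow, so a one-line comment above each stating why it is needed — e.g. `# id-token: write — presumably required by scorecard-action for publish_results: true; confirm against the action's README` — would stop a later reader from trimming them or, conversely, copying them into workflows that do not need them. `persist-credentials: false` on the checkout is the right choice, since none of the later steps reads the token from `.git/config`.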
@@ -1,5 +1,6 @@ # Envoy Gateway +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/envoyproxy/gateway/badge)](https://api.securityscorecards.dev/projects/github.com/envoyproxy/gateway) [![Build and Test](https://github.com/envoyproxy/gateway/actions/workflows/build_and_test.yaml/badge.svg)](https://github.com/envoyproxy/gateway/actions/workflows/build_and_test.yaml) [![codecov](https://codecov.io/gh/envoyproxy/gateway/branch/main/graph/badge.svg)](https://codecov.io/gh/envoyproxy/gateway) diff --git a/site/content/en/latest/contributions/RELEASING.md b/site/content/en/latest/contributions/RELEASING.md index f81d5be457d..50d2db76abd 100644 --- a/site/content/en/latest/contributions/RELEASING.md +++ b/site/content/en/latest/contributions/RELEASING.md @@ -84,11 +84,11 @@ Configuration looks like following: if: ${{ contains(github.event.pull_request.labels.*.name, 'cherrypick/release-v0.4') && github.event.pull_request.merged == true }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Cherry pick into release/v0.4 - uses: carloscastrojumo/github-cherry-pick-action@v1.0.9 + uses: carloscastrojumo/github-cherry-pick-action@a145da1b8142e752d3cbc11aaaa46a535690f0c5 # v1.0.9 with: branch: release/v0.4 title: "[release/v0.4] {old_title}" diff --git a/site/content/en/v0.2.0/contributions/RELEASING.md b/site/content/en/v0.2.0/contributions/RELEASING.md index 013707d4569..eb566306141 100644 --- a/site/content/en/v0.2.0/contributions/RELEASING.md +++ b/site/content/en/v0.2.0/contributions/RELEASING.md 
@@ -84,11 +84,11 @@ Configuration looks like following: if: ${{ contains(github.event.pull_request.labels.*.name, 'cherrypick/release-v0.4') && github.event.pull_request.merged == true }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Cherry pick into release/v0.4 - uses: carloscastrojumo/github-cherry-pick-action@v1.0.9 + uses: carloscastrojumo/github-cherry-pick-action@a145da1b8142e752d3cbc11aaaa46a535690f0c5 # v1.0.9 with: branch: release/v0.4 title: "[release/v0.4] {old_title}" diff --git a/site/content/en/v0.3.0/contributions/RELEASING.md b/site/content/en/v0.3.0/contributions/RELEASING.md index 013707d4569..eb566306141 100644 --- a/site/content/en/v0.3.0/contributions/RELEASING.md +++ b/site/content/en/v0.3.0/contributions/RELEASING.md @@ -84,11 +84,11 @@ Configuration looks like following: if: ${{ contains(github.event.pull_request.labels.*.name, 'cherrypick/release-v0.4') && github.event.pull_request.merged == true }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Cherry pick into release/v0.4 - uses: carloscastrojumo/github-cherry-pick-action@v1.0.9 + uses: carloscastrojumo/github-cherry-pick-action@a145da1b8142e752d3cbc11aaaa46a535690f0c5 # v1.0.9 with: branch: release/v0.4 title: "[release/v0.4] {old_title}" diff --git a/site/content/en/v0.4.0/contributions/RELEASING.md b/site/content/en/v0.4.0/contributions/RELEASING.md index 013707d4569..eb566306141 100644 --- a/site/content/en/v0.4.0/contributions/RELEASING.md +++ b/site/content/en/v0.4.0/contributions/RELEASING.md 
@@ -84,11 +84,11 @@ Configuration looks like following: if: ${{ contains(github.event.pull_request.labels.*.name, 'cherrypick/release-v0.4') && github.event.pull_request.merged == true }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Cherry pick into release/v0.4 - uses: carloscastrojumo/github-cherry-pick-action@v1.0.9 + uses: carloscastrojumo/github-cherry-pick-action@a145da1b8142e752d3cbc11aaaa46a535690f0c5 # v1.0.9 with: branch: release/v0.4 title: "[release/v0.4] {old_title}" diff --git a/site/content/en/v0.5.0/contributions/RELEASING.md b/site/content/en/v0.5.0/contributions/RELEASING.md index f5ec7954f27..f84f711b068 100644 --- a/site/content/en/v0.5.0/contributions/RELEASING.md +++ b/site/content/en/v0.5.0/contributions/RELEASING.md @@ -84,11 +84,11 @@ Configuration looks like following: if: ${{ contains(github.event.pull_request.labels.*.name, 'cherrypick/release-v0.4') && github.event.pull_request.merged == true }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Cherry pick into release/v0.4 - uses: carloscastrojumo/github-cherry-pick-action@v1.0.9 + uses: carloscastrojumo/github-cherry-pick-action@a145da1b8142e752d3cbc11aaaa46a535690f0c5 # v1.0.9 with: branch: release/v0.4 title: "[release/v0.4] {old_title}" diff --git a/site/content/en/v0.6.0/contributions/RELEASING.md b/site/content/en/v0.6.0/contributions/RELEASING.md index f81d5be457d..50d2db76abd 100644 --- a/site/content/en/v0.6.0/contributions/RELEASING.md +++ b/site/content/en/v0.6.0/contributions/RELEASING.md 
@@ -84,11 +84,11 @@ Configuration looks like following: if: ${{ contains(github.event.pull_request.labels.*.name, 'cherrypick/release-v0.4') && github.event.pull_request.merged == true }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Cherry pick into release/v0.4 - uses: carloscastrojumo/github-cherry-pick-action@v1.0.9 + uses: carloscastrojumo/github-cherry-pick-action@a145da1b8142e752d3cbc11aaaa46a535690f0c5 # v1.0.9 with: branch: release/v0.4 title: "[release/v0.4] {old_title}"