From 5782307e7fc1867d8e66ed3e9e89ae26c9cfd3e5 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Sat, 5 Aug 2023 05:51:26 +0000
Subject: [PATCH] fix: apply security best practices by pinning dependencies
---
 .github/workflows/build.yml | 2 +-
 .github/workflows/lint.yml | 6 +++---
 .github/workflows/release.yml | 24 ++++++++++++------------
 .github/workflows/test.yml | 8 ++++----
 Dockerfile | 4 ++--
 5 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index dc84a3976..fd9a38bfa 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,6 +5,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Build Container
 run: make docker
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index aabe9c5d4..e61df4861 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -7,12 +7,12 @@ jobs:
 name: lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 - name: Install Go
- uses: actions/setup-go@v3
+ uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
 with:
 go-version: 1.20.x
 - name: golangci-lint
- uses: golangci/golangci-lint-action@v3
+ uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0
 with:
 args: --timeout 61m0s --verbose
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index aec1418e7..a64e3b739 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
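Review bot: The build.yml pin keeps actions/checkout on the older major (`# v2.7.0`) while lint.yml in this same patch pins the v3 line (`# v3.5.3`), so the commit freezes a stale major instead of aligning the workflows; the same v2.7.0 pin recurs in release.yml (`@@ -19,12`) and test.yml (`@@ -7,12`). Unless something in the Build job depends on v2 behaviour, the line should become `uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3`, the SHA the patch already uses elsewhere. SHA pins only stay current when an updater that reads the trailing `# vX.Y.Z` comment is in place; if the repository has no Dependabot or Renovate configuration covering `github-actions`, it should be added alongside this change, otherwise the pins silently age.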
@@ -10,8 +10,8 @@ jobs:
 release-version: ${{ steps.semantic.outputs.release-version }}
 new-release-published: ${{ steps.semantic.outputs.new-release-published }}
 steps:
- - uses: actions/checkout@v3
- - uses: codfish/semantic-release-action@v1
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ - uses: codfish/semantic-release-action@cbd853afe12037afb1306caca9d6b1ab6a58cf2a # v1.10.0
 id: semantic
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -19,12 +19,12 @@ jobs:
 runs-on: ubuntu-latest
 needs: semantic-release
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Install Go
- uses: actions/setup-go@v3
+ uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
 with:
 go-version: v1.20.x
- - uses: actions/cache@v2
+ - uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
 with:
 path: |
 ~/go/pkg/mod
@@ -37,7 +37,7 @@ jobs:
 env:
 VERSION: v${{ needs.semantic-release.outputs.release-version }}
 - name: Upload binaries to release
- uses: svenstaro/upload-release-action@v2
+ uses: svenstaro/upload-release-action@1beeb572c19a9242f4361f4cee78f8e0d9aec5df # v2
 with:
 repo_token: ${{ secrets.GITHUB_TOKEN }}
 file: ./.release/*
@@ -48,14 +48,14 @@ jobs:
 needs: semantic-release
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 - name: Set version
 # Always use git tags as semantic release can fail due to rate limit
 run: |
 git fetch --prune --unshallow
 echo "RELEASE_VERSION=$(git describe --abbrev=0 --tags | sed -e 's/^v//')" >> $GITHUB_ENV
 - name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@v5
+ uses: elgohr/Publish-Docker-Github-Action@43dc228e327224b2eda11c8883232afd5b34943b # v5
 with:
 name: flanksource/incident-commander
 username: ${{ secrets.DOCKER_USERNAME }}
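Review bot: The trailing comments on the actions/cache, svenstaro/upload-release-action and elgohr/Publish-Docker-Github-Action pins (`# v2`, `# v2`, `# v5` in the `@@ -19,12`, `@@ -37,7` and `@@ -48,14` hunks) name only a major tag, so a reader cannot tell which release the SHA corresponds to and tooling that advances SHA pins by reading that comment has nothing exact to track; the other pins in this patch record the full tag (`# v3.5.3`, `# v1.10.0`), and these should too. Each comment should carry the exact tag the SHA resolves to, in the form `# v<major>.<minor>.<patch>` (value to be looked up from the action's release tags, not guessed). The same `# v2` comment appears on actions/cache in test.yml (`@@ -7,12`). Pinning fixes what code runs when a tag moves, but for the two third-party actions that receive `secrets.GITHUB_TOKEN` and `secrets.DOCKER_USERNAME` the pinned commit itself is the trust decision and should have been read before being frozen here.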
@@ -68,26 +68,26 @@ jobs:
 runs-on: ubuntu-latest
 needs: [semantic-release, docker]
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 - name: Set version
 # Always use git tags as semantic release can fail due to rate limit
 run: |
 git fetch --prune --unshallow
 echo "RELEASE_VERSION=$(git describe --abbrev=0 --tags | sed -e 's/^v//')" >> $GITHUB_ENV
- - uses: actions/checkout@v3
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 with:
 repository: "${{ github.repository_owner }}/mission-control-chart"
 token: ${{ secrets.FLANKBOT }}
 path: ./incident-commander-chart
 - name: Update image tags
- uses: mikefarah/yq@master
+ uses: mikefarah/yq@9b4082919bf50bb6be38742adf46f888e9f5683a # master
 with:
 cmd: yq -i e '.image.tag = "v${{ env.RELEASE_VERSION }}"' incident-commander-chart/chart/values.yaml
 - name: Update CRDs
 run: |
 cp config/crds/* incident-commander-chart/chart/crds/
 - name: Push changes to chart repo
- uses: stefanzweifel/git-auto-commit-action@v4
+ uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # v4.16.0
 with:
 commit_message: "chore: update incident-commander image version to ${{ env.RELEASE_VERSION }}"
 repository: ./incident-commander-chart
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 39e178159..a4b0c839c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,12 +7,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Install Go
- uses: actions/setup-go@v3
+ uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
 with:
 go-version: 1.20.x
 - name: Checkout code
- uses: actions/checkout@v2
- - uses: actions/cache@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
+ - uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
 with:
 path: |
 ~/go/pkg/mod
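Review bot: `uses: mikefarah/yq@9b4082919bf50bb6be38742adf46f888e9f5683a # master` freezes an arbitrary commit of a moving branch rather than a release, so the `# master` comment carries no version and nothing can advance the pin in a reviewable way; the step should pin the commit behind a tagged yq release and record that tag, `uses: mikefarah/yq@<SHA of the tagged release> # v<release>` (both values to be taken from yq's release tags, not guessed). This matters more than the other pins in the file because the yq step rewrites `values.yaml` that the next step then commits to another repository with `secrets.FLANKBOT`, so whatever that commit of yq does runs with write access to the chart repo. The job begins before this hunk, and its last step's `with:` block may continue past the hunk's end.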
@@ -24,7 +24,7 @@ jobs:
 - name: Test
 run: make test
 - name: Publish Unit Test Results
- uses: EnricoMi/publish-unit-test-result-action@v1
+ uses: EnricoMi/publish-unit-test-result-action@b9f6c61d965bcaa18acc02d6daf706373a448f02 # v1.40
 if: always() && github.event.repository.fork == 'false'
 with:
 files: test/test-results.xml
diff --git a/Dockerfile b/Dockerfile
index e1dae41f5..191a79844 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.20 as builder
+FROM golang:1.20@sha256:bc5f0b5e43282627279fe5262ae275fecb3d2eae3b33977a7fd200c7a760d6f1 as builder
 WORKDIR /app
 ARG VERSION
@@ -8,7 +8,7 @@ RUN go mod download
 COPY ./ ./
 RUN make build
-FROM ubuntu:jammy
+FROM ubuntu:jammy@sha256:0bced47fffa3361afa981854fcabcd4577cd43cebbb808cea2b1f33a3dd7f508
 WORKDIR /app
 COPY --from=builder /app/.bin/incident-commander /app
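Review bot: With `FROM golang:1.20@sha256:bc5f0b5e…` the digest is authoritative and the `1.20` tag becomes purely informational, so this builder image — and the `ubuntu:jammy` runtime base pinned the same way in the `@@ -8,7` hunk — will no longer pick up the image maintainers' patch rebuilds until someone bumps the digest explicitly; the pin gives reproducibility only if paired with an updater for Docker digests (Dependabot `package-ecosystem: docker` or Renovate), which should be confirmed present or added in this change. A one-line comment above each pinned FROM keeps that intent from being lost on the next edit: `# Digest-pinned base image; advance the digest through the dependency updater, not by hand`. Style nit on the same line: `as builder` should be `AS builder` to match the upper-case instructions around it (recent BuildKit build checks warn on mismatched FROM/AS casing).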