4 changes: 2 additions & 2 deletions .github/actions/deploy-keptn-on-cluster/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,15 +30,15 @@
using: "composite"
steps:
- name: Set up Go 1.x
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
with:
go-version: ${{ env.GO_VERSION }}
cache: true
cache-dependency-path: '**/go.sum'
check-latest: true

- name: Download artifacts
uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
path: ~/download/artifacts
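Review bot: actions/download-artifact jumps four majors here (v4 to v8), while the upload side in the workflows moves to actions/upload-artifact v7.0.0, and the import loop in the next hunk depends on the extracted layout (`kind load image-archive $image/$image`, that is, one directory per artifact under `~/download/artifacts`). Please confirm with a run of the e2e or integration workflow that v8 still extracts each artifact into a directory named after it when no `name` is given, and that artifacts written by upload-artifact v7 are readable by download-artifact v8; a layout change would break the `$image/$image` path.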

Expand All @@ -57,7 +57,7 @@
for image in $(ls | grep image.tar);
do
echo "Importing image: $image"
kind load image-archive $image/$image -n ${{ inputs.cluster-name }}

Check failure on line 60 in .github/actions/deploy-keptn-on-cluster/action.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

inputs.cluster-name is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this action to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=keptn_lifecycle-toolkit&issues=AZ0nRCAJWQuldiv-AKCZ&open=AZ0nRCAJWQuldiv-AKCZ&pullRequest=3919
done

- name: Install cert-manager.io
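Review bot: the `kind load image-archive $image/$image -n ${{ inputs.cluster-name }}` line is untouched by this PR, but the SonarCloud failure on it is valid and cheap to clear while the file is open: the `${{ }}` expression is expanded into the script text before the shell parses it, so the input value becomes part of the script. Add `CLUSTER_NAME: ${{ inputs.cluster-name }}` under the step's `env:` and use `-n "$CLUSTER_NAME"`. In the same loop, `$image` is unquoted and comes from `$(ls | grep image.tar)`; a glob such as `for image in *image.tar*` with `"$image/$image"` avoids word splitting.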
Expand Down Expand Up @@ -98,8 +98,8 @@

cd .github/actions/deploy-keptn-on-cluster

export TAG=${{ inputs.runtime_tag }}

Check failure on line 101 in .github/actions/deploy-keptn-on-cluster/action.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

inputs.runtime_tag is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this action to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=keptn_lifecycle-toolkit&issues=AZmsUylCAom4jasxQoOC&open=AZmsUylCAom4jasxQoOC&pullRequest=3919
envsubst < values/${{ inputs.values-file }} > tmp.yaml

Check failure on line 102 in .github/actions/deploy-keptn-on-cluster/action.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

inputs.values-file is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this action to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=keptn_lifecycle-toolkit&issues=AZ0nRCAJWQuldiv-AKCa&open=AZ0nRCAJWQuldiv-AKCa&pullRequest=3919

echo "installing with values.yaml file:"
cat tmp.yaml
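Review bot: `export TAG=${{ inputs.runtime_tag }}` and `envsubst < values/${{ inputs.values-file }} > tmp.yaml` have the same expression-in-script problem that SonarCloud flags. Map both inputs in the step's `env:` block (for example `TAG: ${{ inputs.runtime_tag }}` and `VALUES_FILE: ${{ inputs.values-file }}`) and reference `"values/$VALUES_FILE"` quoted; with `TAG` set through `env:` the `export` line is no longer needed for envsubst to see it. Because `values-file` is used as a path component, also reject values containing `/` so the read stays inside `values/`.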
26 changes: 13 additions & 13 deletions .github/workflows/CI.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
- ".github/actions/spelling/*"

# Declare default permissions as read only.
permissions: read-all

Check warning on line 20 in .github/workflows/CI.yaml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Replace "read-all" with specific permissions (e.g., "contents: read").

See more on https://sonarcloud.io/project/issues?id=keptn_lifecycle-toolkit&issues=AZu1slSdcGEomHMuCdDK&open=AZu1slSdcGEomHMuCdDK&pullRequest=3919

env:
GO_VERSION: "~1.23"
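Review bot: the comment says read only, but `permissions: read-all` gives the token read access to every scope, which is more than the jobs visible here show a need for. Set the top-level block to `contents: read` and add any further scopes on the individual jobs that need them, which also clears the SonarCloud warning repeated on the other workflow files in this PR.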
Expand All @@ -42,7 +42,7 @@

steps:
- name: Check out code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Extract branch name
id: extract_branch
Expand Down Expand Up @@ -88,10 +88,10 @@
folder: "keptn-cert-manager/"
steps:
- name: Check out code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Set up Go 1.x
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
with:
go-version: ${{ env.GO_VERSION }}
cache: true
Expand All @@ -103,7 +103,7 @@
run: make unit-test

- name: Report code coverage
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5.5.3
with:
flags: ${{ matrix.config.name }}
token: ${{ secrets.CODECOV_TOKEN }}
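Review bot: codecov/codecov-action crosses a major version (v4.6.0 to v5.5.3) on a step that receives `secrets.CODECOV_TOKEN`. The hunk only shows `flags` and `token`; please check the remaining `with:` keys of this step (and of the identical step in component-test.yml) against the v5 input names, since an unrecognised input only produces a warning in the log and a renamed input would not fail the job.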
Expand Down Expand Up @@ -135,21 +135,21 @@
folder: "keptn-cert-manager/"
steps:
- name: Check out code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Cache build tools
id: cache-build-tools
uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
with:
path: ./${{ matrix.config.folder }}bin
key: build-tools-${{ github.ref_name }}

- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4

- name: Build Docker Image
uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with:
context: ${{ matrix.config.folder }}
platforms: linux/amd64,linux/arm64
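Review bot: the version comments in this hunk are uneven: `actions/cache@... # v5` and `docker/setup-buildx-action@... # v4` name only the major, while `docker/build-push-action@... # v7.0.0` and `actions/checkout@... # v6.0.2` name the exact release. The SHA is what runs and the comment is the only human-readable claim about it, so please write the full release tag on every pin so a reviewer can check each SHA against its tag.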
Expand All @@ -168,7 +168,7 @@
outputs: type=oci,dest=/tmp/${{ matrix.config.name }}-image.tar

- name: Upload image as artifact
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: ${{ matrix.config.name }}-image.tar
path: /tmp/${{ matrix.config.name }}-image.tar
Expand All @@ -184,7 +184,7 @@
run: echo "" > tag

- name: Upload tag for tests
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: dev-${{ env.DATETIME }}
path: tag
Expand Down Expand Up @@ -281,10 +281,10 @@
runs-on: ubuntu-24.04
steps:
- name: Check out keptn repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Check out helm-charts repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: 'keptn/lifecycle-toolkit-charts'
path: ./helm-charts-repository
Expand All @@ -306,7 +306,7 @@
run: rsync -av --delete --exclude='charts/*.tgz' ./${{ matrix.config.path }}/ ./helm-charts-repository/charts/${{ matrix.config.name }}/

- name: Create Pull Request
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
with:
token: ${{ secrets.KEPTN_BOT_TOKEN }}
path: ./helm-charts-repository
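Review bot: peter-evans/create-pull-request goes from v7.0.5 to v8.1.0 on the step that is handed `secrets.KEPTN_BOT_TOKEN`. For a third-party action that receives a bot token, please link the upstream changelog or the compare view between the two pinned SHAs in the PR description and confirm that the `with:` inputs used here are unchanged in v8, rather than merging on the version comment alone.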
6 changes: 3 additions & 3 deletions .github/workflows/component-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
required: false

# Declare default permissions as read only.
permissions: read-all

Check warning on line 9 in .github/workflows/component-test.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Replace "read-all" with specific permissions (e.g., "contents: read").

See more on https://sonarcloud.io/project/issues?id=keptn_lifecycle-toolkit&issues=AZu1slT8cGEomHMuCdDM&open=AZu1slT8cGEomHMuCdDM&pullRequest=3919

env:
GO_VERSION: "~1.23"
Expand All @@ -19,10 +19,10 @@
runs-on: ubuntu-24.04
steps:
- name: Check out code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Set up Go 1.x
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
with:
go-version: ${{ env.GO_VERSION }}
cache: true
Expand All @@ -34,7 +34,7 @@
run: make component-test

- name: Report code coverage
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5.5.3
with:
flags: component-tests
token: ${{ secrets.CODECOV_TOKEN }}
4 changes: 2 additions & 2 deletions .github/workflows/e2e-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
required: true

# Declare default permissions as read only.
permissions: read-all

Check warning on line 11 in .github/workflows/e2e-test.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Replace "read-all" with specific permissions (e.g., "contents: read").

See more on https://sonarcloud.io/project/issues?id=keptn_lifecycle-toolkit&issues=AZu1slZBcGEomHMuCdDU&open=AZu1slZBcGEomHMuCdDU&pullRequest=3919

env:
GO_VERSION: "~1.23"
Expand All @@ -27,7 +27,7 @@
folder: "lifecycle-operator/"
steps:
- name: Check out code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Setup cluster
uses: ./.github/actions/deploy-keptn-on-cluster
Expand All @@ -45,7 +45,7 @@

- name: Upload ${{ matrix.config.name }} cluster logs
if: always()
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: logs-e2e-tests-${{ matrix.config.name }}
path: .github/scripts/logs
6 changes: 3 additions & 3 deletions .github/workflows/golangci-lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
- "!docs/**"

# Declare default permissions as read only.
permissions: read-all

Check warning on line 20 in .github/workflows/golangci-lint.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Replace "read-all" with specific permissions (e.g., "contents: read").

See more on https://sonarcloud.io/project/issues?id=keptn_lifecycle-toolkit&issues=AZu1slafcGEomHMuCdDZ&open=AZu1slafcGEomHMuCdDZ&pullRequest=3919

env:
# renovate: datasource=github-releases depName=golangci/golangci-lint
Expand All @@ -39,15 +39,15 @@
folder: "keptn-cert-manager/"
steps:
- name: Check out code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
- uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
with:
go-version: ${{ env.GO_VERSION }}
check-latest: true

- name: golangci-lint
uses: golangci/golangci-lint-action@4696ba8babb6127d732c3c6dde519db15edab9ea # v6
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
with:
working-directory: ${{ matrix.config.folder }}
version: ${{ env.GOLANGCI_LINT_VERSION }}
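Review bot: golangci/golangci-lint-action skips three majors (v6 to v9), and the linter it installs is chosen by `version: ${{ env.GOLANGCI_LINT_VERSION }}`, whose value is outside this hunk. From v7 on the action targets golangci-lint v2, so please confirm that the pinned GOLANGCI_LINT_VERSION is a v2 release and that the repository's golangci config has been migrated; otherwise this job is likely to fail on the first run after merge.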
4 changes: 2 additions & 2 deletions .github/workflows/htmltest.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
- 'docs/**'

# Declare default permissions as read only.
permissions: read-all

Check warning on line 18 in .github/workflows/htmltest.yaml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Replace "read-all" with specific permissions (e.g., "contents: read").

See more on https://sonarcloud.io/project/issues?id=keptn_lifecycle-toolkit&issues=AZu1slZZcGEomHMuCdDV&open=AZu1slZZcGEomHMuCdDV&pullRequest=3919

jobs:
htmltest:
Expand All @@ -25,13 +25,13 @@
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
submodules: true
fetch-depth: 0

- name: Cache HTMLTest packages
uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
with:
path: |
tmp/.htmltest
4 changes: 2 additions & 2 deletions .github/workflows/integration-test-component.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
required: true

# Declare default permissions as read only.
permissions: read-all

Check warning on line 15 in .github/workflows/integration-test-component.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Replace "read-all" with specific permissions (e.g., "contents: read").

See more on https://sonarcloud.io/project/issues?id=keptn_lifecycle-toolkit&issues=AZu1slbicGEomHMuCdDc&open=AZu1slbicGEomHMuCdDc&pullRequest=3919

env:
GO_VERSION: "~1.23"
Expand All @@ -26,7 +26,7 @@
runs-on: ubuntu-24.04
steps:
- name: Check out code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Setup cluster
uses: ./.github/actions/deploy-keptn-on-cluster
Expand All @@ -42,7 +42,7 @@

- name: Run Integration Tests ${{ inputs.type }}
working-directory: .
run: make integration-test-${{ inputs.type }}

Check failure on line 45 in .github/workflows/integration-test-component.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

inputs.type is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=keptn_lifecycle-toolkit&issues=AZmsUykzAom4jasxQoOB&open=AZmsUykzAom4jasxQoOB&pullRequest=3919

- name: Create reports
if: failure()
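Review bot: `run: make integration-test-${{ inputs.type }}` places the input in the script text, as SonarCloud reports; the uses in the step `name:` and the artifact `name:` are not shell and are fine. Pass it as `TEST_TYPE: ${{ inputs.type }}` under the step's `env:` and run `make "integration-test-$TEST_TYPE"`. Since the value selects a make target, a `case` check against the known target suffixes before the call would make an unexpected value fail early.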
Expand All @@ -51,7 +51,7 @@

- name: Upload cluster logs
if: failure()
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: logs-integration-tests-${{ inputs.type }}
path: .github/scripts/logs
4 changes: 2 additions & 2 deletions .github/workflows/integration-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
default: "cert_manager_io_off"

# Declare default permissions as read only.
permissions: read-all

Check warning on line 15 in .github/workflows/integration-test.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Replace "read-all" with specific permissions (e.g., "contents: read").

See more on https://sonarcloud.io/project/issues?id=keptn_lifecycle-toolkit&issues=AZu1slW2cGEomHMuCdDP&open=AZu1slW2cGEomHMuCdDP&pullRequest=3919

env:
GO_VERSION: "~1.23"
Expand All @@ -26,7 +26,7 @@
runs-on: ubuntu-24.04
steps:
- name: Check out code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Setup cluster
uses: ./.github/actions/deploy-keptn-on-cluster
Expand All @@ -52,7 +52,7 @@

- name: Upload cluster logs
if: failure()
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: logs-integration-tests-${{ inputs.cert-manager-io-enabled }}
path: .github/scripts/logs
8 changes: 4 additions & 4 deletions .github/workflows/load-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
required: true

# Declare default permissions as read only.
permissions: read-all

Check warning on line 11 in .github/workflows/load-test.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Replace "read-all" with specific permissions (e.g., "contents: read").

See more on https://sonarcloud.io/project/issues?id=keptn_lifecycle-toolkit&issues=AZu1slYMcGEomHMuCdDS&open=AZu1slYMcGEomHMuCdDS&pullRequest=3919

env:
GO_VERSION: "~1.23"
Expand All @@ -24,11 +24,11 @@
runs-on: ubuntu-24.04
steps:
- name: Check out code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Cache build tools
id: cache-build-tools
uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
with:
path: /usr/local/bin/kube-burner
key: kube-burner-${{ env.KUBE_BURNER_VERSION }}
Expand Down Expand Up @@ -57,7 +57,7 @@

- name: Upload results
if: always()
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: load-tests-results
path: ./collected-metrics
Expand All @@ -69,7 +69,7 @@

- name: Upload cluster logs
if: failure()
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: logs-load-tests
path: .github/scripts/logs
8 changes: 4 additions & 4 deletions .github/workflows/markdown-checks.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
- 'metrics-operator/api/**'

# Declare default permissions as read only.
permissions: read-all

Check warning on line 22 in .github/workflows/markdown-checks.yaml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Replace "read-all" with specific permissions (e.g., "contents: read").

See more on https://sonarcloud.io/project/issues?id=keptn_lifecycle-toolkit&issues=AZu1slTfcGEomHMuCdDL&open=AZu1slTfcGEomHMuCdDL&pullRequest=3919

env:
GO_VERSION: "~1.23"
Expand All @@ -32,7 +32,7 @@
markdown-link-check:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1
with:
config-file: '.github/mlc_config.json'
Expand All @@ -45,7 +45,7 @@
runs-on: ubuntu-24.04
steps:
- name: Check out code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Run TOC generation
run: |
Expand All @@ -72,10 +72,10 @@
runs-on: ubuntu-24.04
steps:
- name: Check out code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Set up Go 1.x
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
with:
go-version: ${{ env.GO_VERSION }}
check-latest: true
8 changes: 4 additions & 4 deletions .github/workflows/release-examples.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,24 +19,24 @@
required: false

# Declare default permissions as read only.
permissions: read-all

Check warning on line 22 in .github/workflows/release-examples.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Replace "read-all" with specific permissions (e.g., "contents: read").

See more on https://sonarcloud.io/project/issues?id=keptn_lifecycle-toolkit&issues=AZu1slUZcGEomHMuCdDN&open=AZu1slUZcGEomHMuCdDN&pullRequest=3919

jobs:
release-examples:
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Checkout examples repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: keptn-sandbox/lifecycle-toolkit-examples
path: ${{ inputs.examples_dir }}
token: ${{ secrets.KEPTN_BOT_TOKEN }}

- name: Get Latest Release Information
uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
uses: octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae # v3.0.0
id: latest_release
with:
route: GET /repos/:owner/:repository/releases/latest
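Review bot: octokit/request-action moves from v2.4.0 to v3.0.0, and the condition in the next hunk reads `fromJson(steps.latest_release.outputs.data).tag_name`. Please confirm that v3 still exposes the response under the `data` output and still accepts the `route: GET /repos/:owner/:repository/releases/latest` placeholder syntax; if `data` changed, that `if:` would no longer evaluate as intended.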
Expand All @@ -47,11 +47,11 @@

- name: Move old latest release examples folder
if: ${{ fromJson(steps.latest_release.outputs.data).tag_name == inputs.tag_name }}
run: cp -R ./examples/* "${{ inputs.examples_dir }}"

Check failure on line 50 in .github/workflows/release-examples.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

inputs.examples_dir is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=keptn_lifecycle-toolkit&issues=AZmsUyjmAom4jasxQoOA&open=AZmsUyjmAom4jasxQoOA&pullRequest=3919

- name: Push content
if: inputs.dry_run != true
uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9
uses: EndBug/add-and-commit@290ea2c423ad77ca9c62ae0f5b224379612c0321 # v10
with:
default_author: github_actions
cwd: ${{ inputs.examples_dir }}
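Review bot: in `run: cp -R ./examples/* "${{ inputs.examples_dir }}"` the double quotes do not protect the value, because the expression is substituted before the shell sees the line and the shell then treats any quote in the value as syntax. Move it to `EXAMPLES_DIR: ${{ inputs.examples_dir }}` under the step's `env:` and use `cp -R ./examples/* "$EXAMPLES_DIR"`; the `path:` and `cwd:` uses of the same input are action inputs, not shell, and can stay as they are.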
16 changes: 8 additions & 8 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
workflow_dispatch:

# Declare default permissions as read only.
permissions: read-all

Check warning on line 11 in .github/workflows/release.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Replace "read-all" with specific permissions (e.g., "contents: read").

See more on https://sonarcloud.io/project/issues?id=keptn_lifecycle-toolkit&issues=AZu1slXVcGEomHMuCdDQ&open=AZu1slXVcGEomHMuCdDQ&pullRequest=3919

defaults:
run:
Expand Down Expand Up @@ -37,7 +37,7 @@
BUILD_TIME: ${{ steps.get_datetime.outputs.BUILD_TIME }}
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Extract branch name
id: extract_branch
Expand Down Expand Up @@ -77,7 +77,7 @@

- name: Create release matrix
id: build-matrix
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
env:
CHANGED_ITEMS: ${{ steps.release.outputs.paths_released }}
KEPTN_TAG: ${{ steps.release.outputs.tag_name }}
Expand Down Expand Up @@ -146,23 +146,23 @@
DOCKER_BUILD_RECORD_UPLOAD: "false"
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
submodules: recursive

- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4

- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: "ghcr.io"
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Set up Cosign
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0

- name: Clean up image tag
id: clean-image-tag
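Review bot: sigstore/cosign-installer goes from v3.8.1 to v4.1.0 and the step has no `with:` block, so the cosign CLI version is whatever the installer defaults to. The later steps in this job depend on CLI behaviour (the workflow uploads a `cosign-attest-verification-log`), so please pin the CLI with the installer's `cosign-release` input and exercise the release job once before the next tag.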
Expand All @@ -179,7 +179,7 @@

- name: Build Docker Image
id: docker_build_image
uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with:
context: ${{ matrix.config.folder }}
platforms: linux/amd64,linux/arm64
Expand Down Expand Up @@ -234,7 +234,7 @@
${{ env.IMAGE_NAME }}@${{ env.IMAGE_DIGEST }}

- name: Upload verification log as artifact
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: cosign-attest-verification-log
path: ./cosign-attest-output.json