diff --git a/.actionlint.yaml b/.actionlint.yaml
new file mode 100644
index 000000000..a46d0d860
--- /dev/null
+++ b/.actionlint.yaml
@@ -0,0 +1,3 @@
+self-hosted-runner:
+ labels:
+ - ubuntu-latest-8-core
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index da3c4a26a..494c8eebe 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,6 +4,8 @@ updates:
 directory: "/"
 schedule:
 interval: daily
+ cooldown:
+ default-days: 3
 open-pull-requests-limit: 10
 groups:
 gomod:
@@ -15,6 +17,8 @@ updates:
 directory: "/"
 schedule:
 interval: daily
+ cooldown:
+ default-days: 3
 open-pull-requests-limit: 10
 groups:
 actions:
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
index 4185ebd2f..053bc9f87 100644
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -24,7 +24,7 @@ jobs:
 name: Action lint
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 egress-policy: block
 allowed-endpoints: >
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 93b39d4e3..ef74a412e 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -17,7 +17,7 @@ jobs:
 contents: read
 steps:
- - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -35,6 +35,8 @@ jobs:
 sum.golang.org:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index ff9b6f549..f1c88f2bc 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
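Review bot: `ubuntu-latest-8-core` under `self-hosted-runner.labels` reads as if the project runs jobs on a self-managed machine, while the name looks like a GitHub-hosted larger-runner label that actionlint simply does not recognise; the file gives no way to tell which. A one-line comment above the label would stop the next reader from treating it as a self-hosted trust boundary: `# GitHub-hosted larger runner; listed only so actionlint's runner-label check accepts it (not a self-managed machine)`. If it really is self-hosted, say that instead, since the harden-runner and `pull_request` exposure assumptions in the workflows differ for a persistent runner.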
@@ -38,11 +38,13 @@ jobs: --cap-add NET_ADMIN --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor:unconfined steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: "go.mod" @@ -58,9 +60,11 @@ jobs: ./melange keygen - name: Build package + env: + MATRIX_CFG: ${{ matrix.cfg }} run: | - path=examples/${{matrix.cfg}} - if [ "${{matrix.cfg}}" == "melange.yaml" ]; then + path=examples/$MATRIX_CFG + if [ "$MATRIX_CFG" == "melange.yaml" ]; then path="melange.yaml" fi ./melange build $path --arch=x86_64 --namespace=wolfi diff --git a/.github/workflows/go-tests.yaml b/.github/workflows/go-tests.yaml index f1b078c97..6100e1c51 100644 --- a/.github/workflows/go-tests.yaml +++ b/.github/workflows/go-tests.yaml @@ -16,7 +16,7 @@ jobs: contents: read steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: block allowed-endpoints: > @@ -47,6 +47,8 @@ jobs: translationproject.org:443 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: diff --git a/.github/workflows/melange-test-pipelines.yaml b/.github/workflows/melange-test-pipelines.yaml index 079c199d9..6d0654a45 100644 --- a/.github/workflows/melange-test-pipelines.yaml +++ b/.github/workflows/melange-test-pipelines.yaml 
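Review bot: In the "Build package" step, `path=examples/$MATRIX_CFG` and `./melange build $path --arch=x86_64 --namespace=wolfi` leave the expansion unquoted, so the value is still subject to word splitting and globbing even though it was moved out of `${{ }}` into an env var; the rest of this commit quotes such expansions (`"$MATRIX_PACKAGE"`). Matrix values come from the workflow's own list, so this is consistency rather than an exploitable injection, but the lines should read `path="examples/$MATRIX_CFG"` and `./melange build "$path" --arch=x86_64 --namespace=wolfi`. This job also appears to keep `egress-policy: audit` and to run with NET_ADMIN/SYS_ADMIN and unconfined seccomp/apparmor (context lines above the steps), making it the least sandboxed job in the set; a comment stating why `block` is not used here would help reviewers of later changes.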
@@ -17,7 +17,7 @@ jobs:
 contents: read
 steps:
- - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -35,6 +35,8 @@ jobs:
 sum.golang.org:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
@@ -61,7 +63,7 @@ jobs:
 contents: read
 steps:
- - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -105,6 +107,8 @@ jobs:
 us.download.nvidia.com:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 # Grab the melange we uploaded above, and install it.
 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
@@ -113,8 +117,10 @@ jobs:
 path: ${{ github.workspace }}/.melange-dir
 run-id: ${{ github.run_id }}
- - run: |
- sudo mv ${{ github.workspace }}/.melange-dir/melange /usr/bin/melange
+ - env:
+ GITHUB_WORKSPACE: ${{ github.workspace }}
+ run: |
+ sudo mv "$GITHUB_WORKSPACE"/.melange-dir/melange /usr/bin/melange
 sudo chmod a+x /usr/bin/melange
 melange version
@@ -122,12 +128,14 @@ jobs:
 sudo apt-get -y install bubblewrap
 - uses: ./.github/actions/setup-bubblewrap
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: "./go.mod"
 check-latest: true
- - uses: cue-lang/setup-cue@a93fa358375740cd8b0078f76355512b9208acb1
+ - uses: cue-lang/setup-cue@a93fa358375740cd8b0078f76355512b9208acb1 # v1.0.1
 - name: Install QEMU/KVM
 run: |
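Review bot: In the `sudo mv` step, `GITHUB_WORKSPACE` is a default environment variable the runner already sets to the same value as `${{ github.workspace }}`, so the new `env:` mapping is redundant and shadows a runner-provided name rather than removing a `${{ }}` from shell. Either drop the two `env:` lines and use the existing `"$GITHUB_WORKSPACE"` as-is, or choose a purpose-specific name, e.g. `MELANGE_DIR: ${{ github.workspace }}/.melange-dir` with `sudo mv "$MELANGE_DIR"/melange /usr/bin/melange`. Installing the downloaded binary into /usr/bin via sudo looks acceptable because the artifact is fetched with `run-id: ${{ github.run_id }}` (this run's own build), but a comment saying exactly that would spare the next reader the lookup.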
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 2f48a946a..1ac1c06f1 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -18,7 +18,7 @@ jobs: contents: write steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: block allowed-endpoints: > @@ -45,26 +45,28 @@ jobs: uploads.github.com:443 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Check if any changes since last release id: check env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - git fetch --tags + git fetch --tags # no creds needed: repo is public; if this ever goes private, pass token explicitly here TAG=$(git tag --points-at HEAD) if [ -z "$TAG" ]; then echo "No tag points at HEAD, so we need a new tag and then a new release." - echo "need_release=yes" >> $GITHUB_OUTPUT + echo "need_release=yes" >> "$GITHUB_OUTPUT" else RELEASE=$(gh release view "$TAG" --json tagName --jq '.tagName' || echo "none") if [ "$RELEASE" == "$TAG" ]; then echo "A release exists for tag $TAG, which has the latest changes, so no need for a new tag or release." - echo "need_release=no" >> $GITHUB_OUTPUT + echo "need_release=no" >> "$GITHUB_OUTPUT" else echo "Tag $TAG exists, but no release is associated. Need a new release." - echo "need_release=yes" >> $GITHUB_OUTPUT - echo "existing_tag=$TAG" >> $GITHUB_OUTPUT + echo "need_release=yes" >> "$GITHUB_OUTPUT" + echo "existing_tag=$TAG" >> "$GITHUB_OUTPUT" fi fi @@ -79,6 +81,7 @@ jobs: if: steps.check.outputs.need_release == 'yes' with: ref: ${{ steps.check.outputs.existing_tag || steps.create_tag.outputs.new_tag }} + persist-credentials: false - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 if: steps.check.outputs.need_release == 'yes' 
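Review bot: `persist-credentials: false` on the first checkout removes the git credential helper for every later `run:` step of this job, and the job holds `contents: write` presumably because a `create_tag` step (referenced as `steps.create_tag.outputs.new_tag` in the last hunk, but defined outside it) pushes a new tag; confirm that step authenticates explicitly (`gh` with `GH_TOKEN`, or a `git push` to a token-bearing remote URL), otherwise it will now fail with a permission error rather than silently reuse the token. The inline caveat on `git fetch --tags` is the right note but is easier to find above the command: `# Unauthenticated fetch: the repo is public and credentials are not persisted. If the repo goes private, pass GH_TOKEN here explicitly.` The remaining `${{ }}` uses in this hunk are in `with:`/`env:` context, not shell, which is fine; the release job's body continues outside the hunk.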
diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml
index 87dc6445e..602a4edb0 100644
--- a/.github/workflows/verify.yaml
+++ b/.github/workflows/verify.yaml
@@ -17,7 +17,7 @@ jobs:
 contents: read
 steps:
- - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -36,6 +36,8 @@ jobs:
 sum.golang.org:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
diff --git a/.github/workflows/wolfi-presubmit.yaml b/.github/workflows/wolfi-presubmit.yaml
index a76a18760..7c38ca4bd 100644
--- a/.github/workflows/wolfi-presubmit.yaml
+++ b/.github/workflows/wolfi-presubmit.yaml
@@ -17,7 +17,7 @@ jobs:
 contents: read
 steps:
- - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -34,6 +34,8 @@ jobs:
 sum.golang.org:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
@@ -96,7 +98,7 @@ jobs:
 - tini
 steps:
- - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -166,6 +168,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 repository: wolfi-dev/os
+ persist-credentials: false
 - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
@@ -173,8 +176,10 @@ jobs:
 path: ${{ github.workspace }}/.melange-dir
 run-id: ${{ github.run_id }}
- - run: |
- sudo mv ${{ github.workspace }}/.melange-dir/melange /usr/bin/melange
+ - env:
+ GITHUB_WORKSPACE: ${{ github.workspace }}
+ run: |
+ sudo mv "$GITHUB_WORKSPACE"/.melange-dir/melange /usr/bin/melange
 sudo chmod a+x /usr/bin/melange
 melange version
@@ -184,8 +189,10 @@ jobs:
 # this need to point to main to always get the latest action
 - uses: wolfi-dev/actions/install-wolfictl@d8faf0b2bf2a7c6eefc571567ef370faae5baed2 # last commit that had the scan command
- - run: |
- wolfictl bump ${{ matrix.package }}
+ - env:
+ MATRIX_PACKAGE: ${{ matrix.package }}
+ run: |
+ wolfictl bump "$MATRIX_PACKAGE"
 - if: matrix.runner == 'bubblewrap'
 run: |
@@ -194,14 +201,19 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: melange-src
+ persist-credentials: false
 - if: matrix.runner == 'bubblewrap'
 uses: ./melange-src/.github/actions/setup-bubblewrap
 - if: matrix.runner == 'bubblewrap'
+ env:
+ MATRIX_PACKAGE: ${{ matrix.package }}
 run: |
- make SHELL="/bin/bash" MELANGE="sudo melange" MELANGE_RUNNER="bubblewrap" MELANGE_EXTRA_OPTS="--generate-provenance" package/${{ matrix.package }}
+ make SHELL="/bin/bash" MELANGE="sudo melange" MELANGE_RUNNER="bubblewrap" MELANGE_EXTRA_OPTS="--generate-provenance" package/"$MATRIX_PACKAGE"
 - if: matrix.runner == 'bubblewrap'
+ env:
+ MATRIX_PACKAGE: ${{ matrix.package }}
 run: |
- make SHELL="/bin/bash" MELANGE="sudo melange" MELANGE_RUNNER="docker" test/${{ matrix.package }}
+ make SHELL="/bin/bash" MELANGE="sudo melange" MELANGE_RUNNER="docker" test/"$MATRIX_PACKAGE"
 - name: Download kernel for VMs
 if: matrix.runner == 'qemu'
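Review bot: The `sudo mv` step re-declares `GITHUB_WORKSPACE` under `env:`, but that name is a runner-provided default already equal to `${{ github.workspace }}`, so the mapping is redundant and shadows a built-in instead of removing a `${{ }}` from shell. Drop the two `env:` lines and use the existing `"$GITHUB_WORKSPACE"`, or name the thing being referenced, e.g. `MELANGE_DIR: ${{ github.workspace }}/.melange-dir`. The wolfictl pin two hunks down still carries the context comment "this need to point to main to always get the latest action" directly above a SHA pin annotated "last commit that had the scan command"; the two comments contradict each other and the stale one should go when this file is next touched.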
@@ -224,8 +236,10 @@ jobs:
 sudo udevadm control --reload-rules
 sudo udevadm trigger --name-match=kvm
- - name: Make package ${{matrix.package}} with QEMU Runner
+ - name: Make package ${{ matrix.package }} with QEMU Runner
 if: matrix.runner == 'qemu'
+ env:
+ MATRIX_PACKAGE: ${{ matrix.package }}
 run: |
 make \
 SHELL="/bin/bash" \
@@ -233,7 +247,7 @@ jobs:
 QEMU_KERNEL_MODULES=/tmp/kernel/lib/modules/ \
 MELANGE="/usr/bin/melange" \
 MELANGE_EXTRA_OPTS="--runner qemu --generate-provenance" \
- package/${{ matrix.package }}
+ package/"$MATRIX_PACKAGE"
 - name: Output SLSA provenance
 run: |
@@ -246,11 +260,15 @@ jobs:
 - name: Run tests to verify xattrs with bubblewrap runner
 if: matrix.runner == 'bubblewrap' && matrix.package == 'fping'
+ env:
+ MATRIX_PACKAGE: ${{ matrix.package }}
 run: |
- make SHELL="/bin/bash" MELANGE="sudo melange" MELANGE_RUNNER="bubblewrap" test/${{ matrix.package }}
+ make SHELL="/bin/bash" MELANGE="sudo melange" MELANGE_RUNNER="bubblewrap" test/"$MATRIX_PACKAGE"
 - name: Run tests with QEMU runner
 if: matrix.runner == 'qemu'
+ env:
+ MATRIX_PACKAGE: ${{ matrix.package }}
 run: |
 make \
 SHELL="/bin/bash" \
@@ -258,7 +276,7 @@ jobs:
 QEMU_KERNEL_MODULES=/tmp/kernel/lib/modules/ \
 MELANGE="/usr/bin/melange" \
 MELANGE_EXTRA_OPTS="--runner qemu" \
- test/${{ matrix.package }}
+ test/"$MATRIX_PACKAGE"
 - name: Check package ${{ matrix.package }} xattrs for QEMU-built package
 if: matrix.runner == 'qemu' && matrix.package == 'fping'
@@ -277,18 +295,20 @@ jobs:
 ls -hal packages/x86_64/usr/bin/sudo
 - name: Test installable and Scan for CVEs
+ env:
+ MATRIX_PACKAGE: ${{ matrix.package }}
 run: |
- if [[ "${{ matrix.package }}" == "fping" ]]; then
- docker run --rm -v $(pwd):/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/${{ matrix.package }}-*.apk; apk add libcap-utils; getcap /usr/sbin/fping"
- elif [[ "${{ matrix.package }}" == "sudo" ]]; then
- docker run --rm -v $(pwd):/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/${{ matrix.package }}-*.apk; ls -hal /usr/bin/sudo"
- elif [[ "${{ matrix.package }}" == "postfix" ]]; then
- docker run --rm -v $(pwd):/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/${{ matrix.package }}-*.apk; ls -hal /var/spool/postfix; ls -hal /var/lib/postfix"
+ if [[ "$MATRIX_PACKAGE" == "fping" ]]; then
+ docker run --rm -v "$(pwd)":/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/$MATRIX_PACKAGE-*.apk; apk add libcap-utils; getcap /usr/sbin/fping"
+ elif [[ "$MATRIX_PACKAGE" == "sudo" ]]; then
+ docker run --rm -v "$(pwd)":/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/$MATRIX_PACKAGE-*.apk; ls -hal /usr/bin/sudo"
+ elif [[ "$MATRIX_PACKAGE" == "postfix" ]]; then
+ docker run --rm -v "$(pwd)":/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/$MATRIX_PACKAGE-*.apk; ls -hal /var/spool/postfix; ls -hal /var/lib/postfix"
 else
- docker run --rm -v 
$(pwd):/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/${{ matrix.package }}-*.apk" + docker run --rm -v "$(pwd)":/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/$MATRIX_PACKAGE-*.apk" fi # There is a huge fixed cost for every wolfictl scan invocation for grype DB init. # Do this outside of the loop in one invocation with every package. wolfictl scan \ - packages/x86_64/${{ matrix.package }}-*.apk \ + packages/x86_64/"$MATRIX_PACKAGE"-*.apk \ 2> /dev/null # The error message renders strangely on GitHub Actions, and the important information is already being sent to stdout. diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml index 49fe93e4d..ba8512a36 100644 --- a/.github/workflows/zizmor.yaml +++ b/.github/workflows/zizmor.yaml @@ -9,11 +9,15 @@ on: paths: - '.github/workflows/**' - '.github/actions/**' + - '.github/dependabot.yml' + - '.github/zizmor.yml' push: branches: ['main'] paths: - '.github/workflows/**' - '.github/actions/**' + - '.github/dependabot.yml' + - '.github/zizmor.yml' permissions: {} @@ -26,7 +30,7 @@ jobs: contents: read # Clone the repository security-events: write # Upload SARIF results to Code Scanning steps: - - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: block allowed-endpoints: > @@ -42,3 +46,5 @@ jobs: - name: Run zizmor uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + with: + persona: pedantic diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 000000000..2835f5178 --- /dev/null +++ b/.github/zizmor.yml 
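Review bot: In the "Test installable and Scan for CVEs" step the four `docker run ... /bin/sh -c "..."` lines still interpolate `$MATRIX_PACKAGE` into a double-quoted string that the container's `/bin/sh` then parses, so moving the value from `${{ matrix.package }}` into an env var does not isolate it here: the outer bash expands it before docker ever runs, and any metacharacters would be interpreted by the inner shell exactly as before. Today `matrix.package` is a fixed list in this workflow (`- tini` etc.), so this is not exploitable, but it is the pattern the rest of the commit is trying to remove and will be copied. Pass the variable into the container with `-e MATRIX_PACKAGE` and single-quote the `-c` script so the inner shell does the (quoted) expansion; the `wolfictl scan` invocation after the `fi` is already correctly quoted.

```yaml
            if [[ "$MATRIX_PACKAGE" == "fping" ]]; then
              docker run --rm -e MATRIX_PACKAGE -v "$(pwd)":/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c 'sed "s|=.*||" -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/"$MATRIX_PACKAGE"-*.apk; apk add libcap-utils; getcap /usr/sbin/fping'
            elif [[ "$MATRIX_PACKAGE" == "sudo" ]]; then
              docker run --rm -e MATRIX_PACKAGE -v "$(pwd)":/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c 'sed "s|=.*||" -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/"$MATRIX_PACKAGE"-*.apk; ls -hal /usr/bin/sudo'
            elif [[ "$MATRIX_PACKAGE" == "postfix" ]]; then
              docker run --rm -e MATRIX_PACKAGE -v "$(pwd)":/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c 'sed "s|=.*||" -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/"$MATRIX_PACKAGE"-*.apk; ls -hal /var/spool/postfix; ls -hal /var/lib/postfix'
            else
              docker run --rm -e MATRIX_PACKAGE -v "$(pwd)":/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c 'sed "s|=.*||" -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/"$MATRIX_PACKAGE"-*.apk'
            fi
            # … unchanged: wolfictl scan invocation …
```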
@@ -0,0 +1,10 @@
+rules:
+ dependabot-cooldown:
+ config:
+ days: 3
+ anonymous-definition:
+ disable: true
+ undocumented-permissions:
+ disable: true
+ concurrency-limits:
+ disable: true
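Review bot: Each `disable: true` in this new config switches an audit off repo-wide with no recorded reason, and `undocumented-permissions` is precisely the one that would have asked for a justification next to grants such as the `contents: write` in release.yaml; put a one-line reason above each disabled rule, e.g. `# step names are optional here; SHA-pinned uses: lines carry the audit trail` above `anonymous-definition`, and the equivalent for the other two. `days: 3` duplicates `cooldown.default-days: 3` in .github/dependabot.yml and the two will drift silently, so mark it with `# keep in sync with .github/dependabot.yml cooldown.default-days`. These audits presumably only fire under the `persona: pedantic` enabled in zizmor.yaml by the same commit; stating that in a header comment would explain why the file exists at all.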