diff --git a/.github/workflows/auto-add-issues-to-project.yml b/.github/workflows/auto-add-issues-to-project.yml index ebdfd52a6c6..bb88e2511a6 100644 --- a/.github/workflows/auto-add-issues-to-project.yml +++ b/.github/workflows/auto-add-issues-to-project.yml @@ -3,6 +3,9 @@ on: issues: types: - opened +permissions: + contents: read + jobs: track_issue: runs-on: ubuntu-latest diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml index 7fd93ee6752..9dec43588aa 100644 --- a/.github/workflows/fossa.yml +++ b/.github/workflows/fossa.yml @@ -13,6 +13,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -24,13 +27,13 @@ jobs: - run: go version - name: Get branch name id: branch-name - uses: tj-actions/branch-names@v8 - - uses: fossas/fossa-action@main + uses: tj-actions/branch-names@6871f53176ad61624f978536bbf089c574dc19a2 # v8.0.1 + - uses: fossas/fossa-action@d61e2f7aeb88d20f89dcbfaa97d30bb7786b824d # main name: Scanning with FOSSA with: api-key: ${{ env.fossa-key }} branch: ${{ steps.branch-name.outputs.current_branch }} - - uses: fossas/fossa-action@main + - uses: fossas/fossa-action@d61e2f7aeb88d20f89dcbfaa97d30bb7786b824d # main name: Executing tests with FOSSA with: api-key: ${{ env.fossa-key }} diff --git a/.github/workflows/main-build.yml b/.github/workflows/main-build.yml index 39be7f802da..7ec42fa89e2 100644 --- a/.github/workflows/main-build.yml +++ b/.github/workflows/main-build.yml @@ -3,6 +3,8 @@ on: push: branches: - main +permissions: + contents: read jobs: build: name: build @@ -47,7 +49,7 @@ jobs: run: make test - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: # Username used to log in to a Docker registry. If not set then no login will occur username: ${{ github.repository_owner }} @@ -57,14 +59,14 @@ jobs: registry: ghcr.io - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - name: Publish on GitHub Container Registry run: make publish-multiarch # https://github.com/sigstore/cosign-installer - name: Install Cosign - uses: sigstore/cosign-installer@v3 + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - name: Check Cosign install! run: cosign version diff --git a/.github/workflows/nightly-e2e.yml b/.github/workflows/nightly-e2e.yml index a5e8576400b..833aeceda39 100644 --- a/.github/workflows/nightly-e2e.yml +++ b/.github/workflows/nightly-e2e.yml @@ -3,6 +3,9 @@ on: schedule: - cron: "0 0 * * *" +permissions: + contents: read + jobs: validate: uses: kedacore/keda/.github/workflows/template-main-e2e-test.yml@main diff --git a/.github/workflows/pr-e2e.yml b/.github/workflows/pr-e2e.yml index a9b65e4c33e..8eb35b5bf8b 100644 --- a/.github/workflows/pr-e2e.yml +++ b/.github/workflows/pr-e2e.yml @@ -18,7 +18,7 @@ jobs: steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - - uses: tspascoal/get-user-teams-membership@v2 + - uses: tspascoal/get-user-teams-membership@ba78054988f58bea69b7c6136d563236f8ed2fc0 # v2.1.0 id: checkUserMember with: username: ${{ github.actor }} @@ -108,7 +108,7 @@ jobs: make e2e-regex-check - name: React to comment with failure - uses: dkershner6/reaction-action@v2 + uses: dkershner6/reaction-action@97ede302a1b145b3739dec3ca84a489a34ef48b5 # v2.2.1 if: steps.regex-validation.outcome != 'success' with: token: ${{ secrets.GITHUB_TOKEN }} @@ -130,7 +130,7 @@ jobs: run: exit 1 - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: # Username used to log in to a Docker registry. If not set then no login will occur username: ${{ github.repository_owner }} @@ -173,7 +173,7 @@ jobs: gh pr checkout ${{ needs.triage.outputs.pr_num }} git checkout ${{ needs.triage.outputs.commit_sha }} - - uses: oNaiPs/secrets-to-env-action@v1 + - uses: oNaiPs/secrets-to-env-action@2fe98aa2e8f610341c3dd916aff27b218b92f6f8 # v1 with: secrets: ${{ toJSON(secrets) }} @@ -218,7 +218,7 @@ jobs: TEST_CLUSTER_NAME: keda-e2e-cluster-pr - name: React to comment with success - uses: dkershner6/reaction-action@v2 + uses: dkershner6/reaction-action@97ede302a1b145b3739dec3ca84a489a34ef48b5 # v2.2.1 if: steps.test.outcome == 'success' with: token: ${{ secrets.GITHUB_TOKEN }} @@ -236,7 +236,7 @@ jobs: details_url: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}} - name: React to comment with failure - uses: dkershner6/reaction-action@v2 + uses: dkershner6/reaction-action@97ede302a1b145b3739dec3ca84a489a34ef48b5 # v2.2.1 if: steps.test.outcome != 'success' with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml index 4928cd0f565..9a858f30e5f 100644 --- a/.github/workflows/pr-validation.yml +++ b/.github/workflows/pr-validation.yml @@ -69,12 +69,15 @@ jobs: run: make test - name: Create test Summary - uses: test-summary/action@v2 + uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4 with: paths: "report.xml" if: always() validate-dockerfiles: + permissions: + contents: read # for dorny/paths-filter to fetch a list of changed files + pull-requests: read # for dorny/paths-filter to read pull requests name: validate-dockerfiles - ${{ matrix.name }} runs-on: ${{ matrix.runner }} container: ghcr.io/kedacore/keda-tools:1.22.5 @@ -106,6 +109,9 @@ jobs: run: make docker-build validate-dev-container: + permissions: + contents: read # for dorny/paths-filter to fetch a list of changed files + pull-requests: read # for dorny/paths-filter to read pull requests name: Validate dev-container - ${{ matrix.name }} runs-on: ${{ matrix.runner }} container: ghcr.io/kedacore/keda-tools:1.22.5 @@ -146,7 +152,7 @@ jobs: go-version: "1.22" - name: Get golangci run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.59.1 - - uses: pre-commit/action@v3.0.0 + - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507 # v3.0.0 trivy-scan: uses: kedacore/keda/.github/workflows/template-trivy-scan.yml@main diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index 0e4523c6979..a15bf0499d5 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -3,6 +3,9 @@ on: push: tags: - 'v*' +permissions: + contents: read + jobs: build: name: Push Release @@ -44,7 +47,7 @@ jobs: run: go mod tidy -compat=1.22 - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: # Username used to log in to a Docker registry. If not set then no login will occur username: ${{ github.repository_owner }} @@ -63,7 +66,7 @@ jobs: VERSION: ${{ steps.get_version.outputs.VERSION }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - name: Publish KEDA images on GitHub Container Registry run: make publish-multiarch @@ -72,7 +75,7 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install Cosign - uses: sigstore/cosign-installer@v3 + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - name: Check Cosign install! run: cosign version @@ -87,7 +90,7 @@ jobs: # Get release information to determine id of the current release - name: Get Release id: get-release-info - uses: bruceadams/get-release@v1.3.2 + uses: bruceadams/get-release@74c3d60f5a28f358ccf241a00c9021ea16f0569f # v1.3.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/static-analysis-codeql.yml b/.github/workflows/static-analysis-codeql.yml index 076a7857ad3..ccdfc4594c7 100644 --- a/.github/workflows/static-analysis-codeql.yml +++ b/.github/workflows/static-analysis-codeql.yml @@ -9,6 +9,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: codeQl: name: Analyze CodeQL Go @@ -22,16 +25,16 @@ jobs: run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 with: languages: go # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs queries: +security-and-quality - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 with: category: "/language:go" diff --git a/.github/workflows/static-analysis-semgrep.yml b/.github/workflows/static-analysis-semgrep.yml index 1b68a04d000..a2cbfcb034f 100644 --- a/.github/workflows/static-analysis-semgrep.yml +++ b/.github/workflows/static-analysis-semgrep.yml @@ -35,7 +35,7 @@ jobs: SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} - name: Upload SARIF file for GitHub Advanced Security Dashboard - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 with: sarif_file: semgrep.sarif if: ${{ github.event.number == '' && !cancelled() }} diff --git a/.github/workflows/template-main-e2e-test.yml b/.github/workflows/template-main-e2e-test.yml index 2196cceafc2..df93846f752 100644 --- a/.github/workflows/template-main-e2e-test.yml +++ b/.github/workflows/template-main-e2e-test.yml @@ -19,7 +19,7 @@ jobs: - name: Register workspace path run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - - uses: oNaiPs/secrets-to-env-action@v1 + - uses: oNaiPs/secrets-to-env-action@2fe98aa2e8f610341c3dd916aff27b218b92f6f8 # v1 with: secrets: ${{ toJSON(secrets) }} diff --git a/.github/workflows/template-smoke-tests.yml b/.github/workflows/template-smoke-tests.yml index b4998101bfd..694e104fc18 100644 --- a/.github/workflows/template-smoke-tests.yml +++ b/.github/workflows/template-smoke-tests.yml @@ -12,6 +12,9 @@ on: kindImage: required: true type: string +permissions: + contents: read + jobs: smoke-tests: name: Validate k8s-${{ inputs.kubernetesVersion }} @@ -35,7 +38,7 @@ jobs: fetch-depth: 1 - name: Create k8s ${{ inputs.kubernetesVersion }} Kind Cluster - uses: helm/kind-action@v1.10.0 + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 with: node_image: ${{ inputs.kindImage }} cluster_name: smoke-tests-cluster-${{ inputs.kubernetesVersion }} diff --git a/.github/workflows/template-trivy-scan.yml b/.github/workflows/template-trivy-scan.yml index 990e8be436b..27664b66844 100644 --- a/.github/workflows/template-trivy-scan.yml +++ b/.github/workflows/template-trivy-scan.yml @@ -31,6 +31,9 @@ on: required: true type: boolean +permissions: + contents: read + jobs: trivy-scan: name: Trivy - ${{ inputs.runs-on }} - ${{ inputs.scan-type }} ${{ inputs.image-ref }} @@ -51,7 +54,7 @@ jobs: trivy-config: trivy.yml - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 if: ${{ inputs.publish }} with: sarif_file: ${{ inputs.output }} diff --git a/.github/workflows/v1-build.yml b/.github/workflows/v1-build.yml index ea70ec4c36d..f43188cee8f 100644 --- a/.github/workflows/v1-build.yml +++ b/.github/workflows/v1-build.yml @@ -3,6 +3,9 @@ on: push: branches: - v1 +permissions: + contents: read + jobs: validate: name: Validate diff --git a/CHANGELOG.md b/CHANGELOG.md index 4e7d28889e2..0778a5140bf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -72,6 +72,7 @@ Here is an overview of all new **experimental** features: ### Fixes - TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX)) +- **General**: Fixed the token-permission and pinned-dependencies issue reported by the scorecard. ([#6085](https://github.com/kedacore/keda/issues/6085)) ### Deprecations