diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml index 9ac4b1436..ec3afd705 100644 --- a/.github/workflows/build-push.yml +++ b/.github/workflows/build-push.yml @@ -15,25 +15,44 @@ jobs: build-push: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - name: Harden Runner + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + disable-sudo: true + egress-policy: audit + allowed-endpoints: > + api.github.com:443 + github.com:443 + auth.docker.io:443 + registry-1.docker.io:443 + production.cloudflare.docker.com:443 + gcr.io:443 + golang.org:443 + go.dev:443 + proxy.golang.org:443 + sum.golang.org:443 + *.githubusercontent.com:443 + storage.googleapis.com:443 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Docker Meta id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: linode/cluster-api-provider-linode - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Build and Push to Docker Hub - uses: docker/build-push-action@v6 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: . build-args: VERSION=${{ github.ref_name == 'main' && format('main-{0}', github.sha) || github.ref_name }} diff --git a/.github/workflows/build_test_ci.yml b/.github/workflows/build_test_ci.yml index d954bd573..21fcf15fc 100644 
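Review bot: `egress-policy: audit` in the new Harden Runner step means the `allowed-endpoints` list beneath it is logged against but not enforced, so the job that logs in to Docker Hub with `DOCKER_PASSWORD` and pushes the image is the one place in this change that pairs an enumerated endpoint list with a non-blocking policy. The other workflows touched here use `egress-policy: block` with comparable lists, and the Docker Hub, GCR and Go proxy hosts are already enumerated, so after one audit run confirms nothing else is contacted the line should become `egress-policy: block`. If staying in audit mode is deliberate for now, add `# TODO: switch to block once the audit log confirms this endpoint list` above it so the list is not mistaken for enforcement. The job's `permissions` and trigger are outside this hunk.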
--- a/.github/workflows/build_test_ci.yml +++ b/.github/workflows/build_test_ci.yml @@ -23,18 +23,19 @@ jobs: # Expose matched filters as job 'src' output variable paths: ${{ steps.filter.outputs.changes }} steps: - - uses: actions/checkout@v6 - with: - ref: ${{ github.event.pull_request.head.sha }} - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo: true egress-policy: block allowed-endpoints: > api.github.com:443 github.com:443 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + ref: ${{ github.event.pull_request.head.sha || github.sha }} + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: filters: .github/filters.yml @@ -46,7 +47,7 @@ jobs: if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }} steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: block allowed-endpoints: > @@ -64,18 +65,19 @@ jobs: dl.k8s.io:443 cdn.dl.k8s.io:443 - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false + ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: 'go.mod' check-latest: true - name: Install devbox - uses: jetify-com/devbox-install-action@v0.14.0 + uses: jetify-com/devbox-install-action@8c6a66ed6273138b1915457069de78cb52fe3bd7 # v0.15.0 with: enable-cache: 'true' refresh-cli: 'false' 
@@ -84,7 +86,7 @@ jobs: run: devbox run make test - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 with: files: ./coverage.out fail_ci_if_error: false diff --git a/.github/workflows/e2e-test.yaml b/.github/workflows/e2e-test.yaml index 626d44737..7339e53bc 100644 --- a/.github/workflows/e2e-test.yaml +++ b/.github/workflows/e2e-test.yaml @@ -57,18 +57,19 @@ jobs: # Expose matched filters as job 'src' output variable paths: ${{ steps.filter.outputs.changes }} steps: - - uses: actions/checkout@v6 - with: - ref: ${{ github.event.pull_request.head.sha }} - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo: true egress-policy: block allowed-endpoints: > api.github.com:443 github.com:443 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + ref: ${{ github.event.pull_request.head.sha || github.sha }} + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: filters: .github/filters.yml @@ -83,9 +84,9 @@ jobs: LINODE_TOKEN: ${{ secrets.LINODE_TOKEN }} steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: - egress-policy: audit + egress-policy: block allowed-endpoints: > *:6443 api.linode.com:443 
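Review bot: With the e2e job moving from `audit` to `egress-policy: block`, the `*:6443` entry becomes the one wildcard in an enforced list and lets a job holding `LINODE_TOKEN` reach any host on port 6443 — presumably because the API server address of the cluster provisioned during the run is not known in advance. That is likely unavoidable, but it should be recorded so a later reader does not copy or widen it without the reasoning; place the comment above the `allowed-endpoints:` key, e.g. `# *:6443 — kube-apiserver of the cluster created during the run; its address is assigned at runtime`, since a `#` line inside the `>` folded scalar would become part of the value rather than a comment. The rest of the endpoint list continues past this hunk.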
@@ -117,23 +118,24 @@ jobs: dl.k8s.io:443 cdn.dl.k8s.io:443 - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false + ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: 'go.mod' check-latest: true - name: Docker cache - uses: ScribeMD/docker-cache@0.5.0 + uses: ScribeMD/docker-cache@fb28c93772363301b8d0a6072ce850224b73f74e # 0.5.0 with: key: docker-${{ runner.os }}-${{ hashFiles('go.sum') }} - name: Install devbox - uses: jetify-com/devbox-install-action@v0.14.0 + uses: jetify-com/devbox-install-action@8c6a66ed6273138b1915457069de78cb52fe3bd7 # v0.15.0 with: enable-cache: 'true' refresh-cli: 'false' @@ -159,7 +161,7 @@ jobs: if: ${{ always() }} run: docker cp tilt-control-plane:/var/log .logs - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: ${{ always() }} with: name: ${{ inputs.e2e-selector }}-logs diff --git a/.github/workflows/e2e-upgrade-test.yaml b/.github/workflows/e2e-upgrade-test.yaml index 62d7bb73f..e75e3bc53 100644 --- a/.github/workflows/e2e-upgrade-test.yaml +++ b/.github/workflows/e2e-upgrade-test.yaml 
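Review bot: The checkout now uses `ref: ${{ github.event.pull_request.head.sha || github.sha }}` in a job whose env, per the preceding hunk, includes `LINODE_TOKEN`; the added `persist-credentials: false` keeps only the GITHUB_TOKEN out of `.git/config` and does nothing for that secret. If the calling workflow runs on `pull_request` this is fine, but if it runs on `pull_request_target` (the trigger is not in this diff) a fork's PR head would be built and exercised with a live Linode credential. Confirm the trigger and consider a comment above the `ref:` line such as `# builds the PR head: must only run under trusted triggers/labels because LINODE_TOKEN is in scope`. The job definition begins before this hunk.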
@@ -22,16 +22,18 @@ jobs: # Expose matched filters as job 'src' output variable paths: ${{ steps.filter.outputs.changes }} steps: - - uses: actions/checkout@v6 - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo: true egress-policy: block allowed-endpoints: > api.github.com:443 github.com:443 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: filters: .github/filters.yml @@ -45,10 +47,10 @@ jobs: LINODE_TOKEN: ${{ secrets.LINODE_TOKEN }} steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo: true - egress-policy: audit + egress-policy: block allowed-endpoints: > *:6443 api.linode.com:443 @@ -80,12 +82,13 @@ jobs: dl.k8s.io:443 cdn.dl.k8s.io:443 - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: 'go.mod' check-latest: true diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 7e245376b..84b1f18f0 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml 
@@ -16,14 +16,18 @@ permissions: jobs: generate-docs: runs-on: ubuntu-latest - container: docker.io/node:24-bullseye-slim timeout-minutes: 2 steps: - - uses: actions/checkout@v6 + - name: Harden Runner + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + disable-sudo: true + egress-policy: audit + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup mdBook run: | - apt-get update - apt-get install curl -y mkdir mdbook curl -sSL https://github.com/rust-lang/mdbook/releases/download/v0.4.37/mdbook-v0.4.37-x86_64-unknown-linux-gnu.tar.gz | tar -xz --directory=./mdbook curl -sSL https://github.com/tommilligan/mdbook-admonish/releases/download/v1.15.0/mdbook-admonish-v1.15.0-x86_64-unknown-linux-gnu.tar.gz | tar -xz --directory=./mdbook @@ -33,9 +37,9 @@ jobs: cd docs mdbook build - name: Setup Pages - uses: actions/configure-pages@v5 + uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0 - name: Upload artifact - uses: actions/upload-pages-artifact@v4 + uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0 with: path: 'docs/book' @@ -47,6 +51,11 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 2 steps: + - name: Harden Runner + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + disable-sudo: true + egress-policy: audit - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 diff --git a/.github/workflows/go-analyze.yml b/.github/workflows/go-analyze.yml index 1419a3b2a..e1697a338 100644 --- a/.github/workflows/go-analyze.yml +++ b/.github/workflows/go-analyze.yml 
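Review bot: The `Setup mdBook` step still fetches two release tarballs with `curl -sSL ... | tar -xz` and no integrity check, so the binaries that build the published site are trusted on TLS to github.com alone; this commit drops the container and `apt-get` lines around them but leaves the downloads unverified. Download each archive to a file, compare it against a digest pinned from the corresponding release page, e.g. `echo "<sha256 from the v0.4.37 release>  mdbook.tar.gz" | sha256sum -c -`, and extract only after the check passes. Note also that `egress-policy: audit` here only logs the step's egress; once an audit run shows which hosts the release downloads redirect to, this job can move to `block` with an explicit `allowed-endpoints` list like the other workflows in this change.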
@@ -20,17 +20,18 @@ jobs: # Expose matched filters as job 'src' output variable src: ${{ steps.filter.outputs.src }} steps: - - uses: actions/checkout@v6 - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo: true egress-policy: block allowed-endpoints: > api.github.com:443 github.com:443 - *.githubusercontent.com:443 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: predicate-quantifier: 'every' @@ -41,7 +42,7 @@ jobs: if: ${{ needs.changes.outputs.src == 'true' }} steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo: true egress-policy: block @@ -63,16 +64,18 @@ jobs: registry-1.docker.io:443 auth.docker.io:443 - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: 'go.mod' check-latest: true - name: lint - uses: golangci/golangci-lint-action@v9 + uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 - name: lint-api run: make lint-api diff --git a/.github/workflows/link-checker.yml b/.github/workflows/link-checker.yml index a791e0694..4a6fc067a 100644 --- a/.github/workflows/link-checker.yml +++ b/.github/workflows/link-checker.yml 
@@ -17,12 +17,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: + disable-sudo: true egress-policy: audit - - uses: actions/checkout@v6 - - uses: gaurav-nelson/github-action-markdown-link-check@v1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: gaurav-nelson/github-action-markdown-link-check@3c3b66f1f7d0900e37b71eca45b63ea9eedfce31 # 1.0.17 with: use-quiet-mode: 'yes' config-file: .markdownlinkcheck.json diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml index 5088d5e4b..e7f0aa31b 100644 --- a/.github/workflows/pr-labeler.yml +++ b/.github/workflows/pr-labeler.yml @@ -12,16 +12,18 @@ jobs: label-pr: name: Update PR labels permissions: - contents: write pull-requests: write runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@v6 + - name: Harden Runner + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: - fetch-depth: 0 + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 - name: Label PR - uses: release-drafter/release-drafter@v6 + uses: release-drafter/release-drafter@563bf132657a13ded0b01fcb723c5a58cdd824e2 # v7.2.1 with: disable-releaser: github.ref != 'refs/heads/main' env: diff --git a/.github/workflows/pull_request_ci.yaml b/.github/workflows/pull_request_ci.yaml index f1296ab04..f0837b468 100644 --- a/.github/workflows/pull_request_ci.yaml +++ b/.github/workflows/pull_request_ci.yaml 
@@ -20,16 +20,18 @@ jobs: # Expose matched filters as job 'src' output variable paths: ${{ steps.filter.outputs.changes }} steps: - - uses: actions/checkout@v6 - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo: true egress-policy: block allowed-endpoints: > api.github.com:443 github.com:443 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter with: filters: .github/filters.yml @@ -39,7 +41,17 @@ jobs: needs: changes if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }} steps: - - uses: actions/checkout@v6 + - name: Harden Runner + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Validate YAML file run: yamllint templates @@ -49,7 +61,7 @@ jobs: if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }} steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: block allowed-endpoints: 
> @@ -61,22 +73,21 @@ jobs: sum.golang.org:443 *.githubusercontent.com:443 storage.googleapis.com:443 - cli.codecov.io:443 - api.codecov.io:443 - ingest.codecov.io:443 dl.k8s.io:443 cdn.dl.k8s.io:443 - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: 'go.mod' check-latest: true - name: Install devbox - uses: jetify-com/devbox-install-action@v0.14.0 + uses: jetify-com/devbox-install-action@8c6a66ed6273138b1915457069de78cb52fe3bd7 # v0.15.0 with: enable-cache: 'true' refresh-cli: 'false' @@ -93,7 +104,7 @@ jobs: if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }} steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo: true egress-policy: block @@ -112,10 +123,12 @@ jobs: gcr.io:443 storage.googleapis.com:443 - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Docker cache - uses: ScribeMD/docker-cache@0.5.0 + uses: ScribeMD/docker-cache@fb28c93772363301b8d0a6072ce850224b73f74e # 0.5.0 with: key: docker-${{ runner.os }}-${{ hashFiles('go.sum') }} diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index cf85d7e3b..ae21ddbc3 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml 
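Review bot: Removing `cli.codecov.io`, `api.codecov.io` and `ingest.codecov.io` from a list enforced by `egress-policy: block` is only safe if this job no longer has a Codecov upload step; the steps after `devbox-install-action` fall outside the hunk, so that cannot be confirmed here. If a codecov-action step remains, the blocked upload fails, and a `fail_ci_if_error: false` setting (as used in build_test_ci.yml) would turn that into silently missing coverage rather than a red check. Please verify the step was removed or, if uploads moved to build_test_ci.yml, that its test job's allowed-endpoints list (not shown in this diff) includes the Codecov hosts.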
@@ -16,6 +16,13 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: release-drafter/release-drafter@v6 + - name: Harden Runner + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + - uses: release-drafter/release-drafter@563bf132657a13ded0b01fcb723c5a58cdd824e2 # v7.2.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index df3489c0b..e62dc19a3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,11 +12,29 @@ jobs: release: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - name: Harden Runner + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + uploads.github.com:443 + golang.org:443 + go.dev:443 + proxy.golang.org:443 + sum.golang.org:443 + *.githubusercontent.com:443 + storage.googleapis.com:443 + dl.k8s.io:443 + cdn.dl.k8s.io:443 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: 'go.mod' check-latest: true @@ -25,7 +43,7 @@ jobs: env: RELEASE_TAG: ${{ github.ref_name }} - name: Upload Release Artifacts - uses: softprops/action-gh-release@v2.4.2 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 with: files: | ./infrastructure-linode/* diff --git a/.gitignore b/.gitignore index 7a2e0d96b..34c85049c 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ infrastructure-*-linode/* vendor/ .vscode/ .tool-versions +.opencode/ diff --git a/renovate.json5 b/renovate.json5 index 74bdc70ba..9cd3b8db0 100644 
--- a/renovate.json5 +++ b/renovate.json5 @@ -2,6 +2,8 @@ "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ "config:recommended", + "helpers:pinGitHubActionDigests", + "helpers:githubDigestChangelogs", ], "schedule": [ "* 0 1,15 * *",