From 69d495c5d876ba7b714d9d1666abef58afc47d52 Mon Sep 17 00:00:00 2001
From: Khaja Omer
Date: Mon, 4 May 2026 12:12:28 -0500
Subject: [PATCH] chore(ci): harden GitHub Actions workflows

Move step-security/harden-runner ahead of checkout and other executable steps so outbound network controls are active before third-party actions or checked-out code run. Pair that with persist-credentials=false, narrower permissions, and tighter allowlists to reduce the chance that a compromised dependency or misconfigured workflow can reuse the job token or exfiltrate data. Pin all external GitHub Actions to full SHAs and update them to current stable releases so workflow execution is tied to reviewed commits instead of mutable tags, while Renovate keeps future action updates digest-pinned automatically. This also keeps maintainer-approved fork PR test paths intact, removes endpoints that are not used by the jobs that declared them, removes the gh-pages container that bypassed Harden Runner before the first step, and leaves the remaining high-variance jobs in audit mode until observed egress can be converted into minimal block-mode allowlists.
---
 .github/workflows/build-push.yml | 31 +++++++++++++++----
 .github/workflows/build_test_ci.yml | 24 ++++++++-------
 .github/workflows/e2e-test.yaml | 28 +++++++++--------
 .github/workflows/e2e-upgrade-test.yaml | 17 +++++-----
 .github/workflows/gh-pages.yml | 23 +++++++++-----
 .github/workflows/go-analyze.yml | 19 +++++++-----
 .github/workflows/link-checker.yml | 9 ++++--
 .github/workflows/pr-labeler.yml | 12 +++++---
 .github/workflows/pull_request_ci.yaml | 41 ++++++++++++++++---------
 .github/workflows/release-drafter.yml | 9 +++++-
 .github/workflows/release.yml | 24 +++++++++++++--
 .gitignore | 1 +
 renovate.json5 | 2 ++
 13 files changed, 162 insertions(+), 78 deletions(-)
diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
index 9ac4b1436..ec3afd705 100644
--- a/.github/workflows/build-push.yml
+++ b/.github/workflows/build-push.yml
@@ -15,25 +15,44 @@ jobs:
 build-push:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - name: Harden Runner
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ disable-sudo: true
+ egress-policy: audit
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ auth.docker.io:443
+ registry-1.docker.io:443
+ production.cloudflare.docker.com:443
+ gcr.io:443
+ golang.org:443
+ go.dev:443
+ proxy.golang.org:443
+ sum.golang.org:443
+ *.githubusercontent.com:443
+ storage.googleapis.com:443
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 - name: Docker Meta
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
 with:
 images: linode/cluster-api-provider-linode
 - name: Login to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
 - name: Build and Push to Docker Hub
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
 with:
 context: .
 build-args: VERSION=${{ github.ref_name == 'main' && format('main-{0}', github.sha) || github.ref_name }}
diff --git a/.github/workflows/build_test_ci.yml b/.github/workflows/build_test_ci.yml
index d954bd573..21fcf15fc 100644
--- a/.github/workflows/build_test_ci.yml
+++ b/.github/workflows/build_test_ci.yml
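Review bot: `egress-policy: audit` makes the twelve-entry `allowed-endpoints` list in the new Harden Runner step advisory only — in audit mode Harden Runner reports calls that fall outside the list but does not block them — so for this job the effective hardening delivered by the commit is the digest pins and `persist-credentials: false`, not egress control. A comment above the list would stop a later reader from taking it as enforced: `# audit mode: endpoints below are only reported against, not enforced; switch to block once observed egress matches`. The job also logs in with `DOCKER_PASSWORD` before pushing, and its remaining steps continue past the end of the hunk.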
@@ -23,18 +23,19 @@ jobs:
 # Expose matched filters as job 'src' output variable
 paths: ${{ steps.filter.outputs.changes }}
 steps:
- - uses: actions/checkout@v6
- with:
- ref: ${{ github.event.pull_request.head.sha }}
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
 api.github.com:443
 github.com:443
- - uses: dorny/paths-filter@v3
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ ref: ${{ github.event.pull_request.head.sha || github.sha }}
+ - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
 id: filter
 with:
 filters: .github/filters.yml
@@ -46,7 +47,7 @@ jobs:
 if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -64,18 +65,19 @@ jobs:
 dl.k8s.io:443
 cdn.dl.k8s.io:443
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
- ref: ${{ github.event.pull_request.head.sha }}
+ persist-credentials: false
+ ref: ${{ github.event.pull_request.head.sha || github.sha }}
 - name: Set up Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: 'go.mod'
 check-latest: true
 - name: Install devbox
- uses: jetify-com/devbox-install-action@v0.14.0
+ uses: jetify-com/devbox-install-action@8c6a66ed6273138b1915457069de78cb52fe3bd7 # v0.15.0
 with:
 enable-cache: 'true'
 refresh-cli: 'false'
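Review bot: The `changes` and `test` jobs now check out `${{ github.event.pull_request.head.sha || github.sha }}` with `persist-credentials: false` (hunks @@ -23 and @@ -64), which removes the stored git credential but not the job's `GITHUB_TOKEN` or any `${{ secrets.* }}` that later steps reference, so if this workflow's trigger (outside these hunks) is `pull_request_target`, the checked-out PR code still runs with whatever the job's `permissions:` grant. The commit message's mention of preserving maintainer-approved fork PR paths suggests that is the intent; stating the assumption next to the checkout would keep it visible, e.g. `# runs PR head code: keep job permissions read-only and gate on maintainer approval`. Separately, the `test` job's Harden Runner step (hunk @@ -46) omits `disable-sudo` where the `changes` job sets it — presumably deliberate for the devbox installer, but a one-line comment saying so would stop a later cleanup from adding it and breaking the job.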
@@ -84,7 +86,7 @@ jobs:
 run: devbox run make test
 - name: Upload coverage reports to Codecov
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
 with:
 files: ./coverage.out
 fail_ci_if_error: false
diff --git a/.github/workflows/e2e-test.yaml b/.github/workflows/e2e-test.yaml
index 626d44737..7339e53bc 100644
--- a/.github/workflows/e2e-test.yaml
+++ b/.github/workflows/e2e-test.yaml
@@ -57,18 +57,19 @@ jobs:
 # Expose matched filters as job 'src' output variable
 paths: ${{ steps.filter.outputs.changes }}
 steps:
- - uses: actions/checkout@v6
- with:
- ref: ${{ github.event.pull_request.head.sha }}
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
 api.github.com:443
 github.com:443
- - uses: dorny/paths-filter@v3
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ ref: ${{ github.event.pull_request.head.sha || github.sha }}
+ - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
 id: filter
 with:
 filters: .github/filters.yml
@@ -83,9 +84,9 @@ jobs:
 LINODE_TOKEN: ${{ secrets.LINODE_TOKEN }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
- egress-policy: audit
+ egress-policy: block
 allowed-endpoints: >
 *:6443
 api.linode.com:443
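Review bot: The Codecov upload (hunk @@ -84) runs under the `test` job's `egress-policy: block` allowlist, whose full contents are outside this hunk, and the `fail_ci_if_error: false` on the next line means an upload blocked by Harden Runner fails silently instead of surfacing as a CI error. This same commit removes `cli.codecov.io`, `api.codecov.io` and `ingest.codecov.io` from pull_request_ci.yaml's allowlist, so it is worth confirming that build_test_ci.yml's list still carries them, or changing the line to `fail_ci_if_error: true` so a blocked upload is visible. The step's `with:` block and the job's remaining steps end past the hunk.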
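Review bot: Switching the e2e `test` job from audit to block (hunk @@ -83) enforces an allowlist that opens with `*:6443`, which admits any host on that port — presumably because the provisioned cluster's API server address is not known ahead of time — and the list continues past the hunk, so its full contents cannot be reviewed here. A comment above the entry would keep the exception from being widened later: `# wildcard host: the freshly provisioned cluster's API server, address unknown until runtime`. Because the job exports `LINODE_TOKEN` and checks out `github.event.pull_request.head.sha` (hunk @@ -117), egress blocking does not by itself stop checked-out PR code from using that token against `api.linode.com`, which stays allowlisted; that exposure has to be bounded by the trigger and approval gate, both outside these hunks. The same audit-to-block switch and wildcard appear in e2e-upgrade-test.yaml at hunk @@ -45.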
@@ -117,23 +118,24 @@ jobs:
 dl.k8s.io:443
 cdn.dl.k8s.io:443
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
- ref: ${{ github.event.pull_request.head.sha }}
+ persist-credentials: false
+ ref: ${{ github.event.pull_request.head.sha || github.sha }}
 - name: Set up Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: 'go.mod'
 check-latest: true
 - name: Docker cache
- uses: ScribeMD/docker-cache@0.5.0
+ uses: ScribeMD/docker-cache@fb28c93772363301b8d0a6072ce850224b73f74e # 0.5.0
 with:
 key: docker-${{ runner.os }}-${{ hashFiles('go.sum') }}
 - name: Install devbox
- uses: jetify-com/devbox-install-action@v0.14.0
+ uses: jetify-com/devbox-install-action@8c6a66ed6273138b1915457069de78cb52fe3bd7 # v0.15.0
 with:
 enable-cache: 'true'
 refresh-cli: 'false'
@@ -159,7 +161,7 @@ jobs:
 if: ${{ always() }}
 run: docker cp tilt-control-plane:/var/log .logs
- - uses: actions/upload-artifact@v6
+ - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 if: ${{ always() }}
 with:
 name: ${{ inputs.e2e-selector }}-logs
diff --git a/.github/workflows/e2e-upgrade-test.yaml b/.github/workflows/e2e-upgrade-test.yaml
index 62d7bb73f..e75e3bc53 100644
--- a/.github/workflows/e2e-upgrade-test.yaml
+++ b/.github/workflows/e2e-upgrade-test.yaml
@@ -22,16 +22,18 @@ jobs:
 # Expose matched filters as job 'src' output variable
 paths: ${{ steps.filter.outputs.changes }}
 steps:
- - uses: actions/checkout@v6
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
 api.github.com:443
 github.com:443
- - uses: dorny/paths-filter@v3
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
 id: filter
 with:
 filters: .github/filters.yml
@@ -45,10 +47,10 @@ jobs:
 LINODE_TOKEN: ${{ secrets.LINODE_TOKEN }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 disable-sudo: true
- egress-policy: audit
+ egress-policy: block
 allowed-endpoints: >
 *:6443
 api.linode.com:443
@@ -80,12 +82,13 @@ jobs:
 dl.k8s.io:443
 cdn.dl.k8s.io:443
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: 'go.mod'
 check-latest: true
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index 7e245376b..84b1f18f0 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@@ -16,14 +16,18 @@ permissions:
 jobs:
 generate-docs:
 runs-on: ubuntu-latest
- container: docker.io/node:24-bullseye-slim
 timeout-minutes: 2
 steps:
- - uses: actions/checkout@v6
+ - name: Harden Runner
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ disable-sudo: true
+ egress-policy: audit
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup mdBook
 run: |
- apt-get update
- apt-get install curl -y
 mkdir mdbook
 curl -sSL https://github.com/rust-lang/mdbook/releases/download/v0.4.37/mdbook-v0.4.37-x86_64-unknown-linux-gnu.tar.gz | tar -xz --directory=./mdbook
 curl -sSL https://github.com/tommilligan/mdbook-admonish/releases/download/v1.15.0/mdbook-admonish-v1.15.0-x86_64-unknown-linux-gnu.tar.gz | tar -xz --directory=./mdbook
@@ -33,9 +37,9 @@ jobs:
 cd docs
 mdbook build
 - name: Setup Pages
- uses: actions/configure-pages@v5
+ uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
 - name: Upload artifact
- uses: actions/upload-pages-artifact@v4
+ uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
 with:
 path: 'docs/book'
@@ -47,6 +51,11 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 2
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ disable-sudo: true
+ egress-policy: audit
 - name: Deploy to GitHub Pages
 id: deployment
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
diff --git a/.github/workflows/go-analyze.yml b/.github/workflows/go-analyze.yml
index 1419a3b2a..e1697a338 100644
--- a/.github/workflows/go-analyze.yml
+++ b/.github/workflows/go-analyze.yml
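Review bot: The two mdBook tarballs in the `Setup mdBook` step (hunk @@ -16) are still fetched with `curl -sSL … | tar -xz` and never verified, so while every action in this commit is digest-pinned, the docs build itself trusts whatever the two release URLs serve at run time — and this job stays in `egress-policy: audit`, where Harden Runner would only report, not stop, an unexpected download. Download each archive to a file, check a pinned SHA-256 against the upstream release checksums, and only then extract; the values below are placeholders to be filled from the release pages. With the container gone the job runs on ubuntu-latest directly, which is presumably why the apt-get lines were dropped (curl is expected on the hosted image, worth confirming on first run). The `deploy` job's new Harden Runner step (hunk @@ -47) is audit-only as well, which is reasonable for a job that only calls deploy-pages.
```yaml
      - name: Setup mdBook
        run: |
          mkdir mdbook
          curl -sSL -o mdbook.tar.gz https://github.com/rust-lang/mdbook/releases/download/v0.4.37/mdbook-v0.4.37-x86_64-unknown-linux-gnu.tar.gz
          echo "<MDBOOK_SHA256_PLACEHOLDER>  mdbook.tar.gz" | sha256sum -c -
          tar -xz --directory=./mdbook -f mdbook.tar.gz
          curl -sSL -o mdbook-admonish.tar.gz https://github.com/tommilligan/mdbook-admonish/releases/download/v1.15.0/mdbook-admonish-v1.15.0-x86_64-unknown-linux-gnu.tar.gz
          echo "<MDBOOK_ADMONISH_SHA256_PLACEHOLDER>  mdbook-admonish.tar.gz" | sha256sum -c -
          tar -xz --directory=./mdbook -f mdbook-admonish.tar.gz
          # … unchanged: rest of the run script …
```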
@@ -20,17 +20,18 @@ jobs:
 # Expose matched filters as job 'src' output variable
 src: ${{ steps.filter.outputs.src }}
 steps:
- - uses: actions/checkout@v6
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
 api.github.com:443
 github.com:443
- *.githubusercontent.com:443
- - uses: dorny/paths-filter@v3
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
 id: filter
 with:
 predicate-quantifier: 'every'
@@ -41,7 +42,7 @@ jobs:
 if: ${{ needs.changes.outputs.src == 'true' }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 disable-sudo: true
 egress-policy: block
@@ -63,16 +64,18 @@ jobs:
 registry-1.docker.io:443
 auth.docker.io:443
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: 'go.mod'
 check-latest: true
 - name: lint
- uses: golangci/golangci-lint-action@v9
+ uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
 - name: lint-api
 run: make lint-api
diff --git a/.github/workflows/link-checker.yml b/.github/workflows/link-checker.yml
index a791e0694..4a6fc067a 100644
--- a/.github/workflows/link-checker.yml
+++ b/.github/workflows/link-checker.yml
@@ -17,12 +17,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
+ disable-sudo: true
 egress-policy: audit
- - uses: actions/checkout@v6
- - uses: gaurav-nelson/github-action-markdown-link-check@v1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: gaurav-nelson/github-action-markdown-link-check@3c3b66f1f7d0900e37b71eca45b63ea9eedfce31 # 1.0.17
 with:
 use-quiet-mode: 'yes'
 config-file: .markdownlinkcheck.json
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
index 5088d5e4b..e7f0aa31b 100644
--- a/.github/workflows/pr-labeler.yml
+++ b/.github/workflows/pr-labeler.yml
@@ -12,16 +12,18 @@ jobs:
 label-pr:
 name: Update PR labels
 permissions:
- contents: write
 pull-requests: write
 runs-on: ubuntu-latest
 steps:
- - name: Checkout repository
- uses: actions/checkout@v6
+ - name: Harden Runner
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
- fetch-depth: 0
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
 - name: Label PR
- uses: release-drafter/release-drafter@v6
+ uses: release-drafter/release-drafter@563bf132657a13ded0b01fcb723c5a58cdd824e2 # v7.2.1
 with:
 disable-releaser: github.ref != 'refs/heads/main'
 env:
diff --git a/.github/workflows/pull_request_ci.yaml b/.github/workflows/pull_request_ci.yaml
index f1296ab04..f0837b468 100644
--- a/.github/workflows/pull_request_ci.yaml
+++ b/.github/workflows/pull_request_ci.yaml
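Review bot: Dropping `contents: write` from the `label-pr` job in pr-labeler.yml (hunk @@ -12) while keeping `disable-releaser: github.ref != 'refs/heads/main'` leaves a path where release-drafter tries to create a draft release with a token that can no longer write contents: on a `pull_request` run `github.ref` is the PR merge ref so the releaser stays disabled, but on a `push` to main or a `pull_request_target` run (where `github.ref` is the base branch) it would now fail with a permissions error. The workflow trigger is outside this hunk; if the job is meant only to label, make that explicit with `disable-releaser: true` — release-drafter.yml already handles drafting — otherwise `contents: write` has to come back. The `pull-requests: write` scope that remains is what labeling needs, and the step's `env:` block continues past the hunk.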
@@ -20,16 +20,18 @@ jobs:
 # Expose matched filters as job 'src' output variable
 paths: ${{ steps.filter.outputs.changes }}
 steps:
- - uses: actions/checkout@v6
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
 api.github.com:443
 github.com:443
- - uses: dorny/paths-filter@v3
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
 id: filter
 with:
 filters: .github/filters.yml
@@ -39,7 +41,17 @@ jobs:
 needs: changes
 if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }}
 steps:
- - uses: actions/checkout@v6
+ - name: Harden Runner
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Validate YAML file
 run: yamllint templates
@@ -49,7 +61,7 @@ jobs:
 if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -61,22 +73,21 @@ jobs:
 sum.golang.org:443
 *.githubusercontent.com:443
 storage.googleapis.com:443
- cli.codecov.io:443
- api.codecov.io:443
- ingest.codecov.io:443
 dl.k8s.io:443
 cdn.dl.k8s.io:443
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: 'go.mod'
 check-latest: true
 - name: Install devbox
- uses: jetify-com/devbox-install-action@v0.14.0
+ uses: jetify-com/devbox-install-action@8c6a66ed6273138b1915457069de78cb52fe3bd7 # v0.15.0
 with:
 enable-cache: 'true'
 refresh-cli: 'false'
@@ -93,7 +104,7 @@ jobs:
 if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 disable-sudo: true
 egress-policy: block
@@ -112,10 +123,12 @@ jobs:
 gcr.io:443
 storage.googleapis.com:443
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Docker cache
- uses: ScribeMD/docker-cache@0.5.0
+ uses: ScribeMD/docker-cache@fb28c93772363301b8d0a6072ce850224b73f74e # 0.5.0
 with:
 key: docker-${{ runner.os }}-${{ hashFiles('go.sum') }}
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index cf85d7e3b..ae21ddbc3 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -16,6 +16,13 @@ jobs:
 pull-requests: write
 runs-on: ubuntu-latest
 steps:
- - uses: release-drafter/release-drafter@v6
+ - name: Harden Runner
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ - uses: release-drafter/release-drafter@563bf132657a13ded0b01fcb723c5a58cdd824e2 # v7.2.1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index df3489c0b..e62dc19a3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,11 +12,29 @@ jobs:
 release:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - name: Harden Runner
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ uploads.github.com:443
+ golang.org:443
+ go.dev:443
+ proxy.golang.org:443
+ sum.golang.org:443
+ *.githubusercontent.com:443
+ storage.googleapis.com:443
+ dl.k8s.io:443
+ cdn.dl.k8s.io:443
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: 'go.mod'
 check-latest: true
@@ -25,7 +43,7 @@ jobs:
 env:
 RELEASE_TAG: ${{ github.ref_name }}
 - name: Upload Release Artifacts
- uses: softprops/action-gh-release@v2.4.2
+ uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
 with:
 files: |
 ./infrastructure-linode/*
diff --git a/.gitignore b/.gitignore
index 7a2e0d96b..34c85049c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,4 @@ infrastructure-*-linode/*
 vendor/
 .vscode/
 .tool-versions
+.opencode/
diff --git a/renovate.json5 b/renovate.json5
index 74bdc70ba..9cd3b8db0 100644
--- a/renovate.json5
+++ b/renovate.json5
@@ -2,6 +2,8 @@
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
 "extends": [
 "config:recommended",
+ "helpers:pinGitHubActionDigests",
+ "helpers:githubDigestChangelogs",
 ],
 "schedule": [
 "* 0 1,15 * *",