
Bump and pin github actions' dependencies #738

Merged
merged 1 commit into from
Dec 2, 2021

Conversation

pjbgf
Member

@pjbgf pjbgf commented Dec 1, 2021

What type of PR is this?

/kind cleanup

What this PR does

Why we need it:

Pinned dependencies reduce several security risks:

  • They ensure that checking and deployment are all done with the same software, reducing deployment risks, simplifying debugging, and enabling reproducibility.
  • They can help mitigate compromised dependencies from undermining the security of the project (in the case where you've evaluated the pinned dependency, you are confident it's not compromised, and a later version is released that is compromised).
  • They are one way to counter dependency confusion (aka substitution) attacks, in which an application uses multiple feeds to acquire software packages (a "hybrid configuration"), and attackers fool the user into using a malicious package via a feed that was not expected for that package.

For more information, refer to ossf.

Which issue(s) this PR fixes:

Partially fixes #653
Relates to #725

Does this PR have tests?

N/A

Special notes for your reviewer:

Running the latest version of buildah on ubuntu-18.04 led to the error: "fuse-overlayfs" is not found. Hence the motivation for doing both changes together.

Does this PR introduce a user-facing change?

NONE
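The three risks listed in the PR description all come down to one property: a `uses:` reference that names a tag or branch can be moved to different code after review, while a full commit SHA cannot. The following checker, added here as an illustration and not part of this PR or of security-profiles-operator, scans workflow text for `uses:` entries and reports each one that is not an immutable reference. It is the same property the OpenSSF Scorecard's Pinned-Dependencies check looks for. The workflow text, the function names and the 40-character SHA are all constructed for the example; the SHA is a placeholder, not a real commit.

```python
import re
from typing import List, Tuple

# A full 40-hex-digit commit SHA is the only ref GitHub resolves immutably;
# GitHub Actions does not accept abbreviated SHAs in `uses:`.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# The equivalent immutable reference for docker:// actions is an image digest.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Matches `uses: value` (optionally as a list item, optionally quoted) and
# captures the value up to whitespace or a trailing `# vX.Y.Z` comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)['\"]?")


def classify_uses(ref: str) -> Tuple[bool, str]:
    """Return (is_pinned, reason) for the value of a `uses:` key."""
    if ref.startswith("./"):
        return True, "local action, versioned with the repository itself"
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        if "@" in image and DIGEST_RE.match(image.rsplit("@", 1)[1]):
            return True, "container image pinned by digest"
        return False, "container image referenced by a mutable tag"
    if "@" not in ref:
        return False, "no ref given, so the default branch is used"
    version = ref.rsplit("@", 1)[1]
    if FULL_SHA_RE.match(version):
        return True, "pinned to a full commit SHA"
    if re.fullmatch(r"[0-9a-f]{7,39}", version):
        return False, "abbreviated SHA; GitHub Actions requires the full 40-character SHA"
    return False, f"mutable tag or branch '{version}' can be re-pointed to different code"


def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reference, reason) for every unpinned `uses:`."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        pinned, reason = classify_uses(ref)
        if not pinned:
            findings.append((lineno, ref, reason))
    return findings


# Constructed sample workflow. The setup-go SHA is a placeholder, not a real
# commit; the `# v2.1.4` comment is the convention that lets Dependabot keep
# the pin and the human-readable version in step.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v2.1.4
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.14
      - name: build
        run: make build
"""

if __name__ == "__main__":
    for lineno, ref, reason in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {reason}")
```

Running the script flags the `actions/checkout@v2` and `docker://alpine:3.14` steps and accepts the SHA-pinned action and the local action. Pinning to a SHA only removes the "tag moved after review" risk; the pinned commit still has to be reviewed once, and a tool such as Dependabot is what keeps the pins from silently going stale.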

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Dec 1, 2021
@pjbgf pjbgf changed the title WIP: Pin github action dependencies WIP: Pin github actions' dependencies Dec 1, 2021
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 1, 2021
@pjbgf
Member Author

pjbgf commented Dec 1, 2021

/test pull-security-profiles-operator-test-e2e

@pjbgf pjbgf changed the title WIP: Pin github actions' dependencies Pin github actions' dependencies Dec 1, 2021
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 1, 2021
@pjbgf pjbgf changed the title Pin github actions' dependencies WIP: Pin github actions' dependencies Dec 1, 2021
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 1, 2021
@pjbgf pjbgf force-pushed the pin-deps branch 2 times, most recently from 66de061 to 97c813d Compare December 1, 2021 23:00
@codecov-commenter

codecov-commenter commented Dec 1, 2021

Codecov Report

Merging #738 (77e16ff) into main (c2c7fcf) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #738   +/-   ##
=======================================
  Coverage   53.94%   53.94%           
=======================================
  Files          41       41           
  Lines        4121     4121           
=======================================
  Hits         2223     2223           
  Misses       1831     1831           
  Partials       67       67           

@pjbgf
Member Author

pjbgf commented Dec 2, 2021

/test pull-security-profiles-operator-test-e2e

@pjbgf pjbgf changed the title WIP: Pin github actions' dependencies Pin github actions' dependencies Dec 2, 2021
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 2, 2021
@pjbgf
Member Author

pjbgf commented Dec 2, 2021

Looking into the test failure, as it is not the usual flaky test; potentially this PR will require further changes.

/hold

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Dec 2, 2021
Signed-off-by: Paulo Gomes <pjbgf@linux.com>
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 2, 2021
@pjbgf pjbgf changed the title Pin github actions' dependencies Bump and pin github actions' dependencies Dec 2, 2021
@pjbgf
Member Author

pjbgf commented Dec 2, 2021

/test pull-security-profiles-operator-test-e2e

@pjbgf
Member Author

pjbgf commented Dec 2, 2021

/test pull-security-profiles-operator-test-e2e

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 2, 2021
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pjbgf, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [pjbgf,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@pjbgf
Member Author

pjbgf commented Dec 2, 2021

/test pull-security-profiles-operator-test-e2e

@pjbgf
Member Author

pjbgf commented Dec 2, 2021

/test pull-security-profiles-operator-test-e2e

@pjbgf
Member Author

pjbgf commented Dec 2, 2021

/unhold

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 2, 2021
@k8s-ci-robot k8s-ci-robot merged commit e1231d2 into kubernetes-sigs:main Dec 2, 2021
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Development

Successfully merging this pull request may close these issues.

Improve visibility of SPO's security posture
4 participants