From 41156f86c614c35607483b4e412947836155afd6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Andr=C3=A9?= Date: Tue, 31 Mar 2026 15:50:38 +0200 Subject: [PATCH 1/9] ci: pin all GitHub Actions to commit SHAs Pin all GitHub Actions references to specific commit SHAs to prevent supply chain attacks via tag mutation. This ensures workflows always use the exact verified version of each action. Actions pinned: - actions/checkout v6 -> v6.0.2 (de0fac2) - actions/setup-go v6.2.0 -> v6.4.0 (4a36011) - actions/upload-artifact v6 -> v7 (bbbca2d) - actions/labeler v6 (634933e) - helm/kind-action (ef37e7f) - joelanford/go-apidiff (tag comment added) --- .github/workflows/container_image.yaml | 2 +- .github/workflows/e2e.yaml | 6 +++--- .github/workflows/generate.yaml | 2 +- .github/workflows/go-lint.yaml | 4 ++-- .github/workflows/label-pr.yaml | 8 ++++---- .github/workflows/release_image.yaml | 2 +- .github/workflows/unit.yml | 4 ++-- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/container_image.yaml b/.github/workflows/container_image.yaml index eed5f71da..ba0e859fd 100644 --- a/.github/workflows/container_image.yaml +++ b/.github/workflows/container_image.yaml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2 - run: | docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 3cc044e21..1e3fb1c06 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-${{ matrix.ubuntu_version }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2 - name: Deploy devstack uses: EmilienM/devstack-action@60ca1042045c0c9e3e001c64575d381654ffcba1 
@@ -38,7 +38,7 @@ jobs: enabled_services: "openstack-cli-server" - name: Deploy a Kind Cluster - uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc + uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # tag=v1.14.0 with: cluster_name: orc @@ -63,7 +63,7 @@ jobs: - name: Upload logs artifacts on failure if: failure() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # tag=v7 with: name: e2e-${{ matrix.name }}-${{ github.run_id }} path: /tmp/artifacts/* diff --git a/.github/workflows/generate.yaml b/.github/workflows/generate.yaml index 9a1eb5807..117db7d96 100644 --- a/.github/workflows/generate.yaml +++ b/.github/workflows/generate.yaml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2 - run: | make generate diff --git a/.github/workflows/go-lint.yaml b/.github/workflows/go-lint.yaml index f88b3a130..e0ea9cd9b 100644 --- a/.github/workflows/go-lint.yaml +++ b/.github/workflows/go-lint.yaml @@ -12,14 +12,14 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2 - name: Calculate go version id: vars run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT - name: Set up Go - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # tag=v6.3.0 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # tag=v6.4.0 with: go-version: ${{ steps.vars.outputs.go_version }} diff --git a/.github/workflows/label-pr.yaml b/.github/workflows/label-pr.yaml index e226f3263..7d5613fe4 100644 --- a/.github/workflows/label-pr.yaml +++ b/.github/workflows/label-pr.yaml 
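Review bot: The pin `actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # tag=v7` records a floating major tag next to an immutable SHA, so the comment no longer tells a reader, or Dependabot/Renovate which parse this comment to track updates, which release is actually pinned; the same applies to `actions/labeler@634933e… # tag=v6` in label-pr.yaml. Replace each with the exact release tag (vX.Y.Z) that the SHA resolves to, matching the convention already used for `checkout` (`# tag=v6.0.2`) and `setup-go` (`# tag=v6.4.0`). The SHA is what enforces the pin, so this is a documentation fix, but it is the difference between an auditable pin and one that has to be resolved by hand.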
@@ -13,7 +13,7 @@ jobs: semver: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2 with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha }} @@ -32,7 +32,7 @@ jobs: run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT - name: Set up Go - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # tag=v6.3.0 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # tag=v6.4.0 with: go-version: ${{ steps.vars.outputs.go_version }} @@ -41,7 +41,7 @@ jobs: # if semver=major, this will return RC=1, so let's ignore the failure so label # can be set later. We check for actual errors in the next step. continue-on-error: true - uses: joelanford/go-apidiff@60c4206be8f84348ebda2a3e0c3ac9cb54b8f685 + uses: joelanford/go-apidiff@60c4206be8f84348ebda2a3e0c3ac9cb54b8f685 # tag=v0.8.3 # go-apidiff returns RC=1 when semver=major, which makes the workflow to return # a failure. Instead let's just return a failure if go-apidiff failed to run. @@ -89,4 +89,4 @@ jobs: edits: runs-on: ubuntu-latest steps: - - uses: actions/labeler@v6 + - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # tag=v6 diff --git a/.github/workflows/release_image.yaml b/.github/workflows/release_image.yaml index d72e9f0cb..cef8bc100 100644 --- a/.github/workflows/release_image.yaml +++ b/.github/workflows/release_image.yaml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2 - run: | docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml index 671b53086..827df344e 100644 --- a/.github/workflows/unit.yml +++ b/.github/workflows/unit.yml 
@@ -16,14 +16,14 @@ jobs: - '1' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2 - name: Calculate go version id: vars run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT - name: Set up Go - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # tag=v6.3.0 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # tag=v6.4.0 with: go-version: ${{ steps.vars.outputs.go_version }} From 898380a5b4f9690765f3c8aec09df45f76c2be3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Andr=C3=A9?= Date: Tue, 31 Mar 2026 15:51:56 +0200 Subject: [PATCH 2/9] ci: set persist-credentials: false on all checkout actions Prevent the GITHUB_TOKEN from being persisted in the local git config after checkout. This reduces the risk of token exposure in subsequent steps that may execute untrusted code. --- .github/workflows/container_image.yaml | 2 ++ .github/workflows/e2e.yaml | 2 ++ .github/workflows/generate.yaml | 2 ++ .github/workflows/go-lint.yaml | 2 ++ .github/workflows/release_image.yaml | 2 ++ .github/workflows/unit.yml | 2 ++ 6 files changed, 12 insertions(+) diff --git a/.github/workflows/container_image.yaml b/.github/workflows/container_image.yaml index ba0e859fd..2c4f9f17e 100644 --- a/.github/workflows/container_image.yaml +++ b/.github/workflows/container_image.yaml @@ -18,6 +18,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2 + with: + persist-credentials: false - run: | docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 1e3fb1c06..d45297520 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml 
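Review bot: `persist-credentials: false` is added to six checkouts, but the diffstat shows label-pr.yaml is not among them, even though that is the checkout most in need of it: it passes `token: ${{ secrets.GITHUB_TOKEN }}`, checks out `github.event.pull_request.head.sha`, and the job then runs `make go-version` from that tree under a `pull_request_target` trigger (as later patches in this series state). With credentials persisted, the PR's Makefile can read the token back from the local git config the action writes it to. Add `persist-credentials: false` to that checkout as well (and drop the explicit `token:` unless a later step needs it), and reword the subject so it does not claim to cover all checkouts.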
@@ -29,6 +29,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2 + with: + persist-credentials: false - name: Deploy devstack uses: EmilienM/devstack-action@60ca1042045c0c9e3e001c64575d381654ffcba1 diff --git a/.github/workflows/generate.yaml b/.github/workflows/generate.yaml index 117db7d96..b347c5f34 100644 --- a/.github/workflows/generate.yaml +++ b/.github/workflows/generate.yaml @@ -13,6 +13,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2 + with: + persist-credentials: false - run: | make generate diff --git a/.github/workflows/go-lint.yaml b/.github/workflows/go-lint.yaml index e0ea9cd9b..6d9e2aee8 100644 --- a/.github/workflows/go-lint.yaml +++ b/.github/workflows/go-lint.yaml @@ -13,6 +13,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2 + with: + persist-credentials: false - name: Calculate go version id: vars diff --git a/.github/workflows/release_image.yaml b/.github/workflows/release_image.yaml index cef8bc100..7cd45d893 100644 --- a/.github/workflows/release_image.yaml +++ b/.github/workflows/release_image.yaml @@ -17,6 +17,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2 + with: + persist-credentials: false - run: | docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml index 827df344e..e59c6d2b8 100644 --- a/.github/workflows/unit.yml +++ b/.github/workflows/unit.yml @@ -17,6 +17,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2 + with: + persist-credentials: false - name: Calculate go version id: vars From de95d58e30af32ea830c65c7e8a6ae5676562f3c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Andr=C3=A9?= Date: Tue, 31 Mar 2026 15:52:51 +0200 Subject: [PATCH 3/9] ci: scope down workflow permissions to least privilege Set workflow-level permissions to empty ({}) for check-pr-labels and label-pr workflows, and grant only the minimum required permissions at the job level. This follows the principle of least privilege and reduces the blast radius if a workflow is compromised. --- .github/workflows/check-pr-labels.yaml | 2 ++ .github/workflows/label-pr.yaml | 11 ++++++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/.github/workflows/check-pr-labels.yaml b/.github/workflows/check-pr-labels.yaml index 4fbb7fc0b..2a98d5ff4 100644 --- a/.github/workflows/check-pr-labels.yaml +++ b/.github/workflows/check-pr-labels.yaml @@ -8,6 +8,8 @@ on: - synchronize - unlabeled +permissions: {} + jobs: hold: if: github.event.pull_request.merged == false diff --git a/.github/workflows/label-pr.yaml b/.github/workflows/label-pr.yaml index 7d5613fe4..ab9cc4b16 100644 --- a/.github/workflows/label-pr.yaml +++ b/.github/workflows/label-pr.yaml @@ -5,13 +5,15 @@ on: - opened - synchronize - reopened -permissions: - contents: read - pull-requests: write + +permissions: {} jobs: semver: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2 with: @@ -88,5 +90,8 @@ jobs: edits: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # tag=v6 From 386f8efbea0f425aca3b1f19f70751d964d20461 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Andr=C3=A9?= Date: Tue, 31 Mar 2026 15:53:18 +0200 Subject: [PATCH 4/9] ci: fix template injection in label-pr workflow Replace direct use of ${{ github.base_ref }} in a run: block with an environment variable. Attacker-controlled GitHub context values used directly in shell scripts can lead to script injection attacks. --- .github/workflows/label-pr.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/label-pr.yaml b/.github/workflows/label-pr.yaml index ab9cc4b16..6cc8d6843 100644 --- a/.github/workflows/label-pr.yaml +++ b/.github/workflows/label-pr.yaml @@ -21,13 +21,14 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} token: ${{ secrets.GITHUB_TOKEN }} - - name: Rebase the PR against origin/github.base_ref to ensure actual API compatibility + - name: Rebase the PR against base ref to ensure actual API compatibility run: | git config --global user.email "localrebase@k-orc.cloud" git config --global user.name "Local rebase" - git rebase -i origin/${{ github.base_ref }} + git rebase -i origin/$BASE_REF env: GIT_SEQUENCE_EDITOR: '/usr/bin/true' + BASE_REF: ${{ github.base_ref }} - name: Calculate go version id: vars From db69dbcfdf5630f160868c162b5668759c00d23c Mon Sep 17 00:00:00 2001 
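Review bot: `git rebase -i origin/$BASE_REF` leaves the expansion unquoted; write it as `git rebase -i "origin/$BASE_REF"` so a branch name containing glob or whitespace characters cannot be word-split or expanded by the shell, and since `GIT_SEQUENCE_EDITOR` is `/usr/bin/true` the `-i` does nothing useful, so a plain `git rebase "origin/$BASE_REF"` is effectively equivalent. Note for the commit message that `github.base_ref` is the name of an existing branch of this repository rather than free text an outside contributor can choose, so the injection risk here is low; moving it into `env:` is still the right convention. The remaining steps of this job, including `make go-version` run from the PR head, lie outside the hunk.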
From: =?UTF-8?q?Martin=20Andr=C3=A9?= Date: Tue, 31 Mar 2026 15:54:29 +0200 Subject: [PATCH 5/9] ci: split semver analysis from label-pr to fix pull_request_target security issue The previous label-pr workflow used pull_request_target to check out and execute code from the PR head with elevated privileges. This is a security risk as pull_request_target has write access to the base repo. Split into two workflows: - semver.yaml: runs the actual analysis under the safe pull_request trigger with read-only permissions - label-pr.yaml: consumes the results via workflow_run trigger to apply labels with write permissions, without ever checking out or executing untrusted code --- .github/workflows/label-pr.yaml | 88 ++++++++++++++------------------- .github/workflows/semver.yaml | 68 +++++++++++++++++++++++++ 2 files changed, 104 insertions(+), 52 deletions(-) create mode 100644 .github/workflows/semver.yaml diff --git a/.github/workflows/label-pr.yaml b/.github/workflows/label-pr.yaml index 6cc8d6843..b6334413f 100644 --- a/.github/workflows/label-pr.yaml +++ b/.github/workflows/label-pr.yaml 
@@ -5,91 +5,75 @@ on: - opened - synchronize - reopened + workflow_run: + workflows: ["Semver analysis"] + types: + - completed permissions: {} jobs: - semver: + semver-label: + if: github.event_name == 'workflow_run' runs-on: ubuntu-latest permissions: - contents: read + actions: read pull-requests: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2 + - name: Download semver results + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # tag=v8.0.1 with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - token: ${{ secrets.GITHUB_TOKEN }} + name: semver-results + run-id: ${{ github.event.workflow_run.id }} + github-token: ${{ secrets.GITHUB_TOKEN }} + + - name: Read PR number + id: pr + run: echo "number=$(cat pr-number)" >> $GITHUB_OUTPUT - - name: Rebase the PR against base ref to ensure actual API compatibility + - name: Report failure + if: github.event.workflow_run.conclusion == 'failure' run: | - git config --global user.email "localrebase@k-orc.cloud" - git config --global user.name "Local rebase" - git rebase -i origin/$BASE_REF + gh pr edit "$NUMBER" --remove-label "semver:major,semver:minor,semver:patch" + gh issue comment "$NUMBER" --body "$BODY" env: - GIT_SEQUENCE_EDITOR: '/usr/bin/true' - BASE_REF: ${{ github.base_ref }} - - - name: Calculate go version - id: vars - run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT - - - name: Set up Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # tag=v6.4.0 - with: - go-version: ${{ steps.vars.outputs.go_version }} - - - name: Checking Go API Compatibility - id: go-apidiff - # if semver=major, this will return RC=1, so let's ignore the failure so label - # can be set later. We check for actual errors in the next step. 
- continue-on-error: true - uses: joelanford/go-apidiff@60c4206be8f84348ebda2a3e0c3ac9cb54b8f685 # tag=v0.8.3 + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPO: ${{ github.repository }} + NUMBER: ${{ steps.pr.outputs.number }} + BODY: > + Failed to assess the semver bump. See [logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.event.workflow_run.id }}) for details. - # go-apidiff returns RC=1 when semver=major, which makes the workflow to return - # a failure. Instead let's just return a failure if go-apidiff failed to run. - - name: Return an error if Go API Compatibility couldn't be verified - if: steps.go-apidiff.outcome != 'success' && steps.go-apidiff.outputs.semver-type != 'major' - run: exit 1 + - name: Read semver type + if: github.event.workflow_run.conclusion == 'success' + id: semver + run: echo "type=$(cat semver-type)" >> $GITHUB_OUTPUT - name: Add label semver:patch - if: steps.go-apidiff.outputs.semver-type == 'patch' + if: github.event.workflow_run.conclusion == 'success' && steps.semver.outputs.type == 'patch' run: gh pr edit "$NUMBER" --add-label "semver:patch" --remove-label "semver:major,semver:minor" env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_REPO: ${{ github.repository }} - NUMBER: ${{ github.event.pull_request.number }} + NUMBER: ${{ steps.pr.outputs.number }} - name: Add label semver:minor - if: steps.go-apidiff.outputs.semver-type == 'minor' + if: github.event.workflow_run.conclusion == 'success' && steps.semver.outputs.type == 'minor' run: gh pr edit "$NUMBER" --add-label "semver:minor" --remove-label "semver:major,semver:patch" env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_REPO: ${{ github.repository }} - NUMBER: ${{ github.event.pull_request.number }} + NUMBER: ${{ steps.pr.outputs.number }} - name: Add label semver:major - if: steps.go-apidiff.outputs.semver-type == 'major' + if: github.event.workflow_run.conclusion == 'success' && steps.semver.outputs.type == 'major' run: gh pr edit "$NUMBER" --add-label 
"semver:major" --remove-label "semver:minor,semver:patch" env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_REPO: ${{ github.repository }} - NUMBER: ${{ github.event.pull_request.number }} - - - name: Report failure - if: failure() - run: | - gh pr edit "$NUMBER" --remove-label "semver:major,semver:minor,semver:patch" - gh issue comment "$NUMBER" --body "$BODY" - exit 1 - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GH_REPO: ${{ github.repository }} - NUMBER: ${{ github.event.pull_request.number }} - BODY: > - Failed to assess the semver bump. See [logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for details. + NUMBER: ${{ steps.pr.outputs.number }} edits: + if: github.event_name == 'pull_request_target' runs-on: ubuntu-latest permissions: contents: read diff --git a/.github/workflows/semver.yaml b/.github/workflows/semver.yaml new file mode 100644 index 000000000..42c5d6a8c --- /dev/null +++ b/.github/workflows/semver.yaml 
@@ -0,0 +1,68 @@ +name: Semver analysis +on: + pull_request: + types: + - opened + - synchronize + - reopened + +permissions: + contents: read + +jobs: + analyze: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2 + with: + fetch-depth: 0 + ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false + + - name: Rebase the PR against base ref to ensure actual API compatibility + run: | + git config --global user.email "localrebase@k-orc.cloud" + git config --global user.name "Local rebase" + git rebase -i origin/$BASE_REF + env: + GIT_SEQUENCE_EDITOR: '/usr/bin/true' + BASE_REF: ${{ github.base_ref }} + + - name: Calculate go version + id: vars + run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT + + - name: Set up Go + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # tag=v6.4.0 + with: + go-version: ${{ steps.vars.outputs.go_version }} + + - name: Checking Go API Compatibility + id: go-apidiff + # if semver=major, this will return RC=1, so let's ignore the failure so label + # can be set later. We check for actual errors in the next step. + continue-on-error: true + uses: joelanford/go-apidiff@60c4206be8f84348ebda2a3e0c3ac9cb54b8f685 # tag=v0.8.3 + + # go-apidiff returns RC=1 when semver=major, which makes the workflow to return + # a failure. Instead let's just return a failure if go-apidiff failed to run. 
+ - name: Return an error if Go API Compatibility couldn't be verified + if: steps.go-apidiff.outcome != 'success' && steps.go-apidiff.outputs.semver-type != 'major' + run: exit 1 + + - name: Save semver result + if: always() + run: | + mkdir -p semver-results + echo "$SEMVER_TYPE" > semver-results/semver-type + echo "$PR_NUMBER" > semver-results/pr-number + env: + SEMVER_TYPE: ${{ steps.go-apidiff.outputs.semver-type }} + PR_NUMBER: ${{ github.event.pull_request.number }} + + - name: Upload semver results + if: always() + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # tag=v7 + with: + name: semver-results + path: semver-results/ From 657196abf038a65ebf3e05ab8333d3022a790f10 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Andr=C3=A9?= Date: Tue, 31 Mar 2026 15:54:54 +0200 Subject: [PATCH 6/9] ci: replace pull_request_target with pull_request in check-pr-labels This workflow has no permissions, checks out no code, and accesses no secrets. It only reads the event payload to check for the hold label. pull_request is sufficient and avoids the security concerns of pull_request_target. --- .github/workflows/check-pr-labels.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/check-pr-labels.yaml b/.github/workflows/check-pr-labels.yaml index 2a98d5ff4..a6a68e880 100644 --- a/.github/workflows/check-pr-labels.yaml +++ b/.github/workflows/check-pr-labels.yaml @@ -1,6 +1,6 @@ name: Ready on: - pull_request_target: + pull_request: types: - labeled - opened From 8e95482727eeddc7c7262c3f0db900263dfc62d5 Mon Sep 17 00:00:00 2001 
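Review bot: semver.yaml is missing a comment marking the trust boundary it creates: the `analyze` job runs `make go-version` and go-apidiff on the PR head, so everything written to `semver-results/` is produced by PR-controlled code, yet the artifact is consumed by a job holding `pull-requests: write`. Add above the `Save semver result` step: `# Everything in semver-results/ comes from PR-controlled code (make, go-apidiff) and` / `# must be treated as untrusted input by the workflow_run consumer in label-pr.yaml.` The same unquoted `git rebase -i origin/$BASE_REF` as in label-pr.yaml is carried over here; quote it as `"origin/$BASE_REF"`.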
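Review bot: Switching this workflow from `pull_request_target` to `pull_request` means it now executes the copy of `check-pr-labels.yaml` from the PR branch rather than from the base branch, so a PR author can edit the workflow in the PR itself; if the `hold` job is used as a required status check, editing it to always succeed is a way around the hold label. The permissions-and-secrets argument in the commit message is correct, and with `permissions: {}` and no checkout the old trigger was equally safe, as the message itself notes, so this is a trade-off rather than a pure security gain and should be stated as such. If the check is enforced by branch protection, consider keeping `pull_request_target` here, or add a note to the file explaining why the PR-side copy is acceptable.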
From: =?UTF-8?q?Martin=20Andr=C3=A9?= Date: Tue, 31 Mar 2026 15:55:49 +0200 Subject: [PATCH 7/9] ci: add zizmor ignore comments for legitimate findings Add inline suppression comments for zizmor (GitHub Actions security scanner) findings that are intentional: - label-pr.yaml: pull_request_target and workflow_run triggers are safe because the jobs never check out or execute untrusted code - container_image.yaml, release_image.yaml: secrets used in docker login command line are acceptable here --- .github/workflows/container_image.yaml | 2 +- .github/workflows/label-pr.yaml | 2 ++ .github/workflows/release_image.yaml | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/container_image.yaml b/.github/workflows/container_image.yaml index 2c4f9f17e..7c59e8e37 100644 --- a/.github/workflows/container_image.yaml +++ b/.github/workflows/container_image.yaml @@ -22,7 +22,7 @@ jobs: persist-credentials: false - run: | - docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io + docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io # zizmor: ignore[secrets-outside-env] docker build -t ${{ env.image_tag_branch }} . docker push ${{ env.image_tag_branch }} diff --git a/.github/workflows/label-pr.yaml b/.github/workflows/label-pr.yaml index b6334413f..723dc1f87 100644 --- a/.github/workflows/label-pr.yaml +++ b/.github/workflows/label-pr.yaml @@ -1,10 +1,12 @@ name: Label PR on: + # zizmor: ignore[dangerous-triggers] edits job only runs actions/labeler, no code checkout pull_request_target: types: - opened - synchronize - reopened + # zizmor: ignore[dangerous-triggers] semver-label job never checks out or executes untrusted code workflow_run: workflows: ["Semver analysis"] types: diff --git a/.github/workflows/release_image.yaml b/.github/workflows/release_image.yaml index 7cd45d893..affdb6f3c 100644 --- a/.github/workflows/release_image.yaml +++ b/.github/workflows/release_image.yaml 
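Review bot: The `# zizmor: ignore[secrets-outside-env]` is appended inside a `run: |` block scalar, where it is part of the shell script rather than a YAML comment, so verify that zizmor honours it there; more importantly, this finding is easy to fix rather than suppress. Here and in release_image.yaml, put the secrets in `env:` and feed the token through stdin, which keeps the password out of the rendered script and off the `docker` process command line. For the two `dangerous-triggers` ignores in label-pr.yaml, confirm the scanner accepts the comment on the line preceding the trigger key; the justification text is worth keeping either way.

```yaml
      - run: |
          echo "$QUAY_TOKEN" | docker login -u "$QUAY_USERNAME" --password-stdin quay.io
          # … unchanged: docker build / docker push …
        env:
          QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
          QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
```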
@@ -21,7 +21,7 @@ jobs: persist-credentials: false - run: | - docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io + docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io # zizmor: ignore[secrets-outside-env] docker build -t ${{ env.image_tag }} . docker push ${{ env.image_tag }} From 2583cbc9e045cac00f6af693aaafe5aaf4ee6715 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Andr=C3=A9?= Date: Tue, 31 Mar 2026 15:56:35 +0200 Subject: [PATCH 8/9] ci: update e2e workflow - Update devstack-action URL from EmilienM to gophercloud (new home) - Deploy ORC with LOGLEVEL=5 for better debugging on CI failures --- .github/workflows/e2e.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index d45297520..4ff55e984 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -33,7 +33,7 @@ jobs: persist-credentials: false - name: Deploy devstack - uses: EmilienM/devstack-action@60ca1042045c0c9e3e001c64575d381654ffcba1 + uses: gophercloud/devstack-action@60ca1042045c0c9e3e001c64575d381654ffcba1 # tag=v0.19 with: enable_workaround_docker_io: 'false' branch: ${{ matrix.openstack_version }} @@ -52,7 +52,7 @@ jobs: - name: Deploy orc run: | kubectl config use-context kind-orc - make deploy IMG=${{ env.image_tag }} + make deploy IMG=${{ env.image_tag }} LOGLEVEL=5 - name: Run e2e tests run: make test-e2e From 7dc6dc2193ed39654999520465333a119fb86c00 Mon Sep 17 00:00:00 2001 
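Review bot: `LOGLEVEL=5` on `make deploy` enables very verbose controller logging, and this same workflow uploads `/tmp/artifacts/*` on any failure (the `Upload logs artifacts on failure` step earlier in the file), where it is readable by anyone with read access to the repository. Before enabling it, confirm that ORC at that verbosity does not log OpenStack credentials, tokens or full request/response bodies from the devstack cloud; if it can, scrub the logs before upload or keep a lower level. Also prefer `make deploy IMG="$image_tag" LOGLEVEL=5`, since `env.image_tag` is already exported to the shell, over expanding `${{ env.image_tag }}` into the script, matching the env-variable style patch 4 adopted.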
From: =?UTF-8?q?Martin=20Andr=C3=A9?= Date: Tue, 31 Mar 2026 16:04:11 +0200 Subject: [PATCH 9/9] ci: disable Go module caching to prevent cache poisoning Disable the default caching behavior of actions/setup-go in workflows that use both pull_request and push triggers. This prevents a potential cache poisoning attack where a malicious PR could inject a compromised cache that is then used by trusted push runs on protected branches. --- .github/workflows/go-lint.yaml | 1 + .github/workflows/unit.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/go-lint.yaml b/.github/workflows/go-lint.yaml index 6d9e2aee8..c1dfd6ba8 100644 --- a/.github/workflows/go-lint.yaml +++ b/.github/workflows/go-lint.yaml @@ -24,6 +24,7 @@ jobs: uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # tag=v6.4.0 with: go-version: ${{ steps.vars.outputs.go_version }} + cache: false - run: | make lint diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml index e59c6d2b8..7716dd504 100644 --- a/.github/workflows/unit.yml +++ b/.github/workflows/unit.yml @@ -28,6 +28,7 @@ jobs: uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # tag=v6.4.0 with: go-version: ${{ steps.vars.outputs.go_version }} + cache: false - run: | make test
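Review bot: The rationale in the commit message does not match GitHub's cache scoping as documented: a `pull_request` run writes caches under the PR's merge ref, and a `push` run on a protected branch can only restore caches from its own branch or the default branch, so a malicious PR cannot feed a cache to trusted push runs through these two workflows. The documented poisoning vector is a privileged run (`pull_request_target` or `workflow_run`) that executes PR code while writing caches in base-branch scope, which this series removes in patch 5. `cache: false` is harmless but costs every lint and unit run a full module download; either keep it and restate the rationale accurately, e.g. `cache: false  # defence in depth: keep PR-built module caches out of trusted runs`, or drop it and rely on the trigger hardening.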