
Commit 1af4fab

Add zizmor workflow
Signed-off-by: smoshiur1237 <moshiur.rahman@est.tech>
1 parent 5cea8c7 commit 1af4fab


5 files changed

+86
-27
lines changed


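--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,10 +12,12 @@ updates:
 target-branch: main
 groups:
 all-github-actions:
-patterns: ["*"]
+patterns: [ "*" ]
 commit-message:
 prefix: ":seedling:"
 include: scope
+cooldown:
+default-days: 7
 labels:
 - "area/dependency"
 - "ok-to-test"
@@ -30,20 +32,22 @@ updates:
 target-branch: main
 groups:
 all-go-mod-patch-and-minor:
-patterns: ["*"]
-update-types: ["patch", "minor"]
+patterns: [ "*" ]
+update-types: [ "patch", "minor" ]
 commit-message:
 prefix: ":seedling:"
 include: scope
 ignore:
 # Ignore controller-runtime major and minor bumps as its upgraded manually.
 - dependency-name: "sigs.k8s.io/controller-runtime"
-update-types: ["version-update:semver-major", "version-update:semver-minor"]
+update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
 # Ignore k8s major and minor bumps and its transitives modules
 - dependency-name: "k8s.io/*"
-update-types: ["version-update:semver-major", "version-update:semver-minor"]
+update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
 - dependency-name: "sigs.k8s.io/controller-tools"
-update-types: ["version-update:semver-major", "version-update:semver-minor"]
+update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
+cooldown:
+default-days: 7
 labels:
 - "area/dependency"
 - "ok-to-test"
@@ -58,10 +62,12 @@ updates:
 target-branch: release-0.14
 groups:
 all-github-actions:
-patterns: ["*"]
+patterns: [ "*" ]
 commit-message:
 prefix: ":seedling:"
 include: scope
+cooldown:
+default-days: 7
 labels:
 - "area/dependency"
 - "ok-to-test"
@@ -76,23 +82,25 @@ updates:
 target-branch: release-0.14
 groups:
 all-go-mod-patch-and-minor:
-patterns: ["*"]
-update-types: ["patch", "minor"]
+patterns: [ "*" ]
+update-types: [ "patch", "minor" ]
 commit-message:
 prefix: ":seedling:"
 include: scope
 ignore:
 # Ignore CAPI major and minor bumps
 - dependency-name: "sigs.k8s.io/cluster-api*"
-update-types: ["version-update:semver-major", "version-update:semver-minor"]
+update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
 # Ignore controller-runtime major and minor bumps as its upgraded manually.
 - dependency-name: "sigs.k8s.io/controller-runtime"
-update-types: ["version-update:semver-major", "version-update:semver-minor"]
+update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
 # Ignore k8s major and minor bumps and its transitives modules
 - dependency-name: "k8s.io/*"
-update-types: ["version-update:semver-major", "version-update:semver-minor"]
+update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
 - dependency-name: "sigs.k8s.io/controller-tools"
-update-types: ["version-update:semver-major", "version-update:semver-minor"]
+update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
+cooldown:
+default-days: 7
 labels:
 - "area/dependency"
 - "ok-to-test"
@@ -107,10 +115,12 @@ updates:
 target-branch: release-0.13
 groups:
 all-github-actions:
-patterns: ["*"]
+patterns: [ "*" ]
 commit-message:
 prefix: ":seedling:"
 include: scope
+cooldown:
+default-days: 7
 labels:
 - "area/dependency"
 - "ok-to-test"
@@ -125,27 +135,30 @@ updates:
 target-branch: release-0.13
 groups:
 all-go-mod-patch-and-minor:
-patterns: ["*"]
-update-types: ["patch", "minor"]
+patterns: [ "*" ]
+update-types: [ "patch", "minor" ]
 commit-message:
 prefix: ":seedling:"
 include: scope
 ignore:
 # Ignore CAPI major and minor bumps
 - dependency-name: "sigs.k8s.io/cluster-api*"
-update-types: ["version-update:semver-major", "version-update:semver-minor"]
+update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
 # Ignore controller-runtime major and minor bumps as its upgraded manually.
 - dependency-name: "sigs.k8s.io/controller-runtime"
-update-types: ["version-update:semver-major", "version-update:semver-minor"]
+update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
 # Ignore k8s major and minor bumps and its transitives modules
 - dependency-name: "k8s.io/*"
-update-types: ["version-update:semver-major", "version-update:semver-minor"]
+update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
 - dependency-name: "sigs.k8s.io/controller-tools"
-update-types: ["version-update:semver-major", "version-update:semver-minor"]
+update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
 # Ignore ORC major and minor bumps to prevent cascading k8s.io and controller-runtime updates
 - dependency-name: "github.com/k-orc/openstack-resource-controller*"
-update-types: ["version-update:semver-major", "version-update:semver-minor"]
+update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
+cooldown:
+default-days: 7
 labels:
 - "area/dependency"
 - "ok-to-test"
+
 ## release-0.13 branch config ends here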
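Review bot: The new `cooldown:` / `default-days: 7` stanza is added verbatim to all six update entries without a comment saying what it is for, while every `ignore` rule in the same file carries a why-comment. Add one line above each, e.g. `# Wait 7 days after a release before proposing it, so short-lived or quickly superseded releases are skipped`. If I recall the Dependabot docs correctly, cooldown applies to version updates only and not to Dependabot security updates; that is worth confirming and recording in the same comment so nobody assumes security fixes are also delayed. The same point applies to all six hunks of this file.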

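--- a/.github/workflows/pr-link-check.yaml
+++ b/.github/workflows/pr-link-check.yaml
@@ -30,20 +30,27 @@ jobs:
 git fetch upstream
 
 - name: Checkout base branch
-run: git checkout "upstream/${{ github.event.pull_request.base.ref }}"
+env:
+BASE_REF: ${{ github.event.pull_request.base.ref }}
+run: git checkout "upstream/${BASE_REF}"
 
 - name: Get list of changed Markdown files
 id: changed-files
+env:
+BASE_REF: ${{ github.event.pull_request.base.ref }}
+HEAD_REF: ${{ github.head_ref }}
 run: |
-git diff --name-only "upstream/${{ github.event.pull_request.base.ref }}...${{ github.head_ref }}" -- "*.md" > changed-files.txt
+git diff --name-only "upstream/${BASE_REF}...${HEAD_REF}" -- "*.md" > changed-files.txt
 cat changed-files.txt
 if [[ -s "changed-files.txt" ]]; then
 echo "Changed md files found"
 echo "foundFiles=true" >> "${GITHUB_ENV}"
 fi
 
 - name: Switch to PR branch
-run: git checkout ${{ github.head_ref }}
+env:
+HEAD_REF: ${{ github.head_ref }}
+run: git checkout "${HEAD_REF}"
 
 - name: Check links in changed files
 if: env.foundFiles == 'true'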
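Review bot: `BASE_REF` is declared in both the "Checkout base branch" and "Get list of changed Markdown files" steps and `HEAD_REF` in that step and "Switch to PR branch", so the same `${{ }}` expressions are now copied into three step-level `env:` blocks. Declaring them once at job level (the job header is above the hunk) keeps the injection-safe pattern with a single place to change: `env:` / `  BASE_REF: ${{ github.event.pull_request.base.ref }}` / `  HEAD_REF: ${{ github.head_ref }}`. The branch names still reach the shell only as environment variables, never through template expansion inside `run:`, which is the property this change is after.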

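--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -19,7 +19,7 @@ jobs:
 release_tag: ${{ steps.release-version.outputs.release_version }}
 if: github.repository == 'kubernetes-sigs/cluster-api-provider-openstack'
 steps:
-- name: Checkout code
+- name: Checkout code # zizmor: ignore[artipacked]
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
 with:
 fetch-depth: 0
@@ -92,7 +92,7 @@ jobs:
 run: echo "RELEASE_TAG=${RELEASE_TAG}" >> ${GITHUB_ENV}
 env:
 RELEASE_TAG: ${{needs.push_release_tags.outputs.release_tag}}
-- name: checkout code
+- name: checkout code # zizmor: ignore[artipacked]
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
 with:
 fetch-depth: 0
@@ -103,6 +103,7 @@ jobs:
 uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # tag=v6.3.0
 with:
 go-version: ${{ env.go_version }}
+cache: false
 - name: generate release artifacts
 run: |
 make release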
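Review bot: The `# zizmor: ignore[artipacked]` markers on both checkout steps suppress the finding without recording why the persisted token is needed, so a later reader cannot tell whether the suppression is still justified. The first checkout sits in the job that exposes `release_tag` as an output and is referenced as `push_release_tags` in the second hunk, so presumably it pushes the tag; extend that marker with the reason, e.g. `# zizmor: ignore[artipacked] -- token needed to push release tags`. For the second checkout, which is followed by `make release`, check whether git credentials are used at all and if not, set `persist-credentials: false` under its `with:` instead of ignoring the finding. Both jobs start outside the hunks.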

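--- a/.github/workflows/update-golangci-lint.yaml
+++ b/.github/workflows/update-golangci-lint.yaml
@@ -36,8 +36,10 @@ jobs:
 echo "CURRENT_VERSION=${CURRENT_VERSION}" >> $GITHUB_OUTPUT
 - name: Update Makefile if needed
 if: ${{ steps.check_version.outputs.current_version != steps.get_version.outputs.latest_version }}
+env:
+LATEST_VERSION: ${{ steps.get_version.outputs.latest_version }}
 run: |
-sed -i "s/GOLANGCI_LINT_VERSION ?= .*/GOLANGCI_LINT_VERSION ?= ${{ steps.get_version.outputs.latest_version }}/" hack/tools/Makefile
+sed -i "s/GOLANGCI_LINT_VERSION ?= .*/GOLANGCI_LINT_VERSION ?= ${LATEST_VERSION}/" hack/tools/Makefile
 - name: Create Pull Request
 if: ${{ steps.check_version.outputs.current_version != steps.get_version.outputs.latest_version }}
 uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # tag=v8.1.0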
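Review bot: Moving `latest_version` into `LATEST_VERSION` removes the template-expansion problem, but on the new `sed` line the value is still spliced into the sed replacement text, so a value containing `/`, `&` or `\` would corrupt the expression or the Makefile rather than be substituted literally. `latest_version` is produced by the `get_version` step outside the hunk, presumably from upstream release metadata, so validate its shape before editing, e.g. `[[ "${LATEST_VERSION}" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unexpected version: ${LATEST_VERSION}" >&2; exit 1; }` as the first line of the `run:` block. The step list continues outside the hunk.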

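--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,36 @@
+---
+# Static analysis for GitHub Actions workflows
+# https://docs.zizmor.sh/
+name: zizmor
+
+on:
+push:
+branches:
+- main
+pull_request:
+branches:
+- main
+
+permissions: {}
+
+jobs:
+zizmor:
+runs-on: ubuntu-latest
+permissions:
+contents: read
+security-events: write
+steps:
+- name: Checkout repository
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
+# Upload SARIF to Security tab on push to main
+- name: Run zizmor (SARIF)
+if: github.event_name == 'push'
+uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
+# Block PRs with findings
+- name: Run zizmor (PR check)
+if: github.event_name == 'pull_request'
+uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
+with:
+advanced-security: false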
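Review bot: Both triggers are restricted to `branches:` / `- main`, while the dependabot config in this same commit maintains workflows on `release-0.14` and `release-0.13`, so workflow changes landing on those branches, including Dependabot's own action bumps, are never scanned. Add the release branches under both `push:` and `pull_request:`, e.g. `branches:` / `  - main` / `  - 'release-*'`. The job-level `security-events: write` is only used by the SARIF step on push; on `pull_request` it is unused and, for fork PRs, the token is read-only anyway, so a short comment above `permissions:` saying the write scope exists for the SARIF upload would help the next reader.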
