Skip to content

Commit 41bcee7

Browse files
authored
Merge pull request #11 from stevebeattie/security/psec-923-chainguard-migration-demo
fix(ci): GitHub Actions security hardening
2 parents cfa1e51 + e112dff commit 41bcee7

4 files changed

Lines changed: 55 additions & 33 deletions

File tree

.github/actionlint.yaml

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
# Repo-wide actionlint configuration.
2+
#
3+
# Suppression rationale:
4+
# - SC2129 is a shellcheck *style* finding suggesting `{ cmd1; cmd2; } >> file`
5+
# instead of N individual `>> file` redirects. The linearized form is more
6+
# readable in GitHub Actions `run:` blocks where conditional logic is
7+
# interleaved between redirects (e.g., updates.yaml's create_pr_update
8+
# flag), so we suppress this rule repo-wide rather than refactor every
9+
# block.
10+
paths:
11+
'.github/workflows/**':
12+
ignore:
13+
- 'shellcheck reported issue.*SC2129'

.github/workflows/release.yaml

Lines changed: 15 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,7 @@ jobs:
3232

3333
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
3434
with:
35+
persist-credentials: false
3536
fetch-depth: 1
3637

3738
- name: Install Cosign
@@ -53,13 +54,13 @@ jobs:
5354
run: |
5455
CURRENT_UNIQUE_IMAGE=$(yq '.image.tag' helm/redis/values.yaml)
5556
echo "Extracted Unique Tags: $CURRENT_UNIQUE_IMAGE"
56-
echo "CURRENT_UNIQUE_TAG=$CURRENT_UNIQUE_IMAGE" >> $GITHUB_ENV
57+
echo "CURRENT_UNIQUE_TAG=$CURRENT_UNIQUE_IMAGE" >> "$GITHUB_ENV"
5758
5859
- name: Setup image full ref env var
5960
id: setup_full_image_ref
6061
run: |
61-
REDIS_IMAGE_FULL_REF="${{ env.REDIS_IMAGE_NAME }}:${{ env.CURRENT_UNIQUE_TAG }}"
62-
echo "REDIS_IMAGE_FULL_REF=$REDIS_IMAGE_FULL_REF" >> $GITHUB_ENV
62+
REDIS_IMAGE_FULL_REF="${REDIS_IMAGE_NAME}:${CURRENT_UNIQUE_TAG}"
63+
echo "REDIS_IMAGE_FULL_REF=$REDIS_IMAGE_FULL_REF" >> "$GITHUB_ENV"
6364
6465
- name: 'Verify Redis Image Signature && pre-pull image'
6566
run: |
@@ -70,8 +71,8 @@ jobs:
7071
cosign verify \
7172
--certificate-oidc-issuer=https://issuer.enforce.dev \
7273
--certificate-identity-regexp="https://issuer.enforce.dev/(${CATALOG_SYNCER}|${APKO_BUILDER})" \
73-
${{ env.REDIS_IMAGE_FULL_REF }} | jq
74-
docker pull ${{ env.REDIS_IMAGE_FULL_REF }}
74+
"${REDIS_IMAGE_FULL_REF}" | jq
75+
docker pull "${REDIS_IMAGE_FULL_REF}"
7576
7677
- name: Add Bitnami Helm repository
7778
run: |
@@ -85,7 +86,7 @@ jobs:
8586

8687
- name: Check if image is available in kind cluster
8788
run: |
88-
kind load docker-image ${{ env.REDIS_IMAGE_FULL_REF }} --name kind-smoke-test
89+
kind load docker-image "${REDIS_IMAGE_FULL_REF}" --name kind-smoke-test
8990
echo "Image loaded into Kind cluster"
9091
9192
- name: Deploy Redis Image using Helm
@@ -104,17 +105,17 @@ jobs:
104105
- name: Build Docker image
105106
run: |
106107
docker build \
107-
--build-arg BUILDER_IMAGE=${{ env.JAVA_BUILDER_IMAGE }} \
108-
--build-arg PACKAGE_MANAGER=${{ env.JAVA_BUILDER_IMAGE_PACKAGE_MANAGER }} \
109-
--build-arg PACKAGE_MANAGER_CMD=${{ env.JAVA_BUILDER_IMAGE_PACKAGE_MANAGER_CMD }} \
110-
--build-arg PACKAGE_MANAGER_CMD_FLAG=${{ env.JAVA_BUILDER_IMAGE_PACKAGE_MANAGER_CMD_FLAG }} \
111-
--build-arg RUNTIME_IMAGE=${{ env.JAVA_RUNTIME_IMAGE }} \
108+
--build-arg "BUILDER_IMAGE=${JAVA_BUILDER_IMAGE}" \
109+
--build-arg "PACKAGE_MANAGER=${JAVA_BUILDER_IMAGE_PACKAGE_MANAGER}" \
110+
--build-arg "PACKAGE_MANAGER_CMD=${JAVA_BUILDER_IMAGE_PACKAGE_MANAGER_CMD}" \
111+
--build-arg "PACKAGE_MANAGER_CMD_FLAG=${JAVA_BUILDER_IMAGE_PACKAGE_MANAGER_CMD_FLAG}" \
112+
--build-arg "RUNTIME_IMAGE=${JAVA_RUNTIME_IMAGE}" \
112113
-f docker/vertx/vertx-redis-client-Dockerfile \
113-
-t localhost:5000/${{ env.VERTX_IMAGE_NAME }} .
114-
114+
-t "localhost:5000/${VERTX_IMAGE_NAME}" .
115+
115116
- name: Sign the Vertx Redis Client image with GitHub OIDC Token
116117
run: |
117-
cosign sign --yes localhost:5000/${{ env.VERTX_IMAGE_NAME }}
118+
cosign sign --yes "localhost:5000/${VERTX_IMAGE_NAME}"
118119
119120
# - name: Load the Vert.x Redis Client image into Kind
120121
# run: |

.github/workflows/updates.yaml

Lines changed: 20 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,7 @@ jobs:
3232
- name: Checkout repository
3333
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
3434
with:
35+
persist-credentials: false
3536
ref: main
3637

3738
- name: Setup Go environment
@@ -66,60 +67,60 @@ jobs:
6667
run: |
6768
CURRENT_UNIQUE_IMAGE=$(yq '.image.tag' helm/redis/values.yaml)
6869
echo "Extracted Unique Tags: $CURRENT_UNIQUE_IMAGE"
69-
echo "CURRENT_UNIQUE_TAG=$CURRENT_UNIQUE_IMAGE" >> $GITHUB_ENV
70+
echo "CURRENT_UNIQUE_TAG=$CURRENT_UNIQUE_IMAGE" >> "$GITHUB_ENV"
7071
7172
- name: Get latest unique tag
7273
id: get_current_unique_tag
7374
run: |
74-
LATEST_UNIQUE_TAG=$(crane ls ${{ env.REDIS_IMAGE }} | grep -E '^[^ ]+-[0-9]{12}$' | grep -v '^latest' | grep -v '\-dev' | sort -Vr | head -n 1)
75-
echo "LATEST_UNIQUE_TAG=${LATEST_UNIQUE_TAG}" >> $GITHUB_ENV
75+
LATEST_UNIQUE_TAG=$(crane ls "${REDIS_IMAGE}" | grep -E '^[^ ]+-[0-9]{12}$' | grep -v '^latest' | grep -v '\-dev' | sort -Vr | head -n 1)
76+
echo "LATEST_UNIQUE_TAG=${LATEST_UNIQUE_TAG}" >> "$GITHUB_ENV"
7677
7778
- name: Compare unique tags
7879
id: compare_unique_tags
7980
run: |
80-
echo "CURRENT_UNIQUE_TAG=${{ env.CURRENT_UNIQUE_TAG }}"
81-
echo "LATEST_UNIQUE_TAG=${{ env.LATEST_UNIQUE_TAG }}"
82-
if [ "${{ env.CURRENT_UNIQUE_TAG }}" != "${{ env.LATEST_UNIQUE_TAG }}" ]; then
83-
echo "UNIQUE_TAGS_CHANGED=true" >> $GITHUB_ENV
81+
echo "CURRENT_UNIQUE_TAG=${CURRENT_UNIQUE_TAG}"
82+
echo "LATEST_UNIQUE_TAG=${LATEST_UNIQUE_TAG}"
83+
if [ "${CURRENT_UNIQUE_TAG}" != "${LATEST_UNIQUE_TAG}" ]; then
84+
echo "UNIQUE_TAGS_CHANGED=true" >> "$GITHUB_ENV"
8485
else
85-
echo "UNIQUE_TAGS_CHANGED=false" >> $GITHUB_ENV
86+
echo "UNIQUE_TAGS_CHANGED=false" >> "$GITHUB_ENV"
8687
fi
8788
8889
- name: Run chainctl images diff
8990
if: env.UNIQUE_TAGS_CHANGED == 'true'
9091
id: diff_vulnerabilities
9192
run: |
92-
OLD_IMAGE="${{ env.REDIS_IMAGE }}:${{ env.CURRENT_UNIQUE_TAG }}"
93-
NEW_IMAGE="${{ env.REDIS_IMAGE }}:${{ env.LATEST_UNIQUE_TAG }}"
93+
OLD_IMAGE="${REDIS_IMAGE}:${CURRENT_UNIQUE_TAG}"
94+
NEW_IMAGE="${REDIS_IMAGE}:${LATEST_UNIQUE_TAG}"
9495
95-
CVE_LIST_JSON=$(chainctl images diff $OLD_IMAGE $NEW_IMAGE 2>/dev/null | jq -c '[.vulnerabilities.removed[] | select(.severity == "Critical" or .severity == "High") | .id]')
96-
echo "CVE_LIST=$CVE_LIST_JSON" >> $GITHUB_ENV
96+
CVE_LIST_JSON=$(chainctl images diff "$OLD_IMAGE" "$NEW_IMAGE" 2>/dev/null | jq -c '[.vulnerabilities.removed[] | select(.severity == "Critical" or .severity == "High") | .id]')
97+
echo "CVE_LIST=$CVE_LIST_JSON" >> "$GITHUB_ENV"
9798
9899
if [ -n "$CVE_LIST_JSON" ]; then
99100
echo "Found CVE fixes for the following CVES: $CVE_LIST_JSON"
100-
echo "FIX_CVE=true" >> $GITHUB_ENV
101+
echo "FIX_CVE=true" >> "$GITHUB_ENV"
101102
else
102103
echo "No CVE fixes available"
103-
echo "FIX_CVE=false" >> $GITHUB_ENV
104+
echo "FIX_CVE=false" >> "$GITHUB_ENV"
104105
fi
105-
106+
106107
- env:
107108
GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
108109
run: |
109110
gh repo list
110-
111+
111112
- name: Update Helm Values
112113
shell: bash
113-
run: yq -i ".image.tag = \"${{ env.LATEST_UNIQUE_TAG }}\"" helm/redis/values.yaml
114+
run: yq -i ".image.tag = strenv(LATEST_UNIQUE_TAG)" helm/redis/values.yaml
114115

115116
- name: Run git diff
116117
id: create_pr_update
117118
shell: bash
118119
run: |
119120
git diff --stat
120-
echo "create_pr_update=false" >> $GITHUB_OUTPUT
121+
echo "create_pr_update=false" >> "$GITHUB_OUTPUT"
121122
if [[ $(git diff --stat) != '' ]]; then
122-
echo "create_pr_update=true" >> $GITHUB_OUTPUT
123+
echo "create_pr_update=true" >> "$GITHUB_OUTPUT"
123124
echo "diff<<EOF" >> "${GITHUB_OUTPUT}"
124125
git diff >> "${GITHUB_OUTPUT}"
125126
echo "EOF" >> "${GITHUB_OUTPUT}"

.github/zizmor.yml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,3 +7,10 @@ rules:
77
dependabot-cooldown:
88
config:
99
days: 3
10+
# Cosmetic pedantic-only findings — suppressed across the campaign.
11+
anonymous-definition:
12+
disable: true
13+
undocumented-permissions:
14+
disable: true
15+
concurrency-limits:
16+
disable: true

0 commit comments

Comments
 (0)