Require read-only runtime cache delegates

MaxRink · MaxRink · commit f048786b261f · 2026-06-18T23:53:06.000+02:00
diff --git a/.github/workflows/spell-check.yaml b/.github/workflows/spell-check.yaml
@@ -2,20 +2,15 @@
 name: Spell Checking
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, reopened, synchronize]
 
 jobs:
   spelling:
     name: Run spell check
     permissions:
       contents: read
-      pull-requests: read
-      actions: read
-    outputs:
-      followup: ${{ steps.spelling.outputs.followup }}
     runs-on: ubuntu-latest
-    if: "contains(github.event_name, 'pull_request') || github.event_name == 'push'"
     concurrency:
       group: spelling-${{ github.event.pull_request.number || github.ref }}
       # note: If you use only_check_changed_files, you do not want cancel-in-progress
@@ -40,22 +35,3 @@ jobs:
             cspell:software-terms/src/software-tools.txt
             cspell:companies/src/companies.txt
             mondoo:mondoo_dictionary.txt
-
-  comment:
-    name: Report
-    runs-on: ubuntu-latest
-    needs: spelling
-    permissions:
-      actions: read
-      contents: read
-      pull-requests: write
-    if: (success() || failure()) && needs.spelling.outputs.followup
-    steps:
-      - name: comment
-        uses: check-spelling/check-spelling@cfb6f7e75bbfc89c71eaa30366d0c166f1bd9c8c # v0.0.26
-        env:
-          INPUT_IGNORE_SECURITY_ADVISORY: Sorry. https://github.com/jsoref/2026-06-16-credential-leak/blob/main/README.md
-        with:
-          checkout: true
-          ignore_security_advisory: Sorry. https://github.com/jsoref/2026-06-16-credential-leak/blob/main/README.md
-          task: ${{ needs.spelling.outputs.followup }}
diff --git a/controllers/container_image/runtime_cache/resources.go b/controllers/container_image/runtime_cache/resources.go
@@ -442,6 +442,9 @@ func Validate(cache v1alpha2.RuntimeCacheScanner) error {
 		if !strings.HasPrefix(delegate.HostPath, "/") {
 			return fmt.Errorf("containers.runtimeCache.delegates[%s].hostPath must be absolute", delegate.Name)
 		}
+		if delegate.ReadOnly != nil && !*delegate.ReadOnly {
+			return fmt.Errorf("containers.runtimeCache.delegates[%s].readOnly must be true", delegate.Name)
+		}
 	}
 	return nil
 }
diff --git a/controllers/container_image/runtime_cache/resources_test.go b/controllers/container_image/runtime_cache/resources_test.go
@@ -60,6 +60,10 @@ func TestValidateRuntimeCache(t *testing.T) {
 	cfg.Delegates[0].HostPath = "relative.sock"
 	assert.ErrorContains(t, Validate(cfg), "hostPath must be absolute")
 
+	cfg = runtimeCacheAuditConfig().Spec.Containers.RuntimeCache
+	cfg.Delegates[0].ReadOnly = ptr.To(false)
+	assert.ErrorContains(t, Validate(cfg), "readOnly must be true")
+
 	cfg = runtimeCacheAuditConfig().Spec.Containers.RuntimeCache
 	cfg.Delegates[0].Name = strings.Repeat("a", 64)
 	assert.ErrorContains(t, Validate(cfg), "must be a valid DNS label")

Original file line number	Diff line number	Diff line change
`@@ -442,6 +442,9 @@ func Validate(cache v1alpha2.RuntimeCacheScanner) error {`
`442`	`442`	`if !strings.HasPrefix(delegate.HostPath, "/") {`
`443`	`443`	`return fmt.Errorf("containers.runtimeCache.delegates[%s].hostPath must be absolute", delegate.Name)`
`444`	`444`	`}`
	`445`	`+ if delegate.ReadOnly != nil && !*delegate.ReadOnly {`
	`446`	`+ return fmt.Errorf("containers.runtimeCache.delegates[%s].readOnly must be true", delegate.Name)`
	`447`	`+ }`
`445`	`448`	`}`
`446`	`449`	`return nil`
`447`	`450`	`}`