DONOTMERGE: do not merge: test parent repo workflow security

.github/actions/link-check/config.json

@@ -0,0 +1,3 @@
+{
+  "aliveStatusCodes": [429, 200, 406]
+}

.github/env

@@ -1,4 +1,4 @@
-golang-version=1.23.1
+golang-version=1.24.3
 operator-sdk-version=v1.33.0
 MONDOO_ORG_MRN=//captain.api.mondoo.app/organizations/mondoo-operator-testing
 MONDOO_GQL_ENDPOINT=https://api.mondoo.com/query

.github/workflows/cla.yaml

@@ -11,7 +11,7 @@ jobs:
     steps:
       - name: "CLA Assistant"
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the Mondoo CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: contributor-assistant/github-action@v2.6.1
+        uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_ACCESS_TOKEN }}

.github/workflows/cloud-tests.yaml

@@ -55,15 +55,15 @@ jobs:
         k8s-version: ["1.27", "1.28", "1.29"]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0 # fetch is needed for "git tag --list" in the Makefile
 
       - name: Import environment variables from file
         run: cat ".github/env" >> $GITHUB_ENV
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v3
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
 
       - name: Terraform init
         run: terraform init
@@ -81,7 +81,7 @@ jobs:
           TF_VAR_k8s_version: ${{ matrix.k8s-version }}
         working-directory: .github/terraform/aks
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version: "${{ env.golang-version }}"
           cache: true
@@ -106,7 +106,7 @@ jobs:
         if: success() || failure()
 
       - name: Upload cloud test results
-        uses: actions/upload-artifact@v4  # upload test results
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: success() || failure()        # run this step even if previous step failed
         with:                             # upload a combined archive with unit and integration test results
           name: cloud-test-results-aks-${{ matrix.k8s-version }}
@@ -115,7 +115,7 @@ jobs:
             .github/terraform/aks/aks-${{ matrix.k8s-version }}.json
 
       - name: Upload test logs artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: failure()
         with:
           name: test-logs-aks-${{ matrix.k8s-version }}
@@ -138,15 +138,15 @@ jobs:
       AWS_REGION: us-east-2
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0 # fetch is needed for "git tag --list" in the Makefile
 
       - name: Import environment variables from file
         run: cat ".github/env" >> $GITHUB_ENV
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v3
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
 
       - run: terraform init
         working-directory: .github/terraform/aws
@@ -163,7 +163,7 @@ jobs:
           TF_VAR_kubernetes_version: ${{ matrix.k8s-version }}
         working-directory: .github/terraform/aws
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version: "${{ env.golang-version }}"
           cache: true
@@ -188,14 +188,14 @@ jobs:
         if: success() || failure()
 
       - name: Upload test results
-        uses: actions/upload-artifact@v4  # upload test results
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: success() || failure()        # run this step even if previous step failed
         with:                             # upload a combined archive with unit and integration test results
           name: cloud-test-results-eks-${{ matrix.k8s-version }}
           path: integration-tests-eks-${{ matrix.k8s-version }}.xml
 
       - name: Upload test logs artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: failure()
         with:
           name: test-logs-eks-${{ matrix.k8s-version }}
@@ -215,7 +215,7 @@ jobs:
       KUBECONFIG: ${{ format('{0}/{1}', github.workspace, '.github/terraform/gke/kubeconfig') }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0 # fetch is needed for "git tag --list" in the Makefile
 
@@ -226,7 +226,7 @@ jobs:
         run: echo ${{ secrets.GCP_SERVICE_ACCOUNT }} | base64 -d > gcp_sa.json
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v3
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
 
       - run: terraform init
         working-directory: .github/terraform/gke
@@ -243,7 +243,7 @@ jobs:
           TF_VAR_k8s_version: ${{ matrix.k8s-version }}
         working-directory: .github/terraform/gke
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version: "${{ env.golang-version }}"
           cache: true
@@ -272,14 +272,14 @@ jobs:
         if: success() || failure()
 
       - name: Upload test results
-        uses: actions/upload-artifact@v4  # upload test results
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: success() || failure()        # run this step even if previous step failed
         with:                             # upload a combined archive with unit and integration test results
           name: cloud-test-results-gke-${{ matrix.k8s-version }}
           path: integration-tests-gke-${{ matrix.k8s-version }}.xml
 
       - name: Upload test logs artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: failure()
         with:
           name: test-logs-gke-${{ matrix.k8s-version }}
@@ -292,13 +292,13 @@ jobs:
     if: always()
     steps:
     - name: Download test results
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         pattern: cloud-test-results-*
         merge-multiple: true
 
     - name: Publish Test Results
-      uses: EnricoMi/publish-unit-test-result-action@v2
+      uses: EnricoMi/publish-unit-test-result-action@3a74b2957438d0b6e2e61d67b05318aa25c9e6c6 # v2.20.0
       with:
         commit: ${{ github.event.workflow_run.head_sha }}
         event_file: ${{ github.event_path }}
@@ -312,7 +312,7 @@ jobs:
     # Run only if the previous job has failed and only if it's running against the main branch
     if: ${{ always() && contains(join(needs.*.result, ','), 'fail') && github.ref_name == 'main' }}
     steps:
-      - uses: sarisia/actions-status-discord@v1
+      - uses: sarisia/actions-status-discord@11a0bfe3b50977e38aa2bd4a4ebd296415e83c19 # v1.15.4
         with:
           webhook: ${{ secrets.DISCORD_WEBHOOK }}
           status: Failure

.github/workflows/cnspec.yaml

@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Sanitize version input (Workflow Dispatch)
         if: github.event_name == 'workflow_dispatch'
@@ -45,34 +45,34 @@ jobs:
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       - name: Log into registry ghcr.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Authenticate with Google Cloud
-        uses: "google-github-actions/auth@v2"
+        uses: "google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093" # v3.0.0
         with:
           credentials_json: "${{ secrets.GCP_ARTIFACT_REGISTRY_SA }}"
 
       - name: "Set up Cloud SDK"
-        uses: "google-github-actions/setup-gcloud@v2"
+        uses: "google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db" # v3.0.1
 
       - name: Docker Login (GCR)
         run: |
           gcloud auth configure-docker us-docker.pkg.dev
       - name: "Setup Docker Buildx"
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
         with:
           images: |
             ${{ env.GHCR_IMAGE }}
@@ -86,12 +86,12 @@ jobs:
 
       - name: Build and push cnspec image
         id: build-and-push-operator
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           file: cnspec.Dockerfile
           build-args: VERSION=${{ env.VERSION }}${{ matrix.suffix }}
           platforms: linux/amd64,linux/arm64
           push: true
           labels: ${{ steps.meta.outputs.labels }}
-          tags: ${{ steps.meta.outputs.tags }}
+          tags: ${{ steps.meta.outputs.tags }}

.github/workflows/integration-tests.yaml

@@ -26,11 +26,11 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        k8s-version: [v1.28.9, v1.29.4] #v1.30.0] k3d doesn't support 1.30 yet
+        k8s-version: [v1.31.9, v1.32.9, v1.33.5, v1.34.1]
         k8s-distro: [minikube, k3d]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           persist-credentials: false
@@ -46,13 +46,13 @@ jobs:
           kubernetes-version: ${{ matrix.k8s-version }}
 
       - name: Start k3d
-        uses: nolar/setup-k3d-k3s@v1
+        uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96 # v1.0.9
         if: matrix.k8s-distro == 'k3d'
         with:
           version: ${{ matrix.k8s-version }}
           k3d-args: --k3s-arg=--disable=traefik@server:*
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version: "${{ env.golang-version }}"
 
@@ -76,14 +76,14 @@ jobs:
       - run: mv integration-tests.xml integration-tests-${{ matrix.k8s-distro }}-${{ matrix.k8s-version }}.xml
         if: success() || failure()
 
-      - uses: actions/upload-artifact@v4  # upload test results
-        if: success() || failure()        # run this step even if previous step failed
-        with:                             # upload a combined archive with unit and integration test results
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: success() || failure() # run this step even if previous step failed
+        with: # upload a combined archive with unit and integration test results
           name: test-results-${{ matrix.k8s-distro }}-${{ matrix.k8s-version }}
           path: integration-tests-${{ matrix.k8s-distro }}-${{ matrix.k8s-version }}.xml
 
       - name: Upload test logs artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: failure()
         with:
           name: test-logs-${{ matrix.k8s-distro }}-${{ matrix.k8s-version }}
@@ -96,7 +96,7 @@ jobs:
     # Run only if the previous job has failed and only if it's running against the main branch
     if: ${{ always() && contains(join(needs.*.result, ','), 'fail') && github.ref_name == 'main' }}
     steps:
-      - uses: sarisia/actions-status-discord@v1
+      - uses: sarisia/actions-status-discord@11a0bfe3b50977e38aa2bd4a4ebd296415e83c19 # v1.15.4
         with:
           webhook: ${{ secrets.DISCORD_WEBHOOK }}
           status: Failure

.github/workflows/leftover-spaces-cleaner.yaml

@@ -0,0 +1,27 @@
+name: Leftover spaces cleanup
+
+on:
+  schedule:
+    # Every Sunday at 11PM
+    - cron: '0 23 * * 0'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    name: Leftover spaces cleanup 
+    steps:
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+    - name: Set up Go
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      with:
+        go-version: '1.24'
+
+    - name: Run leftover spaces cleanup
+      run: go run cmd/test-space-cleaner/main.go
+      env:
+        MONDOO_API_TOKEN: ${{ secrets.MONDOO_TEST_ORG_TOKEN }}
+        MONDOO_ORG_MRN: '//captain.api.mondoo.app/organizations/mondoo-operator-testing'
+        MONDOO_GQL_ENDPOINT: 'https://api.mondoo.com/query'
+
+

.github/workflows/link-check.yaml

@@ -1,19 +1,20 @@
 ---
-    name: Link Checking
+name: Link Checking
 
-    "on":
-      pull_request:
-      push:
-        branches: [main]
+"on":
+  pull_request:
+  push:
+    branches: [main]
 
-    jobs:
-      md-links:
-        name: Run markdown link check
-        runs-on: ubuntu-latest
-        steps:
-          - name: Check out code
-            uses: actions/checkout@v4
-          - name: markdown-link-check
-            uses: gaurav-nelson/github-action-markdown-link-check@v1
-            with:
-              use-verbose-mode: "yes"
+jobs:
+  md-links:
+    name: Run markdown link check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: markdown-link-check
+        uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368
+        with:
+          use-verbose-mode: "yes"
+          config-file: ".github/actions/link-check/config.json"