Github workflow security issues (high-priority) (#117)

Author: vigneshintel

.github/workflows/post-merge-admin.yml

@@ -15,7 +15,7 @@ on:
 
 jobs:
   post-merge-pipeline:
-    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@main
+    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@3418f8ec5279259494a2da98d5995c561a951a3a
     with:
       bootstrap_tools: "base,helm,yq,jq"
       run_version_check: true

.github/workflows/post-merge-app-orch.yml

@@ -15,7 +15,7 @@ on:
 
 jobs:
   post-merge-pipeline:
-    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@main
+    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@3418f8ec5279259494a2da98d5995c561a951a3a
     with:
       bootstrap_tools: "base,helm,yq,jq"
       run_version_check: true

.github/workflows/post-merge-cluster-orch.yml

@@ -15,7 +15,7 @@ on:
 
 jobs:
   post-merge-pipeline:
-    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@main
+    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@3418f8ec5279259494a2da98d5995c561a951a3a
     with:
       bootstrap_tools: "base,helm,yq,jq"
       run_version_check: true

.github/workflows/post-merge-infra.yml

@@ -15,7 +15,7 @@ on:
 
 jobs:
   post-merge-pipeline:
-    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@main
+    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@3418f8ec5279259494a2da98d5995c561a951a3a
     with:
       bootstrap_tools: "base,helm,yq,jq"
       run_version_check: true

.github/workflows/post-merge-root.yml

@@ -15,7 +15,7 @@ on:
 
 jobs:
   post-merge-pipeline:
-    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@main
+    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@3418f8ec5279259494a2da98d5995c561a951a3a
     with:
       bootstrap_tools: "base,helm,yq,jq"
       run_version_check: true

.github/workflows/post-merge-tests.yml

@@ -15,7 +15,7 @@ on:
 
 jobs:
   post-merge-pipeline:
-    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@main
+    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@3418f8ec5279259494a2da98d5995c561a951a3a
     with:
       bootstrap_tools: "base,helm,yq,jq"
       run_version_check: true

.github/workflows/pr-checks.yml

@@ -20,15 +20,15 @@ jobs:
         run: git config --global --add safe.directory $GITHUB_WORKSPACE
 
       - name: Discover changed files at root level
-        uses: open-edge-platform/orch-ci/discover-changed-files@main
+        uses: open-edge-platform/orch-ci/discover-changed-files@3418f8ec5279259494a2da98d5995c561a951a3a
         id: root-file-changes
 
       - name: Discover changed folders at root level
-        uses: open-edge-platform/orch-ci/discover-changed-subfolders@main
+        uses: open-edge-platform/orch-ci/discover-changed-subfolders@3418f8ec5279259494a2da98d5995c561a951a3a
         id: discover-changes
 
       - name: Discover changed apps
-        uses: open-edge-platform/orch-ci/discover-changed-subfolders@main
+        uses: open-edge-platform/orch-ci/discover-changed-subfolders@3418f8ec5279259494a2da98d5995c561a951a3a
         id: discover-changes-apps
         with:
           project_folder: "apps"
@@ -87,7 +87,7 @@ jobs:
       fail-fast: false
       matrix:
         project_folder: ${{ (needs.setup-conditions.outputs.common_condition == 'true' && fromJson('["admin", "app-orch", "cluster-orch", "infra", "root"]')) || fromJson(needs.detect-changed-folders.outputs.changed_apps) }}
-    uses: open-edge-platform/orch-ci/.github/workflows/pre-merge.yml@feature/push-dev-images
+    uses: open-edge-platform/orch-ci/.github/workflows/pre-merge.yml@3418f8ec5279259494a2da98d5995c561a951a3a
     with:
       bootstrap_tools: "base,helm,yq,jq"
       run_security_scans: true

apps/admin/deploy/templates/deployment.yaml

@@ -52,6 +52,7 @@ spec:
               mountPath: /usr/share/nginx/html/runtime-config.js
               subPath: runtime-config.js
           securityContext:
+            readOnlyRootFilesystem: true
             allowPrivilegeEscalation: false
             capabilities:
               drop: ["ALL"]

apps/app-orch/deploy/templates/deployment.yaml

@@ -52,6 +52,7 @@ spec:
               mountPath: /usr/share/nginx/html/runtime-config.js
               subPath: runtime-config.js
           securityContext:
+            readOnlyRootFilesystem: true
             allowPrivilegeEscalation: false
             capabilities:
               drop: ["ALL"]

apps/cluster-orch/deploy/templates/deployment.yaml

@@ -52,6 +52,7 @@ spec:
               mountPath: /usr/share/nginx/html/runtime-config.js
               subPath: runtime-config.js
           securityContext:
+            readOnlyRootFilesystem: true
             allowPrivilegeEscalation: false
             capabilities:
               drop: ["ALL"]