rancher
diff --git a/‎.github/renovate.json‎
Lines changed: 24 additions & 2 deletions b/‎.github/renovate.json‎
Lines changed: 24 additions & 2 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 48 additions & 0 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎.github/workflows/label-all-new-issues.yml‎
Lines changed: 3 additions & 2 deletions b/‎.github/workflows/label-all-new-issues.yml‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 4 additions & 2 deletions b/‎.github/workflows/release.yml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎.github/workflows/renovate-vault.yml‎
Lines changed: 27 additions & 5 deletions b/‎.github/workflows/renovate-vault.yml‎
Lines changed: 27 additions & 5 deletions
diff --git a/‎.github/workflows/scorecard.yml‎
Lines changed: 62 additions & 0 deletions b/‎.github/workflows/scorecard.yml‎
Lines changed: 62 additions & 0 deletions
diff --git a/‎.github/workflows/tests.yml‎
Lines changed: 7 additions & 7 deletions b/‎.github/workflows/tests.yml‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎chart/Chart.yaml‎
Lines changed: 2 additions & 2 deletions b/‎chart/Chart.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎chart/values.yaml‎
Lines changed: 3 additions & 3 deletions b/‎chart/values.yaml‎
Lines changed: 3 additions & 3 deletions
@@ -1,9 +1,31 @@
 {
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "github>rancher/renovate-config#release"
+    "github>rancher/renovate-config//rancher-main#main"
   ],
   "baseBranches": [
     "main"
   ],
-  "prHourlyLimit": 2
+  "prHourlyLimit": 2,
+  "ignoreDeps":[
+    "github.com/rancher/lasso"
+  ],
+  "packageRules": [
+    {
+      "matchBaseBranches": ["release/v1.4"],
+      "extends": ["github>rancher/renovate-config//rancher-2.11#main"]
+    },
+    {
+      "matchBaseBranches": ["release/v1.3"],
+      "extends": ["github>rancher/renovate-config//rancher-2.10#main"]
+    },
+    {
+      "matchBaseBranches": ["release/v1.2"],
+      "extends": ["github>rancher/renovate-config//rancher-2.9#main"]
+    }
+  ],
+  "vulnerabilityAlerts": {
+    "enabled": true
+  },
+  "osvVulnerabilityAlerts": true
 }
@@ -0,0 +1,48 @@
+name: CodeQL
+on:
+  workflow_call:
+  pull_request:
+
+  push:
+    branches:
+    - main
+
+  schedule:
+    - cron: '00 9 * * 2'
+
+permissions: {}
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go', 'actions' ]
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
+        with:
+          languages: ${{ matrix.language }}
+          # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # xref: https://codeql.github.com/codeql-query-help/go/
+          queries: security-and-quality
+
+      - name: Manual Build
+        run: go build ./...
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
+        with:
+          category: "/language:${{matrix.language}}"
@@ -5,12 +5,13 @@ on:
       - opened
       - reopened
 
-permissions:
-  issues: write
+permissions: {}
 
 jobs:
   label_issues:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
       - name: Label issue
         id: run
 
@@ -5,6 +5,8 @@ on:
     tags:
       - 'v*'
 
+permissions: {}
+
 jobs:
 
   publish:
@@ -32,7 +34,7 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Load Secrets from Vault
       uses: rancher-eio/read-vault-secrets@main
@@ -68,7 +70,7 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - run: make upload
       env:
 
@@ -5,16 +5,35 @@ on:
       logLevel:
         description: "Override default log level"
         required: false
-        default: "info"
-        type: string
+        default: info
+        type: choice
+        options:
+          - info
+          - debug
       overrideSchedule:
         description: "Override all schedules"
         required: false
         default: "false"
+        type: choice
+        options:
+          - "false"
+          - "true"
+      configMigration:
+        description: "Toggle PRs for config migration"
+        required: false
+        default: "true"
+        type: choice
+        options:
+          - "false"
+          - "true"
+      renovateConfig:
+        description: "Define a custom renovate config file"
+        required: false
+        default: ".github/renovate.json"
         type: string
-  # Run twice in the early morning (UTC) for initial and follow up steps (create pull request and merge)
+
   schedule:
-    - cron: '30 4,6 * * *'
+    - cron: '30 4,6 * * 2-4'
 
 permissions:
   contents: read
@@ -24,6 +43,9 @@ jobs:
   call-workflow:
     uses: rancher/renovate-config/.github/workflows/renovate-vault.yml@release
     with:
+      configMigration: ${{ inputs.configMigration || 'true' }}
       logLevel: ${{ inputs.logLevel || 'info' }}
       overrideSchedule: ${{ github.event.inputs.overrideSchedule == 'true' && '{''schedule'':null}' || '' }}
-    secrets: inherit
+      renovateConfig: ${{ inputs.renovateConfig || '.github/renovate.json' }}
+    secrets:
+      override-token: "${{ secrets.RENOVATE_FORK_GH_TOKEN || '' }}"
@@ -0,0 +1,62 @@
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '20 5 * * 0'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
+        with:
+          sarif_file: results.sarif
@@ -12,10 +12,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Install Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
         go-version: 'stable'
     - run: make validate
@@ -33,10 +33,10 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Install Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
         go-version: 'stable'
 
@@ -60,11 +60,11 @@ jobs:
         brew install docker
         colima start
     - name: Setup QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
     - name: Setup Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Test building images
       run: make test-image
 
@@ -1,4 +1,4 @@
-# cis-operator
+# cis-operator [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/rancher/cis-operator/badge)](https://scorecard.dev/viewer/?uri=github.com/rancher/cis-operator)
 
 The cis-operator enables running CIS benchmark security scans on a Kubernetes cluster and generate compliance reports that can be downloaded.
 Benchmarks tests and the execution logic lives on [rancher/security-scan].
 
@@ -12,11 +12,11 @@ annotations:
   catalog.cattle.io/type: cluster-tool
   catalog.cattle.io/ui-component: rancher-cis-benchmark
 apiVersion: v1
-appVersion: v6.8.0
+appVersion: v6.9.0-rc.1
 description: The cis-operator enables running CIS benchmark security scans on a kubernetes
   cluster
 icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
 keywords:
 - security
 name: rancher-cis-benchmark
-version: 6.8.0
+version: 6.9.0-rc.1
@@ -5,10 +5,10 @@
 image:
   cisoperator:
     repository: rancher/cis-operator
-    tag: v1.2.6
+    tag: v1.2.7-rc.1
   securityScan:
     repository: rancher/security-scan
-    tag: v0.4.4
+    tag: v0.4.5-rc.1
   sonobuoy:
     repository: rancher/mirrored-sonobuoy-sonobuoy
     tag: v0.57.3
@@ -45,7 +45,7 @@ global:
     clusterName: ""
   kubectl:
     repository: rancher/kubectl
-    tag: v1.29.14
+    tag: v1.29.15
 
 alerts:
   enabled: false
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# cis-operator`
	`1`	`+# cis-operator [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/rancher/cis-operator/badge)](https://scorecard.dev/viewer/?uri=github.com/rancher/cis-operator)`
`2`	`2`
`3`	`3`	`The cis-operator enables running CIS benchmark security scans on a Kubernetes cluster and generate compliance reports that can be downloaded.`
`4`	`4`	`Benchmarks tests and the execution logic lives on [rancher/security-scan].`