[release/v1.4] sync changes from main

.github/renovate.json

@@ -1,135 +1,30 @@
 {
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "github>rancher/renovate-config#release"
+    "github>rancher/renovate-config//rancher-main#main"
   ],
   "baseBranches": [
-    "main", 
-    "release/v1.1", 
-    "release/v1.2", 
-    "release/v1.3",
-    "release/v1.4"
+    "main"
   ],
   "ignoreDeps":[
     "github.com/rancher/lasso"
   ],
-  "prHourlyLimit": 4,
   "packageRules": [
     {
-      "matchBaseBranches": [
-        "main",
-        "release/v1.4"
-      ],
-      "matchDepNames": [
-        "k8s.io/api",
-        "k8s.io/apiextensions-apiserver",
-        "k8s.io/apimachinery",
-        "k8s.io/client-go"
-      ],
-      "allowedVersions": "<0.33.0"
-    },
-    {
-      "matchBaseBranches": [
-        "release/v1.3"
-      ],
-      "matchDepNames": [
-        "k8s.io/api",
-        "k8s.io/apiextensions-apiserver",
-        "k8s.io/apimachinery",
-        "k8s.io/client-go"
-      ],
-      "allowedVersions": "<0.32.0"
-    },
-    {
-      "matchBaseBranches": [
-        "release/v1.4"
-      ],
-      "matchDepNames": [
-        "github.com/rancher/security-scan"
-      ],
-      "allowedVersions": "<v0.7.0"
-    },
-    {
-      "matchBaseBranches": [
-        "release/v1.3"
-      ],
-      "matchDepNames": [
-        "github.com/rancher/security-scan"
-      ],
-      "allowedVersions": "<v0.6.0"
-    },
-    {
-      "matchBaseBranches": ["release/v1.2"],
-      "matchDepNames": [
-        "k8s.io/api",
-        "k8s.io/apiextensions-apiserver",
-        "k8s.io/apimachinery",
-        "k8s.io/client-go"
-      ],
-      "allowedVersions": "<0.31.0"
-    },
-    {
-      "matchBaseBranches": ["release/v1.2"],
-      "matchDepNames": [
-        "github.com/rancher/security-scan"
-      ],
-      "allowedVersions": "<v0.5.0"
-    },
-    {
-      "matchBaseBranches": ["release/v1.1"],
-      "matchDepNames": [
-        "k8s.io/api",
-        "k8s.io/apiextensions-apiserver",
-        "k8s.io/apimachinery",
-        "k8s.io/client-go"
-      ],
-      "allowedVersions": "<0.31.0"
-    },
-    {
-      "matchBaseBranches": ["release/v1.1"],
-      "matchDepNames": [
-        "github.com/rancher/security-scan"
-      ],
-      "allowedVersions": "<v0.4.0"
+      "matchBaseBranches": ["release/v1.4"],
+      "extends": ["github>rancher/renovate-config//rancher-2.11#main"]
     },
     {
       "matchBaseBranches": ["release/v1.3"],
-      "matchDepNames": [
-        "github.com/prometheus-operator/prometheus-operator/pkg/client",
-        "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring"
-      ],
-      "allowedVersions": "<v0.79.0"
+      "extends": ["github>rancher/renovate-config//rancher-2.10#main"]
     },
     {
-      "matchBaseBranches": [
-        "release/v1.1",
-        "release/v1.2"
-      ],
-      "matchDepNames": [
-        "github.com/prometheus-operator/prometheus-operator/pkg/client",
-        "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring"
-      ],
-      "allowedVersions": "<v0.75.0"
-    },
-    {
-      "matchBaseBranches": [
-        "release/v1.1",
-        "release/v1.2",
-        "release/v1.3"
-      ],
-      "matchDepNames": [
-        "github.com/urfave/cli"
-      ],
-      "allowedVersions": "<v2.0.0"
-    },
-    {
-      "matchBaseBranches": [
-        "release/v1.1",
-        "release/v1.2"
-      ],
-      "matchDepNames": [
-        "github.com/rancher/wrangler"
-      ],
-      "allowedVersions": "<v3.0.1"
+      "matchBaseBranches": ["release/v1.2"],
+      "extends": ["github>rancher/renovate-config//rancher-2.9#main"]
     }
-  ]
+  ],
+  "vulnerabilityAlerts": {
+    "enabled": true
+  },
+  "osvVulnerabilityAlerts": true
 }

.github/workflows/codeql.yml

@@ -0,0 +1,48 @@
+name: CodeQL
+on:
+  workflow_call:
+  pull_request:
+
+  push:
+    branches:
+    - main
+
+  schedule:
+    - cron: '00 9 * * 2'
+
+permissions: {}
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go', 'actions' ]
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
+        with:
+          languages: ${{ matrix.language }}
+          # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # xref: https://codeql.github.com/codeql-query-help/go/
+          queries: security-and-quality
+
+      - name: Manual Build
+        run: go build ./...
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/label-all-new-issues.yml

@@ -5,12 +5,13 @@ on:
       - opened
       - reopened
 
-permissions:
-  issues: write
+permissions: {}
 
 jobs:
   label_issues:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
       - name: Label issue
         id: run

.github/workflows/release.yml

@@ -5,6 +5,8 @@ on:
     tags:
       - 'v*'
 
+permissions: {}
+
 jobs:
 
   publish:
@@ -32,7 +34,7 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Load Secrets from Vault
       uses: rancher-eio/read-vault-secrets@main
@@ -68,7 +70,7 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - run: make upload
       env:

.github/workflows/renovate-vault.yml

@@ -5,16 +5,35 @@ on:
       logLevel:
         description: "Override default log level"
         required: false
-        default: "info"
-        type: string
+        default: info
+        type: choice
+        options:
+          - info
+          - debug
       overrideSchedule:
         description: "Override all schedules"
         required: false
         default: "false"
+        type: choice
+        options:
+          - "false"
+          - "true"
+      configMigration:
+        description: "Toggle PRs for config migration"
+        required: false
+        default: "true"
+        type: choice
+        options:
+          - "false"
+          - "true"
+      renovateConfig:
+        description: "Define a custom renovate config file"
+        required: false
+        default: ".github/renovate.json"
         type: string
-  # Run twice in the early morning (UTC) for initial and follow up steps (create pull request and merge)
+
   schedule:
-    - cron: '30 4,6 * * *'
+    - cron: '30 4,6 * * 2-4'
 
 permissions:
   contents: read
@@ -24,6 +43,9 @@ jobs:
   call-workflow:
     uses: rancher/renovate-config/.github/workflows/renovate-vault.yml@release
     with:
+      configMigration: ${{ inputs.configMigration || 'true' }}
       logLevel: ${{ inputs.logLevel || 'info' }}
       overrideSchedule: ${{ github.event.inputs.overrideSchedule == 'true' && '{''schedule'':null}' || '' }}
-    secrets: inherit
+      renovateConfig: ${{ inputs.renovateConfig || '.github/renovate.json' }}
+    secrets:
+      override-token: "${{ secrets.RENOVATE_FORK_GH_TOKEN || '' }}"

.github/workflows/scorecard.yml

@@ -0,0 +1,62 @@
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '20 5 * * 0'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
+        with:
+          sarif_file: results.sarif

.github/workflows/tests.yml

@@ -12,10 +12,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Install Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
         go-version: 'stable'
     - run: make validate
@@ -33,10 +33,10 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Install Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
         go-version: 'stable'
 
@@ -60,11 +60,11 @@ jobs:
         brew install docker
         colima start
     - name: Setup QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
     - name: Setup Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Test building images
       run: make test-image