Backport Supply Chain Hardening and immutable Release changes (#4932)

Author: thardeck

.github/scripts/determine-cache-key.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Install crust-gather from a pinned release, verifying the SHA-256 checksum
+# before placing the binary on PATH.
+#
+# renovate: datasource=github-releases depName=crust-gather/crust-gather
+CRUST_GATHER_VERSION="v0.13.0"
+# Strip leading 'v' for the archive name
+CRUST_GATHER_VER="${CRUST_GATHER_VERSION#v}"
+
+# shellcheck disable=SC2034
+# renovate: datasource=github-release-attachments depName=crust-gather/crust-gather digestVersion=v0.13.0
+CRUST_GATHER_SUM_amd64="a5870ca76387d1c24ffceaa614671a92823a49113fb3ecd0f33dd23acf975f7c"
+# shellcheck disable=SC2034
+# renovate: datasource=github-release-attachments depName=crust-gather/crust-gather digestVersion=v0.13.0
+CRUST_GATHER_SUM_arm64="103deb2d2d67da03859125031caa34d1938974bb0e160dbbdbb23e41521d2a47"
+
+set -euo pipefail
+
+ARCH=$(uname -m)
+case "${ARCH}" in
+  x86_64)  ARCH="amd64" ;;
+  aarch64) ARCH="arm64" ;;
+  *) echo "Unsupported architecture: ${ARCH}"; exit 1 ;;
+esac
+
+DEST="${INSTALL_DIR:-${HOME}/.local/bin}"
+mkdir -p "${DEST}"
+TMPDIR=$(mktemp -d)
+trap 'rm -rf "${TMPDIR}"' EXIT
+
+ARCHIVE="kubectl-crust-gather_${CRUST_GATHER_VER}_linux_${ARCH}.tar.gz"
+curl -sSfL \
+  "https://github.com/crust-gather/crust-gather/releases/download/${CRUST_GATHER_VERSION}/${ARCHIVE}" \
+  -o "${TMPDIR}/${ARCHIVE}"
+
+SUM_VAR="CRUST_GATHER_SUM_${ARCH}"
+echo "${!SUM_VAR}  ${TMPDIR}/${ARCHIVE}" | sha256sum -c -
+
+tar -xzf "${TMPDIR}/${ARCHIVE}" -C "${TMPDIR}" kubectl-crust-gather
+install -m 0755 "${TMPDIR}/kubectl-crust-gather" "${DEST}/crust-gather"
+echo "Installed crust-gather ${CRUST_GATHER_VERSION} (${ARCH}) to ${DEST}/crust-gather"

.github/scripts/install-crust-gather.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# Install k3d from a pinned release, verifying the SHA-256 checksum before
+# placing the binary on PATH.
+#
+# renovate: datasource=github-releases depName=k3d-io/k3d
+K3D_VERSION="v5.8.3"
+
+# shellcheck disable=SC2034
+# renovate: datasource=github-release-attachments depName=k3d-io/k3d digestVersion=v5.8.3
+K3D_SUM_amd64="dbaa79a76ace7f4ca230a1ff41dc7d8a5036a8ad0309e9c54f9bf3836dbe853e"
+# shellcheck disable=SC2034
+# renovate: datasource=github-release-attachments depName=k3d-io/k3d digestVersion=v5.8.3
+K3D_SUM_arm64="0b8110f2229631af7402fb828259330985918b08fefd38b7f1b788a1c8687216"
+
+set -euo pipefail
+
+ARCH=$(uname -m)
+case "${ARCH}" in
+  x86_64)  ARCH="amd64" ;;
+  aarch64) ARCH="arm64" ;;
+  *) echo "Unsupported architecture: ${ARCH}"; exit 1 ;;
+esac
+
+DEST="${INSTALL_DIR:-${HOME}/.local/bin}"
+mkdir -p "${DEST}"
+TMPDIR=$(mktemp -d)
+trap 'rm -rf "${TMPDIR}"' EXIT
+
+curl -sSfL \
+  "https://github.com/k3d-io/k3d/releases/download/${K3D_VERSION}/k3d-linux-${ARCH}" \
+  -o "${TMPDIR}/k3d"
+
+K3D_SUM_VAR="K3D_SUM_${ARCH}"
+echo "${!K3D_SUM_VAR}  ${TMPDIR}/k3d" | sha256sum -c -
+
+install -m 0755 "${TMPDIR}/k3d" "${DEST}/k3d"
+echo "Installed k3d ${K3D_VERSION} (${ARCH}) to ${DEST}/k3d"

.github/scripts/install-k3d.sh

@@ -15,7 +15,7 @@ jobs:
     if: >
       github.repository == 'rancher/fleet'
     steps:
-      - uses: actions/add-to-project@main
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
         with:
           project-url: https://github.com/orgs/rancher/projects/12
           github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}

.github/workflows/add_issue_to_project.yml

@@ -24,7 +24,6 @@ concurrency:
 env:
   GOARCH: amd64
   CGO_ENABLED: 0
-  SETUP_K3D_VERSION: "v5.8.3"
   SETUP_K3S_VERSION: "v1.35.1-k3s1"
   # Defaults for both manual and scheduled runs
   BENCH_TIMEOUT: ${{ github.event.inputs.timeout || '2m' }}
@@ -45,7 +44,6 @@ jobs:
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
-          check-latest: true
 
       # No extra host dependencies required
 
@@ -60,8 +58,24 @@ jobs:
           docker --version
           docker info
 
+      - name: Cache k3d CLI
+        id: cache-k3d
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        with:
+          path: ~/.local/bin/k3d
+          key: ${{ runner.os }}-k3d-${{ hashFiles('.github/scripts/install-k3d.sh') }}
+          restore-keys: |
+            ${{ runner.os }}-k3d-
+
       - name: Install k3d
-        run: curl --silent --fail https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | TAG=${{ env.SETUP_K3D_VERSION }} bash
+        run: |
+          if [ "${{ steps.cache-k3d.outputs.cache-hit }}" != "true" ]; then
+            ./.github/scripts/install-k3d.sh
+          else
+            echo "Using cached k3d"
+            chmod +x ~/.local/bin/k3d
+          fi
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
 
       - name: Verify k3d installation
         run: |
@@ -109,7 +123,7 @@ jobs:
           echo "Found report: $safe_file"
 
       - name: Upload benchmark JSON
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: benchmark-report
           path: ${{ steps.report.outputs.report }}

.github/workflows/benchmark.yml

@@ -2,6 +2,9 @@ name: Check for unallowed changes
 
 on:
   pull_request:
+  push:
+    branches:
+    - '*-hotfix-*'
 
 env:
   MAIN_BRANCH: origin/main
@@ -21,7 +24,6 @@ jobs:
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: 'go.mod'
-          check-latest: true
       -
         name: Install Ginkgo CLI
         run: go install github.com/onsi/ginkgo/v2/ginkgo
@@ -33,4 +35,5 @@ jobs:
         run: ./.github/scripts/check-for-auto-generated-changes.sh
       -
         name: known-hosts
-        run: ./.github/scripts/check-for-known-hosts-changes.sh $GITHUB_BASE_REF
+        if: github.event_name == 'pull_request'
+        run: ./.github/scripts/check-for-known-hosts-changes.sh "$GITHUB_BASE_REF"

.github/workflows/check-changes.yml

@@ -6,7 +6,7 @@ on:
   pull_request:
   push:
     branches:
-    - 'release/*'
+    - '*-hotfix-*'
 
 env:
   GOARCH: amd64
@@ -37,7 +37,6 @@ jobs:
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: 'go.mod'
-          check-latest: true
       -
         name: unit-test
         run: go test -shuffle=on $(go list ./... | grep -v -e /e2e -e /integrationtests -e /benchmarks)
@@ -53,7 +52,6 @@ jobs:
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: 'go.mod'
-          check-latest: true
       -
         name: Install Ginkgo CLI
         run: go install github.com/onsi/ginkgo/v2/ginkgo
@@ -75,7 +73,6 @@ jobs:
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: 'go.mod'
-          check-latest: true
       -
         name: Install Ginkgo CLI
         run: go install github.com/onsi/ginkgo/v2/ginkgo

.github/workflows/ci.yml

@@ -5,12 +5,11 @@ on:
   pull_request:
   push:
     branches:
-    - 'release/*'
+    - '*-hotfix-*'
 
 env:
   GOARCH: amd64
   CGO_ENABLED: 0
-  SETUP_K3D_VERSION: 'v5.8.3'
 
 jobs:
   e2e-fleet-test:
@@ -47,43 +46,28 @@ jobs:
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: 'go.mod'
-          check-latest: true
       -
         name: Install Ginkgo CLI
         run: go install github.com/onsi/ginkgo/v2/ginkgo
-      -
-        name: Determine cache key
-        id: cache-key
-        run: ./.github/scripts/determine-cache-key.sh
       -
         name: Cache crust-gather CLI
         id: cache-crust
         uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: ~/.local/bin/crust-gather
-          key: ${{ runner.os }}-crust-gather-${{ steps.cache-key.outputs.value }}
+          key: ${{ runner.os }}-crust-gather-${{ hashFiles('.github/scripts/install-crust-gather.sh') }}
           restore-keys: |
             ${{ runner.os }}-crust-gather-
       -
         name: Install crust-gather CLI
         run: |
           if [ "${{ steps.cache-crust.outputs.cache-hit }}" != "true" ]; then
-            echo "Cache not found, downloading from source"
-            mkdir -p ~/.local/bin
-            if curl -sSfL https://github.com/crust-gather/crust-gather/raw/main/install.sh | sh -s -- --yes; then
-              # Cache the binary for future runs
-              if [ ! -f ~/.local/bin/crust-gather ]; then
-                which crust-gather && cp $(which crust-gather) ~/.local/bin/
-              fi
-            else
-              echo "Failed to download crust-gather"
-              exit 1
-            fi
+            ./.github/scripts/install-crust-gather.sh
           else
             echo "Using cached crust-gather CLI"
             chmod +x ~/.local/bin/crust-gather
-            sudo ln -sf ~/.local/bin/crust-gather /usr/local/bin/
           fi
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
       -
         name: Build Fleet
         run: |
@@ -99,9 +83,24 @@ jobs:
           cd e2e/assets/gitrepo
           # Buildkit needed here for proper here-document support
           DOCKER_BUILDKIT=1 docker build -f Dockerfile.gitserver -t nginx-git:test --build-arg="passwd=$(openssl passwd foo)" .
+      -
+        name: Cache k3d CLI
+        id: cache-k3d
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        with:
+          path: ~/.local/bin/k3d
+          key: ${{ runner.os }}-k3d-${{ hashFiles('.github/scripts/install-k3d.sh') }}
+          restore-keys: |
+            ${{ runner.os }}-k3d-
       -
         name: Install k3d
-        run: curl --silent --fail https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | TAG=${{ env.SETUP_K3D_VERSION }} bash
+        run: |
+          if [ "${{ steps.cache-k3d.outputs.cache-hit }}" != "true" ]; then
+            ./.github/scripts/install-k3d.sh
+          else
+            echo "Using cached k3d"
+            chmod +x ~/.local/bin/k3d
+          fi
       -
         name: Provision k3d Cluster
         run: |
@@ -270,7 +269,7 @@ jobs:
           ginkgo --github-output --trace e2e/require-secrets
       -
         name: Upload Logs
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: failure()
         with:
           name: gha-fleet-e2e-logs-${{ github.sha }}-${{ matrix.k3s.version }}-${{ matrix.test_type.name }}-${{ github.run_id }}

.github/workflows/e2e-ci.yml

@@ -9,7 +9,6 @@ on:
 env:
   GOARCH: amd64
   CGO_ENABLED: 0
-  SETUP_K3D_VERSION: 'v5.8.3'
 
 jobs:
   fleet-upgrade-test:
@@ -31,46 +30,46 @@ jobs:
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: 'go.mod'
-          check-latest: true
       -
         name: Install Ginkgo CLI
         run: go install github.com/onsi/ginkgo/v2/ginkgo
-      -
-        name: Determine cache key
-        id: cache-key
-        run: ./.github/scripts/determine-cache-key.sh
       -
         name: Cache crust-gather CLI
         id: cache-crust
         uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: ~/.local/bin/crust-gather
-          key: ${{ runner.os }}-crust-gather-${{ steps.cache-key.outputs.value }}
+          key: ${{ runner.os }}-crust-gather-${{ hashFiles('.github/scripts/install-crust-gather.sh') }}
           restore-keys: |
             ${{ runner.os }}-crust-gather-
       -
         name: Install crust-gather CLI
         run: |
           if [ "${{ steps.cache-crust.outputs.cache-hit }}" != "true" ]; then
-            echo "Cache not found, downloading from source"
-            mkdir -p ~/.local/bin
-            if curl -sSfL https://github.com/crust-gather/crust-gather/raw/main/install.sh | sh -s -- --yes; then
-              # Cache the binary for future runs
-              if [ ! -f ~/.local/bin/crust-gather ]; then
-                which crust-gather && cp $(which crust-gather) ~/.local/bin/
-              fi
-            else
-              echo "Failed to download crust-gather"
-              exit 1
-            fi
+            ./.github/scripts/install-crust-gather.sh
           else
             echo "Using cached crust-gather CLI"
             chmod +x ~/.local/bin/crust-gather
-            sudo ln -sf ~/.local/bin/crust-gather /usr/local/bin/
           fi
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+      -
+        name: Cache k3d CLI
+        id: cache-k3d
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        with:
+          path: ~/.local/bin/k3d
+          key: ${{ runner.os }}-k3d-${{ hashFiles('.github/scripts/install-k3d.sh') }}
+          restore-keys: |
+            ${{ runner.os }}-k3d-
       -
         name: Install k3d
-        run: curl --silent --fail https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | TAG=${{ env.SETUP_K3D_VERSION }} bash
+        run: |
+          if [ "${{ steps.cache-k3d.outputs.cache-hit }}" != "true" ]; then
+            ./.github/scripts/install-k3d.sh
+          else
+            echo "Using cached k3d"
+            chmod +x ~/.local/bin/k3d
+          fi
       -
         name: Provision k3d Cluster
         run: |
@@ -116,7 +115,7 @@ jobs:
           ginkgo --github-output --trace --label-filter="!multi-cluster" e2e/installation
       -
         name: Upload Logs
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: failure()
         with:
           name: gha-fleet-e2e-logs-${{ github.sha }}-${{ matrix.k3s.version }}-${{ github.run_id }}