Description

The GitHub Actions workflows should be updated to:

- Use the ubuntu-24.04 runner: update all jobs from ubuntu-22.04 to ubuntu-24.04 to use the latest LTS Ubuntu runner.
- Pin actions with commit SHAs: replace all action version tags with full commit SHAs for better security and reproducibility. Include a version comment after each SHA for maintainability.

Changes needed

For all workflow files (e.g., build-publish.yaml, release.yaml):

Update runners:

```yaml
runs-on: ubuntu-24.04 # was: ubuntu-22.04
```

Pin actions with SHAs (examples):

```yaml
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2
- uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1
- uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2
```

Benefits

- Security: pinning to an exact commit prevents supply chain attacks through tag manipulation, since a moved or re-pushed tag can no longer silently change the code the workflow runs.
- Reproducibility: ensures consistent behavior across workflow runs.
- Maintainability: version comments make it easy to see which version each SHA corresponds to.
- Up-to-date runner: Ubuntu 24.04 provides the latest LTS features and security updates.

Reference

These changes have been implemented in the extension-pack-kubernetes repository and can serve as a reference.
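To make the two requirements above checkable rather than a one-off edit, here is an added audit script (not part of this issue or the project) that scans a workflow file for `uses:` references that are not pinned to a 40-character commit SHA, pinned references that lack the version comment, and `runs-on:` values other than the expected runner. The sample workflow embedded in it is constructed for the example; the `actions/setup-node` SHA in it is a placeholder, not a real commit.

```python
import re

# Constructed sample workflow for the example, not a file from the project.
# It mixes a tag-pinned step, a SHA-pinned step with and without a version
# comment, and local/container actions that have no commit to pin.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2
      # constructed: pinned to a placeholder SHA but lacking the version annotation
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

# "- uses: owner/repo@ref # comment" or "uses: owner/repo@ref" on its own line
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*))?$')
RUNS_ON_RE = re.compile(r'^\s*runs-on:\s*([^\s#]+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')  # a full git commit SHA, lowercase hex


def audit_workflow(text, expected_runner="ubuntu-24.04"):
    """Return a list of (line_number, finding, detail) tuples for one workflow.

    Findings:
      unpinned                - action referenced by tag or branch, not a commit SHA
      missing-version-comment - pinned by SHA but no trailing '# vN' comment
      outdated-runner         - runs-on value differs from expected_runner
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref, comment = m.group(1), m.group(2)
            # Local actions and docker:// images are not git refs, so skip them.
            if ref.startswith("./") or ref.startswith("docker://"):
                continue
            action, _, version = ref.partition("@")
            if not SHA_RE.match(version):
                findings.append((lineno, "unpinned", f"{action}@{version}"))
            elif not comment:
                findings.append((lineno, "missing-version-comment", action))
            continue
        m = RUNS_ON_RE.match(line)
        # Expressions such as ${{ matrix.os }} are resolved at run time; skip them.
        if m and not m.group(1).startswith("$") and m.group(1) != expected_runner:
            findings.append((lineno, "outdated-runner", m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, finding, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {finding}: {detail}")
```

Run against a real `.github/workflows/*.yaml` file by passing its contents to `audit_workflow`; an empty result means every action is SHA-pinned with a version comment and every job uses the expected runner. The check is line-based on purpose so it works without a YAML parser, but it will not see `uses:` entries written in flow style on a single line.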