Ian Littman
18256bdf0e
Add missing step-security hardening action, bump to current version ( #38470 )
...
## Summary by CodeRabbit
* **Chores**
  * Upgraded security protections across build and deployment workflows for enhanced runner environment hardening.
  * Strengthened CI/CD infrastructure security measures throughout automated processes.
  * No direct user-facing changes.
2026-01-19 15:10:48 -06:00
Lucas Manuel Rodriguez
6e097988d5
Update ubuntu-20.04 to ubuntu-22.04 on CI actions due to deprecation ( #26466 )
...
> We will soon start the deprecation process for Ubuntu 20.04. While the
> image is being deprecated, you may experience longer queue times during
> peak usage hours. Deprecation will begin on 2025-02-01 and the image
> will be fully unsupported by 2025-04-01.

From https://github.com/actions/runner-images/issues/11101.

2025-02-21 13:11:50 -03:00
Luke Heath
6ebc308eb4
[StepSecurity] ci: Harden GitHub Actions ( #17780 )
2024-03-22 15:32:23 -05:00
Luke Heath
204f082fe5
Pin all workflow actions versions by commit ( #13462 )
2023-08-31 12:09:21 -05:00
Luke Heath
1f455055a1
Use actions token during helm-publish workflow ( #12430 )
2023-06-21 09:30:25 -06:00
Luke Heath
1f8ca0bbb4
Use personal access token for workflows ( #12118 )
2023-06-02 16:23:23 -05:00
dependabot[bot]
673a4465cc
Bump stefanprodan/helm-gh-pages from 1.5.0 to 1.7.0 ( #8804 )
...
Bumps
[stefanprodan/helm-gh-pages](https://github.com/stefanprodan/helm-gh-pages )
from 1.5.0 to 1.7.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/stefanprodan/helm-gh-pages/releases ">stefanprodan/helm-gh-pages's
releases</a>.</em></p>
<blockquote>
<h2>v1.7.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Allow private helm repo auth in dependencies by <a
href="https://github.com/zzorica "><code>@zzorica</code></a> in <a
href="https://github-redirect.dependabot.com/stefanprodan/helm-gh-pages/pull/35 ">stefanprodan/helm-gh-pages#35</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/zzorica "><code>@zzorica</code></a> made
their first contribution in <a
href="https://github-redirect.dependabot.com/stefanprodan/helm-gh-pages/pull/35 ">stefanprodan/helm-gh-pages#35</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/stefanprodan/helm-gh-pages/compare/v1.6.0...v1.7.0 ">https://github.com/stefanprodan/helm-gh-pages/compare/v1.6.0...v1.7.0 </a></p>
<h2>v1.6.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Add support for alias:<!-- raw HTML omitted --> in dependencies
check by <a
href="https://github.com/paulcarlton-ww "><code>@paulcarlton-ww</code></a>
in <a
href="https://github-redirect.dependabot.com/stefanprodan/helm-gh-pages/pull/32 ">stefanprodan/helm-gh-pages#32</a></li>
<li>Update Helm to v3.10.0 by <a
href="https://github.com/stefanprodan "><code>@stefanprodan</code></a>
in <a
href="https://github-redirect.dependabot.com/stefanprodan/helm-gh-pages/pull/33 ">stefanprodan/helm-gh-pages#33</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/stefanprodan/helm-gh-pages/compare/v1.5.0...v1.6.0 ">https://github.com/stefanprodan/helm-gh-pages/compare/v1.5.0...v1.6.0 </a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0ad2bb3773 "><code>0ad2bb3</code></a>
Merge pull request <a
href="https://github-redirect.dependabot.com/stefanprodan/helm-gh-pages/issues/35 ">#35</a>
from zzorica/allow-private-helm-repo-auth-in-dependencies</li>
<li><a
href="86e9903900 "><code>86e9903</code></a>
allow private helm repo auth in dependencies</li>
<li><a
href="a5c9252781 "><code>a5c9252</code></a>
Merge pull request <a
href="https://github-redirect.dependabot.com/stefanprodan/helm-gh-pages/issues/33 ">#33</a>
from stefanprodan/helm-3.10.0</li>
<li><a
href="844812954c "><code>8448129</code></a>
Update Helm to v3.10.0</li>
<li><a
href="b97c7e37c5 "><code>b97c7e3</code></a>
Merge pull request <a
href="https://github-redirect.dependabot.com/stefanprodan/helm-gh-pages/issues/32 ">#32</a>
from paulcarlton-ww/debug</li>
<li><a
href="84568715a3 "><code>8456871</code></a>
add dependencies</li>
<li><a
href="aa53926042 "><code>aa53926</code></a>
add dependencies</li>
<li><a
href="a77eeb9630 "><code>a77eeb9</code></a>
add dependencies</li>
<li><a
href="ce5cd1646e "><code>ce5cd16</code></a>
add dependencies</li>
<li><a
href="13eb32b03b "><code>13eb32b</code></a>
add dependencies</li>
<li>Additional commits viewable in <a
href="b43a8719cc...0ad2bb3773 ">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-02-27 18:17:32 -08:00
Michal Nicpon
56f3cb62ef
add concurrency to ci ( #8271 )
...
* add concurrency to ci
* add readme for workflows
2022-10-24 14:01:00 -06:00
Michal Nicpon
9056b22874
set default shell in workflows ( #8108 )
...
* wait for mysql in workflows
2022-10-07 09:43:56 -06:00
dependabot[bot]
200ddfaaff
Bump actions/checkout from 2 to 3.0.2 ( #7301 )
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 2 to 3.0.2.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/checkout/compare/v2...2541b1294d2704b0964813337f33b291d3f8596b )
---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-08-31 07:44:22 -03:00
dependabot[bot]
87d96c24e1
Bump stefanprodan/helm-gh-pages from 1.4.1 to 1.5.0 ( #4635 )
...
Bumps [stefanprodan/helm-gh-pages](https://github.com/stefanprodan/helm-gh-pages ) from 1.4.1 to 1.5.0.
- [Release notes](https://github.com/stefanprodan/helm-gh-pages/releases )
- [Commits](f1701eb82e...b43a8719cc )
---
updated-dependencies:
- dependency-name: stefanprodan/helm-gh-pages
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-04-18 17:52:54 -07:00
Guillaume Ross
e6c6b7e840
Added explicit read permissions + tweaked permissions ( #4843 )
...
* Added explicit read permissions + tweaked permissions
As a part of #4698 - this should fix the remaining warnings we get from the OSSF scorecard in relation to github workflows. They now all have explicit read permissions with more granular permissions granted in jobs.
* Update tfsec.yml
New workflow that I had not fixed in this PR.
2022-03-28 16:20:31 -04:00
Guillaume Ross
62d3b9145f
4620 pin action dependencies ( #4622 )
...
* Update build-binaries.yaml
Pin action versions + add read only token to build-binaries.yaml
* Update codeql-analysis.yml
Pin dependencies with hash for codeql-analysis.yml
* Update deploy-fleet-website.yml
Pin dependencies in deploy-fleet-website.yml
* Update docs.yml
Pin dependencies for docs.yml
* Update fleet-and-orbit.yml
Pinning dependencies for fleet-and-orbit.yml
* Update generate-osqueryd-app-tar-gz.yml
Pin dependencies for generate-osqueryd-app-tar-gz.yml
* Pin dependencies in goreleaser workflows
Pinned dependencies in the 3 goreleaser workflows
* Update integration.yml
Pinned dependencies with hash
* Update pr-helm.yaml
Pinned dependencies with hash
* Update push-osquery-perf-to-ecr.yml
Pinned dependencies with a hash
* Update release-helm.yaml
Pinned one dependency with a hash
* Update semgrep-analysis.yml
Pinned dependencies with hashes
* Update test-go.yaml
Pinned dependencies with hash
* Update test-packaging.yml
Pinned dependencies with hashes
* Update test-website.yml
Pinned dependencies with hashes
* Update test.yml
Pinned dependencies with hashes
2022-03-16 15:42:28 -04:00
Zach Wasserman
a3958ac24c
Add write permission for release-helm Action ( #1259 )
...
- Also pin the Action to specific commit hash.
2021-06-29 12:43:13 -07:00
James Alseth
1da89ea987
Publish Helm chart ( #475 )
...
This adds a GH Action to publish the updated Helm chart with each new release. It can also be triggered manually if needed.
Fixes #345
2021-03-17 11:09:01 -07:00