From ef65138bb9e873e948f23ab998bd7d716789c642 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Mon, 6 Jul 2026 16:43:55 +0200 Subject: [PATCH 1/3] ci: zizmor workflow Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/zizmor.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000000..708c8a70d0 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,28 @@ +name: zizmor + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +on: + workflow_dispatch: + push: + branches: + - 'main' + tags: + - 'v*' + pull_request: + +jobs: + zizmor: + uses: crazy-max/.github/.github/workflows/zizmor.yml@46267a6e61cd56aac2fc79943df180152f4c89d6 # v1.10.1 + permissions: + contents: read + security-events: write + with: + min-severity: medium + min-confidence: medium + persona: pedantic From 9eda2d1e48d42e64d94d9282023c763bffdaffb8 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Mon, 6 Jul 2026 16:44:06 +0200 Subject: [PATCH 2/3] chore: setup dependabot for github actions Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/dependabot.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 8810a07021..e96d6f0ae7 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -25,3 +25,10 @@ updates: - dependency-name: go.opentelemetry.io/* schedule: interval: daily + - package-ecosystem: github-actions + open-pull-requests-limit: 10 + directory: "/" + schedule: + interval: daily + cooldown: + default-days: 7 From 81423ae244522cea16423caa5740b56943404113 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Mon, 6 Jul 2026 16:50:21 +0200 Subject: [PATCH 3/3] fix zizmor findings Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/ci.yml | 44 ++++++++++++------------- .github/workflows/docs-upstream.yml | 10 ++---- .github/workflows/merge.yml | 6 ++-- .github/workflows/pr-review-trigger.yml | 11 ++++--- .github/workflows/pr-review.yml | 12 ++++--- .github/workflows/scorecards.yml | 9 +++-- .github/workflows/stale.yml | 10 ++---- 7 files changed, 49 insertions(+), 53 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9c4c673f0b..b60989108e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,8 @@ name: ci +permissions: + contents: read # to fetch code (actions/checkout) + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -18,9 +21,6 @@ on: required: false default: "false" -permissions: - contents: read # to fetch code (actions/checkout) - jobs: validate: runs-on: ubuntu-latest @@ -35,10 +35,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Run run: | @@ -67,7 +67,7 @@ jobs: steps: - name: Download artifacts - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: /tmp/compose-output name: ${{ needs.binary.outputs.artifact-name }} @@ -103,7 +103,7 @@ jobs: done - name: Upload artifacts - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: release path: ./bin/release/* @@ -132,10 +132,10 @@ jobs: steps: - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Test - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: test set: | @@ -143,7 +143,7 @@ jobs: *.cache-to=type=gha,scope=test - name: Gather coverage data - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: coverage-data-unit path: bin/coverage/unit/ @@ -185,7 +185,7 @@ jobs: echo "MODE_ENGINE_PAIR=${mode}-${engine}" >> $GITHUB_ENV - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install Docker ${{ matrix.engine }} run: | @@ -199,7 +199,7 @@ jobs: run: docker --version - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Set up Docker Model run: | @@ -207,7 +207,7 @@ jobs: docker model version - name: Set up Go - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version-file: '.go-version' check-latest: true @@ -217,7 +217,7 @@ jobs: run: make example-provider - name: Build - uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: source: . targets: binary-with-coverage @@ -244,7 +244,7 @@ jobs: - name: Gather coverage data if: ${{ matrix.mode == 'plugin' }} - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: coverage-data-e2e-${{ env.MODE_ENGINE_PAIR }} path: bin/coverage/e2e/ @@ -271,20 +271,20 @@ jobs: steps: # codecov won't process the report without the source code available - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version-file: '.go-version' check-latest: true - name: Download unit test coverage - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: coverage-data-unit path: coverage/unit merge-multiple: true - name: Download E2E test coverage - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: coverage-data-e2e-* path: coverage/e2e @@ -293,7 +293,7 @@ jobs: run: | go tool covdata textfmt -i=./coverage/unit,./coverage/e2e -o ./coverage.txt - name: Store coverage report in GitHub Actions - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: go-covdata-txt path: ./coverage.txt @@ -312,10 +312,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Download artifacts - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: ./bin/release name: release diff --git a/.github/workflows/docs-upstream.yml b/.github/workflows/docs-upstream.yml index b68501cb1d..f4e726c859 100644 --- a/.github/workflows/docs-upstream.yml +++ b/.github/workflows/docs-upstream.yml @@ -2,12 +2,6 @@ # to check if yaml reference docs used in this repo are valid name: docs-upstream -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read @@ -34,10 +28,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Upload reference YAML docs - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: docs-yaml path: docs/reference diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index ed9696f19a..ee8df35b24 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -1,5 +1,8 @@ name: merge +permissions: + contents: read # to fetch code (actions/checkout) + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -11,9 +14,6 @@ on: tags: - 'v*' -permissions: - contents: read # to fetch code (actions/checkout) - env: REPO_SLUG: "docker/compose-bin" diff --git a/.github/workflows/pr-review-trigger.yml b/.github/workflows/pr-review-trigger.yml index 827013152f..a650abffea 100644 --- a/.github/workflows/pr-review-trigger.yml +++ b/.github/workflows/pr-review-trigger.yml @@ -1,9 +1,4 @@ name: PR Review - Trigger -on: - pull_request: - types: [ready_for_review, opened, review_requested] - pull_request_review_comment: - types: [created] permissions: {} @@ -15,6 +10,12 @@ concurrency: group: pr-review-trigger-${{ github.event.pull_request.number }} cancel-in-progress: true +on: + pull_request: + types: [ready_for_review, opened, review_requested] + pull_request_review_comment: + types: [created] + jobs: save-context: # Only run on fork PRs; skip GitHub App bot accounts (Dependabot, Renovate, etc.) early. diff --git a/.github/workflows/pr-review.yml b/.github/workflows/pr-review.yml index acffed05c0..c06834ff34 100644 --- a/.github/workflows/pr-review.yml +++ b/.github/workflows/pr-review.yml @@ -1,14 +1,18 @@ name: PR Review -on: + +permissions: + contents: read # Required at top-level to give `issue_comment` events access to the secrets below. + +# workflow_run is used deliberately here: the unprivileged "PR Review - Trigger" +# workflow runs on the fork PR and this privileged one only consumes its +# artifacts, never checks out or executes fork code. +on: # zizmor: ignore[dangerous-triggers] issue_comment: types: [ created ] workflow_run: workflows: [ "PR Review - Trigger" ] types: [ completed ] -permissions: - contents: read # Required at top-level to give `issue_comment` events access to the secrets below. - jobs: review: if: | diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index b9fc388f27..237a1f520c 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -1,4 +1,7 @@ name: Scorecards supply-chain security + +permissions: {} + on: # Only the default branch is supported. branch_protection_rule: @@ -31,7 +34,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -50,7 +53,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: SARIF file path: results.sarif @@ -58,6 +61,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2 + uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1 with: sarif_file: results.sarif diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 6c2349b8d0..b573405dd0 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -1,17 +1,12 @@ name: 'Close stale issues' -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read on: schedule: - cron: '0 0 * * 0,3' # at midnight UTC every Sunday and Wednesday + jobs: stale: runs-on: ubuntu-latest @@ -19,7 +14,7 @@ jobs: issues: write pull-requests: write steps: - - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10 + - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: > @@ -30,4 +25,3 @@ jobs: days-before-issue-close: 30 # closes 1 month after being marked with no action stale-issue-label: "stale" exempt-issue-labels: "kind/feature,kind/enhancement" - \ No newline at end of file