Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,3 +25,10 @@ updates:
- dependency-name: go.opentelemetry.io/*
schedule:
interval: daily
- package-ecosystem: github-actions
open-pull-requests-limit: 10
directory: "/"
schedule:
interval: daily
cooldown:
default-days: 7
44 changes: 22 additions & 22 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
name: ci

permissions:
contents: read # to fetch code (actions/checkout)

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
Expand All @@ -18,9 +21,6 @@ on:
required: false
default: "false"

permissions:
contents: read # to fetch code (actions/checkout)

jobs:
validate:
runs-on: ubuntu-latest
Expand All @@ -35,10 +35,10 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
-
name: Run
run: |
Expand Down Expand Up @@ -67,7 +67,7 @@ jobs:
steps:
-
name: Download artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
path: /tmp/compose-output
name: ${{ needs.binary.outputs.artifact-name }}
Expand Down Expand Up @@ -103,7 +103,7 @@ jobs:
done
-
name: Upload artifacts
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: release
path: ./bin/release/*
Expand Down Expand Up @@ -132,18 +132,18 @@ jobs:
steps:
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
-
name: Test
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
targets: test
set: |
*.cache-from=type=gha,scope=test
*.cache-to=type=gha,scope=test
-
name: Gather coverage data
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: coverage-data-unit
path: bin/coverage/unit/
Expand Down Expand Up @@ -185,7 +185,7 @@ jobs:
echo "MODE_ENGINE_PAIR=${mode}-${engine}" >> $GITHUB_ENV

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Install Docker ${{ matrix.engine }}
run: |
Expand All @@ -199,15 +199,15 @@ jobs:
run: docker --version

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

- name: Set up Docker Model
run: |
sudo apt-get install docker-model-plugin
docker model version

- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version-file: '.go-version'
check-latest: true
Expand All @@ -217,7 +217,7 @@ jobs:
run: make example-provider

- name: Build
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
with:
source: .
targets: binary-with-coverage
Expand All @@ -244,7 +244,7 @@ jobs:

- name: Gather coverage data
if: ${{ matrix.mode == 'plugin' }}
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: coverage-data-e2e-${{ env.MODE_ENGINE_PAIR }}
path: bin/coverage/e2e/
Expand All @@ -271,20 +271,20 @@ jobs:
steps:
# codecov won't process the report without the source code available
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version-file: '.go-version'
check-latest: true
- name: Download unit test coverage
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: coverage-data-unit
path: coverage/unit
merge-multiple: true
- name: Download E2E test coverage
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: coverage-data-e2e-*
path: coverage/e2e
Expand All @@ -293,7 +293,7 @@ jobs:
run: |
go tool covdata textfmt -i=./coverage/unit,./coverage/e2e -o ./coverage.txt
- name: Store coverage report in GitHub Actions
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: go-covdata-txt
path: ./coverage.txt
Expand All @@ -312,10 +312,10 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Download artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
path: ./bin/release
name: release
Expand Down
10 changes: 2 additions & 8 deletions .github/workflows/docs-upstream.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,6 @@
# to check if yaml reference docs used in this repo are valid
name: docs-upstream

# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read

Expand All @@ -34,10 +28,10 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Upload reference YAML docs
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: docs-yaml
path: docs/reference
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/merge.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
name: merge

permissions:
contents: read # to fetch code (actions/checkout)

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
Expand All @@ -11,9 +14,6 @@ on:
tags:
- 'v*'

permissions:
contents: read # to fetch code (actions/checkout)

env:
REPO_SLUG: "docker/compose-bin"

Expand Down
11 changes: 6 additions & 5 deletions .github/workflows/pr-review-trigger.yml
Original file line number Diff line number Diff line change
@@ -1,9 +1,4 @@
name: PR Review - Trigger
on:
pull_request:
types: [ready_for_review, opened, review_requested]
pull_request_review_comment:
types: [created]

permissions: {}

Expand All @@ -15,6 +10,12 @@ concurrency:
group: pr-review-trigger-${{ github.event.pull_request.number }}
cancel-in-progress: true

on:
pull_request:
types: [ready_for_review, opened, review_requested]
pull_request_review_comment:
types: [created]

jobs:
save-context:
# Only run on fork PRs; skip GitHub App bot accounts (Dependabot, Renovate, etc.) early.
Expand Down
12 changes: 8 additions & 4 deletions .github/workflows/pr-review.yml
Original file line number Diff line number Diff line change
@@ -1,14 +1,18 @@
name: PR Review
on:

permissions:
contents: read # Required at top-level to give `issue_comment` events access to the secrets below.

# workflow_run is used deliberately here: the unprivileged "PR Review - Trigger"
# workflow runs on the fork PR and this privileged one only consumes its
# artifacts, never checks out or executes fork code.
on: # zizmor: ignore[dangerous-triggers]
issue_comment:
types: [ created ]
workflow_run:
workflows: [ "PR Review - Trigger" ]
types: [ completed ]

permissions:
contents: read # Required at top-level to give `issue_comment` events access to the secrets below.

jobs:
review:
if: |
Comment thread
crazy-max marked this conversation as resolved.
Expand Down
9 changes: 6 additions & 3 deletions .github/workflows/scorecards.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,7 @@
name: Scorecards supply-chain security

permissions: {}

on:
# Only the default branch is supported.
branch_protection_rule:
Expand Down Expand Up @@ -31,7 +34,7 @@

steps:
- name: "Checkout code"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

Expand All @@ -50,14 +53,14 @@
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: SARIF file
path: results.sarif
retention-days: 5

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1

Check failure

Code scanning / zizmor

action has a known vulnerability: GHSA-vqf5-2xx6-9wfm Error

action has a known vulnerability: GHSA-vqf5-2xx6-9wfm

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will be fixed in #13896

with:
sarif_file: results.sarif
10 changes: 2 additions & 8 deletions .github/workflows/stale.yml
Original file line number Diff line number Diff line change
@@ -1,25 +1,20 @@
name: 'Close stale issues'

# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read

on:
schedule:
- cron: '0 0 * * 0,3' # at midnight UTC every Sunday and Wednesday

jobs:
stale:
runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
steps:
- uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
- uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: >
Expand All @@ -30,4 +25,3 @@ jobs:
days-before-issue-close: 30 # closes 1 month after being marked with no action
stale-issue-label: "stale"
exempt-issue-labels: "kind/feature,kind/enhancement"

28 changes: 28 additions & 0 deletions .github/workflows/zizmor.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
name: zizmor

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

on:
workflow_dispatch:
push:
branches:
- 'main'
tags:
- 'v*'
pull_request:

jobs:
zizmor:
uses: crazy-max/.github/.github/workflows/zizmor.yml@46267a6e61cd56aac2fc79943df180152f4c89d6 # v1.10.1
permissions:
contents: read
security-events: write
with:
min-severity: medium
min-confidence: medium
persona: pedantic
Loading