diff --git a/.github/linters/trivy.yaml b/.github/linters/trivy.yaml
new file mode 100644
index 00000000..f1c68657
--- /dev/null
+++ b/.github/linters/trivy.yaml
@@ -0,0 +1,3 @@
+scan:
+  skip-dirs:
+    - "vendor/*"
diff --git a/.github/workflows/base_image_update.yaml b/.github/workflows/base_image_update.yaml
index 835f5096..8599c7ae 100644
--- a/.github/workflows/base_image_update.yaml
+++ b/.github/workflows/base_image_update.yaml
@@ -27,6 +27,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install script dependencies
         run: pip install -r ./requirements.txt
diff --git a/.github/workflows/build_test_images.yaml b/.github/workflows/build_test_images.yaml
index 56f70d03..8464848e 100644
--- a/.github/workflows/build_test_images.yaml
+++ b/.github/workflows/build_test_images.yaml
@@ -20,6 +20,8 @@ jobs:
     steps:
       - name: Check out the repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install script dependencies
         run: pip install -r ./requirements.txt
@@ -47,6 +49,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: recursive
+          persist-credentials: false
 
       - name: Write OpenStack credentials
         run: echo "$OS_CLOUDS" > ./clouds.yaml
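Review bot: The new trivy.yaml excludes `vendor/*` from scanning without saying what lives there or why it is exempt, and this commit elsewhere checks out an image-builder submodule under `./vendor/image-builder`, so whichever Trivy invocation reads this config will no longer report findings in that vendored code. If that is intended, record it in the file so the exemption is not widened or removed blindly: `# vendor/ holds the image-builder git submodule; it is scanned upstream, not here` (adjust to the actual reason). If it is not intended, narrow the glob to the specific vendored paths that should be skipped.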
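Review bot: With `persist-credentials: false` the checkout in base_image_update.yaml no longer leaves the job token in `.git/config`, so any later step in this job that pushes or fetches from the repository through that implicit credential will need an explicit token; those steps are outside the hunk, so I could not confirm whether any exist. The same change is made to the checkouts in build_test_images.yaml, kubernetes_update.yaml, lint.yml, pr.yaml, purge_defunct_images.yaml, tag.yaml and update-dependencies.yaml in this commit. The kubernetes_update job visibly generates an app token before opening its PR; the other jobs should be checked the same way before merging.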
@@ -93,14 +96,18 @@ jobs:
         run: sudo apt-get -y install libguestfs-tools
 
       - name: mkdir for mount
-        run: sudo mkdir -p './${{ steps.publish-image.outputs.image-name }}'
+        run: sudo mkdir -p './${STEPS_PUBLISH_IMAGE_OUTPUTS_IMAGE_NAME}'
+        env:
+          STEPS_PUBLISH_IMAGE_OUTPUTS_IMAGE_NAME: ${{ steps.publish-image.outputs.image-name }}
 
       - name: mount qcow2 file
         run: >
           sudo guestmount -a
-          ${{ steps.publish-image.outputs.image-name }}.qcow2
+          "${STEPS_PUBLISH_IMAGE_OUTPUTS_IMAGE_NAME}.qcow2"
           -i --ro -o allow_other
-          './${{ steps.publish-image.outputs.image-name }}'
+          './${STEPS_PUBLISH_IMAGE_OUTPUTS_IMAGE_NAME}'
+        env:
+          STEPS_PUBLISH_IMAGE_OUTPUTS_IMAGE_NAME: ${{ steps.publish-image.outputs.image-name }}
 
       - name: Fail if scan has CRITICAL vulnerabilities
         uses: aquasecurity/trivy-action@0.29.0
@@ -139,6 +146,8 @@ jobs:
     steps:
       - name: Check out the repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Read matrix outputs
         id: matrix-outputs
@@ -252,6 +261,8 @@ jobs:
     steps:
       - name: Checkout
        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install s3cmd
         run: |
diff --git a/.github/workflows/kubernetes_update.yaml b/.github/workflows/kubernetes_update.yaml
index 7c072a7c..518ea8d8 100644
--- a/.github/workflows/kubernetes_update.yaml
+++ b/.github/workflows/kubernetes_update.yaml
@@ -22,6 +22,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install script dependencies
         run: pip install -r ./requirements.txt
@@ -57,6 +59,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install script dependencies
         run: pip install -r ./requirements.txt
@@ -94,6 +98,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: recursive
+          persist-credentials: false
 
       - name: Check for most recent image-builder release
         id: next
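Review bot: The single-quoted `'./${STEPS_PUBLISH_IMAGE_OUTPUTS_IMAGE_NAME}'` in the `mkdir for mount` step and in the last argument of the `mount qcow2 file` step is never expanded: before this change the name was substituted by the workflow engine before the shell saw the quotes, but the shell leaves `${VAR}` inside single quotes literal, so both steps now operate on a directory literally named `./${STEPS_PUBLISH_IMAGE_OUTPUTS_IMAGE_NAME}`. The two steps agree with each other, so the mount itself may still succeed, but a later step that refers to the mount point by the expanded image name — the `Fail if scan has CRITICAL vulnerabilities` step begins in the hunk and its inputs are outside it — will not find it. Switch those two occurrences to double quotes, matching the `.qcow2` argument on the line above: `run: sudo mkdir -p "./${STEPS_PUBLISH_IMAGE_OUTPUTS_IMAGE_NAME}"` and `"./${STEPS_PUBLISH_IMAGE_OUTPUTS_IMAGE_NAME}"`.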
@@ -106,8 +111,10 @@ jobs:
         working-directory: ./vendor/image-builder
 
       - name: Update image-builder submodule
-        run: git checkout ${{ steps.next.outputs.version }}
+        run: git checkout "${STEPS_NEXT_OUTPUTS_VERSION}"
         working-directory: ./vendor/image-builder
+        env:
+          STEPS_NEXT_OUTPUTS_VERSION: ${{ steps.next.outputs.version }}
 
       - name: Generate app token for PR
         uses: azimuth-cloud/github-actions/generate-app-token@master
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 5aaec3da..0bc420aa 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -27,6 +27,7 @@ jobs:
           # list of files that changed across commits
           fetch-depth: 0
           submodules: true
+          persist-credentials: false
 
       - name: Run ansible-lint
         uses: ansible/ansible-lint@v25.4.0
@@ -41,7 +42,7 @@ jobs:
         if: always()
 
       - name: Run super-linter
-        uses: super-linter/super-linter@v7.3.0
+        uses: super-linter/super-linter@v8.2.1
         if: always()
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 95cc5da4..aa9d6b3d 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -57,6 +57,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install s3cmd
         run: |
diff --git a/.github/workflows/purge_defunct_images.yaml b/.github/workflows/purge_defunct_images.yaml
index e9dfa114..c34ad643 100644
--- a/.github/workflows/purge_defunct_images.yaml
+++ b/.github/workflows/purge_defunct_images.yaml
@@ -17,6 +17,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install script dependencies
         run: pip install -r ./requirements.txt
diff --git a/.github/workflows/tag.yaml b/.github/workflows/tag.yaml
index 81352584..8ebe98e3 100644
--- a/.github/workflows/tag.yaml
+++ b/.github/workflows/tag.yaml
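Review bot: The `env:` indirection added to the `Update image-builder submodule` step carries no comment saying why the step output is routed through the environment instead of being written into `run:` directly, so a later edit is likely to "simplify" it back to `${{ steps.next.outputs.version }}` inside the script and reintroduce the problem this commit removes. Suggest a comment above the `env:` key such as `# pass the step output via the environment so it is never expanded into the script text`; the same comment fits the two `env:` blocks added to build_test_images.yaml in this commit. The enclosing job continues outside the hunk.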
@@ -15,6 +15,8 @@ jobs:
     steps:
       - name: Check out the repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install s3cmd
         run: |
diff --git a/.github/workflows/update-dependencies.yaml b/.github/workflows/update-dependencies.yaml
index adf90c74..495b601f 100644
--- a/.github/workflows/update-dependencies.yaml
+++ b/.github/workflows/update-dependencies.yaml
@@ -87,6 +87,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Check for most recent GitHub release
         id: next
diff --git a/super-linter.env b/super-linter.env
index 451758e0..0016965b 100644
--- a/super-linter.env
+++ b/super-linter.env
@@ -18,3 +18,15 @@ VALIDATE_YAML_PRETTIER=false
 # Set to the default filename for yamllint
 YAML_CONFIG_FILE=.yamllint.yml
+
+# Don't validate python files with Black as it conflicts
+# with Ruff
+VALIDATE_PYTHON_BLACK=false
+
+# Don't validate files with Biome as it conflicts with
+# many other linters
+VALIDATE_BIOME_FORMAT=false
+VALIDATE_BIOME_LINT=false
+
+# Don't run Zizmor GHA linter and static analysis tool
+VALIDATE_GITHUB_ACTIONS_ZIZMOR=false
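Review bot: `VALIDATE_GITHUB_ACTIONS_ZIZMOR=false` at the end of the super-linter.env hunk switches off the one linter that checks the workflow properties this same commit hardens (`persist-credentials: false` and keeping step outputs out of `run:` scripts), so a future workflow edit that puts `${{ ... }}` back into a script would pass lint unnoticed. The comment above it only restates the setting; unlike the Black and Biome entries it gives no reason. Either keep the check enabled and silence the specific findings that are not fixable here through zizmor's own configuration, or state the reason in the file, e.g. `# Zizmor disabled: <reason, e.g. which rule fails on which workflow>`, so the exemption can be revisited.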