From c2bdaad5f1c39218fecfd3f44b340884b93b249b Mon Sep 17 00:00:00 2001
From: macie
Date: Sun, 15 Jun 2025 10:34:49 +0200
Subject: [PATCH 1/3] ci: Update CI/CD dependencies

This is a cumulative update of CI/CD deps. The awalsh128/cache-apt-pkgs-action is excluded as a temporary fix for (older versions don't want to work due to broken dependencies). Closes #96, closes #98, closes #101, closes #102, closes #103
---
 .github/workflows/check.yml | 33 ++++++++++++++-------
 .github/workflows/codeql.yml | 18 ++++++-----
 .github/workflows/dependency-review.yml | 4 +--
 .github/workflows/e2e.yml | 33 ++++++++++++---------
 .github/workflows/publish.yml | 24 ++++++++-------
 .github/workflows/supply-chain_security.yml | 18 ++++++-----
 6 files changed, 78 insertions(+), 52 deletions(-)

diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index a214ffd..bc20a91 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -16,7 +16,7 @@ jobs:
 
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+ uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -25,16 +25,23 @@ jobs:
 objects.githubusercontent.com:443
 proxy.golang.org:443
 sum.golang.org:443
+ ppa.launchpadcontent.net:443
+ packages.microsoft.com:443
+ azure.archive.ubuntu.com:80
+ motd.ubuntu.com:443
+ esm.ubuntu.com:443
 
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
- - name: Setup seccomp
- uses: awalsh128/cache-apt-pkgs-action@a6c3917cc929dd0345bfb2d3feaf9101823370ad # v1.4.2
- with:
- packages: libseccomp-dev
+ - name: Setup OS
+# uses: awalsh128/cache-apt-pkgs-action@a6c3917cc929dd0345bfb2d3feaf9101823370ad # v1.4.2
+# with:
+# packages: libseccomp-dev
+ run: sudo apt-get update && sudo apt-get install -y libseccomp-dev
 
 - name: Setup Go
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: 'stable'
 
@@ -50,7 +57,7 @@ jobs:
 
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+ uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
 with:
 disable-sudo: true
 egress-policy: block
@@ -60,11 +67,17 @@ jobs:
 objects.githubusercontent.com:443
 proxy.golang.org:443
 sum.golang.org:443
+ ppa.launchpadcontent.net:443
+ packages.microsoft.com:443
+ azure.archive.ubuntu.com:80
+ motd.ubuntu.com:443
+ esm.ubuntu.com:443
 
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: Setup Go
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: 'stable'
 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 37ccd40..05d0b4f 100644
--- a/.github/workflows/codeql.yml
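Review bot: The replacement `run: sudo apt-get update && sudo apt-get install -y libseccomp-dev` in the Setup OS step installs whatever libseccomp-dev version the runner's mirror serves, so that build input is no longer pinned, and the allowlist now admits `azure.archive.ubuntu.com:80` over plain HTTP; apt's signature check still protects integrity, so the practical cost is reproducibility rather than tampering. The three commented-out `uses:`/`with:`/`packages:` lines are left inside the step with no pointer to why, and the commit message's "temporary fix for ()" reference is empty, so the next reader cannot tell when to revert. Replace them with one comment naming the tracking issue, e.g. `# TODO(#<issue-number>): restore awalsh128/cache-apt-pkgs-action once its dependency breakage is fixed`, and prefer `sudo apt-get install -y --no-install-recommends libseccomp-dev` to keep the installed set minimal. The same change appears in codeql.yml @@ -61, e2e.yml @@ -28 and publish.yml @@ -30.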
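Review bot: The second job's allowlist (hunk @@ -60,11 +67,17 @@) gains the same five apt/Ubuntu endpoints, yet this job runs with `disable-sudo: true` and its visible steps are only checkout and setup-go, so nothing shown here can consume them. If no step outside the hunk installs packages, drop those five added lines from this job so `egress-policy: block` stays as tight as before; if a later step does need them, a one-line comment above the list naming that step would make the widening reviewable. The job's step list continues outside the hunk.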
+++ b/.github/workflows/codeql.yml
@@ -41,7 +41,7 @@ jobs:
 
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+ uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -50,6 +50,7 @@ jobs:
 objects.githubusercontent.com:443
 proxy.golang.org:443
 sum.golang.org:443
+ storage.googleapis.com:443
 ppa.launchpadcontent.net:443
 packages.microsoft.com:443
 azure.archive.ubuntu.com:80
@@ -61,18 +62,19 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: Setup OS
- uses: awalsh128/cache-apt-pkgs-action@a6c3917cc929dd0345bfb2d3feaf9101823370ad # v1.4.2
- with:
- packages: libseccomp-dev
+# uses: awalsh128/cache-apt-pkgs-action@a6c3917cc929dd0345bfb2d3feaf9101823370ad # v1.4.2
+# with:
+# packages: libseccomp-dev
+ run: sudo apt-get update && sudo apt-get install -y libseccomp-dev
 
 - name: Install Go
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version-file: go.mod
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+ uses: github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -82,7 +84,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+ uses: github/codeql-action/autobuild@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
 
 # â„šī¸ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -95,6 +97,6 @@ jobs:
 # ./location_of_script_within_repo/buildscript.sh
 
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+ uses: github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 3b79ba6..0d76a2c 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -17,7 +17,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+ uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
 with:
 disable-sudo: true
 egress-policy: block
@@ -30,4 +30,4 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: 'Dependency Review'
- uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
+ uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 9aa3a89..0d266e0 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -13,7 +13,7 @@ jobs:
 
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+ uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -28,15 +28,17 @@ jobs:
 motd.ubuntu.com:443
 esm.ubuntu.com:443
 
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
- - name: Setup seccomp
- uses: awalsh128/cache-apt-pkgs-action@a6c3917cc929dd0345bfb2d3feaf9101823370ad # v1.4.2
- with:
- packages: libseccomp-dev
+ - name: Setup OS
+# uses: awalsh128/cache-apt-pkgs-action@a6c3917cc929dd0345bfb2d3feaf9101823370ad # v1.4.2
+# with:
+# packages: libseccomp-dev
+ run: sudo apt-get update && sudo apt-get install -y libseccomp-dev
 
 - name: Setup Go
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: 'stable'
 
@@ -56,14 +58,15 @@ jobs:
 
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+ uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
 with:
 egress-policy: audit
 
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: Setup Go
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: 'stable'
 
@@ -83,7 +86,7 @@ jobs:
 
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+ uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -96,6 +99,7 @@ jobs:
 www.google.com:443
 raw.githubusercontent.com:443
 objects.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
 time.cloudflare.com:443
 ppa.launchpadcontent.net:443
 packages.microsoft.com:443
@@ -105,10 +109,11 @@ jobs:
 pypi.org:443
 files.pythonhosted.org:443
 
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: Setup Go
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: 'stable'
 
@@ -119,7 +124,7 @@ jobs:
 run: make sortof-openbsd_amd64
 
 - name: Run E2E tests inside VM
- uses: vmactions/openbsd-vm@0cfe06e734a0ea3a546fca7ebf200b984b94d58a # v1.1.4
+ uses: vmactions/openbsd-vm@0d65352eee1508bab7cb12d130536d3a556be487 # v1.1.8
 with:
 run: |
 make CLI=sortof-openbsd_amd64 e2e
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d845b07..fbfa1f3 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -15,7 +15,7 @@ jobs:
 
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+ uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -30,17 +30,19 @@ jobs:
 motd.ubuntu.com:443
 esm.ubuntu.com:443
 
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: Setup Go
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: 'stable'
 
- - name: Setup seccomp
- uses: awalsh128/cache-apt-pkgs-action@a6c3917cc929dd0345bfb2d3feaf9101823370ad # v1.4.2
- with:
- packages: libseccomp-dev
+ - name: Setup OS
+# uses: awalsh128/cache-apt-pkgs-action@a6c3917cc929dd0345bfb2d3feaf9101823370ad # v1.4.2
+# with:
+# packages: libseccomp-dev
+ run: sudo apt-get update && sudo apt-get install -y libseccomp-dev
 
 - name: Install dependencies
 run: make
@@ -48,7 +50,7 @@ jobs:
 - run: make dist
 
 - name: Save build artifacts
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: binaries
 path: dist/
@@ -66,7 +68,7 @@ jobs:
 
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+ uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
 with:
 disable-sudo: true
 egress-policy: block
@@ -75,12 +77,12 @@ jobs:
 uploads.github.com:443
 
 - name: Extract build artifacts
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
 with:
 name: binaries
 
 - name: Prepare release
- uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
+ uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0
 with:
 allowUpdates: true
 generateReleaseNotes: true
diff --git a/.github/workflows/supply-chain_security.yml b/.github/workflows/supply-chain_security.yml
index 0e94a93..e418d73 100644
--- a/.github/workflows/supply-chain_security.yml
+++ b/.github/workflows/supply-chain_security.yml
@@ -1,3 +1,7 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
 name: Scorecard supply-chain security
 on:
 # For Branch-Protection check. Only the default branch is supported. See
@@ -8,7 +12,7 @@ on:
 schedule:
 - cron: '23 2 * * 0'
 push:
- branches: [ "dev" ]
+ branches: ["dev"]
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -28,7 +32,7 @@ jobs:
 
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+ uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
 with:
 disable-sudo: true
 egress-policy: block
@@ -40,8 +44,8 @@ jobs:
 oss-fuzz-build-logs.storage.googleapis.com:443
 api.osv.dev:443
 fulcio.sigstore.dev:443
- tuf-repo-cdn.sigstore.dev:443
 rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
 api.scorecard.dev:443
 api.securityscorecards.dev:443
 
@@ -51,13 +55,13 @@ jobs:
 persist-credentials: false
 
 - name: "Run analysis"
- uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+ uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
 with:
 results_file: results.sarif
 results_format: sarif
 # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
 # - you want to enable the Branch-Protection check on a *public* repository, or
- # - you are installing Scorecard on a *private* repository
+ # - you are installing Scorecards on a *private* repository
 # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
 # repo_token: ${{ secrets.SCORECARD_TOKEN }}
 
@@ -73,7 +77,7 @@ jobs:
 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
 # format to the repository Actions tab.
 - name: "Upload artifact"
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: SARIF file
 path: results.sarif
@@ -81,6 +85,6 @@ jobs:
 
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+ uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
 with:
 sarif_file: results.sarif

From 0cc30f1cddad387bb2da8c45c44c783229faa158 Mon Sep 17 00:00:00 2001
From: macie
Date: Sun, 15 Jun 2025 10:49:51 +0200
Subject: [PATCH 2/3] refactor: Upgrade app dependencies

To ensure security and performance improvements. Closes #104, closes #105
---
 go.mod | 8 +++++---
 go.sum | 8 ++++----
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/go.mod b/go.mod
index ad6a455..30df36c 100644
--- a/go.mod
+++ b/go.mod
@@ -1,8 +1,10 @@
 module github.com/macie/sortof
 
-go 1.21.0
+go 1.24.0
+
+toolchain go1.24.4
 
 require (
- github.com/seccomp/libseccomp-golang v0.10.0
- golang.org/x/sys v0.26.0
+ github.com/seccomp/libseccomp-golang v0.11.0
+ golang.org/x/sys v0.33.0
 )
diff --git a/go.sum b/go.sum
index fc711f6..37b763e 100644
--- a/go.sum
+++ b/go.sum
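Review bot: `github/codeql-action/upload-sarif` is pinned here to fca7ace96b7d713c7035871441bd52efbe39e27e (v3.28.19) while codeql.yml in the same commit pins init/autobuild/analyze to ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 (v3.29.0), so the repository now carries two different commits of the same action and each will drift in its own Dependabot PR. Unless the older pin is deliberate, align on one, `uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0`, so a single review covers every sub-action of codeql-action.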
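Review bot: The new `toolchain go1.24.4` line in go.mod means that on a runner whose installed Go is older, the `go` command under the default `GOTOOLCHAIN=auto` downloads the 1.24.4 toolchain from the module proxy at build time instead of failing; the proxy.golang.org/sum.golang.org entries visible in the check.yml allowlists let that happen silently, and the checksum database verifies the download, but it is a second, implicit path by which the toolchain running in CI is chosen. codeql.yml resolves Go with `go-version-file: go.mod`, and whether setup-go honours the `toolchain` directive or only `go 1.24.0` is not visible here. Make the choice explicit, either with a go.mod comment such as `// CI relies on GOTOOLCHAIN=auto to fetch this version via proxy.golang.org` or by setting `GOTOOLCHAIN: local` in the workflows' `env` so an unexpected toolchain download fails loudly. Raising the `go` directive from 1.21.0 to 1.24.0 also drops support for consumers building with older toolchains, which the commit message does not mention.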
@@ -1,4 +1,4 @@
-github.com/seccomp/libseccomp-golang v0.10.0 h1:aA4bp+/Zzi0BnWZ2F1wgNBs5gTpm+na2rWM6M9YjLpY=
-github.com/seccomp/libseccomp-golang v0.10.0/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+github.com/seccomp/libseccomp-golang v0.11.0 h1:SDkcBRqGLP+sezmMACkxO1EfgbghxIxnRKfd6mHUEis=
+github.com/seccomp/libseccomp-golang v0.11.0/go.mod h1:5m1Lk8E9OwgZTTVz4bBOer7JuazaBa+xTkM895tDiWc=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=

From 8f4ec05e8cdfafa2cead9531f4eb4388b9a73324 Mon Sep 17 00:00:00 2001
From: macie
Date: Sun, 15 Jun 2025 10:55:21 +0200
Subject: [PATCH 3/3] ci: Check github-actions deps every 3 months

GitHub Actions are updated frequently, but are important mostly during releasing (which is rare). Go modlues are updated rarely. Lower check frequency means less time spent on merges. The check is performend every ~90 days to satisfy Scorecard `MaintainedID` rule. See: .
---
 .github/dependabot.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 054cfc0..af131c3 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,9 +3,11 @@ updates:
 - package-ecosystem: github-actions
 directory: /
 schedule:
- interval: monthly
+ interval: "cron"
+ cronjob: "6 4 2 */3 *"
 
 - package-ecosystem: gomod
 directory: /
 schedule:
- interval: monthly
+ interval: "cron"
+ cronjob: "6 4 2 */3 *"
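Review bot: Switching both ecosystems to `cronjob: "6 4 2 */3 *"` means a vulnerable action or module version found between runs stays in place for up to a quarter; this file governs Dependabot version updates only, and security updates are a separate repository setting which, if not enabled, leaves no faster path. Worth stating above the first `schedule:`, e.g. `# Quarterly version updates only; faster fixes rely on the repository's Dependabot security-updates setting`. If the ~90-day cadence is meant to satisfy the Scorecard rule named in the commit message, note that consecutive runs of this cron are 90–92 days apart, so a quarter can fall just outside a 90-day window; the commit message's `See: .` reference is also empty.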