Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(GHA): Pin azure/setup-helm #11493

Open
wants to merge 3 commits into
base: dev
Choose a base branch
from
Open

feat(GHA): Pin azure/setup-helm #11493

wants to merge 3 commits into from
+1 −1

Conversation

kiblik
Copy link
Contributor

@kiblik kiblik commented Jan 2, 2025

Add pinact which is able to detect unpinned GHA

@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Jan 2, 2025
edited
Loading

DryRun Security Summary

The GitHub Actions workflows were updated to improve security and reliability by implementing SHA pinning, defining specific triggered events, and automating the Helm chart release process with pinned dependency versions.

Expand for full summary

Summary:

The provided code changes focus on improving the security and reliability of the GitHub Actions (GHA) workflows used in the repository. The key changes include:

  1. SHA Pinning: The .github/workflows/gha-pin.yml workflow uses the suzuki-shunsuke/pinact-action GitHub Action to check the SHA pins of the GitHub Actions used in the workflow. This helps ensure that the specific versions of the actions are used, reducing the risk of unintended changes or potential security vulnerabilities.

  2. Triggered Events: The .github/workflows/gha-pin.yml workflow is triggered on three events: workflow_dispatch (manual trigger), push, and pull_request. This ensures that the SHA pin check is performed whenever changes are made to the repository.

  3. Helm Chart Release Process: The .github/workflows/release-x-manual-helm-chart.yml workflow automates the release process for a Helm chart. It includes steps to update the Docker image tag in the Helm chart values, create a new GitHub release with the packaged Helm chart, and update the Helm repository index file. The workflow also pins the versions of the dependencies used, such as the "azure/setup-helm" and "mikefarah/yq" actions.

These changes demonstrate a strong focus on security and reliability, ensuring that the GitHub Actions used in the repository are well-managed and the Helm chart release process is secure and automated.

Files Changed:

  1. .github/workflows/gha-pin.yml: This workflow checks the SHA pins of the GitHub Actions used in the repository, helping to maintain the integrity of the actions and reduce the risk of security vulnerabilities.

  2. .github/workflows/release-x-manual-helm-chart.yml: This workflow automates the release process for a Helm chart, including steps to update the Docker image tag, create a new GitHub release, and update the Helm repository index file. The workflow also pins the versions of the dependencies used, improving security and reliability.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

@kiblik kiblik marked this pull request as draft January 3, 2025 11:20
Maffooch
Maffooch requested changes Jan 3, 2025
View reviewed changes
.github/workflows/gha-pin.yml Outdated Show resolved Hide resolved
@kiblik kiblik changed the title feat(GHA): Add pinact (gha pin checker) feat(GHA): Pin azure/setup-helm Jan 25, 2025
@kiblik
Copy link
Contributor Author

kiblik commented Jan 25, 2025

I dropped pinact-action because it wasn't possible to use it without pinning another pinning: suzuki-shunsuke/pinact-action#505

The pin is not missing that often. Keeping another config would just increase overhead.

@kiblik kiblik requested a review from Maffooch January 25, 2025 16:14
@kiblik kiblik marked this pull request as ready for review January 25, 2025 16:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Maffooch Maffooch Awaiting requested review from Maffooch

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kiblik @Maffooch