From f97e056b5da77f4692ef48013c8ea6588bcebd92 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Mon, 11 May 2026 23:22:21 +0600
Subject: [PATCH 1/5] Harden GitHub Actions workflows
- Pin every action ref to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be re-pointed at malicious code.
- Bump outdated actions/checkout@v1 to @v4.3.1 (where present).
- Tag-triggered workflows now check out with fetch-depth: 1 and fetch-tags: true so the tag ref is available downstream.
- release-tracker.yml grants contents: write at the job level so the default GITHUB_TOKEN can push commits/tags back to the repo.
Signed-off-by: Tamal Saha
---
.github/workflows/deploy.yml | 16 ++++++++++------
.github/workflows/freshen-images.yml | 6 +++---
2 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 5e4d6dc1a1..b89b88523c 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -20,6 +20,7 @@ jobs:
steps:
- uses: actions/checkout@v6
with:
+ fetch-tags: true
fetch-depth: 0
- id: check_docs_only
# Since PR's are squashed prior to merging to the branch checked out (default branch),
@@ -41,6 +42,7 @@ jobs:
- name: checkout
uses: actions/checkout@v6
with:
+ fetch-tags: true
fetch-depth: 0
- name: install
@@ -77,14 +79,14 @@ jobs:
steps:
- name: set up qemu
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
- name: set up buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: quay.io login
if: ${{ github.event_name != 'pull_request' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
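Review bot: The added `fetch-tags: true` is a no-op next to the unchanged `fetch-depth: 0` in the @@ -20 hunk, because actions/checkout with depth 0 already fetches all history and tags (`fetch-tags` only takes effect when `fetch-depth` is greater than 0); the same redundant pair is added in @@ -41 here and in the @@ -94 and @@ -140 hunks on the next line. The commit message describes tag-triggered jobs switching to `fetch-depth: 1` with `fetch-tags: true`, which is the combination that would actually change behaviour, so either set `fetch-depth: 1` in the jobs that do not need full history (the check_docs_only diff and the "create tags" step may need it, so confirm per job) or drop the key and fix the message. The message also claims a bump of `actions/checkout@v1` and a `contents: write` grant in release-tracker.yml, neither of which appears in this two-file diff.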
@@ -94,6 +96,7 @@ jobs:
- name: checkout
uses: actions/checkout@v6
with:
+ fetch-tags: true
fetch-depth: 0
- name: create tags
@@ -123,14 +126,14 @@ jobs:
steps:
- name: set up qemu
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
- name: set up buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: quay.io login
if: ${{ github.event_name != 'pull_request' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
@@ -140,6 +143,7 @@ jobs:
- name: checkout
uses: actions/checkout@v6
with:
+ fetch-tags: true
fetch-depth: 0
- name: create tags
diff --git a/.github/workflows/freshen-images.yml b/.github/workflows/freshen-images.yml
index aa3dde2ff0..425d48b175 100644
--- a/.github/workflows/freshen-images.yml
+++ b/.github/workflows/freshen-images.yml
@@ -35,11 +35,11 @@ jobs:
id: ["operator-sdk", "helm-operator", "scorecard-test"]
steps:
- name: set up qemu
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
- name: set up buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: quay.io login
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
From 12025cdf4595277d1ad4463593035a4419acd032 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Tue, 12 May 2026 20:07:18 +0600
Subject: [PATCH 2/5] Restrict /ok-to-test to org members
Signed-off-by: Tamal Saha
---
.github/workflows/rerun.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/rerun.yml b/.github/workflows/rerun.yml
index cc2942a3da..44e0a718bf 100644
--- a/.github/workflows/rerun.yml
+++ b/.github/workflows/rerun.yml
@@ -5,7 +5,9 @@ on:
jobs:
rerun_tests:
name: rerun_pr_tests
- if: ${{ github.event.issue.pull_request }}
+ if: |
+ github.event.issue.pull_request &&
+ (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER')
runs-on: ubuntu-24.04
steps:
- uses: operator-framework/rerun-actions@v0.4.0
From 3ca9e3d7a8b72689f8b7f4ceb622a9a6607a586c Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Tue, 12 May 2026 20:29:22 +0600
Subject: [PATCH 3/5] Pin GitHub Actions to commit SHAs
Signed-off-by: Tamal Saha
---
.github/workflows/rerun.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/rerun.yml b/.github/workflows/rerun.yml
index 44e0a718bf..b30b154217 100644
--- a/.github/workflows/rerun.yml
+++ b/.github/workflows/rerun.yml
@@ -10,7 +10,7 @@ jobs:
(github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER')
runs-on: ubuntu-24.04
steps:
- - uses: operator-framework/rerun-actions@v0.4.0
+ - uses: operator-framework/rerun-actions@6660c16a6581b198ac59545c06531a6077bf7be6 # v0.4.0
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
comment_id: ${{ github.event.comment.id }}
From 7613329887af7c1d6e586bf3e470ab60634c50a0 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Thu, 14 May 2026 17:31:39 +0600
Subject: [PATCH 4/5] Pin docker/login-action to v4.1.0
Signed-off-by: Tamal Saha
---
.github/workflows/deploy.yml | 4 ++--
.github/workflows/freshen-images.yml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index b89b88523c..7e39eae5a0 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
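Review bot: The new `if:` in the @@ -5 hunk admits only `OWNER` and `MEMBER`, so an outside collaborator with write access (`author_association == 'COLLABORATOR'`) who can review and merge the PR can no longer trigger a rerun; if that exclusion is intended, a one-line comment above the condition should say so, otherwise extend the parenthesised clause with `|| github.event.comment.author_association == 'COLLABORATOR'`. Note that on a public repository `MEMBER` matches every member of the owning organization, not only this repository's maintainers, so the gate is organization-wide trust rather than repo-level trust. The workflow's `on:` block and any job-level `permissions:` are outside the hunk; since the step passes `secrets.GITHUB_TOKEN` to the rerun action, it is worth confirming a `permissions:` block scopes that token to what the action needs.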
@@ -86,7 +86,7 @@ jobs:
- name: quay.io login
if: ${{ github.event_name != 'pull_request' }}
- uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
@@ -133,7 +133,7 @@ jobs:
- name: quay.io login
if: ${{ github.event_name != 'pull_request' }}
- uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
diff --git a/.github/workflows/freshen-images.yml b/.github/workflows/freshen-images.yml
index 425d48b175..04465c9ab2 100644
--- a/.github/workflows/freshen-images.yml
+++ b/.github/workflows/freshen-images.yml
@@ -39,7 +39,7 @@ jobs:
- name: set up buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: quay.io login
- uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
From 58c58c989dc8dd1d8ccdfec019198e9df35fdceb Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Fri, 15 May 2026 14:26:36 +0600
Subject: [PATCH 5/5] Pin actions to commit SHAs
Signed-off-by: Tamal Saha
---
.github/workflows/deploy.yml | 14 +++++++-------
.github/workflows/freshen-images.yml | 6 +++---
.github/workflows/integration.yml | 6 +++---
.github/workflows/olm-check.yml | 2 +-
.github/workflows/test-go.yml | 10 +++++-----
.github/workflows/test-helm.yml | 6 +++---
.github/workflows/test-sample-go.yml | 6 +++---
.github/workflows/test-sanity.yml | 8 ++++----
8 files changed, 29 insertions(+), 29 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 7e39eae5a0..2a262425c9 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -18,7 +18,7 @@ jobs:
outputs:
skip: ${{ steps.check_docs_only.outputs.skip }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-tags: true
fetch-depth: 0
@@ -40,13 +40,13 @@ jobs:
environment: deploy
steps:
- name: checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-tags: true
fetch-depth: 0
- name: install
- uses: actions/setup-go@v6
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
with:
go-version-file: "go.mod"
@@ -86,7 +86,7 @@ jobs:
- name: quay.io login
if: ${{ github.event_name != 'pull_request' }}
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
@@ -94,7 +94,7 @@ jobs:
# Check out repo before tag step for script.
- name: checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-tags: true
fetch-depth: 0
@@ -133,7 +133,7 @@ jobs:
- name: quay.io login
if: ${{ github.event_name != 'pull_request' }}
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
@@ -141,7 +141,7 @@ jobs:
# Check out repo before tag step for script.
- name: checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-tags: true
fetch-depth: 0
diff --git a/.github/workflows/freshen-images.yml b/.github/workflows/freshen-images.yml
index 04465c9ab2..ce316eb2d9 100644
--- a/.github/workflows/freshen-images.yml
+++ b/.github/workflows/freshen-images.yml
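Review bot: In the @@ -18 hunk the floating `actions/checkout@v6` is replaced by a SHA labelled `# v4.3.1`, and in @@ -40 `actions/setup-go@v6` by one labelled `# v5.6.0`, so besides pinning, the change silently moves both actions back one or two major versions; the same substitution repeats in @@ -94 and @@ -141 here and in every hunk of freshen-images.yml, integration.yml, olm-check.yml, test-go.yml, test-helm.yml, test-sample-go.yml and test-sanity.yml. A pin should resolve the tag the workflow already ran on, e.g. `uses: actions/checkout@<full SHA of the v6 release tag> # v6.x.y`, and each trailing comment has to be verified against its SHA before merge, because reviewers and update bots treat that comment as the truth about what is pinned. If the older majors are deliberate (the PATCH 1/5 message mentions v4.3.1 as a target), the commit message should state that and why.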
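Review bot: The @@ -86 hunk reverts `docker/login-action` from the `4907a6dd…` `# v4.1.0` pin that PATCH 4/5 introduced back to `c94ce9fb…` `# v3.7.0`, so across the series PATCH 4/5 is undone and the tree ends on v3.7.0 while its subject still says "Pin docker/login-action to v4.1.0"; the same revert appears in @@ -133 here and in freshen-images.yml @@ -39 on the next line. If v4.1.0 is the intended version, drop these three changes (or squash PATCH 4/5 and 5/5) so the line stays `uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0`; if the downgrade is deliberate, it needs a sentence in the message explaining it.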
@@ -18,7 +18,7 @@ jobs:
git_tags: ${{ steps.tags.outputs.git_tags }}
steps:
- name: checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
- id: tags
@@ -39,13 +39,13 @@ jobs:
- name: set up buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: quay.io login
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
registry: quay.io
- name: checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 1
- name: build and push
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index ceab50c55d..428e8894b0 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -9,7 +9,7 @@ jobs:
outputs:
skip: ${{ steps.check_docs_only.outputs.skip }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
- id: check_docs_only
@@ -26,7 +26,7 @@ jobs:
needs: check_docs_only
if: needs.check_docs_only.outputs.skip != 'true'
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
@@ -34,7 +34,7 @@ jobs:
run: |
.github/workflows/clean-unused-disk-space.sh
- - uses: actions/setup-go@v6
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
with:
go-version-file: "go.mod"
- run: make test-e2e-integration
diff --git a/.github/workflows/olm-check.yml b/.github/workflows/olm-check.yml
index 2a10b7ccf3..edba3dbb56 100644
--- a/.github/workflows/olm-check.yml
+++ b/.github/workflows/olm-check.yml
@@ -12,7 +12,7 @@ jobs:
name: check-olm-minor-releases
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- id: run-check-olm
run: ./hack/check-olm.sh
diff --git a/.github/workflows/test-go.yml b/.github/workflows/test-go.yml
index 8e71b894fa..dd898dca25 100644
--- a/.github/workflows/test-go.yml
+++ b/.github/workflows/test-go.yml
@@ -12,7 +12,7 @@ jobs:
outputs:
skip: ${{ steps.check_docs_only.outputs.skip }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
- id: check_docs_only
@@ -29,7 +29,7 @@ jobs:
needs: check_docs_only
if: needs.check_docs_only.outputs.skip != 'true'
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
@@ -37,7 +37,7 @@ jobs:
run: |
.github/workflows/clean-unused-disk-space.sh
- - uses: actions/setup-go@v6
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
with:
go-version-file: "go.mod"
- run: sudo rm -rf /usr/local/bin/kustomize
@@ -49,7 +49,7 @@ jobs:
needs: check_docs_only
if: needs.check_docs_only.outputs.skip != 'true'
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
@@ -57,7 +57,7 @@ jobs:
run: |
.github/workflows/clean-unused-disk-space.sh
- - uses: actions/setup-go@v6
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
with:
go-version-file: "go.mod"
- run: make test-unit
diff --git a/.github/workflows/test-helm.yml b/.github/workflows/test-helm.yml
index 11e5a6c086..1371a2fc7e 100644
--- a/.github/workflows/test-helm.yml
+++ b/.github/workflows/test-helm.yml
@@ -9,7 +9,7 @@ jobs:
outputs:
skip: ${{ steps.check_docs_only.outputs.skip }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
- id: check_docs_only
@@ -26,7 +26,7 @@ jobs:
needs: check_docs_only
if: needs.check_docs_only.outputs.skip != 'true'
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
@@ -34,7 +34,7 @@ jobs:
run: |
.github/workflows/clean-unused-disk-space.sh
- - uses: actions/setup-go@v6
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
with:
go-version-file: "go.mod"
- run: sudo rm -rf /usr/local/bin/kustomize
diff --git a/.github/workflows/test-sample-go.yml b/.github/workflows/test-sample-go.yml
index 3d0a7a355b..ce05f7aaef 100644
--- a/.github/workflows/test-sample-go.yml
+++ b/.github/workflows/test-sample-go.yml
@@ -9,7 +9,7 @@ jobs:
outputs:
skip: ${{ steps.check_docs_only.outputs.skip }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
- id: check_docs_only
@@ -26,7 +26,7 @@ jobs:
needs: check_docs_only
if: needs.check_docs_only.outputs.skip != 'true'
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
@@ -34,7 +34,7 @@ jobs:
run: |
.github/workflows/clean-unused-disk-space.sh
- - uses: actions/setup-go@v6
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
with:
go-version-file: "go.mod"
- run: sudo rm -rf /usr/local/bin/kustomize
diff --git a/.github/workflows/test-sanity.yml b/.github/workflows/test-sanity.yml
index 34f9f5fd82..6dea8cc99b 100644
--- a/.github/workflows/test-sanity.yml
+++ b/.github/workflows/test-sanity.yml
@@ -9,7 +9,7 @@ jobs:
outputs:
skip: ${{ steps.check_docs_only.outputs.skip }}
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
- id: check_docs_only
@@ -26,7 +26,7 @@ jobs:
needs: check_docs_only
if: needs.check_docs_only.outputs.skip != 'true'
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
@@ -34,7 +34,7 @@ jobs:
run: |
.github/workflows/clean-unused-disk-space.sh
- - uses: actions/setup-go@v6
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
with:
go-version-file: "go.mod"
id: go
@@ -45,7 +45,7 @@ jobs:
name: docs
runs-on: ubuntu-24.04
steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
submodules: recursive