CI updates (#9440)

* add labels to dependabot prs Signed-off-by: cpanato <ctadeu@gmail.com> * sync hashes and versions dependabot can update the version comment now Signed-off-by: cpanato <ctadeu@gmail.com> Signed-off-by: cpanato <ctadeu@gmail.com>
2022-12-22 16:37:26 +01:00 · 2022-12-22 16:37:26 +01:00 · bb60e02e96
commit bb60e02e96
parent 21aa7f55a3
11 changed files with 125 additions and 119 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -5,7 +5,15 @@ updates:
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "area/dependency"
      - "release-note-none"
      - "ok-to-test"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "area/dependency"
      - "release-note-none"
      - "ok-to-test"
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -33,9 +33,9 @@ jobs:
    steps:
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
-      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2
+      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
        id: filter
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
@ -59,10 +59,10 @@ jobs:
    steps:
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
      - name: Run Gosec Security Scanner
-        uses: securego/gosec@1af1d5bb49259b62e45c505db397dd2ada5d74f8 # master
+        uses: securego/gosec@1af1d5bb49259b62e45c505db397dd2ada5d74f8 # v2.14.0
        with:
          # G601 for zz_generated.deepcopy.go
          # G306 TODO: Expect WriteFile permissions to be 0600 or less
@ -76,24 +76,23 @@ jobs:
    if: |
      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.charts == 'true') || ${{ inputs.run_e2e }}
    steps:
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
-      - name: Set up Go 1.19.4
+      - name: Set up Go
        id: go
-        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
-          go-version: '1.19.4'
+          go-version: '1.19'
          check-latest: true
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 #v2.0.0
+        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
      - name: Set up Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.0.0
+        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
        with:
          version: latest
@ -104,7 +103,7 @@ jobs:
        run: |
          sudo apt-get -qq update || true
          sudo apt-get install -y pigz
-          curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.17.0/bin/linux/amd64/kubectl
+          curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.25.5/bin/linux/amd64/kubectl
          chmod +x ./kubectl
          sudo mv ./kubectl /usr/local/bin/kubectl
@ -145,17 +144,17 @@ jobs:
        k8s: [v1.23.13, v1.24.7, v1.25.3]
    steps:
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
      - name: Setup Go
-        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
-          go-version: '1.19.4'
+          go-version: '1.19'
          check-latest: true
      - name: cache
-        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3
+        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1
        with:
          name: docker.tar.gz
@ -192,7 +191,7 @@ jobs:
        run: |
          kind create cluster --image=kindest/node:${{ matrix.k8s }}
-      - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v1
+      - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0
        with:
          name: docker.tar.gz
          failOnError: false
@ -211,7 +210,6 @@ jobs:
          kind get kubeconfig > $HOME/.kube/kind-config-kind
          make kind-e2e-chart-tests
  kubernetes:
    name: Kubernetes
    runs-on: ubuntu-latest
@ -226,12 +224,11 @@ jobs:
        k8s: [v1.23.13, v1.24.7, v1.25.3]
    steps:
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
      - name: cache
-        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v2
+        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1
        with:
          name: docker.tar.gz
@ -240,7 +237,7 @@ jobs:
        run: |
          kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml
-      - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v1
+      - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0
        with:
          name: docker.tar.gz
          failOnError: false
@ -260,7 +257,7 @@ jobs:
          make kind-e2e-test
      - name: Uplaod e2e junit-reports
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
        if: success() || failure()
        with:
          name: e2e-test-reports-${{ matrix.k8s }}
@ -282,10 +279,10 @@ jobs:
    steps:
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
      - name: cache
-        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7
+        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1
        with:
          name: docker.tar.gz
@ -294,7 +291,7 @@ jobs:
        run: |
          kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml
-      - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af
+      - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0
        with:
          name: docker.tar.gz
          failOnError: false
@ -315,7 +312,7 @@ jobs:
          make kind-e2e-test
      - name: Uplaod e2e junit-reports
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
        if: success() || failure()
        with:
          name: e2e-test-reports-chroot-${{ matrix.k8s }}
@ -331,9 +328,9 @@ jobs:
      PLATFORMS: linux/amd64,linux/arm64
    steps:
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
-      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2
+      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
        id: filter-images
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
@ -388,7 +385,6 @@ jobs:
        run: |
          cd images/ext-auth-example-authsvc && make build
  test-image:
    permissions:
      contents: read  # for dorny/paths-filter to fetch a list of changed files
@ -405,9 +401,9 @@ jobs:
    steps:
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
-      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2
+      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
        id: filter-images
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
@ -421,12 +417,13 @@ jobs:
        run: |
          kind create cluster --image=kindest/node:${{ matrix.k8s }}
-      - name: Set up Go 1.19.4
+      - name: Set up Go
        id: go
        if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
-        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
-          go-version: '1.19.4'
+          go-version: '1.19'
          check-latest: true
      - name: kube-webhook-certgen image build
        if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
--- a/.github/workflows/depreview.yaml
+++ b/.github/workflows/depreview.yaml
@ -9,6 +9,6 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b #v3.0.2
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
      - name: 'Dependency Review'
-        uses: actions/dependency-review-action@0ff3da6f81b812d4ec3cf37a04e2308c7a723730 #v2.0.2
+        uses: actions/dependency-review-action@0ff3da6f81b812d4ec3cf37a04e2308c7a723730 # v3.0.2
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@ -22,11 +22,10 @@ jobs:
      charts: ${{ steps.filter.outputs.charts }}
    steps:
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b #v3.0.2
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
-      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2
+      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
        id: filter
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
@ -47,9 +46,8 @@ jobs:
      contents: write # needed to write releases
    steps:
      - name: Checkout master
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b #v3.0.2
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
      - name: Deploy
        uses: ./.github/actions/mkdocs
--- a/.github/workflows/helm.yaml
+++ b/.github/workflows/helm.yaml
@ -22,11 +22,10 @@ jobs:
      charts: ${{ steps.filter.outputs.charts }}
    steps:
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
-      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2
+      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
        id: filter
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
@ -49,9 +48,8 @@ jobs:
      (needs.changes.outputs.charts == 'true')
    steps:
      - name: Checkout master
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
        with:
          # Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896
          fetch-depth: 0
--- a/.github/workflows/junit-reports.yaml
+++ b/.github/workflows/junit-reports.yaml
@ -1,4 +1,5 @@
 name: 'E2E Test Report'
 on:
  workflow_run:
    workflows: ['CI']                     # runs after CI workflow
@ -8,7 +9,7 @@ jobs:
  report:
    runs-on: ubuntu-latest
    steps:
-    - uses: dorny/test-reporter@v1
+      - uses: dorny/test-reporter@c9b3d0e2bd2a4e96aaf424dbaa31c46b42318226 # v1.6.0
        with:
          artifact: /e2e-test-reports-(.*)/
          name: JEST Tests $1               # Name of the check run which will be created
--- a/.github/workflows/perftest.yaml
+++ b/.github/workflows/perftest.yaml
@ -1,4 +1,5 @@
 name: Performance Test
 on:
  workflow_dispatch:
    inputs:
@ -18,7 +19,7 @@ jobs:
    steps:
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
      - name: Install K6
        run: |
--- a/.github/workflows/plugin.yaml
+++ b/.github/workflows/plugin.yaml
@ -17,17 +17,18 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
        with:
          fetch-depth: 0
      - name: Set up Go
-        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
-          go-version: 1.19.4
+          go-version: 1.19
          check-latest: true
      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v3.0.0
+        uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v4.1.0
        with:
          version: latest
          args: release --rm-dist
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@ -1,11 +1,13 @@
 name: Scorecards supply-chain security
 on:
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    - cron: '20 11 * * 5'
  push:
-    branches: [ "main" ]
+    branches:
      - "main"
 # Declare default permissions as read only.
 permissions: read-all
@ -25,12 +27,12 @@ jobs:
    steps:
      - name: "Checkout code"
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.0
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
        with:
          persist-credentials: false
      - name: "Run analysis"
-        uses: ossf/scorecard-action@937ffa90d79c7d720498178154ad4c7ba1e4ad8c # v1.1.1
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
        with:
          results_file: results.sarif
          results_format: sarif
@ -49,7 +51,7 @@ jobs:
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
-        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.0.0
+        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
        with:
          name: SARIF file
          path: results.sarif
@ -57,6 +59,6 @@ jobs:
      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.14
+        uses: github/codeql-action/upload-sarif@896079047b4bb059ba6f150a5d87d47dde99e6e5 # v2.1.37
        with:
          sarif_file: results.sarif
--- a/.github/workflows/vulnerability-scans.yaml
+++ b/.github/workflows/vulnerability-scans.yaml
@ -22,7 +22,7 @@ jobs:
      versions: ${{ steps.version.outputs.TAGS }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
        with:
          fetch-depth: 0
@ -52,7 +52,7 @@ jobs:
        versions: ${{ fromJSON(needs.version.outputs.versions) }}
    steps:
      - name: Checkout code
-      uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
      - shell: bash
        id: test
@ -60,7 +60,7 @@ jobs:
      - name: Scan image with AquaSec/Trivy
        id: scan
-      uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 #v0.5.1
+        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # v0.8.0
        with:
          image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }}
          format: 'sarif'
@ -75,7 +75,7 @@ jobs:
      # This step checks out a copy of your repository.
      - name: Upload SARIF file
-      uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394
+        uses: github/codeql-action/upload-sarif@896079047b4bb059ba6f150a5d87d47dde99e6e5 # v2.1.37
        with:
          token: ${{ github.token }}
          # Path to SARIF file relative to the root of the repository