ci(security): resolve security alerts (#12466)

Scorecard has some security alerts that need to be addressed. - Pinned git commit hashes for scripts sourced from GitHub repositories in `mk/dependencies/*.sh` scripts. - Pinned hashes for some GitHub Actions. - Added comments to cron schedules for CodeQL and Scorecard GitHub Actions. - Removed unnecessary `contents: read` permission in the CodeQL GitHub Action. > Changelog: skip  --------- Signed-off-by: Bart Smykla <[email protected]> Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
kumahq · Jan 9, 2025 · 3b7d15f · 3b7d15f
1 parent 78fb3e3
commit 3b7d15f
Show file tree

Hide file tree

Showing 7 changed files with 7 additions and 9 deletions.
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -2,7 +2,7 @@ name: "CodeQL"
 on:
   workflow_dispatch: {}
   schedule:
-    - cron: '35 3 * * *'
+    - cron: '35 3 * * *' # Runs daily at 3:35 AM UTC
 permissions:
   contents: read
 jobs:
@@ -11,7 +11,6 @@ jobs:
     runs-on: ubuntu-24.04
     permissions:
       actions: read
-      contents: read
       security-events: write
     strategy:
       fail-fast: false

diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -58,7 +58,7 @@ jobs:
           make build
       - run: |
           make -j build/distributions
-      - uses: nick-fields/retry@v3
+      - uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
         id: retry
         with:
           max_attempts: 3

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -7,7 +7,7 @@ on:
   # To guarantee Maintained check is occasionally updated. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
-    - cron: '35 3 * * *'
+    - cron: '35 3 * * *' # Runs daily at 3:35 AM UTC
 # Declare default permissions as read only.
 permissions: read-all
 jobs:

diff --git a/mk/dependencies/deps.lock b/mk/dependencies/deps.lock
@@ -1 +1 @@
-dbbf3720d787255a5b12b1e740d8418f92b69c6b
+e1ebef060c19050f02b6e1a8c5d7375fc49f135f
diff --git a/mk/dependencies/golangci-lint.sh b/mk/dependencies/golangci-lint.sh
@@ -14,4 +14,4 @@ if [ -e "${golangcilint}" ] && [ "v$(${golangcilint} version --format short)" ==
   echo "golangci-lint ${VERSION} is already installed at ${OUTPUT_BIN_DIR}"
   exit
 fi
-curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${OUTPUT_BIN_DIR}" "${VERSION}"
+curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/e68d278319b6d0a68680e3389bc0576ef39ec02b/install.sh | sh -s -- -b "${OUTPUT_BIN_DIR}" "${VERSION}"
diff --git a/mk/dependencies/helm.sh b/mk/dependencies/helm.sh
@@ -5,7 +5,7 @@ set -e
 OUTPUT_DIR=$1/bin
 VERSION="3.8.2"
 export PATH="$OUTPUT_DIR:$PATH" # install script checks if helm is in your path
-curl --fail --location -s https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | \
+curl --fail --location -s https://raw.githubusercontent.com/helm/helm/ad9768402951f48f61e1ecbea0c1894456d63a2a/scripts/get-helm-3 | \
 	HELM_INSTALL_DIR=${OUTPUT_DIR} DESIRED_VERSION=v${VERSION} USE_SUDO=false bash
 
 CR_VERSION="1.3.0"

diff --git a/mk/dependencies/k3d.sh b/mk/dependencies/k3d.sh
@@ -8,7 +8,6 @@ VERSION="5.4.7"
 if [[ $2 == "get-version" ]]; then
   echo ${VERSION}
 else
-  # see https://raw.githubusercontent.com/rancher/k3d/main/install.sh
-  curl --fail --location -s https://raw.githubusercontent.com/rancher/k3d/main/install.sh | \
+  curl --fail --location -s https://raw.githubusercontent.com/rancher/k3d/4709d6adb24b23721f471e667e7301fa673b5efc/install.sh | \
             PATH=${OUTPUT_DIR}:${PATH} TAG=v${VERSION} USE_SUDO="false" K3D_INSTALL_DIR="${OUTPUT_DIR}" bash
 fi
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		dbbf3720d787255a5b12b1e740d8418f92b69c6b
		e1ebef060c19050f02b6e1a8c5d7375fc49f135f