From 3b7d15ffcfde385ec85989a3dc7096220d12c81e Mon Sep 17 00:00:00 2001
From: Bart Smykla
Date: Wed, 8 Jan 2025 12:09:56 +0100
Subject: [PATCH] ci(security): resolve security alerts (#12466)
Scorecard has some security alerts that need to be addressed.
- Pinned git commit hashes for scripts sourced from GitHub repositories in `mk/dependencies/*.sh` scripts.
- Pinned hashes for some GitHub Actions.
- Added comments to cron schedules for CodeQL and Scorecard GitHub Actions.
- Removed unnecessary `contents: read` permission in the CodeQL GitHub Action.
> Changelog: skip
---------
Signed-off-by: Bart Smykla
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
---
 .github/workflows/codeql.yaml | 3 +--
 .github/workflows/e2e.yaml | 2 +-
 .github/workflows/scorecard.yml | 2 +-
 mk/dependencies/deps.lock | 2 +-
 mk/dependencies/golangci-lint.sh | 2 +-
 mk/dependencies/helm.sh | 2 +-
 mk/dependencies/k3d.sh | 3 +--
 7 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index 44ceab13371b..533d67b579e3 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -2,7 +2,7 @@ name: "CodeQL"
 on:
 workflow_dispatch: {}
 schedule:
- - cron: '35 3 * * *'
+ - cron: '35 3 * * *' # Runs daily at 3:35 AM UTC
 permissions:
 contents: read
 jobs:
@@ -11,7 +11,6 @@ jobs:
 runs-on: ubuntu-24.04
 permissions:
 actions: read
- contents: read
 security-events: write
 strategy:
 fail-fast: false
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 361d2cd922fd..ecfc3cda2385 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -58,7 +58,7 @@ jobs:
 make build
 - run: |
 make -j build/distributions
- - uses: nick-fields/retry@v3
+ - uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
 id: retry
 with:
 max_attempts: 3
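Review bot: Dropping `contents: read` from the job-level `permissions` block in the second codeql.yaml hunk is not a no-op even though the same permission is declared at the top of the workflow: a job-level `permissions` block replaces the workflow-level one instead of merging with it, so this job's GITHUB_TOKEN is left with only `actions: read` and `security-events: write`. If the job checks out the repository or the CodeQL actions need repository read access (those steps are outside this hunk), the permission that was just removed is the one they rely on, while the workflow-level `contents: read` at the top of the file is the one that is effectively unused by this job. Worth confirming the workflow still completes, especially against a private checkout, and recording the decision with a comment above the job's `permissions:` key such as `# job-level permissions replace the workflow-level block; contents: read is intentionally omitted`. The job definition begins before this hunk.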
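Review bot: On the new `uses: nick-fields/retry@7152eba…` line the `# v3.0.0` trailer is the only human-readable record of what the SHA resolves to, and nothing on this page verifies that the commit is the one the `v3.0.0` tag points at; resolve it once against the tag (the tag can be moved, the commit cannot) and keep the trailer in the `# vX.Y.Z` form so Dependabot or Renovate keep proposing updates for the pinned ref. The commit message says only "some" actions were pinned, so any other `uses:` in this workflow that still references a mutable tag or branch will keep Scorecard's pinned-dependencies alert open; those lines are outside this hunk. The enclosing job starts before this hunk.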
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 59191c6cee14..b6e746f6af47 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -7,7 +7,7 @@ on:
 # To guarantee Maintained check is occasionally updated. See
 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
 schedule:
- - cron: '35 3 * * *'
+ - cron: '35 3 * * *' # Runs daily at 3:35 AM UTC
 # Declare default permissions as read only.
 permissions: read-all
 jobs:
diff --git a/mk/dependencies/deps.lock b/mk/dependencies/deps.lock
index e9ce5f326f32..72992ef3410b 100644
--- a/mk/dependencies/deps.lock
+++ b/mk/dependencies/deps.lock
@@ -1 +1 @@
-dbbf3720d787255a5b12b1e740d8418f92b69c6b
+e1ebef060c19050f02b6e1a8c5d7375fc49f135f
diff --git a/mk/dependencies/golangci-lint.sh b/mk/dependencies/golangci-lint.sh
index ce19d15f65d4..b235566c8da8 100755
--- a/mk/dependencies/golangci-lint.sh
+++ b/mk/dependencies/golangci-lint.sh
@@ -14,4 +14,4 @@ if [ -e "${golangcilint}" ] && [ "v$(${golangcilint} version --format short)" ==
 echo "golangci-lint ${VERSION} is already installed at ${OUTPUT_BIN_DIR}"
 exit
 fi
-curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${OUTPUT_BIN_DIR}" "${VERSION}"
+curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/e68d278319b6d0a68680e3389bc0576ef39ec02b/install.sh | sh -s -- -b "${OUTPUT_BIN_DIR}" "${VERSION}"
diff --git a/mk/dependencies/helm.sh b/mk/dependencies/helm.sh
index e39475dc78f8..c5511c03ce4e 100755
--- a/mk/dependencies/helm.sh
+++ b/mk/dependencies/helm.sh
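Review bot: Pinning the URL to a commit makes the fetched `install.sh` immutable, but the new `curl … | sh -s --` line still executes the stream as it arrives, so a transfer that drops part-way can run a truncated prefix of the script (`-f` rejects HTTP error statuses, not short bodies) and nothing checks the integrity of what was downloaded; the `helm.sh` and `k3d.sh` hunks below use the same pattern. Downloading to a temporary file first, optionally comparing its digest with a recorded value, and only then executing it closes both gaps without changing the installed version. Whether this script runs under `set -e` is not visible here, hence the explicit `|| exit 1`; the `if` whose condition is cut off in the hunk header begins before this hunk.

```shell
# … unchanged: already-installed check above …
install_script="$(mktemp)"
trap 'rm -f "${install_script}"' EXIT
curl -sSfL -o "${install_script}" https://raw.githubusercontent.com/golangci/golangci-lint/e68d278319b6d0a68680e3389bc0576ef39ec02b/install.sh || exit 1
# optional integrity check: echo "<sha256 of the pinned install.sh>  ${install_script}" | sha256sum -c -
sh "${install_script}" -b "${OUTPUT_BIN_DIR}" "${VERSION}"
```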
@@ -5,7 +5,7 @@ set -e
 OUTPUT_DIR=$1/bin
 VERSION="3.8.2"
 export PATH="$OUTPUT_DIR:$PATH" # install script checks if helm is in your path
-curl --fail --location -s https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | \
+curl --fail --location -s https://raw.githubusercontent.com/helm/helm/ad9768402951f48f61e1ecbea0c1894456d63a2a/scripts/get-helm-3 | \
 HELM_INSTALL_DIR=${OUTPUT_DIR} DESIRED_VERSION=v${VERSION} USE_SUDO=false bash
 CR_VERSION="1.3.0"
diff --git a/mk/dependencies/k3d.sh b/mk/dependencies/k3d.sh
index ba178a4c1b8a..2595a04be8b4 100755
--- a/mk/dependencies/k3d.sh
+++ b/mk/dependencies/k3d.sh
@@ -8,7 +8,6 @@ VERSION="5.4.7"
 if [[ $2 == "get-version" ]]; then
 echo ${VERSION}
 else
- # see https://raw.githubusercontent.com/rancher/k3d/main/install.sh
- curl --fail --location -s https://raw.githubusercontent.com/rancher/k3d/main/install.sh | \
+ curl --fail --location -s https://raw.githubusercontent.com/rancher/k3d/4709d6adb24b23721f471e667e7301fa673b5efc/install.sh | \
 PATH=${OUTPUT_DIR}:${PATH} TAG=v${VERSION} USE_SUDO="false" K3D_INSTALL_DIR="${OUTPUT_DIR}" bash
 fi
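Review bot: The k3d.sh hunk deletes the `# see https://raw.githubusercontent.com/rancher/k3d/main/install.sh` comment that was the only pointer to where the installer comes from, and the bare commit SHA that now replaces `main` in the URL tells a future maintainer neither which upstream state it captures nor when it should be refreshed. Keep a comment above the `curl` line such as `# rancher/k3d install.sh pinned at commit 4709d6adb24b… (upstream main as of <date pinned>); review the pin when bumping VERSION`. The bare-SHA URLs introduced in the `golangci-lint.sh` and `helm.sh` hunks would benefit from the same one-line provenance note.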