From c1cb92dc69a4615b46af3c9c43c796459c20acff Mon Sep 17 00:00:00 2001 From: Bart Smykla Date: Thu, 9 Jan 2025 14:03:34 +0100 Subject: [PATCH] ci(security): resolve security alerts from scorecard (#12492) ## Motivation It's a backport of changes which resolved most of the scorecard alerts in master - # 12466 - # 12477 - # 12480 --------- Signed-off-by: Bart Smykla Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .github/workflows/_build_publish.yaml | 1 - .github/workflows/_e2e.yaml | 2 +- .github/workflows/_provenance.yaml | 15 ++++++++----- .github/workflows/build-test-distribute.yaml | 23 +++++--------------- .github/workflows/ci-stability.yaml | 3 ++- .github/workflows/codeql.yaml | 3 +-- .github/workflows/scorecard.yml | 2 +- mk/dependencies/deps.lock | 2 +- mk/dependencies/golangci-lint.sh | 2 +- mk/dependencies/helm.sh | 2 +- mk/dependencies/k3d.sh | 3 +-- 11 files changed, 24 insertions(+), 34 deletions(-)
diff --git a/.github/workflows/_build_publish.yaml b/.github/workflows/_build_publish.yaml
index fe7638604747..0dbf23a7b840 100644
--- a/.github/workflows/_build_publish.yaml
+++ b/.github/workflows/_build_publish.yaml
@@ -32,7 +32,6 @@ on:
 value: ${{ jobs.digest-images.outputs.DIGESTS }}
 permissions:
 contents: read
- id-token: write # Required for image signing
 env:
 CI_TOOLS_DIR: "/home/runner/work/kuma/kuma/.ci_tools"
 FULL_MATRIX: ${{ inputs.FULL_MATRIX }}
diff --git a/.github/workflows/_e2e.yaml b/.github/workflows/_e2e.yaml
index 51b52cc7221a..7f145dff4b33 100644
--- a/.github/workflows/_e2e.yaml
+++ b/.github/workflows/_e2e.yaml
@@ -57,7 +57,7 @@ jobs:
 make build
 - run: |
 make -j build/distributions
- - uses: nick-fields/retry@v3
+ - uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
 id: retry
 with:
 max_attempts: 3
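Review bot: Dropping `id-token: write` from this workflow-level `permissions` block changes what the jobs in `_build_publish.yaml` can do, because a called workflow's own `permissions` key can only narrow the token the caller passes in; the caller (`build_publish` in `build-test-distribute.yaml`) still grants `id-token: write`, but with only `contents: read` declared here that grant no longer reaches the jobs unless each signing job declares it itself. The jobs are outside this hunk, so please confirm the image-signing job carries a job-level block with `id-token: write # Required for image signing`, otherwise signing fails when that job runs on a release rather than in PR CI. If it does, a short comment on the `contents: read` line noting that `id-token` is granted per job would save the next reader the same check.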
diff --git a/.github/workflows/_provenance.yaml b/.github/workflows/_provenance.yaml
index 7e12c57d20da..7724358f3ad6 100644
--- a/.github/workflows/_provenance.yaml
+++ b/.github/workflows/_provenance.yaml
@@ -22,13 +22,13 @@ on:
 required: true
 type: string
 description: notary repository
-permissions:
- contents: write
- id-token: write # needed for signing the images
- actions: read # For getting workflow run info to build provenance
- packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
+permissions: {}
 jobs:
 artifact-provenance:
+ permissions:
+ contents: write # To add assets to a release
+ actions: read # For getting workflow run info to build provenance
+ id-token: write # needed for signing the images
 # need to use non hash version because of: https://github.com/slsa-framework/slsa-github-generator/issues/3498
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
 with:
@@ -47,6 +47,11 @@ jobs:
 # TODO:
 # Split provenance jobs for internal / official releases when repositories are split
 images-provenance:
+ permissions:
+ contents: read
+ actions: read # For getting workflow run info to build provenance
+ id-token: write # needed for signing the images
+ packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
 strategy:
 fail-fast: true
 matrix:
diff --git a/.github/workflows/build-test-distribute.yaml b/.github/workflows/build-test-distribute.yaml
index 2f1a0ee944cd..a867e098ac9d 100644
--- a/.github/workflows/build-test-distribute.yaml
+++ b/.github/workflows/build-test-distribute.yaml
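Review bot: The new job-level comment `id-token: write # needed for signing the images` under `artifact-provenance` is copied from the image job, but this job calls `generator_generic_slsa3.yml` (fed with the binary artifact hash by the caller in `build-test-distribute.yaml`), so the comment misdescribes the scope. `id-token: write` is what the SLSA generator needs to obtain the OIDC identity it signs the provenance attestation with; `id-token: write # needed by the SLSA generator to sign the provenance (OIDC)` says that, while the identical comment under `images-provenance` in the next hunk is accurate as written. With the workflow-level block now `permissions: {}`, each job lists exactly the scopes it passes to the called generator workflow, which is the right shape for a called workflow.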
@@ -7,10 +7,7 @@ on:
 branches: ["master", "release-*"]
 workflow_dispatch: # Allows manual trigger from GitHub Actions UI or via REST call
 permissions:
- contents: write # To upload assets
- id-token: write # For using token to sign images
- actions: read # For getting workflow run info to build provenance
- packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
+ contents: read
 env:
 KUMA_DIR: "."
 CI_TOOLS_DIR: "/home/runner/work/kuma/kuma/.ci_tools"
@@ -21,8 +18,7 @@ jobs:
 check:
 permissions:
 contents: read
- # golangci-lint-action
- checks: write
+ checks: write # needed for golangci/golangci-lint-action to add code annotations in PRs
 timeout-minutes: 25
 runs-on: ubuntu-24.04
 env:
@@ -82,8 +78,6 @@ jobs:
 echo "version=$(make build/info/version)" >> $GITHUB_OUTPUT
 echo "distribution_repository=$(make build/info/cloudsmith_repository)" >> $GITHUB_OUTPUT
 test:
- permissions:
- contents: read
 needs: ["check"]
 uses: ./.github/workflows/_test.yaml
 with:
@@ -93,7 +87,7 @@ jobs:
 build_publish:
 permissions:
 contents: read
- id-token: write
+ id-token: write # Required for image signing
 needs: ["check", "test"]
 uses: ./.github/workflows/_build_publish.yaml
 if: ${{ fromJSON(needs.check.outputs.BUILD) }}
@@ -113,9 +107,9 @@ jobs:
 uses: ./.github/workflows/_provenance.yaml
 secrets: inherit
 permissions:
- contents: write
- id-token: write # For using token to sign images
 actions: read # For getting workflow run info to build provenance
+ contents: write # To add assets to a release
+ id-token: write # For using token to sign images
 packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
 with:
 BINARY_ARTIFACTS_HASH_AS_FILE: ${{ needs.build_publish.outputs.BINARY_ARTIFACT_DIGEST_BASE64 }}
@@ -128,9 +122,6 @@ jobs:
 timeout-minutes: 10
 if: ${{ always() }}
 runs-on: ubuntu-24.04
- permissions:
- contents: read
- actions: read # For getting workflow run info
 env:
 SECURITY_ASSETS_DOWNLOAD_PATH: "${{ github.workspace }}/security-assets"
 SECURITY_ASSETS_PACKAGE_NAME: "security-assets" # Cloudsmith package for hosting security assets
@@ -150,8 +141,6 @@ jobs:
 path: ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
 pattern: "*sbom.{cyclonedx,spdx}.json"
 merge-multiple: true
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: "Download binary artifact provenance"
 if: ${{ needs.provenance.result == 'success' && github.ref_type == 'tag' }}
 id: collect_provenance
@@ -160,8 +149,6 @@ jobs:
 path: ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
 pattern: ${{ github.event.repository.name }}.intoto.jsonl
 merge-multiple: true
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: "Generate security assets TAR"
 if: ${{ needs.build_publish.result == 'success' }}
 id: security_assets_metadata
diff --git a/.github/workflows/ci-stability.yaml b/.github/workflows/ci-stability.yaml
index 89069ee3840d..180e09342088 100644
--- a/.github/workflows/ci-stability.yaml
+++ b/.github/workflows/ci-stability.yaml
@@ -16,6 +16,7 @@ on:
 env:
 GH_USER: "github-actions[bot]"
 GH_EMAIL: "<41898282+github-actions[bot]@users.noreply.github.com>"
+permissions: {}
 jobs:
 trigger-ci:
 runs-on: ubuntu-24.04
@@ -27,7 +28,7 @@ jobs:
 app-id: ${{ secrets.APP_ID }}
 private-key: ${{ secrets.APP_PRIVATE_KEY }}
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 with:
 fetch-depth: 0
 token: ${{ steps.github-app-token.outputs.token }}
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index e44c296c19ca..8b735c69d8cf 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
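Review bot: Removing this job-level `permissions` block makes the job inherit the workflow-level block, which the first hunk of this file reduced to `contents: read`, so the job silently loses the `actions: read` it held before; the two later hunks in this file (`@@ -150` and `@@ -160`) also drop the `GH_TOKEN` env from the artifact download steps. Same-run downloads with `actions/download-artifact` do not need either, but any step in this job that calls the GitHub API through `gh` or downloads by `run-id` would now fail with a permission error, and the job's remaining steps are outside the hunk, so this deserves a check before the change reaches a tag build. If `contents: read` is really all the job needs, a one-line comment such as `# inherits workflow-level permissions (contents: read)` above `env:` would make that intent visible.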
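Review bot: The pinned `actions/checkout` step still passes the GitHub App token via `token:` and keeps checkout's default `persist-credentials: true`, so that token is stored in the checkout's `.git/config` and stays readable by every later step and third-party action in the job. If later steps push with plain `git`, that persistence is what they rely on; if they use `gh` or the token output directly instead, add `persist-credentials: false` under `with:` so the App credential does not outlive the step. The rest of the job is outside the hunk, so I could not tell which case applies; note also that the pin moves from v3 to v4.2.0, a major version bump the commit message does not call out.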
@@ -2,7 +2,7 @@ name: "CodeQL"
 on:
 workflow_dispatch: {}
 schedule:
- - cron: '35 3 * * *'
+ - cron: '35 3 * * *' # Runs daily at 3:35 AM UTC
 permissions:
 contents: read
 jobs:
@@ -12,7 +12,6 @@ jobs:
 runs-on: ubuntu-24.04
 permissions:
 actions: read
- contents: read
 security-events: write
 strategy:
 fail-fast: false
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 8e5e88f79110..57b7580d7364 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -7,7 +7,7 @@ on:
 # To guarantee Maintained check is occasionally updated. See
 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
 schedule:
- - cron: '35 3 * * *'
+ - cron: '35 3 * * *' # Runs daily at 3:35 AM UTC
 # Declare default permissions as read only.
 permissions: read-all
 jobs:
diff --git a/mk/dependencies/deps.lock b/mk/dependencies/deps.lock
index 8ea30fa386e0..425198b0b1d7 100644
--- a/mk/dependencies/deps.lock
+++ b/mk/dependencies/deps.lock
@@ -1 +1 @@
-f6b0e50e8e4e29117feb760a7a89a3caae215653
+f8aeed5427ff7d4c6b6f9a3136cbdc1b3fea1aaa
diff --git a/mk/dependencies/golangci-lint.sh b/mk/dependencies/golangci-lint.sh
index 18f7625fefa9..4dafbf35ea05 100755
--- a/mk/dependencies/golangci-lint.sh
+++ b/mk/dependencies/golangci-lint.sh
@@ -14,4 +14,4 @@ if [ -e "${golangcilint}" ] && [ "v$(${golangcilint} version --format short)" ==
 echo "golangci-lint ${VERSION} is already installed at ${OUTPUT_BIN_DIR}"
 exit
 fi
-curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${OUTPUT_BIN_DIR}" "${VERSION}"
+curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/e68d278319b6d0a68680e3389bc0576ef39ec02b/install.sh | sh -s -- -b "${OUTPUT_BIN_DIR}" "${VERSION}"
diff --git a/mk/dependencies/helm.sh b/mk/dependencies/helm.sh
index 09ff2a724178..f20b76529d5c 100755
--- a/mk/dependencies/helm.sh
+++ b/mk/dependencies/helm.sh
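Review bot: Removing `contents: read` from this job-level `permissions` block drops the scope for this job instead of deduplicating it, because a job-level `permissions` key replaces the workflow-level block rather than merging with it and every scope it omits becomes `none`; the workflow-level `contents: read` kept in the previous hunk therefore no longer applies to this job. The CodeQL starter workflow lists `contents: read` as required for private repositories, so on a public repository `actions/checkout` may still succeed anonymously, but the job breaks the day the repository visibility changes or a step needs an authenticated read, and the other workflows in this commit keep `contents: read` explicit in their job-level blocks. Keeping `contents: read` here next to `actions: read` and `security-events: write` is the safer and more consistent choice.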
@@ -5,7 +5,7 @@ set -e
 OUTPUT_DIR=$1/bin
 VERSION="3.8.2"
 export PATH="$OUTPUT_DIR:$PATH" # install script checks if helm is in your path
-curl --fail --location -s https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | \
+curl --fail --location -s https://raw.githubusercontent.com/helm/helm/ad9768402951f48f61e1ecbea0c1894456d63a2a/scripts/get-helm-3 | \
 HELM_INSTALL_DIR=${OUTPUT_DIR} DESIRED_VERSION=v${VERSION} USE_SUDO=false bash
 CR_VERSION="1.3.0"
diff --git a/mk/dependencies/k3d.sh b/mk/dependencies/k3d.sh
index 0fec1e1bc576..0005a637b8ca 100755
--- a/mk/dependencies/k3d.sh
+++ b/mk/dependencies/k3d.sh
@@ -8,7 +8,6 @@ VERSION="5.7.4"
 if [[ $2 == "get-version" ]]; then
 echo ${VERSION}
 else
- # see https://raw.githubusercontent.com/rancher/k3d/main/install.sh
- curl --fail --location -s https://raw.githubusercontent.com/rancher/k3d/main/install.sh | \
+ curl --fail --location -s https://raw.githubusercontent.com/rancher/k3d/4709d6adb24b23721f471e667e7301fa673b5efc/install.sh | \
 PATH=${OUTPUT_DIR}:${PATH} TAG=v${VERSION} USE_SUDO="false" K3D_INSTALL_DIR="${OUTPUT_DIR}" bash
 fi
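Review bot: Pinning `get-helm-3` to a commit fixes which installer runs, but the failure mode of `curl ... | ... bash` is unchanged: the script runs under `set -e` (visible in the hunk header) without `pipefail`, so when `curl --fail` exits non-zero the right-hand `bash` reads an empty script, exits 0, and execution carries on until something later fails because `helm` is missing. Adding `set -o pipefail` next to `set -e`, or downloading the pinned script to a temporary file and running it from there, makes the download failure the reported error and gives a natural place to verify a checksum of the pinned installer before it executes. `golangci-lint.sh` (`curl -sSfL ... | sh`) and `k3d.sh` in this commit have the same pipeline shape; their `set` lines are outside their hunks, so the same check applies there where the scripts run under bash.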