diff --git a/.github/workflows/build_harbor_garbage_collector.yml b/.github/workflows/build_harbor_garbage_collector.yml index 7762542..50eabdb 100644 --- a/.github/workflows/build_harbor_garbage_collector.yml +++ b/.github/workflows/build_harbor_garbage_collector.yml @@ -3,19 +3,23 @@ name: Build Harbor garbage collector docker image on: workflow_dispatch: -permissions: - id-token: write +permissions: {} jobs: docker: runs-on: ubuntu-latest + permissions: + contents: read + id-token: write steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - name: Login to Stackable Harbor - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: oci.stackable.tech username: robot$stackable+github-action-build @@ -26,7 +30,7 @@ jobs: - name: Build and push id: build-and-push - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: context: ./tools/harbor-garbage-collector file: ./tools/harbor-garbage-collector/Dockerfile diff --git a/.github/workflows/build_harbor_sbom_browser.yml b/.github/workflows/build_harbor_sbom_browser.yml index 935a6bf..7ec63a2 100644 --- a/.github/workflows/build_harbor_sbom_browser.yml +++ b/.github/workflows/build_harbor_sbom_browser.yml @@ -3,19 +3,23 @@ name: Build SBOM browser docker image on: workflow_dispatch: -permissions: - id-token: write +permissions: {} jobs: docker: runs-on: ubuntu-latest + permissions: + contents: read + id-token: write steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - name: Login to Stackable Harbor - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: oci.stackable.tech username: robot$stackable+github-action-build @@ -26,7 +30,7 @@ jobs: - name: Build and push id: build-and-push - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: context: ./tools/harbor-sbom-browser file: ./tools/harbor-sbom-browser/Dockerfile diff --git a/.github/workflows/build_matterbridge.yml b/.github/workflows/build_matterbridge.yml index e8faea0..4b5ddc8 100644 --- a/.github/workflows/build_matterbridge.yml +++ b/.github/workflows/build_matterbridge.yml @@ -3,19 +3,23 @@ name: Build Matterbridge on: workflow_dispatch: -permissions: - id-token: write +permissions: {} jobs: docker: runs-on: ubuntu-latest + permissions: + contents: read + id-token: write steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - name: Login to Stackable Harbor - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: oci.stackable.tech username: robot$stackable+github-action-build @@ -26,7 +30,7 @@ jobs: - name: Build and push id: build-and-push - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: context: ./tools/matterbridge file: ./tools/matterbridge/Dockerfile diff --git a/.github/workflows/build_nexus_garbage_collector.yml b/.github/workflows/build_nexus_garbage_collector.yml index 67fa725..4112f73 100644 --- a/.github/workflows/build_nexus_garbage_collector.yml +++ b/.github/workflows/build_nexus_garbage_collector.yml @@ -3,19 +3,23 @@ name: Build Nexus garbage collector docker image on: workflow_dispatch: -permissions: - id-token: write +permissions: {} jobs: docker: runs-on: ubuntu-latest + permissions: + contents: read + id-token: write steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - name: Login to Stackable Harbor - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: oci.stackable.tech username: robot$stackable+github-action-build @@ -26,7 +30,7 @@ jobs: - name: Build and push id: build-and-push - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: context: ./tools/nexus-garbage-collector file: ./tools/nexus-garbage-collector/Dockerfile diff --git a/.github/workflows/build_oci_monitor.yml b/.github/workflows/build_oci_monitor.yml index 045591e..360d6f0 100644 --- a/.github/workflows/build_oci_monitor.yml +++ b/.github/workflows/build_oci_monitor.yml @@ -3,19 +3,23 @@ name: Build OCI monitor docker image on: workflow_dispatch: -permissions: - id-token: write +permissions: {} jobs: docker: runs-on: ubuntu-latest + permissions: + contents: read + id-token: write steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - name: Login to Stackable Harbor - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: oci.stackable.tech username: robot$stackable+github-action-build @@ -26,7 +30,7 @@ jobs: - name: Build and push id: build-and-push - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: context: ./tools/monitor-oci-artifacts file: ./tools/monitor-oci-artifacts/Dockerfile diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index ff5ac19..cef3c87 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -15,16 +15,46 @@ on: - lookup - full +permissions: {} + env: # Look at https://hub.docker.com/r/renovate/renovate/tags and identify new versions if an # update is required - RENOVATE_VERSION: sha256:3e59ae8e4251678f7a0ef5c0abc4e0abf643b5b10bcbbb36fc51c4427533f4d4 + # + # TODO: Renovate 37.78.0 is six major versions behind as of 30 June 2026. + # + # The config validator https://docs.renovatebot.com/config-validation/ (V 43.246.1) was run against all public + # stackabletech repositories + # + # Two repository configs require changes before upgrading: + # 1) SecObserve + # - Replace "baseBranches" with "baseBranchPatterns". + # - Replace "pip_requirements.fileMatch" with "pip_requirements.managerFilePatterns". + # - Remove "binarySource" from renovate.json because it is now a global-only option. + # 2) ny-tlc-report + # - Replace "config:base" preset with "config:recommended". + # + # Note: The validator only test the config files and does't check runtime behaviour etc + RENOVATE_VERSION: sha256:3e59ae8e4251678f7a0ef5c0abc4e0abf643b5b10bcbbb36fc51c4427533f4d4 #37.78.0 (1st Dec 2023) jobs: renovate: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout - uses: actions/checkout@v3.6.0 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - name: Self-hosted Renovate - run: docker run --rm --volume "${{ github.workspace }}/renovate/config.js:/usr/src/app/config.js" --env RENOVATE_TOKEN="${{ secrets.STACKY_RENOVATE_TOKEN }}" --env LOG_LEVEL=debug --env RENOVATE_DRY_RUN=${{ github.event.inputs.dry-run }} renovate/renovate@$RENOVATE_VERSION + env: + RENOVATE_TOKEN: ${{ secrets.STACKY_RENOVATE_TOKEN }} + RENOVATE_DRY_RUN: ${{ github.event.inputs.dry-run }} + run: | + docker run --rm \ + --volume "${{ github.workspace }}/renovate/config.js:/usr/src/app/config.js" \ + --env RENOVATE_TOKEN \ + --env LOG_LEVEL=debug \ + --env RENOVATE_DRY_RUN="$RENOVATE_DRY_RUN" \ + "renovate/renovate@$RENOVATE_VERSION"