Merge pull request #10840 from step-security-bot/stepsecurity_remediation_1729057981

[StepSecurity] ci: Harden GitHub Actions
Samuel Karp 2024-10-16 07:15:54 +00:00 committed by GitHub
commit 37943cf6e4
12 changed files with 78 additions and 78 deletions


@ -22,7 +22,7 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with: with:
ref: ${{ github.ref }} ref: ${{ github.ref }}
path: src/github.com/containerd/containerd path: src/github.com/containerd/containerd
@ -50,7 +50,7 @@ jobs:
working-directory: src/github.com/containerd/containerd working-directory: src/github.com/containerd/containerd
- name: Save release notes - name: Save release notes
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: containerd-release-notes name: containerd-release-notes
path: src/github.com/containerd/containerd/release-notes.md path: src/github.com/containerd/containerd/release-notes.md
@ -65,11 +65,11 @@ jobs:
needs: [check] needs: [check]
steps: steps:
- name: Download release notes - name: Download release notes
uses: actions/download-artifact@v4 uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with: with:
path: builds path: builds
- name: Create Release - name: Create Release
uses: softprops/action-gh-release@v2 uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
fail_on_unmatched_files: true fail_on_unmatched_files: true
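Review bot: The SHA pins on lines like `uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1` are only as safe as the process that keeps them current; a frozen SHA also freezes any future security fix in the action, so this commit should be paired with an updater configured for the `github-actions` ecosystem (Dependabot and Renovate can both track SHA pins and rewrite the trailing version comment) if the repository does not already have one. The `# v4.2.1` comment is documentation only and is never checked against the SHA when the workflow runs, so a reviewer of a later change should confirm the two still agree rather than trust the comment. The same point applies to every other file section in this commit.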


@ -41,7 +41,7 @@ jobs:
working-directory: src/github.com/containerd/containerd working-directory: src/github.com/containerd/containerd
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with: with:
path: src/github.com/containerd/containerd path: src/github.com/containerd/containerd
@ -72,18 +72,18 @@ jobs:
echo "SSH_PUB_KEY=$(cat ~/.ssh/id_rsa.pub)" >> $GITHUB_ENV echo "SSH_PUB_KEY=$(cat ~/.ssh/id_rsa.pub)" >> $GITHUB_ENV
- name: Azure Login - name: Azure Login
uses: azure/login@v2 uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
with: with:
creds: ${{ secrets.AZURE_CREDS }} creds: ${{ secrets.AZURE_CREDS }}
- name: Create Azure Resource Group - name: Create Azure Resource Group
uses: azure/CLI@v1 uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9
with: with:
inlinescript: | inlinescript: |
az group create -n ${{ env.AZURE_RESOURCE_GROUP }} -l ${{ github.event.inputs.azure_location }} --tags creationTimestamp=$(date +%Y-%m-%dT%T%z) az group create -n ${{ env.AZURE_RESOURCE_GROUP }} -l ${{ github.event.inputs.azure_location }} --tags creationTimestamp=$(date +%Y-%m-%dT%T%z)
- name: Create Windows Helper VM - name: Create Windows Helper VM
uses: azure/CLI@v1 uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9
with: with:
inlinescript: | inlinescript: |
PASSWORD="$(/usr/bin/tr -dc "a-zA-Z0-9@#$%^&*()_+?><~\`;" < /dev/urandom | /usr/bin/head -c 24; echo '')" PASSWORD="$(/usr/bin/tr -dc "a-zA-Z0-9@#$%^&*()_+?><~\`;" < /dev/urandom | /usr/bin/head -c 24; echo '')"
@ -98,7 +98,7 @@ jobs:
az vm open-port --resource-group ${{ env.AZURE_RESOURCE_GROUP }} --name WinDockerHelper --port 2376 --priority 102 az vm open-port --resource-group ${{ env.AZURE_RESOURCE_GROUP }} --name WinDockerHelper --port 2376 --priority 102
- name: Prepare Windows image helper - name: Prepare Windows image helper
uses: azure/CLI@v1 uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9
with: with:
inlinescript: | inlinescript: |
# Installs Windows features, opens SSH and Docker port # Installs Windows features, opens SSH and Docker port
@ -120,7 +120,7 @@ jobs:
--parameters 'SSHPublicKey=${{ env.SSH_PUB_KEY }}' --parameters 'SSHPublicKey=${{ env.SSH_PUB_KEY }}'
- name: Get Windows Helper IPs - name: Get Windows Helper IPs
uses: azure/CLI@v1 uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9
with: with:
inlinescript: | inlinescript: |
VM_DETAILS=$(az vm show -d -g ${{ env.AZURE_RESOURCE_GROUP }} -n WinDockerHelper -o json) VM_DETAILS=$(az vm show -d -g ${{ env.AZURE_RESOURCE_GROUP }} -n WinDockerHelper -o json)
@ -142,7 +142,7 @@ jobs:
scp -i $HOME/.ssh/id_rsa ${{ env.SSH_OPTS }} azureuser@${{ env.PUBLIC_IP }}:/Users/azureuser/.docker/key.pem $HOME/.docker/key.pem scp -i $HOME/.ssh/id_rsa ${{ env.SSH_OPTS }} azureuser@${{ env.PUBLIC_IP }}:/Users/azureuser/.docker/key.pem $HOME/.docker/key.pem
- name: Login to GitHub Container Registry - name: Login to GitHub Container Registry
uses: docker/login-action@v3 uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.actor }} username: ${{ github.actor }}
@ -161,7 +161,7 @@ jobs:
- name: Cleanup resources - name: Cleanup resources
if: always() if: always()
uses: azure/CLI@v1 uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9
with: with:
inlinescript: | inlinescript: |
az group delete -g ${{ env.AZURE_RESOURCE_GROUP }} --yes az group delete -g ${{ env.AZURE_RESOURCE_GROUP }} --yes


@ -29,9 +29,9 @@ jobs:
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: ./.github/actions/install-go - uses: ./.github/actions/install-go
- uses: golangci/golangci-lint-action@v6 - uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
with: with:
version: v1.60.1 version: v1.60.1
skip-cache: true skip-cache: true
@ -46,14 +46,14 @@ jobs:
timeout-minutes: 5 timeout-minutes: 5
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with: with:
path: src/github.com/containerd/containerd path: src/github.com/containerd/containerd
fetch-depth: 100 fetch-depth: 100
- uses: ./src/github.com/containerd/containerd/.github/actions/install-go - uses: ./src/github.com/containerd/containerd/.github/actions/install-go
- uses: containerd/project-checks@v1.1.0 - uses: containerd/project-checks@434a07157608eeaa1d5c8d4dd506154204cd9401 # v1.1.0
if: github.repository == 'containerd/containerd' if: github.repository == 'containerd/containerd'
with: with:
working-directory: src/github.com/containerd/containerd working-directory: src/github.com/containerd/containerd
@ -78,7 +78,7 @@ jobs:
working-directory: src/github.com/containerd/containerd working-directory: src/github.com/containerd/containerd
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with: with:
path: src/github.com/containerd/containerd path: src/github.com/containerd/containerd
@ -108,7 +108,7 @@ jobs:
timeout-minutes: 5 timeout-minutes: 5
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: ./.github/actions/install-go - uses: ./.github/actions/install-go
- run: go install github.com/cpuguy83/go-md2man/v2@v2.0.2 - run: go install github.com/cpuguy83/go-md2man/v2@v2.0.2
- run: make man - run: make man
@ -139,7 +139,7 @@ jobs:
goarm: "7" goarm: "7"
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: ./.github/actions/install-go - uses: ./.github/actions/install-go
- run: | - run: |
set -e -x set -e -x
@ -195,7 +195,7 @@ jobs:
exclude: exclude:
- os: ${{ github.repository != 'containerd/containerd' && 'arm64-8core-32gb' }} - os: ${{ github.repository != 'containerd/containerd' && 'arm64-8core-32gb' }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: ./.github/actions/install-go - uses: ./.github/actions/install-go
with: with:
go-version: ${{ matrix.go-version }} go-version: ${{ matrix.go-version }}
@ -227,13 +227,13 @@ jobs:
working-directory: src/github.com/containerd/containerd working-directory: src/github.com/containerd/containerd
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with: with:
path: src/github.com/containerd/containerd path: src/github.com/containerd/containerd
- uses: ./src/github.com/containerd/containerd/.github/actions/install-go - uses: ./src/github.com/containerd/containerd/.github/actions/install-go
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with: with:
repository: kubernetes-sigs/cri-tools repository: kubernetes-sigs/cri-tools
path: src/github.com/kubernetes-sigs/cri-tools path: src/github.com/kubernetes-sigs/cri-tools
@ -367,7 +367,7 @@ jobs:
} }
critest.exe --runtime-endpoint=npipe://.//pipe//containerd-containerd --test-images-file='${{env.CRI_TEST_IMAGES}}' --report-dir='${{github.workspace}}/critestreport' $skip critest.exe --runtime-endpoint=npipe://.//pipe//containerd-containerd --test-images-file='${{env.CRI_TEST_IMAGES}}' --report-dir='${{github.workspace}}/critestreport' $skip
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: always() if: always()
with: with:
name: TestResults ${{ matrix.os }} ${{ matrix.cgroup_driver }} name: TestResults ${{ matrix.os }} ${{ matrix.cgroup_driver }}
@ -396,7 +396,7 @@ jobs:
env: env:
GOTEST: gotestsum -- GOTEST: gotestsum --
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: ./.github/actions/install-go - uses: ./.github/actions/install-go
- name: Install containerd dependencies - name: Install containerd dependencies
@ -514,7 +514,7 @@ jobs:
sudo lsmod sudo lsmod
sudo dmesg -T -f kern sudo dmesg -T -f kern
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: always() if: always()
with: with:
name: TestResults ${{ matrix.runtime }} ${{matrix.runc}} ${{ matrix.os }} ${{ matrix.cgroup_driver }} name: TestResults ${{ matrix.runtime }} ${{matrix.runc}} ${{ matrix.os }} ${{ matrix.cgroup_driver }}
@ -553,8 +553,8 @@ jobs:
cat /etc/os-release cat /etc/os-release
cat /proc/cpuinfo cat /proc/cpuinfo
free -mt free -mt
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/cache@v4 - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
with: with:
path: /root/.vagrant.d path: /root/.vagrant.d
key: vagrant-${{ matrix.box }} key: vagrant-${{ matrix.box }}
@ -595,7 +595,7 @@ jobs:
cgroup_driver: [cgroupfs, systemd] cgroup_driver: [cgroupfs, systemd]
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Set up cgroup v2 delegation - name: Set up cgroup v2 delegation
run: | run: |
sudo mkdir -p /etc/systemd/system/user@.service.d sudo mkdir -p /etc/systemd/system/user@.service.d
@ -644,7 +644,7 @@ jobs:
GOTEST: gotestsum -- GOTEST: gotestsum --
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: ./.github/actions/install-go - uses: ./.github/actions/install-go
- run: script/setup/install-gotestsum - run: script/setup/install-gotestsum
- run: script/setup/install-teststat - run: script/setup/install-teststat
@ -657,7 +657,7 @@ jobs:
if: always() if: always()
- run: script/test/test2annotation.sh *-gotest.json - run: script/test/test2annotation.sh *-gotest.json
if: always() if: always()
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: always() if: always()
with: with:
name: TestResults MacOS name: TestResults MacOS


@ -30,13 +30,13 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: ./.github/actions/install-go - uses: ./.github/actions/install-go
# Initializes the CodeQL tools for scanning. # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v3 uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
# Override language selection by uncommenting this and choosing your languages # Override language selection by uncommenting this and choosing your languages
# with: # with:
# languages: go, javascript, csharp, python, cpp, java # languages: go, javascript, csharp, python, cpp, java
@ -46,4 +46,4 @@ jobs:
make make
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3 uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13


@ -14,19 +14,19 @@ jobs:
steps: steps:
- name: Build Fuzzers - name: Build Fuzzers
id: build id: build
uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@abe2c06d0e162320403dd10e8268adbb0b8923f8 # master
with: with:
oss-fuzz-project-name: 'containerd' oss-fuzz-project-name: 'containerd'
language: go language: go
- name: Run Fuzzers - name: Run Fuzzers
uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@abe2c06d0e162320403dd10e8268adbb0b8923f8 # master
with: with:
oss-fuzz-project-name: 'containerd' oss-fuzz-project-name: 'containerd'
fuzz-seconds: 300 fuzz-seconds: 300
language: go language: go
continue-on-error: true continue-on-error: true
- name: Upload Crash - name: Upload Crash
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: failure() && steps.build.outcome == 'success' if: failure() && steps.build.outcome == 'success'
with: with:
name: artifacts name: artifacts
@ -40,6 +40,6 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 30 timeout-minutes: 30
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: ./.github/actions/install-go - uses: ./.github/actions/install-go
- run: script/go-test-fuzz.sh - run: script/go-test-fuzz.sh
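Review bot: The two pins in the Build Fuzzers and Run Fuzzers steps point at an `oss-fuzz` commit on a branch rather than a release, and the trailing `# master` comment tells a later reader nothing about which snapshot was chosen or why; an updater that moves pins between release tags has no tag to move to here, so these two are the pins most likely to rot. Consider recording the snapshot in the comment, e.g. `# master as of 2024-10-16`, or stating that the pin is expected to be bumped by hand. If CIFuzz is meant to track oss-fuzz's current infrastructure, a stale pin could also make the build_fuzzers step diverge from what OSS-Fuzz itself runs; worth confirming before relying on the pinned snapshot long-term.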


@ -26,7 +26,7 @@ jobs:
working-directory: src/github.com/containerd/containerd working-directory: src/github.com/containerd/containerd
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with: with:
path: src/github.com/containerd/containerd path: src/github.com/containerd/containerd


@ -18,9 +18,9 @@ jobs:
name: lychee name: lychee
timeout-minutes: 15 timeout-minutes: 15
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: lycheeverse/lychee-action@v1.10.0 - uses: lycheeverse/lychee-action@2b973e86fc7b1f6b36a93795fe2c9c6ae1118621 # v1.10.0
with: with:
# Fail action on broken links # Fail action on broken links
fail: true fail: true


@ -20,7 +20,7 @@ jobs:
working-directory: src/github.com/containerd/containerd working-directory: src/github.com/containerd/containerd
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with: with:
path: src/github.com/containerd/containerd path: src/github.com/containerd/containerd
@ -99,31 +99,31 @@ jobs:
# #
- name: Upload artifacts (linux_amd64) - name: Upload artifacts (linux_amd64)
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: linux_amd64 name: linux_amd64
path: src/github.com/containerd/containerd/bin_amd64 path: src/github.com/containerd/containerd/bin_amd64
- name: Upload artifacts (linux_arm64) - name: Upload artifacts (linux_arm64)
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: linux_arm64 name: linux_arm64
path: src/github.com/containerd/containerd/bin_arm64 path: src/github.com/containerd/containerd/bin_arm64
- name: Upload artifacts (linux_s390x) - name: Upload artifacts (linux_s390x)
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: linux_s390x name: linux_s390x
path: src/github.com/containerd/containerd/bin_s390x path: src/github.com/containerd/containerd/bin_s390x
- name: Upload artifacts (linux_ppc64le) - name: Upload artifacts (linux_ppc64le)
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: linux_ppc64le name: linux_ppc64le
path: src/github.com/containerd/containerd/bin_ppc64le path: src/github.com/containerd/containerd/bin_ppc64le
- name: Upload artifacts (linux_riscv64) - name: Upload artifacts (linux_riscv64)
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: linux_riscv64 name: linux_riscv64
path: src/github.com/containerd/containerd/bin_riscv64 path: src/github.com/containerd/containerd/bin_riscv64
@ -138,7 +138,7 @@ jobs:
working-directory: src/github.com/containerd/containerd working-directory: src/github.com/containerd/containerd
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with: with:
path: src/github.com/containerd/containerd path: src/github.com/containerd/containerd
@ -158,7 +158,7 @@ jobs:
make binaries make binaries
- name: Upload artifacts (windows_amd64) - name: Upload artifacts (windows_amd64)
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: windows_amd64 name: windows_amd64
path: src/github.com/containerd/containerd/bin/ path: src/github.com/containerd/containerd/bin/


@ -29,7 +29,7 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with: with:
ref: ${{ github.ref }} ref: ${{ github.ref }}
path: src/github.com/containerd/containerd path: src/github.com/containerd/containerd
@ -57,7 +57,7 @@ jobs:
working-directory: src/github.com/containerd/containerd working-directory: src/github.com/containerd/containerd
- name: Save release notes - name: Save release notes
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: containerd-release-notes name: containerd-release-notes
path: src/github.com/containerd/containerd/release-notes.md path: src/github.com/containerd/containerd/release-notes.md
@ -93,7 +93,7 @@ jobs:
releasever="${releasever#refs/tags/}" releasever="${releasever#refs/tags/}"
echo "RELEASE_VER=${releasever}" >> $GITHUB_ENV echo "RELEASE_VER=${releasever}" >> $GITHUB_ENV
- name: Checkout containerd - name: Checkout containerd
uses: actions/checkout@v4 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with: with:
# Intentionally use github.repository instead of containerd/containerd to # Intentionally use github.repository instead of containerd/containerd to
# make this action runnable on forks. # make this action runnable on forks.
@ -103,10 +103,10 @@ jobs:
path: src/github.com/containerd/containerd path: src/github.com/containerd/containerd
- name: Setup buildx instance - name: Setup buildx instance
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
with: with:
use: true use: true
- uses: crazy-max/ghaction-github-runtime@v3 # sets up needed vars for caching to github - uses: crazy-max/ghaction-github-runtime@b3a9207c0e1ef41f4cf215303c976869d0c2c1c4 # v3.0.0
- name: Make - name: Make
shell: bash shell: bash
run: | run: |
@ -127,7 +127,7 @@ jobs:
env: env:
PLATFORM: ${{ matrix.dockerfile-platform }} PLATFORM: ${{ matrix.dockerfile-platform }}
- name: Save Artifacts - name: Save Artifacts
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: release-tars-${{env.PLATFORM_CLEAN}} name: release-tars-${{env.PLATFORM_CLEAN}}
path: src/github.com/containerd/containerd/releases/*.tar.gz* path: src/github.com/containerd/containerd/releases/*.tar.gz*
@ -144,11 +144,11 @@ jobs:
needs: [build, check] needs: [build, check]
steps: steps:
- name: Download builds and release notes - name: Download builds and release notes
uses: actions/download-artifact@v4 uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with: with:
path: builds path: builds
- name: Create Release - name: Create Release
uses: softprops/action-gh-release@v2 uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
fail_on_unmatched_files: true fail_on_unmatched_files: true
@ -160,6 +160,6 @@ jobs:
builds/release-tars-**/* builds/release-tars-**/*
make_latest: false make_latest: false
- name: Attest Artifacts - name: Attest Artifacts
uses: actions/attest-build-provenance@v1 uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
with: with:
subject-path: ./builds/release-tars-**/*.tar.gz subject-path: ./builds/release-tars-**/*.tar.gz


@ -17,7 +17,7 @@ jobs:
pull-requests: write pull-requests: write
steps: steps:
- uses: actions/stale@v9 - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
# All stale bot options: https://github.com/actions/stale#all-options # All stale bot options: https://github.com/actions/stale#all-options
with: with:
# Idle number of days before marking issues/PRs stale # Idle number of days before marking issues/PRs stale


@ -55,7 +55,7 @@ jobs:
GOOGLE_BUCKET: "containerd-integration/logs/windows-ltsc2022-hyperv/" GOOGLE_BUCKET: "containerd-integration/logs/windows-ltsc2022-hyperv/"
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Install required packages - name: Install required packages
run: | run: |
@ -81,18 +81,18 @@ jobs:
echo "SSH_PUB_KEY=$(cat ~/.ssh/id_rsa.pub)" >> $GITHUB_ENV echo "SSH_PUB_KEY=$(cat ~/.ssh/id_rsa.pub)" >> $GITHUB_ENV
- name: AZLogin - name: AZLogin
uses: azure/login@v2 uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
with: with:
creds: ${{ secrets.AZURE_CREDS }} creds: ${{ secrets.AZURE_CREDS }}
- name: AZResourceGroupCreate - name: AZResourceGroupCreate
uses: azure/CLI@v1 uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9
with: with:
inlinescript: | inlinescript: |
az group create -n ${{ matrix.AZURE_RESOURCE_GROUP }} -l ${{ env.AZURE_DEFAULT_LOCATION }} --tags creationTimestamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ') az group create -n ${{ matrix.AZURE_RESOURCE_GROUP }} -l ${{ env.AZURE_DEFAULT_LOCATION }} --tags creationTimestamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
- name: AZTestVMCreate - name: AZTestVMCreate
uses: azure/CLI@v1 uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9
with: with:
inlinescript: | inlinescript: |
DETAILS=$(az vm create -n winTestVM --admin-username ${{ env.DEFAULT_ADMIN_USERNAME }} --admin-password ${{ env.PASSWORD }} --image ${{ matrix.AZURE_IMG }} -g ${{ matrix.AZURE_RESOURCE_GROUP }} --nsg-rule SSH --size ${{ env.AZURE_DEFAULT_VM_SIZE }} --public-ip-sku Standard -o json) DETAILS=$(az vm create -n winTestVM --admin-username ${{ env.DEFAULT_ADMIN_USERNAME }} --admin-password ${{ env.PASSWORD }} --image ${{ matrix.AZURE_IMG }} -g ${{ matrix.AZURE_RESOURCE_GROUP }} --nsg-rule SSH --size ${{ env.AZURE_DEFAULT_VM_SIZE }} --public-ip-sku Standard -o json)
@ -116,7 +116,7 @@ jobs:
echo "VM_PUB_IP=$PUB_IP" >> $GITHUB_ENV echo "VM_PUB_IP=$PUB_IP" >> $GITHUB_ENV
- name: EnableAZVMSSH - name: EnableAZVMSSH
uses: azure/CLI@v1 uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9
with: with:
inlinescript: | inlinescript: |
az vm run-command invoke --command-id RunPowerShellScript -n winTestVM -g ${{ matrix.AZURE_RESOURCE_GROUP }} --scripts @$GITHUB_WORKSPACE/script/setup/enable_ssh_windows.ps1 --parameters 'SSHPublicKey=${{ env.SSH_PUB_KEY }}' az vm run-command invoke --command-id RunPowerShellScript -n winTestVM -g ${{ matrix.AZURE_RESOURCE_GROUP }} --scripts @$GITHUB_WORKSPACE/script/setup/enable_ssh_windows.ps1 --parameters 'SSHPublicKey=${{ env.SSH_PUB_KEY }}'
@ -306,14 +306,14 @@ jobs:
echo 'GCP_WORKLOAD_IDENTITY_PROVIDER=${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}' >> $GITHUB_OUTPUT echo 'GCP_WORKLOAD_IDENTITY_PROVIDER=${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}' >> $GITHUB_OUTPUT
- name: AuthGcp - name: AuthGcp
uses: google-github-actions/auth@v2 uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
if: steps.AssignGcpCreds.outputs.GCP_SERVICE_ACCOUNT && steps.AssignGcpCreds.outputs.GCP_WORKLOAD_IDENTITY_PROVIDER if: steps.AssignGcpCreds.outputs.GCP_SERVICE_ACCOUNT && steps.AssignGcpCreds.outputs.GCP_WORKLOAD_IDENTITY_PROVIDER
with: with:
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }} service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }} workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
- name: UploadJobReport - name: UploadJobReport
uses: google-github-actions/upload-cloud-storage@v2.2.0 uses: google-github-actions/upload-cloud-storage@e485962f2bef914ac9c3bdd571f821f0ba7946c4 # v2.2.0
if: steps.AssignGcpCreds.outputs.GCP_SERVICE_ACCOUNT && steps.AssignGcpCreds.outputs.GCP_WORKLOAD_IDENTITY_PROVIDER if: steps.AssignGcpCreds.outputs.GCP_SERVICE_ACCOUNT && steps.AssignGcpCreds.outputs.GCP_WORKLOAD_IDENTITY_PROVIDER
with: with:
path: ${{ github.workspace }}/latest-build.txt path: ${{ github.workspace }}/latest-build.txt
@ -321,7 +321,7 @@ jobs:
parent: false parent: false
- name: UploadLogsDir - name: UploadLogsDir
uses: google-github-actions/upload-cloud-storage@v2.2.0 uses: google-github-actions/upload-cloud-storage@e485962f2bef914ac9c3bdd571f821f0ba7946c4 # v2.2.0
if: steps.AssignGcpCreds.outputs.GCP_SERVICE_ACCOUNT && steps.AssignGcpCreds.outputs.GCP_WORKLOAD_IDENTITY_PROVIDER if: steps.AssignGcpCreds.outputs.GCP_SERVICE_ACCOUNT && steps.AssignGcpCreds.outputs.GCP_WORKLOAD_IDENTITY_PROVIDER
with: with:
path: ${{ env.LOGS_DIR }} path: ${{ env.LOGS_DIR }}
@ -329,7 +329,7 @@ jobs:
parent: false parent: false
- name: Check all CI stages succeeded - name: Check all CI stages succeeded
uses: actions/github-script@v7 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with: with:
script: | script: |
const stepResults = { const stepResults = {
@ -349,7 +349,7 @@ jobs:
- name: ResourceCleanup - name: ResourceCleanup
if: always() if: always()
uses: azure/CLI@v1 uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9
with: with:
inlinescript: | inlinescript: |
az group delete -g ${{ matrix.AZURE_RESOURCE_GROUP }} --yes az group delete -g ${{ matrix.AZURE_RESOURCE_GROUP }} --yes


@ -55,7 +55,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 90 timeout-minutes: 90
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Install required packages - name: Install required packages
run: | run: |
@ -81,18 +81,18 @@ jobs:
echo "SSH_PUB_KEY=$(cat ~/.ssh/id_rsa.pub)" >> $GITHUB_ENV echo "SSH_PUB_KEY=$(cat ~/.ssh/id_rsa.pub)" >> $GITHUB_ENV
- name: AZLogin - name: AZLogin
uses: azure/login@v2 uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
with: with:
creds: ${{ secrets.AZURE_CREDS }} creds: ${{ secrets.AZURE_CREDS }}
- name: AZResourceGroupCreate - name: AZResourceGroupCreate
uses: azure/CLI@v1 uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9
with: with:
inlinescript: | inlinescript: |
az group create -n ${{ matrix.AZURE_RESOURCE_GROUP }} -l ${{ env.AZURE_DEFAULT_LOCATION }} --tags creationTimestamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ') az group create -n ${{ matrix.AZURE_RESOURCE_GROUP }} -l ${{ env.AZURE_DEFAULT_LOCATION }} --tags creationTimestamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
- name: AZTestVMCreate - name: AZTestVMCreate
uses: azure/CLI@v1 uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9
with: with:
inlinescript: | inlinescript: |
DETAILS=$(az vm create -n winTestVM --admin-username ${{ env.DEFAULT_ADMIN_USERNAME }} --admin-password ${{ env.PASSWORD }} --image ${{ matrix.AZURE_IMG }} -g ${{ matrix.AZURE_RESOURCE_GROUP }} --nsg-rule SSH --size ${{ env.AZURE_DEFAULT_VM_SIZE }} --public-ip-sku Standard -o json) DETAILS=$(az vm create -n winTestVM --admin-username ${{ env.DEFAULT_ADMIN_USERNAME }} --admin-password ${{ env.PASSWORD }} --image ${{ matrix.AZURE_IMG }} -g ${{ matrix.AZURE_RESOURCE_GROUP }} --nsg-rule SSH --size ${{ env.AZURE_DEFAULT_VM_SIZE }} --public-ip-sku Standard -o json)
@ -116,7 +116,7 @@ jobs:
echo "VM_PUB_IP=$PUB_IP" >> $GITHUB_ENV echo "VM_PUB_IP=$PUB_IP" >> $GITHUB_ENV
- name: EnableAZVMSSH - name: EnableAZVMSSH
uses: azure/CLI@v1 uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9
with: with:
inlinescript: | inlinescript: |
az vm run-command invoke --command-id RunPowerShellScript -n winTestVM -g ${{ matrix.AZURE_RESOURCE_GROUP }} --scripts @$GITHUB_WORKSPACE/script/setup/enable_ssh_windows.ps1 --parameters 'SSHPublicKey=${{ env.SSH_PUB_KEY }}' az vm run-command invoke --command-id RunPowerShellScript -n winTestVM -g ${{ matrix.AZURE_RESOURCE_GROUP }} --scripts @$GITHUB_WORKSPACE/script/setup/enable_ssh_windows.ps1 --parameters 'SSHPublicKey=${{ env.SSH_PUB_KEY }}'
@ -256,14 +256,14 @@ jobs:
echo 'GCP_WORKLOAD_IDENTITY_PROVIDER=${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}' >> $GITHUB_OUTPUT echo 'GCP_WORKLOAD_IDENTITY_PROVIDER=${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}' >> $GITHUB_OUTPUT
- name: AuthGcp - name: AuthGcp
uses: google-github-actions/auth@v2 uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
if: steps.AssignGcpCreds.outputs.GCP_SERVICE_ACCOUNT && steps.AssignGcpCreds.outputs.GCP_WORKLOAD_IDENTITY_PROVIDER if: steps.AssignGcpCreds.outputs.GCP_SERVICE_ACCOUNT && steps.AssignGcpCreds.outputs.GCP_WORKLOAD_IDENTITY_PROVIDER
with: with:
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }} service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }} workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
- name: UploadJobReport - name: UploadJobReport
uses: google-github-actions/upload-cloud-storage@v2.2.0 uses: google-github-actions/upload-cloud-storage@e485962f2bef914ac9c3bdd571f821f0ba7946c4 # v2.2.0
if: steps.AssignGcpCreds.outputs.GCP_SERVICE_ACCOUNT && steps.AssignGcpCreds.outputs.GCP_WORKLOAD_IDENTITY_PROVIDER if: steps.AssignGcpCreds.outputs.GCP_SERVICE_ACCOUNT && steps.AssignGcpCreds.outputs.GCP_WORKLOAD_IDENTITY_PROVIDER
with: with:
path: ${{ github.workspace }}/latest-build.txt path: ${{ github.workspace }}/latest-build.txt
@ -271,7 +271,7 @@ jobs:
parent: false parent: false
- name: UploadLogsDir - name: UploadLogsDir
uses: google-github-actions/upload-cloud-storage@v2.2.0 uses: google-github-actions/upload-cloud-storage@e485962f2bef914ac9c3bdd571f821f0ba7946c4 # v2.2.0
if: steps.AssignGcpCreds.outputs.GCP_SERVICE_ACCOUNT && steps.AssignGcpCreds.outputs.GCP_WORKLOAD_IDENTITY_PROVIDER if: steps.AssignGcpCreds.outputs.GCP_SERVICE_ACCOUNT && steps.AssignGcpCreds.outputs.GCP_WORKLOAD_IDENTITY_PROVIDER
with: with:
path: ${{ env.LOGS_DIR }} path: ${{ env.LOGS_DIR }}
@ -279,7 +279,7 @@ jobs:
parent: false parent: false
- name: Check all CI stages succeeded - name: Check all CI stages succeeded
uses: actions/github-script@v7 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with: with:
script: | script: |
const stepResults = { const stepResults = {
@ -301,7 +301,7 @@ jobs:
- name: ResourceCleanup - name: ResourceCleanup
if: always() if: always()
uses: azure/CLI@v1 uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9
with: with:
inlinescript: | inlinescript: |
az group delete -g ${{ matrix.AZURE_RESOURCE_GROUP }} --yes az group delete -g ${{ matrix.AZURE_RESOURCE_GROUP }} --yes