From b6de58efd0b02495a223dfe047220f1252d72210 Mon Sep 17 00:00:00 2001
From: Alain Kaeslin
Date: Thu, 8 Jan 2026 15:49:39 +0100
Subject: [PATCH 1/4] Pin action versions.
---
.github/workflows/ccm-integration-tests.yml | 28 ++++++++++-----------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/ccm-integration-tests.yml b/.github/workflows/ccm-integration-tests.yml
index 95840e6..1527441 100644
--- a/.github/workflows/ccm-integration-tests.yml
+++ b/.github/workflows/ccm-integration-tests.yml
@@ -27,16 +27,16 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- - uses: actions/setup-go@v6
+ - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
go-version: '${{ env.GO_VERSION }}'
- name: Restore cache
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: |
~/.cache/golangci-lint
@@ -50,7 +50,7 @@ jobs:
run: make lint
- name: Save cache
- uses: actions/cache/save@v4
+ uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: |
~/.cache/golangci-lint
@@ -62,11 +62,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
with:
go-version: '${{ env.GO_VERSION }}'
@@ -78,7 +78,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
@@ -94,7 +94,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
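Review bot: The `@@ -62,11` hunk pins `actions/setup-go` at `40f1582b…` (v5.6.0) while the lint job in the `@@ -27,16` hunk pins the same action at `4dc6199c…` (v6.1.0), so the workflow now carries two majors of one action; the split predates this commit, but the SHA pins make it permanent until someone notices. Unless the jobs genuinely need different majors, align them on one SHA so there is a single line to audit and a single pin for tooling to move, e.g. `- uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0`. Whichever is kept, the trailing `# vX.Y.Z` comment is what later reviewers and update bots read as the tag, so each one should be checked against the tag the SHA actually resolves to before merge.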
@@ -111,7 +111,7 @@ jobs:
run: 'shasum -a 256 image.tar | tee image.tar.sha256'
- name: Store image
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: tested-image
path: |
@@ -154,19 +154,19 @@ jobs:
group: integration-${{ matrix.kubernetes }}
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- name: Load image
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: tested-image
- name: Validate hash
run: 'shasum --check image.tar.sha256'
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
with:
go-version: '${{ env.GO_VERSION }}'
@@ -202,13 +202,13 @@ jobs:
contents: read
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
persist-credentials: false
- name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: '3.13'
From c84d605f5f134a01233700c414d2074e162b204e Mon Sep 17 00:00:00 2001
From: Alain Kaeslin
Date: Thu, 8 Jan 2026 16:03:17 +0100
Subject: [PATCH 2/4] ci: use official zizmor-action for workflow validation
---
.github/workflows/ccm-integration-tests.yml | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/ccm-integration-tests.yml b/.github/workflows/ccm-integration-tests.yml
index 1527441..f5acd7c 100644
--- a/.github/workflows/ccm-integration-tests.yml
+++ b/.github/workflows/ccm-integration-tests.yml
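Review bot: In the `@@ -154,19` hunk the `Validate hash` step runs `shasum --check image.tar.sha256` against a digest file that, as far as the hunk shows, arrives in the same `tested-image` artifact the `Load image` step downloads just above it, so the check can only catch transfer corruption, not a substituted artifact: whoever can rewrite `image.tar` in the artifact can rewrite the `.sha256` beside it. If the intent is an integrity boundary between the build job and this integration job, have the build job publish the digest as a job `outputs` value and compare `needs.<build-job>.outputs.<digest>` here instead of trusting a file from the artifact. This predates the pin change and the build job that computes the digest is outside this hunk, so it is a follow-up rather than a blocker for this commit.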
@@ -198,23 +198,19 @@ jobs:
name: Validate GitHub Workflows
runs-on: ubuntu-latest
+ # More Information:
+ # https://github.com/zizmorcore/zizmor-action?tab=readme-ov-file#usage-with-github-advanced-security-recommended
+ #
+ # Use `uvx zizmor .github/` for a local preview using the latest zizmor version.
+
permissions:
contents: read
+ security-events: write
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
- fetch-depth: 0
persist-credentials: false
- - name: Set up Python
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
- with:
- python-version: '3.13'
-
- - name: Check Workflows
- run: |
- python -m pip install zizmor --root-user-action=ignore
- zizmor .github/workflows/*
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
From 4389358f6fe0871305e54e6b481d5e4aac04613d Mon Sep 17 00:00:00 2001
From: Alain Kaeslin
Date: Thu, 8 Jan 2026 16:10:00 +0100
Subject: [PATCH 3/4] Configure dependabot for github-actions ecosystem.
---
.github/dependabot.yaml | 9 +++++++++
1 file changed, 9 insertions(+)
create mode 100644 .github/dependabot.yaml
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 0000000..b724d45
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,9 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-minor", "version-update:semver-patch"]
From 59f07af6c58cc5fffd13d74d7091d8c8a8610551 Mon Sep 17 00:00:00 2001
From: Alain Kaeslin
Date: Thu, 8 Jan 2026 18:01:38 +0100
Subject: [PATCH 4/4] Configure dependabot cooldown period to 7 days.
---
.github/dependabot.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
index b724d45..48ac80f 100644
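Review bot: In the `@@ -198,23` hunk the SHA pin on `zizmorcore/zizmor-action` fixes the wrapper, not the zizmor release it installs: the new step passes no inputs, and the hunk's own comment says the local preview runs "the latest zizmor version", which suggests the CI audit floats to whatever zizmor is current on the day the job runs — the same class of drift the previous commit was removing. If v0.3.0 of the action exposes a version input (it does in the releases I am aware of — verify), pin it alongside the SHA, e.g. `with:` / `version: "<release>"`, and move it deliberately. Separately, the removed `run:` step failed the job because `zizmor` exits non-zero on findings; with `security-events: write` added the action is evidently expected to upload SARIF to code scanning, so confirm it still fails the run on findings rather than only filing them in the Security tab, otherwise a PR can merge with a fresh finding. The comment block above `permissions:` says where to read more but not why the elevated permission exists; one line such as `# security-events: write lets the action upload zizmor's SARIF to code scanning` keeps the grant self-explaining.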
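Review bot: In the new `dependabot.yaml` the `ignore` rule with `dependency-name: "*"` limits version-update PRs to major bumps for every action, so a minor or patch release that fixes a bug without an advisory stays unpinned indefinitely; as far as I know `update-types` ignores do not suppress Dependabot security updates, but that only helps when an advisory exists for the action and security updates are enabled for the repository, so both should be confirmed. For SHA-pinned `uses:` lines Dependabot appears to derive the semver level from the `# vX.Y.Z` comment beside the SHA, which makes this rule silently dependent on every pin carrying an accurate comment. Record the intent in the file so the next maintainer does not read it as "never update", e.g. above `ignore:`: `# Only propose major bumps for actions; security updates are not affected by this ignore rule (confirm they are enabled in repo settings)`.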
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -7,3 +7,5 @@ updates:
ignore:
- dependency-name: "*"
update-types: ["version-update:semver-minor", "version-update:semver-patch"]
+ cooldown:
+ default-days: 7
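Review bot: The new `cooldown.default-days: 7` in the `@@ -7,3` hunk is the right supply-chain reflex — the days right after a tag is cut are when a compromised release (the tj-actions/changed-files incident is the usual example) is most likely to be noticed and reverted — but nothing in the file says so, and a bare number invites someone to lower it. Add a why-comment above `cooldown:`, e.g. `# Wait 7 days after a release before proposing it, so a compromised or yanked tag is likely to be caught first`. Also confirm against the Dependabot docs whether the cooldown applies to security updates; if it does, the same 7 days delays pinning the fix for an advisory and a shorter window may be preferable.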