diff --git a/.github/actions/aws-nightly-creds/action.yaml b/.github/actions/aws-nightly-creds/action.yaml
new file mode 100644
index 0000000000..edd72b5fd1
--- /dev/null
+++ b/.github/actions/aws-nightly-creds/action.yaml
@@ -0,0 +1,11 @@ +name: aws-nightly-creds +description: "Login to AWS for the nightly jobs" + +runs: + using: composite + steps: + - uses: aws-actions/configure-aws-credentials@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + with: + role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }} + aws-region: us-east-1 + role-duration-seconds: 14400
diff --git a/.github/actions/golang/action.yaml b/.github/actions/golang/action.yaml
index 51bc2d9182..502c1d94bc 100644
--- a/.github/actions/golang/action.yaml
+++ b/.github/actions/golang/action.yaml
@@ -4,7 +4,7 @@ description: "Setup Go binary and caching" runs: using: composite steps: - - uses: actions/setup-go@v4 + - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: 1.19.x cache: true
diff --git a/.github/actions/install-tools/action.yaml b/.github/actions/install-tools/action.yaml
index a15caae91a..b360fff027 100644
--- a/.github/actions/install-tools/action.yaml
+++ b/.github/actions/install-tools/action.yaml
@@ -4,11 +4,11 @@ description: "Install pipeline tools" runs: using: composite steps: - - uses: sigstore/cosign-installer@v2.8.1 + - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1 - - uses: anchore/sbom-action/download-syft@v0.14.1 + - uses: anchore/sbom-action/download-syft@422cb34a0f8b599678c41b21163ea6088edb2624 # v0.14.1 - run: "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin" shell: bash - - uses: docker/setup-buildx-action@v2 + - uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0
diff --git a/.github/actions/node/action.yaml b/.github/actions/node/action.yaml
index 6e063fa384..897e32de74 100644
--- a/.github/actions/node/action.yaml
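Review bot: The pinned commit `8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2` on the new `uses: aws-actions/configure-aws-credentials@…` line is the same SHA this diff assigns to `actions/checkout` v3.5.2 in every workflow it touches, and two unrelated repositories do not share commits, so this reference will not resolve and both jobs that now call `./.github/actions/aws-nightly-creds` (nightly-ecr.yml and nightly-eks.yml in this diff) will fail at that step; the `v3.5.2` label is actions/checkout's version, not this action's. A second problem is `role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }}`: as far as I know the `secrets` context is not available inside composite action metadata, so the role ARN has to be declared under `inputs:` and the two callers pass it with `with: role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }}`. Note also that nightly-ecr.yml previously had no `role-duration-seconds`, so moving the value into the shared action silently gives that job a 4-hour session as well; if that is intended, a comment on the line saying so would help the next reader.
```yaml
# … unchanged: name / description …

inputs:
  role-to-assume:
    description: "ARN of the IAM role the nightly jobs assume; callers pass it from a secret"
    required: true

runs:
  using: composite
  steps:
    - uses: aws-actions/configure-aws-credentials@<commit-sha-of-a-tagged-configure-aws-credentials-release> # <matching-release-tag>
      with:
        role-to-assume: ${{ inputs.role-to-assume }}
        # … unchanged: aws-region, role-duration-seconds …
```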
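Review bot: The `run: "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin"` step in the middle of this hunk is left as-is while the three actions around it are pinned to commits, so the pipeline still executes an unpinned script fetched from the `main` branch and installs whichever grype release that script resolves to at run time. The install script accepts a release tag as its final argument, so the minimum fix is to fetch the script from a tagged ref and pass the version, `https://raw.githubusercontent.com/anchore/grype/<release-tag>/install.sh | sh -s -- -b /usr/local/bin <release-tag>`; downloading the release archive and verifying its published checksum would bring this step to the same level as the SHA pins. The trailing `# vX.Y.Z` comments are the only human-readable handle on the pins, so a Dependabot `github-actions` entry (which updates the SHA and the comment together) is worth adding alongside this change.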
+++ b/.github/actions/node/action.yaml
@@ -4,7 +4,7 @@ description: "Node cache" runs: using: composite steps: - - uses: actions/setup-node@v3 + - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 with: node-version: 18 cache: "npm"
diff --git a/.github/actions/save-logs/action.yaml b/.github/actions/save-logs/action.yaml
index 024605928b..117cd06fb7 100644
--- a/.github/actions/save-logs/action.yaml
+++ b/.github/actions/save-logs/action.yaml
@@ -9,7 +9,7 @@ runs: sudo chown $USER /tmp/zarf-*.log shell: bash - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: debug-log path: /tmp/zarf-*.log
diff --git a/.github/workflows/auto-assign-to-project.yml b/.github/workflows/auto-assign-to-project.yml
index 9a1dd2d544..188c6b4533 100644
--- a/.github/workflows/auto-assign-to-project.yml
+++ b/.github/workflows/auto-assign-to-project.yml
@@ -14,7 +14,7 @@ jobs: if: github.event_name == 'issues' && github.event.action == 'opened' steps: - name: Move issue to Zarf Project - uses: actions/add-to-project@v0.5.0 + uses: actions/add-to-project@31b3f3ccdc584546fc445612dec3f38ff5edb41c # v0.5.0 with: project-url: https://github.com/orgs/defenseunicorns/projects/1 github-token: ${{ secrets. ZARF_ORG_PROJECT_TOKEN }}
diff --git a/.github/workflows/build-rust-injector.yml b/.github/workflows/build-rust-injector.yml
index c3616b1da1..914a9685be 100644
--- a/.github/workflows/build-rust-injector.yml
+++ b/.github/workflows/build-rust-injector.yml
@@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Checkout Repo" - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: ref: ${{ github.event.inputs.branchName }}
@@ -48,7 +48,7 @@ jobs: aarch64-linux-musl-strip target/aarch64-unknown-linux-musl/release/zarf-injector - name: Login to Docker Hub - uses: docker/login-action@v2 + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }}
diff --git a/.github/workflows/nightly-ecr.yml b/.github/workflows/nightly-ecr.yml
index 5610516cb9..7a27855d2a 100644
--- a/.github/workflows/nightly-ecr.yml
+++ b/.github/workflows/nightly-ecr.yml
@@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup golang uses: ./.github/actions/golang
@@ -32,10 +32,7 @@ jobs: run: make build-cli-linux-amd - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 - with: - role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }} - aws-region: us-east-1 + uses: ./.github/actions/aws-nightly-creds # NOTE: The aws cli will need to be explicitly installed on self-hosted runners - name: Login to the ECR Registry
diff --git a/.github/workflows/nightly-eks.yml b/.github/workflows/nightly-eks.yml
index 0efe2c38ca..85e0f014c2 100644
--- a/.github/workflows/nightly-eks.yml
+++ b/.github/workflows/nightly-eks.yml
@@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup golang uses: ./.github/actions/golang
@@ -40,12 +40,7 @@ jobs: uses: ./.github/actions/packages - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 - with: - role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }} - aws-region: us-east-1 - role-duration-seconds: 14400 - + uses: ./.github/actions/aws-nightly-creds - name: Build the eks package run: ./build/zarf package create packages/distros/eks -o build --confirm
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index eb56a467c0..d8740fe2c0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,7 +16,7 @@ jobs: packages: write steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: fetch-depth: 0
@@ -35,7 +35,7 @@ jobs: make build-cli-linux-arm - name: "Zarf Agent: Login to GHCR" - uses: docker/login-action@v2 + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 with: registry: ghcr.io username: dummy
@@ -78,7 +78,7 @@ jobs: # Set up AWS credentials for GoReleaser to upload backups of artifacts to S3 - name: Set AWS Credentials - uses: aws-actions/configure-aws-credentials@v1-node16 + uses: aws-actions/configure-aws-credentials@023daa7fe5f7f817faa31fc0fc4a8d0fb6224ed0 # v1-node16 with: aws-access-key-id: ${{ secrets.AWS_GOV_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_GOV_SECRET_ACCESS_KEY }}
@@ -94,7 +94,7 @@ jobs: # Create the GitHub release notes, upload artifact backups to S3, publish homebrew recipe - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v4 + uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0 with: distribution: goreleaser version: latest
@@ -104,7 +104,7 @@ jobs: HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.ZARF_ORG_PROJECT_TOKEN }} - name: Save CVE report - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: cve-report path: build/zarf-known-cves.csv
diff --git a/.github/workflows/scan-codeql.yml b/.github/workflows/scan-codeql.yml
index 180e735d2d..6953ca6e77 100644
--- a/.github/workflows/scan-codeql.yml
+++ b/.github/workflows/scan-codeql.yml
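Review bot: The new pin `aws-actions/configure-aws-credentials@023daa7fe5f7f817faa31fc0fc4a8d0fb6224ed0 # v1-node16` in the `Set AWS Credentials` hunk freezes the release job on the action's v1 line while the same diff moves the nightly jobs onto a shared role-assumption action, and the step still authenticates with long-lived static keys (`aws-access-key-id: ${{ secrets.AWS_GOV_ACCESS_KEY_ID }}` / `aws-secret-access-key`). Pinning to a commit is the right move, but the pin should target a current v2 release tag, and the standing keys would be better replaced by an `id-token: write` permission plus `role-to-assume`, as the nightly jobs now do; if the target account cannot offer an OIDC provider yet, a comment on the step saying so would save the next reader the question. The job's `permissions:` block starts above this hunk, so whether `id-token: write` is already granted cannot be seen here.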
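Review bot: Pinning `goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0` gains little while the context line just below it keeps `version: latest`, because the action then downloads whichever GoReleaser release is current at run time, so the tool that builds and publishes the release artifacts remains an unpinned dependency. Replace it with an explicit release, `version: "<goreleaser-release-tag>"` (the action also accepts a semver constraint), so a GoReleaser upgrade shows up as a reviewable diff rather than a silent change in the release pipeline. The step's remaining `with:` and `env:` entries are outside the hunk.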
@@ -38,7 +38,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup golang uses: ./.github/actions/golang
@@ -48,7 +48,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2 env: CODEQL_EXTRACTOR_GO_BUILD_TRACING: on with:
@@ -59,6 +59,6 @@ jobs: run: make build-cli-linux-amd - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2 with: category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/scan-cves.yml b/.github/workflows/scan-cves.yml
index 498ca892b8..4b25621919 100644
--- a/.github/workflows/scan-cves.yml
+++ b/.github/workflows/scan-cves.yml
@@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup golang uses: ./.github/actions/golang
diff --git a/.github/workflows/scan-docs-and-schema.yml b/.github/workflows/scan-docs-and-schema.yml
index 75c9d1a15f..2dd996b41a 100644
--- a/.github/workflows/scan-docs-and-schema.yml
+++ b/.github/workflows/scan-docs-and-schema.yml
@@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup golang uses: ./.github/actions/golang
diff --git a/.github/workflows/scan-labels.yml b/.github/workflows/scan-labels.yml
index db246cf48c..b2ada16cda 100644
--- a/.github/workflows/scan-labels.yml
+++ b/.github/workflows/scan-labels.yml
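Review bot: `CODEQL_EXTRACTOR_GO_BUILD_TRACING: on`, the context line directly under the newly pinned `github/codeql-action/init@…`, is an unquoted `on`, which the workflow YAML parser reads as the boolean `true` before it is stringified into the environment, so the extractor receives `true` rather than the literal `on`; whether it honours both spellings is not visible here, and if it does not, build tracing has been silently off. Quoting it, `CODEQL_EXTRACTOR_GO_BUILD_TRACING: 'on'`, removes the ambiguity either way. The same commit is pinned for `codeql-action/analyze` in the next hunk; the two should keep moving together when the pin is bumped.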
@@ -10,6 +10,6 @@ jobs: enforce: runs-on: ubuntu-latest steps: - - uses: yogevbd/enforce-label-action@2.2.2 + - uses: yogevbd/enforce-label-action@a3c219da6b8fa73f6ba62b68ff09c469b3a1c024 # 2.2.2 with: BANNED_LABELS: "needs-docs,needs-tests,needs-adr,needs-git-sign-off,needs-tutorial"
diff --git a/.github/workflows/scan-lint.yml b/.github/workflows/scan-lint.yml
index b6707e4662..98df73ecd4 100644
--- a/.github/workflows/scan-lint.yml
+++ b/.github/workflows/scan-lint.yml
@@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Run Revive Action by pulling pre-built image uses: docker://morphy/revive-action:v2
diff --git a/.github/workflows/test-bigbang.yml b/.github/workflows/test-bigbang.yml
index 76d989147a..df348d5c43 100644
--- a/.github/workflows/test-bigbang.yml
+++ b/.github/workflows/test-bigbang.yml
@@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup golang uses: ./.github/actions/golang
@@ -41,7 +41,7 @@ jobs: uses: ./.github/actions/k3d - name: "Login to Iron Bank" - uses: docker/login-action@v2 + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 if: ${{ env.IRONBANK_USERNAME != '' }} env: IRONBANK_USERNAME: ${{ secrets.IRONBANK_USERNAME }}
diff --git a/.github/workflows/test-external.yml b/.github/workflows/test-external.yml
index 5d1294714f..4959878ea4 100644
--- a/.github/workflows/test-external.yml
+++ b/.github/workflows/test-external.yml
@@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup golang uses: ./.github/actions/golang
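Review bot: In the scan-lint.yml hunk, the step right below the newly pinned `actions/checkout@…` still runs `uses: docker://morphy/revive-action:v2`, a mutable Docker Hub tag, so the linter image can change underneath the workflow with no diff while the actions beside it are now commit-pinned. Pin the image by digest as well, `uses: docker://morphy/revive-action:v2@sha256:<image-digest>`, and refresh it through the same dependency-update process as the SHA pins. The rest of that job's steps are outside the hunk.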
diff --git a/.github/workflows/test-k3d.yml b/.github/workflows/test-k3d.yml
index 5a03321765..4fd86bc077 100644
--- a/.github/workflows/test-k3d.yml
+++ b/.github/workflows/test-k3d.yml
@@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup golang uses: ./.github/actions/golang
diff --git a/.github/workflows/test-k3s.yml b/.github/workflows/test-k3s.yml
index 157b50fff3..9c33186fc1 100644
--- a/.github/workflows/test-k3s.yml
+++ b/.github/workflows/test-k3s.yml
@@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup golang uses: ./.github/actions/golang
diff --git a/.github/workflows/test-kind.yml b/.github/workflows/test-kind.yml
index c1651f791d..66bb2402f6 100644
--- a/.github/workflows/test-kind.yml
+++ b/.github/workflows/test-kind.yml
@@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup golang uses: ./.github/actions/golang
diff --git a/.github/workflows/test-minikube.yml b/.github/workflows/test-minikube.yml
index 80fa823e57..1a669d8c66 100644
--- a/.github/workflows/test-minikube.yml
+++ b/.github/workflows/test-minikube.yml
@@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup golang uses: ./.github/actions/golang
diff --git a/.github/workflows/test-ui.yml b/.github/workflows/test-ui.yml
index 25d54b3386..b35d37de3b 100644
--- a/.github/workflows/test-ui.yml
+++ b/.github/workflows/test-ui.yml
@@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 # Have to run early for now since UI tests are a little brittle around cluster state - name: Setup K3d
diff --git a/.github/workflows/test-unit.yml b/.github/workflows/test-unit.yml
index 049960ea2f..e6c0c47c82 100644
--- a/.github/workflows/test-unit.yml
+++ b/.github/workflows/test-unit.yml
@@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup golang uses: ./.github/actions/golang
diff --git a/.github/workflows/test-upgrade.yml b/.github/workflows/test-upgrade.yml
index 43b76dd0a9..c4170fe5e8 100644
--- a/.github/workflows/test-upgrade.yml
+++ b/.github/workflows/test-upgrade.yml
@@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup golang uses: ./.github/actions/golang
diff --git a/.github/workflows/test-windows.yml b/.github/workflows/test-windows.yml
index f93eb2124c..36063218fd 100644
--- a/.github/workflows/test-windows.yml
+++ b/.github/workflows/test-windows.yml
@@ -26,7 +26,7 @@ jobs: runs-on: windows-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Optimize caching run: echo C:\Program Files\Git\usr\bin>>"%GITHUB_PATH%"
diff --git a/README.md b/README.md
index 44493b15df..a370219bb6 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,7 @@ Zarf eliminates the [complexity of air gap software delivery](https://www.itopst - Builtin [K9s Dashboard](https://k9scli.io/) for managing a cluster from the terminal - [Mutating Webhook](adr/0005-mutating-webhook.md) to automatically update Kubernetes pod's image path and pull secrets as well as [Flux Git Repository](https://fluxcd.io/docs/components/source/gitrepositories/) URLs and secret references - Builtin [command to find images](https://docs.zarf.dev/docs/user-guide/the-zarf-cli/cli-commands/zarf_prepare_find-images) and resources from a Helm chart -- Tunneling capability to [connect to Kuberenetes resources](https://docs.zarf.dev/docs/user-guide/the-zarf-cli/cli-commands/zarf_connect) without network routing, DNS, TLS or Ingress configuration required +- Tunneling capability to [connect to Kubernetes resources](https://docs.zarf.dev/docs/user-guide/the-zarf-cli/cli-commands/zarf_connect) without network routing, DNS, TLS or Ingress configuration required ## 🛠️ Configurable Features