diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 44c1fdb..7027cc4 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -11,10 +11,14 @@ jobs:
 name: fmt
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
 with:
 components: rustfmt
 - run: ./hack/ci/install-linux-deps.sh
@@ -23,7 +27,11 @@ jobs:
 name: shellcheck
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
 submodules: recursive
 - run: ./hack/code/shellcheck.sh
diff --git a/.github/workflows/client.yml b/.github/workflows/client.yml
index 56ce09b..abca48a 100644
--- a/.github/workflows/client.yml
+++ b/.github/workflows/client.yml
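Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections and blocks nothing, so the pinning done in this commit stops short of runtime enforcement; the same step with the same policy is added to every job in client.yml, kernel.yml, nightly.yml, os.yml, release-binaries.yml, release-plz.yml and server.yml, so this note covers all of them. Audit is a sensible first pass for the build-only jobs, but once the audit output has been reviewed the job in release-plz.yml, which hands an app token and `CARGO_REGISTRY_TOKEN` to a third-party action, is the first candidate for `egress-policy: block` with an `allowed-endpoints` list. Separately, `dtolnay/rust-toolchain` appears to take the toolchain channel from the action ref when no `toolchain:` input is given, and the `# stable` comment does not reach the action, so a commit-pinned ref may not resolve to stable — worth confirming on the first pinned run. If it does not, add `toolchain: stable` under `with:` next to `components: rustfmt` here, and likewise on every other pinned `dtolnay/rust-toolchain` step in this change.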
@@ -27,18 +27,22 @@ jobs:
 run:
 shell: bash
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+ with:
+ egress-policy: audit
 - run: git config --global core.autocrlf false && git config --global core.eol lf
 if: ${{ matrix.platform.os == 'windows' }}
- - uses: actions/checkout@v4
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
 if: ${{ matrix.platform.os != 'darwin' }}
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
 with:
 targets: "${{ matrix.platform.arch }}-apple-darwin"
 if: ${{ matrix.platform.os == 'darwin' }}
- - uses: homebrew/actions/setup-homebrew@master
+ - uses: homebrew/actions/setup-homebrew@4b34604e75af8f8b23b454f0b5ffb7c5d8ce0056 # master
 if: ${{ matrix.platform.os == 'darwin' }}
 - run: ./hack/ci/install-${{ matrix.platform.deps }}-deps.sh
 - run: ./hack/build/cargo.sh build --bin kratactl
diff --git a/.github/workflows/kernel.yml b/.github/workflows/kernel.yml
index 95792f9..e1db2b8 100644
--- a/.github/workflows/kernel.yml
+++ b/.github/workflows/kernel.yml
@@ -22,10 +22,14 @@ jobs:
 TARGET_ARCH: "${{ matrix.arch }}"
 name: kernel build ${{ matrix.arch }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
 - run: ./hack/ci/install-linux-deps.sh
 - run: ./hack/kernel/build.sh
 env:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 8f28bf0..bebd861 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -16,17 +16,22 @@ jobs:
 TARGET_ARCH: "${{ matrix.arch }}"
 name: nightly server ${{ matrix.arch }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
 with:
 targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl"
 - run: ./hack/ci/install-linux-deps.sh
 - run: ./hack/dist/bundle.sh
 env:
 KRATA_KERNEL_BUILD_JOBS: "5"
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
 with:
 name: krata-bundle-systemd-${{ matrix.arch }}
 path: "target/dist/bundle-systemd-${{ matrix.arch }}.tgz"
@@ -34,7 +39,7 @@ jobs:
 - run: ./hack/dist/deb.sh
 env:
 KRATA_KERNEL_BUILD_SKIP: "1"
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
 with:
 name: krata-debian-${{ matrix.arch }}
 path: "target/dist/*.deb"
@@ -42,7 +47,7 @@ jobs:
 - run: ./hack/dist/apk.sh
 env:
 KRATA_KERNEL_BUILD_SKIP: "1"
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
 with:
 name: krata-alpine-${{ matrix.arch }}
 path: "target/dist/*_${{ matrix.arch }}.apk"
@@ -50,7 +55,7 @@ jobs:
 - run: ./hack/os/build.sh
 env:
 KRATA_KERNEL_BUILD_SKIP: "1"
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
 with:
 name: krata-os-${{ matrix.arch }}
 path: "target/os/krata-${{ matrix.arch }}.qcow2"
@@ -75,27 +80,32 @@ jobs:
 run:
 shell: bash
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+ with:
+ egress-policy: audit
+
 - run: git config --global core.autocrlf false && git config --global core.eol lf
 if: ${{ matrix.platform.os == 'windows' }}
- - uses: actions/checkout@v4
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
 if: ${{ matrix.platform.os != 'darwin' }}
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
 with:
 targets: "${{ matrix.platform.arch }}-apple-darwin"
 if: ${{ matrix.platform.os == 'darwin' }}
- - uses: homebrew/actions/setup-homebrew@master
+ - uses: homebrew/actions/setup-homebrew@4b34604e75af8f8b23b454f0b5ffb7c5d8ce0056 # master
 if: ${{ matrix.platform.os == 'darwin' }}
 - run: ./hack/ci/install-${{ matrix.platform.deps }}-deps.sh
 - run: ./hack/build/cargo.sh build --release --bin kratactl
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
 with:
 name: kratactl-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
 path: "target/*/release/kratactl"
 if: ${{ matrix.platform.os != 'windows' }}
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
 with:
 name: kratactl-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
 path: "target/*/release/kratactl.exe"
diff --git a/.github/workflows/os.yml b/.github/workflows/os.yml
index 20d15ee..fbe6672 100644
--- a/.github/workflows/os.yml
+++ b/.github/workflows/os.yml
@@ -23,17 +23,21 @@ jobs:
 TARGET_ARCH: "${{ matrix.arch }}"
 name: os build ${{ matrix.arch }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
 with:
 targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl"
 - run: ./hack/ci/install-linux-deps.sh
 - run: ./hack/os/build.sh
 env:
 KRATA_KERNEL_BUILD_JOBS: "5"
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
 with:
 name: krata-os-${{ matrix.arch }}
 path: "target/os/krata-${{ matrix.arch }}.qcow2"
diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml
index 27eddd5..c2cbd8a 100644
--- a/.github/workflows/release-binaries.yml
+++ b/.github/workflows/release-binaries.yml
@@ -25,10 +25,14 @@ jobs:
 TARGET_ARCH: "${{ matrix.arch }}"
 name: release-binaries server ${{ matrix.arch }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
 with:
 targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl"
 - run: ./hack/ci/install-linux-deps.sh
@@ -72,16 +76,20 @@ jobs:
 shell: bash
 timeout-minutes: 60
 steps:
- - uses: actions/checkout@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
 if: ${{ matrix.platform.os != 'darwin' }}
 - uses: dtolnay/rust-toolchain@stable
 with:
 targets: "${{ matrix.platform.arch }}-apple-darwin"
 if: ${{ matrix.platform.os == 'darwin' }}
- - uses: homebrew/actions/setup-homebrew@master
+ - uses: homebrew/actions/setup-homebrew@4b34604e75af8f8b23b454f0b5ffb7c5d8ce0056 # master
 if: ${{ matrix.platform.os == 'darwin' }}
 - run: ./hack/ci/install-${{ matrix.platform.deps }}-deps.sh
 - run: ./hack/build/cargo.sh build --release --bin kratactl
diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml
index 765bc0d..ceddfa7 100644
--- a/.github/workflows/release-plz.yml
+++ b/.github/workflows/release-plz.yml
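Review bot: The darwin toolchain step `- uses: dtolnay/rust-toolchain@stable` (the one carrying `targets: "${{ matrix.platform.arch }}-apple-darwin"`) is left as an unchanged context line in this release-binaries hunk while its sibling two lines above is pinned to `d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable`, so the macOS release build still resolves a mutable branch at run time. The equivalent darwin steps in client.yml and nightly.yml were pinned in this same change, which makes this look like an oversight rather than intent; change it to `- uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable` to match. This is the job that produces published binaries, so it is the one place where an unpinned action ref is least acceptable. The enclosing job definition starts before this hunk.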
@@ -14,20 +14,24 @@ jobs:
 name: release-plz
 runs-on: ubuntu-latest
 steps:
- - uses: actions/create-github-app-token@v1
+ - name: Harden Runner
+ uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+ with:
+ egress-policy: audit
+ - uses: actions/create-github-app-token@a0de6af83968303c8c955486bf9739a57d23c7f1 # v1.10.0
 id: generate-token
 with:
 app-id: "${{ secrets.EDERA_CULTIVATION_APP_ID }}"
 private-key: "${{ secrets.EDERA_CULTIVATION_APP_PRIVATE_KEY }}"
- - uses: actions/checkout@v4
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
 submodules: recursive
 fetch-depth: 0
 token: "${{ steps.generate-token.outputs.token }}"
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
 - run: ./hack/ci/install-linux-deps.sh
 - name: release-plz
- uses: MarcoIeni/release-plz-action@v0.5
+ uses: MarcoIeni/release-plz-action@76e66a600f00c1f47dd1a2f3169f97a5213dc90b # v0.5.55
 env:
 GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
 CARGO_REGISTRY_TOKEN: "${{ secrets.KRATA_RELEASE_CARGO_TOKEN }}"
diff --git a/.github/workflows/server.yml b/.github/workflows/server.yml
index 02b1baa..292deee 100644
--- a/.github/workflows/server.yml
+++ b/.github/workflows/server.yml
@@ -19,10 +19,14 @@ jobs:
 TARGET_ARCH: "${{ matrix.arch }}"
 name: server build ${{ matrix.arch }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
 - run: ./hack/ci/install-linux-deps.sh
 - run: ./hack/build/cargo.sh build
 test:
@@ -36,10 +40,15 @@ jobs:
 TARGET_ARCH: "${{ matrix.arch }}"
 name: server test ${{ matrix.arch }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
 - run: ./hack/ci/install-linux-deps.sh
 - run: ./hack/build/cargo.sh test
 clippy:
@@ -53,10 +62,14 @@ jobs:
 TARGET_ARCH: "${{ matrix.arch }}"
 name: server clippy ${{ matrix.arch }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
 with:
 components: clippy
 - run: ./hack/ci/install-linux-deps.sh
@@ -72,10 +85,14 @@ jobs:
 TARGET_ARCH: "${{ matrix.arch }}"
 name: server initrd ${{ matrix.arch }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@stable
+ - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
 with:
 targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl"
 - run: ./hack/ci/install-linux-deps.sh