diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 8bae858..d47abd2 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -17,7 +17,7 @@ jobs:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+ - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
 with:
 components: rustfmt
 - run: ./hack/ci/install-linux-deps.sh
diff --git a/.github/workflows/client.yml b/.github/workflows/client.yml
index 2c46395..3485db4 100644
--- a/.github/workflows/client.yml
+++ b/.github/workflows/client.yml
@@ -35,9 +35,9 @@ jobs:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+ - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
 if: ${{ matrix.platform.os != 'darwin' }}
- - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+ - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
 with:
 targets: "${{ matrix.platform.arch }}-apple-darwin"
 if: ${{ matrix.platform.os == 'darwin' }}
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index d124078..9bbb7e5 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -5,8 +5,6 @@ on:
 - cron: "0 10 * * *"
 permissions:
 contents: read
- packages: write
- id-token: write
 jobs:
 server:
 runs-on: ubuntu-latest
@@ -26,7 +24,7 @@ jobs:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+ - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
 with:
 targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl"
 - run: ./hack/ci/install-linux-deps.sh
@@ -84,9 +82,9 @@ jobs:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+ - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
 if: ${{ matrix.platform.os != 'darwin' }}
- - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+ - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
 with:
 targets: "${{ matrix.platform.arch }}-apple-darwin"
 if: ${{ matrix.platform.os == 'darwin' }}
@@ -115,6 +113,8 @@ jobs:
 - kratanet
 - krata-guest-init
 name: "oci build ${{ matrix.component }}"
+ permissions:
+ packages: write
 steps:
 - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
 with:
diff --git a/.github/workflows/os.yml b/.github/workflows/os.yml
index 6b93a2a..fb5e5b9 100644
--- a/.github/workflows/os.yml
+++ b/.github/workflows/os.yml
@@ -25,7 +25,7 @@ jobs:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+ - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
 with:
 targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl"
 - run: ./hack/ci/install-linux-deps.sh
diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml
index 329f396..d1940fe 100644
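Review bot: The job-level `permissions` block added to the `oci build` job in nightly.yml grants only `packages: write`, and a job-level block replaces the workflow-level one rather than merging with it, so every unlisted scope, including the workflow's `contents: read`, becomes `none` for this job. The job's steps continue outside the hunk; if they check out the repository, list the read scope explicitly by adding `contents: read` next to `packages: write`. The commit also drops `id-token: write` from this workflow and from release-binaries.yml without re-granting it to any job, so if an image-build step requests an OIDC token (keyless signing, for example) it will now fail; confirm none does, or add `id-token: write` to the `oci` jobs only.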
--- a/.github/workflows/release-binaries.yml
+++ b/.github/workflows/release-binaries.yml
@@ -1,8 +1,4 @@
 name: release-binaries
-permissions:
- contents: write
- packages: write
- id-token: write
 on:
 release:
 types:
@@ -25,7 +21,9 @@ jobs:
 - aarch64
 env:
 TARGET_ARCH: "${{ matrix.arch }}"
- name: release-binaries server ${{ matrix.arch }}
+ name: "release-binaries server ${{ matrix.arch }}"
+ permissions:
+ contents: write
 steps:
 - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
 with:
@@ -33,7 +31,7 @@ jobs:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+ - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
 with:
 targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl"
 - run: ./hack/ci/install-linux-deps.sh
@@ -68,6 +66,8 @@ jobs:
 run:
 shell: bash
 timeout-minutes: 60
+ permissions:
+ contents: write
 steps:
 - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
 with:
@@ -75,7 +75,7 @@ jobs:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+ - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
 if: ${{ matrix.platform.os != 'darwin' }}
 - uses: dtolnay/rust-toolchain@stable
 with:
@@ -103,6 +103,9 @@ jobs:
 - kratanet
 - krata-guest-init
 name: "release-binaries oci ${{ matrix.component }}"
+ permissions:
+ contents: write
+ packages: write
 steps:
 - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
 with:
diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml
index d74ebe3..ef3b940 100644
--- a/.github/workflows/release-plz.yml
+++ b/.github/workflows/release-plz.yml
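Review bot: With the workflow-level `permissions` block removed at the top of release-binaries.yml, the workflow has no default left, so any job without its own block, now or added later, falls back to the repository's default GITHUB_TOKEN permissions, which may be read-write. Keep a restrictive default at the top, either `permissions: {}` or a block holding only `contents: read`, and let the per-job blocks added in this commit widen it where needed. The same applies to the first hunk of release-plz.yml, which removes its top-level block in the same way.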
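Review bot: The darwin toolchain step shown as context two lines below the bumped pin in the `@@ -75,7 +75,7 @@` hunk still reads `- uses: dtolnay/rust-toolchain@stable`, a mutable branch ref, while every other use touched by this commit is pinned to a commit SHA. Judging by the line numbers, this is the job that receives `contents: write` in the preceding hunk, so whatever that ref resolves to at run time would execute with a token that has write access to repository contents. Pin it to the same commit as its sibling: `- uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable`. The step's `with:` block continues outside the hunk.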
@@ -1,7 +1,4 @@
 name: release-plz
-permissions:
- pull-requests: write
- contents: write
 on:
 push:
 branches:
@@ -13,6 +10,9 @@ jobs:
 release-plz:
 name: release-plz
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ contents: write
 steps:
 - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
 with:
@@ -27,7 +27,7 @@ jobs:
 submodules: recursive
 fetch-depth: 0
 token: "${{ steps.generate-token.outputs.token }}"
- - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+ - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
 - run: ./hack/ci/install-linux-deps.sh
 - name: release-plz
 uses: MarcoIeni/release-plz-action@86afd21a7b114234aab55ba0005eed52f77d89e4 # v0.5.62
diff --git a/.github/workflows/server.yml b/.github/workflows/server.yml
index 14357db..fd33850 100644
--- a/.github/workflows/server.yml
+++ b/.github/workflows/server.yml
@@ -25,7 +25,7 @@ jobs:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+ - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
 - run: ./hack/ci/install-linux-deps.sh
 - run: ./hack/build/cargo.sh build
 test:
@@ -45,7 +45,7 @@ jobs:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 submodules: recursive
- - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+ - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
 - run: ./hack/ci/install-linux-deps.sh
 - run: ./hack/build/cargo.sh test
 clippy:
@@ -65,7 +65,7 @@ jobs: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable + - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable with: components: clippy - run: ./hack/ci/install-linux-deps.sh @@ -87,7 +87,7 @@ jobs: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable + - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable with: targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl" - run: ./hack/ci/install-linux-deps.sh diff --git a/images/Dockerfile.krata-guest-init b/images/Dockerfile.krata-guest-init index 7694771..07becc5 100644 --- a/images/Dockerfile.krata-guest-init +++ b/images/Dockerfile.krata-guest-init @@ -1,4 +1,4 @@ -FROM rust:1.79-alpine AS build +FROM rust:1.79-alpine@sha256:a454f49f2e15e233f829a0fd9a7cbdac64b6f38ec08aeac227595d4fc6eb6d4d AS build RUN apk update && apk add protoc protobuf-dev build-base && rm -rf /var/cache/apk/* ENV TARGET_LIBC=musl TARGET_VENDOR=unknown diff --git a/images/Dockerfile.kratactl b/images/Dockerfile.kratactl index 40d2ee8..55c67a3 100644 --- a/images/Dockerfile.kratactl +++ b/images/Dockerfile.kratactl @@ -1,4 +1,4 @@ -FROM rust:1.79-alpine AS build +FROM rust:1.79-alpine@sha256:a454f49f2e15e233f829a0fd9a7cbdac64b6f38ec08aeac227595d4fc6eb6d4d AS build RUN apk update && apk add protoc protobuf-dev build-base && rm -rf /var/cache/apk/* ENV TARGET_LIBC=musl TARGET_VENDOR=unknown diff --git a/images/Dockerfile.kratad b/images/Dockerfile.kratad index 01a5755..a68bf44 100644 --- a/images/Dockerfile.kratad +++ b/images/Dockerfile.kratad 
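Review bot: Pinning `FROM rust:1.79-alpine@sha256:…` freezes the base layer, but nothing in this diff shows how the digest will be refreshed; once a digest is present the tag no longer moves the image, so fixes later published under `1.79-alpine` stop arriving until someone edits all four Dockerfiles (krata-guest-init, kratactl, kratad, kratanet). Make sure an update bot or a documented process covers `images/`, and record it beside the pin, for example `# digest of rust:1.79-alpine; refreshed by <update process>`. The `RUN apk update && apk add …` line below the pin still installs unpinned packages, so the build stage is not fully reproducible even with the digest in place.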
@@ -1,4 +1,4 @@ -FROM rust:1.79-alpine AS build +FROM rust:1.79-alpine@sha256:a454f49f2e15e233f829a0fd9a7cbdac64b6f38ec08aeac227595d4fc6eb6d4d AS build RUN apk update && apk add protoc protobuf-dev build-base && rm -rf /var/cache/apk/* ENV TARGET_LIBC=musl TARGET_VENDOR=unknown diff --git a/images/Dockerfile.kratanet b/images/Dockerfile.kratanet index 4e0f1d0..2538402 100644 --- a/images/Dockerfile.kratanet +++ b/images/Dockerfile.kratanet @@ -1,4 +1,4 @@ -FROM rust:1.79-alpine AS build +FROM rust:1.79-alpine@sha256:a454f49f2e15e233f829a0fd9a7cbdac64b6f38ec08aeac227595d4fc6eb6d4d AS build RUN apk update && apk add protoc protobuf-dev build-base && rm -rf /var/cache/apk/* ENV TARGET_LIBC=musl TARGET_VENDOR=unknown