chore(security): pin docker images and improve actions permissions (#253)

2025-08-03 05:10:55 +00:00 · 2024-07-16 15:25:29 -07:00 · 2024-07-16 15:25:29 -07:00 · 9e91ffe065
commit 9e91ffe065
parent b57d95c610
11 changed files with 31 additions and 28 deletions
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@ -17,7 +17,7 @@ jobs:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        submodules: recursive
-    - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+    - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
      with:
        components: rustfmt
    - run: ./hack/ci/install-linux-deps.sh
--- a/.github/workflows/client.yml
+++ b/.github/workflows/client.yml
@ -35,9 +35,9 @@ jobs:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        submodules: recursive
-    - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+    - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
      if: ${{ matrix.platform.os != 'darwin' }}
-    - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+    - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
      with:
        targets: "${{ matrix.platform.arch }}-apple-darwin"
      if: ${{ matrix.platform.os == 'darwin' }}
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@ -5,8 +5,6 @@ on:
  - cron: "0 10 * * *"
 permissions:
  contents: read
  packages: write
  id-token: write
 jobs:
  server:
    runs-on: ubuntu-latest
@ -26,7 +24,7 @@ jobs:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        submodules: recursive
-    - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+    - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
      with:
        targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl"
    - run: ./hack/ci/install-linux-deps.sh
@ -84,9 +82,9 @@ jobs:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        submodules: recursive
-    - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+    - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
      if: ${{ matrix.platform.os != 'darwin' }}
-    - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+    - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
      with:
        targets: "${{ matrix.platform.arch }}-apple-darwin"
      if: ${{ matrix.platform.os == 'darwin' }}
@ -115,6 +113,8 @@ jobs:
        - kratanet
        - krata-guest-init
    name: "oci build ${{ matrix.component }}"
    permissions:
      packages: write
    steps:
    - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
      with:
--- a/.github/workflows/os.yml
+++ b/.github/workflows/os.yml
@ -25,7 +25,7 @@ jobs:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        submodules: recursive
-    - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+    - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
      with:
        targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl"
    - run: ./hack/ci/install-linux-deps.sh
--- a/.github/workflows/release-binaries.yml
+++ b/.github/workflows/release-binaries.yml
@ -1,8 +1,4 @@
 name: release-binaries
 permissions:
  contents: write
  packages: write
  id-token: write
 on:
  release:
    types:
@ -25,7 +21,9 @@ jobs:
        - aarch64
    env:
      TARGET_ARCH: "${{ matrix.arch }}"
-    name: release-binaries server ${{ matrix.arch }}
+    name: "release-binaries server ${{ matrix.arch }}"
    permissions:
      contents: write
    steps:
    - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
      with:
@ -33,7 +31,7 @@ jobs:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        submodules: recursive
-    - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+    - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
      with:
        targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl"
    - run: ./hack/ci/install-linux-deps.sh
@ -68,6 +66,8 @@ jobs:
      run:
        shell: bash
    timeout-minutes: 60
    permissions:
      contents: write
    steps:
    - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
      with:
@ -75,7 +75,7 @@ jobs:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        submodules: recursive
-    - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+    - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
      if: ${{ matrix.platform.os != 'darwin' }}
    - uses: dtolnay/rust-toolchain@stable
      with:
@ -103,6 +103,9 @@ jobs:
        - kratanet
        - krata-guest-init
    name: "release-binaries oci ${{ matrix.component }}"
    permissions:
      contents: write
      packages: write
    steps:
    - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
      with:
--- a/.github/workflows/release-plz.yml
+++ b/.github/workflows/release-plz.yml
@ -1,7 +1,4 @@
 name: release-plz
 permissions:
  pull-requests: write
  contents: write
 on:
  push:
    branches:
@ -13,6 +10,9 @@ jobs:
  release-plz:
    name: release-plz
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: write
    steps:
    - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
      with:
@ -27,7 +27,7 @@ jobs:
        submodules: recursive
        fetch-depth: 0
        token: "${{ steps.generate-token.outputs.token }}"
-    - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+    - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
    - run: ./hack/ci/install-linux-deps.sh
    - name: release-plz
      uses: MarcoIeni/release-plz-action@86afd21a7b114234aab55ba0005eed52f77d89e4 # v0.5.62
--- a/.github/workflows/server.yml
+++ b/.github/workflows/server.yml
@ -25,7 +25,7 @@ jobs:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        submodules: recursive
-    - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+    - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
    - run: ./hack/ci/install-linux-deps.sh
    - run: ./hack/build/cargo.sh build
  test:
@ -45,7 +45,7 @@ jobs:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        submodules: recursive
-    - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+    - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
    - run: ./hack/ci/install-linux-deps.sh
    - run: ./hack/build/cargo.sh test
  clippy:
@ -65,7 +65,7 @@ jobs:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        submodules: recursive
-    - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+    - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
      with:
        components: clippy
    - run: ./hack/ci/install-linux-deps.sh
@ -87,7 +87,7 @@ jobs:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        submodules: recursive
-    - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
+    - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
      with:
        targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl"
    - run: ./hack/ci/install-linux-deps.sh
--- a/images/Dockerfile.krata-guest-init
+++ b/images/Dockerfile.krata-guest-init
@ -1,4 +1,4 @@
-FROM rust:1.79-alpine AS build
+FROM rust:1.79-alpine@sha256:a454f49f2e15e233f829a0fd9a7cbdac64b6f38ec08aeac227595d4fc6eb6d4d AS build
 RUN apk update && apk add protoc protobuf-dev build-base && rm -rf /var/cache/apk/*
 ENV TARGET_LIBC=musl TARGET_VENDOR=unknown
--- a/images/Dockerfile.kratactl
+++ b/images/Dockerfile.kratactl
@ -1,4 +1,4 @@
-FROM rust:1.79-alpine AS build
+FROM rust:1.79-alpine@sha256:a454f49f2e15e233f829a0fd9a7cbdac64b6f38ec08aeac227595d4fc6eb6d4d AS build
 RUN apk update && apk add protoc protobuf-dev build-base && rm -rf /var/cache/apk/*
 ENV TARGET_LIBC=musl TARGET_VENDOR=unknown
--- a/images/Dockerfile.kratad
+++ b/images/Dockerfile.kratad
@ -1,4 +1,4 @@
-FROM rust:1.79-alpine AS build
+FROM rust:1.79-alpine@sha256:a454f49f2e15e233f829a0fd9a7cbdac64b6f38ec08aeac227595d4fc6eb6d4d AS build
 RUN apk update && apk add protoc protobuf-dev build-base && rm -rf /var/cache/apk/*
 ENV TARGET_LIBC=musl TARGET_VENDOR=unknown
--- a/images/Dockerfile.kratanet
+++ b/images/Dockerfile.kratanet
@ -1,4 +1,4 @@
-FROM rust:1.79-alpine AS build
+FROM rust:1.79-alpine@sha256:a454f49f2e15e233f829a0fd9a7cbdac64b6f38ec08aeac227595d4fc6eb6d4d AS build
 RUN apk update && apk add protoc protobuf-dev build-base && rm -rf /var/cache/apk/*
 ENV TARGET_LIBC=musl TARGET_VENDOR=unknown