diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4f54b9b2a627..d5f785463812 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,6 +5,8 @@ updates: directory: "/" schedule: interval: "daily" + cooldown: + default-days: 2 ignore: # ignore this dependency # it seems a bug with dependabot as pining to commit sha should not diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2b9b73c5b66b..98cc8c982e40 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,11 +1,5 @@ name: build -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read @@ -126,22 +120,22 @@ jobs: fi - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Set up QEMU - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: version: ${{ env.SETUP_BUILDX_VERSION }} driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} buildkitd-flags: --debug - name: Build test image - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: source: . targets: integration-test @@ -157,7 +151,7 @@ jobs: - name: Send to Codecov if: always() - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5.5.3 with: directory: ./bin/testreports flags: integration 
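Review bot: The header explaining that a top-level `permissions:` block implicitly sets every unlisted scope to none is dropped here with nothing replacing it, and the same deletion repeats in codeql.yml, docs-release.yml, docs-upstream.yml, e2e.yml, labeler.yml and validate.yml. The six-line block was repetitive across files, but the one fact it carried is the reason `contents: read` has to be restated in every per-job `permissions:` block (labeler.yml and pr-assign-author.yml now rely on it with their `# same as global permission` comments). I would keep a single line above the block, at least in build.yml, e.g. `# top-level permissions: any scope not listed here is implicitly 'none'`.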
@@ -172,7 +166,7 @@ jobs: - name: Upload test reports if: always() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: test-reports-${{ env.TESTREPORTS_NAME }} path: ./bin/testreports @@ -196,10 +190,10 @@ jobs: git config --global core.eol lf - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version: "${{ env.GO_VERSION }}" - @@ -234,7 +228,7 @@ jobs: - name: Send to Codecov if: always() - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5.5.3 with: directory: ${{ env.TESTREPORTS_DIR }} env_vars: RUNNER_OS @@ -250,7 +244,7 @@ jobs: - name: Upload test reports if: always() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: test-reports-${{ env.TESTREPORTS_NAME }} path: ${{ env.TESTREPORTS_BASEDIR }} @@ -265,14 +259,14 @@ jobs: steps: - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: version: ${{ env.SETUP_BUILDX_VERSION }} driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} buildkitd-flags: --debug - name: Run - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: govulncheck env: 
@@ -280,12 +274,12 @@ jobs: - name: Upload SARIF report if: ${{ github.ref == 'refs/heads/master' && github.repository == 'docker/buildx' }} - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 with: sarif_file: ${{ env.DESTDIR }}/govulncheck.out binaries: - uses: docker/github-builder/.github/workflows/bake.yml@v1 + uses: docker/github-builder/.github/workflows/bake.yml@70313223e2665c3211b454b3fea6534624e78d64 # v1.4.0 permissions: contents: read # same as global permission id-token: write # for signing attestation(s) with GitHub OIDC Token @@ -307,7 +301,7 @@ jobs: steps: - name: Download artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: /tmp/buildx-output name: ${{ needs.binaries.outputs.artifact-name }} @@ -350,7 +344,7 @@ jobs: find . -type f -exec file -e ascii -- {} + - name: Upload release binaries - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: release path: ${{ env.DESTDIR }}/* @@ -366,7 +360,7 @@ jobs: bin-image: if: ${{ github.repository == 'docker/buildx' }} - uses: docker/github-builder/.github/workflows/bake.yml@v1 + uses: docker/github-builder/.github/workflows/bake.yml@70313223e2665c3211b454b3fea6534624e78d64 # v1.4.0 needs: - bin-image-prepare - test-integration @@ -409,7 +403,7 @@ jobs: steps: - name: Login to DockerHub - uses: docker/login-action@v4 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: username: ${{ vars.DOCKERPUBLICBOT_USERNAME }} password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }} 
@@ -423,7 +417,7 @@ jobs: image: registry://${{ env.REPO_SLUG }}:master - name: Upload SARIF report - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 with: sarif_file: ${{ steps.scout.outputs.result-file }} @@ -439,7 +433,7 @@ jobs: steps: - name: Download release binaries - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: ${{ env.DESTDIR }} name: release diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 8d00a9356c76..9c0fbf405549 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,11 +1,5 @@ name: codeql -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read @@ -29,22 +23,22 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version: ${{ env.GO_VERSION }} - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 with: languages: go - name: Autobuild - uses: github/codeql-action/autobuild@v4 + uses: github/codeql-action/autobuild@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 with: category: "/language:go" diff --git a/.github/workflows/docs-release.yml b/.github/workflows/docs-release.yml index 025837abd111..c70631d2addb 100644 
--- a/.github/workflows/docs-release.yml +++ b/.github/workflows/docs-release.yml @@ -1,11 +1,5 @@ name: docs-release -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read @@ -33,30 +27,33 @@ jobs: steps: - name: Checkout docs repo - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: token: ${{ secrets.GHPAT_DOCS_DISPATCH }} repository: docker/docs ref: main - name: Prepare + env: + INPUT_TAG: ${{ github.event.inputs.tag }} + RELEASE_NAME: ${{ github.event.release.name }} run: | rm -rf ./data/buildx/* - if [ -n "${{ github.event.inputs.tag }}" ]; then - echo "RELEASE_NAME=${{ github.event.inputs.tag }}" >> $GITHUB_ENV + if [ -n "${INPUT_TAG}" ]; then + echo "RELEASE_NAME=${INPUT_TAG}" >> $GITHUB_ENV else - echo "RELEASE_NAME=${{ github.event.release.name }}" >> $GITHUB_ENV + echo "RELEASE_NAME=${RELEASE_NAME}" >> $GITHUB_ENV fi - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: version: ${{ env.SETUP_BUILDX_VERSION }} driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} buildkitd-flags: --debug - name: Generate yaml - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: source: ${{ github.server_url }}/${{ github.repository }}.git#${{ env.RELEASE_NAME }} targets: update-docs diff --git a/.github/workflows/docs-upstream.yml b/.github/workflows/docs-upstream.yml index dd509e20baee..60dfacb4fb46 100644 --- a/.github/workflows/docs-upstream.yml +++ b/.github/workflows/docs-upstream.yml 
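Review bot: The resolved release name is appended to `$GITHUB_ENV` without any check in the new Prepare step, so an empty value (no dispatch tag and no release name) only surfaces later when the bake `source:` ends in `.git#`, and `$GITHUB_ENV` is parsed one `KEY=value` per line, so a value containing a line break would need the delimiter form rather than a plain echo. Moving `github.event.inputs.tag` and `github.event.release.name` into `env:` is the right fix for template injection; I would add a guard that the value is a single non-empty line before writing it, quote `"$GITHUB_ENV"`, and rename the step-level `RELEASE_NAME` so it is not confused with the job-wide variable the step exports. This assumes the step runs under bash, the default shell for `run:` on Linux runners.
```yaml
      - name: Prepare
        env:
          INPUT_TAG: ${{ github.event.inputs.tag }}
          EVENT_RELEASE_NAME: ${{ github.event.release.name }}
        run: |
          rm -rf ./data/buildx/*
          name="${INPUT_TAG:-${EVENT_RELEASE_NAME}}"
          # GITHUB_ENV is parsed one KEY=value per line: require a single non-empty line
          case "${name}" in
            ""|*$'\n'*) echo "cannot resolve a release name from the event" >&2; exit 1 ;;
          esac
          echo "RELEASE_NAME=${name}" >> "$GITHUB_ENV"
      # … unchanged: Set up Docker Buildx, Generate yaml …
```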
@@ -3,12 +3,6 @@ # https://github.com/docker/docker.github.io/blob/98c7c9535063ae4cd2cd0a31478a21d16d2f07a3/docker-bake.hcl#L34-L36 name: docs-upstream -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read @@ -39,14 +33,14 @@ jobs: steps: - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: version: ${{ env.SETUP_BUILDX_VERSION }} driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} buildkitd-flags: --debug - name: Build reference YAML docs - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: update-docs provenance: false @@ -58,14 +52,14 @@ jobs: DOCS_FORMATS: yaml - name: Upload reference YAML docs - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: docs-yaml path: /tmp/buildx-docs/out/reference retention-days: 1 validate: - uses: docker/docs/.github/workflows/validate-upstream.yml@main + uses: docker/docs/.github/workflows/validate-upstream.yml@8f0cf552fd0a69bcd19bb3f53a17a346b399673c # main needs: - docs-yaml with: diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 0a6f6b4cf0c3..ab7d6fc3871b 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -1,11 +1,5 @@ name: e2e -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read 
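Review bot: `validate-upstream.yml@8f0cf552fd0a69bcd19bb3f53a17a346b399673c # main` freezes what used to be a tracking-branch reference at one commit, and the `# main` annotation no longer describes what is pinned. Dependabot only moves a SHA pin forward when it can map it to a newer tag, so, if I read its behaviour correctly, this reference will stay on this commit until someone bumps it by hand and changes to docker/docs' validation workflow will silently stop being picked up. Either record that intent in the comment, `# snapshot of main as of <DATE>, bump manually`, or point it at a tagged release of docker/docs if one is available.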
@@ -37,14 +31,14 @@ jobs: steps: - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: version: ${{ env.SETUP_BUILDX_VERSION }} driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} buildkitd-flags: --debug - name: Build - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: binaries set: | @@ -57,7 +51,7 @@ jobs: mv ${{ env.DESTDIR }}/build/buildx ${{ env.DESTDIR }}/build/docker-buildx - name: Upload artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: binary path: ${{ env.DESTDIR }}/build @@ -111,14 +105,14 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up QEMU - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 if: matrix.driver == 'docker' || matrix.driver == 'docker-container' - name: Install buildx - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: binary path: /home/runner/.docker/cli-plugins @@ -214,10 +208,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Expose GitHub Runtime - uses: crazy-max/ghaction-github-runtime@v4 + uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4.0.0 - name: Environment variables if: matrix.envs != '' 
@@ -227,10 +221,10 @@ jobs: done - name: Set up QEMU - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Install buildx - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: binary path: /home/runner/.docker/cli-plugins @@ -241,13 +235,13 @@ jobs: docker buildx version - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} buildkitd-flags: --debug - name: Build - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: source: ${{ matrix.source }} targets: ${{ matrix.targets }} diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 6fc4b8995666..4346c37bb575 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -1,11 +1,5 @@ name: labeler -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read @@ -14,19 +8,17 @@ concurrency: cancel-in-progress: true on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] does not checkout, safe to use pull_request_target jobs: labeler: runs-on: ubuntu-latest permissions: - # same as global permission - contents: read - # required for writing labels - pull-requests: write + contents: read # same as global permission + pull-requests: write # required for writing labels steps: - name: Run - uses: actions/labeler@v6 + uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1 with: sync-labels: true 
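Review bot: The justification in the new `# zizmor: ignore[dangerous-triggers]` comment on `pull_request_target:` says only "does not checkout", but the property that makes this trigger safe is broader: no step may check out or execute anything taken from the PR head, and the job must not receive more than the `pull-requests: write` it needs. I would state that precondition in the comment so a future checkout step is recognisable as breaking it, e.g. `# zizmor: ignore[dangerous-triggers] no checkout or execution of PR-controlled content; only labels are written`. The same wording is added in pr-assign-author.yml and would benefit from the same change.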
diff --git a/.github/workflows/pr-assign-author.yml b/.github/workflows/pr-assign-author.yml index 571b37078581..b150895be185 100644 --- a/.github/workflows/pr-assign-author.yml +++ b/.github/workflows/pr-assign-author.yml @@ -4,7 +4,7 @@ permissions: contents: read on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] does not checkout, safe to use pull_request_target types: - opened - reopened @@ -13,5 +13,5 @@ jobs: run: uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@20ef82212dc54bab5749f5e05576ca6d3c8a5773 # v1.1.0 permissions: - contents: read - pull-requests: write + contents: read # same as global permission + pull-requests: write # required to assign author diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 3a826747b50d..279e60e46d9c 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -1,11 +1,5 @@ name: validate -# Default to 'contents: read', which grants actions to read commits. -# -# If any permission is set, any permission not included in the list is -# implicitly set to "none". -# -# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read @@ -37,11 +31,11 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Generate matrix id: generate - uses: docker/bake-action/subaction/matrix@v7 + uses: docker/bake-action/subaction/matrix@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: target: validate fields: platforms 
@@ -59,14 +53,14 @@ jobs: steps: - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: version: ${{ env.SETUP_BUILDX_VERSION }} driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} buildkitd-flags: --debug - name: Validate - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: ${{ matrix.target }} set: | diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 000000000000..9c0dae79b9e9 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,33 @@ +name: zizmor + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +on: + workflow_dispatch: + push: + branches: + - 'master' + - 'v[0-9]*' + tags: + - 'v*' + pull_request: + paths-ignore: + - '.github/releases.json' + +jobs: + zizmor: + uses: crazy-max/.github/.github/workflows/zizmor.yml@20ef82212dc54bab5749f5e05576ca6d3c8a5773 # v1.1.0 + permissions: + contents: read + security-events: write + with: + version: v1.22.0 + min-severity: medium + min-confidence: medium + persona: pedantic + no-online-audits: true
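Review bot: `no-online-audits: true` in the new zizmor.yml switches off the audits that need network access, which as far as I recall includes `impostor-commit`, the check that verifies a pinned SHA actually belongs to the repository named in `uses:`, and `known-vulnerable-actions`; those are the audits that back the SHA pinning this commit introduces in every other workflow. If the motivation is API rate limits on pull_request runs, consider keeping online audits enabled on `push` to master and recording the trade-off above the input, e.g. `# online audits disabled to avoid GitHub API rate limits on PR runs — TODO confirm which audits this drops`. Separately, `security-events: write` is not granted to pull_request runs from forks, so the SARIF upload step inside the reusable workflow may fail there; how the reusable workflow handles that is not visible here.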