centralcloud/oncall-engine
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
oncall-engine/.github
History
Matthew Thorning a991fac43e
chore: update gh workflows with zizmor suggested fixes (#5523) 
This pull request updates multiple GitHub Actions workflows to improve
security, stability, and functionality. The most notable changes include
pinning action versions to specific commit SHAs, adding validation for
branch names, and updating dependencies and configurations.

### Security Improvements:
* Added `persist-credentials: false` to `actions/checkout` steps in
`.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml`
and `.github/workflows/e2e-tests.yml` to reduce the risk of unauthorized
access to credentials.
[[1]](diffhunk://#diff-f87667d48e22abfbbccf3695a8acc386143e3542286f432e6e3d8330960c76f9R29)
[[2]](diffhunk://#diff-194218c48b9a0cdd03974145733804c2d992ca818529fe2fa69a501d8b5b1cc3R48-R59)
* Validated branch names against a safe pattern in
`.github/workflows/linting-and-tests.yml` to prevent potential misuse of
branch names in subsequent steps.

### Stability Enhancements:
* Pinned all third-party GitHub Actions to specific commit SHAs across
various workflows to ensure consistent and predictable behavior.
Examples include
`grafana/shared-workflows/actions/build-push-to-dockerhub`,
`catchpoint/workflow-telemetry-action`, and
`actions-ecosystem/action-remove-labels`.
[[1]](diffhunk://#diff-f87667d48e22abfbbccf3695a8acc386143e3542286f432e6e3d8330960c76f9L37-R38)
[[2]](diffhunk://#diff-194218c48b9a0cdd03974145733804c2d992ca818529fe2fa69a501d8b5b1cc3R48-R59)
[[3]](diffhunk://#diff-f93a3de9563193d65121683e6383741ac4b6aa18bdb51ba82b80497e700561cdL15-R15)
* Updated Helm-related actions in
`.github/workflows/linting-and-tests.yml` and
`.github/workflows/on-release-published.yml` to specific SHAs for better
reliability.
[[1]](diffhunk://#diff-a70d3d29c45894eeef2036c533385dbc424f9479590aaea01e62c06dc67079a1L147-R170)
[[2]](diffhunk://#diff-e95a5d3f03a1351728732657b6b150cfbbd9a9724b387226b1f99f079b1954b0L91-R91)

### Functional Updates:
* Enhanced `.github/workflows/linting-and-tests.yml` by using validated
branch references in Git commands to avoid errors caused by unsafe
branch names.
* Updated `snyk/actions/setup` in
`.github/workflows/snyk-security-scan.yml` to a specific SHA for
improved compatibility and security.

These changes collectively enhance the security, reliability, and
maintainability of the workflows.
2025-05-01 08:56:34 -04:00
..
actions deps: bump Python to 3.12.10 (#5517) 2025-04-17 14:44:58 -04:00
ISSUE_TEMPLATE update github issue product areas + label assignment 2024-06-14 12:52:14 -04:00
workflows chore: update gh workflows with zizmor suggested fixes (#5523) 2025-05-01 08:56:34 -04:00
CODEOWNERS chore: update CODEOWNERS (#5237) 2024-11-06 15:03:11 -05:00
helm-ci.yml Configure cross plugin e2e tests (#4222) 2024-04-25 06:25:59 +00:00
pull_request_template.md PR template: "Closes" -> "Related to" (#4693) 2024-07-17 13:44:16 +00:00
release.yml Automate release note generation (#4004) 2024-03-06 14:37:55 +00:00
verify-public-docs-updated.sh add small script + github action to check that public docs updated (#1177) 2023-01-20 13:23:06 +01:00