Pin actions and tighten workflow permissions (#3954)

* ci: Reduce chance of installing corrupt packages

See: https://dev.to/hsbt/should-rubygemsbundler-have-a-cooldown-feature-40cp
Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

* ci: prevent credential leakage from checkout steps

Add `persist-credentials: false` to all `actions/checkout` calls across
22 workflow files. Without this, the GitHub token used for checkout is
written into `.git/config` and remains accessible to all subsequent steps
and any uploaded artifacts (artipacked finding).

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

* ci: prevent template injection from github context in run steps

`${{ github.* }}` expressions used directly inside `run:` blocks are
expanded before the shell sees them. A crafted value (e.g. a tag name
containing shell metacharacters) would execute arbitrary code.

Move the values into `env:` variables (e.g. GITHUB_EVENT_RELEASE_TAG_NAME,
GITHUB_ACTOR) and reference them as `${VAR}` in the shell, so the runtime
never interprets them as code (template-injection finding).

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

* ci: prevent injection in yq commands via release tag name

`${{ github.event.release.tag_name }}` was interpolated directly into
yq `cmd:` inputs. A crafted tag name could inject shell commands since
the expression is expanded before the action runs. Use yq's `strenv()`
with an `env:` variable instead so the value is always treated as data.

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

* ci: pin all GitHub Actions to full commit SHAs

Actions pinned to mutable tags (e.g. @v6, @main) can change under us if
the upstream repo is compromised or tags are moved, enabling supply-chain
attacks. Pinning to the full 40-char commit SHA locks the exact code that
runs. Version tags are preserved as inline comments (e.g. # v6.0.2) for
readability and Dependabot compatibility.

Used `pinact` for standard tagged versions; remaining branch-based
references (mikefarah/yq, jlumbroso/free-disk-space,
project-stacker/stacker-build-push-action, aquasecurity/trivy-action)
resolved manually via the GitHub API.

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

* ci: slow down GitHub Actions dependency updates to biweekly

Dependabot has no native biweekly interval. Combining weekly checks with
a 14-day cooldown achieves the same effect: Dependabot scans every Monday
but won't open a PR for a new action version until 14 days after release,
giving the ecosystem time to stabilize before we adopt it.

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

* ci: group all Dependabot updates into single PRs per ecosystem

Without groups, Dependabot opens one PR per dependency. With `patterns: "*"`,
all Go module bumps land in one PR and all GitHub Actions pin updates in
another, reducing review noise.

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

* ci: restore credential persistence for helm-charts push

`persist-credentials: false` was too broad — the helm-charts checkout
uses HELM_PUSH_TOKEN specifically so the subsequent `git push` can
authenticate. Only the main repo checkout should have credentials disabled.

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

* ci: use --password-stdin for oras login

Passing the token via `-p` exposes it in process listings and debug
logs. Piping via stdin is the standard secure pattern for CLI auth.

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

* ci: pin actions to versioned release SHAs

jmgilman/actions-generate-checksum: v1 branch HEAD -> v1.0.1 release
mikefarah/yq: arbitrary master HEAD -> v4.52.5 release

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

---------

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>
Benoit Tigeot
2026-04-11 00:35:22 +02:00
committed by GitHub
parent 43bf754fca
commit d97953f101
26 changed files with 296 additions and 175 deletions
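The three findings the commit message describes (unpinned `uses:` references, `${{ github.* }}` expressions inside `run:` blocks, and `actions/checkout` steps without `persist-credentials: false`) can be checked mechanically before a workflow is merged. The scanner below is an added example written for this page, not code from the commit or the zot project; it assumes conventional two-space YAML indentation, uses no YAML library, and runs over a constructed sample workflow.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# A full commit SHA: the only form of `uses:` reference this commit accepts.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses:` and `run:` keys, with or without a leading list dash.
USES_RE = re.compile(r"^(\s*)(-\s*)?uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^(\s*)(-\s*)?run:\s*(?:([|>][-+]?)\s*)?(.*)$")
# Expressions the template engine expands before bash runs. Deliberately
# conservative: every github.* and inputs.* value is flagged, as the commit
# message treats them.
EXPR_RE = re.compile(r"\$\{\{\s*(?:github|inputs)\.[^}]*\}\}")
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*false\b")


@dataclass(frozen=True)
class Finding:
    kind: str    # "unpinned-action", "template-injection" or "checkout-credentials"
    line: int    # 1-based line in the workflow text
    detail: str  # the offending reference or expression


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _block_body(lines: List[str], start: int, min_indent: int) -> Iterator[Tuple[int, str]]:
    """Yield (line_no, text) for the lines after `start` that are blank or
    indented at least `min_indent`, i.e. the YAML node owned by that key."""
    for j in range(start + 1, len(lines)):
        text = lines[j]
        if text.strip() and _indent(text) < min_indent:
            break
        yield j + 1, text


def check_workflow(text: str) -> List[Finding]:
    """Scan workflow YAML text for the three findings fixed by this commit."""
    lines = text.splitlines()
    findings: List[Finding] = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if m:
            key_indent = len(m.group(1)) + len(m.group(2) or "")
            ref = m.group(3)
            # Local composite actions and docker:// images have no SHA to pin.
            if not ref.startswith(("./", "docker://")):
                _, _, version = ref.partition("@")
                if not SHA_RE.match(version):
                    findings.append(Finding("unpinned-action", i + 1, ref))
            if ref.startswith("actions/checkout@"):
                step = _block_body(lines, i, key_indent)  # `with:` and deeper
                if not any(PERSIST_RE.match(t) for _, t in step):
                    findings.append(Finding("checkout-credentials", i + 1, ref))
            continue
        m = RUN_RE.match(line)
        if m:
            key_indent = len(m.group(1)) + len(m.group(2) or "")
            if m.group(3):  # block scalar: the script is the deeper-indented lines
                body = list(_block_body(lines, i, key_indent + 1))
            else:           # inline script on the same line
                body = [(i + 1, m.group(4))]
            for line_no, script in body:
                for expr in EXPR_RE.findall(script):
                    findings.append(Finding("template-injection", line_no, expr))
    return findings


# Constructed sample: one bad and one good variant of each pattern.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: ./.github/actions/clean-runner
      - name: Unsafe tag handling
        run: |
          ./scripts/build_multiarch_image.sh --source-tag ${{ github.event.release.tag_name }}
      - name: Safe tag handling
        run: |
          ./scripts/build_multiarch_image.sh --source-tag "${GITHUB_EVENT_RELEASE_TAG_NAME}"
        env:
          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
      - run: echo "${{ inputs.username }}"
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Running it on the sample reports the unpinned, credential-persisting checkout on line 5 and the two injected expressions on lines 12 and 18, while the pinned checkout and the `env:`-based step pass.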
+2 -2
@@ -13,12 +13,12 @@ inputs:
runs:
using: "composite"
steps:
- uses: docker/login-action@v4
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ inputs.username }}
password: ${{ inputs.password }}
- uses: actions/setup-python@v6
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.11'
- shell: bash
+15 -2
@@ -10,8 +10,21 @@ updates:
open-pull-requests-limit: 10
schedule:
interval: "weekly"
- package-ecosystem: "github-actions" # See documentation for possible values
directory: "/" # Location of package manifests
cooldown:
default-days: 7
groups:
go-dependencies:
patterns:
- "*"
- package-ecosystem: "github-actions"
directory: "/"
open-pull-requests-limit: 10
schedule:
interval: "weekly"
day: "monday"
cooldown:
default-days: 14
groups:
github-actions:
patterns:
- "*"
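Review bot: `patterns: "*"` in both groups also folds major-version bumps into the grouped PR, so one breaking bump blocks every other update in that ecosystem until it is dealt with; consider adding a second group restricted with `update-types: ["major"]` so majors open as their own PR while minor and patch bumps stay grouped.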
+6 -4
@@ -14,8 +14,10 @@ jobs:
name: Performance regression check
runs-on: oracle-vm-8cpu-32gb-x86-64
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
@@ -25,13 +27,13 @@ jobs:
run: make BENCH_OUTPUT=ci-cd run-bench
# Download previous benchmark result from cache (if exists)
- name: Download previous benchmark data
uses: actions/cache@v5
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: ./cache
key: ${{ runner.os }}-gen1-benchmark
# Run `github-action-benchmark` action
- name: Store benchmark result
uses: benchmark-action/github-action-benchmark@v1.22.0
uses: benchmark-action/github-action-benchmark@a60cea5bc7b49e15c1f58f411161f99e0df48372 # v1.22.0
with:
# What benchmark tool the output.txt came from
tool: 'customBiggerIsBetter'
+4 -2
@@ -14,8 +14,10 @@ jobs:
runs-on: ubuntu-latest
name: coverage
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
+10 -8
@@ -25,16 +25,18 @@ jobs:
arch: [amd64, arm64]
steps:
- name: Check out source code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Install go
uses: actions/setup-go@v6
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
go-version: 1.25.x
- name: Cache go dependencies
id: cache-go-dependencies
uses: actions/cache@v5
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: |
~/go/pkg/mod
@@ -43,7 +45,7 @@ jobs:
${{ runner.os }}-go-mod-
- name: Cache go build output
id: cache-go-build
uses: actions/cache@v5
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: |
~/.cache/go-build
@@ -97,7 +99,7 @@ jobs:
- if: github.event_name == 'release' && github.event.action == 'published'
name: Publish artifacts on releases
uses: svenstaro/upload-release-action@v2
uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # latest
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: bin/z*
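Review bot: the `# latest` marker after `svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de` is not a version tag, so neither a reviewer nor Dependabot's comment-based tracking can tell which release this SHA corresponds to, unlike the `# v6.0.2`-style comments on the other pins in this commit. Resolve the SHA to its release tag and record that tag in the comment.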
@@ -115,12 +117,12 @@ jobs:
packages: write
steps:
- name: Download Release Artifacts
uses: robinraju/release-downloader@v1.12
uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1
with:
tag: ${{ github.ref_name }}
fileName: "z*"
- name: Generate checksum
uses: jmgilman/actions-generate-checksum@v1
uses: jmgilman/actions-generate-checksum@3ea6dc9bf8eecf28e2ecc982fab683484a1a8561 # v1.0.1
with:
patterns: z*
method: sha256
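Review bot: the comment on `robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05` was downgraded from the previous `@v1.12` to `# v1`, a floating major tag; record the exact release the SHA resolves to so the pin stays auditable and the comment reflects the version actually pinned.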
@@ -128,7 +130,7 @@ jobs:
- name: Add wildcard character prefix to filenames in checksum file
run: sed -i 's! ! \*!g' checksums.sha256.txt
- name: Publish checksums on releases
uses: svenstaro/upload-release-action@v2
uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # latest
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: checksums.sha256.txt
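Review bot: `# latest` on this second `svenstaro/upload-release-action` pin is not a release tag either; replace it with the tag the SHA resolves to, as the `# v6.0.2`-style comments elsewhere in this commit do.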
+4 -2
@@ -18,13 +18,15 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Install go
uses: actions/setup-go@v6
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
go-version: 1.25.x
- name: Check out source code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Install dependencies
run: |
cd $GITHUB_WORKSPACE
+20 -16
@@ -16,8 +16,10 @@ jobs:
name: Stateless zot with minio and boltdb
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
@@ -102,7 +104,7 @@ jobs:
sed -i 's/\/dev\/null/\/tmp\/zot3.log/g' test/cluster/config-minio3.json
- name: Free up disk space
uses: jlumbroso/free-disk-space@main
uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main
with:
# This might remove tools that are actually needed, if set to "true" but frees about 6 GB
tool-cache: true
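Review bot: pinning `jlumbroso/free-disk-space` to a SHA is an improvement, but the `# main` comment gives no release to audit against; if the action publishes tagged releases, pin to one and comment the tag, otherwise note the date the branch HEAD was resolved so a later reviewer can reconstruct what was pinned.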
@@ -162,7 +164,7 @@ jobs:
rm /tmp/*.log
- name: Upload zot logs for push-pull tests
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: logs-push-pull-bolt
@@ -204,7 +206,7 @@ jobs:
rm /tmp/*.log
- name: Upload zot logs for cidr tests
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: logs-src-cidr-bolt
@@ -239,7 +241,7 @@ jobs:
zip logs-src-ips-bolt.zip /tmp/*.log -r
- name: Upload zot logs for src-ips tests
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: logs-src-ips-bolt
@@ -248,13 +250,13 @@ jobs:
# Download previous benchmark result from cache (if exists)
- name: Download previous benchmark data
uses: actions/cache@v5
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: ./cache
key: ${{ runner.os }}-gen1-benchmark-stateless-cluster
# Run `github-action-benchmark` action
- name: Store benchmark result
uses: benchmark-action/github-action-benchmark@v1.22.0
uses: benchmark-action/github-action-benchmark@a60cea5bc7b49e15c1f58f411161f99e0df48372 # v1.22.0
with:
# What benchmark tool the output.txt came from
tool: 'customBiggerIsBetter'
@@ -272,8 +274,10 @@ jobs:
name: Stateless zot with minio and redis
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
@@ -367,7 +371,7 @@ jobs:
sed -i 's/\/dev\/null/\/tmp\/zot3.log/g' test/cluster/config-minio3.json
- name: Free up disk space
uses: jlumbroso/free-disk-space@main
uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main
with:
# This might remove tools that are actually needed, if set to "true" but frees about 6 GB
tool-cache: true
@@ -427,7 +431,7 @@ jobs:
rm /tmp/*.log
- name: Upload zot logs for push-pull tests
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: logs-push-pull-redis
@@ -469,7 +473,7 @@ jobs:
rm /tmp/*.log
- name: Upload zot logs for cidr tests
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: logs-src-cidr-redis
@@ -504,7 +508,7 @@ jobs:
zip logs-src-ips-redis.zip /tmp/*.log -r
- name: Upload zot logs for src-ips tests
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: logs-src-ips-redis
@@ -513,13 +517,13 @@ jobs:
# Download previous benchmark result from cache (if exists)
- name: Download previous benchmark data
uses: actions/cache@v5
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: ./cache
key: ${{ runner.os }}-gen1-benchmark-stateless-cluster-redis
# Run `github-action-benchmark` action
- name: Store benchmark result
uses: benchmark-action/github-action-benchmark@v1.22.0
uses: benchmark-action/github-action-benchmark@a60cea5bc7b49e15c1f58f411161f99e0df48372 # v1.22.0
with:
# What benchmark tool the output.txt came from
tool: 'customBiggerIsBetter'
+7 -5
@@ -44,10 +44,12 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Install go
uses: actions/setup-go@v6
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
@@ -55,7 +57,7 @@ jobs:
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v4.35.1
uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
@@ -66,7 +68,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v4.35.1
uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
# ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
@@ -79,4 +81,4 @@ jobs:
# make release
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4.35.1
uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+5 -3
@@ -18,9 +18,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Check Commit Type
uses: gsactions/commit-message-checker@v2
uses: gsactions/commit-message-checker@16fa2d5de096ae0d35626443bcd24f1e756cafee # v2.0.0
with:
pattern: '^((build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test)(\(.+\))?(!)?(: (.*\s*)*))'
flags: 'gm'
@@ -30,7 +32,7 @@ jobs:
checkAllCommitMessages: 'true'
accessToken: ${{ secrets.GITHUB_TOKEN }}
- name: Check Line Length
uses: gsactions/commit-message-checker@v2
uses: gsactions/commit-message-checker@16fa2d5de096ae0d35626443bcd24f1e756cafee # v2.0.0
with:
pattern: '^[^#].{1,74}'
error: 'The maximum line length of 74 characters is exceeded.'
+4 -2
@@ -10,8 +10,10 @@ jobs:
runs-on: ubuntu-latest
name: compare-with-main
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
+4 -2
@@ -10,9 +10,11 @@ jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up Python 3.x
uses: actions/setup-python@v6
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.x'
- name: Check DCO
+7 -5
@@ -16,8 +16,10 @@ jobs:
name: Check client tools
runs-on: oracle-vm-16cpu-64gb-x86-64
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
@@ -93,7 +95,7 @@ jobs:
run: |
find /tmp/zot-ft-logs -name '*.log' -print0 | xargs -0 cat
- name: Upload DynamoDB zot logs as build artifact
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: zot-scale-out-dynamodb-logs
@@ -131,7 +133,7 @@ jobs:
run: |
find /tmp/zot-ft-logs/redis -name '*.log' -print0 | xargs -0 cat
- name: Upload Redis zot logs as build artifact
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: zot-scale-out-redis-logs
@@ -156,7 +158,7 @@ jobs:
echo "Redis scale-out tests failed"
exit 1
- name: Upload zb test results zip as build artifact
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: zb-cloud-scale-out-functional-results-${{ github.sha }}
+20 -12
@@ -16,8 +16,10 @@ jobs:
name: GC(with referrers) on filesystem with short interval
runs-on: oracle-vm-8cpu-32gb-x86-64
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
@@ -39,7 +41,7 @@ jobs:
continue-on-error: true
- name: Upload zot logs
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: gc-referrers-bench-local
@@ -56,8 +58,10 @@ jobs:
name: GC(without referrers) on filesystem with short interval
runs-on: oracle-vm-8cpu-32gb-x86-64
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
@@ -79,7 +83,7 @@ jobs:
continue-on-error: true
- name: Upload zot logs
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: gc-bench-local
@@ -96,8 +100,10 @@ jobs:
name: GC(with referrers) on S3(minio) with short interval
runs-on: oracle-vm-8cpu-32gb-x86-64
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
@@ -162,7 +168,7 @@ jobs:
continue-on-error: true
- name: Upload zot logs
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: gc-referrers-bench-s3
@@ -181,8 +187,10 @@ jobs:
name: GC(without referrers) on S3(minio) with short interval
runs-on: oracle-vm-8cpu-32gb-x86-64
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
@@ -247,7 +255,7 @@ jobs:
continue-on-error: true
- name: Upload zot logs
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: gc-bench-s3
+5 -3
@@ -15,14 +15,16 @@ jobs:
name: lint
runs-on: ubuntu-latest
steps:
- uses: actions/setup-go@v6
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
go-version: 1.25.x
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Run linter with GH action
uses: golangci/golangci-lint-action@v9
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
with:
# Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
version: v2.6.2
+7 -3
@@ -21,8 +21,10 @@ jobs:
name: Check GQL generation
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
@@ -41,7 +43,9 @@ jobs:
name: Check GQL schema follows best practices
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Install dependencies
run: |
cd $GITHUB_WORKSPACE
+4 -2
@@ -18,8 +18,10 @@ jobs:
runs-on: ubuntu-latest
name: License Check
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
+49 -27
@@ -18,8 +18,10 @@ jobs:
name: Dedupe/restore blobs
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
check-latest: true
go-version: 1.25.x
@@ -52,8 +54,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out source code
uses: actions/checkout@v6
- uses: actions/setup-go@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
check-latest: true
go-version: 1.25.x
@@ -70,8 +74,10 @@ jobs:
name: GC(with referrers) on S3(localstack) with short interval
runs-on: oracle-vm-16cpu-64gb-x86-64
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
@@ -114,8 +120,10 @@ jobs:
name: GC(without referrers) on S3(localstack) with short interval
runs-on: oracle-vm-16cpu-64gb-x86-64
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
@@ -158,9 +166,13 @@ jobs:
name: Build docker image (for users still using Docker environments)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Check out source code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: ./.github/actions/clean-runner
- name: Build image
run: |
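Review bot: this job checks out the repository twice in a row (the unnamed `actions/checkout` step followed by `Check out source code`, neither with a `path:`), so the second clone simply overwrites the first; drop one of them rather than pinning both.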
@@ -170,8 +182,10 @@ jobs:
name: Prometheus setup
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
check-latest: true
go-version: 1.25.x
@@ -189,13 +203,13 @@ jobs:
sudo cp bin/skopeo /usr/bin
skopeo -v
- name: Log in to GitHub Docker Registry
uses: docker/login-action@v4
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}
- name: Free up disk space
uses: jlumbroso/free-disk-space@main
uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main
- name: Run tests
run: |
sudo ./scripts/enable_userns.sh
@@ -205,8 +219,10 @@ jobs:
name: OIDC Workload Identity E2E
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
check-latest: true
go-version: 1.25.x
@@ -218,7 +234,7 @@ jobs:
sudo apt-get update
sudo apt-get install libgpgme-dev libassuan-dev libbtrfs-dev libdevmapper-dev pkg-config rpm uidmap jq
- name: Log in to GitHub Docker Registry
uses: docker/login-action@v4
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@@ -232,8 +248,10 @@ jobs:
name: AWS Secrets Manager Bearer Auth E2E
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
check-latest: true
go-version: 1.25.x
@@ -248,8 +266,10 @@ jobs:
name: s3+dynamodb scale-out
runs-on: oracle-vm-16cpu-64gb-x86-64
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
@@ -278,7 +298,7 @@ jobs:
AWS_SECRET_ACCESS_KEY: fake
continue-on-error: true
- name: Upload zot logs as build artifact
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: zot-scale-out-dynamodb-logs
@@ -307,7 +327,7 @@ jobs:
exit 1
- name: Upload zb test results zip as build artifact
if: steps.scale.outcome == 'success'
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: zb-cloud-scale-out-perf-results-${{ github.sha }}
path: ./zb-results/
@@ -317,8 +337,10 @@ jobs:
name: s3+redis scale-out
runs-on: oracle-vm-16cpu-64gb-x86-64
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
@@ -347,7 +369,7 @@ jobs:
AWS_SECRET_ACCESS_KEY: fake
continue-on-error: true
- name: Upload zot logs as build artifact
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: zot-scale-out-redis-logs
@@ -376,7 +398,7 @@ jobs:
exit 1
- name: Upload zb test results zip as build artifact
if: steps.scale.outcome == 'success'
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: zb-cloud-scale-out-redis-results-${{ github.sha }}
path: ./zb-results/
@@ -21,13 +21,15 @@ jobs:
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
- name: Install go 1.23
uses: actions/setup-go@v6
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
go-version: 1.25.x
- name: Checkout this PR
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Start zot server
run: |
cd $GITHUB_WORKSPACE
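Review bot: the step name `Install go 1.23` no longer matches `go-version: 1.25.x` two lines below it; since the `uses:` line of this step is being touched anyway, rename the step so the log reads correctly.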
@@ -35,11 +37,12 @@ jobs:
RUNNER_TRACKING_ID="" && ./bin/zot-linux-amd64 serve examples/config-conformance.json &
IP=`hostname -I | awk '{print $1}'`
echo "SERVER_URL=http://${IP}:8080" >> $GITHUB_ENV
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: opencontainers/distribution-spec
ref: main
path: distribution-spec
persist-credentials: false
- name: build conformance binary from main
run: |
(cd distribution-spec/ && make conformance-binary)
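Review bot: `opencontainers/distribution-spec` is still checked out at `ref: main`, so the conformance binary built in the next step follows whatever lands on that branch, the same floating-reference risk this commit removes from the `uses:` lines; pin `ref:` to a release tag or commit SHA of distribution-spec. Adding `persist-credentials: false` to this clone is the right call.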
@@ -60,7 +63,7 @@ jobs:
- run: mkdir -p .out/ && mv {report.html,junit.xml} .out/
if: always()
- name: Upload test results zip as build artifact
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: oci-test-results-${{ github.sha }}
path: .out/
+62 -34
@@ -27,15 +27,17 @@ jobs:
echo "BASE_IMAGE=gcr.io/distroless/base-nossl-debian13:latest-${ARCH}" >> "$GITHUB_ENV"
fi
- name: Check out the repo
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Log in to GitHub Docker Registry
uses: docker/login-action@v4
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push zot container image
uses: project-stacker/stacker-build-push-action@main
uses: project-stacker/stacker-build-push-action@093acb5ad50bed0012616f46fdba73a8a7169db7 # main
with:
version: v1.1.0-rc3
file: 'build/stacker.yaml'
@@ -51,7 +53,7 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push zot-minimal container image
uses: project-stacker/stacker-build-push-action@main
uses: project-stacker/stacker-build-push-action@093acb5ad50bed0012616f46fdba73a8a7169db7 # main
with:
version: v1.1.0-rc3
file: 'build/stacker-minimal.yaml'
@@ -68,7 +70,7 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push zot-exporter container image
uses: project-stacker/stacker-build-push-action@main
uses: project-stacker/stacker-build-push-action@093acb5ad50bed0012616f46fdba73a8a7169db7 # main
with:
version: v1.1.0-rc3
file: 'build/stacker-zxp.yaml'
@@ -84,7 +86,7 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push zb container image
uses: project-stacker/stacker-build-push-action@main
uses: project-stacker/stacker-build-push-action@093acb5ad50bed0012616f46fdba73a8a7169db7 # main
with:
version: v1.1.0-rc3
file: 'build/stacker-zb.yaml'
@@ -112,9 +114,11 @@ jobs:
image: [zot, zot-minimal, zxp, zb]
steps:
- name: Check out the repo
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Log in to GitHub Docker Registry
uses: docker/login-action@v4
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@@ -125,10 +129,12 @@ jobs:
cd $GITHUB_WORKSPACE
make check-blackbox-prerequisites
export PATH=${PATH}:${GITHUB_WORKSPACE}/hack/tools/bin
./scripts/build_multiarch_image.sh --registry ghcr.io/${{ github.repository_owner }} \
--source-tag ${{ github.event.release.tag_name }} \
--destination-tags "${{ github.event.release.tag_name }} latest" \
./scripts/build_multiarch_image.sh --registry ghcr.io/${GITHUB_REPOSITORY_OWNER} \
--source-tag ${GITHUB_EVENT_RELEASE_TAG_NAME} \
--destination-tags "${GITHUB_EVENT_RELEASE_TAG_NAME} latest" \
--file build/multiarch-${{ matrix.image }}.json
env:
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
test-image:
name: Test OCI images published to GitHub Packages
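Review bot: the values moved into `env:` are still expanded unquoted by bash (`--source-tag ${GITHUB_EVENT_RELEASE_TAG_NAME}`), so a tag name containing whitespace or glob characters would be word-split or glob-expanded even though the template engine no longer interprets it; quote them, e.g. `--source-tag "${GITHUB_EVENT_RELEASE_TAG_NAME}"` and `--registry "ghcr.io/${GITHUB_REPOSITORY_OWNER}"`. `--file build/multiarch-${{ matrix.image }}.json` keeps an inline expression; it comes from a fixed matrix so it is not attacker-controlled, but routing it through `env:` too would keep the step consistent.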
@@ -138,14 +144,14 @@ jobs:
packages: read
steps:
- name: Log in to GitHub Docker Registry
uses: docker/login-action@v4
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Run zot container image with docker
run: |
docker run -d -p 5000:5000 ghcr.io/${{ github.repository_owner }}/zot:${{ github.event.release.tag_name }}
docker run -d -p 5000:5000 ghcr.io/${GITHUB_REPOSITORY_OWNER}/zot:${GITHUB_EVENT_RELEASE_TAG_NAME}
sleep 2
curl --connect-timeout 5 \
--max-time 10 \
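Review bot: the same `env: GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}` block is repeated on every step of this job; declaring it once at job level gives the same injection protection with less to keep in sync. Separately, quote the image reference (`docker run -d -p 5000:5000 "ghcr.io/${GITHUB_REPOSITORY_OWNER}/zot:${GITHUB_EVENT_RELEASE_TAG_NAME}"`) so an unexpected tag value cannot split into extra docker arguments.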
@@ -154,9 +160,11 @@ jobs:
--retry-connrefused \
'http://localhost:5000/v2/'
docker kill $(docker ps -q)
env:
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
- name: Run zot container image with podman
run: |
podman run -d -p 5000:5000 ghcr.io/${{ github.repository_owner }}/zot:${{ github.event.release.tag_name }}
podman run -d -p 5000:5000 ghcr.io/${GITHUB_REPOSITORY_OWNER}/zot:${GITHUB_EVENT_RELEASE_TAG_NAME}
sleep 2
curl --connect-timeout 5 \
--max-time 10 \
@@ -165,9 +173,11 @@ jobs:
--retry-connrefused \
'http://localhost:5000/v2/'
podman kill --all
env:
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
- name: Run zot-minimal container image with docker
run: |
docker run -d -p 5000:5000 ghcr.io/${{ github.repository_owner }}/zot-minimal:${{ github.event.release.tag_name }}
docker run -d -p 5000:5000 ghcr.io/${GITHUB_REPOSITORY_OWNER}/zot-minimal:${GITHUB_EVENT_RELEASE_TAG_NAME}
sleep 2
curl --connect-timeout 5 \
--max-time 10 \
@@ -176,9 +186,11 @@ jobs:
--retry-connrefused \
'http://localhost:5000/v2/'
docker kill $(docker ps -q)
env:
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
- name: Run zot-minimal container image with podman
run: |
podman run -d -p 5000:5000 ghcr.io/${{ github.repository_owner }}/zot-minimal:${{ github.event.release.tag_name }}
podman run -d -p 5000:5000 ghcr.io/${GITHUB_REPOSITORY_OWNER}/zot-minimal:${GITHUB_EVENT_RELEASE_TAG_NAME}
sleep 2
curl --connect-timeout 5 \
--max-time 10 \
@@ -187,9 +199,11 @@ jobs:
--retry-connrefused \
'http://localhost:5000/v2/'
podman kill --all
env:
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
- name: Run zot-exporter container image with docker
run: |
docker run -d -p 5001:5001 ghcr.io/${{ github.repository_owner }}/zxp:${{ github.event.release.tag_name }}
docker run -d -p 5001:5001 ghcr.io/${GITHUB_REPOSITORY_OWNER}/zxp:${GITHUB_EVENT_RELEASE_TAG_NAME}
sleep 2
curl --connect-timeout 5 \
--max-time 10 \
@@ -198,9 +212,11 @@ jobs:
--retry-connrefused \
'http://localhost:5001/metrics'
docker kill $(docker ps -q)
env:
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
- name: Run zot-exporter container image with podman
run: |
podman run -d -p 5001:5001 ghcr.io/${{ github.repository_owner }}/zxp:${{ github.event.release.tag_name }}
podman run -d -p 5001:5001 ghcr.io/${GITHUB_REPOSITORY_OWNER}/zxp:${GITHUB_EVENT_RELEASE_TAG_NAME}
sleep 2
curl --connect-timeout 5 \
--max-time 10 \
@@ -209,12 +225,18 @@ jobs:
--retry-connrefused \
'http://localhost:5001/metrics'
podman kill --all
env:
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
- name: Run zb container image with docker
run: |
docker run ghcr.io/${{ github.repository_owner }}/zb:${{ github.event.release.tag_name }} --help
docker run ghcr.io/${GITHUB_REPOSITORY_OWNER}/zb:${GITHUB_EVENT_RELEASE_TAG_NAME} --help
env:
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
- name: Run zb container image with podman
run: |
podman run ghcr.io/${{ github.repository_owner }}/zb:${{ github.event.release.tag_name }} --help
podman run ghcr.io/${GITHUB_REPOSITORY_OWNER}/zb:${GITHUB_EVENT_RELEASE_TAG_NAME} --help
env:
GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
scan-image:
name: Run Trivy scan on OCI images published to GitHub Packages
@@ -229,13 +251,13 @@ jobs:
arch: [amd64, arm64]
steps:
- name: Log in to GitHub Docker Registry
uses: docker/login-action@v4
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@57a97c7
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 57a97c7
with:
image-ref: 'ghcr.io/${{ github.repository_owner }}/zot-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}'
format: 'sarif'
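Review bot: the pin comment `# 57a97c7` only repeats the short SHA, unlike the other actions where the comment names the release tag; if this commit corresponds to a trivy-action release, record that tag so Dependabot can map the pin to a version and bump it, and if it does not, say so in the comment so the next reader knows it was pinned to an untagged commit on purpose. The same applies to the other three trivy-action pins in this file.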
@@ -244,7 +266,7 @@ jobs:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- name: Run Trivy vulnerability scanner (minimal)
uses: aquasecurity/trivy-action@57a97c7
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 57a97c7
with:
image-ref: 'ghcr.io/${{ github.repository_owner }}/zot-minimal-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}'
format: 'sarif'
@@ -253,7 +275,7 @@ jobs:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4.35.1
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
sarif_file: 'trivy-results.sarif'
@@ -266,13 +288,13 @@ jobs:
packages: read
steps:
- name: Log in to GitHub Docker Registry
uses: docker/login-action@v4
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@57a97c7
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 57a97c7
with:
image-ref: 'ghcr.io/${{ github.repository_owner }}/zot:${{ github.event.release.tag_name }}'
format: 'sarif'
@@ -281,7 +303,7 @@ jobs:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- name: Run Trivy vulnerability scanner (minimal)
uses: aquasecurity/trivy-action@57a97c7
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 57a97c7
with:
image-ref: 'ghcr.io/${{ github.repository_owner }}/zot-minimal:${{ github.event.release.tag_name }}'
format: 'sarif'
@@ -290,7 +312,7 @@ jobs:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4.35.1
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
sarif_file: 'trivy-results.sarif'
@@ -303,33 +325,39 @@ jobs:
packages: write
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: main
fetch-depth: '0'
persist-credentials: false
- name: Checkout project-zot/helm-charts
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: project-zot/helm-charts
ref: main
fetch-depth: '0'
token: ${{ secrets.HELM_PUSH_TOKEN }}
path: ./helm-charts
persist-credentials: true
- name: Configure Git
run: |
git config --global user.name 'github-actions'
git config --global user.email 'github-actions@users.noreply.github.com'
- name: Update appVersion
uses: mikefarah/yq@master
uses: mikefarah/yq@0f4fb8d35ec1a939d78dd6862f494d19ec589f19 # v4.52.5
with:
cmd: yq -i '.appVersion = "${{ github.event.release.tag_name }}"' 'helm-charts/charts/zot/Chart.yaml'
cmd: yq -i '.appVersion = strenv(RELEASE_TAG)' 'helm-charts/charts/zot/Chart.yaml'
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
- name: Update image tag
uses: mikefarah/yq@master
uses: mikefarah/yq@0f4fb8d35ec1a939d78dd6862f494d19ec589f19 # v4.52.5
with:
cmd: |
yq e '.image.tag = "${{ github.event.release.tag_name }}"' 'helm-charts/charts/zot/values.yaml' > values-updated.yaml
yq e '.image.tag = strenv(RELEASE_TAG)' 'helm-charts/charts/zot/values.yaml' > values-updated.yaml
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
- name: Patch values.yaml file
run: |
diff -b 'helm-charts/charts/zot/values.yaml' values-updated.yaml > values.diff || true
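Review bot: the helm-charts checkout (`token: ${{ secrets.HELM_PUSH_TOKEN }}` / `persist-credentials: true`) is the one place this PR deliberately keeps credentials on disk; add a YAML comment saying it is intentional so a future audit does not "fix" it, and keep in mind the token sits in ./helm-charts/.git/config for the rest of the job, so no later step should upload that directory as an artifact. The `strenv(RELEASE_TAG)` change is the right fix for the yq steps: yq reads the variable as a string, so quote characters in a tag name cannot break out of the expression.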
+3 -3
@@ -25,7 +25,7 @@ jobs:
steps:
- name: "Checkout code"
uses: actions/checkout@v6 # v3.0.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
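Review bot: the new comment reads `# v6` here while the same SHA (de0fac2e…) is annotated `# v6.0.2` in every other workflow; use the full tag for consistency so pinact and Dependabot resolve all pins the same way. The upload-artifact hunk below has the same mismatch (`# v7` versus `# v7.0.0` elsewhere for bbbca2dd…). Good that the stale `# v3.0.0` comments are gone.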
@@ -49,7 +49,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@v7 # v3.0.0
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
with:
name: SARIF file
path: results.sarif
@@ -57,6 +57,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@v4.35.1
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
sarif_file: results.sarif
+1 -1
@@ -12,7 +12,7 @@ jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v10
- uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
with:
stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
stale-pr-message: 'This PR is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
+5 -4
@@ -23,7 +23,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Log in to GitHub Docker Registry
uses: docker/login-action@v4
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@@ -40,17 +40,18 @@ jobs:
packages: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
sparse-checkout: |
Makefile
sparse-checkout-cone-mode: false
persist-credentials: false
- name: Copy trivy-db using oras cli
run: |
# setup oras
make $PWD/hack/tools/bin/oras
export PATH=$PATH:$PWD/hack/tools/bin
oras login -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} ghcr.io
echo "${GITHUB_TOKEN}" | oras login -u "${GITHUB_ACTOR}" --password-stdin ghcr.io
oras copy ghcr.io/aquasecurity/trivy-db:2 ghcr.io/${{ github.repository_owner }}/trivy-db:2
oras copy ghcr.io/aquasecurity/trivy-db:latest ghcr.io/${{ github.repository_owner }}/trivy-db:latest
oras copy ghcr.io/aquasecurity/trivy-java-db:1 ghcr.io/${{ github.repository_owner }}/trivy-java-db:1
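Review bot: `echo "${GITHUB_TOKEN}" | oras login ... --password-stdin` relies on a GITHUB_TOKEN environment variable, but unlike GITHUB_ACTOR that is not a default runner variable; unless the step has an `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` entry below the shown context, the login will pipe an empty password. Please confirm. Also, the three `oras copy` lines still interpolate `${{ github.repository_owner }}` into the run block; `${GITHUB_REPOSITORY_OWNER}` is already available as a default environment variable and would match the pattern used in the other workflows.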
@@ -66,7 +67,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Log in to GitHub Docker Registry
uses: docker/login-action@v4
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
+31 -21
@@ -16,16 +16,18 @@ jobs:
name: Running zot without extensions tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Install go
uses: actions/setup-go@v6
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
go-version: 1.25.x
- name: Cache go dependencies
id: cache-go-dependencies
uses: actions/cache@v5
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: |
~/go/pkg/mod
@@ -48,7 +50,7 @@ jobs:
AWS_ACCESS_KEY_ID: fake
AWS_SECRET_ACCESS_KEY: fake
- name: upload coverage
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: coverage-minimal
path: coverage-minimal.txt
@@ -57,15 +59,17 @@ jobs:
name: Run zot with extensions tests
runs-on: oracle-vm-16cpu-64gb-x86-64
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
go-version: 1.25.x
- name: Cache go dependencies
id: cache-go-dependencies
uses: actions/cache@v5
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: |
~/go/pkg/mod
@@ -88,7 +92,7 @@ jobs:
AWS_ACCESS_KEY_ID: fake
AWS_SECRET_ACCESS_KEY: fake
- name: upload coverage
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: coverage-extended
path: coverage-extended.txt
@@ -97,15 +101,17 @@ jobs:
name: Running development-mode tests on Linux
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
go-version: 1.25.x
- name: Cache go dependencies
id: cache-go-dependencies
uses: actions/cache@v5
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: |
~/go/pkg/mod
@@ -120,7 +126,7 @@ jobs:
- name: run zot development-mode unit tests (possibly using failure injection)
run: make test-devmode
- name: upload coverage
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: coverage-devmode
path: coverage-dev-*.txt
@@ -128,15 +134,17 @@ jobs:
name: Running privileged tests on Linux
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
go-version: 1.25.x
- name: Cache go dependencies
id: cache-go-dependencies
uses: actions/cache@v5
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: |
~/go/pkg/mod
@@ -160,7 +168,7 @@ jobs:
GCSMOCK_ENDPOINT: http://localhost:9000/
STORAGE_EMULATOR_HOST: localhost:9000
- name: upload coverage
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: coverage-needprivileges
path: coverage-needprivileges-*.txt
@@ -171,14 +179,16 @@ jobs:
if: always()
needs: [test-run-minimal,test-run-extensions,test-run-devmode,test-run-privileged]
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
go-version: 1.25.x
- name: download all workflow coverage files
uses: actions/download-artifact@v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- name: merge code coverage
run: |
cd $GITHUB_WORKSPACE
@@ -190,12 +200,12 @@ jobs:
mkdir unified-coverage
cp coverage.txt coverage.html unified-coverage/
- name: upload unified-coverage as build artifact
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: unified-coverage
path: unified-coverage/*
- name: upload code coverage
uses: codecov/codecov-action@v6
uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
with:
token: ${{ secrets.CODECOV_TOKEN }}
+4 -2
@@ -22,8 +22,10 @@ jobs:
godebug: "fips140=only"
name: TLS check (${{ matrix.mode }})
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
+5 -3
@@ -19,16 +19,18 @@ jobs:
name: Verify Config Files
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Install go
uses: actions/setup-go@v6
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
go-version: 1.25.x
- name: Cache go dependencies
id: cache-go-dependencies
uses: actions/cache@v5
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: |
~/go/pkg/mod
+5 -3
@@ -22,13 +22,15 @@ jobs:
flavor: [zot-linux-amd64-minimal, zot-linux-amd64]
steps:
- name: Install go
uses: actions/setup-go@v6
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
go-version: 1.25.x
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Build zot
run: |
echo "Building $FLAVOR"
@@ -57,7 +59,7 @@ jobs:
env:
FLAVOR: ${{ matrix.flavor }}
- name: ZAP Scan Rest API
uses: zaproxy/action-baseline@v0.15.0
uses: zaproxy/action-baseline@de8ad967d3548d44ef623df22cf95c3b0baf8b25 # v0.15.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'