ci: fix scorecard/pinned-dependencies findings (#967)

* fix scorecard/pinned-dependencies findings
* make renovate update go install
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
This commit is contained in:
Fabian Kammel 2023-01-17 16:12:23 +01:00 committed by GitHub
parent bbda3d1ecd
commit 85f33b2140
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 35 additions and 16 deletions


@ -20,7 +20,7 @@ runs:
- name: Install evaluation dependencies - name: Install evaluation dependencies
shell: bash shell: bash
run: pip install -r .github/actions/e2e_kbench/evaluate/requirements.txt run: pip install --require-hashes -r .github/actions/e2e_kbench/evaluate/requirements.txt
- name: Checkout patched K-Bench - name: Checkout patched K-Bench
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
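Review bot: `--require-hashes` puts pip into all-or-nothing hash-checking mode, where every package that ends up installed — transitive dependencies included — must be listed with a pinned version and a hash, yet the companion requirements file in the next section lists only matplotlib and numpy. matplotlib pulls in further packages (pillow, cycler, kiwisolver, python-dateutil and others), so this step will most likely abort with pip refusing the unhashed requirements unless the file is regenerated with the full closure (for example `pip-compile --generate-hashes`). The azure-functions requirements file further down has the same shape: pip switches hash-checking on automatically as soon as any `--hash` is present, so its transitive dependencies (azure-core, msal, cryptography, …) need entries too. Note also that one `--hash` per package matches exactly one artifact, so the install only succeeds on the Python version and platform that particular wheel was built for; pip accepts several `--hash` options per requirement if more than one runner configuration must work.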


@ -1,2 +1,4 @@
matplotlib==3.6.2 matplotlib==3.6.2 \
numpy==1.23.5 --hash=sha256:9347cc6822f38db2b1d1ce992f375289670e595a2d1c15961aacbe0977407dfc
numpy==1.23.5 \
--hash=sha256:5e05b1c973a9f858c74367553e236f287e749465f773328c8ef31abe18f691e1


@ -2,8 +2,13 @@
# The Python Worker is managed by Azure Functions platform # The Python Worker is managed by Azure Functions platform
# Manually managing azure-functions-worker may cause unexpected issues # Manually managing azure-functions-worker may cause unexpected issues
azure-functions azure-functions==1.12.0 \
azure-mgmt-resource==21.2.1 --hash=sha256:443b049652ede41e57a698230cc3848d20e5b53dff52bc4a636ee0820813f1b5
azure-identity==1.12.0 azure-mgmt-resource==21.2.1 \
azure-mgmt-subscription==3.1.1 --hash=sha256:c6f6987e6f61f0cb23abc3fb3658770bae8d299a46834d43d4b20251495d3806
azure-keyvault==4.2.0 azure-identity==1.12.0 \
--hash=sha256:2a58ce4a209a013e37eaccfd5937570ab99e9118b3e1acf875eed3a85d541b92
azure-mgmt-subscription==3.1.1 \
--hash=sha256:38d4574a8d47fa17e3587d756e296cb63b82ad8fb21cd8543bcee443a502bf48
azure-keyvault==4.2.0 \
--hash=sha256:16b29039244cbe8b940c98a0d795626d76d2a579cb9b8c559983ad208082c0de


@ -0,0 +1,2 @@
lief==0.12.2 \
--hash=sha256:8e97f109cf4a24ad37d8227b52cf878a58723abe7d88f0f3d5867c02d8ead49b


@ -573,7 +573,7 @@ jobs:
- name: Install dependencies - name: Install dependencies
run: | run: |
echo "::group::Install dependencies" echo "::group::Install dependencies"
python -m pip install --user lief==0.12.2 python -m pip install --user --require-hashes -r .github/workflows/build-os-image-requirements.txt
sudo apt-get update sudo apt-get update
sudo apt-get install -y systemd-container # for systemd-dissect sudo apt-get install -y systemd-container # for systemd-dissect
echo "::endgroup::" echo "::endgroup::"
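Review bot: The new `--require-hashes -r .github/workflows/build-os-image-requirements.txt` line pins lief to a single sha256, and lief publishes separate wheels per Python version and platform, so that one hash only matches the wheel for the runner's current interpreter; the next runner-image bump that changes the Python version will fail this step with a hash mismatch rather than the previous behaviour of just installing. That is arguably the intended fail-closed outcome, but it deserves a comment in the requirements file, e.g. `# hash matches the cp3xx manylinux wheel used by ubuntu-latest; add a --hash line per wheel if more runners are needed` (exact wheel tag to be confirmed). If several runner configurations must work, list one `--hash` per intended artifact rather than widening to an unhashed install. The enclosing `Install dependencies` step is fully visible, but the job it belongs to starts above the hunk.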


@ -29,7 +29,7 @@ jobs:
cache: true cache: true
- name: Install go-licenses - name: Install go-licenses
run: go install github.com/google/go-licenses@latest run: go install github.com/google/go-licenses@0e0ec3a03d2277ffa8161963486f03bb58a6358c # v1.5.0
- name: Check licenses - name: Check licenses
run: hack/check-licenses.sh run: hack/check-licenses.sh
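Review bot: The `# v1.5.0` trailer on the go-licenses pin is not tied to the commit sha in any checkable way, and the Renovate rule added at the end of this commit captures only the sha, so after the first automated update the comment will name one version while the sha points at another; the actionlint, stringer and govulncheck pins in the following sections share this. Either have the Renovate manager capture and rewrite the trailer as well, or mark it as informational, e.g. `# v1.5.0 (informational; sha is authoritative)`. Integrity itself looks fine: `go install` resolves a full commit sha to a pseudo-version through the module proxy and, with the default GOSUMDB, still verifies the module against the checksum database, so the drift is an audit-readability concern rather than a security one.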


@ -34,7 +34,7 @@ jobs:
- name: Install Actionlint - name: Install Actionlint
shell: bash shell: bash
run: go install github.com/rhysd/actionlint/cmd/actionlint@latest run: go install github.com/rhysd/actionlint/cmd/actionlint@7fdc9630cc360ea1a469eed64ac6d78caeda1234 # v1.6.22
- name: Run Actionlint - name: Run Actionlint
shell: bash shell: bash


@ -31,7 +31,7 @@ jobs:
- name: Install stringer - name: Install stringer
shell: bash shell: bash
run: go install golang.org/x/tools/cmd/stringer@latest run: go install golang.org/x/tools/cmd/stringer@7db99dd12661adab9ce92e9b9633b6ef90867fad # v0.5.0
- name: Get Go submodules - name: Get Go submodules
id: submods id: submods


@ -46,5 +46,5 @@ jobs:
- name: Govulncheck - name: Govulncheck
shell: bash shell: bash
run: | run: |
go install golang.org/x/vuln/cmd/govulncheck@latest go install golang.org/x/vuln/cmd/govulncheck@6ad3e3d0781578532aaedbed543b25d7d586c746 # v0.0.0-20230110180137-6ad3e3d07815
GOMEMLIMIT=5GiB govulncheck "$(go list -f '{{.Dir}}/...' -m | xargs)" GOMEMLIMIT=5GiB govulncheck "$(go list -f '{{.Dir}}/...' -m | xargs)"


@ -1,4 +1,4 @@
FROM ubuntu:20.04 AS build FROM ubuntu:20.04@sha256:0e0402cd13f68137edb0266e1d2c682f217814420f2d43d300ed8f65479b14fb AS build
RUN apt-get update && apt-get install -y \ RUN apt-get update && apt-get install -y \
build-essential \ build-essential \
libcurl4-openssl-dev \ libcurl4-openssl-dev \
@ -10,7 +10,7 @@ RUN wget -q https://github.com/Azure/confidential-computing-cvm-guest-attestatio
&& touch Utils.h \ && touch Utils.h \
&& g++ -Os -I/usr/include/azguestattestation1 -oclient main.cpp -lazguestattestation && g++ -Os -I/usr/include/azguestattestation1 -oclient main.cpp -lazguestattestation
FROM ubuntu:20.04 AS release FROM ubuntu:20.04@sha256:0e0402cd13f68137edb0266e1d2c682f217814420f2d43d300ed8f65479b14fb AS release
COPY --from=build client azguestattestation1_1.0.2_amd64.deb / COPY --from=build client azguestattestation1_1.0.2_amd64.deb /
RUN apt-get update && apt-get install -y /azguestattestation1_1.0.2_amd64.deb RUN apt-get update && apt-get install -y /azguestattestation1_1.0.2_amd64.deb
ENTRYPOINT ["/client"] ENTRYPOINT ["/client"]
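Review bot: Both stages are now digest-pinned, but the artifact that actually lands in the release image is downloaded with `wget -q https://github.com/Azure/confidential-computing-cvm-guest-attestatio…` (visible only in the second hunk header, outside the hunk) and, presumably as `azguestattestation1_1.0.2_amd64.deb`, installed without any checksum verification, so the pinning this commit is after stops at the base image. Adding `echo "<expected-sha256>  azguestattestation1_1.0.2_amd64.deb" | sha256sum -c -` directly after the download, with the expected digest recorded in the Dockerfile, closes that gap and makes the build fail closed if the upstream asset changes. Separately, the release stage has no `USER` directive so `/client` runs as root, and both `apt-get install -y` invocations lack `--no-install-recommends` and the `rm -rf /var/lib/apt/lists/*` cleanup in the same layer.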


@ -224,7 +224,7 @@
}, },
{ {
"fileMatch": [ "fileMatch": [
"(^|\\/)versions.go$" "versions.go$"
], ],
"matchStrings": [ "matchStrings": [
" \"https:\\/\\/github\\.com\\/containernetworking\\/plugins\\/releases\\/download\\/(?<currentValue>[^\\/\\s\"]+)\\/[^\"]+\"" " \"https:\\/\\/github\\.com\\/containernetworking\\/plugins\\/releases\\/download\\/(?<currentValue>[^\\/\\s\"]+)\\/[^\"]+\""
@ -232,6 +232,16 @@
"depNameTemplate": "containernetworking/plugins", "depNameTemplate": "containernetworking/plugins",
"datasourceTemplate": "github-releases", "datasourceTemplate": "github-releases",
"autoReplaceStringTemplate": " \"https://github.com/containernetworking/plugins/releases/download/{{{newValue}}}/cni-plugins-linux-amd64-{{{newValue}}}.tgz\"" "autoReplaceStringTemplate": " \"https://github.com/containernetworking/plugins/releases/download/{{{newValue}}}/cni-plugins-linux-amd64-{{{newValue}}}.tgz\""
},
{
"fileMatch": [
"\\.yaml$",
"\\.yml$"
],
"matchStrings": [
"go install (?<depName>[^@]+?)@(?<currentValue>[0-9a-f]{40})"
],
"datasourceTemplate": "go"
} }
] ]
} }
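Review bot: The new regex manager captures the 40-hex commit sha as `currentValue` against the `go` datasource, which returns tagged versions, so Renovate will likely be unable to compare a bare sha with that list and may skip or mis-handle these pins. Capturing the sha as `currentDigest` and the existing `# vX.Y.Z` trailer as `currentValue`, e.g. `"go install (?<depName>[^@]+?)@(?<currentDigest>[0-9a-f]{40}) # (?<currentValue>v[^\\s]+)"`, gives Renovate both values and keeps the comment in step with the sha on every update. Separately, relaxing the first `fileMatch` from `(^|\\/)versions.go$` to `versions.go$` now also matches any file whose name merely ends in `versions.go`; if only the `versions.go` files themselves are meant, `(^|\\/)versions\\.go$` keeps the anchoring and escapes the dot.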