Skip to content

chore(ci): integrate Renovate bot and pin dependencies to improve Scorecard score from 0/10 to 6/10#2585

Merged
Aryan-sharma11 merged 1 commit into
kubearmor:mainfrom
Athang69:chore/renovate-pin-deps
Jun 25, 2026
Merged

chore(ci): integrate Renovate bot and pin dependencies to improve Scorecard score from 0/10 to 6/10#2585
Aryan-sharma11 merged 1 commit into
kubearmor:mainfrom
Athang69:chore/renovate-pin-deps

Conversation

@Athang69

@Athang69 Athang69 commented May 9, 2026

Copy link
Copy Markdown
Contributor

Purpose of PR?:
Improve the OSSF Scorecard Pinned-Dependencies score from 0/10 to 6/10 by integrating Renovate bot for automated dependency pinning and manually pinning remaining unpinned dependencies.

Fixes #2566 #2586

Does this PR introduce a breaking change?
No. All changes are to CI/CD configuration files, Dockerfiles, and shell scripts. No production code is modified.

If the changes in this PR are manually verified, list down the scenarios covered:

  • Scorecard Pinned-Dependencies check before this PR: 0/10

    • 2/70 GitHub-owned Actions pinned
    • 2/54 third-party Actions pinned
    • 0/14 container images pinned
    • 0/1 pipCommand pinned
    • 7/16 goCommand pinned
  • Scorecard Pinned-Dependencies check after this PR: 6/10

    • 71/71 GitHub-owned Actions pinned
    • 55/55 third-party Actions pinned
    • 14/14 container images pinned
    • 1/1 pipCommand pinned
    • 14/16 goCommand pinned
image

Additional information for reviewer?

This PR adds two files to integrate Renovate bot:

  • renovate.json - configures Renovate with helpers:pinGitHubActionDigests preset and Docker digest pinning
  • .github/workflows/renovate.yml - runs Renovate on a weekly schedule to keep all pinned SHAs up to date automatically

After merging, maintainers need to add a repository secret named RENOVATE_TOKEN containing a classic PAT with repo and workflow scopes. On first run Renovate will open PRs to keep all pinned SHAs current whenever new action versions are released.

The following were manually pinned:

  • All GitHub Actions across 19 workflow files pinned to full commit SHAs (via Renovate first run)
  • All Docker FROM images pinned to sha256 digests (via Renovate first run)
  • examples/multiubuntu/build/Dockerfile: both ubuntu:18.04 base images pinned to sha256 digest
  • examples/multiubuntu/build/Dockerfile: pip install flask pinned to flask==3.1.1 with --require-hashes
  • Dockerfile: go install protoc-gen-go pinned to v1.36.11, protoc-gen-go-grpc pinned to v1.6.1
  • .github/workflows/ci-test-systemd.yml: same protoc tool pins as above
  • .github/workflows/ci-network-tests.yml: gover pinned to v0.0.0-20171022184752-b58185e213c5
  • .github/workflows/ci-test-ubi-image.yml: same gover pin as above
  • contribution/license/add-license-header.sh: addlicense pinned to v1.2.0

Remaining warnings (50 downloadThenRun instances in contribution scripts and release workflows using curl | bash patterns) are not addressed in this PR and will be tracked as a follow-up.

Checklist:

  • Bug fix. Fixes #
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • PR Title follows the convention of chore(ci): improve Pinned-Dependencies scorecard score from 0/10 to 6/10
  • Commit has unit tests
  • Commit has integration tests

Copilot AI review requested due to automatic review settings May 9, 2026 06:18
@Athang69

Athang69 commented May 9, 2026

Copy link
Copy Markdown
Contributor Author

Hi @rksharma95 and @Aryan-sharma11,

This PR is part of my work on issue #2566 (KubeArmor Supply Chain Security with SLSA Level 3 Compliance and OpenSSF Scorecard Hardening).

Quick summary of what this does:

  • Adds Renovate bot integration (.github/renovate.json + .github/workflows/renovate.yml) to automate keeping all pinned SHAs up to date going forward
  • Pins all GitHub Actions across 19 workflow files to full commit SHAs (71/71 GitHub-owned, 55/55 third-party)
  • Pins all Docker base images to sha256 digests (14/14)
  • Manually pins go install commands in Dockerfiles and workflow scripts to specific versions
  • Pins pip install in examples/multiubuntu/build/Dockerfile with --require-hashes

Result: Scorecard Pinned-Dependencies improved from 0/10 to 6/10.

One action needed from maintainers after merge: add a repository secret named RENOVATE_TOKEN containing a classic PAT with repo and workflow scopes. Renovate will then run every Monday at 3am and automatically open PRs to keep all pinned SHAs current whenever new action versions are released, so the score stays high without manual effort.

The remaining 50 downloadThenRun warnings (curl-pipe-bash patterns in contribution/ scripts and release workflows) are not addressed here and will be a follow-up PR.

Happy to make any changes based on your feedback.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 27 out of 28 changed files in this pull request and generated 4 comments.

Comments suppressed due to low confidence (1)

contribution/license/add-license-header.sh:15

  • Shell parameter expansions should be quoted here. if [ -z $1 ] and the later addlicense ... $1 can behave incorrectly (or error) when $1 is empty or contains whitespace/glob characters. Quote $1 in the test and when passing it to addlicense.
if [ -z $1 ]; then
    GIT_ROOT=$(git rev-parse --show-toplevel)
    echo "No Arguement Supplied, Checking and Fixing all files from project root"
    addlicense -f license.header -v $GIT_ROOT/**/*.go $GIT_ROOT/**/*.sh
    echo "Done"
else
    addlicense -f license.header -v $1
    echo "Done"

Comment thread examples/multiubuntu/build/Dockerfile Outdated
Comment thread examples/multiubuntu/build/Dockerfile Outdated
Comment thread .github/workflows/renovate.yml Outdated
Comment thread renovate.json

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 27 out of 28 changed files in this pull request and generated 4 comments.

Comment thread examples/multiubuntu/build/Dockerfile Outdated
Comment thread .github/workflows/renovate.yml Outdated
Comment thread renovate.json
Comment thread deployments/podman/docker-compose.yaml Outdated

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 27 out of 28 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

contribution/license/add-license-header.sh:10

  • The argument check is unsafe: [ -z $1 ] will error when $1 is empty/unset and will mis-handle paths with spaces. Use a quoted/defaulted parameter test (e.g., ${1:-}) and quote arguments when passing them to addlicense.
go install github.com/google/[email protected]

if [ -z $1 ]; then
    GIT_ROOT=$(git rev-parse --show-toplevel)
    echo "No Arguement Supplied, Checking and Fixing all files from project root"

Comment thread examples/multiubuntu/build/Dockerfile Outdated
Comment thread .github/workflows/renovate.yml
@Athang69 Athang69 force-pushed the chore/renovate-pin-deps branch 6 times, most recently from 94c6c2f to 51e5fbc Compare May 14, 2026 06:24
@Athang69

Copy link
Copy Markdown
Contributor Author

@rksharma95 @Aryan-sharma11 @AryanBakliwal PTAL.
Thanks!!

@Aryan-sharma11 Aryan-sharma11 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Athang69 This looks good! One suggestion, the Install regctl step pulls latest binary. Can we pin it to a specific version and add a checksum verification?

@Athang69 Athang69 force-pushed the chore/renovate-pin-deps branch 2 times, most recently from 8570f04 to 284dfe8 Compare June 15, 2026 11:22
@Athang69

Copy link
Copy Markdown
Contributor Author

@Athang69 This looks good! One suggestion, the Install regctl step pulls latest binary. Can we pin it to a specific version and add a checksum verification?

Hi @Aryan-sharma11, addressed your feedback. Pinned regctl to v0.11.5 in both ci-stable-release.yml and ci-operator-release.yaml with sha256 checksum verification (commit 8881cca). The curl now uses the versioned download URL instead of /latest/download/. Also rebased onto current main. PTAL.

@Athang69 Athang69 requested a review from Aryan-sharma11 June 15, 2026 11:32
@Aryan-sharma11

Copy link
Copy Markdown
Member

Please look into why CI is failing.

@Aryan-sharma11 Aryan-sharma11 force-pushed the chore/renovate-pin-deps branch from e97d3d0 to 9d2a6a1 Compare June 16, 2026 09:46
@Athang69

Copy link
Copy Markdown
Contributor Author

Please look into why CI is failing.

@Aryan-sharma11 All CI tests are passing now. PTAL.
Thankss!

Aryan-sharma11
Aryan-sharma11 previously approved these changes Jun 22, 2026

@Aryan-sharma11 Aryan-sharma11 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Athang69 ci-latest-ubi-release workflow is still not using pinned dependencies.
Also kindly squash commits

Comment thread .github/workflows/ci-latest-release.yml Outdated
Comment thread .github/workflows/ci-latest-release.yml Outdated
Comment thread .github/workflows/ci-latest-release.yml Outdated
Comment thread .github/workflows/ci-marketplace-release.yml Outdated
Comment thread .github/workflows/ci-marketplace-release.yml Outdated
@Athang69

Copy link
Copy Markdown
Contributor Author

@Athang69 ci-latest-ubi-release workflow is still not using pinned dependencies. Also kindly squash commits

@Aryan-sharma11. I've pinned all the remaining unpinned actions and the regctl install (with checksum validation) in ci-latest-ubi-release.yml, along with the same fixes I'd already made in ci-latest-release.yml and ci-marketplace-release.yml. Also squashed all commits into one. Ready for another look.

Aryan-sharma11
Aryan-sharma11 approved these changes Jun 24, 2026
@Athang69

Copy link
Copy Markdown
Contributor Author

@Athang69 ci-latest-ubi-release workflow is still not using pinned dependencies.

Hi @Aryan-sharma11, just double checked the diff and ci-latest-ubi-release.yml does have all the pinned dependencies, including the regctl install with checksum validation, across all three jobs (check, build, push-stable-version, kubearmor-controller-release).

@Aryan-sharma11

Copy link
Copy Markdown
Member

@Athang69 ci-latest-ubi-release workflow is still not using pinned dependencies.

Hi @Aryan-sharma11, just double checked the diff and ci-latest-ubi-release.yml does have all the pinned dependencies, including the regctl install with checksum validation, across all three jobs (check, build, push-stable-version, kubearmor-controller-release).

LGTM 🚀
Thanks @Athang69 .

@Athang69

Copy link
Copy Markdown
Contributor Author

@Athang69 ci-latest-ubi-release workflow is still not using pinned dependencies.

@Aryan-sharma11 Just to make sure I address this correctly, when you say "still not using pinned dependencies," do you mean it's not showing as pinned in the diff itself, or is this from a Scorecard/CI check still flagging it (possibly because it's scanning main rather than this PR branch)?

@Aryan-sharma11

Copy link
Copy Markdown
Member

@Athang69 ci-latest-ubi-release workflow is still not using pinned dependencies.

@Aryan-sharma11 Just to make sure I address this correctly, when you say "still not using pinned dependencies," do you mean it's not showing as pinned in the diff itself, or is this from a Scorecard/CI check still flagging it (possibly because it's scanning main rather than this PR branch)?

Apologies, I mistakenly left that comment. It was probably from a previous review.

@Athang69

Copy link
Copy Markdown
Contributor Author

Apologies, I mistakenly left that comment. It was probably from a previous review.

No worries, thanks for confirming! Let me know if anything else comes up.

@Aryan-sharma11 Aryan-sharma11 force-pushed the chore/renovate-pin-deps branch from ecfa7dd to 0771667 Compare June 24, 2026 10:56
@Aryan-sharma11 Aryan-sharma11 force-pushed the chore/renovate-pin-deps branch from 0771667 to 0085446 Compare June 25, 2026 03:30
@Aryan-sharma11 Aryan-sharma11 merged commit 2715942 into kubearmor:main Jun 25, 2026
22 of 23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

KubeArmor Supply Chain Security with SLSA Level 3 Compliance and OpenSSF Scorecard Hardening

5 participants