chore(ci): integrate Renovate bot and pin dependencies to improve Scorecard score from 0/10 to 6/10#2585
Conversation
|
Hi @rksharma95 and @Aryan-sharma11, This PR is part of my work on issue #2566 (KubeArmor Supply Chain Security with SLSA Level 3 Compliance and OpenSSF Scorecard Hardening). Quick summary of what this does:
Result: Scorecard Pinned-Dependencies improved from 0/10 to 6/10. One action needed from maintainers after merge: add a repository secret named RENOVATE_TOKEN containing a classic PAT with repo and workflow scopes. Renovate will then run every Monday at 3am and automatically open PRs to keep all pinned SHAs current whenever new action versions are released, so the score stays high without manual effort. The remaining 50 downloadThenRun warnings (curl-pipe-bash patterns in contribution/ scripts and release workflows) are not addressed here and will be a follow-up PR. Happy to make any changes based on your feedback. |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 27 out of 28 changed files in this pull request and generated 4 comments.
Comments suppressed due to low confidence (1)
contribution/license/add-license-header.sh:15
- Shell parameter expansions should be quoted here.
if [ -z $1 ]and the lateraddlicense ... $1can behave incorrectly (or error) when$1is empty or contains whitespace/glob characters. Quote$1in the test and when passing it toaddlicense.
if [ -z $1 ]; then
GIT_ROOT=$(git rev-parse --show-toplevel)
echo "No Arguement Supplied, Checking and Fixing all files from project root"
addlicense -f license.header -v $GIT_ROOT/**/*.go $GIT_ROOT/**/*.sh
echo "Done"
else
addlicense -f license.header -v $1
echo "Done"
a62aa58 to
fcee179
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 27 out of 28 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (1)
contribution/license/add-license-header.sh:10
- The argument check is unsafe:
[ -z $1 ]will error when$1is empty/unset and will mis-handle paths with spaces. Use a quoted/defaulted parameter test (e.g.,${1:-}) and quote arguments when passing them toaddlicense.
go install github.com/google/[email protected]
if [ -z $1 ]; then
GIT_ROOT=$(git rev-parse --show-toplevel)
echo "No Arguement Supplied, Checking and Fixing all files from project root"
94c6c2f to
51e5fbc
Compare
|
@rksharma95 @Aryan-sharma11 @AryanBakliwal PTAL. |
Aryan-sharma11
left a comment
There was a problem hiding this comment.
@Athang69 This looks good! One suggestion, the Install regctl step pulls latest binary. Can we pin it to a specific version and add a checksum verification?
8570f04 to
284dfe8
Compare
Hi @Aryan-sharma11, addressed your feedback. Pinned regctl to v0.11.5 in both ci-stable-release.yml and ci-operator-release.yaml with sha256 checksum verification (commit 8881cca). The curl now uses the versioned download URL instead of /latest/download/. Also rebased onto current main. PTAL. |
|
Please look into why CI is failing. |
e97d3d0 to
9d2a6a1
Compare
@Aryan-sharma11 All CI tests are passing now. PTAL. |
9d2a6a1 to
3c88077
Compare
There was a problem hiding this comment.
@Athang69 ci-latest-ubi-release workflow is still not using pinned dependencies.
Also kindly squash commits
3c88077 to
e7666c0
Compare
@Aryan-sharma11. I've pinned all the remaining unpinned actions and the regctl install (with checksum validation) in ci-latest-ubi-release.yml, along with the same fixes I'd already made in ci-latest-release.yml and ci-marketplace-release.yml. Also squashed all commits into one. Ready for another look. |
e7666c0 to
ecfa7dd
Compare
Hi @Aryan-sharma11, just double checked the diff and ci-latest-ubi-release.yml does have all the pinned dependencies, including the regctl install with checksum validation, across all three jobs (check, build, push-stable-version, kubearmor-controller-release). |
LGTM 🚀 |
@Aryan-sharma11 Just to make sure I address this correctly, when you say "still not using pinned dependencies," do you mean it's not showing as pinned in the diff itself, or is this from a Scorecard/CI check still flagging it (possibly because it's scanning main rather than this PR branch)? |
Apologies, I mistakenly left that comment. It was probably from a previous review. |
No worries, thanks for confirming! Let me know if anything else comes up. |
ecfa7dd to
0771667
Compare
Signed-off-by: Athang69 <[email protected]>
0771667 to
0085446
Compare
Purpose of PR?:
Improve the OSSF Scorecard
Pinned-Dependenciesscore from 0/10 to 6/10 by integrating Renovate bot for automated dependency pinning and manually pinning remaining unpinned dependencies.Fixes #2566 #2586
Does this PR introduce a breaking change?
No. All changes are to CI/CD configuration files, Dockerfiles, and shell scripts. No production code is modified.
If the changes in this PR are manually verified, list down the scenarios covered:
Scorecard
Pinned-Dependenciescheck before this PR: 0/10Scorecard
Pinned-Dependenciescheck after this PR: 6/10Additional information for reviewer?
This PR adds two files to integrate Renovate bot:
renovate.json- configures Renovate withhelpers:pinGitHubActionDigestspreset and Docker digest pinning.github/workflows/renovate.yml- runs Renovate on a weekly schedule to keep all pinned SHAs up to date automaticallyAfter merging, maintainers need to add a repository secret named
RENOVATE_TOKENcontaining a classic PAT withrepoandworkflowscopes. On first run Renovate will open PRs to keep all pinned SHAs current whenever new action versions are released.The following were manually pinned:
FROMimages pinned tosha256digests (via Renovate first run)examples/multiubuntu/build/Dockerfile: bothubuntu:18.04base images pinned to sha256 digestexamples/multiubuntu/build/Dockerfile:pip install flaskpinned toflask==3.1.1with--require-hashesDockerfile:go install protoc-gen-gopinned tov1.36.11,protoc-gen-go-grpcpinned tov1.6.1.github/workflows/ci-test-systemd.yml: same protoc tool pins as above.github/workflows/ci-network-tests.yml:goverpinned tov0.0.0-20171022184752-b58185e213c5.github/workflows/ci-test-ubi-image.yml: samegoverpin as abovecontribution/license/add-license-header.sh:addlicensepinned tov1.2.0Remaining warnings (50
downloadThenRuninstances in contribution scripts and release workflows usingcurl | bashpatterns) are not addressed in this PR and will be tracked as a follow-up.Checklist:
chore(ci): improve Pinned-Dependencies scorecard score from 0/10 to 6/10