ci: update all workflows with most of zizmor findings

yorugac · yorugac · commit bbd7f931969b · 2025-04-28T18:18:11.000+03:00
diff --git a/.github/workflows/e2e-test.yaml b/.github/workflows/e2e-test.yaml
@@ -1,5 +1,6 @@
 ---
 name: "Create cluster using KinD"
+permissions: {}
 on:
   workflow_dispatch: {}
 jobs:
@@ -8,18 +9,23 @@ jobs:
     steps:
       - name: "Build:checkout"
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: "Build:buildx"
-        uses: docker/setup-buildx-action@v3
+        # this is v3.10.0
+        uses: docker/setup-buildx-action@29109295f81e9208d7d86ff1c6c12d2833863392
         with:
           version: v0.9.1 # Buildx version
       - name: "Build:login"
-        uses: docker/login-action@v3
+        # this is v3.4.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: "Build:dockerimage"
-        uses: docker/build-push-action@v5
+        # this is v6.16.0
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1
         with:
           context: .
           file: Dockerfile.controller
@@ -34,16 +40,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: "Kustomize Build"
-        uses: karancode/kustomize-github-action@master
+        # this is latest master
+        uses: karancode/kustomize-github-action@883a86ec3535e4e7d0fe6450a85f8325c97d2a7b
         with:
           kustomize_version: "3.0.0"
           kustomize_build_dir: "config/default"
           kustomize_output_file: "rendered.yaml"
           kustomize_build_options: "--load_restrictor none"
           token: ${{ github.token }} # ref: https://github.com/karancode/kustomize-github-action/issues/46
-        # TODO: setup-kind seems to be not well maintained so check for alternatives
-      - uses: engineerd/setup-kind@v0.5.0
+        # this is v0.6.2
+      - uses: engineerd/setup-kind@71e45b960fc8dd50b4aeabf6eb6ef2ca0920b4c1
         with:
           version: "v0.20.0"
           image: "kindest/node:v1.27.1"
@@ -71,14 +80,17 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Helm
-        uses: azure/setup-helm@v1
+        # this is v4.3.0
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112
         with:
           version: v3.7.2
 
       - name: Create kind cluster
-        uses: helm/kind-action@v1.8.0
+        # this is v1.12.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
         with:
           node_image: "kindest/node:v1.27.1"
 
diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml
@@ -1,5 +1,6 @@
 ---
 name: "Golang Lint"
+permissions: {}
 on:
   - push
   - pull_request
@@ -9,12 +10,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@v5
         with:
           go-version: '1.23'
           cache: false
       - name: lint
-        uses: golangci/golangci-lint-action@v3
+        # this is v6.5.2
+        uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84
         with:
           version: v1.61
           args: --timeout=5m
diff --git a/.github/workflows/helm-lint.yaml b/.github/workflows/helm-lint.yaml
@@ -1,5 +1,6 @@
 ---
 name: Helm Lint
+permissions: {}
 on:
   # `ct lint` does not work well with tag references on releases.
   # OTOH, Helm linting on tags is not necessary so long as it
@@ -20,10 +21,12 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
 
       - name: Set up Helm
-        uses: azure/setup-helm@v1
+        # this is v4.3.0
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112
         with:
           version: v3.7.2
 
@@ -32,7 +35,8 @@ jobs:
           python-version: 3.13.1
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.6.1
+        # this is v2.7.0
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
 
       - name: Run chart-testing (lint)
         run: |
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
@@ -1,5 +1,6 @@
 
 name: Helm release
+permissions: {}
 
 on:
   workflow_dispatch: {}
@@ -16,6 +17,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
+        with:
+          persist-credentials: true # this job is opening a PR in the next steps
 
       - name: Make changes to the file
         run: |
diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml
@@ -1,5 +1,6 @@
 ---
 name: Helm Test
+permissions: {}
 on:
   push:
     # run only on branches and not tags
@@ -19,9 +20,11 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Helm
-        uses: azure/setup-helm@v1
+        # this is v4.3.0
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112
         with:
           version: v3.7.2
 
@@ -30,7 +33,8 @@ jobs:
           python-version: 3.13.1
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.6.1
+        # this is v2.7.0
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
 
       - name: Run chart-testing (list-changed)
         id: list-changed
@@ -42,7 +46,8 @@ jobs:
           fi
 
       - name: Create kind cluster
-        uses: helm/kind-action@v1.2.0
+        # this is v1.12.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
         if: steps.list-changed.outputs.changed == 'true'
 
       - name: Run chart-testing (install)
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
@@ -1,5 +1,6 @@
 ---
 name: "Release k6-operator"
+permissions: {}
 
 on:
   workflow_dispatch:
@@ -18,30 +19,39 @@ jobs:
     steps:
       - name: "Build:checkout"
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: "Set image tag name"
+        env:
+          GH_IMAGE_TAG: ${{ github.event.inputs.image_tag }}
+          GH_TAG_NAME: ${{ github.event.release.tag_name }}
         run: |
           if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            echo "IMAGETAG=${{ github.event.inputs.image_tag }}" >> $GITHUB_ENV
+            echo "IMAGETAG=${GH_IMAGE_TAG}" >> $GITHUB_ENV
           else
-            echo "IMAGETAG=${{ github.event.release.tag_name }}" >> $GITHUB_ENV
+            echo "IMAGETAG=${GH_TAG_NAME}" >> $GITHUB_ENV
           fi
       - name: "Check image tag name"
         run: |
           echo "IMAGETAG=${{env.IMAGETAG}}"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        # this is v3.6.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
       - name: "Build:buildx"
-        uses: docker/setup-buildx-action@v3
+        # this is v3.10.0
+        uses: docker/setup-buildx-action@29109295f81e9208d7d86ff1c6c12d2833863392
         with:
           version: v0.9.1 # Buildx version
       - name: "Build:login"
-        uses: docker/login-action@v3
+        # this is v3.4.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: "Build:dockerimage"
-        uses: docker/build-push-action@v5
+        # this is v6.16.0
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1
         with:
           context: .
           push: true
@@ -51,15 +61,17 @@ jobs:
           platforms: linux/amd64,linux/arm64
           tags: ghcr.io/grafana/k6-operator:latest,ghcr.io/grafana/k6-operator:controller-${{env.IMAGETAG}}
       - name: "Build:dockerimage"
-        uses: docker/build-push-action@v5
+        # this is v6.16.0
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1
         with:
           context: .
           push: true
           file: Dockerfile.runner
           platforms: linux/amd64,linux/arm64
           tags: ghcr.io/grafana/k6-operator:latest-runner,ghcr.io/grafana/k6-operator:runner-${{env.IMAGETAG}}
       - name: "Build:dockerimage"
-        uses: docker/build-push-action@v5
+        # this is v6.16.0
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1
         with:
           context: .
           push: true
@@ -77,15 +89,21 @@ jobs:
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v4
+        with:
+          persist-credentials: true # this job is opening a PR in the next steps
       - name: "Set image tag name"
+        env:
+          GH_IMAGE_TAG: ${{ github.event.inputs.image_tag }}
+          GH_TAG_NAME: ${{ github.event.release.tag_name }}
         run: |
           if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            echo "IMAGETAG=${{ github.event.inputs.image_tag }}" >> $GITHUB_ENV
+            echo "IMAGETAG=${GH_IMAGE_TAG}" >> $GITHUB_ENV
           else
-            echo "IMAGETAG=${{ github.event.release.tag_name }}" >> $GITHUB_ENV
+            echo "IMAGETAG=${GH_TAG_NAME}" >> $GITHUB_ENV
           fi
       - name: "Setup kustomize"
-        uses: imranismail/setup-kustomize@v2
+        # this is v2.1.0
+        uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f
       - name: "Bundle"
         run: |
           cd config/default && kustomize edit set image ghcr.io/grafana/k6-operator=*:controller-${{env.IMAGETAG}} && kustomize build . > ../../bundle.yaml
diff --git a/.github/workflows/unit-test.yaml b/.github/workflows/unit-test.yaml
@@ -1,5 +1,6 @@
 ---
 name: "Unit Test"
+permissions: {}
 on:
   - push
   - pull_request
@@ -18,6 +19,8 @@ jobs:
           go-version: ${{ matrix.go-version }}
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Test
         run: |
           make test-setup
diff --git a/.github/workflows/yamllint.yaml b/.github/workflows/yamllint.yaml
@@ -1,15 +1,20 @@
 ---
 name: Yaml Lint
+permissions: {}
 on:
   - push
   - pull_request
+
 jobs:
   lintAllTheThings:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: yaml-lint
-        uses: ibiqlik/action-yamllint@v3
+        # this is v3.1.1
+        uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c
         with:
           file_or_dir: config/**/*.yaml e2e/*.yaml
           config_file: .yamllint.yaml
