diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..a47298a146
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,28 @@
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: "/"
+ schedule:
+ interval: weekly
+ cooldown:
+ default-days: 7
+ open-pull-requests-limit: 10
+ labels:
+ - dependencies
+ commit-message:
+ prefix: ci
+ include: scope
+ groups:
+ github-actions:
+ patterns:
+ - "*"
diff --git a/.github/workflows/docker-nightly.yml b/.github/workflows/docker-nightly.yml
index bc8ac8a478..26075d3ccf 100644
--- a/.github/workflows/docker-nightly.yml
+++ b/.github/workflows/docker-nightly.yml
@@ -20,16 +20,23 @@ jobs:
if: github.repository == 'eclipse-ditto/ditto' runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3 # setup buildx in order to do build and push multi-architecture images + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 # setup buildx in order to do build and push multi-architecture images - name: Inspect buildx builder run: |
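Review bot: Only the `github-actions` ecosystem is configured, while the workflows in this same PR build a Maven project (`maven.yml`, `system-tests.yml`), an npm project under `./ui`, Docker images from `dockerfile-release` and `ui/Dockerfile`, and a Helm chart under `deployment/helm/ditto`; none of those get automated update PRs from this file unless they are handled elsewhere. The single group with `patterns: ["*"]` will also fold major bumps into the same weekly PR as patch bumps — several actions are pinned in this PR at old majors, e.g. `docker/login-action # v2.2.0` and `docker/build-push-action # v4.2.1` — which makes the breaking ones easy to wave through; consider `update-types: ["minor", "patch"]` on the group so majors arrive as separate, reviewable PRs. The digest-pinned `maven:3.9.12-eclipse-temurin-25@sha256:…` image referenced inside `run:` blocks of `system-tests.yml` is not covered by any Dependabot ecosystem and will need manual refreshes, which deserves a comment in this file so nobody assumes it is tracked.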
@@ -40,7 +47,7 @@ jobs: echo "Platforms: ${{ steps.buildx.outputs.platforms }}" - name: Login to Docker Hub - uses: docker/login-action@v2 + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 with: username: eclipsedittobot password: ${{ secrets.DOCKER_HUB_TOKEN }} @@ -55,7 +62,7 @@ jobs: echo $IMAGE_TAG - name: Build and push ditto-policies - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -70,7 +77,7 @@ jobs: eclipse/ditto-policies:${{ env.IMAGE_TAG }} - name: Build and push ditto-things - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -85,7 +92,7 @@ jobs: eclipse/ditto-things:${{ env.IMAGE_TAG }} - name: Build and push ditto-gateway - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -100,7 +107,7 @@ jobs: eclipse/ditto-gateway:${{ env.IMAGE_TAG }} - name: Build and push ditto-thingsearch - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -115,7 +122,7 @@ jobs: eclipse/ditto-things-search:${{ env.IMAGE_TAG }} - name: Build and push ditto-connectivity - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -131,7 +138,7 @@ jobs: eclipse/ditto-connectivity:${{ env.IMAGE_TAG }} - name: Use Node.js 18.x - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 - 
@@ -144,7 +151,7 @@ jobs: working-directory: ./ui - name: Build and push ditto-ui image - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: ./ui file: ui/Dockerfile @@ -155,7 +162,7 @@ jobs: eclipse/ditto-ui:${{ env.IMAGE_TAG }} - name: Run Trivy vulnerability scanner for ditto-policies - uses: aquasecurity/trivy-action@v0.35.0 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 with: image-ref: 'docker.io/eclipse/ditto-policies:${{ env.IMAGE_TAG }}' format: 'table' @@ -165,7 +172,7 @@ jobs: severity: 'CRITICAL' - name: Run Trivy vulnerability scanner for ditto-things - uses: aquasecurity/trivy-action@v0.35.0 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 with: image-ref: 'docker.io/eclipse/ditto-things:${{ env.IMAGE_TAG }}' format: 'table' @@ -175,7 +182,7 @@ jobs: severity: 'CRITICAL' - name: Run Trivy vulnerability scanner for ditto-gateway - uses: aquasecurity/trivy-action@v0.35.0 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 with: image-ref: 'docker.io/eclipse/ditto-gateway:${{ env.IMAGE_TAG }}' format: 'table' @@ -185,7 +192,7 @@ jobs: severity: 'CRITICAL' - name: Run Trivy vulnerability scanner for ditto-things-search - uses: aquasecurity/trivy-action@v0.35.0 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 with: image-ref: 'docker.io/eclipse/ditto-things-search:${{ env.IMAGE_TAG }}' format: 'table' @@ -195,7 +202,7 @@ jobs: severity: 'CRITICAL' - name: Run Trivy vulnerability scanner for ditto-connectivity - uses: aquasecurity/trivy-action@v0.35.0 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 with: image-ref: 'docker.io/eclipse/ditto-connectivity:${{ env.IMAGE_TAG }}' format: 'table' 
@@ -205,7 +212,7 @@ jobs: severity: 'CRITICAL' - name: Run Trivy vulnerability scanner for ditto-ui - uses: aquasecurity/trivy-action@v0.35.0 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 with: image-ref: 'docker.io/eclipse/ditto-ui:${{ env.IMAGE_TAG }}' format: 'table' diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 14f5b4cea7..cf49a49c1b 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -29,9 +29,16 @@ jobs: concurrency: group: ${{ github.workflow }}-${{ github.ref }} steps: - - uses: actions/checkout@v6 + - name: Harden Runner + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Use Node.js 18.x - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 - name: Install npm dependencies @@ -41,7 +48,7 @@ jobs: run: npm run build working-directory: ./ui - name: Deploy - uses: peaceiris/actions-gh-pages@v4 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./ui diff --git a/.github/workflows/helm-chart-release.yml b/.github/workflows/helm-chart-release.yml index a143387baf..2ce82a3220 100644 --- a/.github/workflows/helm-chart-release.yml +++ b/.github/workflows/helm-chart-release.yml 
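Review bot: The Trivy scan in this hunk, like the five before it (`@@ -155` through `@@ -195`), runs only after every "Build and push" step (`@@ -55` through `@@ -144`) has already published the tag, and it scans `docker.io/eclipse/…:${{ env.IMAGE_TAG }}` from the registry, so a `severity: 'CRITICAL'` finding fails the job once the vulnerable image is already public on Docker Hub; the SHA pinning does not change that ordering. If the scans are meant to gate publication, build with `load: true`, scan the local image and push afterwards; if they are deliberately after-the-fact, a comment on the first scanner step saying so would set expectations for readers of the job log. Minor: the version comment here is `# 0.35.0` while every other pin in the PR uses `# vX.Y.Z`, and the previous ref was `v0.35.0`, so `# v0.35.0` keeps the comment consistent with the tag the SHA was resolved from.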
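Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections and blocks nothing, and it is the same setting used in every other Harden Runner step added by this PR (`docker-nightly.yml`, `helm-chart-release.yml`, `helm-chart.yml`, `license-check.yml`, `maven.yml`, `push-dockerhub*.yml`, `ui-ci.yml`, `zizmor.yml`). That is a reasonable first rollout, but the step should say so, e.g. `# audit-only for now: collect the endpoint baseline, then switch to egress-policy: block`, and a follow-up should move at least the publishing workflows to `egress-policy: block` with an `allowed-endpoints:` list derived from the audit runs. Separately, with `persist-credentials: false` now set on the checkout, the deploy step relies entirely on the explicit `github_token: ${{ secrets.GITHUB_TOKEN }}`, which needs `contents: write` on this job; the job's `permissions` block is outside the hunk, so please confirm it grants that rather than relying on the repository default.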
@@ -24,13 +24,19 @@ jobs: build: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Set up Helm - uses: azure/setup-helm@v4.2.0 + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 with: version: ${{ env.VERSION_HELM }} @@ -40,11 +46,15 @@ jobs: - name: Helm | Package shell: bash - run: helm package deployment/helm/ditto --dependency-update --version ${{ inputs.chartVersion }} + env: + CHART_VERSION: ${{ inputs.chartVersion }} + run: helm package deployment/helm/ditto --dependency-update --version "$CHART_VERSION" - name: Helm | Push shell: bash - run: helm push ditto-${{ inputs.chartVersion }}.tgz oci://registry-1.docker.io/eclipse + env: + CHART_VERSION: ${{ inputs.chartVersion }} + run: helm push "ditto-${CHART_VERSION}.tgz" oci://registry-1.docker.io/eclipse - name: Helm | Logout shell: bash @@ -53,4 +63,6 @@ jobs: - name: Helm | Output id: output shell: bash - run: echo "image=registry-1.docker.io/eclipse/ditto:${{ inputs.chartVersion }}" >> $GITHUB_OUTPUT + env: + CHART_VERSION: ${{ inputs.chartVersion }} + run: echo "image=registry-1.docker.io/eclipse/ditto:${CHART_VERSION}" >> $GITHUB_OUTPUT diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml index 62eda1a58b..744bedbf2c 100644 --- a/.github/workflows/helm-chart.yml +++ b/.github/workflows/helm-chart.yml 
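Review bot: Moving `inputs.chartVersion` into `CHART_VERSION` closes the template-injection path in the `@@ -40` hunk, but the value is still used unvalidated to build a file path (`helm push "ditto-${CHART_VERSION}.tgz"`) and an OCI reference, so an empty value or one containing `/` or whitespace now fails late inside helm instead of up front. Add a guard before the package step, e.g. `[[ "$CHART_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$ ]] || { echo "chartVersion must be semver"; exit 1; }` (constructed pattern, adjust to the chart's versioning). Style: the identical `CHART_VERSION` declaration is repeated on three steps in this file (package, push and the output step at `@@ -53`); a single job-level `env:` entry would declare it once, and `>> $GITHUB_OUTPUT` in the output step should be quoted like the other expansions, `>> "$GITHUB_OUTPUT"`.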
@@ -27,32 +27,44 @@ jobs: lint-chart: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Set up Helm - uses: azure/setup-helm@v4.2.0 + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 with: version: ${{ env.VERSION_HELM }} - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ env.VERSION_PYTHON }} check-latest: true - name: Set up chart-testing - uses: helm/chart-testing-action@v2.6.1 + uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 with: version: ${{ env.VERSION_CHART_TESTING }} - name: Run chart-testing (list-changed) id: list-changed + env: + CT_CONFIG: ${{ env.CONFIG_OPTION_CHART_TESTING }} + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} run: | - changed=$(ct list-changed ${{ env.CONFIG_OPTION_CHART_TESTING }} --target-branch ${{ github.event.repository.default_branch }}) + changed=$(ct list-changed $CT_CONFIG --target-branch "$DEFAULT_BRANCH") if [[ -n "$changed" ]]; then echo "changed=true" >> "$GITHUB_OUTPUT" fi - name: Run chart-testing (lint) if: steps.list-changed.outputs.changed == 'true' - run: ct lint ${{ env.CONFIG_OPTION_CHART_TESTING }} --target-branch ${{ github.event.repository.default_branch }} + env: + CT_CONFIG: ${{ env.CONFIG_OPTION_CHART_TESTING }} + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + run: ct lint $CT_CONFIG --target-branch "$DEFAULT_BRANCH" kubeval-chart: runs-on: ubuntu-latest 
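Review bot: In the new `changed=$(ct list-changed $CT_CONFIG --target-branch "$DEFAULT_BRANCH")` line, `$CT_CONFIG` is left unquoted while `$DEFAULT_BRANCH` is quoted; if `CONFIG_OPTION_CHART_TESTING` expands to several tokens (such as `--config <file>`) the unquoted form is required to preserve the old `${{ env.… }}` behaviour, but that is not obvious and a future cleanup that quotes it would silently break the step. Add a comment on the `env:` entry, e.g. `# CT_CONFIG is intentionally unquoted below: it may expand to several ct arguments`. The same `CT_CONFIG`/`DEFAULT_BRANCH` pair is declared on both the list-changed and lint steps here and twice more in the install-chart job (`@@ -96`); a job-level `env:` block in each job would declare them once.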
@@ -67,12 +79,19 @@ jobs: - v1.34.3 - v1.35.1 steps: + - name: Harden Runner + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Fetch history for chart testing run: git fetch --prune --unshallow - name: Set up Helm - uses: azure/setup-helm@v4.2.0 + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 with: version: ${{ env.VERSION_HELM }} - name: Run kubeval 
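Review bot: After the checkout now sets `persist-credentials: false`, the following `git fetch --prune --unshallow` step runs without the token the checkout action used to leave in the local git config; it presumably works because `eclipse-ditto/ditto` is public, but it will fail on a private fork or mirror and is easy to miss when reading the step in isolation. The lint-chart job in this same file already gets full history with `fetch-depth: 0` on the checkout itself; using that input here and in the install-chart job (`@@ -96`) and dropping the separate fetch step would make the three jobs consistent and remove the dependency on anonymous fetch. If the separate fetch is kept on purpose, a comment such as `# anonymous fetch: checkout no longer persists credentials` would record why it still works.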
@@ -96,34 +115,47 @@ jobs: - v1.34.3 - v1.35.1 steps: + - name: Harden Runner + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Fetch history for chart testing run: git fetch --prune --unshallow - name: Set up Helm - uses: azure/setup-helm@v4.2.0 + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 with: version: ${{ env.VERSION_HELM }} - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ env.VERSION_PYTHON }} check-latest: true - name: Set up chart-testing - uses: helm/chart-testing-action@v2.6.1 + uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 with: version: ${{ env.VERSION_CHART_TESTING }} - name: Run chart-testing (list-changed) id: list-changed + env: + CT_CONFIG: ${{ env.CONFIG_OPTION_CHART_TESTING }} + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} run: | - changed=$(ct list-changed ${{ env.CONFIG_OPTION_CHART_TESTING }} --target-branch ${{ github.event.repository.default_branch }}) + changed=$(ct list-changed $CT_CONFIG --target-branch "$DEFAULT_BRANCH") if [[ -n "$changed" ]]; then echo "changed=true" >> "$GITHUB_OUTPUT" fi - name: Create kind ${{ matrix.k8s }} cluster if: steps.list-changed.outputs.changed == 'true' - uses: helm/kind-action@v1.4.0 + uses: helm/kind-action@9e8295d178de23cbfbd8fa16cf844eec1d773a07 # v1.4.0 with: node_image: kindest/node:${{ matrix.k8s }} - name: Run chart-testing (install) if: steps.list-changed.outputs.changed == 'true' - run: ct install ${{ env.CONFIG_OPTION_CHART_TESTING }} --target-branch ${{ github.event.repository.default_branch }} + env: + CT_CONFIG: ${{ env.CONFIG_OPTION_CHART_TESTING }} + DEFAULT_BRANCH: ${{ 
github.event.repository.default_branch }} + run: ct install $CT_CONFIG --target-branch "$DEFAULT_BRANCH" diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml index fc5a49b510..8bb01045c7 100644 --- a/.github/workflows/license-check.yml +++ b/.github/workflows/license-check.yml @@ -18,8 +18,15 @@ jobs: check-license-header-year: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: jitterbit/get-changed-files@v1 + - name: Harden Runner + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: jitterbit/get-changed-files@b17fbb00bdc0c0f63fcf166580804b4d2cdc2a42 # v1 id: the-files continue-on-error: true - name: Printing added files @@ -43,4 +50,4 @@ jobs: fi fi done - exit $missing_counter \ No newline at end of file + exit $missing_counter diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml index 1d95628758..0d14f94d31 100644 --- a/.github/workflows/maven.yml +++ b/.github/workflows/maven.yml @@ -33,10 +33,17 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - name: Harden Runner + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up JDK 25 - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'temurin' java-version: 25 diff --git a/.github/workflows/push-dockerhub-on-demand.yml b/.github/workflows/push-dockerhub-on-demand.yml index 593d2cd897..82b486aa85 100644 --- a/.github/workflows/push-dockerhub-on-demand.yml +++ b/.github/workflows/push-dockerhub-on-demand.yml 
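Review bot: The new pin `jitterbit/get-changed-files@b17fbb00bdc0c0f63fcf166580804b4d2cdc2a42 # v1` records only the floating major tag, whereas every other pin in this PR names the exact release the SHA resolves to; if this commit corresponds to a specific tag, write that (`# v1.<minor>.<patch>`, exact tag to be looked up), otherwise a reviewer cannot tell which release is frozen here. Visible in the same hunk, `continue-on-error: true` on that step means a failure there is swallowed and the later loop presumably runs over an empty file list, so the header-year check passes vacuously; either a short comment stating that this is deliberate or dropping `continue-on-error` would make the intent clear. The trailing-newline fix in the `@@ -43` hunk is fine.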
@@ -34,16 +34,23 @@ jobs: build: runs-on: ubuntu-latest steps: + - + name: Harden Runner + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3 # setup buildx in order to do build and push multi-architecture images + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 # setup buildx in order to do build and push multi-architecture images - name: Inspect buildx builder run: | @@ -54,18 +61,20 @@ jobs: echo "Platforms: ${{ steps.buildx.outputs.platforms }}" - name: Login to Docker Hub - uses: docker/login-action@v2 + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 with: username: eclipsedittobot password: ${{ secrets.DOCKER_HUB_TOKEN }} - name: Branch name id: branch_name + env: + DITTO_VERSION_INPUT: ${{ inputs.dittoVersion }} run: | - echo "IMAGE_TAG=${{ inputs.dittoVersion }}" >> $GITHUB_ENV - echo "IMAGE_MINOR_TAG=$(echo ${{ inputs.dittoVersion }} | cut -d. -f-2)" >> $GITHUB_ENV - echo "IMAGE_MAJOR_TAG=$(echo ${{ inputs.dittoVersion }} | cut -d. -f-1)" >> $GITHUB_ENV - echo "MILESTONE_OR_RC_SUFFIX=$(echo ${{ inputs.dittoVersion }} | cut -d- -f2)" >> $GITHUB_ENV + echo "IMAGE_TAG=$DITTO_VERSION_INPUT" >> $GITHUB_ENV + echo "IMAGE_MINOR_TAG=$(echo "$DITTO_VERSION_INPUT" | cut -d. -f-2)" >> $GITHUB_ENV + echo "IMAGE_MAJOR_TAG=$(echo "$DITTO_VERSION_INPUT" | cut -d. -f-1)" >> $GITHUB_ENV + echo "MILESTONE_OR_RC_SUFFIX=$(echo "$DITTO_VERSION_INPUT" | cut -d- -f2)" >> $GITHUB_ENV - name: Building Docker images for tag run: | 
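Review bot: `DITTO_VERSION_INPUT` is now safely out of the shell syntax in the "Branch name" step (`@@ -54`), but it is still written unvalidated into `$GITHUB_ENV` four times; `GITHUB_ENV` is line-oriented, so a value containing a newline would be written as additional variables, and any non-version value flows into every later `eclipse/…:${{ env.IMAGE_TAG }}` tag and the `if: env.MILESTONE_OR_RC_SUFFIX == env.IMAGE_TAG` gates. Validate once at the top of the step, e.g. `[[ "$DITTO_VERSION_INPUT" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$ ]] || { echo "dittoVersion must be semver"; exit 1; }` (constructed pattern), and quote the target as `>> "$GITHUB_ENV"`. The `cut -d- -f2` line also deserves a comment, because it relies on cut echoing the whole input when no `-` is present, which is what makes the suffix-equals-tag comparison mean "final release": `# no '-' in the version: cut returns it unchanged, so SUFFIX == IMAGE_TAG marks a GA release`.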
@@ -77,7 +86,7 @@ jobs: - name: Build and push ditto-policies if: env.MILESTONE_OR_RC_SUFFIX == env.IMAGE_TAG && inputs.dittoImage == 'ditto-policies' - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -96,7 +105,7 @@ jobs: - name: Build and push ditto-things if: env.MILESTONE_OR_RC_SUFFIX == env.IMAGE_TAG && inputs.dittoImage == 'ditto-things' - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -115,7 +124,7 @@ jobs: - name: Build and push ditto-gateway if: env.MILESTONE_OR_RC_SUFFIX == env.IMAGE_TAG && inputs.dittoImage == 'ditto-gateway' - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -134,7 +143,7 @@ jobs: - name: Build and push ditto-thingsearch if: env.MILESTONE_OR_RC_SUFFIX == env.IMAGE_TAG && inputs.dittoImage == 'ditto-things-search' - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -153,7 +162,7 @@ jobs: - name: Build and push ditto-connectivity if: env.MILESTONE_OR_RC_SUFFIX == env.IMAGE_TAG && inputs.dittoImage == 'ditto-connectivity' - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -172,7 +181,7 @@ jobs: eclipse/ditto-connectivity:latest - name: Use Node.js 18.x - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 - 
@@ -186,7 +195,7 @@ jobs: - name: Build and push ditto-ui if: env.MILESTONE_OR_RC_SUFFIX == env.IMAGE_TAG && inputs.dittoImage == 'ditto-ui' - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: ./ui file: ui/Dockerfile @@ -201,7 +210,7 @@ jobs: - name: Build and push ditto-policies milestone/RC if: env.MILESTONE_OR_RC_SUFFIX != env.IMAGE_TAG && inputs.dittoImage == 'ditto-policies' - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -217,7 +226,7 @@ jobs: - name: Build and push ditto-things milestone/RC if: env.MILESTONE_OR_RC_SUFFIX != env.IMAGE_TAG && inputs.dittoImage == 'ditto-things' - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -233,7 +242,7 @@ jobs: - name: Build and push ditto-gateway milestone/RC if: env.MILESTONE_OR_RC_SUFFIX != env.IMAGE_TAG && inputs.dittoImage == 'ditto-gateway' - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -249,7 +258,7 @@ jobs: - name: Build and push ditto-thingsearch milestone/RC if: env.MILESTONE_OR_RC_SUFFIX != env.IMAGE_TAG && inputs.dittoImage == 'ditto-things-search' - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -265,7 +274,7 @@ jobs: - name: Build and push ditto-connectivity milestone/RC if: env.MILESTONE_OR_RC_SUFFIX != env.IMAGE_TAG && inputs.dittoImage == 'ditto-connectivity' - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release 
@@ -282,7 +291,7 @@ jobs: - name: Build and push ditto-ui milestone/RC if: env.MILESTONE_OR_RC_SUFFIX != env.IMAGE_TAG && inputs.dittoImage == 'ditto-ui' - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: ./ui file: ui/Dockerfile diff --git a/.github/workflows/push-dockerhub.yml b/.github/workflows/push-dockerhub.yml index 84af8c2bb2..733a41d265 100644 --- a/.github/workflows/push-dockerhub.yml +++ b/.github/workflows/push-dockerhub.yml @@ -19,16 +19,23 @@ jobs: build: runs-on: ubuntu-latest steps: + - + name: Harden Runner + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3 # setup buildx in order to do build and push multi-architecture images + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 # setup buildx in order to do build and push multi-architecture images - name: Inspect buildx builder run: | @@ -39,7 +46,7 @@ jobs: echo "Platforms: ${{ steps.buildx.outputs.platforms }}" - name: Login to Docker Hub - uses: docker/login-action@v2 + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 with: username: eclipsedittobot password: ${{ secrets.DOCKER_HUB_TOKEN }} @@ -62,7 +69,7 @@ jobs: - name: Build and push ditto-policies if: env.MILESTONE_OR_RC_SUFFIX == env.IMAGE_TAG - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release 
@@ -81,7 +88,7 @@ jobs: - name: Build and push ditto-things if: env.MILESTONE_OR_RC_SUFFIX == env.IMAGE_TAG - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -100,7 +107,7 @@ jobs: - name: Build and push ditto-gateway if: env.MILESTONE_OR_RC_SUFFIX == env.IMAGE_TAG - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -119,7 +126,7 @@ jobs: - name: Build and push ditto-thingsearch if: env.MILESTONE_OR_RC_SUFFIX == env.IMAGE_TAG - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -138,7 +145,7 @@ jobs: - name: Build and push ditto-connectivity if: env.MILESTONE_OR_RC_SUFFIX == env.IMAGE_TAG - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -157,7 +164,7 @@ jobs: eclipse/ditto-connectivity:latest - name: Use Node.js 18.x - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 - @@ -171,7 +178,7 @@ jobs: - name: Build and push ditto-ui if: env.MILESTONE_OR_RC_SUFFIX == env.IMAGE_TAG - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: ./ui file: ui/Dockerfile @@ -186,7 +193,7 @@ jobs: - name: Build and push ditto-policies milestone/RC if: env.MILESTONE_OR_RC_SUFFIX != env.IMAGE_TAG - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release 
@@ -202,7 +209,7 @@ jobs: - name: Build and push ditto-things milestone/RC if: env.MILESTONE_OR_RC_SUFFIX != env.IMAGE_TAG - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -218,7 +225,7 @@ jobs: - name: Build and push ditto-gateway milestone/RC if: env.MILESTONE_OR_RC_SUFFIX != env.IMAGE_TAG - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -234,7 +241,7 @@ jobs: - name: Build and push ditto-thingsearch milestone/RC if: env.MILESTONE_OR_RC_SUFFIX != env.IMAGE_TAG - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -250,7 +257,7 @@ jobs: - name: Build and push ditto-connectivity milestone/RC if: env.MILESTONE_OR_RC_SUFFIX != env.IMAGE_TAG - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: dockerfile-release @@ -267,7 +274,7 @@ jobs: - name: Build and push ditto-ui milestone/RC if: env.MILESTONE_OR_RC_SUFFIX != env.IMAGE_TAG - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: ./ui file: ui/Dockerfile diff --git a/.github/workflows/system-tests.yml b/.github/workflows/system-tests.yml index d6e1c84dc9..2327a7c167 100644 --- a/.github/workflows/system-tests.yml +++ b/.github/workflows/system-tests.yml 
@@ -92,31 +92,34 @@ jobs: echo "EXTRA_DOCKER_ARGS: ${{ env.EXTRA_DOCKER_ARGS }}" - name: Checkout Ditto code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: ${{env.DITTO_REPO }} ref: ${{ env.DITTO_BRANCH }} token: ${{ secrets.GITHUB_TOKEN }} path: ditto + persist-credentials: false - name: Checkout ditto-testing repo - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: ${{ env.DITTO_TESTING_REPO }} ref: ${{ env.DITTO_TESTING_BRANCH }} token: ${{ secrets.GITHUB_TOKEN }} path: ditto-testing + persist-credentials: false - name: Checkout ditto-clients repo - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: 'eclipse-ditto/ditto-clients' ref: 'master' token: ${{ secrets.GITHUB_TOKEN }} path: ditto-clients + persist-credentials: false - name: Set up JDK 25 - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3.14.1 with: distribution: 'temurin' cache: 'maven' @@ -205,7 +208,7 @@ jobs: -e DITTO_VERSION=$DITTO_VERSION \ -e FORK_COUNT=$FORK_COUNT \ ${{ env.EXTRA_DOCKER_ARGS || '' }} \ - maven:3.9.12-eclipse-temurin-25 \ + maven:3.9.12-eclipse-temurin-25@sha256:4f82a03a7d6679281952d628131299b1be88d7030a49c6a2b7d2ba2642e44e3e \ mvn verify -am -amd --batch-mode --errors \ --projects=:system \ -Dtest.environment=docker-compose \ @@ -244,7 +247,7 @@ jobs: -e DITTO_VERSION=$DITTO_VERSION \ -e FORK_COUNT=$FORK_COUNT \ ${{ env.EXTRA_DOCKER_ARGS || '' }} \ - maven:3.9.12-eclipse-temurin-25 \ + maven:3.9.12-eclipse-temurin-25@sha256:4f82a03a7d6679281952d628131299b1be88d7030a49c6a2b7d2ba2642e44e3e \ mvn verify -am -amd --batch-mode --errors --update-snapshots \ --projects=:sync-completely-enabled \ -Dtest.environment=docker-compose \ 
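Review bot: The `maven:3.9.12-eclipse-temurin-25@sha256:4f82a03a7d6679281952d628131299b1be88d7030a49c6a2b7d2ba2642e44e3e` reference is now repeated verbatim in four `run:` blocks (`@@ -205` here and `@@ -244`, `@@ -286`, `@@ -330`), and because the new `dependabot.yml` only configures the `github-actions` ecosystem, nothing will bump this digest when the tag moves, so the four copies will drift unless someone edits all of them by hand. Hoist it to one workflow-level `env:` entry, e.g. `MAVEN_IMAGE: maven:3.9.12-eclipse-temurin-25@sha256:4f82a03a7d6679281952d628131299b1be88d7030a49c6a2b7d2ba2642e44e3e  # refresh manually; not tracked by Dependabot`, and reference `$MAVEN_IMAGE` in each container invocation. Two consistency points in the `@@ -92` hunk: no Harden Runner step is added to this workflow, unlike every other workflow in the PR (ignore if the job already has one before this hunk), and `actions/setup-java` is pinned at `# v3.14.1` here while `maven.yml` in the same PR moves to `# v5.2.0`, so the grouped Dependabot PR will immediately propose a major bump for this file.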
@@ -286,7 +289,7 @@ jobs: -e DITTO_VERSION=$DITTO_VERSION \ -e FORK_COUNT=$FORK_COUNT \ ${{ env.EXTRA_DOCKER_ARGS || '' }} \ - maven:3.9.12-eclipse-temurin-25 \ + maven:3.9.12-eclipse-temurin-25@sha256:4f82a03a7d6679281952d628131299b1be88d7030a49c6a2b7d2ba2642e44e3e \ mvn verify -am -amd --batch-mode --errors --update-snapshots \ --projects=:sync-event-processing-enabled \ -Dtest.environment=docker-compose \ @@ -330,7 +333,7 @@ jobs: -e DITTO_VERSION=$DITTO_VERSION \ -e FORK_COUNT=$FORK_COUNT \ ${{ env.EXTRA_DOCKER_ARGS || '' }} \ - maven:3.9.12-eclipse-temurin-25 \ + maven:3.9.12-eclipse-temurin-25@sha256:4f82a03a7d6679281952d628131299b1be88d7030a49c6a2b7d2ba2642e44e3e \ mvn verify -am -amd --batch-mode --errors --update-snapshots \ --projects=:sync-tags-streaming-enabled \ -Dtest.environment=docker-compose \ @@ -353,14 +356,14 @@ jobs: - name: Upload test results if: env.GITHUB_ACTOR != 'nektos/act' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: system-test-results-${{ env.DITTO_BRANCH_NO_SLASH }}-${{ github.run_number }} path: 'ditto-testing/system*/**/target/failsafe-reports/**/*.xml' - name: Upload services logs if: env.GITHUB_ACTOR != 'nektos/act' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: system-services-logs path: 'ditto-testing/docker/*.log' @@ -372,7 +375,7 @@ jobs: working-directory: ditto-testing - name: Publish Test Results - uses: dorny/test-reporter@v2 + uses: dorny/test-reporter@df6247429542221bc30d46a036ee47af1102c451 # v2.7.0 with: name: Test Results | ${{ env.DITTO_BRANCH_NO_SLASH }} ${{ github.run_number }} path: ./system*/**/target/failsafe-reports/TEST*.xml diff --git a/.github/workflows/ui-ci.yml b/.github/workflows/ui-ci.yml index 4cfd8fa9a5..c6f12a1822 100644 --- a/.github/workflows/ui-ci.yml +++ b/.github/workflows/ui-ci.yml 
@@ -26,9 +26,16 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - name: Harden Runner + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Use Node.js 18.x - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20 - name: Install npm dependencies diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000000..8cde1149aa --- /dev/null +++ b/.github/workflows/zizmor.yml 
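Review bot: The step named `Use Node.js 18.x` installs `node-version: 20`; the name is stale context rather than part of this change, but the hunk already touches the step's `uses:` line, so this is the cheapest moment to rename it, e.g. `- name: Use Node.js 20.x` (or the version-neutral `Set up Node.js`). The same mismatch appears in `gh-pages.yml`, `docker-nightly.yml`, `push-dockerhub.yml` and `push-dockerhub-on-demand.yml`. If the intent is to keep this PR strictly to pinning, it can go in a separate cleanup commit, but it should not be left indefinitely since the name is what shows up in job logs and required-check lists.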
@@ -0,0 +1,51 @@
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+name: zizmor workflow lint
+
+on:
+ push:
+ branches:
+ - master
+ paths:
+ - '.github/workflows/**'
+ - '.github/dependabot.yml'
+ pull_request:
+ paths:
+ - '.github/workflows/**'
+ - '.github/dependabot.yml'
+
+permissions:
+ contents: read
+
+jobs:
+ zizmor:
+ name: zizmor lint
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ # Gating check: SARIF findings are uploaded to the GitHub Security tab
+ (advanced-security: true by default in the action) AND fail the build.
+ If new findings appear from legitimate workflow changes, fix them or
+ add a scoped `# zizmor: ignore[]` comment with justification.
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000000..7e02582772
--- /dev/null
+++ b/.github/zizmor.yml
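Review bot: The `paths:` filters on both `push` and `pull_request` list `.github/workflows/**` and `.github/dependabot.yml` but not `.github/zizmor.yml`, the suppression config added in this same PR, so a change that broadens an `ignore:` entry would not re-run this lint; add `- '.github/zizmor.yml'` to both lists. `security-events: write` is not granted to the token on `pull_request` runs from forks, so the SARIF upload that the comment describes as on by default may fail on contributor PRs even when the lint itself passes; if fork PRs are expected, either gate the upload, e.g. `advanced-security: ${{ github.event.pull_request.head.repo.fork != true }}`, or state in the comment that fork PRs only get the exit-status check. The comment's `# zizmor: ignore[]` example would read better with the placeholder spelled out, `# zizmor: ignore[<rule-id>]`, since an empty bracket is not the form contributors should copy.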
@@ -0,0 +1,33 @@
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# zizmor configuration — scoped suppressions with written justification.
+# https://docs.zizmor.sh/configuration/
+#
+# This file lists findings we have knowingly accepted. Every entry must be
+# justified. Do NOT add new entries without a comment explaining the reason.
+
+rules:
+ cache-poisoning:
+ ignore:
+ # PR/build-validation workflows: run on pull_request and push to master
+ but do NOT publish artifacts to any registry. A poisoned cache cannot
+ leak into released images because these workflows don't build images.
+ - maven.yml
+ - ui-ci.yml
+
+ # Release/publish workflows: setup-node is invoked without a `cache:`
+ input, so caching is not enabled on this step. Zizmor flags the
+ action defensively because it is cache-capable; the actual runtime
+ behaviour does not populate or restore any cache here.
+ - docker-nightly.yml
+ - push-dockerhub.yml
+ - push-dockerhub-on-demand.yml
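Review bot: Each `cache-poisoning` ignore entry is file-wide (`docker-nightly.yml`, `push-dockerhub.yml`, `push-dockerhub-on-demand.yml`), so it suppresses every current and future cache-poisoning finding in that workflow, not only the `setup-node` case the justification describes; those same three publishing workflows also run `docker/setup-buildx-action` and `docker/build-push-action`, and if one of those is what zizmor actually reported, the written reason does not cover it. zizmor's configuration documents line-scoped entries of the form `workflow.yml:LINE`; scoping each entry to the `setup-node` step (and the `maven.yml`/`ui-ci.yml` entries to the caching step they refer to) would keep the justification and the suppression aligned and let any new finding surface instead of vanishing silently. Since the file's header says every entry must be justified, it would also help to record what the justifications were checked against, e.g. `# reviewed against zizmor-action v0.5.3 (see zizmor.yml)`, so they can be revisited when the action is bumped.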