Fix workflow security issues

Signed-off-by: Damien Dassieu <dassieu.damien@gmail.com>
syngit-org · Jan 13, 2025 · 97e1006 · 97e1006
1 parent 46907a1
commit 97e1006
Show file tree

Hide file tree

Showing 11 changed files with 107 additions and 133 deletions.
diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml
@@ -24,15 +24,15 @@ jobs:
     steps:
       # Checkout the repository to make it available for Git commands
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4.2.2
 
       # setup Docker build action
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 #v3.8.0
 
       - name: Login to Github Packages
-        uses: docker/login-action@v2
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 #v3.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -52,7 +52,7 @@ jobs:
           fi
 
       - name: Build image and push to Docker Hub and GitHub Container Registry
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 #v6.10.0
         with:
           platforms: linux/amd64,linux/arm64
           tags: ghcr.io/${{ github.repository }}:${{ env.tag }}

diff --git a/.github/workflows/helm-chart-releaser.yml b/.github/workflows/helm-chart-releaser.yml
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4.2.2
         with:
           fetch-depth: 0
 
@@ -25,12 +25,12 @@ jobs:
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
       - name: Install Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@b7246b12e77f7134dc2d460a3d5bad15bbe29390 #v4.1.0
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.6.0
+        uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 #v1.6.0
         with:
           charts_dir: charts
           config: charts/release_config.yml

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -7,18 +7,19 @@ on:
 jobs:
   lint:
     name: Lint the code
+    permissions: {}
     runs-on: ubuntu-latest
     steps:
       - name: Clone the code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4.2.2
 
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v5.2.0
         with:
           go-version: '1.23.3'
 
       - name: Run linter
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 #v6.1.1
         with:
           version: v1.62.2
           args: --timeout=5m
diff --git a/.github/workflows/test-upgrade.yml b/.github/workflows/test-upgrade.yml
@@ -11,31 +11,27 @@ jobs:
 
   test-helm-upgrade:
     name: Helm upgrade test
+    permissions: {}
     runs-on: ubuntu-latest
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v4.2.2
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v2
+      uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 #v3.8.0
 
     - name: Install kubectl
-      uses: azure/setup-kubectl@v1
+      uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f #v4.0.0
       with:
         version: 'latest'
 
     - name: Set up KinD
-      uses: helm/kind-action@v1.2.0
+      uses: helm/kind-action@fa81e57adff234b2908110485695db0f181f3c67 #v1.7.0
       with:
         version: v0.23.0
         cluster_name: syngit-dev-cluster
 
-    - name: Set up Go
-      uses: actions/setup-go@v2
-      with:
-        go-version: '1.22'
-
     - name: Install dependencies
       run: |
         sudo apt-get update

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -9,28 +9,29 @@ jobs:
 
   tests-build-deploy:
     name: Build & deploy tests
+    permissions: {}
     runs-on: ubuntu-latest
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v4.2.2
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v2
+      uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 #v3.8.0
 
     - name: Install kubectl
-      uses: azure/setup-kubectl@v1
+      uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f #v4.0.0
       with:
         version: 'latest'
 
     - name: Set up KinD
-      uses: helm/kind-action@v1.2.0
+      uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 #v1.12.0
       with:
         version: v0.23.0
         cluster_name: syngit-dev-cluster
 
     - name: Set up Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v5.2.0
       with:
         go-version: '1.22'
 
@@ -42,30 +43,28 @@ jobs:
     - name: Run tests
       run: make test-build-deploy
 
-  tests-e2e:
-    name: End-to-end tests
+  tests-behavior:
+    name: Behavior tests
+    permissions: {}
     runs-on: ubuntu-latest
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
-
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v2
+      uses: actions/checkout@v4.2.2
 
     - name: Install kubectl
-      uses: azure/setup-kubectl@v1
+      uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f #v4.0.0
       with:
         version: 'latest'
 
     - name: Set up KinD
-      uses: helm/kind-action@v1.2.0
+      uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 #v1.12.0
       with:
         version: v0.23.0
         cluster_name: syngit-dev-cluster
 
     - name: Set up Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v5.2.0
       with:
         go-version: '1.22'
 
@@ -84,28 +83,29 @@ jobs:
 
   test-helm-install:
     name: Helm install test
+    permissions: {}
     runs-on: ubuntu-latest
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v4.2.2
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v2
+      uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 #v3.8.0
 
     - name: Install kubectl
-      uses: azure/setup-kubectl@v1
+      uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f #v4.0.0
       with:
         version: 'latest'
 
     - name: Set up KinD
-      uses: helm/kind-action@v1.2.0
+      uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 #v1.12.0
       with:
         version: v0.23.0
         cluster_name: syngit-dev-cluster
 
     - name: Set up Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v5.2.0
       with:
         go-version: '1.22'
 

diff --git a/Makefile b/Makefile
@@ -250,6 +250,7 @@ setup-webhooks-for-deploy: manifests kustomize ## Setup webhooks using auto-gene
 cleanup-webhooks-for-deploy: manifests kustomize ## Cleanup webhooks using auto-generated certs (make deploy).
 	$(KUSTOMIZE) build $(DEV_LOCAL_PATH)/deploy | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f -
 	./hack/webhooks/cleanup-injector.sh $(TEMP_CERT_DIR) || true
+	mv $(DEV_LOCAL_PATH)/deploy/webhook/secret.yaml.bak $(DEV_LOCAL_PATH)/deploy/webhook/secret.yaml || true
 
 .PHONY: force-cleanup
 force-cleanup: ## Force cleanup of the resources (for dev purpose)

diff --git a/README.md b/README.md
@@ -1,13 +1,17 @@
-<p align="center" style="margin-bottom: -20px">
-  <img src="./img/logo.png" width="400">
-</p>
-<p align="center">
-  <img src="./img/wiki/conception/commitonly-proxy.png" width="700">
-</p>
+# Syngit
+
+<img src="./img/wiki/conception/commitonly-proxy.png" width="700">
 
 Syngit is a Kubernetes operator that allows you to push resources on a git repository and manage their lifecycle. It leverage the gitops by unifying the source of truth between your cluster and your git repository. It acts as a proxy between your client tool (`kubectl`, `oc` or any UI) and the cluster.
 
-----
+## Features
+
+- 🤩 Intercept scoped resources and push them on Git
+- 🛡️ End-to-end RBAC management and separation of concerns
+- 🌍 Gitlab and Github external providers
+- ✏️ Highly customizable configuration
+
+## Demo
 
 ![demo-gif](./img/gif-syngit-commitapply.gif)
 

diff --git a/config/local/deploy/webhook/secret.yaml b/config/local/deploy/webhook/secret.yaml
@@ -5,5 +5,5 @@ metadata:
   namespace: system
 type: kubernetes.io/tls
 data:
-  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURHRENDQWdDZ0F3SUJBZ0lVR0dESml0UCt3NXowcTR2NVdTRnhlOEw1aUxFd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0RURUxNQWtHQTFVRUJoTUNRVlV3SGhjTk1qVXdNVEV6TVRNeU1qTXdXaGNOTWpZd01URXpNVE15TWpNdwpXakFOTVFzd0NRWURWUVFHRXdKQlZUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCCkFOZlA5eitlNW00L1dESnNRZHY0Nk82dmwxSFZTUG52aFVQRHRuVDlOdDVpb0J0d2RXaGdGUnhNSTM2TnlCSi8KZlFQTEFWb1RwVjEzd0htYVJhZllGWmxEZHpYd012ejZLYjgwWHJFMHc1OTl6eXNjQzJVWXhVRnJULytYN3J3VAplKzk3S3BHb0Y0czBXRitOTmlnd3dTSnBVV1FrMFNYVlhQdVJadDlMenRRRWl5S2ZCYWZNMWRYdWtEWGM3UkFBCnhGQ2xtdEdSdTRnZHdxMVFoVDlzYWxoU0xzRGtpeFlGV3cxTUREc2JvWUpCRktJZFdKS09CTm1lVDM2VGZoZUcKU055RDFUb1Fkd1EyK0pTNWdOMmdab2Q5bzQyTjlFZ3RzMFJxY2o1QTRUZzFobFFXWHg2NzZhTnU3NVdwVU44bApQMlVLZ3BUdjJEV1o1VUhYNjYvb1Vpc0NBd0VBQWFOd01HNHdMQVlEVlIwUkJDVXdJNEloYzNsdVoybDBMWGRsClltaHZiMnN0YzJWeWRtbGpaUzV6ZVc1bmFYUXVjM1pqTUIwR0ExVWREZ1FXQkJSbFFqbTNoZVY3anNzd0wvRW4KNHFUZXJqaUkrREFmQmdOVkhTTUVHREFXZ0JROUhadFlRNjhyUzhUOVVJSThHRHA3OXNOd0NUQU5CZ2txaGtpRwo5dzBCQVFzRkFBT0NBUUVBWUlINEhKWklCRktvTmViTjR0L3puQ3VHM1B6YmRqMis2ck80WHVOKzlqT3NQWVlXCitPNjBkMXFOZGtFNG52RGhoeGJocThkVDFGNHl4MjQxaFgvNndIazVIQzd5ZjRGbUo0L2dnV3c4bExqWkFEMUwKNGVYcndEQUVpeWh6MklQbzBHMEYxdFlJNGxUVnlnQ21tTG9Dc3NHa2s0MmdSWGM5TkQ4Mm5hYUJGNlFBL0ZkRgpNenhvY2RtOUpvNGxHSmViaXBZaXBwSHo4bUVycjZQdDR1bnRtbjljWXdkZWlMYy93NkVlaHROZkpKNXB1THBLCnUvK2F5ZnRJT29MNW8ySHJLNlE2aHlWdWxvRVlKV0VBOHRBczd4bXZNUWtMbmlnUnIvaHpYV21IWjIzUHkxNWsKM09ybFZKR01KSldOamV1aDFnYzRnYUhYZ3dobitSWUhTKzZCd2c9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
-  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2QUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktZd2dnU2lBZ0VBQW9JQkFRRFh6L2MvbnVadVAxZ3kKYkVIYitPanVyNWRSMVVqNTc0VkR3N1owL1RiZVlxQWJjSFZvWUJVY1RDTitqY2dTZjMwRHl3RmFFNlZkZDhCNQpta1duMkJXWlEzYzE4REw4K2ltL05GNnhOTU9mZmM4ckhBdGxHTVZCYTAvL2wrNjhFM3Z2ZXlxUnFCZUxORmhmCmpUWW9NTUVpYVZGa0pORWwxVno3a1diZlM4N1VCSXNpbndXbnpOWFY3cEExM08wUUFNUlFwWnJSa2J1SUhjS3QKVUlVL2JHcFlVaTdBNUlzV0JWc05UQXc3RzZHQ1FSU2lIVmlTamdUWm5rOStrMzRYaGtqY2c5VTZFSGNFTnZpVQp1WURkb0dhSGZhT05qZlJJTGJORWFuSStRT0U0TllaVUZsOGV1K21qYnUrVnFWRGZKVDlsQ29LVTc5ZzFtZVZCCjErdXY2RklyQWdNQkFBRUNnZ0VBSllENWlhL1dnYUEyZG9URHFUT0hYenRhZzVrYUZuMGVYcGxiVXRkU09yRk8KKzVXK2dZWDVCVExpRkRNVmFzbUc4eXJMTUZrcnFxT042bFA1K09JZlZzUVhxbUwwcVd2YjUyTjFkVHdqSnN0WgpQamVnYjFBdnIxK3p4a29qN2NGQkQyd0xDTWI2V0hHZlRmT2ZUcnF5UllXaDVGSlZta3FLM3hqMGxLZDY2UE1UCmZQaTZ3R3BmSy9zNWtxdkYrd08xTFg1bUJwTVpiSW9UOW5XRFBoWEhHa1NGR1FKTXRkUEU0STB4ZkxXRWpVN00Kd0FHOEd1eVVQNlZuWnppUGRRci9XWjQveWFpazNGdXhwYXAvVlk2aFhGREc2VVRXeEg3SW1jVEtTTkFqWGJyVQozT3AwYjUzSVp0TktPb1hFV01PZlFQbnJkZ2RFc1gzdU1JQTRucWxSNFFLQmdRRHJHVzdZU2liUFdCSW95QjdPCkxnZnhHMzJsYXI0SklEdTB5QUgwZUphMytmWWtrN0JHTzNGM2JabzBqRzEwTjVIRktKQSttU3U4NGxXSUhZUzYKa05Jdk9pcVJkQWFwdGl6VFU3ais2bkQ1Z2wxM0xMcnNTYXB4ckpnZDZIZDFqc3N1UFJXa1RySllobitXOTQ1Sgo5dWVoN3FPR0VxRGlzWG9UVGtCem5jQ2NjUUtCZ1FEcS81WFVBMS95NGc3bU5Mc3BVVE1FRENUQlRIVW51Y2ZzCmUwcHZzc2k1Q3lIeTVtOWVsb3lMcVMzRERNWEFFMjBvS2xuVHQxUWpnSGxyZEFlZmdNM1oxQWlnclRES0VXZUsKY09Za0lGSlFOR1M1dzBLbndsUENKMkR6TjZKd29lR0NHMG42SVk4OStmR2pQNHFjSUNUTWxjY0dPSG1QaitOLwpMYkFJMm04V1d3S0JnRGhhUDB5TzhhQ1Byc0todldpVWRnamdHd3owZWhxNzVEUGdJVC9WUytOTGdpbWdVUWQwCnBpMEhVNGczQk9GdmxIeGF6Y0NEZkkxby96R0NTZGRpY1U4cXRSdHFZVko2dldIbVZwaWIzM3FmT2dJZjhhcEQKdWh4SFQ2c1RsdGJSNUhmdjRta2hCL1RhUUdrU2E4UGs3LzdMc2R5b1NISXVNbUhBUndpdmpvU3hBb0dBQ0t5RQphRDN6cGJCb1ltRGg0NldHbjRpZk5xOU94N2VZeEliTWVaRDh6YSsyZ2hPMVdxVnQ3SjNDL2FjVUNZSHVEb1I1CnFsSGkvaWg0MHRtR2lvR2psMzIzRDg4MHROQ3RwTE9FR3lOQ1JvbVlpaTdGNEJGUkxDSnQ5cXhBQjY1Qjk1NXcKUFpaTmhqa2FqUzhFTzcwSC9yRXNsbk14TVhaYkxFK1FadE5CTkc4Q2dZQUlmODFBN3I5MWhtV0dnRkRuTkpjbgpIQWZlT2JVMHBISXBQZ0NnQWFrWXcyanVlaEJDQ3UzNDV2bzNXYjJ5NWpMd2w5T0llZEdScVBBSWg3OU5hUmRWCmtra2g3eFFXU3hiSVZTeko1cVJJZFNWWjNDL25jVHVLZ0tBSmhRK1JuZWpkRUswK0xOMXpLc0J6Y3p3TlpjR0MKL1F2RkZGSHBIN29wNHFhbVU4RkxuZz09Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+  tls.crt: 
+  tls.key: 
diff --git a/go.mod b/go.mod
@@ -5,13 +5,12 @@ go 1.22.0
 toolchain go1.22.2
 
 require (
-	github.com/go-git/go-billy/v5 v5.5.0
-	github.com/go-git/go-git/v5 v5.12.0
-	github.com/go-logr/logr v1.4.1
+	github.com/go-git/go-billy/v5 v5.6.0
+	github.com/go-git/go-git/v5 v5.13.0
 	github.com/gorilla/mux v1.8.1
 	github.com/joho/godotenv v1.5.1
 	github.com/onsi/ginkgo/v2 v2.19.0
-	github.com/onsi/gomega v1.33.1
+	github.com/onsi/gomega v1.34.1
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.30.1
@@ -20,17 +19,19 @@ require (
 	sigs.k8s.io/controller-runtime v0.17.0
 )
 
+require github.com/go-logr/logr v1.4.1 // indirect
+
 require (
 	dario.cat/mergo v1.0.0 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/ProtonMail/go-crypto v1.0.0 // indirect
+	github.com/ProtonMail/go-crypto v1.1.3 // indirect
 	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.5 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
@@ -71,7 +72,7 @@ require (
 	github.com/prometheus/common v0.45.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
-	github.com/skeema/knownhosts v1.2.2 // indirect
+	github.com/skeema/knownhosts v1.3.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stoewer/go-strcase v1.2.0 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
@@ -85,23 +86,23 @@ require (
 	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
-	golang.org/x/crypto v0.23.0 // indirect
-	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
-	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+	golang.org/x/mod v0.19.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/oauth2 v0.12.0 // indirect
-	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/sys v0.20.0 // indirect
-	golang.org/x/term v0.20.0 // indirect
-	golang.org/x/text v0.15.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/term v0.27.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.21.0 // indirect
+	golang.org/x/tools v0.23.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20230726155614-23370e0ffb3e // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
 	google.golang.org/grpc v1.58.3 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	google.golang.org/protobuf v1.34.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	k8s.io/apiextensions-apiserver v0.29.0 // indirect