From 6ffa50b5f4b16ec1361ce26ea9978e0e9fae71d7 Mon Sep 17 00:00:00 2001
From: Rafael Breno
Date: Tue, 7 Apr 2026 14:12:20 -0300
Subject: [PATCH 1/2] Switch release workflow trigger and add draft flag for release creation
Signed-off-by: Rafael Breno
---
.github/workflows/release.yml | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 780d2819951..f680be7041c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,8 +1,9 @@ name: K3s Release on: - release: - types: [published] + push: + tags: + - "v*" permissions: contents: read
@@ -194,6 +195,7 @@ jobs: - name: Read Prime artifacts secrets uses: rancher-eio/read-vault-secrets@main + if: ${{ github.repository_owner == 'k3s-io' }} with: secrets: | secret/data/github/repo/${{ github.repository }}/prime-artifacts-uploader/credentials accessKeyId | AWS_ACCESS_KEY_ID ;
@@ -216,6 +218,7 @@ jobs: - name: Configure AWS Credentials (s3) uses: aws-actions/configure-aws-credentials@v6 + if: ${{ github.repository_owner == 'k3s-io' }} with: aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
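Review bot: The first hunk switches the trigger to `push: tags: - "v*"` but keeps the workflow-level `permissions: contents: read`; the new `gh release create` step in the -248 hunk needs `contents: write`, and the job-level `permissions:` block that would grant it is outside this diff, so confirm it is there (the removed softprops step needed the same, so it probably is). With no `release: published` gate left, any pushed `v*` tag now runs the full pipeline unattended, which deserves a comment above `on:`, e.g. `# Any pushed v* tag builds artifacts and opens a draft release; publishing stays a manual step.` The `if: ${{ github.repository_owner == 'k3s-io' }}` guards added in the other two hunks match the gating already used elsewhere in this file.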
@@ -248,21 +251,20 @@ jobs: run: | ./scripts/validate-artifacts - - name: Upload Assets to Release - uses: softprops/action-gh-release@v2.5.0 - with: - files: | - dist/artifacts/k3s* - dist/artifacts/sha256sum* + - name: Create Draft Release with Assets env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: gh release create -R "${GITHUB_REPOSITORY}" --draft --generate-notes "${GITHUB_REF_NAME}" "${GITHUB_WORKSPACE}"/dist/artifacts/k3s* "${GITHUB_WORKSPACE}"/dist/artifacts/sha256sum* + - name: Update Image Registry for Prime/Staging + if: ${{ github.repository_owner == 'k3s-io' }} env: REGISTRY: ${{ env.REGISTRY }} run: sed -i "s|docker.io|${REGISTRY}|g" dist/artifacts/k3s-images.txt - name: Upload Assets to S3 + if: ${{ github.repository_owner == 'k3s-io' }} env: S3_PATH: s3://${{ env.PRIME_ARTIFACTS_BUCKET_NAME }}/k3s/${{ github.event.release.tag_name }} run: |
From 9f966f001060f773cb20de369904ffec38789039 Mon Sep 17 00:00:00 2001
From: Rafael Breno
Date: Wed, 8 Apr 2026 14:02:05 -0300
Subject: [PATCH 2/2] pin sha to gha
Signed-off-by: Rafael Breno
---
.github/workflows/actionlint.yaml | 4 +--
.github/workflows/airgap.yaml | 8 +++--
.github/workflows/build-k3s.yaml | 14 ++++-----
.github/workflows/e2e.yaml | 30 +++++++++----------
.github/workflows/epic.yaml | 4 +--
.github/workflows/govulncheck.yml | 2 +-
.github/workflows/install.yaml | 6 ++--
.github/workflows/integration.yaml | 16 +++++------
.github/workflows/nightly-install.yaml | 4 +--
.github/workflows/release.yml | 40 +++++++++++++-------------
.github/workflows/scorecard.yml | 2 +-
.github/workflows/stale.yml | 2 +-
.github/workflows/trivy-scan.yml | 8 +++---
.github/workflows/trivy-trigger.yml | 6 ++--
.github/workflows/unitcoverage.yaml | 14 ++++-----
.github/workflows/updatecli.yaml | 4 +--
.github/workflows/validate.yaml | 6 ++--
17 files changed, 85 insertions(+), 85 deletions(-)
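Review bot: The `Upload Assets to S3` step still builds `S3_PATH` from `${{ github.event.release.tag_name }}`, which is only populated on `release` events; now that the workflow runs on a tag `push`, that expression expands to an empty string and the artifacts land at `s3://<bucket>/k3s/` with no version segment. The new `gh release create` step already takes the tag from `${GITHUB_REF_NAME}`, so the S3 step should use the same source: `S3_PATH: s3://${{ env.PRIME_ARTIFACTS_BUCKET_NAME }}/k3s/${{ github.ref_name }}`. The `run: |` body of that step continues outside the hunk. Note also that the draft release is created before the `sed` rewrites `k3s-images.txt`, so the release asset keeps `docker.io` while the S3 copy gets the prime/staging registry; this ordering predates the change, but a one-line comment on the `Create Draft Release with Assets` step saying so would save the next reader the same question.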
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
index e9c487a1bb1..959e518cbbe 100644
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -10,9 +10,9 @@ jobs: runs-on: ubuntu-latest # Runs on standard runner, docker pulls with --platform steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: actionlint - uses: raven-actions/actionlint@v2 + uses: raven-actions/actionlint@205b530c5d9fa8f44ae9ed59f341a0db994aa6f8 # v2 with: shellcheck: false pyflakes: false
diff --git a/.github/workflows/airgap.yaml b/.github/workflows/airgap.yaml
index 97175d676de..3f7c0407110 100644
--- a/.github/workflows/airgap.yaml
+++ b/.github/workflows/airgap.yaml
@@ -17,17 +17,17 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Docker - uses: docker/setup-docker-action@v5 + uses: docker/setup-docker-action@1a6edb0ba9ac496f6850236981f15d8f9a82254d # v5 with: version: type=image,tag=28 daemon-config: '{"features":{"containerd-snapshotter":true}}' set-host: true - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Install Dependencies run: sudo apt-get update -y && sudo apt-get install -y zstd pigz
@@ -40,7 +40,7 @@ jobs: ./scripts/package-airgap ${{ matrix.arch }} - name: Upload Artifacts - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: images-${{ matrix.arch }} path: dist/artifacts/k3s-airgap-images-${{ matrix.arch }}.*
diff --git a/.github/workflows/build-k3s.yaml b/.github/workflows/build-k3s.yaml
index 90389737aa7..0b2ee58728f 100644
--- a/.github/workflows/build-k3s.yaml
+++ b/.github/workflows/build-k3s.yaml
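Review bot: The `# vN` comment written after each pinned SHA (`# v6`, `# v2` in this hunk, and the same pattern in every other hunk of this patch except `actions/stale`'s `# v10.2.0`, trivy's `# v0.35.0` and updatecli's `# v3.0.0`) records a floating major tag rather than the exact release the hash was taken from, so the pin cannot be audited against a tag without resolving it, and the convention is inconsistent across the patch. Record the full tag the SHA resolves to, e.g. `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.<minor>.<patch>` (placeholder: fill in the resolved tag). The local composite actions still referenced through `uses: ./.github/actions/setup-go` and `./.github/actions/vagrant-setup` are not in this diff; if they wrap third-party actions they need the same pinning, otherwise the supply-chain benefit of this patch is only partial.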
@@ -34,23 +34,23 @@ jobs: GOOS: ${{ inputs.os }} steps: - name: Checkout K3s - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up QEMU if: inputs.arch == 'arm' - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4 with: cache-image: false - name: Set up Docker - uses: docker/setup-docker-action@v5 + uses: docker/setup-docker-action@1a6edb0ba9ac496f6850236981f15d8f9a82254d # v5 with: version: type=image,tag=28 daemon-config: '{"features":{"containerd-snapshotter":true}}' set-host: true - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Determine Git Version Info id: git_vars
@@ -67,7 +67,7 @@ jobs: if: inputs.arch == 'arm64' || inputs.arch == 'amd64' env: DOCKER_BUILD_SUMMARY: false - uses: docker/build-push-action@v7 + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7 with: context: . file: ./Dockerfile.local
@@ -89,7 +89,7 @@ jobs: env: PLATFORM: ${{ inputs.arch == 'arm' && 'linux/arm/v7' || format('linux/{0}', inputs.arch) }} DOCKER_BUILD_SUMMARY: false - uses: docker/build-push-action@v7 + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7 with: context: . file: ./Dockerfile.local
@@ -128,7 +128,7 @@ jobs: mv ./build/out/data-linux.tar.zst ./dist/artifacts/data-linux${{ env.ARCH_EXT }}.tar.zst - name: "Upload K3s Artifacts" - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: k3s${{ env.ARCH_EXT }} path: dist/artifacts/
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index c843c904455..f40e558a43b 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -74,10 +74,10 @@ jobs: /usr/share/swift df -khl - name: "Checkout" - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: {fetch-depth: 1} - name: Set up Docker - uses: docker/setup-docker-action@v5 + uses: docker/setup-docker-action@1a6edb0ba9ac496f6850236981f15d8f9a82254d # v5 with: version: type=image,tag=28 daemon-config: '{"features":{"containerd-snapshotter":true}}'
@@ -86,14 +86,14 @@ jobs: uses: ./.github/actions/vagrant-setup - name: Vagrant R/W Cache if: matrix.etest != 'btrfs' && github.ref == 'refs/heads/main' - uses: actions/cache@v5 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 with: path: | ~/.vagrant.d/boxes key: ${{ matrix.etest != 'btrfs' && 'vagrant-box-ubuntu-2404' || 'vagrant-box-leap' }} - name: Vagrant Read Cache if: matrix.etest != 'btrfs' && github.ref != 'refs/heads/main' - uses: actions/cache/restore@v5 + uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 with: path: | ~/.vagrant.d/boxes
@@ -108,7 +108,7 @@ jobs: curl -LO "https://dl.k8s.io/release/${STABLE_VERSION}/bin/linux/amd64/kubectl" sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl - name: "Download k3s binary" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: k3s-amd64 path: ./dist/artifacts
@@ -120,20 +120,20 @@ jobs: cd tests/e2e/${{ matrix.etest }} go test -timeout=45m ./${{ matrix.etest }}_test.go -test.v -ginkgo.v -ci -local - name: On Failure, Upload Journald Logs - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 if: ${{ failure() }} with: name: e2e-${{ matrix.etest }}-logs path: tests/e2e/${{ matrix.etest }}/*log.txt retention-days: 30 - name: On Failure, Launch Debug Session - uses: lhotari/action-upterm@v1 + uses: lhotari/action-upterm@b0357f23233f5ea6d58947c0c402e0631bab7334 # v1 if: ${{ failure() }} with: ## If no one connects after 5 minutes, shut down server. wait-timeout-minutes: 5 - name: Upload Results To Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5 with: token: ${{ secrets.CODECOV_TOKEN }} files: tests/e2e/${{ matrix.etest }}/coverage.out
@@ -150,7 +150,7 @@ jobs: channel: ${{ steps.channel_step.outputs.channel }} steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Go uses: ./.github/actions/setup-go - name: Build Go Tests
@@ -158,7 +158,7 @@ jobs: mkdir -p ./dist/artifacts go test -c -ldflags="-w -s" -o ./dist/artifacts ./tests/docker/... - name: Upload Go Tests - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: docker-go-tests-${{ matrix.arch }} path: ./dist/artifacts/*.test
@@ -226,14 +226,14 @@ jobs: /usr/share/swift df -khl - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "Download K3s image" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: k3s-${{ matrix.arch }} path: ./dist/artifacts - name: Set up Docker - uses: docker/setup-docker-action@v5 + uses: docker/setup-docker-action@1a6edb0ba9ac496f6850236981f15d8f9a82254d # v5 with: version: type=image,tag=28 daemon-config: '{"features":{"containerd-snapshotter":true}}'
@@ -249,14 +249,14 @@ jobs: echo "K3S_IMAGE=$IMAGE_TAG" >> $GITHUB_ENV - name: Install Nix if: matrix.dtest == 'nixsnapshotter' - uses: DeterminateSystems/nix-installer-action@v21 + uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21 - name: Build nix test image if: matrix.dtest == 'nixsnapshotter' run: | nix build github:pdtpartners/nix-snapshotter#image-hello cp result ./tests/docker/resources/nix-hello-image.tar - name: Download Go Tests - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: docker-go-tests-${{ matrix.arch }} path: ./dist/artifacts
diff --git a/.github/workflows/epic.yaml b/.github/workflows/epic.yaml
index 9c675354966..24ff8a03f50 100644
--- a/.github/workflows/epic.yaml
+++ b/.github/workflows/epic.yaml
@@ -14,8 +14,8 @@ jobs: issues: write steps: - name: Run epics action - uses: cloudaper/epics-action@v1 + uses: cloudaper/epics-action@4dea9b8b2ccd4778a7c2426d8fd0bed9c9f665e6 # v1 with: github-token: ${{ secrets.GITHUB_TOKEN }} epic-label-name: epic - auto-close-epic: false
\ No newline at end of file
+ auto-close-epic: false
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index 3caf262ad70..db4bbf2c100 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Go uses: ./.github/actions/setup-go - name: Install govulncheck
diff --git a/.github/workflows/install.yaml b/.github/workflows/install.yaml
index 42f8edf10bd..9074997b17c 100644
--- a/.github/workflows/install.yaml
+++ b/.github/workflows/install.yaml
@@ -58,12 +58,12 @@ jobs: /usr/share/swift df -khl - name: "Checkout" - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: {fetch-depth: 1} - name: Set up vagrant and libvirt uses: ./.github/actions/vagrant-setup - name: "Vagrant Cache" - uses: actions/cache@v5 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 with: path: | ~/.vagrant.d/boxes
@@ -71,7 +71,7 @@ jobs: - name: "Vagrant Plugin(s)" run: vagrant plugin install vagrant-k3s vagrant-reload vagrant-scp - name: "Download k3s binary" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: k3s-amd64 path: tests/install/${{ matrix.vm }}
diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
index 0c05c2ca239..8a99bde1d5c 100644
--- a/.github/workflows/integration.yaml
+++ b/.github/workflows/integration.yaml
@@ -67,13 +67,13 @@ jobs: /usr/share/swift df -khl - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 1 - name: Install Go uses: ./.github/actions/setup-go - name: "Download k3s binary" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: k3s-amd64 path: ./dist/artifacts
@@ -84,14 +84,14 @@ jobs: cd tests/integration/${{ matrix.itest }} sudo -E env "PATH=$PATH" go test -timeout=45m ./... -run Integration -ginkgo.v -test.v - name: On Failure, Upload Logs - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 if: ${{ failure() }} with: name: integration-${{ matrix.itest }}-logs path: tests/integration/${{ matrix.itest }}/*log.txt retention-days: 30 - name: On Failure, Launch Debug Session - uses: lhotari/action-upterm@v1 + uses: lhotari/action-upterm@b0357f23233f5ea6d58947c0c402e0631bab7334 # v1 if: ${{ failure() }} with: ## If no one connects after 5 minutes, shut down server.
@@ -99,7 +99,7 @@ jobs: - name: Generate coverage report run: go tool covdata textfmt -i $GOCOVERDIR -o ${{ matrix.itest }}.out - name: Upload Results To Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./${{ matrix.itest }}.out
@@ -114,12 +114,12 @@ jobs: GOCOVERDIR: "D:/tmp/k3scov" steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: {fetch-depth: 1} - name: Install Go uses: ./.github/actions/setup-go - name: Download k3s binary - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: k3s-windows path: dist/artifacts/
@@ -146,7 +146,7 @@ jobs: - name: Generate coverage report run: go tool covdata textfmt -i $Env:GOCOVERDIR -o windows.out - name: Upload Results To Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./windows.out
diff --git a/.github/workflows/nightly-install.yaml b/.github/workflows/nightly-install.yaml
index cff33f0971a..ffb954a403e 100644
--- a/.github/workflows/nightly-install.yaml
+++ b/.github/workflows/nightly-install.yaml
@@ -44,12 +44,12 @@ jobs: /usr/share/swift df -khl - name: "Checkout" - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: {fetch-depth: 1} - name: Set up vagrant and libvirt uses: ./.github/actions/vagrant-setup - name: "Vagrant Cache" - uses: actions/cache@v5 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 with: path: | ~/.vagrant.d/boxes
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f680be7041c..34f4abd89c1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -40,20 +40,20 @@ jobs: needs: [build-amd64, build-arm64, build-arm] steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Docker - uses: docker/setup-docker-action@v5 + uses: docker/setup-docker-action@1a6edb0ba9ac496f6850236981f15d8f9a82254d # v5 with: version: type=image,tag=28 daemon-config: '{"features":{"containerd-snapshotter":true}}' set-host: true - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Read registry secrets (staging) - uses: rancher-eio/read-vault-secrets@main + uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3 if: ${{ github.repository_owner == 'k3s-io' }} with: secrets: |
@@ -62,7 +62,7 @@ jobs: secret/data/github/repo/${{ github.repository }}/k3s-suse-registry-stg/credentials password | STAGING_REGISTRY_PASSWORD - name: Read registry secrets (prime) - uses: rancher-eio/read-vault-secrets@main + uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3 if: ${{ !contains(github.ref_name, '-rc') && github.repository_owner == 'k3s-io' }} with: secrets: |
@@ -72,7 +72,7 @@ jobs: - name: "Read Vault secrets" if: github.repository_owner == 'k3s-io' - uses: rancher-eio/read-vault-secrets@main + uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3 with: secrets: | secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
@@ -80,7 +80,7 @@ jobs: - name: Login to DockerHub with Rancher Secrets if: github.repository_owner == 'k3s-io' - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ env.DOCKER_USERNAME }} password: ${{ env.DOCKER_TOKEN }}
@@ -88,14 +88,14 @@ jobs: # For forks, setup DockerHub login with GHA secrets - name: Login to DockerHub with GHA Secrets if: github.repository_owner != 'k3s-io' - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} - name: Login to Staging Registry if: github.repository_owner == 'k3s-io' - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ${{ env.STAGING_REGISTRY }} username: ${{ env.STAGING_REGISTRY_USERNAME }}
@@ -103,14 +103,14 @@ jobs: - name: Login to Prime Registry if: ${{ !contains(github.ref_name, '-rc') && github.repository_owner == 'k3s-io' }} - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ${{ env.REGISTRY }} username: ${{ env.REGISTRY_USERNAME }} password: ${{ env.REGISTRY_PASSWORD }} - name: Log in to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.repository_owner }}
@@ -144,7 +144,7 @@ jobs: - name: Extract Docker metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 with: images: | ghcr.io/${{ github.repository_owner }}/k3s
@@ -155,7 +155,7 @@ jobs: tags: ${{ steps.tag_config.outputs.tag_spec }} - name: "Download K3s build" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: k3s* path: ./dist/artifacts
@@ -167,7 +167,7 @@ jobs: cp ./dist/artifacts/data-* ./build/out - name: Build and push K3s runtime image - uses: docker/build-push-action@v7 + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7 with: context: . file: ./package/Dockerfile
@@ -191,10 +191,10 @@ jobs: needs: [build-amd64, build-arm64, build-arm, build-airgap] steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Read Prime artifacts secrets - uses: rancher-eio/read-vault-secrets@main + uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3 if: ${{ github.repository_owner == 'k3s-io' }} with: secrets: |
@@ -203,21 +203,21 @@ jobs: secret/data/github/repo/${{ github.repository }}/prime-artifacts-uploader/credentials primeArtifactsBucketName | PRIME_ARTIFACTS_BUCKET_NAME - name: Read registry secrets (staging) - uses: rancher-eio/read-vault-secrets@main + uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3 if: ${{ contains(github.ref_name, '-rc') && github.repository_owner == 'k3s-io' }} with: secrets: | secret/data/github/repo/${{ github.repository }}/k3s-suse-registry-stg/credentials registry | REGISTRY - name: Read registry secrets (prime) - uses: rancher-eio/read-vault-secrets@main + uses: rancher-eio/read-vault-secrets@0da85151ad1f19ed7986c41587e45aac1ace74b6 # v3 if: ${{ !contains(github.ref_name, '-rc') && github.repository_owner == 'k3s-io' }} with: secrets: | secret/data/github/repo/${{ github.repository }}/k3s-suse-registry/credentials registry | REGISTRY - name: Configure AWS Credentials (s3) - uses: aws-actions/configure-aws-credentials@v6 + uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6 if: ${{ github.repository_owner == 'k3s-io' }} with: aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
@@ -225,7 +225,7 @@ jobs: aws-region: us-east-1 - name: "Download Artifacts" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: "*" path: ./dist/artifacts
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index f56d47ac73b..07432994344 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -73,6 +73,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3 with: sarif_file: results.sarif
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 5525616233d..09297a6a8e4 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Close Stale Issues - uses: actions/stale@v10.2.0 + uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0 with: # ensure PRs are exempt days-before-pr-stale: -1
diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
index a38638cdad1..4a44369bbc9 100644
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -22,7 +22,7 @@ jobs: # For some reason with workflow_run.id, download-artifact does not work. # Github Docs explicity provide an example of using github-script to download artifacts. - name: 'Download artifact' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
@@ -58,7 +58,7 @@ jobs: run: curl -fsSO https://raw.githubusercontent.com/rancher/vexhub/refs/heads/main/reports/rancher.openvex.json - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.34.1 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 with: image-ref: 'rancher/k3s:latest' format: 'table'
@@ -69,7 +69,7 @@ jobs: TRIVY_SHOW_SUPPRESSED: true - name: Upload Trivy Report - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: trivy-report path: trivy-report.txt
@@ -85,7 +85,7 @@ jobs: steps: - name: Download Trivy Report artifact - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 if: needs.trivy_scan.result == 'success' with: name: trivy-report
diff --git a/.github/workflows/trivy-trigger.yml b/.github/workflows/trivy-trigger.yml
index f58652abdd4..9023acc9b4f 100644
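Review bot: In the trivy-scan.yml hunk, `aquasecurity/trivy-action` goes from `0.34.1` to a SHA labelled `# v0.35.0`, and in the updatecli.yaml hunk further down `updatecli/updatecli-action` goes from `v2` to a SHA labelled `# v3.0.0` — both are version upgrades (the second a major one) folded into a commit described only as "pin sha to gha". A pinning commit should be behaviour-neutral so it can be reviewed by checking that each SHA resolves to the tag already in use; either pin the SHA of the current tags here and bump in a separate commit, or name the upgrades and any breaking changes of updatecli-action v3 in the commit message. The same caveat applies to `rancher-eio/read-vault-secrets@main` → `# v3` in the release.yml hunks, where the previous floating `main` reference makes it impossible to tell from the diff whether the pinned commit is what was actually running.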
--- a/.github/workflows/trivy-trigger.yml
+++ b/.github/workflows/trivy-trigger.yml
@@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Verify actor is a member of k3s-io organization and has write permissions - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const org = 'k3s-io';
@@ -46,7 +46,7 @@ jobs: } - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Build And Save K3s Image run: |
@@ -61,7 +61,7 @@ jobs: mv k3s.tar pr-context/k3s.tar - name: Upload PR context artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: pr-context-for-scan path: pr-context/
diff --git a/.github/workflows/unitcoverage.yaml b/.github/workflows/unitcoverage.yaml
index 92229abe8d7..19084d539a4 100644
--- a/.github/workflows/unitcoverage.yaml
+++ b/.github/workflows/unitcoverage.yaml
@@ -32,7 +32,7 @@ jobs: timeout-minutes: 20 steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 1 - name: Install Go
@@ -43,11 +43,11 @@ jobs: go tool cover -func coverage.out - name: On Failure, Launch Debug Session if: ${{ failure() }} - uses: lhotari/action-upterm@v1 + uses: lhotari/action-upterm@b0357f23233f5ea6d58947c0c402e0631bab7334 # v1 with: wait-timeout-minutes: 5 - name: Upload Results To Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./coverage.out
@@ -59,7 +59,7 @@ jobs: timeout-minutes: 20 steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 1 - name: Install Go
@@ -69,7 +69,7 @@ jobs: go test -coverpkg ./pkg/... -coverprofile coverage.out ./pkg/... -run Unit go tool cover -func coverage.out - name: Upload Results To Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./coverage.out
@@ -80,8 +80,8 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Build test-mods run: docker build --target test-mods -t k3s:mod -f Dockerfile.test . - name: Run test-mods - run: docker run -i k3s:mod
\ No newline at end of file
+ run: docker run -i k3s:mod
diff --git a/.github/workflows/updatecli.yaml b/.github/workflows/updatecli.yaml
index 5d878bf0731..bf072b16710 100644
--- a/.github/workflows/updatecli.yaml
+++ b/.github/workflows/updatecli.yaml
@@ -20,7 +20,7 @@ jobs: if: github.ref == 'refs/heads/main' steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Go uses: ./.github/actions/setup-go
@@ -34,7 +34,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Install Updatecli - uses: updatecli/updatecli-action@v2 + uses: updatecli/updatecli-action@2cc8e6d8e356d76b0280cdd03766c36596a0614e # v3.0.0 - name: Apply Updatecli # Never use '--debug' option, because it might leak the access tokens.
diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml
index 47d450c138a..b9846a03aa9 100644
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -45,7 +45,7 @@ jobs: echo "GITHUB_CHECKOUT_FETCH_DEPTH=$( expr 1 + ${{ github.event.pull_request.commits }} )" >> "$GITHUB_ENV" - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: ${{ env.GITHUB_CHECKOUT_FETCH_DEPTH }}
@@ -60,14 +60,14 @@ jobs: go-version: "${{ env.GOTOOLCHAIN }}" - name: Lint - uses: golangci/golangci-lint-action@v9 + uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9 with: version: v2.7 args: "--new-from-merge-base ${{ github.event.pull_request.base.sha }}" skip-save-cache: ${{ github.ref != 'refs/heads/main' }} - name: Lint (windows) - uses: golangci/golangci-lint-action@v9 + uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9 with: version: v2.7 args: "--new-from-merge-base ${{ github.event.pull_request.base.sha }} ./pkg/... ./cmd/..."