diff --git a/.github/actions/prepare-docker-binaries/action.yaml b/.github/actions/prepare-docker-binaries/action.yaml index dbb8aef..f57a3ae 100644 --- a/.github/actions/prepare-docker-binaries/action.yaml +++ b/.github/actions/prepare-docker-binaries/action.yaml @@ -8,7 +8,7 @@ runs: using: composite steps: - name: Download all binary artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: path: ./artifacts diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..1714042 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,16 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily + + - package-ecosystem: cargo + directory: / + schedule: + interval: daily + + - package-ecosystem: docker + directory: /docker + schedule: + interval: daily diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..83f47f1 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - name: 'Dependency Review' + uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2 diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 3dd57bc..53105c8 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -24,11 +24,16 @@ jobs: name: Build Documentation runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Rust build environment - uses: firestoned/github-actions/rust/setup-rust-build@v1.3.1 + uses: firestoned/github-actions/rust/setup-rust-build@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: target: x86_64-unknown-linux-gnu @@ -45,11 +50,11 @@ jobs: - name: Setup Pages if: github.ref == 'refs/heads/main' - uses: actions/configure-pages@v4 + uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4.0.0 - name: Upload artifact if: github.ref == 'refs/heads/main' - uses: actions/upload-pages-artifact@v3 + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 with: path: docs/target @@ -62,6 +67,11 @@ jobs: name: github-pages url: ${{ steps.deployment.outputs.page_url }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml index 81a68c6..806a5ca 100644 --- a/.github/workflows/integration.yaml +++ b/.github/workflows/integration.yaml @@ -27,35 +27,40 @@ jobs: runs-on: ubuntu-latest if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Rust build environment - uses: firestoned/github-actions/rust/setup-rust-build@v1.3.1 + uses: firestoned/github-actions/rust/setup-rust-build@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: target: x86_64-unknown-linux-gnu - name: Install Kind - uses: helm/kind-action@v1 + uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0 with: install_only: true version: v0.20.0 - name: Install kubectl - uses: azure/setup-kubectl@v4 + uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1 with: version: 'v1.28.0' - name: Extract version information id: version - uses: firestoned/github-actions/versioning/extract-version@v1.3.1 + uses: firestoned/github-actions/versioning/extract-version@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: repository: firestoned/bindy workflow-type: main image-suffix: "" - name: Log in to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ghcr.io username: ${{ github.actor }} diff --git a/.github/workflows/license-scan.yaml b/.github/workflows/license-scan.yaml index 66a2ee6..7b074a8 100644 --- a/.github/workflows/license-scan.yaml +++ b/.github/workflows/license-scan.yaml @@ -20,6 +20,9 @@ on: - cron: '0 0 1 1,4,7,10 *' workflow_dispatch: +permissions: + contents: read + jobs: license-scan: runs-on: ubuntu-latest @@ -28,11 +31,16 @@ jobs: pull-requests: write # Required to post comments on PRs steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Rust build environment - uses: firestoned/github-actions/rust/setup-rust-build@v1.3.1 + uses: firestoned/github-actions/rust/setup-rust-build@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: target: x86_64-unknown-linux-gnu @@ -218,7 +226,7 @@ jobs: done - name: Upload license report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: always() with: name: license-report @@ -227,7 +235,7 @@ jobs: - name: Post license report to PR if: github.event_name == 'pull_request' && always() - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 with: script: | const fs = require('fs'); diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index e839076..73b25d4 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -23,11 +23,16 @@ jobs: name: Verify SPDX License Headers runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Check license headers - uses: firestoned/github-actions/security/license-check@v1.3.1 + uses: firestoned/github-actions/security/license-check@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: copyright-holder: "Erick Bourgeois, firestoned" license-id: "MIT" @@ -36,13 +41,18 @@ jobs: name: Verify Signed Commits runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 # Fetch all history for verification - name: Verify commits are signed - uses: firestoned/github-actions/security/verify-signed-commits@v1.3.1 + uses: firestoned/github-actions/security/verify-signed-commits@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: github-token: ${{ secrets.GITHUB_TOKEN }} verify-mode: push @@ -66,26 +76,31 @@ jobs: artifact_name: bindy-linux-arm64 binary_name: bindy steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Rust build environment - uses: firestoned/github-actions/rust/setup-rust-build@v1.3.1 + uses: firestoned/github-actions/rust/setup-rust-build@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: target: ${{ matrix.platform.target }} - name: Build binary - uses: firestoned/github-actions/rust/build-binary@v1.3.1 + uses: firestoned/github-actions/rust/build-binary@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: target: ${{ matrix.platform.target }} - name: Generate SBOM - uses: firestoned/github-actions/rust/generate-sbom@v1.3.1 + uses: firestoned/github-actions/rust/generate-sbom@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: target: ${{ matrix.platform.target }} - name: Upload binary and SBOM artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: ${{ matrix.platform.artifact_name }} path: | @@ -98,11 +113,16 @@ jobs: runs-on: ubuntu-latest needs: [license-check, verify-commits] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install Rust toolchain - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable - name: Install tarpaulin run: cargo install cargo-tarpaulin @@ -111,7 +131,7 @@ jobs: run: cargo tarpaulin --verbose --all-features --workspace --timeout 120 --out Xml - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 with: files: ./cobertura.xml fail_ci_if_error: false @@ -128,12 +148,17 @@ jobs: image-repository-distroless: ${{ steps.version-distroless.outputs.image-repository }} short-sha: ${{ steps.version-chainguard.outputs.short-sha }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Extract version for Chainguard id: version-chainguard - uses: firestoned/github-actions/versioning/extract-version@v1.3.1 + uses: firestoned/github-actions/versioning/extract-version@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: repository: firestoned/bindy workflow-type: main @@ -141,7 +166,7 @@ jobs: - name: Extract version for Distroless id: version-distroless - uses: firestoned/github-actions/versioning/extract-version@v1.3.1 + uses: firestoned/github-actions/versioning/extract-version@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: repository: firestoned/bindy workflow-type: main @@ -171,20 +196,25 @@ jobs: image-tag: ${{ needs.extract-version.outputs.image-tag-distroless }} image-repository: ${{ needs.extract-version.outputs.image-repository-distroless }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Prepare Docker binaries uses: ./.github/actions/prepare-docker-binaries - name: Setup Docker environment - uses: firestoned/github-actions/docker/setup-docker@v1.3.1 + uses: firestoned/github-actions/docker/setup-docker@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: github_token: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: images: ghcr.io/${{ matrix.variant.image-repository }} tags: | @@ -197,7 +227,7 @@ jobs: - name: Build and push Docker image (${{ matrix.variant.name }}) id: docker_build - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: context: . file: ${{ matrix.variant.dockerfile }} @@ -217,11 +247,16 @@ jobs: runs-on: ubuntu-latest needs: [license-check, verify-commits] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Run security scan - uses: firestoned/github-actions/rust/security-scan@v1.3.1 + uses: firestoned/github-actions/rust/security-scan@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: cargo-audit-version: "0.22.0" @@ -240,11 +275,16 @@ jobs: image-tag: ${{ needs.extract-version.outputs.image-tag-distroless }} image-repository: ${{ needs.extract-version.outputs.image-repository-distroless }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Run Trivy scan on ${{ matrix.variant.name }} image - uses: firestoned/github-actions/security/trivy-scan@v1.3.1 + uses: firestoned/github-actions/security/trivy-scan@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: image-ref: ghcr.io/${{ matrix.variant.image-repository }}:${{ matrix.variant.image-tag }} sarif-category: trivy-main-${{ matrix.variant.name }} diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 1635aac..8db3f4d 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -23,11 +23,16 @@ jobs: name: Verify SPDX License Headers runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Check license headers - uses: firestoned/github-actions/security/license-check@v1.3.1 + uses: firestoned/github-actions/security/license-check@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: copyright-holder: "Erick Bourgeois, firestoned" license-id: "MIT" @@ -36,13 +41,18 @@ jobs: name: Verify Signed Commits runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 # Fetch all history for verification - name: Verify all commits are signed - uses: firestoned/github-actions/security/verify-signed-commits@v1.3.1 + uses: firestoned/github-actions/security/verify-signed-commits@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: github-token: ${{ secrets.GITHUB_TOKEN }} base-ref: origin/${{ github.base_ref }} @@ -53,11 +63,16 @@ jobs: runs-on: ubuntu-latest needs: [license-check, verify-commits] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install Rust toolchain - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable with: components: rustfmt @@ -68,16 +83,21 @@ jobs: name: Build Documentation runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable with: toolchain: stable - name: Setup Rust cache - uses: Swatinem/rust-cache@v2 + uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2 - name: Install mdBook and preprocessors run: | @@ -97,16 +117,21 @@ jobs: runs-on: ubuntu-latest needs: format steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install Rust toolchain - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable with: components: clippy - name: Cache cargo dependencies - uses: firestoned/github-actions/rust/cache-cargo@v1.3.1 + uses: firestoned/github-actions/rust/cache-cargo@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 - name: Run clippy run: cargo clippy --all-targets --all-features -- -D warnings @@ -130,26 +155,31 @@ jobs: artifact_name: bindy-linux-arm64 binary_name: bindy steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Rust build environment - uses: firestoned/github-actions/rust/setup-rust-build@v1.3.1 + uses: firestoned/github-actions/rust/setup-rust-build@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: target: ${{ matrix.platform.target }} - name: Build binary - uses: firestoned/github-actions/rust/build-binary@v1.3.1 + uses: firestoned/github-actions/rust/build-binary@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: target: ${{ matrix.platform.target }} - name: Generate SBOM - uses: firestoned/github-actions/rust/generate-sbom@v1.3.1 + uses: firestoned/github-actions/rust/generate-sbom@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: target: ${{ matrix.platform.target }} - name: Upload binary and SBOM artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: ${{ matrix.platform.artifact_name }} path: | @@ -162,20 +192,25 @@ jobs: runs-on: ubuntu-latest needs: build steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install Rust toolchain - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable - name: Download x86_64 build artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: bindy-linux-amd64 path: target/x86_64-unknown-linux-gnu/release/ - name: Cache cargo dependencies - uses: firestoned/github-actions/rust/cache-cargo@v1.3.1 + uses: firestoned/github-actions/rust/cache-cargo@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 - name: Run tests run: cargo test --all --verbose @@ -191,12 +226,17 @@ jobs: image-repository-distroless: ${{ steps.version-distroless.outputs.image-repository }} short-sha: ${{ steps.version-chainguard.outputs.short-sha }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Extract version for Chainguard id: version-chainguard - uses: firestoned/github-actions/versioning/extract-version@v1.3.1 + uses: firestoned/github-actions/versioning/extract-version@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: repository: firestoned/bindy workflow-type: pr @@ -205,7 +245,7 @@ jobs: - name: Extract version for Distroless id: version-distroless - uses: firestoned/github-actions/versioning/extract-version@v1.3.1 + uses: firestoned/github-actions/versioning/extract-version@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: repository: firestoned/bindy workflow-type: pr @@ -236,20 +276,25 @@ jobs: image-tag: ${{ needs.extract-version.outputs.image-tag-distroless }} image-repository: ${{ needs.extract-version.outputs.image-repository-distroless }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Prepare Docker binaries uses: ./.github/actions/prepare-docker-binaries - name: Setup Docker environment - uses: firestoned/github-actions/docker/setup-docker@v1.3.1 + uses: firestoned/github-actions/docker/setup-docker@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: github_token: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: images: ghcr.io/${{ matrix.variant.image-repository }} tags: | @@ -259,7 +304,7 @@ jobs: latest=false - name: Build and push Docker image (${{ matrix.variant.name }}) - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: context: . file: ${{ matrix.variant.dockerfile }} @@ -278,11 +323,16 @@ jobs: name: Security Vulnerability Scan runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Run security scan - uses: firestoned/github-actions/rust/security-scan@v1.3.1 + uses: firestoned/github-actions/rust/security-scan@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: cargo-audit-version: "0.22.0" @@ -301,11 +351,16 @@ jobs: image-tag: ${{ needs.extract-version.outputs.image-tag-distroless }} image-repository: ${{ needs.extract-version.outputs.image-repository-distroless }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Run Trivy scan on ${{ matrix.variant.name }} image - uses: firestoned/github-actions/security/trivy-scan@v1.3.1 + uses: firestoned/github-actions/security/trivy-scan@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: image-ref: ghcr.io/${{ matrix.variant.image-repository }}:${{ matrix.variant.image-tag }} sarif-category: trivy-pr-${{ matrix.variant.name }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index be238ad..ef82d45 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -23,11 +23,16 @@ jobs: name: Verify SPDX License Headers runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Check license headers - uses: firestoned/github-actions/security/license-check@v1.3.1 + uses: firestoned/github-actions/security/license-check@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: copyright-holder: "Erick Bourgeois, firestoned" license-id: "MIT" @@ -36,13 +41,18 @@ jobs: name: Verify Signed Commits runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 # Fetch all history for verification - name: Verify release tag commit is signed - uses: firestoned/github-actions/security/verify-signed-commits@v1.3.1 + uses: firestoned/github-actions/security/verify-signed-commits@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: github-token: ${{ secrets.GITHUB_TOKEN }} verify-mode: release @@ -60,12 +70,17 @@ jobs: image-repository-distroless: ${{ steps.version-distroless.outputs.image-repository }} short-sha: ${{ steps.version-chainguard.outputs.short-sha }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Extract version for Chainguard id: version-chainguard - uses: firestoned/github-actions/versioning/extract-version@v1.3.1 + uses: firestoned/github-actions/versioning/extract-version@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: repository: firestoned/bindy workflow-type: release @@ -74,7 +89,7 @@ jobs: - name: Extract version for Distroless id: version-distroless - uses: firestoned/github-actions/versioning/extract-version@v1.3.1 + uses: firestoned/github-actions/versioning/extract-version@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: repository: firestoned/bindy workflow-type: release @@ -100,8 +115,13 @@ jobs: artifact_name: bindy-linux-arm64 binary_name: bindy steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Update Cargo.toml version run: | @@ -110,23 +130,23 @@ jobs: grep '^version = ' Cargo.toml - name: Setup Rust build environment - uses: firestoned/github-actions/rust/setup-rust-build@v1.3.1 + uses: firestoned/github-actions/rust/setup-rust-build@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: target: ${{ matrix.platform.target }} cache-key: release-${{ needs.extract-version.outputs.version }} - name: Build binary - uses: firestoned/github-actions/rust/build-binary@v1.3.1 + uses: firestoned/github-actions/rust/build-binary@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: target: ${{ matrix.platform.target }} - name: Generate SBOM - uses: firestoned/github-actions/rust/generate-sbom@v1.3.1 + uses: firestoned/github-actions/rust/generate-sbom@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: target: ${{ matrix.platform.target }} - name: Upload binary and SBOM artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: ${{ matrix.platform.artifact_name }} path: | @@ -158,20 +178,25 @@ jobs: image-tag: ${{ needs.extract-version.outputs.image-tag-distroless }} image-repository: ${{ needs.extract-version.outputs.image-repository-distroless }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Prepare Docker binaries uses: ./.github/actions/prepare-docker-binaries - name: Setup Docker environment - uses: firestoned/github-actions/docker/setup-docker@v1.3.1 + uses: firestoned/github-actions/docker/setup-docker@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: github_token: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: images: ghcr.io/${{ matrix.variant.image-repository }} tags: | @@ -185,7 +210,7 @@ jobs: - name: Build and push Docker image (${{ matrix.variant.name }}) id: docker_build - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: context: . file: ${{ matrix.variant.dockerfile }} @@ -203,7 +228,7 @@ jobs: provenance: true - name: Sign container image with Cosign - uses: firestoned/github-actions/security/cosign-sign@v1.3.1 + uses: firestoned/github-actions/security/cosign-sign@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: image-digest: ${{ steps.docker_build.outputs.digest }} image-tags: ${{ needs.extract-version.outputs.tag_name }} @@ -211,14 +236,14 @@ jobs: repository: ${{ matrix.variant.image-repository }} - name: Generate Docker SBOM for ${{ matrix.variant.name }} - uses: anchore/sbom-action@v0 + uses: anchore/sbom-action@a930d0ac434e3182448fe678398ba5713717112a # v0.21.0 with: image: ghcr.io/${{ matrix.variant.image-repository }}:${{ needs.extract-version.outputs.tag_name }} format: cyclonedx-json output-file: docker-sbom-${{ matrix.variant.name }}.json - name: Upload Docker SBOM as artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: docker-sbom-${{ matrix.variant.name }} path: docker-sbom-${{ matrix.variant.name }}.json @@ -238,11 +263,16 @@ jobs: - name: Linux ARM64 artifact_name: bindy-linux-arm64 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Download binary artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: ${{ matrix.platform.artifact_name }} path: ./artifacts/${{ matrix.platform.artifact_name }} @@ -255,12 +285,12 @@ jobs: ls -lh ${{ matrix.platform.artifact_name }}.tar.gz - name: Sign binary tarball with Cosign - uses: firestoned/github-actions/security/cosign-sign@v1.3.1 + uses: firestoned/github-actions/security/cosign-sign@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: artifact-path: artifacts/${{ matrix.platform.artifact_name }}/${{ matrix.platform.artifact_name }}.tar.gz - name: Upload signed artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: ${{ matrix.platform.artifact_name }}-signed path: | @@ -274,8 +304,13 @@ jobs: outputs: hashes: ${{ steps.hash.outputs.hashes }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Download signed artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: bindy-linux-*-signed path: ./artifacts @@ -310,8 +345,13 @@ jobs: permissions: contents: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Download all artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: path: ./artifacts @@ -380,7 +420,7 @@ jobs: ls -lh ../provenance/ || echo "No provenance files found" - name: Upload release assets - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 with: files: | artifacts/release/*.tar.gz @@ -394,11 +434,16 @@ jobs: runs-on: ubuntu-latest needs: extract-version steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Run security scan - uses: firestoned/github-actions/rust/security-scan@v1.3.1 + uses: firestoned/github-actions/rust/security-scan@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: cargo-audit-version: "0.22.0" upload-artifact-name: cargo-audit-report-release @@ -418,11 +463,16 @@ jobs: image-tag: ${{ needs.extract-version.outputs.image-tag-distroless }} image-repository: ${{ needs.extract-version.outputs.image-repository-distroless }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Run Trivy scan on ${{ matrix.variant.name }} image - uses: firestoned/github-actions/security/trivy-scan@v1.3.1 + uses: firestoned/github-actions/security/trivy-scan@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: image-ref: ghcr.io/${{ matrix.variant.image-repository }}:${{ matrix.variant.image-tag }} sarif-category: trivy-release-${{ matrix.variant.name }} diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 7f6e960..cf980b8 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -21,22 +21,27 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Rust build environment - uses: firestoned/github-actions/rust/setup-rust-build@v1.3.1 + uses: firestoned/github-actions/rust/setup-rust-build@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: target: x86_64-unknown-linux-gnu - name: Generate SBOM (JSON and XML) - uses: firestoned/github-actions/rust/generate-sbom@v1.3.1 + uses: firestoned/github-actions/rust/generate-sbom@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: format: both describe: binaries - name: Upload SBOM artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: sbom path: | @@ -57,8 +62,13 @@ jobs: needs: generate-sbom steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Download SBOM artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: sbom diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 9a9a67f..4cdfeec 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -36,8 +36,13 @@ jobs: # actions: read steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: persist-credentials: false @@ -51,13 +56,13 @@ jobs: # Upload results to GitHub's code scanning dashboard - name: Upload SARIF results to code scanning - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 with: sarif_file: results.sarif # Upload results as workflow artifact - name: Upload Scorecard results as artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml index 4b23272..962e524 100644 --- a/.github/workflows/security-scan.yaml +++ b/.github/workflows/security-scan.yaml @@ -22,13 +22,18 @@ jobs: name: Scan Rust Dependencies runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Run security scan id: audit continue-on-error: true - uses: firestoned/github-actions/rust/security-scan@v1.3.1 + uses: firestoned/github-actions/rust/security-scan@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: upload-artifact-name: scheduled-cargo-audit-${{ github.run_number }} @@ -53,7 +58,7 @@ jobs: - name: Create GitHub issue for vulnerabilities if: steps.parse.outputs.has_vulnerabilities == 'true' - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 with: script: | const fs = require('fs'); @@ -153,13 +158,18 @@ jobs: matrix: tag: ['latest', 'main'] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Run Trivy scan on ${{ matrix.tag }} continue-on-error: true id: trivy - uses: firestoned/github-actions/security/trivy-scan@v1.3.1 + uses: firestoned/github-actions/security/trivy-scan@91de875aa3887b7cb029f380502c15b24a8f3999 # v1.3.1 with: image-ref: ghcr.io/${{ github.repository }}:${{ matrix.tag }} sarif-category: trivy-scheduled-${{ matrix.tag }} @@ -191,7 +201,7 @@ jobs: - name: Create GitHub issue for container vulnerabilities if: steps.parse.outputs.has_vulnerabilities == 'true' - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 with: script: | const fs = require('fs'); diff --git a/.github/workflows/update-image-digests.yaml b/.github/workflows/update-image-digests.yaml index d2c013b..7dc1260 100644 --- a/.github/workflows/update-image-digests.yaml +++ b/.github/workflows/update-image-digests.yaml @@ -9,6 +9,9 @@ on: - cron: '0 0 1 * *' workflow_dispatch: +permissions: + contents: read + jobs: update-digests: runs-on: ubuntu-latest @@ -17,8 +20,13 @@ jobs: pull-requests: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install crane (for fetching image digests) run: | @@ -78,7 +86,7 @@ jobs: - name: Create Pull Request if: steps.fetch-digests.outputs.digests-changed == 'true' - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 with: token: ${{ secrets.GITHUB_TOKEN }} commit-message: | @@ -129,7 +137,7 @@ jobs: - name: Upload digest report if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: digest-report path: digest-report.md diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..d8562a4 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,14 @@ +repos: +- repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks +- repo: https://github.com/jumanjihouse/pre-commit-hooks + rev: 3.0.0 + hooks: + - id: shellcheck +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace diff --git a/docker/Dockerfile b/docker/Dockerfile index fda443a..7adce41 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -21,7 +21,7 @@ # to match the target platform (amd64 or arm64). # Build stage to install BIND9 and create user -FROM debian:12-slim AS builder +FROM debian:12-slim@sha256:e899040a73d36e2b36fa33216943539d9957cba8172b858097c2cabcdb20a3e2 AS builder RUN apt-get update && \ DEBIAN_FRONTEND=noninteractive apt-get install -y \ @@ -30,7 +30,7 @@ RUN apt-get update && \ && rm -rf /var/lib/apt/lists/* # Runtime stage - Distroless with glibc -FROM gcr.io/distroless/cc-debian12:nonroot +FROM gcr.io/distroless/cc-debian12:nonroot@sha256:2575808fe33e2a728348040ef2fd6757b0200a73ca8daebd0c258e2601e76c6d ARG TARGETARCH ARG VERSION=0.1.0