diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index b0e2785e..37d6260e 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -10,10 +10,7 @@ on:
       - published
 name: build-test
-
-permissions:
-  contents: read
-  packages: write
+permissions: read-all
 jobs:
   build-test:
@@ -355,6 +352,9 @@ jobs:
     if: github.event_name == 'release' && github.event.action== 'published'
     needs: push-image
     name: Update Helm Chart
+    permissions:
+      contents: write
+      packages: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
diff --git a/.github/workflows/commit-msg.yaml b/.github/workflows/commit-msg.yaml
index 2dda4718..1fed2a10 100644
--- a/.github/workflows/commit-msg.yaml
+++ b/.github/workflows/commit-msg.yaml
@@ -10,6 +10,8 @@ on:
     branches:
       - main
+permissions: read-all
+
 jobs:
   check-commit-message-style:
     name: Check commit message style
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index e3cfe894..324f7d05 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -23,7 +23,7 @@ jobs:
       - name: Install dependencies
         run: |
           cd $GITHUB_WORKSPACE
-          go install github.com/swaggo/swag/cmd/swag
+          go install github.com/swaggo/swag/cmd/swag@v1.8.12
           go mod download
           sudo apt-get update
           sudo apt-get install libgpgme-dev libassuan-dev libbtrfs-dev libdevmapper-dev pkg-config rpm uidmap
@@ -66,7 +66,7 @@ jobs:
       - name: Install dependencies
         run: |
           cd $GITHUB_WORKSPACE
-          go install github.com/swaggo/swag/cmd/swag
+          go install github.com/swaggo/swag/cmd/swag@v1.8.12
           go mod download
       - name: Run sync harness
         run: |
diff --git a/.github/workflows/sync-3rdparty-images.yaml b/.github/workflows/sync-3rdparty-images.yaml
index 870f3d4e..0fb40f10 100644
--- a/.github/workflows/sync-3rdparty-images.yaml
+++ b/.github/workflows/sync-3rdparty-images.yaml
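Review bot: `permissions: read-all` grants read access on every token scope, which is broader than the `contents: read` the removed block gave to jobs that never elevate; unless some job in this workflow relies on another read scope, the tighter workflow-level default is `permissions:` / `  contents: read`, or `permissions: {}` with each job declaring exactly what it needs. The same `read-all` default is introduced by this commit in commit-msg.yaml and sync-3rdparty-images.yaml, so the same consideration applies there. Because a job-level `permissions` block replaces rather than extends the workflow-level one, the per-job grants added elsewhere in this diff keep working with either choice.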
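Review bot: The Update Helm Chart job is granted `packages: write` together with `contents: write`, but nothing visible in the hunk shows it publishing a package; if it only commits chart changes, `packages: write` can be dropped (the image push presumably happens in the `push-image` job it depends on). Now that this job holds a write-capable token, the unpinned `actions/checkout@v3` in the surrounding context is worth pinning to a full commit SHA, since a moved tag would run with repository write access. The job definition begins before this hunk and its remaining steps are not visible here, so the need for `packages: write` should be confirmed against them.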
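Review bot: The swag version is now hard-coded as `v1.8.12` in two places in nightly.yaml (this hunk and the one at line 66) while the Makefile in the same commit introduces `SWAGGER_VERSION := 1.8.12` for the same tool, so three copies of the pin can drift silently. Consider having the workflow invoke the Makefile target, or read the version from the Makefile, so the pin lives in one place. Note the Makefile form omits the `v` prefix (`@$(SWAGGER_VERSION)` expands to `@1.8.12`); confirm both spellings resolve to the same release tag.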
@@ -7,13 +7,14 @@ on:
       - main
   workflow_dispatch:
-permissions:
-  contents: read
-  packages: write
+permissions: read-all
 jobs:
   sync-golang:
     name: 'golang'
+    permissions:
+      contents: read
+      packages: write
     strategy:
       matrix:
         golang_version:
@@ -34,6 +35,9 @@ jobs:
           docker push ghcr.io/${{ github.repository_owner }}/golang:${{ matrix.golang_version }}
   sync-trivy:
     name: 'trivy-db'
+    permissions:
+      contents: read
+      packages: write
     runs-on: ubuntu-latest
     steps:
       - name: Copy trivy-db using oras cli
diff --git a/Makefile b/Makefile
index c16967d1..4cd2f9cb 100644
--- a/Makefile
+++ b/Makefile
@@ -25,6 +25,7 @@ CRICTL_VERSION := v1.26.1
 ACTION_VALIDATOR := $(TOOLSDIR)/bin/action-validator
 ACTION_VALIDATOR_VERSION := v0.2.1
 ZUI_VERSION := commit-05d5f74
+SWAGGER_VERSION := 1.8.12
 STACKER := $(TOOLSDIR)/bin/stacker
 BATS := $(TOOLSDIR)/bin/bats
 TESTDATA := $(TOP_LEVEL)/test/data
@@ -203,7 +204,7 @@ check: ./golangcilint.yaml $(GOLINTER)
 	rm pkg/extensions/build/.empty
 swagger/docs.go:
-	swag -v || go install github.com/swaggo/swag/cmd/swag@1.6.3
+	swag -v || go install github.com/swaggo/swag/cmd/swag@$(SWAGGER_VERSION)
 	swag init -o swagger -g pkg/api/routes.go
 .PHONY: swagger
diff --git a/SECURITY.md b/SECURITY.md
index 69abcf5f..4db76366 100644
--- a/SECURITY.md
+++ b/SECURITY.md
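Review bot: The `swag -v ||` guard means the pinned install only runs when no `swag` is on PATH at all; any pre-existing version satisfies the check and is then the one `swag init` uses, so `SWAGGER_VERSION` is not actually enforced for generating `swagger/docs.go`. Other tools in this Makefile are installed under `$(TOOLSDIR)/bin` and invoked by path (e.g. `ACTION_VALIDATOR`), and swag could follow that pattern so the pinned binary is the one that runs. Note the value `1.8.12` lacks the `v` prefix the workflows use for the same tool; confirm `go install` resolves it to the intended tag before relying on the variable. The hunk shows only the `swagger/docs.go` rule; the `.PHONY: swagger` target's recipe is outside it.
```makefile
SWAGGER := $(TOOLSDIR)/bin/swag

$(SWAGGER):
	mkdir -p $(TOOLSDIR)/bin
	GOBIN=$(TOOLSDIR)/bin go install github.com/swaggo/swag/cmd/swag@$(SWAGGER_VERSION)

swagger/docs.go: $(SWAGGER)
	$(SWAGGER) init -o swagger -g pkg/api/routes.go
# … unchanged: .PHONY: swagger …
```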
@@ -9,7 +9,8 @@
 ## Reporting a Vulnerability
-When a vulnerability is found, please *DO NOT* file a public issue.
-Instead, send an email to one of the core [maintainers](MAINTAINERS.md) and
-await acknowledgement. Normally we expect to resolve the issue in 60 days.
-However should there be an exception the team will reach out for next steps.
+When a vulnerability is found, please *DO NOT* file a public issue. Instead,
+send an email to one of the core [maintainers](MAINTAINERS.md) and await
+acknowledgement _OR_ file a [private security issue](https://github.com/project-zot/zot/security/advisories).
+Normally we expect to resolve the issue in 60 days. However should there be an exception
+the team will reach out for next steps.
diff --git a/golangcilint.yaml b/golangcilint.yaml
index e2990605..0e8d880d 100644
--- a/golangcilint.yaml
+++ b/golangcilint.yaml
@@ -49,11 +49,6 @@ linters-settings:
   mnd:
     checks: argument,case,condition,operation,return,assign
     ignored-numbers: 10,64
-  gomoddirectives:
-    replace-allow-list:
-      - helm.sh/helm/v3
-      - github.com/spdx/tools-golang
-      - github.com/opencontainers/image-spec
 issues:
   exclude-rules:
     - path: pkg/extensions/search/schema.resolvers.go