diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 57d5aa39..34bfbe3a 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -19,3 +19,23 @@ updates: directory: / schedule: interval: daily + + - package-ecosystem: docker + directory: /ci/ovs_test_setup + schedule: + interval: daily + + - package-ecosystem: docker + directory: /ci/ovs_test_setup/testpmd_image + schedule: + interval: daily + + - package-ecosystem: docker + directory: /docker/testpmd + schedule: + interval: daily + + - package-ecosystem: docker + directory: /docker/userspacecni + schedule: + interval: daily diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b96b312e..de4a074b 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -26,6 +26,11 @@ jobs: language: [ go ] steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Set up Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 3e5ffd80..14f47388 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -16,6 +16,11 @@ jobs: dependency-review: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: 'Checkout Repository' uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3.5.2 - name: 'Dependency Review' diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index d13ec83b..dfa939c3 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -14,6 +14,11 @@ jobs: name: E2E runs-on: hugepage-runner steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Set up Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml index 9f472483..33e4c88e 100644 --- a/.github/workflows/fuzz.yml +++ b/.github/workflows/fuzz.yml @@ -14,6 +14,11 @@ jobs: name: fuzz-tests runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Set up Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index fca58c3e..aaec9a50 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -31,6 +31,11 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3.1.0 with: diff --git a/.github/workflows/static-scan.yml b/.github/workflows/static-scan.yml index 935d47c3..c56f26e7 100644 --- a/.github/workflows/static-scan.yml +++ b/.github/workflows/static-scan.yml @@ -10,6 +10,11 @@ jobs: name: Lint runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Set up Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: @@ -36,6 +41,11 @@ jobs: name: Shellcheck runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3.5.3 - name: Run ShellCheck uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # master @@ -46,6 +56,11 @@ jobs: env: HADOLINT_RECURSIVE: "true" steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 name: Run Hadolint @@ -56,6 +71,11 @@ jobs: go-check: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3.5.2 - name: remove deployer container from dockerfile diff --git a/.github/workflows/trivy-testpmd.yml b/.github/workflows/trivy-testpmd.yml index 3505c3a5..85536c1c 100644 --- a/.github/workflows/trivy-testpmd.yml +++ b/.github/workflows/trivy-testpmd.yml @@ -26,6 +26,11 @@ jobs: name: Build runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 7bf55b0b..0ecc5e98 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -26,6 +26,11 @@ jobs: name: Build runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 diff --git a/.github/workflows/unittest.yml b/.github/workflows/unittest.yml index 39203667..8b46c1b0 100644 --- a/.github/workflows/unittest.yml +++ b/.github/workflows/unittest.yml @@ -13,6 +13,11 @@ jobs: name: unit-tests runs-on: hugepage-runner steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Set up Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: diff --git a/.github/workflows/weekly_e2e.yml b/.github/workflows/weekly_e2e.yml index 1c93a500..302ed85c 100644 --- a/.github/workflows/weekly_e2e.yml +++ b/.github/workflows/weekly_e2e.yml @@ -19,6 +19,11 @@ jobs: name: E2E_vpp_latest runs-on: hugepage-runner steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Set up Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: @@ -42,6 +47,11 @@ jobs: matrix: kubernetes_version: [v1.28.0,v1.27.0,v1.26.0] steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Set up Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000..e8e93873 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,18 @@ +repos: +- repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks +- repo: https://github.com/golangci/golangci-lint + rev: v1.52.2 + hooks: + - id: golangci-lint +- repo: https://github.com/jumanjihouse/pre-commit-hooks + rev: 3.0.0 + hooks: + - id: shellcheck +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace