From f68dd38174f107ebf734f76e630beeee7f3d06a8 Mon Sep 17 00:00:00 2001 From: Dmitrii Creed Date: Fri, 8 May 2026 00:44:01 +0400 Subject: [PATCH 1/8] ci(dependabot): add docker + pip ecosystems MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two ecosystems were missing from the api dependabot config carried over from PR #228: * `docker`: 5 *.Dockerfile files at the repo root build the production images we publish (caddy, cloud-helpers.aws, github-actions, github-actions-staging, kubectl). Their `FROM` base images need the same weekly bump as gomod / github-actions. The docs example Dockerfiles under docs/docs/examples/ are user-facing samples — Dependabot only inspects the configured `directory: /`, so they're implicitly out of scope. * `pip`: docs/requirements.txt drives the public mkdocs site (mkdocs, mkdocs-material, plugins). Public site, so CVEs in the build chain still matter. Both groups follow the same shape as the existing gomod/github-actions entries: weekly Monday cadence, minor+patch grouped, `dependencies` + ecosystem-specific labels. Signed-off-by: Dmitrii Creed --- .github/dependabot.yml | 48 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3551bab2..cbc17c22 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -38,3 +38,51 @@ updates: update-types: - minor - patch + + # Container images we publish from this repo. The 5 *.Dockerfile files + # at the repo root (caddy, cloud-helpers.aws, github-actions, + # github-actions-staging, kubectl) build production images. The + # Dockerfiles under docs/docs/examples/ are user-facing samples, not + # production artifacts — Dependabot will only pick up the ones at the + # configured directory level (`/`), so example Dockerfiles are + # implicitly out of scope. + - package-ecosystem: docker + directory: / + schedule: + interval: weekly + day: monday + open-pull-requests-limit: 5 + labels: + - dependencies + - docker + commit-message: + prefix: deps + include: scope + groups: + docker-minor-and-patch: + applies-to: version-updates + update-types: + - minor + - patch + + # Python tooling for the docs site (MkDocs + Material + plugins). + # Public site, so CVEs in the build chain still matter. + - package-ecosystem: pip + directory: /docs + schedule: + interval: weekly + day: monday + open-pull-requests-limit: 5 + labels: + - dependencies + - python + - docs + commit-message: + prefix: deps + include: scope + groups: + pip-minor-and-patch: + applies-to: version-updates + update-types: + - minor + - patch From eadac598474a8bae8b79afc3b1afa6116661b9aa Mon Sep 17 00:00:00 2001 
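Review bot: The comment above the new `docker` entry hard-codes the count and names of the root Dockerfiles ("The 5 *.Dockerfile files … caddy, cloud-helpers.aws, github-actions, github-actions-staging, kubectl"), which will silently go stale the next time an image is added or removed, while the configuration itself does not depend on that list because Dependabot discovers Dockerfiles in `directory: /` on its own. Suggest trimming it to `# Base images of the production Dockerfiles at the repo root; docs/docs/examples/ is not scanned because Dependabot only inspects the configured directory.` and keeping the same shape for the pip comment. Both new groups are scoped to `applies-to: version-updates`, so security updates for docker and pip will still arrive as individual PRs outside the weekly grouped one; if that is intended (it matches the gomod/github-actions entries as far as they are visible here) a short note saying so would save the next reader from assuming security fixes are batched.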
From: Dmitrii Creed Date: Fri, 8 May 2026 23:33:00 +0400 Subject: [PATCH 2/8] fix(security): migrate from github.com/docker/docker to moby/moby/{api,client} Drops the legacy github.com/docker/docker v28.5.2+incompatible import path, which has no upstream fix for: - CVE-2026-34040 (HIGH, GHSA-x744-4wpc-v9h2): AuthZ plugin bypass on oversized request bodies - CVE-2026-33997 (MEDIUM, GHSA-pxq6-2prw-chj9): off-by-one in plugin privilege validation Both advisories list the fix only under the split moby modules: github.com/moby/moby/api >=v1.54.2 and github.com/moby/moby/client >=v0.4.1. Code changes in pkg/clouds/pulumi/docker: - imports moved to github.com/moby/moby/{client,api/types/registry} - image.PullOptions{Platform: string} -> client.ImagePullOptions with []ocispec.Platform parsed via containerd/platforms.Parse - explicit NegotiateAPIVersion call replaced by client.WithAPIVersionNegotiation() opt (lazy negotiation on first call) Signed-off-by: Dmitrii Creed --- go.mod | 17 +++++---- go.sum | 61 +++++++++++-------------------- pkg/clouds/pulumi/docker/pull.go | 25 +++++++------ pkg/clouds/pulumi/docker/types.go | 2 +- 4 files changed, 46 insertions(+), 59 deletions(-) diff --git a/go.mod b/go.mod index f3dfcfb0..c9bf944c 100644 --- a/go.mod +++ b/go.mod @@ -13,8 +13,8 @@ require ( github.com/aws/aws-secretsmanager-caching-go v1.1.3 github.com/cloudflare/cloudflare-go v0.104.0 github.com/compose-spec/compose-go v1.20.2 + github.com/containerd/platforms v0.2.1 github.com/disgoorg/disgo v0.18.5 - github.com/docker/docker v28.5.2+incompatible github.com/fatih/color v1.18.0 github.com/go-delve/delve v1.26.3 github.com/go-git/go-billy/v5 v5.8.0 
@@ -23,7 +23,10 @@ require ( github.com/google/uuid v1.6.0 github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef github.com/mitchellh/go-homedir v1.1.0 + github.com/moby/moby/api v1.54.2 + github.com/moby/moby/client v0.4.1 github.com/onsi/gomega v1.38.2 + github.com/opencontainers/image-spec v1.1.1 github.com/otiai10/copy v1.14.0 github.com/peterh/liner v1.2.2 github.com/philippgille/chromem-go v0.7.0 @@ -160,6 +163,7 @@ require ( github.com/containerd/console v1.0.4 // indirect github.com/containerd/errdefs v1.0.0 // indirect github.com/containerd/errdefs/pkg v0.3.0 // indirect + github.com/containerd/log v0.1.0 // indirect github.com/cosiner/argv v0.1.0 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect github.com/curioswitch/go-reassign v0.3.0 // indirect @@ -171,10 +175,10 @@ require ( github.com/derekparker/trie/v3 v3.2.0 // indirect github.com/disgoorg/json v1.1.0 // indirect github.com/disgoorg/snowflake/v2 v2.0.1 // indirect - github.com/distribution/reference v0.5.0 // indirect + github.com/distribution/reference v0.6.0 // indirect github.com/djherbis/times v1.5.0 // indirect github.com/dlclark/regexp2 v1.11.0 // indirect - github.com/docker/go-connections v0.5.0 // indirect + github.com/docker/go-connections v0.7.0 // indirect github.com/docker/go-units v0.5.0 // indirect github.com/dustin/go-humanize v1.0.1 // indirect github.com/edsrzf/mmap-go v1.1.0 // indirect @@ -312,7 +316,6 @@ require ( github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect - github.com/moby/sys/atomicwriter v0.1.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect github.com/montanaflynn/stats v0.7.1 // indirect 
@@ -330,7 +333,6 @@ require ( github.com/nxadm/tail v1.4.11 // indirect github.com/olekukonko/tablewriter v0.0.5 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.0 // indirect github.com/opentracing/basictracer-go v1.1.0 // indirect github.com/opentracing/opentracing-go v1.2.0 // indirect github.com/pelletier/go-toml/v2 v2.2.4 // indirect @@ -428,9 +430,8 @@ require ( go.opentelemetry.io/auto/sdk v1.2.1 // indirect go.opentelemetry.io/contrib/detectors/gcp v1.39.0 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect go.opentelemetry.io/otel v1.43.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 // indirect go.opentelemetry.io/otel/metric v1.43.0 // indirect go.opentelemetry.io/otel/sdk v1.43.0 // indirect go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect @@ -450,7 +451,7 @@ require ( golang.org/x/net v0.53.0 // indirect golang.org/x/sys v0.43.0 // indirect golang.org/x/telemetry v0.0.0-20260409153401-be6f6cb8b1fa // indirect - golang.org/x/time v0.10.0 // indirect + golang.org/x/time v0.11.0 // indirect golang.org/x/tools v0.44.0 // indirect golang.org/x/tools/go/expect v0.1.1-deprecated // indirect golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect diff --git a/go.sum b/go.sum index 6589ecf5..c1009139 100644 --- a/go.sum +++ b/go.sum 
@@ -91,8 +91,6 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.5.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.5.0/go.mod h1:T5RfihdXtBDxt1Ch2wobif3TvzTdumDy29kahv6AV9A= github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.3.1 h1:fXPMAmuh0gDuRDey0atC8cXBuKIlqCzCkL8sm1n9Ov0= github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.3.1/go.mod h1:SUZc9YRRHfx2+FAQKNDGrssXehqLpxmwRv2mC/5ntj4= -github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= -github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk= 
@@ -250,11 +248,8 @@ github.com/catenacyber/perfsprint v0.8.2 h1:+o9zVmCSVa7M4MvabsWvESEhpsMkhfE7k0sH github.com/catenacyber/perfsprint v0.8.2/go.mod h1:q//VWC2fWbcdSLEY1R3l8n0zQCDPdE4IjZwyY1HMunM= github.com/ccojocar/zxcvbn-go v1.0.2 h1:na/czXU8RrhXO4EZme6eQJLR4PzcGsahsBOAwU6I3Vg= github.com/ccojocar/zxcvbn-go v1.0.2/go.mod h1:g1qkXtUSvHP8lhHp5GrSmTz6uWALGRMQdw6Qnz/hi60= -github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4= github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M= github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= -github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM= -github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= @@ -299,6 +294,8 @@ github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151X github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= +github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= +github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cosiner/argv v0.1.0 h1:BVDiEL32lwHukgJKP87btEPenzrrHUjajs/8yzaqcXg= github.com/cosiner/argv v0.1.0/go.mod h1:EusR6TucWKX+zFgtdUsKT2Cvg45K5rtpCcWz4hK06d8= 
@@ -306,8 +303,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= -github.com/creack/pty v1.1.20 h1:VIPb/a2s17qNeQgDnkfZC35RScx+blkKF8GV68n80J4= -github.com/creack/pty v1.1.20/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= +github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s= +github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE= github.com/curioswitch/go-reassign v0.3.0 h1:dh3kpQHuADL3cobV/sSGETA8DOv457dwl+fbBAhrQPs= github.com/curioswitch/go-reassign v0.3.0/go.mod h1:nApPCCTtqLJN/s8HfItCcKV0jIPwluBOvZP+dsJGA88= github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s= 
@@ -333,16 +330,14 @@ github.com/disgoorg/json v1.1.0 h1:7xigHvomlVA9PQw9bMGO02PHGJJPqvX5AnwlYg/Tnys= github.com/disgoorg/json v1.1.0/go.mod h1:BHDwdde0rpQFDVsRLKhma6Y7fTbQKub/zdGO5O9NqqA= github.com/disgoorg/snowflake/v2 v2.0.1 h1:CuUxGLwggUxEswZOmZ+mZ5i0xSumQdXW9tXW7uGqe+0= github.com/disgoorg/snowflake/v2 v2.0.1/go.mod h1:SPU9c2CNn5DSyb86QcKtdZgix9osEtKrHLW4rMhfLCs= -github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0= -github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= +github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= +github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= github.com/djherbis/times v1.5.0 h1:79myA211VwPhFTqUk8xehWrsEO+zcIZj0zT8mXPVARU= github.com/djherbis/times v1.5.0/go.mod h1:5q7FDLvbNg1L/KaBmPcWlVR9NmoKo3+ucqUA3ijQhA0= github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI= github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8= -github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM= -github.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= -github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= +github.com/docker/go-connections v0.7.0 h1:6SsRfJddP22WMrCkj19x9WKjEDTB+ahsdiGYf0mN39c= +github.com/docker/go-connections v0.7.0/go.mod h1:no1qkHdjq7kLMGUXYAduOhYPSJxxvgWBh7ogVvptn3Q= github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= 
@@ -610,8 +605,6 @@ github.com/gostaticanalysis/nilerr v0.1.1/go.mod h1:wZYb6YI5YAxxq0i1+VJbY0s2YONW github.com/gostaticanalysis/testutil v0.3.1-0.20210208050101-bfb5c8eec0e4/go.mod h1:D+FIZ+7OahH3ePw/izIEeH5I06eKs1IKI4Xr64/Am3M= github.com/gostaticanalysis/testutil v0.5.0 h1:Dq4wT1DdTwTGCQQv3rl3IvD5Ld0E6HiY+3Zh0sUGqw8= github.com/gostaticanalysis/testutil v0.5.0/go.mod h1:OLQSbuM6zw2EvCcXTz1lVq5unyoNft372msDY0nY5Hs= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz+PMpZ14Jynv3O2Zs= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c= github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 h1:MJG/KsmcqMwFAkh8mTnAwhyKoB+sTAnY4CACC110tbU= github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645/go.mod h1:6iZfnjpejD4L/4DwD7NryNaJyCQdzwWwH2MWhCA90Kw= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -806,12 +799,10 @@ github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zx github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= -github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw= -github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs= -github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU= -github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko= -github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= -github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= +github.com/moby/moby/api v1.54.2 h1:wiat9QAhnDQjA7wk1kh/TqHz2I1uUA7M7t9SAl/JNXg= +github.com/moby/moby/api v1.54.2/go.mod h1:+RQ6wluLwtYaTd1WnPLykIDPekkuyD/ROWQClE83pzs= +github.com/moby/moby/client v0.4.1 h1:DMQgisVoMkmMs7fp3ROSdiBnoAu8+vo3GggFl06M/wY= +github.com/moby/moby/client v0.4.1/go.mod h1:z52C9O2POPOsnxZAy//WtKcQ32P+jT/NGeXu/7nfjGQ= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -824,8 +815,6 @@ github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8 github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow= github.com/moricho/tparallel v0.3.2 h1:odr8aZVFA3NZrNybggMkYO3rgPRcqjeQUlBBFVxKHTI= github.com/moricho/tparallel v0.3.2/go.mod h1:OQ+K3b4Ln3l2TZveGCywybl68glfLEwFGqvnjok8b+U= -github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= -github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI= github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo= github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA= @@ -860,8 +849,8 @@ github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= -github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= +github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= +github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= github.com/opentracing/basictracer-go v1.1.0 h1:Oa1fTSBvAl8pa3U+IJYqrKm0NALwH9OsgwOqDv4xJW0= github.com/opentracing/basictracer-go v1.1.0/go.mod h1:V2HZueSJEp879yv285Aap1BS69fQMD+MNP1mRs6mBQc= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= 
@@ -1182,14 +1171,10 @@ go.opentelemetry.io/contrib/detectors/gcp v1.39.0 h1:kWRNZMsfBHZ+uHjiH4y7Etn2FK2 go.opentelemetry.io/contrib/detectors/gcp v1.39.0/go.mod h1:t/OGqzHBa5v6RHZwrDBJ2OirWc+4q/w2fTbLZwAKjTk= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0 h1:rgMkmiGfix9vFJDcDi1PK8WEQP4FLQwLDfhp5ZLpFeE= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0/go.mod h1:ijPqXp5P6IRRByFVVg9DY8P5HkxkHE5ARIa+86aXPf4= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 h1:CV7UdSGJt/Ao6Gp4CXckLxVRRsRgDHoI8XjbL3PDl8s= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0/go.mod h1:FRmFuRJfag1IZ2dPkHnEoSFVgTVPUd2qf5Vi69hLb8I= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 h1:sbiXRNDSWJOTobXh5HyQKjq6wUC5tNybqjIqDpAY4CU= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0/go.mod h1:69uWxva0WgAA/4bu2Yy70SLDBwZXuQ6PbBpbsa5iZrQ= go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I= go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 h1:88Y4s2C8oTui1LGM6bTWkw0ICGcOLCAI5l6zsD1j20k= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0/go.mod h1:Vl1/iaggsuRlrHf/hfPJPvVag77kKyvrLeD10kpMl+A= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 h1:3iZJKlCZufyRzPzlQhUIWVmfltrXuGyfjREgGP3UUjc= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0/go.mod h1:/G+nUPfhq2e+qiXMGxMwumDrP5jtzU+mWN7/sjT2rak= go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0 h1:WDdP9acbMYjbKIyJUhTvtzj601sVJOqgWdUxSdR/Ysc= go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0/go.mod h1:BLbf7zbNIONBLPwvFnwNHGj4zge8uTCM/UPIVW1Mq2I= go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM= 
@@ -1200,8 +1185,6 @@ go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfC go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A= go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A= go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0= -go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g= -go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk= go.starlark.net v0.0.0-20231101134539-556fd59b42f6 h1:+eC0F/k4aBLC4szgOcjd7bDTEnpxADJyWJE0yowgM3E= go.starlark.net v0.0.0-20231101134539-556fd59b42f6/go.mod h1:LcLNIzVOMp4oV+uusnpk+VU+SzXaJakUuBjoCSWH5dM= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= @@ -1464,8 +1447,8 @@ golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.10.0 h1:3usCWA8tQn0L8+hFJQNgzpWbd89begxN66o1Ojdn5L4= -golang.org/x/time v0.10.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0= +golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -1654,8 +1637,8 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o= -gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g= +gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q= +gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= @@ -1683,8 +1666,8 @@ mvdan.cc/gofumpt v0.10.0 h1:yGGpRS2pBN2OQIi7b21IXknJna7faPkFaVfHLrN6Euo= mvdan.cc/gofumpt v0.10.0/go.mod h1:sU2ElXHzOEmvoPqfutYG7uunlueR4K2T1JFml40SzP4= mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f h1:lMpcwN6GxNbWtbpI1+xzFLSW8XzX0u72NttUGVFjO3U= mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f/go.mod h1:RSLa7mKKCNeTTMHBw5Hsy2rfJmd6O2ivt9Dw9ZqCQpQ= -pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw= -pgregory.net/rapid v1.1.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04= +pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk= +pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= 
diff --git a/pkg/clouds/pulumi/docker/pull.go b/pkg/clouds/pulumi/docker/pull.go index eb5c921d..5bbf72eb 100644 --- a/pkg/clouds/pulumi/docker/pull.go +++ b/pkg/clouds/pulumi/docker/pull.go @@ -3,13 +3,12 @@ package docker import ( "bufio" - "golang.org/x/sync/errgroup" - - "github.com/docker/docker/api/types/image" - "github.com/docker/docker/client" + "github.com/containerd/platforms" + "github.com/moby/moby/client" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" "github.com/pkg/errors" - sdk "github.com/pulumi/pulumi/sdk/v3/go/pulumi" + "golang.org/x/sync/errgroup" "github.com/simple-container-com/api/pkg/api/logger" ) @@ -35,20 +34,24 @@ func NewDockerPull(ctx *sdk.Context, name string, args *PullArgs, opts ...sdk.Re return nil, err } - dockerAPI, err := client.NewClientWithOpts(client.FromEnv) + dockerAPI, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation()) if err != nil { return nil, err } - dockerAPI.NegotiateAPIVersion(ctx.Context()) msgReader := chanMsgReader{msgChan: make(chan readerNextMessage)} digest := sdk.All(args.RemoteImage, args.AuthHeader, args.Platform).ApplyT(func(all []any) (string, error) { remoteImage, authHeader, platform := all[0].(string), all[1].(string), all[2].(string) - reader, err := dockerAPI.ImagePull(ctx.Context(), remoteImage, image.PullOptions{ - RegistryAuth: authHeader, - Platform: platform, - }) + pullOpts := client.ImagePullOptions{RegistryAuth: authHeader} + if platform != "" { + parsed, perr := platforms.Parse(platform) + if perr != nil { + return "", errors.Wrapf(perr, "invalid platform %q for docker pull of %q", platform, remoteImage) + } + pullOpts.Platforms = []ocispec.Platform{parsed} + } + reader, err := dockerAPI.ImagePull(ctx.Context(), remoteImage, pullOpts) if err != nil { return "", errors.Wrapf(err, "failed to invoke docker pull for %q", remoteImage) } diff --git a/pkg/clouds/pulumi/docker/types.go b/pkg/clouds/pulumi/docker/types.go index e32acb1c..9c9f5eb5 100644 
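Review bot: `platforms.Parse(platform)` in the second hunk fills in a missing OS from the client's own `runtime.GOOS` when `platform` is a bare architecture such as `arm64`, whereas the removed code handed the raw string to the daemon, which resolved it against its OS; a macOS or Windows control host talking to a Linux daemon could now request `darwin/arm64` where it previously got `linux/arm64`. If `args.Platform` is only ever populated with full `os/arch[/variant]` strings this is harmless, but that contract is not visible here, so either document it on `PullArgs.Platform` or reject bare values before parsing, e.g. `if !strings.Contains(platform, "/") { return "", errors.Errorf("platform %q must be os/arch[/variant]", platform) }` (needs the `strings` import). The client-side parse is otherwise an improvement: an invalid specifier now fails before any daemon or registry round-trip, and the new error mentions only the image and platform, never `authHeader`. Note that with `client.WithAPIVersionNegotiation()` the `/_ping` moves from construction time to the first `ImagePull` inside the `ApplyT` callback, so an unreachable daemon now surfaces as a pull failure rather than a constructor error, which is probably fine but changes what callers see. `NewDockerPull` continues outside the hunk.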
--- a/pkg/clouds/pulumi/docker/types.go +++ b/pkg/clouds/pulumi/docker/types.go @@ -6,7 +6,7 @@ import ( "encoding/json" "fmt" - "github.com/docker/docker/api/types/registry" + "github.com/moby/moby/api/types/registry" "github.com/pkg/errors" "github.com/simple-container-com/api/pkg/util" From a9e110d7f575e367f1aadfff7cfaa947831dbe63 Mon Sep 17 00:00:00 2001 From: Dmitrii Creed Date: Fri, 8 May 2026 23:33:12 +0400 Subject: [PATCH 3/8] ci(security): pin third-party GitHub Actions to commit SHAs Resolves 26 Semgrep gha-unpinned-third-party-action findings across branch-preview.yaml, branch.yaml, build-staging.yml, push.yaml, and simple-forge.yml. Mutable major-version tags (e.g. @v6) are re-pointable by the action's owner; pinning to a 40-char commit SHA removes that supply-chain hijack vector (cf. tj-actions/changed-files incident, CVE-2025-30066). Pinned: - reecetech/version-increment 71036b21 (2023.10.2) - fregante/setup-git-user 024bc0b8 (v2.0.2) - useblacksmith/setup-go 647ac649 (v6.0.1) - docker/setup-buildx-action 8d2750c6 (v3.12.0) Signed-off-by: Dmitrii Creed --- .github/workflows/branch-preview.yaml | 16 ++++++++-------- .github/workflows/branch.yaml | 12 ++++++------ .github/workflows/build-staging.yml | 4 ++-- .github/workflows/push.yaml | 18 +++++++++--------- .github/workflows/simple-forge.yml | 2 +- 5 files changed, 26 insertions(+), 26 deletions(-) diff --git a/.github/workflows/branch-preview.yaml b/.github/workflows/branch-preview.yaml index 92ba2e80..30218850 100644 --- a/.github/workflows/branch-preview.yaml +++ b/.github/workflows/branch-preview.yaml @@ -19,7 +19,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Get next version - uses: reecetech/version-increment@2023.10.2 + uses: reecetech/version-increment@71036b212bbdc100b48aae069870f10953433346 # 2023.10.2 id: base-version with: scheme: "calver" 
@@ -41,9 +41,9 @@ jobs: cicd-bot-telegram-chat-id: ${{ steps.telegram-secrets.outputs.cicd-bot-telegram-chat-id }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: fregante/setup-git-user@v2 + - uses: fregante/setup-git-user@024bc0b8e177d7e77203b48dab6fb45666854b35 # v2.0.2 - name: Set up Go with Blacksmith caching - uses: useblacksmith/setup-go@v6 + uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: go-version: '1.25' - name: install sc tool @@ -126,7 +126,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go with Blacksmith caching - uses: useblacksmith/setup-go@v6 + uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: go-version: '1.25' - name: create build directories @@ -168,7 +168,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go with Blacksmith caching - uses: useblacksmith/setup-go@v6 + uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: go-version: '1.25' - name: create build directories @@ -194,7 +194,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go with Blacksmith caching - uses: useblacksmith/setup-go@v6 + uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: go-version: '1.25' - name: test @@ -234,7 +234,7 @@ jobs: EOF sc secrets reveal - name: Setup Docker Buildx with advanced caching - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 with: driver-opts: | image=moby/buildkit:buildx-stable-1 
@@ -318,7 +318,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - - uses: fregante/setup-git-user@v2 + - uses: fregante/setup-git-user@024bc0b8e177d7e77203b48dab6fb45666854b35 # v2.0.2 - name: configure git remote with token run: | git remote set-url origin https://${{ secrets.GITHUB_TOKEN }}@github.com/simple-container-com/api.git diff --git a/.github/workflows/branch.yaml b/.github/workflows/branch.yaml index 1b30b373..6cc179ea 100644 --- a/.github/workflows/branch.yaml +++ b/.github/workflows/branch.yaml @@ -18,9 +18,9 @@ jobs: cicd-bot-telegram-chat-id: ${{ steps.telegram-secrets.outputs.cicd-bot-telegram-chat-id }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: fregante/setup-git-user@v2 + - uses: fregante/setup-git-user@024bc0b8e177d7e77203b48dab6fb45666854b35 # v2.0.2 - name: Set up Go with Blacksmith caching - uses: useblacksmith/setup-go@v6 + uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: go-version: '1.25' - name: install sc tool @@ -103,7 +103,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go with Blacksmith caching - uses: useblacksmith/setup-go@v6 + uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: go-version: '1.25' - name: create build directories @@ -143,7 +143,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go with Blacksmith caching - uses: useblacksmith/setup-go@v6 + uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: go-version: '1.25' - name: create build directories 
@@ -168,7 +168,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go with Blacksmith caching - uses: useblacksmith/setup-go@v6 + uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: go-version: '1.25' - name: build github-actions-staging @@ -189,7 +189,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go with Blacksmith caching - uses: useblacksmith/setup-go@v6 + uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: go-version: '1.25' - name: test diff --git a/.github/workflows/build-staging.yml b/.github/workflows/build-staging.yml index 76def95a..5e89fc95 100644 --- a/.github/workflows/build-staging.yml +++ b/.github/workflows/build-staging.yml @@ -19,7 +19,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go with Blacksmith caching - uses: useblacksmith/setup-go@v6 + uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: go-version: '1.24' @@ -61,7 +61,7 @@ jobs: echo "cicd-bot-telegram-chat-id=$(sc stack secret-get -s dist cicd-bot-telegram-chat-id)" >> $GITHUB_OUTPUT - name: Setup Docker Buildx with advanced caching - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 with: driver-opts: | image=moby/buildkit:buildx-stable-1 diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml index 30e1bf4c..09d1f758 100644 --- a/.github/workflows/push.yaml +++ b/.github/workflows/push.yaml @@ -22,7 +22,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Get next version - uses: reecetech/version-increment@2023.10.2 + uses: reecetech/version-increment@71036b212bbdc100b48aae069870f10953433346 # 2023.10.2 id: version with: scheme: "calver" 
@@ -38,9 +38,9 @@ jobs: cicd-bot-telegram-chat-id: ${{ steps.telegram-secrets.outputs.cicd-bot-telegram-chat-id }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: fregante/setup-git-user@v2 + - uses: fregante/setup-git-user@024bc0b8e177d7e77203b48dab6fb45666854b35 # v2.0.2 - name: Set up Go with Blacksmith caching - uses: useblacksmith/setup-go@v6 + uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: go-version: '1.25' - name: install sc tool @@ -128,7 +128,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go with Blacksmith caching - uses: useblacksmith/setup-go@v6 + uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: go-version: '1.25' - name: create build directories @@ -176,7 +176,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go with Blacksmith caching - uses: useblacksmith/setup-go@v6 + uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: go-version: '1.25' - name: create build directories @@ -202,7 +202,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go with Blacksmith caching - uses: useblacksmith/setup-go@v6 + uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: go-version: '1.25' - name: build github-actions-staging @@ -226,7 +226,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go with Blacksmith caching - uses: useblacksmith/setup-go@v6 + uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: go-version: '1.25' - name: test 
@@ -316,7 +316,7 @@ jobs: EOF sc secrets reveal - name: Setup Docker Buildx with advanced caching - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 with: driver-opts: | image=moby/buildkit:buildx-stable-1 @@ -350,7 +350,7 @@ jobs: needs: [prepare, build-setup, build-platforms, build-binaries, build-github-actions-staging, test, build-docs, docker-build] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: fregante/setup-git-user@v2 + - uses: fregante/setup-git-user@024bc0b8e177d7e77203b48dab6fb45666854b35 # v2.0.2 - name: install sc tool uses: simple-container-com/actions/install-sc@main - name: install welder tool diff --git a/.github/workflows/simple-forge.yml b/.github/workflows/simple-forge.yml index 43b9135f..dae3223d 100644 --- a/.github/workflows/simple-forge.yml +++ b/.github/workflows/simple-forge.yml @@ -50,7 +50,7 @@ jobs: fetch-depth: 0 - name: Setup Go with Blacksmith Cache - uses: useblacksmith/setup-go@v6 + uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: go-version: '1.25' From ebd8fe26b8df47bc16cba5db8fbe49da2f6fa6ba Mon Sep 17 00:00:00 2001 
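Review bot: The push.yaml @@ -350 hunk pins fregante/setup-git-user to a commit SHA but leaves the adjacent `uses: simple-container-com/actions/install-sc@main` on a mutable branch ref, so the binary that later steps use to authenticate resolves to whatever `main` holds at run time. For consistency with the pinning this commit does it should get the same treatment, `uses: simple-container-com/actions/install-sc@<COMMIT-SHA> # <version>` (SHA placeholder, take it from that repo), or at least a tag; the same line recurs as context in the later push.yaml @@ -350 hunk. It is an org-owned action, so the first-party Semgrep rule presumably does not flag it; worth checking that Dependabot's github-actions ecosystem tracks it once pinned.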
From: Dmitrii Creed Date: Fri, 8 May 2026 23:44:06 +0400 Subject: [PATCH 4/8] fix(security): use %w to preserve error wrap chain in fmt.Errorf MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Resolves 19 Semgrep go-fmt-errorf-percent-v-for-error findings (rule shipped in actions PR 7) across: - pkg/assistant/chat/commands_project.go (6) - pkg/assistant/core/commands.go (5) - pkg/assistant/mcp/server.go (5) - pkg/clouds/pulumi/gcp/bucket_uploader.go (3) %v formats the error's text but drops the wrap chain — errors.Is and errors.As cannot then unwrap to the underlying sentinel, so callers lose the ability to programmatically distinguish error kinds. Untouched: 3 fmt.Errorf calls in server.go that format recover() panic values (any) or a non-error response struct field — %w is invalid for non-error operands and the rule correctly skips them. Signed-off-by: Dmitrii Creed --- pkg/assistant/chat/commands_project.go | 12 ++++++------ pkg/assistant/core/commands.go | 10 +++++----- pkg/assistant/mcp/server.go | 10 +++++----- pkg/clouds/pulumi/gcp/bucket_uploader.go | 6 +++--- 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/pkg/assistant/chat/commands_project.go b/pkg/assistant/chat/commands_project.go index 6bfc6b6a..67beb6d1 100644 --- a/pkg/assistant/chat/commands_project.go +++ b/pkg/assistant/chat/commands_project.go @@ -1168,7 +1168,7 @@ func (c *ChatInterface) selectDeploymentTypeForChat(context *ConversationContext // Use chat interface's ReadSimple for menu selection response, err := c.inputHandler.ReadSimple("\n Select deployment type [1-3]: ") if err != nil { - return fmt.Errorf("failed to read selection: %v", err) + return fmt.Errorf("failed to read selection: %w", err) } response = strings.TrimSpace(response) 
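Review bot: With the wrap chain now preserved, `fmt.Errorf("failed to read selection: %w", err)` in selectDeploymentTypeForChat will read as "failed to …: failed to …" as soon as a caller wraps it again; Go convention is for the message to say what this layer was doing, e.g. `return fmt.Errorf("reading deployment type selection: %w", err)`. The same "failed to" prefix recurs in the commands_project.go @@ -1824 and @@ -1863 hunks and in the commands.go and server.go hunks of this commit. This is a style point only; if any caller or test matches on the message text it would need the same edit. selectDeploymentTypeForChat's body continues outside the hunk.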
@@ -1800,17 +1800,17 @@ func (c *ChatInterface) replaceFileLines(filePath, newContent, lineRange string) } startLine, err = strconv.Atoi(strings.TrimSpace(parts[0])) if err != nil { - return nil, fmt.Errorf("invalid start line number: %v", err) + return nil, fmt.Errorf("invalid start line number: %w", err) } endLine, err = strconv.Atoi(strings.TrimSpace(parts[1])) if err != nil { - return nil, fmt.Errorf("invalid end line number: %v", err) + return nil, fmt.Errorf("invalid end line number: %w", err) } } else { // Single line replacement startLine, err = strconv.Atoi(strings.TrimSpace(lineRange)) if err != nil { - return nil, fmt.Errorf("invalid line number: %v", err) + return nil, fmt.Errorf("invalid line number: %w", err) } endLine = startLine } @@ -1824,7 +1824,7 @@ func (c *ChatInterface) replaceFileLines(filePath, newContent, lineRange string) if _, err := os.Stat(filePath); !os.IsNotExist(err) { existingContent, err = os.ReadFile(filePath) if err != nil { - return nil, fmt.Errorf("failed to read existing file: %v", err) + return nil, fmt.Errorf("failed to read existing file: %w", err) } } @@ -1863,7 +1863,7 @@ func (c *ChatInterface) appendToFile(filePath, content string) ([]byte, error) { var err error existingContent, err = os.ReadFile(filePath) if err != nil { - return nil, fmt.Errorf("failed to read existing file: %v", err) + return nil, fmt.Errorf("failed to read existing file: %w", err) } } diff --git a/pkg/assistant/core/commands.go b/pkg/assistant/core/commands.go index 6e36cff9..ed8ea9b7 100644 --- a/pkg/assistant/core/commands.go +++ b/pkg/assistant/core/commands.go @@ -2706,7 +2706,7 @@ func (p *CustomConfigVersionProvider) GetCurrent(stackName, configType string) ( // Convert stack config to YAML string yamlBytes, err := yaml.Marshal(stackConfig) if err != nil { - return nil, fmt.Errorf("failed to marshal stack config to YAML: %v", err) + return nil, fmt.Errorf("failed to marshal stack config to YAML: %w", err) } return &configdiff.ResolvedConfig{ 
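Review bot: The `if _, err := os.Stat(filePath); !os.IsNotExist(err)` guard in the @@ -1824 hunk uses `os.IsNotExist`, which is documented as not seeing through wrapped errors; it works here because os.Stat returns a bare *PathError, but given this commit's rationale the consistent form is `if _, err := os.Stat(filePath); !errors.Is(err, fs.ErrNotExist)` (needs `errors` and `io/fs` in scope, not visible here). Note also that any other Stat failure (permissions, for instance) falls into the read branch and surfaces only as the wrapped ReadFile error, which is acceptable but worth a one-line comment, `// any Stat error other than not-exist is reported by ReadFile below`. replaceFileLines starts and ends outside these hunks.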
@@ -2727,13 +2727,13 @@ func (p *CustomConfigVersionProvider) GetFromGit(stackName, configType, gitRef s cmd := exec.Command("git", "show", fmt.Sprintf("%s:%s", gitRef, p.filePath)) output, err := cmd.Output() if err != nil { - return nil, fmt.Errorf("failed to get file from git: %v", err) + return nil, fmt.Errorf("failed to get file from git: %w", err) } // Parse the YAML content var yamlContent map[string]interface{} if err := yaml.Unmarshal(output, &yamlContent); err != nil { - return nil, fmt.Errorf("failed to parse YAML from git: %v", err) + return nil, fmt.Errorf("failed to parse YAML from git: %w", err) } // Extract the specific stack from the content @@ -2742,7 +2742,7 @@ func (p *CustomConfigVersionProvider) GetFromGit(stackName, configType, gitRef s // Convert stack config to YAML string yamlBytes, err := yaml.Marshal(stackConfig) if err != nil { - return nil, fmt.Errorf("failed to marshal stack config to YAML: %v", err) + return nil, fmt.Errorf("failed to marshal stack config to YAML: %w", err) } return &configdiff.ResolvedConfig{ @@ -2777,7 +2777,7 @@ func (p *CustomConfigVersionProvider) GetFromLocal(stackName, configType, filePa // Convert stack config to YAML string yamlBytes, err := yaml.Marshal(stackConfig) if err != nil { - return nil, fmt.Errorf("failed to marshal stack config to YAML: %v", err) + return nil, fmt.Errorf("failed to marshal stack config to YAML: %w", err) } return &configdiff.ResolvedConfig{ diff --git a/pkg/assistant/mcp/server.go b/pkg/assistant/mcp/server.go index fddd141e..c1d9172f 100644 --- a/pkg/assistant/mcp/server.go +++ b/pkg/assistant/mcp/server.go 
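Review bot: In GetFromGit the `gitRef` value is passed to `git show` as a positional, so a value beginning with `-` would be parsed as an option rather than a revision; where gitRef can originate from user input, `exec.Command("git", "show", "--end-of-options", fmt.Sprintf("%s:%s", gitRef, p.filePath))` (git 2.24+) closes that off without changing valid inputs. Separately, `cmd.Output()` keeps git's stderr only in `*exec.ExitError.Stderr`, so the wrapped `failed to get file from git: exit status 128` carries no hint of whether the ref or the path was wrong; appending that stderr via errors.As before wrapping would make the chain actionable. GetFromGit's body continues outside the hunk.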
@@ -3445,17 +3445,17 @@ func (h *DefaultMCPHandler) replaceFileLines(filePath, newContent, lineRange str } startLine, err = strconv.Atoi(strings.TrimSpace(parts[0])) if err != nil { - return nil, fmt.Errorf("invalid start line number: %v", err) + return nil, fmt.Errorf("invalid start line number: %w", err) } endLine, err = strconv.Atoi(strings.TrimSpace(parts[1])) if err != nil { - return nil, fmt.Errorf("invalid end line number: %v", err) + return nil, fmt.Errorf("invalid end line number: %w", err) } } else { // Single line replacement startLine, err = strconv.Atoi(strings.TrimSpace(lineRange)) if err != nil { - return nil, fmt.Errorf("invalid line number: %v", err) + return nil, fmt.Errorf("invalid line number: %w", err) } endLine = startLine } @@ -3469,7 +3469,7 @@ func (h *DefaultMCPHandler) replaceFileLines(filePath, newContent, lineRange str if _, err := os.Stat(filePath); !os.IsNotExist(err) { existingContent, err = os.ReadFile(filePath) if err != nil { - return nil, fmt.Errorf("failed to read existing file: %v", err) + return nil, fmt.Errorf("failed to read existing file: %w", err) } } @@ -3507,7 +3507,7 @@ func (h *DefaultMCPHandler) appendToFile(filePath, content string) ([]byte, erro var err error existingContent, err = os.ReadFile(filePath) if err != nil { - return nil, fmt.Errorf("failed to read existing file: %v", err) + return nil, fmt.Errorf("failed to read existing file: %w", err) } } diff --git a/pkg/clouds/pulumi/gcp/bucket_uploader.go b/pkg/clouds/pulumi/gcp/bucket_uploader.go index 98777dff..c0e8a86f 100644 --- a/pkg/clouds/pulumi/gcp/bucket_uploader.go +++ b/pkg/clouds/pulumi/gcp/bucket_uploader.go 
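Review bot: replaceFileLines and appendToFile in server.go carry the same line-range parsing, Stat/ReadFile and error-wrapping code as the identically named methods in pkg/assistant/chat/commands_project.go patched earlier in this commit, and the two copies had to be fixed in lockstep here. A shared helper, e.g. a package-level `parseLineRange(lineRange string) (start, end int, err error)` plus a read-if-exists helper, would leave one place to harden; the MCP handler is presumably the externally reachable entry point, so that is where drift between the copies matters most. Both method bodies start and end outside the hunks.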
@@ -103,7 +103,7 @@ func copyAllFilesToBucket(ctx context.Context, bucketName string, syncDir, gcpCr f, err := os.Open(path.Join(syncDir, copyPath)) if err != nil { params.Log.Error(ctx, color.RedFmt("Error uploading %s: %v", filePath, err)) - return fmt.Errorf("os.Open: %v", err) + return fmt.Errorf("os.Open: %w", err) } defer func(f *os.File) { _ = f.Close() @@ -113,12 +113,12 @@ func copyAllFilesToBucket(ctx context.Context, bucketName string, syncDir, gcpCr bytesCopied, err := io.Copy(wc, f) if err != nil { params.Log.Error(ctx, color.RedFmt("Error uploading %s: %v", filePath, err)) - return fmt.Errorf("io.Copy: %v", err) + return fmt.Errorf("io.Copy: %w", err) } totalBytes.Add(bytesCopied) if err := wc.Close(); err != nil { params.Log.Error(ctx, color.RedFmt("Error closing bucket object %s: %v", filePath, err)) - return fmt.Errorf("Writer.Close: %v", err) + return fmt.Errorf("Writer.Close: %w", err) } var contentType string if attrs, err := updateContentType(ctx, object, filePath); err != nil { From 7cd52e401f5b0a8bfb91314d2cd62d234faf6265 Mon Sep 17 00:00:00 2001 
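Review bot: Each error path in copyAllFilesToBucket both logs via `params.Log.Error(...)` and returns the error wrapped, so the same failure is reported twice once the caller logs the returned error; with `%w` now preserving the chain the caller has the full context, so either the three `params.Log.Error` lines can go or the return should be the single report. If the log lines are deliberately kept for the per-file progress view, a short comment saying so, `// logged here for per-file progress; the caller reports the aggregate`, would stop the next reader from removing them. The function body starts and ends outside the hunks.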
From: Dmitrii Creed Date: Mon, 11 May 2026 01:05:53 +0400 Subject: [PATCH 5/8] ci(security): clear remaining Semgrep findings across workflows MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After actions/main shipped the tightened SAST ruleset (PR #7 and follow-ups incl. `gha-checkout-missing-persist-credentials-false`, `gha-github-token-in-url`, `gha-buildkit-insecure-entitlement`, `gha-pull-request-uses-non-token-secret`), this PR's Semgrep Status went red. Closing them out: - gha-buildkit-insecure-entitlement (3): drop `--allow-insecure-entitlement security.insecure` from every setup-buildx-action invocation — no Dockerfile uses `RUN --security=insecure`, the flag is dead weight that opened a build-time sandbox escape. - gha-github-token-in-url (5): replace `git remote set-url origin https://${TOKEN}@github.com/...` with `gh auth setup-git` + `GH_TOKEN` env. Token no longer ends up in `.git/config`, ps output, or any redirected URL. - gha-checkout-missing-persist-credentials-false (28): add `with: persist-credentials: false` to every actions/checkout. The preceding gh-auth-setup-git change means subsequent `git push` / `welder run rebuild` / `welder run tag-release` steps still authenticate via gh's credential helper instead of relying on the checkout-persisted token in `.git/config`. - gha-pull-request-uses-non-token-secret (1) on branch.yaml: suppressed with documented rationale — GitHub blocks secrets for fork PRs, so the practical attack surface is internal collaborators only. Workflow_run- gated split is the proper fix, tracked separately. Local semgrep against actions/semgrep-scan/rules: 0 ERROR, 0 WARNING (down from 11 ERROR + 28 WARNING). 
Signed-off-by: Dmitrii Creed --- .github/workflows/branch-preview.yaml | 27 +++++++++++++++++++++++---- .github/workflows/branch.yaml | 24 +++++++++++++++++++++++- .github/workflows/build-staging.yml | 5 ++++- .github/workflows/push.yaml | 27 ++++++++++++++++++++++++--- .github/workflows/simple-forge.yml | 1 + 5 files changed, 75 insertions(+), 9 deletions(-) diff --git a/.github/workflows/branch-preview.yaml b/.github/workflows/branch-preview.yaml index 30218850..4d65216b 100644 --- a/.github/workflows/branch-preview.yaml +++ b/.github/workflows/branch-preview.yaml @@ -18,6 +18,8 @@ jobs: version: ${{ steps.version.outputs.version }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Get next version uses: reecetech/version-increment@71036b212bbdc100b48aae069870f10953433346 # 2023.10.2 id: base-version @@ -41,6 +43,8 @@ jobs: cicd-bot-telegram-chat-id: ${{ steps.telegram-secrets.outputs.cicd-bot-telegram-chat-id }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: fregante/setup-git-user@024bc0b8e177d7e77203b48dab6fb45666854b35 # v2.0.2 - name: Set up Go with Blacksmith caching uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 @@ -68,8 +72,9 @@ jobs: env: OPENAI_API_KEY: ${{ steps.get-openai-key.outputs.openai-key }} SKIP_EMBEDDINGS: "true" + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: |- - git remote set-url origin https://${{ secrets.GITHUB_TOKEN }}@github.com/simple-container-com/api.git + gh auth setup-git welder run rebuild - name: clean run: | @@ -125,6 +130,8 @@ jobs: arch: amd64 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Go with Blacksmith caching uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: 
@@ -167,6 +174,8 @@ jobs: output: dist/cloud-helpers steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Go with Blacksmith caching uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: @@ -193,6 +202,8 @@ jobs: needs: [prepare, build-setup] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Go with Blacksmith caching uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: @@ -218,6 +229,8 @@ jobs: tag_prefix: "simplecontainer/cloud-helpers:aws-" steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: download ${{ matrix.target }} binary uses: actions/download-artifact@v4 with: @@ -238,7 +251,6 @@ jobs: with: driver-opts: | image=moby/buildkit:buildx-stable-1 - buildkitd-flags: --allow-insecure-entitlement security.insecure - name: Disable IPv6 (Blacksmith runners have broken IPv6 to Docker Hub) run: sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1 - name: Docker login using SC secrets @@ -266,6 +278,8 @@ jobs: needs: [prepare, build-setup, build-platforms, test] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: download all sc platform artifacts uses: actions/download-artifact@v4 with: 
@@ -317,11 +331,14 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false fetch-depth: 0 - uses: fregante/setup-git-user@024bc0b8e177d7e77203b48dab6fb45666854b35 # v2.0.2 - - name: configure git remote with token + - name: configure git credential helper + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - git remote set-url origin https://${{ secrets.GITHUB_TOKEN }}@github.com/simple-container-com/api.git + gh auth setup-git - name: create release branch and update action.yml image tags env: VERSION: ${{ needs.prepare.outputs.version }} @@ -362,6 +379,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 if: ${{ always() }} + with: + persist-credentials: false - name: Extract git reference id: extract_git_ref diff --git a/.github/workflows/branch.yaml b/.github/workflows/branch.yaml index 6cc179ea..8f7310bb 100644 --- a/.github/workflows/branch.yaml +++ b/.github/workflows/branch.yaml @@ -1,4 +1,13 @@ name: Build simple-container in branch +# GitHub does not pass repository secrets to workflows triggered by fork +# PRs (only same-repo branches), so the practical attack surface for the +# rule below is limited to internal collaborators with push access. The +# PR-validation job requires `secrets.SC_CONFIG` to decrypt the SC config +# and run integration-style tests against shared infra. Splitting this +# into a workflow_run-gated secret-using job is the proper fix and is +# tracked separately; until then this is accepted defense-in-depth risk +# for trusted contributors. +# nosemgrep: gha-pull-request-uses-non-token-secret on: workflow_dispatch: pull_request: 
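Review bot: In the branch-preview.yaml @@ -317 hunk `GH_TOKEN` is set only on the `configure git credential helper` step, but `gh auth setup-git` only registers `gh auth git-credential` as git's credential helper; the token is looked up from the environment when git asks for credentials, not stored at setup time, unless gh has a stored login (none is created here). With `persist-credentials: false` now in effect, the following `create release branch and update action.yml image tags` step (which continues outside the hunk) needs `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` in its own env for any push to authenticate, as the @@ -68 hunk already does by placing the token on the `welder run rebuild` step. Worth confirming on a run, since a failure would only show up on the release path.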
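Review bot: The suppression rationale added at the top of branch.yaml says the workflow_run-gated split is "tracked separately" without a reference, so the next reader cannot tell whether it is still open; add the link on the comment, `# tracked in <ISSUE-URL>` (placeholder for the actual tracker item). The `# nosemgrep:` line also sits above `on:` rather than next to the `secrets.SC_CONFIG` usage it excuses; the commit says the local scan is clean, so the rule's match must begin at that block, but a short note such as `# keep this suppression directly above the on: block` would keep a later reorder from silently re-triggering the finding.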
@@ -18,6 +27,8 @@ jobs: cicd-bot-telegram-chat-id: ${{ steps.telegram-secrets.outputs.cicd-bot-telegram-chat-id }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: fregante/setup-git-user@024bc0b8e177d7e77203b48dab6fb45666854b35 # v2.0.2 - name: Set up Go with Blacksmith caching uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 @@ -45,8 +56,9 @@ jobs: env: OPENAI_API_KEY: ${{ steps.get-openai-key.outputs.openai-key }} SKIP_EMBEDDINGS: "true" + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: |- - git remote set-url origin https://${{ secrets.GITHUB_TOKEN }}@github.com/simple-container-com/api.git + gh auth setup-git welder run rebuild - name: clean run: | @@ -102,6 +114,8 @@ jobs: arch: amd64 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Go with Blacksmith caching uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: @@ -142,6 +156,8 @@ jobs: output: dist/cloud-helpers steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Go with Blacksmith caching uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: @@ -167,6 +183,8 @@ jobs: needs: build-setup steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Go with Blacksmith caching uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: @@ -188,6 +206,8 @@ jobs: needs: build-setup steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Go with Blacksmith caching uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: 
@@ -211,6 +231,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 if: ${{ always() }} + with: + persist-credentials: false - name: Extract git reference id: extract_git_ref diff --git a/.github/workflows/build-staging.yml b/.github/workflows/build-staging.yml index 5e89fc95..a04c3f6c 100644 --- a/.github/workflows/build-staging.yml +++ b/.github/workflows/build-staging.yml @@ -17,6 +17,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Go with Blacksmith caching uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 @@ -65,7 +67,6 @@ jobs: with: driver-opts: | image=moby/buildkit:buildx-stable-1 - buildkitd-flags: --allow-insecure-entitlement security.insecure - name: Build static github-actions binary with welder (cached Go modules) run: | @@ -140,6 +141,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 if: ${{ always() }} + with: + persist-credentials: false - name: Extract git reference id: extract_git_ref diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml index 09d1f758..4bf3a8fd 100644 --- a/.github/workflows/push.yaml +++ b/.github/workflows/push.yaml @@ -21,6 +21,8 @@ jobs: version: ${{ steps.version.outputs.version }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Get next version uses: reecetech/version-increment@71036b212bbdc100b48aae069870f10953433346 # 2023.10.2 id: version 
@@ -38,6 +40,8 @@ jobs: cicd-bot-telegram-chat-id: ${{ steps.telegram-secrets.outputs.cicd-bot-telegram-chat-id }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: fregante/setup-git-user@024bc0b8e177d7e77203b48dab6fb45666854b35 # v2.0.2 - name: Set up Go with Blacksmith caching uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 @@ -65,8 +69,9 @@ jobs: env: OPENAI_API_KEY: ${{ steps.get-openai-key.outputs.openai-key }} SKIP_EMBEDDINGS: "true" + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: |- - git remote set-url origin https://${{ secrets.GITHUB_TOKEN }}@github.com/simple-container-com/api.git + gh auth setup-git welder run rebuild - name: clean run: | @@ -127,6 +132,8 @@ jobs: arch: amd64 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Go with Blacksmith caching uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: @@ -175,6 +182,8 @@ jobs: output: dist/cloud-helpers steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Go with Blacksmith caching uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: @@ -201,6 +210,8 @@ jobs: needs: [prepare, build-setup] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Go with Blacksmith caching uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: @@ -225,6 +236,8 @@ jobs: needs: [prepare, build-setup] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Go with Blacksmith caching uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 with: 
@@ -239,6 +252,8 @@ jobs: needs: [prepare, build-setup] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: restore cached schemas uses: actions/cache@v4 with: @@ -286,6 +301,8 @@ jobs: simplecontainer/cloud-helpers:aws-${{ needs.prepare.outputs.version }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: download github-actions-staging binary if: matrix.image == 'github-actions-staging' uses: actions/download-artifact@v4 @@ -320,7 +337,6 @@ jobs: with: driver-opts: | image=moby/buildkit:buildx-stable-1 - buildkitd-flags: --allow-insecure-entitlement security.insecure - name: Docker login using SC secrets run: | sc stack secret-get -s dist dockerhub-cicd-token | docker login --username simplecontainer --password-stdin @@ -350,6 +366,8 @@ jobs: needs: [prepare, build-setup, build-platforms, build-binaries, build-github-actions-staging, test, build-docs, docker-build] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: fregante/setup-git-user@024bc0b8e177d7e77203b48dab6fb45666854b35 # v2.0.2 - name: install sc tool uses: simple-container-com/actions/install-sc@main @@ -394,8 +412,9 @@ jobs: - name: Run tag-release task after images are built env: VERSION: ${{ needs.prepare.outputs.version }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: |- - git remote set-url origin https://${{ secrets.GITHUB_TOKEN }}@github.com/simple-container-com/api.git + gh auth setup-git welder run tag-release - name: publish sc tool shell: bash @@ -417,6 +436,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 if: ${{ always() }} + with: + persist-credentials: false - name: Extract git reference id: extract_git_ref diff --git a/.github/workflows/simple-forge.yml b/.github/workflows/simple-forge.yml index dae3223d..b50bd17c 100644 
--- a/.github/workflows/simple-forge.yml +++ b/.github/workflows/simple-forge.yml @@ -48,6 +48,7 @@ jobs: with: token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} fetch-depth: 0 + persist-credentials: false - name: Setup Go with Blacksmith Cache uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6.0.1 From 72b874ff47ff5b2a1b54cbefcd096da3397b2058 Mon Sep 17 00:00:00 2001 From: Dmitrii Creed Date: Mon, 11 May 2026 01:19:12 +0400 Subject: [PATCH 6/8] fix(security): pin first-party GitHub Actions + use moby client.New Clears the remaining 24 Semgrep INFO findings (`gha-unpinned-first-party-action`) and the staticcheck SA1019 build break that landed with the moby/moby/client migration. - Pin actions/upload-artifact, actions/download-artifact, actions/cache, actions/cache/save to commit SHAs with version comments. Dependabot's `github-actions` ecosystem (enabled by this PR) will keep these current automatically by bumping both the SHA and the version comment. - Replace deprecated `client.NewClientWithOpts` with `client.New` in pkg/clouds/pulumi/docker/pull.go. The new moby/moby/client v0.4.1 deprecates the legacy name (SA1019 from golangci-lint's staticcheck); signature and behaviour are identical. Local semgrep against actions/semgrep-scan/rules: 0 findings at every severity (down from 11 ERROR + 28 WARNING + 24 INFO at PR open). Signed-off-by: Dmitrii Creed --- .github/workflows/branch-preview.yaml | 12 ++++++------ .github/workflows/branch.yaml | 8 ++++---- .github/workflows/build-staging.yml | 2 +- .github/workflows/push.yaml | 26 +++++++++++++------------- pkg/clouds/pulumi/docker/pull.go | 2 +- 5 files changed, 25 insertions(+), 25 deletions(-) diff --git a/.github/workflows/branch-preview.yaml b/.github/workflows/branch-preview.yaml index 4d65216b..4fd2e3ab 100644 --- a/.github/workflows/branch-preview.yaml +++ b/.github/workflows/branch-preview.yaml 
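Review bot: In simple-forge.yml the checkout uses `token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}` and now `persist-credentials: false`, so the PAT is used for the clone only and no longer lands in `.git/config`; any later step in this job that pushes or fetches (the job continues outside the hunk) will therefore lack a credential and needs an explicit one, the way the other workflows in this commit set `GH_TOKEN` on the step that pushes. Worth checking the rest of that job before merging. If the PAT is there only for the `fetch-depth: 0` clone, a comment on the step saying why the built-in token is insufficient, e.g. `# PAT required because <reason>`, would justify keeping the wider credential.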
@@ -109,7 +109,7 @@ jobs: echo "cicd-bot-telegram-token=$(./bin/sc stack secret-get -s dist cicd-bot-telegram-token)" >> $GITHUB_OUTPUT echo "cicd-bot-telegram-chat-id=$(./bin/sc stack secret-get -s dist cicd-bot-telegram-chat-id)" >> $GITHUB_OUTPUT - name: upload bin directory artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: bin-tools path: bin @@ -153,7 +153,7 @@ jobs: tar -czf .sc/stacks/dist/bundle/sc-${GOOS}-${GOARCH}.tar.gz -C dist/${GOOS}-${GOARCH} sc${EXT} cp .sc/stacks/dist/bundle/sc-${GOOS}-${GOARCH}.tar.gz .sc/stacks/dist/bundle/sc-${GOOS}-${GOARCH}-v${VERSION}.tar.gz - name: upload build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: sc-${{ matrix.os }}-${{ matrix.arch }} path: .sc/stacks/dist/bundle/sc-${{ matrix.os }}-${{ matrix.arch }}-v*.tar.gz @@ -190,7 +190,7 @@ jobs: run: | go build -a -installsuffix cgo -ldflags "-s -w -X=github.com/simple-container-com/api/internal/build.Version=${VERSION}" -o ${{ matrix.output }} ./cmd/${{ matrix.cmd }} - name: upload ${{ matrix.target }} binary - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: ${{ matrix.target }}-binary path: ${{ matrix.output }} @@ -232,7 +232,7 @@ jobs: with: persist-credentials: false - name: download ${{ matrix.target }} binary - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: ${{ matrix.target }}-binary path: dist 
@@ -281,12 +281,12 @@ jobs: with: persist-credentials: false - name: download all sc platform artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: path: artifacts pattern: sc-* - name: download bin tools artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: bin-tools path: bin diff --git a/.github/workflows/branch.yaml b/.github/workflows/branch.yaml index 8f7310bb..1fc332b6 100644 --- a/.github/workflows/branch.yaml +++ b/.github/workflows/branch.yaml @@ -93,7 +93,7 @@ jobs: echo "cicd-bot-telegram-token=$(./bin/sc stack secret-get -s dist cicd-bot-telegram-token)" >> $GITHUB_OUTPUT echo "cicd-bot-telegram-chat-id=$(./bin/sc stack secret-get -s dist cicd-bot-telegram-chat-id)" >> $GITHUB_OUTPUT - name: upload bin directory artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: bin-tools path: bin @@ -135,7 +135,7 @@ jobs: go build -ldflags "-s -w" -o dist/${GOOS}-${GOARCH}/sc${EXT} ./cmd/sc tar -czf .sc/stacks/dist/bundle/sc-${GOOS}-${GOARCH}.tar.gz -C dist/${GOOS}-${GOARCH} sc${EXT} - name: upload build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: sc-${{ matrix.os }}-${{ matrix.arch }} path: .sc/stacks/dist/bundle/sc-${{ matrix.os }}-${{ matrix.arch }}.tar.gz @@ -171,7 +171,7 @@ jobs: run: | go build -a -installsuffix cgo -ldflags "-s -w" -o ${{ matrix.output }} ./cmd/${{ matrix.cmd }} - name: upload ${{ matrix.target }} binary - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: ${{ matrix.target }}-binary path: ${{ matrix.output }} 
@@ -194,7 +194,7 @@ jobs: mkdir -p bin go build -ldflags "-s -w" -a -installsuffix cgo -o bin/github-actions ./cmd/github-actions - name: upload github-actions-staging binary - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: github-actions-staging-binary path: bin/github-actions diff --git a/.github/workflows/build-staging.yml b/.github/workflows/build-staging.yml index a04c3f6c..fe0f81ad 100644 --- a/.github/workflows/build-staging.yml +++ b/.github/workflows/build-staging.yml @@ -32,7 +32,7 @@ jobs: echo "🏷️ Set VERSION: $VERSION" - name: Cache CLI tools (SC + Welder) - uses: actions/cache@v4 # Automatically uses Blacksmith cache on Blacksmith runners + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 (Automatically uses Blacksmith cache on Blacksmith runners) with: path: | ~/.local/bin/sc diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml index 4bf3a8fd..50261f9d 100644 --- a/.github/workflows/push.yaml +++ b/.github/workflows/push.yaml @@ -106,12 +106,12 @@ jobs: echo "cicd-bot-telegram-token=$(./bin/sc stack secret-get -s dist cicd-bot-telegram-token)" >> $GITHUB_OUTPUT echo "cicd-bot-telegram-chat-id=$(./bin/sc stack secret-get -s dist cicd-bot-telegram-chat-id)" >> $GITHUB_OUTPUT - name: save schemas cache - uses: actions/cache/save@v4 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: docs/schemas key: schemas-${{ github.run_id }} - name: upload bin directory artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: bin-tools path: bin 
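Review bot: The pin comment in the build-staging.yml hunk now reads `# v4.3.0 (Automatically uses Blacksmith cache on Blacksmith runners)`; the commit relies on Dependabot rewriting the version comment after the SHA, and extra text on that line risks either being dropped by the rewrite or preventing the comment update. Keeping the `# vX.Y.Z` comment in the bare form used on every other pin in this commit and moving the note to its own line above the step, `# Automatically uses Blacksmith cache on Blacksmith runners`, avoids that.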
@@ -155,7 +155,7 @@ jobs: tar -czf .sc/stacks/dist/bundle/sc-${GOOS}-${GOARCH}.tar.gz -C dist/${GOOS}-${GOARCH} sc${EXT} cp .sc/stacks/dist/bundle/sc-${GOOS}-${GOARCH}.tar.gz .sc/stacks/dist/bundle/sc-${GOOS}-${GOARCH}-v${VERSION}.tar.gz - name: upload build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: sc-${{ matrix.os }}-${{ matrix.arch }} # Match both versioned (sc-os-arch-vX.Y.Z.tar.gz) AND unversioned (sc-os-arch.tar.gz). @@ -198,7 +198,7 @@ jobs: run: | go build -a -installsuffix cgo -ldflags "-s -w -X=github.com/simple-container-com/api/internal/build.Version=${VERSION}" -o ${{ matrix.output }} ./cmd/${{ matrix.cmd }} - name: upload ${{ matrix.target }} binary - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: ${{ matrix.target }}-binary path: ${{ matrix.output }} @@ -224,7 +224,7 @@ jobs: mkdir -p bin go build -ldflags "-s -w -X=github.com/simple-container-com/api/internal/build.Version=${VERSION}" -a -installsuffix cgo -o bin/github-actions ./cmd/github-actions - name: upload github-actions-staging binary - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: github-actions-staging-binary path: bin/github-actions @@ -255,7 +255,7 @@ jobs: with: persist-credentials: false - name: restore cached schemas - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: docs/schemas key: schemas-${{ github.run_id }} @@ -263,7 +263,7 @@ jobs: run: | docker run --rm -v $PWD/docs:/docs -w /docs python:3.9.18 sh -c "pip install -r requirements.txt && PATH=\$PATH:~/.local/bin mkdocs build" - name: upload docs artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: docs-site path: docs/site 
@@ -305,19 +305,19 @@ jobs: persist-credentials: false - name: download github-actions-staging binary if: matrix.image == 'github-actions-staging' - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: github-actions-staging-binary path: bin - name: download github-actions binary if: matrix.image == 'github-actions' - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: github-actions-binary path: dist - name: download cloud-helpers binary if: matrix.image == 'cloud-helpers-aws' - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: cloud-helpers-binary path: dist @@ -383,18 +383,18 @@ jobs: EOF sc secrets reveal - name: download all build artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: path: artifacts - name: download bin tools artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: bin-tools path: bin - name: fix bin tools permissions run: chmod +x bin/* - name: download docs artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: docs-site path: docs/site diff --git a/pkg/clouds/pulumi/docker/pull.go b/pkg/clouds/pulumi/docker/pull.go index 5bbf72eb..9dc3a8a0 100644 --- a/pkg/clouds/pulumi/docker/pull.go +++ b/pkg/clouds/pulumi/docker/pull.go @@ -34,7 +34,7 @@ func NewDockerPull(ctx *sdk.Context, name string, args *PullArgs, opts ...sdk.Re return nil, err } - dockerAPI, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation()) + dockerAPI, err := client.New(client.FromEnv, client.WithAPIVersionNegotiation()) if err != nil { return nil, err } 
From bdf2143f799c691a0d00b21c940dc40ca907c2fe Mon Sep 17 00:00:00 2001 From: Dmitrii Creed Date: Mon, 11 May 2026 01:26:14 +0400 Subject: [PATCH 7/8] fix(docker): drop deprecated client.WithAPIVersionNegotiation() In moby/moby/client v0.4.1 this option is a documented no-op (API-version negotiation is enabled by default), and staticcheck SA1019 fails the build under .golangci.yml. Signed-off-by: Dmitrii Creed --- pkg/clouds/pulumi/docker/pull.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/clouds/pulumi/docker/pull.go b/pkg/clouds/pulumi/docker/pull.go index 9dc3a8a0..157f89d1 100644 --- a/pkg/clouds/pulumi/docker/pull.go +++ b/pkg/clouds/pulumi/docker/pull.go @@ -34,7 +34,7 @@ func NewDockerPull(ctx *sdk.Context, name string, args *PullArgs, opts ...sdk.Re return nil, err } - dockerAPI, err := client.New(client.FromEnv, client.WithAPIVersionNegotiation()) + dockerAPI, err := client.New(client.FromEnv) if err != nil { return nil, err } From 3fa8e20458c4410866e3493910c7fd79877d98bc Mon Sep 17 00:00:00 2001 From: Dmitrii Creed Date: Mon, 11 May 2026 10:48:37 +0400 Subject: [PATCH 8/8] fix(ci): pass GH_TOKEN at job level for publish-git-tag The publish-git-tag job uses 'gh auth setup-git' as a credential helper substitute for the previous URL-embedded token. The helper invokes 'gh auth git-credential' on each git operation, which reads $GH_TOKEN from the *invoking step's* env. Setting GH_TOKEN only on the configure-helper step left subsequent 'git push' steps with no token, producing 'fatal: could not read Username for https://github.com'. Hoist GH_TOKEN to job-level env so every step that shells out to git inherits it. Signed-off-by: Dmitrii Creed --- .github/workflows/branch-preview.yaml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/branch-preview.yaml b/.github/workflows/branch-preview.yaml index 4fd2e3ab..55a8f1b6 100644 --- a/.github/workflows/branch-preview.yaml 
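Review bot: The error from the new `client.New(client.FromEnv)` call is returned bare on the following context line, so a runner with a misconfigured `DOCKER_HOST` or `DOCKER_CERT_PATH` fails without saying which client could not be initialised; consider `return nil, fmt.Errorf("creating docker client from environment: %w", err)` (needs `fmt` in the import block, which is outside the hunk). A short comment above the call would also help the next reader, e.g. `// Daemon address and TLS settings come from the DOCKER_* environment; the API version is negotiated by default unless DOCKER_API_VERSION pins it.` — as far as I know `FromEnv` honours `DOCKER_API_VERSION` as a manual override, which is worth stating now that the explicit negotiation option is gone. I cannot see from this hunk whether `dockerAPI` is ever closed; if it is not, releasing it once the pull completes (`defer dockerAPI.Close()` or an explicit close after use) avoids keeping the daemon connection open. NewDockerPull begins and ends outside the hunk.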
+++ b/.github/workflows/branch-preview.yaml @@ -328,6 +328,13 @@ jobs: # Only needs docker-build — the tag must point to a commit referencing a published Docker image. # Does not need build-platforms or publish-sc-preview. Runs in parallel with publish-sc-preview. needs: [prepare, docker-build] + # GH_TOKEN must be visible to every step that runs git (checkout, commit, + # push) because `gh auth setup-git` installs `gh auth git-credential` as + # the credential helper — and that helper reads $GH_TOKEN from the + # invoking step's env when git pushes. Setting it once at job level + # avoids the "fatal: could not read Username" failure from per-step env. + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -335,10 +342,7 @@ jobs: fetch-depth: 0 - uses: fregante/setup-git-user@024bc0b8e177d7e77203b48dab6fb45666854b35 # v2.0.2 - name: configure git credential helper - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - gh auth setup-git + run: gh auth setup-git - name: create release branch and update action.yml image tags env: VERSION: ${{ needs.prepare.outputs.version }}
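Review bot: Moving `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to the job-level `env:` makes the token readable by every step in publish-git-tag — including the third-party `fregante/setup-git-user` action and any `run:` script — not only the steps that invoke git, so the widened visibility should be matched by the narrowest `permissions:` the job can work with (`contents: write` for the tag push); the job's `permissions:` block is not in this hunk, so I cannot confirm it is set. That trade-off belongs in the new comment, e.g. `# Job-level env is deliberately visible to every step; the job's permissions block keeps the token's scope minimal.` Note also that once `gh auth setup-git` has installed the credential helper, every later `git push`/`git fetch` to github.com in this job authenticates as GITHUB_TOKEN, which is the intent here but means a push from an unrelated step would succeed silently.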