From de922be58b270e4e7877825ae8187d9e669371d1 Mon Sep 17 00:00:00 2001
From: RyanH-STFC
Date: Wed, 25 Mar 2026 14:52:46 +0000
Subject: [PATCH 1/3] Change token to read only

This is recommended by checkout action as best practice
---
 .github/workflows/cloud_chatops.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/cloud_chatops.yaml b/.github/workflows/cloud_chatops.yaml
index e3b162fb..16e7e0f1 100644
--- a/.github/workflows/cloud_chatops.yaml
+++ b/.github/workflows/cloud_chatops.yaml
@@ -1,5 +1,8 @@ name: Cloud Chatops +permissions: + contents: read + on: push: branches:
From 35b6efa42328213ce62cd0d1c94fa4fa183f892d Mon Sep 17 00:00:00 2001
From: RyanH-STFC
Date: Wed, 25 Mar 2026 14:56:54 +0000
Subject: [PATCH 2/3] Change actions from tag to pinned sha

Changed all of the tags to SHAs for defense against supply chain attacks
Added the releases docs for easier updating of SHAs for next person.
---
 .github/workflows/cloud_chatops.yaml | 32 +++++++++++++++++-----------
 1 file changed, 19 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/cloud_chatops.yaml b/.github/workflows/cloud_chatops.yaml
index 16e7e0f1..8626af49 100644
--- a/.github/workflows/cloud_chatops.yaml
+++ b/.github/workflows/cloud_chatops.yaml
@@ -20,9 +20,11 @@ jobs: os: ['ubuntu-22.04','ubuntu-latest'] python-version: [ "3.12", "3.x" ] steps: - - uses: actions/checkout@v6 + # https://github.com/actions/checkout/releases + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + # https://github.com/actions/setup-python/releases + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: ${{ matrix.python-version }} cache: "pip"
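Review bot: The top-level `permissions: contents: read` added in this hunk becomes the default token scope for every job in the workflow, so any job that needs more than repository read access must now declare its own `permissions:` block rather than inheriting the repository default. From what the later hunks show, the Harbor login and Codecov upload steps authenticate with repository secrets rather than `GITHUB_TOKEN`, so they should be unaffected; the step behind `steps.release_updated` in the last hunk of the next patch is the one to verify, since a paths-filter action that queries the pull-request API needs `pull-requests: read` (only `push` triggers are visible here, so this may not apply). Recording that reasoning next to the new key would help the next maintainer, e.g. `# Default for every job: repository read only; raise per job if a step ever needs more.`.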
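Review bot: The pinned SHAs on the `uses:` lines for actions/checkout and actions/setup-python carry no record of which release tag they were taken from, so a reader cannot tell which version is in use without resolving the commit on GitHub, and a trailing version comment is also what Dependabot and Renovate keep in step with the SHA when they update a pin. Append the tag to each pin on the same line, e.g. `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # <tag the SHA resolves to>`; the release-page link comments above each step can stay. Before merging, confirm each SHA resolves to a tagged release commit rather than an arbitrary commit on the default branch, since a pin to an untagged commit is immutable but has no release notes or audit trail behind it. The same applies to the codecov, docker/setup-buildx-action, docker/login-action and docker/build-push-action pins in the -49, -58, -75, -87, -119 and -144 hunks, where the repeated checkout and docker pins also appear without any version or link comment.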
@@ -49,7 +51,8 @@ jobs: python3 -m pytest tests --cov-report xml:coverage.xml --cov - name: Upload coverage to Codecov - uses: codecov/codecov-action@v5 + # https://github.com/codecov/codecov-action/releases + uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de with: token: ${{secrets.CODECOV_TOKEN}} files: cloud-chatops/coverage.xml
@@ -58,13 +61,15 @@ jobs: runs-on: ubuntu-latest needs: test_and_lint steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + # https://github.com/docker/setup-buildx-action/releases + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd - name: Login to Harbor - uses: docker/login-action@v3 + # https://github.com/docker/login-action/releases + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 with: registry: harbor.stfc.ac.uk username: ${{ secrets.STAGING_HARBOR_USERNAME }}
@@ -75,7 +80,8 @@ jobs: run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT - name: Build and push to staging project - uses: docker/build-push-action@v6 + # https://github.com/docker/build-push-action/releases + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 with: cache-from: type=gha cache-to: type=gha,mode=max
@@ -87,13 +93,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout master - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: ref: 'master' path: 'main' - name: Checkout current working branch - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: path: 'branch'
@@ -119,13 +125,13 @@ jobs: needs: [test_and_lint, check_version_update] if: github.ref == 'refs/heads/master' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd - name: Login to Harbor - uses: docker/login-action@v3 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 with: registry: harbor.stfc.ac.uk username: ${{ secrets.HARBOR_USERNAME }}
@@ -144,7 +150,7 @@ jobs: - 'cloud-chatops/version.txt' - name: Build and push on version change - uses: docker/build-push-action@v6 + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 if: steps.release_updated.outputs.version == 'true' with: cache-from: type=gha
From cae737166ea389a08ada626402aba1941971b346 Mon Sep 17 00:00:00 2001
From: RyanH-STFC
Date: Wed, 25 Mar 2026 15:03:54 +0000
Subject: [PATCH 3/3] Change patch version

Must change the version for any change on this REPO, therfore bumping the patch version by one.
---
 cloud-chatops/docker-compose.yaml | 2 +-
 cloud-chatops/version.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/cloud-chatops/docker-compose.yaml b/cloud-chatops/docker-compose.yaml
index 58256560..8a15f630 100644
--- a/cloud-chatops/docker-compose.yaml
+++ b/cloud-chatops/docker-compose.yaml
@@ -1,6 +1,6 @@ services: cloud_chatops: - image: harbor.stfc.ac.uk/stfc-cloud/cloud-chatops:9.1.1 + image: harbor.stfc.ac.uk/stfc-cloud/cloud-chatops:9.1.2 volumes: - /opt/chatops/secrets.yml/:/usr/src/app/secrets.yml - /opt/chatops/config.yml/:/usr/src/app/config.yml
diff --git a/cloud-chatops/version.txt b/cloud-chatops/version.txt
index 44931da2..d6b7c4d5 100644
--- a/cloud-chatops/version.txt
+++ b/cloud-chatops/version.txt
@@ -1 +1 @@
-9.1.1
+9.1.2