diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
deleted file mode 100644
index 87fe878f8049..000000000000
--- a/.github/workflows/codeql-analysis.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-name: "CodeQL"
-on:
- push:
- branches:
- - 'main'
- - 'release-v*'
- schedule:
- - cron: '0 12 * * *'
-jobs:
- analyze:
- if: github.repository == 'aws/karpenter-provider-aws'
- name: Analyze
- runs-on: ubuntu-latest
- permissions:
- actions: read # github/codeql-action/init@v2
- security-events: write # github/codeql-action/init@v2
-
- strategy:
- fail-fast: false
- matrix:
- language: [ 'go' ]
-
- steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: ./.github/actions/install-deps
- - run: make vulncheck
- - uses: github/codeql-action/init@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.22.8
- with:
- languages: ${{ matrix.language }}
- - uses: github/codeql-action/autobuild@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.22.8
- - uses: github/codeql-action/analyze@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.22.8
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
new file mode 100644
index 000000000000..e6f06b545401
--- /dev/null
+++ b/.github/workflows/codeql.yaml
@@ -0,0 +1,47 @@
+name: "CodeQL"
+on:
+ push:
+ branches:
+ - 'main'
+ - 'release-v*'
+ pull_request:
+ schedule:
+ - cron: '0 12 * * *'
+jobs:
+ analyze-go:
+ name: Analyze Go
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read # github/codeql-action/init@v2
+ security-events: write # github/codeql-action/init@v2
+ steps:
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: ./.github/actions/install-deps
+ - run: make vulncheck
+ - uses: github/codeql-action/init@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.22.8
+ with:
+ languages: go
+ - uses: github/codeql-action/autobuild@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.22.8
+ - uses: github/codeql-action/analyze@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.22.8
+ # Javascript is added here for evaluating Github Action vulnerabilities
+ # https://github.blog/2023-08-09-four-tips-to-keep-your-github-actions-workflows-secure/#2-enable-code-scanning-for-workflows
+ analyze-github-actions:
+ name: Analyze Github Actions
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read # github/codeql-action/init@v2
+ security-events: write # github/codeql-action/init@v2
+ steps:
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: github/codeql-action/init@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.22.8
+ with:
+ languages: javascript
+ config: |
+ packs:
+ # Use the latest version of 'codeql-javascript' published by 'advanced-security'
+ # This will catch things like actions that aren't pinned to a hash
+ - advanced-security/codeql-javascript
+ paths:
+ - '.github/workflows'
+ - '.github/actions'
+ - uses: github/codeql-action/analyze@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.22.8
\ No newline at end of file
diff --git a/.github/workflows/e2e-soak-trigger.yaml b/.github/workflows/e2e-soak-trigger.yaml
index 88944a275d8b..4f2c9b574b4c 100644
--- a/.github/workflows/e2e-soak-trigger.yaml
+++ b/.github/workflows/e2e-soak-trigger.yaml
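Review bot: Both new jobs drop the `if: github.repository == 'aws/karpenter-provider-aws'` guard that the replaced codeql-analysis.yaml carried, so the daily `schedule` trigger (and the newly added `pull_request` trigger) may now also run CodeQL in forks where Actions and scheduled workflows have been enabled, uploading findings and spending minutes there. Unless that is intended, restore `if: github.repository == 'aws/karpenter-provider-aws'` under both `analyze-go` and `analyze-github-actions`, or gate just the scheduled event with `if: github.event_name != 'schedule' || github.repository == 'aws/karpenter-provider-aws'`. The `advanced-security/codeql-javascript` pack is the one dependency in this file not pinned to a digest or version; the comment above it says latest is wanted, so a `@<version>` suffix is a reproducibility trade-off to record in that comment rather than a defect. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint will report.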
@@ -11,7 +11,7 @@ jobs:
 outputs:
 PREEXISTING_CLUSTERS: ${{ steps.list_clusters.outputs.PREEXISTING_CLUSTERS }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: configure aws credentials
 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a
 with:
diff --git a/.github/workflows/resource-count.yaml b/.github/workflows/resource-count.yaml
index 6720f62f2039..2baafad1c529 100644
--- a/.github/workflows/resource-count.yaml
+++ b/.github/workflows/resource-count.yaml
@@ -16,7 +16,7 @@ jobs:
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: configure aws credentials
- uses: aws-actions/configure-aws-credentials@v4.0.1
+ uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
 with:
 role-to-assume: arn:aws:iam::${{ vars.ACCOUNT_ID }}:role/${{ vars.ROLE_NAME }}
 aws-region: ${{ matrix.region }}
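Review bot: The new `actions/checkout` pin in e2e-soak-trigger.yaml carries a `# v4.1.1` version comment, but the `aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a` line two lines below it in the same step list has none, while the resource-count.yaml hunk in this same commit annotates that identical SHA as `# v4.0.1`. Without the comment neither a reader nor the tooling that refreshes SHA pins (which typically keeps that comment in sync) can tell which release the digest corresponds to; suggest `uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1` for consistency. That line is unchanged context here, so this is a follow-up touch rather than a defect in the added line.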