@@ -73,7 +73,7 @@ jobs:
- name: Release
uses: kubewarden/github-actions/policy-release@7bc76e326b9c29582dd89eaf1b9efad1da3d3872
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
github-token: ${{ secrets.GITHUB_TOKEN }}
oci-target: ${{ inputs.oci-target }}
policy-version: ${{ steps.calculate-version.outputs.version }}
expect-sbom: "false"
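--- a/.github/workflows/reusable-release-policy-go-wasi.yml
+++ b/.github/workflows/reusable-release-policy-go-wasi.yml
@@ -57,7 +57,7 @@ jobs:
 - name: Release
 uses: kubewarden/github-actions/policy-release@7bc76e326b9c29582dd89eaf1b9efad1da3d3872
 with:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+github-token: ${{ secrets.GITHUB_TOKEN }}
 oci-target: ${{ inputs.oci-target }}
 policy-version: ${{ steps.calculate-version.outputs.version }}
 push-artifacthub: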
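Review bot: The `with:` key becomes `github-token`, but the unchanged `uses:` line above it still pins `policy-release` to 7bc76e326b9c29582dd89eaf1b9efad1da3d3872, a commit that was referenced before this change and so presumably still declares the input as `GITHUB_TOKEN`. Until the pin points at a commit containing the renamed input from policy-release/action.yml, the action would receive an input it does not declare, which GitHub reports only as a warning, and `inputs.GITHUB_TOKEN` would be empty at the ghcr.io login step. The go, rego, rust and swift release workflows below and the hunk at the top of the page have the same mismatch. Bump the pin in the same change or land the rename in two steps, and record the dependency in a comment such as `# pin must reference a commit that declares github-token`. The `with:` block continues past the end of the hunk.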
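--- a/.github/workflows/reusable-release-policy-go.yml
+++ b/.github/workflows/reusable-release-policy-go.yml
@@ -57,7 +57,7 @@ jobs:
 - name: Release
 uses: kubewarden/github-actions/policy-release@7bc76e326b9c29582dd89eaf1b9efad1da3d3872
 with:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+github-token: ${{ secrets.GITHUB_TOKEN }}
 oci-target: ${{ inputs.oci-target }}
 policy-version: ${{ steps.calculate-version.outputs.version }}
 push-artifacthub: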
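--- a/.github/workflows/reusable-release-policy-rego.yml
+++ b/.github/workflows/reusable-release-policy-rego.yml
@@ -89,7 +89,7 @@ jobs:
 - name: Release
 uses: kubewarden/github-actions/policy-release@7bc76e326b9c29582dd89eaf1b9efad1da3d3872
 with:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+github-token: ${{ secrets.GITHUB_TOKEN }}
 oci-target: ${{ inputs.oci-target }}
 policy-working-dir: ${{ inputs.policy-working-dir }}
 policy-version: ${{ steps.calculate-version.outputs.version }}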
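--- a/.github/workflows/reusable-release-policy-rust.yml
+++ b/.github/workflows/reusable-release-policy-rust.yml
@@ -57,7 +57,7 @@ jobs:
 - name: Release
 uses: kubewarden/github-actions/policy-release@7bc76e326b9c29582dd89eaf1b9efad1da3d3872
 with:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+github-token: ${{ secrets.GITHUB_TOKEN }}
 oci-target: ${{ inputs.oci-target }}
 policy-version: ${{ steps.calculate-version.outputs.version }}
 push-artifacthub: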
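--- a/.github/workflows/reusable-release-policy-swift.yml
+++ b/.github/workflows/reusable-release-policy-swift.yml
@@ -74,7 +74,7 @@ jobs:
 - name: Release
 uses: kubewarden/github-actions/policy-release@7bc76e326b9c29582dd89eaf1b9efad1da3d3872
 with:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+github-token: ${{ secrets.GITHUB_TOKEN }}
 oci-target: ${{ inputs.oci-target }}
 policy-version: ${{ steps.calculate-version.outputs.version }}
 push-artifacthub: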
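--- a/.github/workflows/reusable-release-pr.yml
+++ b/.github/workflows/reusable-release-pr.yml
@@ -94,7 +94,7 @@ jobs:
 if: >
 hashFiles('**/Cargo.toml') != '' &&
 ! steps.restore-cache.outputs.cache-hit
-run: cargo install cargo-edit
+run: cargo install cargo-edit --version 0.13.9 --locked
 
 - name: Create values.yaml for Updatecli
 run: |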
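--- a/attestation/action.yml
+++ b/attestation/action.yml
@@ -8,7 +8,7 @@ inputs:
 arch:
 description: architecture being processed
 required: true
-GITHUB_TOKEN:
+github-token:
 description: |
 The GitHub token with permission to publish images to ghcr.
 required: true
@@ -24,7 +24,7 @@ runs:
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
-password: ${{ inputs.GITHUB_TOKEN }}
+password: ${{ inputs.github-token }}
 - name: Download all digests
 uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with: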
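--- a/binaryen-installer/action.yml
+++ b/binaryen-installer/action.yml
@@ -4,10 +4,14 @@ branding:
 icon: "package"
 color: "blue"
 inputs:
-VERSION:
+version:
 description: "binaryen release to be installed"
 required: false
 default: "116"
+checksum:
+description: "SHA256 checksum of the binaryen release tarball"
+required: false
+default: "c55b74f3109cdae97490faf089b0286d3bba926bb6ea5ed00c8c784fc53718fd"
 runs:
 using: "composite"
 steps:
@@ -16,14 +20,17 @@ runs:
 #!/bin/bash
 set -e
 
+VERSION="${{ inputs.version }}"
+CHECKSUM="${{ inputs.checksum }}"
 INSTALL_DIR=$HOME/.binaryen
 
 mkdir -p $INSTALL_DIR
 
-curl -sL https://github.com/WebAssembly/binaryen/releases/download/version_${{ inputs.VERSION }}/binaryen-version_${{ inputs.VERSION }}-x86_64-linux.tar.gz -o $INSTALL_DIR/binaryen.tar.gz
+curl -sL https://github.com/WebAssembly/binaryen/releases/download/version_${VERSION}/binaryen-version_${VERSION}-x86_64-linux.tar.gz -o $INSTALL_DIR/binaryen.tar.gz
+echo "${CHECKSUM} $INSTALL_DIR/binaryen.tar.gz" | sha256sum --check
 tar xvf $INSTALL_DIR/binaryen.tar.gz -C $INSTALL_DIR
-mv $INSTALL_DIR/binaryen-version_${{ inputs.VERSION }}/bin/* $INSTALL_DIR
+mv $INSTALL_DIR/binaryen-version_${VERSION}/bin/* $INSTALL_DIR
 rm $INSTALL_DIR/binaryen.tar.gz
-rm -rf $INSTALL_DIR/binaryen-version_${{ inputs.VERSION }}
+rm -rf $INSTALL_DIR/binaryen-version_${VERSION}
 
 echo $INSTALL_DIR >> $GITHUB_PATH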
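Review bot: `VERSION="${{ inputs.version }}"` and `CHECKSUM="${{ inputs.checksum }}"` are still expanded into the script text before bash parses it, so a value containing a quote or a command substitution alters the script rather than the variable. Passing the inputs through the step environment keeps them as data: add `env:` with `VERSION: ${{ inputs.version }}` and `CHECKSUM: ${{ inputs.checksum }}` to the step and drop the two assignments. The values come from the calling workflow, so this matters mainly when a caller forwards something it does not control. The crane, kubernetes-bom, kwctl, opa and tinygo installers in this change use the same assignment pattern. The step header for this script is outside the hunk.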
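--- a/container-build/action.yml
+++ b/container-build/action.yml
@@ -1,7 +1,7 @@
 name: container-build
 description: build/sign an image and publish its digest in artifact
 inputs:
-digest_artifact_prefix:
+digest-artifact-prefix:
 description: the prefix of the artifact filename
 default: digest-
 component:
@@ -16,7 +16,7 @@ inputs:
 description: |
 Target platform for Docker build (e.g., linux/amd64, linux/arm64)
 required: true
-GITHUB_TOKEN:
+github-token:
 description: |
 The GitHub token with permission to publish images to ghcr.
 required: true
@@ -34,7 +34,7 @@ runs:
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
-password: ${{ inputs.GITHUB_TOKEN }}
+password: ${{ inputs.github-token }}
 - name: Docker meta
 id: meta
 uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
@@ -87,6 +87,6 @@ runs:
 - name: Upload digest
 uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
 with:
-name: ${{ inputs.digest_artifact_prefix }}${{ inputs.component }}-${{ inputs.arch }}
+name: ${{ inputs.digest-artifact-prefix }}${{ inputs.component }}-${{ inputs.arch }}
 path: ${{ runner.temp }}/digests/*.txt
 retention-days: 1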
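--- a/crane-installer/action.yml
+++ b/crane-installer/action.yml
@@ -4,10 +4,14 @@ branding:
 icon: 'package'
 color: 'blue'
 inputs:
-VERSION:
+version:
 description: 'crane release to be installed'
 required: false
 default: "0.15.2"
+checksum:
+description: "SHA256 checksum of the crane release tarball"
+required: false
+default: "bd5f72ae96373ac640679a6108280b6d76698773ca21f293ae30cc17413e2ad1"
 runs:
 using: "composite"
 steps:
@@ -16,11 +20,14 @@ runs:
 #!/bin/bash
 set -e
 
+VERSION="${{ inputs.version }}"
+CHECKSUM="${{ inputs.checksum }}"
 INSTALL_DIR=$HOME/.crane
 
 mkdir -p $INSTALL_DIR
 
-curl -sL https://github.com/google/go-containerregistry/releases/download/v${{ inputs.VERSION }}/go-containerregistry_Linux_x86_64.tar.gz -o $INSTALL_DIR/crane.tar.gz
+curl -sL https://github.com/google/go-containerregistry/releases/download/v${VERSION}/go-containerregistry_Linux_x86_64.tar.gz -o $INSTALL_DIR/crane.tar.gz
+echo "${CHECKSUM} $INSTALL_DIR/crane.tar.gz" | sha256sum --check
 tar xvf $INSTALL_DIR/crane.tar.gz -C $INSTALL_DIR
 rm $INSTALL_DIR/crane.tar.gz
 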
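Review bot: The `checksum` description does not say that its default matches only the default `version` (0.15.2) of go-containerregistry_Linux_x86_64.tar.gz, so a caller who overrides `version` alone hits a `sha256sum --check` failure with no hint about the cause. Failing closed is the right outcome, but the contract should be documented, for example `description: "SHA256 checksum of the crane release tarball for the selected version; must be set whenever version is overridden"`. The checksum inputs added to the binaryen, opa, tinygo and kubernetes-bom installers would benefit from the same wording.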
26 changes: 22 additions & 4 deletions kubernetes-bom-installer/action.yml
@@ -7,11 +7,19 @@ inputs:
version:
description: 'Kubernetes bom command version to be installed'
required: false
default: v0.3.0
default: "v0.3.0"
arch:
description: 'Kubernetes bom command arch to be installed'
description: "Architecture to install (linux-amd64, linux-arm64)"
required: false
default: "linux-amd64"
checksum-linux-amd64:
description: "SHA256 checksum of the linux-amd64 release tarball"
required: false
default: "314b1713c3350cd063f2330fba25766860011c8e193fbae30da2d8b58cc3ac13"
checksum-linux-arm64:
description: "SHA256 checksum of the linux-arm64 release tarball"
required: false
default: "451698ad7124aedc14d02f1cc48bbc41d687f42509e6fa0272ac37bf28abb74c"
runs:
using: "composite"
steps:
@@ -20,10 +28,20 @@ runs:
#!/bin/bash
set -e

VERSION="${{ inputs.version }}"
ARCH="${{ inputs.arch }}"
INSTALL_DIR=$HOME/.bom-generator

case "${ARCH}" in
Member
I would prefer to have CHECKSUM_AMD64 and CHECKSUM_ARM64, and have logic that selects between both. Same for the other refactors.

linux-amd64) CHECKSUM="${{ inputs.checksum-linux-amd64 }}" ;;
linux-arm64) CHECKSUM="${{ inputs.checksum-linux-arm64 }}" ;;
*) echo "Unsupported arch: ${ARCH}. Supported values: linux-amd64, linux-arm64"; exit 1 ;;
esac

mkdir -p $INSTALL_DIR

curl -L -O https://github.com/kubernetes-sigs/bom/releases/download/${{ inputs.version }}/bom-${{ inputs.arch }}.tar.gz
tar -xf bom-${{ inputs.arch }}.tar.gz --directory $INSTALL_DIR
curl -L -O https://github.com/kubernetes-sigs/bom/releases/download/${VERSION}/bom-${ARCH}.tar.gz
echo "${CHECKSUM} bom-${ARCH}.tar.gz" | sha256sum --check
tar -xf bom-${ARCH}.tar.gz --directory $INSTALL_DIR

echo $INSTALL_DIR >> $GITHUB_PATH
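--- a/kwctl-installer/action.yml
+++ b/kwctl-installer/action.yml
@@ -4,10 +4,10 @@ branding:
 icon: "package"
 color: "blue"
 inputs:
-KWCTL_VERSION:
+kwctl-version:
 description: "kwctl release to be installed"
 required: false
-default: v1.33.1
+default: "v1.33.1"
 runs:
 using: "composite"
 steps:
@@ -16,17 +16,22 @@ runs:
 #!/bin/bash
 set -e
 
+KWCTL_VERSION="${{ inputs.kwctl-version }}"
+
 # Build name of gihub release asset
 OS=$(echo "${{ runner.os }}" | tr '[:upper:]' '[:lower:]' | sed 's/macos/darwin/')
 ARCH=$(echo "${{ runner.arch }}" | sed -E 's/X64/x86_64/; s/ARM64/aarch64/')
 ASSET="kwctl-${OS}-${ARCH}"
 
 INSTALL_DIR=$HOME/.kwctl
-RELEASE_URL="download/${{ inputs.KWCTL_VERSION }}"
-[ "${{ inputs.KWCTL_VERSION }}" == "latest" ] && RELEASE_URL="latest/download"
 
 mkdir -p $INSTALL_DIR
-curl -sL https://github.com/kubewarden/kubewarden-controller/releases/$RELEASE_URL/$ASSET.zip -o $INSTALL_DIR/$ASSET.zip
+curl -sL https://github.com/kubewarden/kubewarden-controller/releases/download/${KWCTL_VERSION}/${ASSET}.zip -o $INSTALL_DIR/$ASSET.zip
+curl -sL https://github.com/kubewarden/kubewarden-controller/releases/download/${KWCTL_VERSION}/${ASSET}.zip.bundle.sigstore \
+-o $INSTALL_DIR/$ASSET.zip.bundle.sigstore
+gh attestation verify $INSTALL_DIR/$ASSET.zip \
+--bundle $INSTALL_DIR/$ASSET.zip.bundle.sigstore \
+--repo kubewarden/kubewarden-controller
 unzip -o $INSTALL_DIR/$ASSET.zip -d $INSTALL_DIR
 rm $INSTALL_DIR/$ASSET.zip
 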
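Review bot: With the `latest` branch of `RELEASE_URL` removed, `kwctl-version: latest` now requests `releases/download/latest/...`, and because both downloads use `curl -sL` without `--fail`, a missing asset is saved as the error body and only surfaces later as a `gh attestation verify` failure. Switching the two downloads to `curl -fsSL` would stop at the failing request, and the input description could state that a concrete release tag is required. Verification is bound to the repository through `--repo kubewarden/kubewarden-controller`; if the release workflow path is stable, adding `--signer-workflow` would narrow the accepted signer further. The step header and any `env:` it sets are outside the hunk.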
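--- a/merge-multiarch/action.yml
+++ b/merge-multiarch/action.yml
@@ -1,7 +1,7 @@
 name: merge-multiarch-images
 description: merge multi-arch images based on images digests provided
 inputs:
-digest_artifact_prefix:
+digest-artifact-prefix:
 description: the prefix of the artifact filename
 default: digest-
 component:
@@ -15,7 +15,7 @@ inputs:
 arch:
 description: The list of image architecture for this action to merge (comma-separated)
 default: amd64,arm64
-GITHUB_TOKEN:
+github-token:
 description: |
 The GitHub token with permission to publish images to ghcr.
 required: true
@@ -26,7 +26,7 @@ runs:
 uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 path: ${{ runner.temp }}/digests
-pattern: ${{ inputs.digest_artifact_prefix}}${{ inputs.component }}-*
+pattern: ${{ inputs.digest-artifact-prefix}}${{ inputs.component }}-*
 merge-multiple: true
 - name: Install cosign
 uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
@@ -35,7 +35,7 @@ runs:
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
-password: ${{ inputs.GITHUB_TOKEN }}
+password: ${{ inputs.github-token }}
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 - name: Create and push multi-arch manifest for ${{ inputs.component }}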
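--- a/opa-installer/action.yml
+++ b/opa-installer/action.yml
@@ -7,7 +7,11 @@ inputs:
 opa-version:
 description: "opa release to be installed"
 required: false
-default: v0.65.0
+default: "v0.65.0"
+checksum:
+description: "SHA256 checksum of the opa release binary"
+required: false
+default: "cd6b0b2d762571a746f0261890b155e6dd71cca90dad6b42b6fcf6dd7f619f08"
 runs:
 using: "composite"
 steps:
@@ -16,11 +20,14 @@ runs:
 #!/bin/bash
 set -e
 
+VERSION="${{ inputs.opa-version }}"
+CHECKSUM="${{ inputs.checksum }}"
 INSTALL_DIR=$HOME/.opa
 
 mkdir -p $INSTALL_DIR
 
-curl -sL https://github.com/open-policy-agent/opa/releases/download/${{ inputs.opa-version }}/opa_linux_amd64_static -o $INSTALL_DIR/opa
+curl -sL https://github.com/open-policy-agent/opa/releases/download/${VERSION}/opa_linux_amd64_static -o $INSTALL_DIR/opa
+echo "${CHECKSUM} $INSTALL_DIR/opa" | sha256sum --check
 
 chmod 755 $INSTALL_DIR/opa
 echo $INSTALL_DIR >> $GITHUB_PATH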
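--- a/policy-build-tinygo/action.yml
+++ b/policy-build-tinygo/action.yml
@@ -5,9 +5,13 @@ branding:
 color: "blue"
 inputs:
 tinygo-version:
-required: true
+required: false
 description: "Version of tinygo to use"
-default: 0.39.0
+default: "0.39.0"
+tinygo-checksum:
+required: false
+description: "SHA256 checksum of the tinygo release .deb package"
+default: "775f15974e35059c8f3a141266bd9d293b5d556a3e44d5e6356c5602e9f386ab"
 generate-sbom:
 required: false
 description: "Generate and sign SBOM files"
@@ -29,8 +33,12 @@ runs:
 - name: Install tinygo
 shell: bash
 run: |
-wget https://github.com/tinygo-org/tinygo/releases/download/v${{ inputs.tinygo-version }}/tinygo_${{ inputs.tinygo-version }}_amd64.deb
-sudo dpkg -i tinygo_${{ inputs.tinygo-version }}_amd64.deb
+TINYGO_VERSION="${{ inputs.tinygo-version }}"
+TINYGO_CHECKSUM="${{ inputs.tinygo-checksum }}"
+TINYGO_DEB="tinygo_${TINYGO_VERSION}_amd64.deb"
+wget https://github.com/tinygo-org/tinygo/releases/download/v${TINYGO_VERSION}/${TINYGO_DEB}
+echo "${TINYGO_CHECKSUM} ${TINYGO_DEB}" | sha256sum --check
+sudo dpkg -i ${TINYGO_DEB}
 - name: Build Wasm module
 shell: bash
 run: |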
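--- a/policy-release/action.yml
+++ b/policy-release/action.yml
@@ -11,7 +11,7 @@ inputs:
 oci-target:
 description: "OCI target repository for the resulting policy artifact"
 required: true
-GITHUB_TOKEN:
+github-token:
 description: "GitHub token to login into ghcr.io"
 required: true
 policy-working-dir:
@@ -36,7 +36,7 @@ runs:
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
-password: ${{ inputs.GITHUB_TOKEN }}
+password: ${{ inputs.github-token }}
 - name: Publish Wasm policy artifact to OCI registry with the 'latest' tag
 shell: bash
 if: ${{ startsWith(github.ref, 'refs/heads/') }}
@@ -79,7 +79,7 @@ runs:
 # if we are on a monorepo, we create a GH release directly and don't reuse a draft release
 uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
 env:
-GITHUB_TOKEN: ${{ inputs.GITHUB_TOKEN }}
+GITHUB_TOKEN: ${{ inputs.github-token }}
 with:
 tag_name: ${{ github.ref }}
 name: ${{ github.ref_name }}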