Skip to content

[StepSecurity] ci: Harden GitHub Actions #2980

[StepSecurity] ci: Harden GitHub Actions

[StepSecurity] ci: Harden GitHub Actions #2980

Workflow file for this run

name: Validate
on:
push:
branches: [main]
pull_request:
branches: [main]
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
permissions:
contents: read
jobs:
validate:
name: validate - ${{ matrix.name }}
runs-on: ${{ matrix.runner }}
container: ghcr.io/kedacore/keda-tools:1.23.3
strategy:
matrix:
include:
- runner: ARM64
name: arm64
- runner: ubuntu-latest
name: amd64
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Register workspace path
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
- name: Check go version
run: go version
- name: Set Go paths
id: go-paths
run: |
echo ::set-output name=mod_cache::$(go env GOMODCACHE)
echo ::set-output name=build_cache::$(go env GOCACHE)
- name: Go modules cache
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
with:
path: ${{ steps.go-paths.outputs.mod_cache }}
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
- name: Go build cache
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
with:
path: ${{ steps.go-paths.outputs.build_cache }}
key: ${{ runner.os }}-go-build-cache-${{ hashFiles('**/go.sum') }}
- name: Download Go Modules
run: go mod download
- name: Codegen
run: make verify-codegen
- name: Manifests
run: make verify-manifests
- name: Mockgen
run: make verify-mockgen
- name: Build
run: ARCH=${{ matrix.name }} make build
- name: Test
run: ARCH=${{ matrix.name }} make test
statics:
permissions:
contents: read # for actions/checkout to fetch code
pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
name: Static Checks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: "1.23"
- uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
with:
version: v1.60