From d2b9edf67e1fe61c1ef08df67927404a791ec2d8 Mon Sep 17 00:00:00 2001 From: Mark Mandel Date: Mon, 1 Jun 2026 11:26:19 -0700 Subject: [PATCH 1/2] build: pin GHA to commit SHAs, add workflow permissions and dependabot Pin all GitHub Actions references to immutable commit SHAs with inline version comments. Upgrade fossas/fossa-action from @main to v1.9.0. Add top-level permissions: {} to all workflow files and a missing contents: read block to fossa.yml (fixes code scanning alert #23). Add .github/dependabot.yml to enable weekly version update PRs for GitHub Actions. This was done (a) because it's a good idea, and (b) because we kept getting malicious PRs trying to get us to point GitHub Actions to invalid SHA targets. Signed-off-by: Mark Mandel --- .github/dependabot.yml | 25 ++++++++++++++++++++++ .github/workflows/close.yaml | 3 ++- .github/workflows/fossa.yml | 7 ++++-- .github/workflows/label-pr.yml | 3 ++- .github/workflows/labeler.yml | 3 ++- .github/workflows/obsolete.yaml | 3 ++- .github/workflows/pr_update.yml | 3 ++- .github/workflows/stale.yaml | 3 ++- .github/workflows/update_dependencies.yaml | 5 +++-- 9 files changed, 45 insertions(+), 10 deletions(-) create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..fc1a63e24c
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,25 @@
+---
+# Copyright Contributors to Agones a Series of LF Projects, LLC.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ commit-message:
+ prefix: "build"
+ labels:
+ - kind/cleanup
diff --git a/.github/workflows/close.yaml b/.github/workflows/close.yaml
index f8268ddee3..f87bf5d307 100644
--- a/.github/workflows/close.yaml
+++ b/.github/workflows/close.yaml
@@ -23,13 +23,14 @@ on:
 workflow_dispatch:
 schedule:
 - cron: 0 1 1,15 * *
+permissions: {}
 jobs:
 stale:
 runs-on: ubuntu-latest
 permissions:
 issues: write
 steps:
- - uses: actions/stale@v8
+ - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 days-before-issue-stale: 30
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
index c1e2cd46c4..445ea175a0 100644
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -23,12 +23,15 @@ on:
 - main
 workflow_dispatch:
+permissions: {}
 jobs:
 fossa:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
- - uses: actions/checkout@v4
- - uses: fossas/fossa-action@main
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: fossas/fossa-action@ff70fe9fe17cbd2040648f1c45e8ec4e4884dcf3 # v1.9.0
 with:
 api-key: ${{ secrets.FOSSA_API_KEY }}
 team: Agones
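Review bot: Nothing in the new file records the SHA-pinning convention it exists to maintain, so a later edit could drop a workflow back to a tag reference (the pattern the commit message says drew malicious PRs) without anything in the config flagging it. A short comment above `- package-ecosystem: github-actions` would keep the intent next to the schedule: `# Workflow actions are pinned to commit SHAs with a trailing version comment; Dependabot rewrites both together. Verify a bumped SHA resolves to the named tag in the upstream repository before merging.` That verification step is the only thing standing between a Dependabot-style PR and a pin that points somewhere other than the release it claims to be.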
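Review bot: The `# v8` comment beside the pinned `actions/stale` SHA names a floating major tag, so a reader cannot tell from the file which release the SHA was taken from without resolving it upstream; the same applies to the `# v4` on actions/checkout in fossa.yml, `# v6` in label-pr.yml, `# v1` in labeler.yml, `# v8` in obsolete.yaml and stale.yaml, and `# v3`/`# v2` in update_dependencies.yaml, whereas the fossa-action (`# v1.9.0`) and update-pr-branch (`# v0.6.0`) lines already record exact tags. Recording the exact tag the SHA resolves to keeps the pin auditable and matches what Dependabot writes back on its bumps: `- uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # vX.Y.Z (replace with the tag this SHA resolves to upstream)`. The stale step's `with:` block continues outside the hunk, so I cannot see whether PR processing is disabled; if it is not, the job's `issues: write` grant alone may be insufficient for the action to label pull requests, which is worth confirming now that the top-level `permissions: {}` removes the defaults.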
diff --git a/.github/workflows/label-pr.yml b/.github/workflows/label-pr.yml
index 4699708eac..7eae04cb91 100644
--- a/.github/workflows/label-pr.yml
+++ b/.github/workflows/label-pr.yml
@@ -17,6 +17,7 @@ #
 name: Label PR
 on: [pull_request_target]
+permissions: {}
 jobs:
 label:
 runs-on: ubuntu-latest
@@ -25,7 +26,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Label PR
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
 with:
 script: |-
 const keywords = {
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index b869cfa256..077e338d9d 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -17,6 +17,7 @@ name: labeler
 on:
 - pull_request_target
+permissions: {}
 jobs:
 labeler:
 runs-on: ubuntu-latest
@@ -25,7 +26,7 @@ jobs:
 pull-requests: write
 name: Label the PR size
 steps:
- - uses: codelytv/pr-size-labeler@v1
+ - uses: codelytv/pr-size-labeler@095a41fca88b8764fd9e008ad269bcdb82bb38b9 # v1
 with:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 xs_max_size: '10'
diff --git a/.github/workflows/obsolete.yaml b/.github/workflows/obsolete.yaml
index fbd185b690..46598f9ed3 100644
--- a/.github/workflows/obsolete.yaml
+++ b/.github/workflows/obsolete.yaml
@@ -21,6 +21,7 @@ on:
 schedule:
 - cron: 0 2 1,15 * *
 workflow_dispatch:
+permissions: {}
 jobs:
 stale:
 runs-on: ubuntu-latest
@@ -29,7 +30,7 @@ jobs:
 name: Track Obsolete Issues
 steps:
 - name: Track stale issues and check if obsolete
- uses: actions/stale@v8
+ uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 days-before-issue-stale: 30
diff --git a/.github/workflows/pr_update.yml b/.github/workflows/pr_update.yml
index 562f0978b7..831dd34ba7 100644
--- a/.github/workflows/pr_update.yml
+++ b/.github/workflows/pr_update.yml
@@ -21,6 +21,7 @@ name: PR update
 on:
 push:
 branches: [main]
+permissions: {}
 jobs:
 autoupdate:
 runs-on: ubuntu-latest
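Review bot: The SHA pin and the top-level `permissions: {}` are the right hardening for a `pull_request_target` workflow, but the residual exposure here is the `script: |-` body, which begins at the end of the hunk and continues outside it: on this trigger the job holds a `pull-requests: write` token for the base repository while the PR title, body and branch name are author-controlled. If any of those fields is spliced into the script with `${{ ... }}` expression syntax instead of being read from `context.payload.pull_request` inside the JavaScript, the field is interpreted as part of the script; I cannot confirm either way from this hunk, so it is worth checking while the workflow is being hardened. labeler.yml runs on the same trigger and hands the same write-scoped token to a third-party action, which is precisely the case the pin protects, so that pin should only move via Dependabot or after reading the upstream commit.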
@@ -29,7 +30,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Automatically update PR
- uses: adRise/update-pr-branch@v0.6.0
+ uses: adRise/update-pr-branch@437fab6e0ac7d2a668f2c479f64225edd7f303fd # v0.6.0
 with:
 token: ${{ secrets.AGONES_BOT }}
 base: main
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index 1235eb68bf..5f1ac90947 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -21,6 +21,7 @@ on:
 workflow_dispatch:
 schedule:
 - cron: 0 10 1,15 * *
+permissions: {}
 jobs:
 stale:
 runs-on: ubuntu-latest
@@ -29,7 +30,7 @@ jobs:
 name: stale issues
 steps:
 - name: Stale issues
- uses: actions/stale@v8
+ uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 days-before-issue-stale: 30
diff --git a/.github/workflows/update_dependencies.yaml b/.github/workflows/update_dependencies.yaml
index 51719e10d6..5bc223e93c 100644
--- a/.github/workflows/update_dependencies.yaml
+++ b/.github/workflows/update_dependencies.yaml
@@ -3,6 +3,7 @@ name: Update Dependencies
 on:
 schedule:
 - cron: 0 0 * * 1
+permissions: {}
 jobs:
 create_issue:
 name: Create update dependency issue once every six weeks
@@ -14,8 +15,8 @@ jobs:
 - name: Run this workflow only every six weeks (fail this step the other five weeks)
 run: |
 if [[ $(("( $(date +%s) - $(date +%s --date=20250310) ) / 86400 % 42")) -eq 0 ]] then exit 0; else exit 1; fi
- - uses: actions/checkout@v3
- - uses: JasonEtco/create-an-issue@v2
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+ - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with: From 5bae1427a7715a5435cddc692bea6ae64ea658e9 Mon Sep 17 00:00:00 2001 From: Mark Mandel Date: Mon, 1 Jun 2026 14:51:58 -0700 Subject: [PATCH 2/2] Linter updates
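Review bot: The job's `pull-requests: write` grant does not bound this step, because the pinned third-party action is handed `secrets.AGONES_BOT` rather than `GITHUB_TOKEN`, so its effective reach is whatever that PAT is scoped to and the new top-level `permissions: {}` does nothing for it. A comment on the `token:` line would keep that visible to the next reviewer: `# AGONES_BOT is a PAT; its scope, not the job permissions above, is what this action runs with - keep it minimal.` The `with:` block continues outside the hunk.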
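Review bot: The new top-level `permissions: {}` removes the default token grants, but this hunk shows no job-level `permissions:` under `create_issue`, and the lines between the two hunks of this file are not visible; if the job does not declare `permissions: issues: write`, the `JasonEtco/create-an-issue` step in the next hunk will fail (typically a 403 from the API) when it uses `GITHUB_TOKEN`. close.yaml, label-pr.yml and pr_update.yml all show their job-level grants in context in this patch, so this one is the one to confirm before merge.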
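Review bot: This hunk pins `actions/checkout` at a v3 SHA while the same patch pins it at v4 in fossa.yml, so the repository now carries two frozen majors of the same action; v3 is a Node 16 action, a runtime GitHub has been retiring, so the pin freezes a deprecated runtime until a major bump is accepted. Pinning the v4 SHA already used in fossa.yml keeps the two workflows consistent and gives Dependabot one line to track: `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4`. The create-an-issue step's `with:` block continues outside the hunk.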
Signed-off-by: Mark Mandel --- .github/workflows/close.yaml | 2 +- .github/workflows/fossa.yml | 4 ++-- .github/workflows/label-pr.yml | 2 +- .github/workflows/labeler.yml | 2 +- .github/workflows/obsolete.yaml | 2 +- .github/workflows/pr_update.yml | 2 +- .github/workflows/stale.yaml | 2 +- .github/workflows/update_dependencies.yaml | 4 ++-- 8 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/close.yaml b/.github/workflows/close.yaml
index f87bf5d307..53b21dee72 100644
--- a/.github/workflows/close.yaml
+++ b/.github/workflows/close.yaml
@@ -30,7 +30,7 @@ jobs:
 permissions:
 issues: write
 steps:
- - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8
+ - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 days-before-issue-stale: 30
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
index 445ea175a0..8140b05173 100644
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -30,8 +30,8 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- - uses: fossas/fossa-action@ff70fe9fe17cbd2040648f1c45e8ec4e4884dcf3 # v1.9.0
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: fossas/fossa-action@ff70fe9fe17cbd2040648f1c45e8ec4e4884dcf3 # v1.9.0
 with:
 api-key: ${{ secrets.FOSSA_API_KEY }}
 team: Agones
diff --git a/.github/workflows/label-pr.yml b/.github/workflows/label-pr.yml
index 7eae04cb91..56a2ac529f 100644
--- a/.github/workflows/label-pr.yml
+++ b/.github/workflows/label-pr.yml
@@ -26,7 +26,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Label PR
- uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
 with:
 script: |-
 const keywords = {
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 077e338d9d..0c2bcaa677 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -26,7 +26,7 @@ jobs:
 pull-requests: write
 name: Label the PR size
 steps:
- - uses: codelytv/pr-size-labeler@095a41fca88b8764fd9e008ad269bcdb82bb38b9 # v1
+ - uses: codelytv/pr-size-labeler@095a41fca88b8764fd9e008ad269bcdb82bb38b9 # v1
 with:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 xs_max_size: '10'
diff --git a/.github/workflows/obsolete.yaml b/.github/workflows/obsolete.yaml
index 46598f9ed3..76f1319582 100644
--- a/.github/workflows/obsolete.yaml
+++ b/.github/workflows/obsolete.yaml
@@ -30,7 +30,7 @@ jobs:
 name: Track Obsolete Issues
 steps:
 - name: Track stale issues and check if obsolete
- uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8
+ uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 days-before-issue-stale: 30
diff --git a/.github/workflows/pr_update.yml b/.github/workflows/pr_update.yml
index 831dd34ba7..81064b0782 100644
--- a/.github/workflows/pr_update.yml
+++ b/.github/workflows/pr_update.yml
@@ -30,7 +30,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Automatically update PR
- uses: adRise/update-pr-branch@437fab6e0ac7d2a668f2c479f64225edd7f303fd # v0.6.0
+ uses: adRise/update-pr-branch@437fab6e0ac7d2a668f2c479f64225edd7f303fd # v0.6.0
 with:
 token: ${{ secrets.AGONES_BOT }}
 base: main
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index 5f1ac90947..d22c81d6b5 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -30,7 +30,7 @@ jobs:
 name: stale issues
 steps:
 - name: Stale issues
- uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8
+ uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 days-before-issue-stale: 30
diff --git a/.github/workflows/update_dependencies.yaml b/.github/workflows/update_dependencies.yaml
index 5bc223e93c..ba9770756c 100644
--- a/.github/workflows/update_dependencies.yaml
+++ b/.github/workflows/update_dependencies.yaml
@@ -15,8 +15,8 @@ jobs:
 - name: Run this workflow only every six weeks (fail this step the other five weeks)
 run: |
 if [[ $(("( $(date +%s) - $(date +%s --date=20250310) ) / 86400 % 42")) -eq 0 ]] then exit 0; else exit 1; fi
- - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
- - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+ - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with: