apply security best practices

.github/dependabot.yml

@@ -0,0 +1,16 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: monthly
+
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: monthly

.github/workflows/build.yml

@@ -37,9 +37,13 @@ jobs:
       # DOCKER_TARGET_PLATFORM: linux/amd64,linux/arm/v7
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
 
     - name: Check out cache
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: |
           ~/go/pkg/mod

.github/workflows/codeql.yml

@@ -20,6 +20,9 @@ on:
     branches: [ "main" ]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -48,6 +51,11 @@ jobs:
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
       uses: actions/checkout@v4
 

.github/workflows/reuse.yml

@@ -8,6 +8,9 @@ on:
     branches: [ "main" ]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   reuse:
     name: reuse
@@ -18,6 +21,11 @@ jobs:
       security-events: write
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
       uses: actions/checkout@v4
 

.github/workflows/scorecard.yml

@@ -32,42 +32,47 @@ jobs:
       # actions: read
 
     steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
 
-      - name: "Run analysis"
-        uses: ossf/[email protected]
-        with:
-          results_file: results.sarif
-          results_format: sarif
-          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
-          # - you want to enable the Branch-Protection check on a *public* repository, or
-          # - you are installing Scorecard on a *private* repository
-          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+    - name: "Checkout code"
+      uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
-          # Public repositories:
-          #   - Publish results to OpenSSF REST API for easy access by consumers
-          #   - Allows the repository to include the Scorecard badge.
-          #   - See https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories:
-          #   - `publish_results` will always be set to `false`, regardless
-          #     of the value entered here.
-          publish_results: true
+    - name: "Run analysis"
+      uses: ossf/[email protected]
+      with:
+        results_file: results.sarif
+        results_format: sarif
+        # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+        # - you want to enable the Branch-Protection check on a *public* repository, or
+        # - you are installing Scorecard on a *private* repository
+        # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+        # repo_token: ${{ secrets.SCORECARD_TOKEN }}
 
-      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
-      # format to the repository Actions tab.
-      - name: "Upload artifact"
-        uses: actions/[email protected]
-        with:
-          name: SARIF file
-          path: results.sarif
-          retention-days: 5
+        # Public repositories:
+        #   - Publish results to OpenSSF REST API for easy access by consumers
+        #   - Allows the repository to include the Scorecard badge.
+        #   - See https://github.com/ossf/scorecard-action#publishing-results.
+        # For private repositories:
+        #   - `publish_results` will always be set to `false`, regardless
+        #     of the value entered here.
+        publish_results: true
 
-      # Upload the results to GitHub's code scanning dashboard.
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/[email protected]
-        with:
-          sarif_file: results.sarif
+    # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+    # format to the repository Actions tab.
+    - name: "Upload artifact"
+      uses: actions/[email protected]
+      with:
+        name: SARIF file
+        path: results.sarif
+        retention-days: 5
+
+    # Upload the results to GitHub's code scanning dashboard.
+    - name: "Upload to code-scanning"
+      uses: github/codeql-action/[email protected]
+      with:
+        sarif_file: results.sarif

Dockerfile

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-FROM golang:1.21-alpine as builder
+FROM golang:1.22-alpine as builder
 ARG gitVersion=0.0.0-dev
 ARG gitCommit=0000000000000000000000000000000000000000
 ARG gitTreeState="dirty"

pkg/operator/useless/Dockerfile

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 # Build the manager binary
-FROM golang:1.21 as builder
+FROM golang:1.22 as builder
 ARG TARGETOS
 ARG TARGETARCH