diff --git a/.github/workflows/overcloud-host-image-build.yml b/.github/workflows/overcloud-host-image-build.yml
index 5d8adf4256..5168304005 100644
--- a/.github/workflows/overcloud-host-image-build.yml
+++ b/.github/workflows/overcloud-host-image-build.yml
@@ -54,7 +54,7 @@ jobs:
 sudo /etc/init.d/ssh start
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: src/kayobe-config
@@ -79,8 +79,8 @@ jobs:
 run: |
 echo "${{ steps.host_image_tag.outputs.host_image_tag }}"
- - name: Clone StackHPC Kayobe repository
- uses: actions/checkout@v4
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 repository: stackhpc/kayobe
 ref: refs/heads/stackhpc/${{ steps.openstack_release.outputs.openstack_release }}
@@ -96,7 +96,7 @@ jobs:
 pip install ../src/kayobe
 - name: Install terraform
- uses: hashicorp/setup-terraform@v2
+ uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
 - name: Initialise terraform
 run: terraform init
@@ -501,7 +501,7 @@ jobs:
 steps.build_ubuntu_jammy.outcome == 'failure'
 - name: Upload logs artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
 with:
 name: Build logs
 path: ./logs
diff --git a/.github/workflows/overcloud-host-image-promote.yml b/.github/workflows/overcloud-host-image-promote.yml
index 1e91a50cdb..d372f14c64 100644
--- a/.github/workflows/overcloud-host-image-promote.yml
+++ b/.github/workflows/overcloud-host-image-promote.yml
@@ -35,7 +35,7 @@ jobs:
 if: github.repository == 'stackhpc/stackhpc-kayobe-config'
 runs-on: ubuntu-22.04
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: src/kayobe-config
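Review bot: Renaming the second checkout step from `Clone StackHPC Kayobe repository` to `Checkout` in the @@ -79 hunk of overcloud-host-image-build.yml leaves this job with two steps called `Checkout` (the first is visible in the @@ -54 hunk of the same job), so job logs and failure annotations no longer say which repository was being fetched. The step still checks out `stackhpc/kayobe` at a release branch into its own path, so a distinguishing name such as `- name: Checkout StackHPC Kayobe repository` keeps the SHA pin without losing that information. The equivalent step in overcloud-host-image-promote.yml and overcloud-host-image-upload.yml keeps its original name in this commit, which suggests the rename here was not intended.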
@@ -47,7 +47,7 @@ jobs:
 working-directory: src/kayobe-config
 - name: Clone StackHPC Kayobe repository
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 repository: stackhpc/kayobe
 ref: refs/heads/stackhpc/${{ steps.openstack_release.outputs.openstack_release }}
diff --git a/.github/workflows/overcloud-host-image-upload.yml b/.github/workflows/overcloud-host-image-upload.yml
index a648744afc..fc670604e3 100644
--- a/.github/workflows/overcloud-host-image-upload.yml
+++ b/.github/workflows/overcloud-host-image-upload.yml
@@ -51,7 +51,7 @@ jobs:
 sudo apt update
 sudo apt install -y build-essential git unzip nodejs python3-wheel python3-pip python3-venv
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: src/kayobe-config
@@ -62,7 +62,7 @@ jobs:
 echo "openstack_release=${BRANCH}" | sed -E "s,(stable|unmaintained)/,," >> $GITHUB_OUTPUT
 - name: Clone StackHPC Kayobe repository
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 repository: stackhpc/kayobe
 ref: refs/heads/stackhpc/${{ steps.openstack_release.outputs.openstack_release }}
diff --git a/.github/workflows/stackhpc-all-in-one.yml b/.github/workflows/stackhpc-all-in-one.yml
index 7f426d3f87..415d7d0307 100644
--- a/.github/workflows/stackhpc-all-in-one.yml
+++ b/.github/workflows/stackhpc-all-in-one.yml
@@ -77,12 +77,13 @@ jobs:
 KAYOBE_VAULT_PASSWORD: ${{ secrets.KAYOBE_VAULT_PASSWORD }}
 KAYOBE_IMAGE: ${{ inputs.kayobe_image }}
 steps:
- - name: Install Package
- uses: ConorMacBride/install-package@main
- with:
- apt: git unzip nodejs openssh-client
+ - name: Install Package dependencies
+ run: |
+ sudo apt update &&
+ sudo apt install -y git unzip nodejs openssh-client
- - uses: actions/checkout@v4
+ - name: Checkout config
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 submodules: true
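Review bot: The pinned `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd` in the @@ -47 hunk of overcloud-host-image-promote.yml has no trailing version comment, unlike every other pin in this commit, which carries `# v6.0.2`. That comment is what lets a reviewer, and update tooling that rewrites it together with the SHA, see which release a bare commit id corresponds to, so the line should read `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`. The same omission occurs on the `Clone StackHPC Kayobe repository` step in overcloud-host-image-upload.yml (@@ -62) and in stackhpc-container-image-build.yml (@@ -125).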
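Review bot: The new `run: |` block in the @@ -77 hunk of stackhpc-all-in-one.yml drives the `apt` front-end, which warns on every non-interactive run that its command line is not stable for scripts; the scripted form is `apt-get`. GitHub runs `run:` steps under `bash -e`, so the `&&` carried onto the second line is not needed to stop on a failed update, and two plain lines read more naturally: `sudo apt-get update` followed by `sudo apt-get install -y git unzip nodejs openssh-client`. This is a style point only; the step's behaviour is otherwise correct.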
@@ -106,7 +107,7 @@ jobs:
 fi
 - name: Install terraform
- uses: hashicorp/setup-terraform@v2
+ uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
 - name: Initialise terraform
 run: terraform init
@@ -320,7 +321,7 @@ jobs:
 if: ${{ always() && steps.tf_apply.outcome == 'success' }}
 - name: Upload test result artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
 with:
 name: test-results-${{ inputs.os_distribution }}-${{ inputs.os_release }}-${{ inputs.neutron_plugin }}
 path: |
diff --git a/.github/workflows/stackhpc-build-kayobe-image.yml b/.github/workflows/stackhpc-build-kayobe-image.yml
index e500fd8045..ddf205c66b 100644
--- a/.github/workflows/stackhpc-build-kayobe-image.yml
+++ b/.github/workflows/stackhpc-build-kayobe-image.yml
@@ -51,12 +51,12 @@ jobs:
 steps:
 # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
 - name: Checkout kayobe config
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 submodules: true
 - name: Log in to the Container registry
- uses: docker/login-action@v3
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -64,12 +64,12 @@ jobs:
 - name: Extract metadata (tags, labels) for Docker
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 with:
 driver-opts: |
 image=moby/buildkit:master
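Review bot: The `docker/setup-buildx-action` step pinned in the @@ -64 hunk of stackhpc-build-kayobe-image.yml still configures `driver-opts: | image=moby/buildkit:master`, a floating tag on a third-party registry image, so the build toolchain of this job is not actually pinned after this commit even though every action in it now is. Those are context lines and the commit does not touch them, but the supply-chain reasoning behind the SHA pins applies equally to the builder image; consider pinning it to a release tag or digest, or adding a comment above the line recording why `master` is required. The buildx step continues past the end of the hunk.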
@@ -85,7 +85,7 @@ jobs:
 # Setting KAYOBE_USER_UID and KAYOBE_USER_GID to 1001 to match docker's defaults
 # so that docker can run as a privileged user within the Kayobe image.
 - name: Build and push Docker image
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
 with:
 file: ./.automation/docker/kayobe/Dockerfile
 context: .
@@ -100,8 +100,9 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 - name: Send message to Slack via Workflow Builder
- uses: slackapi/slack-github-action@v1.26.0
+ uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
 with:
+ webhook-type: "incoming-webhook"
 payload: |
 {
 "channel-id": "${{ env.SLACK_CHANNEL_ID }}",
diff --git a/.github/workflows/stackhpc-ci-cleanup.yml b/.github/workflows/stackhpc-ci-cleanup.yml
index a14b2970c5..6c431d7fa6 100644
--- a/.github/workflows/stackhpc-ci-cleanup.yml
+++ b/.github/workflows/stackhpc-ci-cleanup.yml
@@ -13,12 +13,12 @@ jobs:
 permissions: {}
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: src/kayobe-config
 - name: Setup Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 - name: Generate clouds.yaml
 run: |
@@ -77,8 +77,9 @@ jobs:
 OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
 - name: Send message to Slack via Workflow Builder
- uses: slackapi/slack-github-action@v1.26.0
+ uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
 with:
+ webhook-type: "incoming-webhook"
 payload: |
 {
 "channel-id": "${{ env.SLACK_CHANNEL_ID }}",
diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml
index 56c5bb0517..8ffc4d0af0 100644
--- a/.github/workflows/stackhpc-container-image-build.yml
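Review bot: The added `webhook-type: "incoming-webhook"` in the @@ -100 hunk of stackhpc-build-kayobe-image.yml may not match how the webhook is used: the step is named `Send message to Slack via Workflow Builder` and its payload carries a custom `channel-id` variable, which is the Workflow Builder trigger pattern, whereas a Slack incoming webhook expects a message payload (`text` or `blocks`). slackapi/slack-github-action from v2 onwards distinguishes the two through this input, using `webhook-trigger` for Workflow Builder, so if the configured URL is a Workflow Builder trigger the line should be `webhook-type: webhook-trigger`; this is inferred from the step name and payload only, since the `webhook` input and the rest of the payload lie outside the hunk. The same addition appears in stackhpc-ci-cleanup.yml (@@ -77) and stackhpc-promote.yml (@@ -29) and should be checked together, ideally by exercising one of the notification paths before merge.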
+++ b/.github/workflows/stackhpc-container-image-build.yml
@@ -58,7 +58,7 @@ jobs:
 openstack_release: ${{ steps.openstack_release.outputs.openstack_release }}
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Determine OpenStack release
 id: openstack_release
@@ -125,12 +125,12 @@ jobs:
 sudo apt install gh -y
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: src/kayobe-config
 - name: Clone StackHPC Kayobe repository
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 repository: stackhpc/kayobe
 ref: refs/heads/stackhpc/${{ needs.generate-tag.outputs.openstack_release }}
@@ -284,7 +284,7 @@ jobs:
 if: inputs.push
 - name: Upload output artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
 with:
 name: ${{ matrix.distro }}-logs
 path: image-build-logs
diff --git a/.github/workflows/stackhpc-promote.yml b/.github/workflows/stackhpc-promote.yml
index 386d4d405f..998173e7fc 100644
--- a/.github/workflows/stackhpc-promote.yml
+++ b/.github/workflows/stackhpc-promote.yml
@@ -29,8 +29,9 @@ jobs:
 echo "::notice Package repository promote workflow: https://github.com/stackhpc/stackhpc-release-train/actions/workflows/package-promote.yml"
 - name: Send message to Slack via Workflow Builder
- uses: slackapi/slack-github-action@v1.26.0
+ uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
 with:
+ webhook-type: "incoming-webhook"
 payload: |
 {
 "channel-id": "${{ env.SLACK_CHANNEL_ID }}",
diff --git a/.github/workflows/stackhpc-pull-request.yml b/.github/workflows/stackhpc-pull-request.yml
index ec0ddccfba..86e29fbbff 100644
--- a/.github/workflows/stackhpc-pull-request.yml
+++ b/.github/workflows/stackhpc-pull-request.yml
@@ -16,16 +16,17 @@ jobs:
 runs-on: ubuntu-22.04
 permissions:
 pull-requests: read
+ packages: none
 name: Check changed files
 if: github.repository == 'stackhpc/stackhpc-kayobe-config'
 outputs:
 aio: ${{ steps.changes.outputs.aio }}
 steps:
 - name: GitHub Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Check changed files
- uses: dorny/paths-filter@v3
+ uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
 id: changes
 with:
 # Filters are defined in this file.
@@ -47,11 +48,11 @@ jobs:
 if: github.repository == 'stackhpc/stackhpc-kayobe-config'
 steps:
 - name: GitHub Checkout 🛎
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 - name: Setup Python ${{ matrix.python-version }} 🐍
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install Tox 📦
@@ -69,6 +70,9 @@ jobs:
 build-kayobe-image:
 name: Build Kayobe Image
+ permissions:
+ contents: read
+ packages: write # required by docker/build-push-action
 needs:
 - check-changes
 uses: ./.github/workflows/stackhpc-build-kayobe-image.yml
@@ -172,6 +176,7 @@ jobs:
 all-in-one-ubuntu-jammy-ovs:
 name: aio (Ubuntu Jammy OVS)
+ permissions: {}
 needs:
 - check-changes
 - build-kayobe-image
@@ -206,6 +211,7 @@ jobs:
 all-in-one-rocky-9-ovs:
 name: aio (Rocky 9 OVS)
+ permissions: {}
 needs:
 - check-changes
 - build-kayobe-image
@@ -223,6 +229,7 @@ jobs:
 all-in-one-rocky-9-ovn:
 name: aio (Rocky 9 OVN)
+ permissions: {}
 needs:
 - check-changes
 - build-kayobe-image
diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml
index 13e6a1f22c..4c196184a2 100644
--- a/etc/kayobe/kolla.yml
+++ b/etc/kayobe/kolla.yml
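Review bot: The added `packages: none` under `permissions:` in the @@ -16 hunk of stackhpc-pull-request.yml is redundant: the job already listed `pull-requests: read`, and once any scope is listed GitHub sets every unlisted scope to `none`, so the token could not reach packages before this change either. Keeping it is harmless, but a reader will assume it changes something; either drop the line or make the intent explicit with a comment, e.g. `packages: none  # explicit: this job must never touch the container registry`. The job definition continues past the end of the hunk.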
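Review bot: The `permissions: {}` added to the `all-in-one-ubuntu-jammy-ovs` job in the @@ -172 hunk (and to the two Rocky 9 jobs in the @@ -206 and @@ -223 hunks) hands the called stackhpc-all-in-one.yml workflow a GITHUB_TOKEN with no scopes, and that workflow checks out this repository with `submodules: true` (visible in its @@ -77 hunk in this commit). Checkout of a public repository generally succeeds with an empty token, but any private submodule, or any step in the reusable workflow that reads packages or posts check results, would now fail at run time rather than at validation; this is inferred, since the reusable workflow is only partly visible here, so confirm it on a pull-request run before merging. If `contents: read` turns out to be needed, `permissions:` with `contents: read` is the minimal grant. Each job definition continues past the end of its hunk.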
@@ -134,6 +134,10 @@ kolla_sources:
 type: git
 location: https://github.com/stackhpc/stackhpc-inspector-plugins.git
 reference: 1.3.0
+ keystone-base:
+ type: git
+ location: https://github.com/stackhpc/keystone.git
+ reference: stackhpc/{{ openstack_release }}
 magnum-base:
 type: git
 location: https://github.com/stackhpc/magnum.git
diff --git a/etc/kayobe/kolla/globals.yml b/etc/kayobe/kolla/globals.yml
index 8f9c79f4c6..73828e5ab0 100644
--- a/etc/kayobe/kolla/globals.yml
+++ b/etc/kayobe/kolla/globals.yml
@@ -32,9 +32,9 @@ kayobe_image_tags:
 rocky: yoga-20240320T082414
 ubuntu: yoga-20240320T082414
 keystone:
- centos: yoga-20260401T104301
- rocky: yoga-20260401T104301
- ubuntu: yoga-20260401T104301
+ centos: yoga-20260528T064235
+ rocky: yoga-20260528T064235
+ ubuntu: yoga-20260528T064235
 magnum:
 centos: yoga-20240416T102136
 rocky: yoga-20240416T102136
diff --git a/releasenotes/notes/fix-keystone-multiple-cves-6166cf4143f53fd3.yaml b/releasenotes/notes/fix-keystone-multiple-cves-6166cf4143f53fd3.yaml
new file mode 100644
index 0000000000..0ae7675587
--- /dev/null
+++ b/releasenotes/notes/fix-keystone-multiple-cves-6166cf4143f53fd3.yaml
@@ -0,0 +1,5 @@
+---
+security:
+ - |
+ Fixes CVE-2026-42998, CVE-2026-42999, CVE-2026-43000, CVE-2026-43001
+ and CVE-2026-44394 with updated Keystone images.
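Review bot: The new `keystone-base` source in the @@ -134 hunk of etc/kayobe/kolla.yml points at `reference: stackhpc/{{ openstack_release }}`, a branch that moves, while the adjacent `stackhpc-inspector-plugins` entry pins `reference: 1.3.0`. Because this commit's release note attributes specific CVE fixes to the resulting Keystone images, a branch reference means a later rebuild can pick up code that differs from what was built and tested, and the image cannot be audited back to the exact Keystone commit that carried the fixes. If the fork publishes tags, `reference: <TAG_OR_COMMIT_CONTAINING_THE_FIXES>` (placeholder) would make the image reproducible; if branch tracking is the deliberate convention for the other `*-base` entries, only `magnum-base`'s location is visible here, so a comment on the new entry stating that convention would help. The `kolla_sources` mapping continues past the end of the hunk.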