From ec3075a447c53db8c4f81070fb0667534d03cdd3 Mon Sep 17 00:00:00 2001
From: Alex Welsh
Date: Wed, 1 Apr 2026 15:50:05 +0100
Subject: [PATCH 01/17] Pin actions
Pins actions/checkout to v6.0.2 commit hash instead of the tag.
---
 .github/workflows/overcloud-host-image-build.yml | 6 +++---
 .github/workflows/overcloud-host-image-promote.yml | 2 +-
 .github/workflows/overcloud-host-image-upload.yml | 2 +-
 .github/workflows/stackhpc-all-in-one.yml | 3 ++-
 .github/workflows/stackhpc-build-kayobe-image.yml | 2 +-
 .github/workflows/stackhpc-ci-cleanup.yml | 2 +-
 .github/workflows/stackhpc-container-image-build.yml | 4 ++--
 .github/workflows/stackhpc-pull-request.yml | 4 ++--
 8 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/overcloud-host-image-build.yml b/.github/workflows/overcloud-host-image-build.yml
index 5d8adf4256..0e8d34cdb7 100644
--- a/.github/workflows/overcloud-host-image-build.yml
+++ b/.github/workflows/overcloud-host-image-build.yml
@@ -54,7 +54,7 @@ jobs:
 sudo /etc/init.d/ssh start
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: src/kayobe-config
@@ -79,8 +79,8 @@ jobs:
 run: |
 echo "${{ steps.host_image_tag.outputs.host_image_tag }}"
- - name: Clone StackHPC Kayobe repository
- uses: actions/checkout@v4
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 repository: stackhpc/kayobe
 ref: refs/heads/stackhpc/${{ steps.openstack_release.outputs.openstack_release }}
diff --git a/.github/workflows/overcloud-host-image-promote.yml b/.github/workflows/overcloud-host-image-promote.yml
index 1e91a50cdb..2d321c76eb 100644
--- a/.github/workflows/overcloud-host-image-promote.yml
+++ b/.github/workflows/overcloud-host-image-promote.yml
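Review bot: The second hunk of overcloud-host-image-build.yml renames the `Clone StackHPC Kayobe repository` step to `Checkout`, so the job now carries two steps with the same name and the run log no longer says which repository each one fetches; keep the descriptive name, `- name: Clone StackHPC Kayobe repository`, and only change the `uses:` line. The `# v6.0.2` comments beside the new pins are informational only — nothing on the page ties the hash to that tag — so the commit message should say how the hash was obtained, or the pins should be maintained by Dependabot/Renovate, which keep hash and comment in step. actions/checkout v5 and later run on Node 24; that is fine on GitHub-hosted runners but is worth confirming for any self-hosted runner these workflows use, which the hunks do not show.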
@@ -35,7 +35,7 @@ jobs:
 if: github.repository == 'stackhpc/stackhpc-kayobe-config'
 runs-on: ubuntu-22.04
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: src/kayobe-config
diff --git a/.github/workflows/overcloud-host-image-upload.yml b/.github/workflows/overcloud-host-image-upload.yml
index a648744afc..2f64511cb8 100644
--- a/.github/workflows/overcloud-host-image-upload.yml
+++ b/.github/workflows/overcloud-host-image-upload.yml
@@ -51,7 +51,7 @@ jobs:
 sudo apt update
 sudo apt install -y build-essential git unzip nodejs python3-wheel python3-pip python3-venv
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: src/kayobe-config
diff --git a/.github/workflows/stackhpc-all-in-one.yml b/.github/workflows/stackhpc-all-in-one.yml
index 7f426d3f87..745418b612 100644
--- a/.github/workflows/stackhpc-all-in-one.yml
+++ b/.github/workflows/stackhpc-all-in-one.yml
@@ -82,7 +82,8 @@ jobs:
 with:
 apt: git unzip nodejs openssh-client
- - uses: actions/checkout@v4
+ - name: Checkout config
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 submodules: true
diff --git a/.github/workflows/stackhpc-build-kayobe-image.yml b/.github/workflows/stackhpc-build-kayobe-image.yml
index e500fd8045..025def0112 100644
--- a/.github/workflows/stackhpc-build-kayobe-image.yml
+++ b/.github/workflows/stackhpc-build-kayobe-image.yml
@@ -51,7 +51,7 @@ jobs:
 steps:
 # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
 - name: Checkout kayobe config
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 submodules: true
diff --git a/.github/workflows/stackhpc-ci-cleanup.yml b/.github/workflows/stackhpc-ci-cleanup.yml
index a14b2970c5..9e50de5a00 100644
--- a/.github/workflows/stackhpc-ci-cleanup.yml
+++ b/.github/workflows/stackhpc-ci-cleanup.yml
@@ -13,7 +13,7 @@ jobs:
 permissions: {}
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: src/kayobe-config
diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml
index 56c5bb0517..93ee1d7881 100644
--- a/.github/workflows/stackhpc-container-image-build.yml
+++ b/.github/workflows/stackhpc-container-image-build.yml
@@ -58,7 +58,7 @@ jobs:
 openstack_release: ${{ steps.openstack_release.outputs.openstack_release }}
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Determine OpenStack release
 id: openstack_release
@@ -125,7 +125,7 @@ jobs:
 sudo apt install gh -y
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: src/kayobe-config
diff --git a/.github/workflows/stackhpc-pull-request.yml b/.github/workflows/stackhpc-pull-request.yml
index ec0ddccfba..bc855d9e0d 100644
--- a/.github/workflows/stackhpc-pull-request.yml
+++ b/.github/workflows/stackhpc-pull-request.yml
@@ -22,7 +22,7 @@ jobs:
 aio: ${{ steps.changes.outputs.aio }}
 steps:
 - name: GitHub Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Check changed files
 uses: dorny/paths-filter@v3
@@ -47,7 +47,7 @@ jobs:
 if: github.repository == 'stackhpc/stackhpc-kayobe-config'
 steps:
 - name: GitHub Checkout 🛎
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 - name: Setup Python ${{ matrix.python-version }} 🐍
From c727651f7e074fa60d7bab069f7eff1bc0ad4271 Mon Sep 17 00:00:00 2001
From: Alex Welsh
Date: Wed, 1 Apr 2026 15:50:07 +0100
Subject: [PATCH 02/17] Pins actions/setup-python to a309ff8b426b58ec0e2a45f0f869d46889d02405
Pins actions/setup-python to v6.2.0 commit hash instead of the tag.
---
 .github/workflows/stackhpc-ci-cleanup.yml | 2 +-
 .github/workflows/stackhpc-pull-request.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/stackhpc-ci-cleanup.yml b/.github/workflows/stackhpc-ci-cleanup.yml
index 9e50de5a00..be4f2981a0 100644
--- a/.github/workflows/stackhpc-ci-cleanup.yml
+++ b/.github/workflows/stackhpc-ci-cleanup.yml
@@ -18,7 +18,7 @@ jobs:
 path: src/kayobe-config
 - name: Setup Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 - name: Generate clouds.yaml
 run: |
diff --git a/.github/workflows/stackhpc-pull-request.yml b/.github/workflows/stackhpc-pull-request.yml
index bc855d9e0d..4a167221b8 100644
--- a/.github/workflows/stackhpc-pull-request.yml
+++ b/.github/workflows/stackhpc-pull-request.yml
@@ -51,7 +51,7 @@ jobs:
 with:
 fetch-depth: 0
 - name: Setup Python ${{ matrix.python-version }} 🐍
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install Tox 📦
From f358bfeddfa4f1929350c78aa57d76e593bfe98c Mon Sep 17 00:00:00 2001
From: Alex Welsh
Date: Wed, 1 Apr 2026 15:50:08 +0100
Subject: [PATCH 03/17] Updates actions/upload-artifact and pins to bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
Updates actions/upload-artifact from v6 to v7.0.0 and pins to a specific commit hash instead of the tag.
---
 .github/workflows/overcloud-host-image-build.yml | 2 +-
 .github/workflows/stackhpc-all-in-one.yml | 2 +-
 .github/workflows/stackhpc-container-image-build.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/overcloud-host-image-build.yml b/.github/workflows/overcloud-host-image-build.yml
index 0e8d34cdb7..2b4aaa9f48 100644
--- a/.github/workflows/overcloud-host-image-build.yml
+++ b/.github/workflows/overcloud-host-image-build.yml
@@ -501,7 +501,7 @@ jobs:
 steps.build_ubuntu_jammy.outcome == 'failure'
 - name: Upload logs artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
 with:
 name: Build logs
 path: ./logs
diff --git a/.github/workflows/stackhpc-all-in-one.yml b/.github/workflows/stackhpc-all-in-one.yml
index 745418b612..c35c115b23 100644
--- a/.github/workflows/stackhpc-all-in-one.yml
+++ b/.github/workflows/stackhpc-all-in-one.yml
@@ -321,7 +321,7 @@ jobs:
 if: ${{ always() && steps.tf_apply.outcome == 'success' }}
 - name: Upload test result artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
 with:
 name: test-results-${{ inputs.os_distribution }}-${{ inputs.os_release }}-${{ inputs.neutron_plugin }}
 path: |
diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml
index 93ee1d7881..6e4ae53bd4 100644
--- a/.github/workflows/stackhpc-container-image-build.yml
+++ b/.github/workflows/stackhpc-container-image-build.yml
@@ -284,7 +284,7 @@ jobs:
 if: inputs.push
 - name: Upload output artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
 with:
 name: ${{ matrix.distro }}-logs
 path: image-build-logs
From 86a111c25279c75e4a876fd5a4bea12de39cc335 Mon Sep 17 00:00:00 2001
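Review bot: The commit message for PATCH 03 says actions/upload-artifact is updated "from v6", but the removed line in all three hunks is `uses: actions/upload-artifact@v4`, so the jump is v4 → v7.0.0, three major versions. The same mismatch recurs in PATCH 04 (message says "from v6", hunk removes `docker/build-push-action@v5`) and PATCH 09 (message says "from v3", hunks remove `hashicorp/setup-terraform@v2`). Correct the messages so the true size of each major-version jump is recorded, and note whatever release-notes review was done, since a multi-major upgrade is more than a pin change and the hunks alone cannot show whether inputs such as `name:`/`path:` still behave the same.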
From: Alex Welsh
Date: Wed, 1 Apr 2026 15:50:11 +0100
Subject: [PATCH 04/17] Updates docker/build-push-action and pins to d08e5c354a6adb9ed34480a06d141179aa583294
Updates docker/build-push-action from v6 to v7.0.0 and pins to a specific commit hash instead of the tag.
---
 .github/workflows/stackhpc-build-kayobe-image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/stackhpc-build-kayobe-image.yml b/.github/workflows/stackhpc-build-kayobe-image.yml
index 025def0112..e413c53ab0 100644
--- a/.github/workflows/stackhpc-build-kayobe-image.yml
+++ b/.github/workflows/stackhpc-build-kayobe-image.yml
@@ -85,7 +85,7 @@ jobs:
 # Setting KAYOBE_USER_UID and KAYOBE_USER_GID to 1001 to match docker's defaults
 # so that docker can run as a privileged user within the Kayobe image.
 - name: Build and push Docker image
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
 with:
 file: ./.automation/docker/kayobe/Dockerfile
 context: .
From 484d7fb8ab325ad1cfe61cb64d5d8783144a2ff4 Mon Sep 17 00:00:00 2001
From: Alex Welsh
Date: Wed, 1 Apr 2026 15:50:11 +0100
Subject: [PATCH 05/17] Updates docker/login-action and pins to b45d80f862d83dbcd57f89517bcf500b2ab88fb2
Updates docker/login-action from v3 to v4.0.0 and pins to a specific commit hash instead of the tag.
---
 .github/workflows/stackhpc-build-kayobe-image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/stackhpc-build-kayobe-image.yml b/.github/workflows/stackhpc-build-kayobe-image.yml
index e413c53ab0..8f2a2d22f4 100644
--- a/.github/workflows/stackhpc-build-kayobe-image.yml
+++ b/.github/workflows/stackhpc-build-kayobe-image.yml
@@ -56,7 +56,7 @@ jobs:
 submodules: true
 - name: Log in to the Container registry
- uses: docker/login-action@v3
+ uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
From dd75458e30efba04f3b31c8c4fac4347bf8a9b4d Mon Sep 17 00:00:00 2001
From: Alex Welsh
Date: Wed, 1 Apr 2026 15:50:13 +0100
Subject: [PATCH 06/17] Updates docker/metadata-action and pins to 030e881283bb7a6894de51c315a6bfe6a94e05cf
Updates docker/metadata-action from v5 to v6.0.0 and pins to a specific commit hash instead of the tag.
---
 .github/workflows/stackhpc-build-kayobe-image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/stackhpc-build-kayobe-image.yml b/.github/workflows/stackhpc-build-kayobe-image.yml
index 8f2a2d22f4..11717bff71 100644
--- a/.github/workflows/stackhpc-build-kayobe-image.yml
+++ b/.github/workflows/stackhpc-build-kayobe-image.yml
@@ -64,7 +64,7 @@ jobs:
 - name: Extract metadata (tags, labels) for Docker
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
From ddaafcec8b07d0b9527fc47317ae6e4356bc36a4 Mon Sep 17 00:00:00 2001
From: Alex Welsh
Date: Wed, 1 Apr 2026 15:50:14 +0100
Subject: [PATCH 07/17] Updates docker/setup-buildx-action and pins to 4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
Updates docker/setup-buildx-action from v3 to v4.0.0 and pins to a specific commit hash instead of the tag.
---
 .github/workflows/stackhpc-build-kayobe-image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/stackhpc-build-kayobe-image.yml b/.github/workflows/stackhpc-build-kayobe-image.yml
index 11717bff71..833e738573 100644
--- a/.github/workflows/stackhpc-build-kayobe-image.yml
+++ b/.github/workflows/stackhpc-build-kayobe-image.yml
@@ -69,7 +69,7 @@ jobs:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 with:
 driver-opts: |
 image=moby/buildkit:master
From 37e21f30c6e53ce6ffe7edde5e392cae8a0bbccb Mon Sep 17 00:00:00 2001
From: Alex Welsh
Date: Wed, 1 Apr 2026 15:50:15 +0100
Subject: [PATCH 08/17] Updates dorny/paths-filter and pins to fbd0ab8f3e69293af611ebaee6363fc25e6d187d
Updates dorny/paths-filter from v3 to v4.0.1 and pins to a specific commit hash instead of the tag.
---
 .github/workflows/stackhpc-pull-request.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/stackhpc-pull-request.yml b/.github/workflows/stackhpc-pull-request.yml
index 4a167221b8..00a84f11b8 100644
--- a/.github/workflows/stackhpc-pull-request.yml
+++ b/.github/workflows/stackhpc-pull-request.yml
@@ -25,7 +25,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Check changed files
- uses: dorny/paths-filter@v3
+ uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
 id: changes
 with:
 # Filters are defined in this file.
From ed8cb3c49b03fb1edccab65be815561aeaee6f3d Mon Sep 17 00:00:00 2001
From: Alex Welsh
Date: Wed, 1 Apr 2026 15:50:16 +0100
Subject: [PATCH 09/17] Updates hashicorp/setup-terraform and pins to 5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85
Updates hashicorp/setup-terraform from v3 to v4.0.0 and pins to a specific commit hash instead of the tag.
---
 .github/workflows/overcloud-host-image-build.yml | 2 +-
 .github/workflows/stackhpc-all-in-one.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/overcloud-host-image-build.yml b/.github/workflows/overcloud-host-image-build.yml
index 2b4aaa9f48..5168304005 100644
--- a/.github/workflows/overcloud-host-image-build.yml
+++ b/.github/workflows/overcloud-host-image-build.yml
@@ -96,7 +96,7 @@ jobs:
 pip install ../src/kayobe
 - name: Install terraform
- uses: hashicorp/setup-terraform@v2
+ uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
 - name: Initialise terraform
 run: terraform init
diff --git a/.github/workflows/stackhpc-all-in-one.yml b/.github/workflows/stackhpc-all-in-one.yml
index c35c115b23..16f89bd73a 100644
--- a/.github/workflows/stackhpc-all-in-one.yml
+++ b/.github/workflows/stackhpc-all-in-one.yml
@@ -107,7 +107,7 @@ jobs:
 fi
 - name: Install terraform
- uses: hashicorp/setup-terraform@v2
+ uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
 - name: Initialise terraform
 run: terraform init
From c4e03276e92f453935a1c4562212e5daf61d3f4d Mon Sep 17 00:00:00 2001
From: Alex Welsh
Date: Wed, 1 Apr 2026 15:50:18 +0100
Subject: [PATCH 10/17] Updates slackapi/slack-github-action and pins to af78098f536edbc4de71162a307590698245be95
Updates slackapi/slack-github-action from v1.26.0 to v3.0.1 and pins to a specific commit hash instead of the tag.
---
 .github/workflows/stackhpc-build-kayobe-image.yml | 2 +-
 .github/workflows/stackhpc-ci-cleanup.yml | 2 +-
 .github/workflows/stackhpc-promote.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/stackhpc-build-kayobe-image.yml b/.github/workflows/stackhpc-build-kayobe-image.yml
index 833e738573..0f81ce8144 100644
--- a/.github/workflows/stackhpc-build-kayobe-image.yml
+++ b/.github/workflows/stackhpc-build-kayobe-image.yml
@@ -100,7 +100,7 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 - name: Send message to Slack via Workflow Builder
- uses: slackapi/slack-github-action@v1.26.0
+ uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
 with:
 payload: |
 {
diff --git a/.github/workflows/stackhpc-ci-cleanup.yml b/.github/workflows/stackhpc-ci-cleanup.yml
index be4f2981a0..4c57365a98 100644
--- a/.github/workflows/stackhpc-ci-cleanup.yml
+++ b/.github/workflows/stackhpc-ci-cleanup.yml
@@ -77,7 +77,7 @@ jobs:
 OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
 - name: Send message to Slack via Workflow Builder
- uses: slackapi/slack-github-action@v1.26.0
+ uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
 with:
 payload: |
 {
diff --git a/.github/workflows/stackhpc-promote.yml b/.github/workflows/stackhpc-promote.yml
index 386d4d405f..1df48b453e 100644
--- a/.github/workflows/stackhpc-promote.yml
+++ b/.github/workflows/stackhpc-promote.yml
@@ -29,7 +29,7 @@ jobs:
 echo "::notice Package repository promote workflow: https://github.com/stackhpc/stackhpc-release-train/actions/workflows/package-promote.yml"
 - name: Send message to Slack via Workflow Builder
- uses: slackapi/slack-github-action@v1.26.0
+ uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
 with:
 payload: |
 {
From c230f30a6432819f02c599d9e71a7317af9a3926 Mon Sep 17 00:00:00 2001
From: Alex Welsh
Date: Tue, 31 Mar 2026 09:16:30 +0100
Subject: [PATCH 11/17] Remove ConorMacBride/install-package action
Actions have been compromised a lot recently. All this action does is install packages, so it's not worth the risk. Just install the packages directly in the workflow.
---
 .github/workflows/stackhpc-all-in-one.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/stackhpc-all-in-one.yml b/.github/workflows/stackhpc-all-in-one.yml
index 16f89bd73a..415d7d0307 100644
--- a/.github/workflows/stackhpc-all-in-one.yml
+++ b/.github/workflows/stackhpc-all-in-one.yml
@@ -77,10 +77,10 @@ jobs:
 KAYOBE_VAULT_PASSWORD: ${{ secrets.KAYOBE_VAULT_PASSWORD }}
 KAYOBE_IMAGE: ${{ inputs.kayobe_image }}
 steps:
- - name: Install Package
- uses: ConorMacBride/install-package@main
- with:
- apt: git unzip nodejs openssh-client
+ - name: Install Package dependencies
+ run: |
+ sudo apt update &&
+ sudo apt install -y git unzip nodejs openssh-client
 - name: Checkout config
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
From 778c7090c86e2e6546ce2ac14e4ea1abd265f010 Mon Sep 17 00:00:00 2001
From: Alex Welsh
Date: Wed, 1 Apr 2026 16:33:35 +0100
Subject: [PATCH 12/17] Update Slack action invocation for v3 spec
---
 .github/workflows/stackhpc-build-kayobe-image.yml | 1 +
 .github/workflows/stackhpc-ci-cleanup.yml | 1 +
 .github/workflows/stackhpc-promote.yml | 1 +
 3 files changed, 3 insertions(+)
diff --git a/.github/workflows/stackhpc-build-kayobe-image.yml b/.github/workflows/stackhpc-build-kayobe-image.yml
index 0f81ce8144..c290c125fe 100644
--- a/.github/workflows/stackhpc-build-kayobe-image.yml
+++ b/.github/workflows/stackhpc-build-kayobe-image.yml
@@ -102,6 +102,7 @@ jobs:
 - name: Send message to Slack via Workflow Builder
 uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
 with:
+ webhook-type: "incoming-webhook"
 payload: |
 {
 "channel-id": "${{ env.SLACK_CHANNEL_ID }}",
diff --git a/.github/workflows/stackhpc-ci-cleanup.yml b/.github/workflows/stackhpc-ci-cleanup.yml
index 4c57365a98..6c431d7fa6 100644
--- a/.github/workflows/stackhpc-ci-cleanup.yml
+++ b/.github/workflows/stackhpc-ci-cleanup.yml
@@ -79,6 +79,7 @@ jobs:
 - name: Send message to Slack via Workflow Builder
 uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
 with:
+ webhook-type: "incoming-webhook"
 payload: |
 {
 "channel-id": "${{ env.SLACK_CHANNEL_ID }}",
diff --git a/.github/workflows/stackhpc-promote.yml b/.github/workflows/stackhpc-promote.yml
index 1df48b453e..998173e7fc 100644
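Review bot: The new `run:` block in the `Install Package dependencies` step calls `apt`, which prints a warning that it has no stable CLI interface when used non-interactively; the scripted form is `sudo apt-get update && sudo apt-get install -y git unzip nodejs openssh-client`. The line-ending `&&` continuation is valid shell but reads like two independent commands; putting the chain on one line, or relying on the job's default `bash -e` shell and writing the two commands on separate lines, makes the failure semantics obvious. The overcloud-host-image-upload.yml hunk earlier in this series still uses `sudo apt update` / `sudo apt install -y`, so whichever spelling is chosen should be applied consistently across the workflows.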
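Review bot: `webhook-type: "incoming-webhook"` may not match the webhook these steps post to: the step is named `Send message to Slack via Workflow Builder` and the payload begins with a custom `"channel-id"` variable, which is the Workflow Builder trigger style, and for that the v3 action expects `webhook-type: webhook-trigger`, whereas `incoming-webhook` targets an Incoming Webhook that understands only `text`/`blocks`-style payloads. If the configured webhook URL is a Workflow Builder trigger, change the line to `webhook-type: webhook-trigger` here and in the stackhpc-ci-cleanup.yml and stackhpc-promote.yml hunks; if it really is an Incoming Webhook, the `channel-id` key would not be used and the step name is misleading. The `with:`/`payload:` block continues past the end of each hunk, so the rest of the payload could not be checked.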
--- a/.github/workflows/stackhpc-promote.yml
+++ b/.github/workflows/stackhpc-promote.yml
@@ -31,6 +31,7 @@ jobs:
 - name: Send message to Slack via Workflow Builder
 uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
 with:
+ webhook-type: "incoming-webhook"
 payload: |
 {
 "channel-id": "${{ env.SLACK_CHANNEL_ID }}",
From ee3a4e517759f581628d280c059a8ee3c717ef26 Mon Sep 17 00:00:00 2001
From: Alex Welsh
Date: Mon, 27 Apr 2026 09:18:00 +0100
Subject: [PATCH 13/17] Update actions to org-wide pins
---
 .github/workflows/stackhpc-build-kayobe-image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/stackhpc-build-kayobe-image.yml b/.github/workflows/stackhpc-build-kayobe-image.yml
index c290c125fe..ddf205c66b 100644
--- a/.github/workflows/stackhpc-build-kayobe-image.yml
+++ b/.github/workflows/stackhpc-build-kayobe-image.yml
@@ -56,7 +56,7 @@ jobs:
 submodules: true
 - name: Log in to the Container registry
- uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
From 423b5f4c710a612b9aa2f08133e7c9d77abca47f Mon Sep 17 00:00:00 2001
From: Owen Jones
Date: Mon, 13 Apr 2026 15:30:42 +0100
Subject: [PATCH 14/17] Update Pull Request workflow job permissions
Adds the `packages:write` permission to the Build Kayobe Image job in the workflow (required for `docker/build-push-action`) and ensures all other jobs don't have this permission.
---
 .github/workflows/stackhpc-pull-request.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/workflows/stackhpc-pull-request.yml b/.github/workflows/stackhpc-pull-request.yml
index 00a84f11b8..86e29fbbff 100644
--- a/.github/workflows/stackhpc-pull-request.yml
+++ b/.github/workflows/stackhpc-pull-request.yml
@@ -16,6 +16,7 @@ jobs:
 runs-on: ubuntu-22.04
 permissions:
 pull-requests: read
+ packages: none
 name: Check changed files
 if: github.repository == 'stackhpc/stackhpc-kayobe-config'
 outputs:
@@ -69,6 +70,9 @@ jobs:
 build-kayobe-image:
 name: Build Kayobe Image
+ permissions:
+ contents: read
+ packages: write # required by docker/build-push-action
 needs:
 - check-changes
 uses: ./.github/workflows/stackhpc-build-kayobe-image.yml
@@ -172,6 +176,7 @@ jobs:
 all-in-one-ubuntu-jammy-ovs:
 name: aio (Ubuntu Jammy OVS)
+ permissions: {}
 needs:
 - check-changes
 - build-kayobe-image
@@ -206,6 +211,7 @@ jobs:
 all-in-one-rocky-9-ovs:
 name: aio (Rocky 9 OVS)
+ permissions: {}
 needs:
 - check-changes
 - build-kayobe-image
@@ -223,6 +229,7 @@ jobs:
 all-in-one-rocky-9-ovn:
 name: aio (Rocky 9 OVN)
+ permissions: {}
 needs:
 - check-changes
 - build-kayobe-image
From 3f934e02e136b6e8ee9f9ef48ca8a0872251afa4 Mon Sep 17 00:00:00 2001
From: Alex Welsh
Date: Thu, 28 May 2026 11:31:15 +0100
Subject: [PATCH 15/17] Minor fixes to actions pinning
---
 .github/workflows/overcloud-host-image-promote.yml | 2 +-
 .github/workflows/overcloud-host-image-upload.yml | 2 +-
 .github/workflows/stackhpc-container-image-build.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/overcloud-host-image-promote.yml b/.github/workflows/overcloud-host-image-promote.yml
index 2d321c76eb..d372f14c64 100644
--- a/.github/workflows/overcloud-host-image-promote.yml
+++ b/.github/workflows/overcloud-host-image-promote.yml
@@ -47,7 +47,7 @@ jobs:
 working-directory: src/kayobe-config
 - name: Clone StackHPC Kayobe repository
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 repository: stackhpc/kayobe
 ref: refs/heads/stackhpc/${{ steps.openstack_release.outputs.openstack_release }}
diff --git a/.github/workflows/overcloud-host-image-upload.yml b/.github/workflows/overcloud-host-image-upload.yml
index 2f64511cb8..fc670604e3 100644
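Review bot: `packages: none` added to the `check-changes` job is redundant: once a job lists any scope (it already has `pull-requests: read`), every scope not listed is already none, so the line records intent but grants or removes nothing. The commit message says all other jobs are denied `packages`, yet only the three `aio` jobs receive `permissions: {}` here; any job in this workflow without its own `permissions:` block (the file is not shown in full, so this cannot be ruled out) still inherits the workflow or repository default token, and a workflow-level `permissions: {}` with per-job grants would make deny-by-default hold for jobs added later. The `aio` jobs appear to call the all-in-one reusable workflow, which elsewhere in this series checks out with `submodules: true` and uploads artifacts; confirm on a PR run that those steps still succeed with an empty token before relying on `permissions: {}`.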
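Review bot: The new `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd` line in overcloud-host-image-promote.yml, and the identical lines in the overcloud-host-image-upload.yml and stackhpc-container-image-build.yml hunks of this patch, omit the `# v6.0.2` tag comment that every other pin in the series carries, so a reader cannot tell which release the hash corresponds to and update tooling that reads the version from that comment (Renovate does) will not track it. Use the same form as the earlier pins, `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`, in all three places. The commit message "Minor fixes to actions pinning" would also be clearer if it said these are the `@v4` references missed by PATCH 01.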
--- a/.github/workflows/overcloud-host-image-upload.yml
+++ b/.github/workflows/overcloud-host-image-upload.yml
@@ -62,7 +62,7 @@ jobs:
 echo "openstack_release=${BRANCH}" | sed -E "s,(stable|unmaintained)/,," >> $GITHUB_OUTPUT
 - name: Clone StackHPC Kayobe repository
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 repository: stackhpc/kayobe
 ref: refs/heads/stackhpc/${{ steps.openstack_release.outputs.openstack_release }}
diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml
index 6e4ae53bd4..8ffc4d0af0 100644
--- a/.github/workflows/stackhpc-container-image-build.yml
+++ b/.github/workflows/stackhpc-container-image-build.yml
@@ -130,7 +130,7 @@ jobs:
 path: src/kayobe-config
 - name: Clone StackHPC Kayobe repository
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 repository: stackhpc/kayobe
 ref: refs/heads/stackhpc/${{ needs.generate-tag.outputs.openstack_release }}
From 8b98f998a700420cdc8a5ca8d9d4f0941d2e3402 Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Thu, 28 May 2026 10:55:09 +0100
Subject: [PATCH 16/17] Fix multiple Keystone vulnerabilities
Fixed CVE-2026-42998, CVE-2026-42999, CVE-2026-43000, CVE-2026-43001 and CVE-2026-44394 with updated Keystone images.
---
 etc/kayobe/kolla/globals.yml | 6 +++---
 .../notes/fix-keystone-multiple-cves-6166cf4143f53fd3.yaml | 5 +++++
 2 files changed, 8 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/fix-keystone-multiple-cves-6166cf4143f53fd3.yaml
diff --git a/etc/kayobe/kolla/globals.yml b/etc/kayobe/kolla/globals.yml
index 8f9c79f4c6..73828e5ab0 100644
--- a/etc/kayobe/kolla/globals.yml
+++ b/etc/kayobe/kolla/globals.yml
@@ -32,9 +32,9 @@ kayobe_image_tags:
 rocky: yoga-20240320T082414
 ubuntu: yoga-20240320T082414
 keystone:
- centos: yoga-20260401T104301
- rocky: yoga-20260401T104301
- ubuntu: yoga-20260401T104301
+ centos: yoga-20260528T064235
+ rocky: yoga-20260528T064235
+ ubuntu: yoga-20260528T064235
 magnum:
 centos: yoga-20240416T102136
 rocky: yoga-20240416T102136
diff --git a/releasenotes/notes/fix-keystone-multiple-cves-6166cf4143f53fd3.yaml b/releasenotes/notes/fix-keystone-multiple-cves-6166cf4143f53fd3.yaml
new file mode 100644
index 0000000000..0ae7675587
--- /dev/null
+++ b/releasenotes/notes/fix-keystone-multiple-cves-6166cf4143f53fd3.yaml
@@ -0,0 +1,5 @@
+---
+security:
+ - |
+ Fixes CVE-2026-42998, CVE-2026-42999, CVE-2026-43000, CVE-2026-43001
+ and CVE-2026-44394 with updated Keystone images.
From 5a7090f2a88e68562bddd714c1926c153baa3171 Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Fri, 12 Jun 2026 15:45:14 +0100
Subject: [PATCH 17/17] Use StackHPC fork for building Keystone
To ensure not to omit security fixes from commit 8b98f998a700420cdc8a5ca8d9d4f0941d2e3402
---
 etc/kayobe/kolla.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml
index 13e6a1f22c..4c196184a2 100644
--- a/etc/kayobe/kolla.yml
+++ b/etc/kayobe/kolla.yml
@@ -134,6 +134,10 @@ kolla_sources:
 type: git
 location: https://github.com/stackhpc/stackhpc-inspector-plugins.git
 reference: 1.3.0
+ keystone-base:
+ type: git
+ location: https://github.com/stackhpc/keystone.git
+ reference: stackhpc/{{ openstack_release }}
 magnum-base:
 type: git
 location: https://github.com/stackhpc/magnum.git
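Review bot: `reference: stackhpc/{{ openstack_release }}` in the new `keystone-base` entry tracks a branch, unlike `reference: 1.3.0` for the inspector plugins directly above it, so the Keystone source that goes into a rebuilt image depends on the fork's branch head at build time and cannot be reproduced from this file alone. That is presumably intended so the branch can take further backports, but the reason the fork exists at all lives only in the commit message, and nothing in kolla.yml links the source override to the image tags bumped in PATCH 16. Add a comment above the entry, e.g. `# Build Keystone from the StackHPC fork so the security fixes shipped in the yoga-20260528T064235 images are not lost on rebuild; see commit 8b98f998a700420cdc8a5ca8d9d4f0941d2e3402.`, and consider recording the fork commit actually built alongside the image tag in the release note when images are next promoted.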