From d6643916f9a3356e86808e37d909abd0e88e8632 Mon Sep 17 00:00:00 2001
From: David Collom
Date: Tue, 11 Nov 2025 10:37:26 +0000
Subject: [PATCH 1/2] Resolve CodeQL Incomplete RegEx
---
 pkg/client/docker/path.go | 2 +-
 pkg/client/gcr/path.go | 2 +-
 pkg/client/quay/path.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkg/client/docker/path.go b/pkg/client/docker/path.go
index 636b150e..bb453df4 100644
--- a/pkg/client/docker/path.go
+++ b/pkg/client/docker/path.go
@@ -6,7 +6,7 @@ import (
 )
 var (
- dockerReg = regexp.MustCompile(`(^(.*\.)?docker.com$)|(^(.*\.)?docker.io$)`)
+ dockerReg = regexp.MustCompile(`(^(.*\.)?docker\.com$)|(^(.*\.)?docker\.io$)`)
 )
 func (c *Client) IsHost(host string) bool {
diff --git a/pkg/client/gcr/path.go b/pkg/client/gcr/path.go
index 69b678ea..f24ce724 100644
--- a/pkg/client/gcr/path.go
+++ b/pkg/client/gcr/path.go
@@ -6,7 +6,7 @@ import (
 )
 var (
- reg = regexp.MustCompile(`(^(.*\.)?gcr.io$|^(.*\.)?k8s.io$|^(.+)-docker.pkg.dev$)`)
+ reg = regexp.MustCompile(`(^(.*\.)?gcr\.io$|^(.*\.)?k8s\.io$|^(.+)-docker\.pkg\.dev$)`)
 )
 func (c *Client) IsHost(host string) bool {
diff --git a/pkg/client/quay/path.go b/pkg/client/quay/path.go
index 0510a292..db431038 100644
--- a/pkg/client/quay/path.go
+++ b/pkg/client/quay/path.go
@@ -6,7 +6,7 @@ import (
 )
 var (
- reg = regexp.MustCompile(`(^(.*\.)?quay.io$)`)
+ reg = regexp.MustCompile(`(^(.*\.)?quay\.io$)`)
 )
 func (c *Client) IsHost(host string) bool {
From 19d8ae3730e118d1691ddb0676a7bc448aad937c Mon Sep 17 00:00:00 2001
From: David Collom
Date: Tue, 11 Nov 2025 10:38:28 +0000
Subject: [PATCH 2/2] Resolve CodeQL Workload Permissions
---
 .github/workflows/build-test.yaml | 15 +++++++++++----
 .github/workflows/helm-test.yaml | 8 +++++---
 .github/workflows/release.yaml | 3 +++
 3 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index 02c956d8..b28b541d 100644
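Review bot: The escaped dots remove the false positives, but nothing in the patch pins the new behaviour, and the same pattern shape recurs in the gcr and quay hunks; a small table-driven test for `IsHost` in each package would keep the fix from regressing, e.g. `{"docker.io", true}, {"index.docker.io", true}, {"dockerxio", false}, {"docker.io.example.com", false}`. `(.*\.)?` still accepts an empty leading label such as `.docker.io`; if a stricter shape is wanted, `([^.]+\.)*` is a conservative tightening that keeps every currently valid host. Hostnames are case-insensitive, so unless the caller lowercases `host` before `IsHost` (its body is outside the hunk), a `(?i)` prefix or `strings.ToLower` would avoid a miss on `Docker.io`. The `IsHost` method begins on the last line of each hunk and continues outside it.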
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
@@ -8,12 +8,15 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+# Setting some default permissions for all jobs
+permissions:
+ contents: read
+ security-events: read
+ pull-requests: read
+ checks: write
+
 jobs:
 lint:
- permissions:
- contents: read # for actions/checkout to fetch code
- pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
- checks: write # for golangci/golangci-lint-action to annotate Pull Requests
 name: Lint Go code
 runs-on: ubuntu-latest
 steps:
@@ -35,6 +38,8 @@ jobs:
 code-scan:
 name: Code Scan
 runs-on: ubuntu-latest
+ permissions:
+ security-events: write
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
@@ -58,6 +63,8 @@ jobs:
 govulncheck:
 runs-on: ubuntu-latest
 name: Run govulncheck
+ permissions:
+ security-events: write
 steps:
 # We only need to checkout as govuln does the go setup...
 - name: Checkout code
diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml
index a5f9b8c9..de176bcb 100644
--- a/.github/workflows/helm-test.yaml
+++ b/.github/workflows/helm-test.yaml
@@ -11,11 +11,13 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+ pull-requests: read
+ checks: write
+
 jobs:
 lint:
- permissions:
- contents: read # for actions/checkout to fetch code
- pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
 name: Lint Helm Chart
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ee0fc273..92be465a 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -11,6 +11,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 release-name:
 name: Generate a clean release name from the branch/tag
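Review bot: The new workflow-level default hands `checks: write` and `pull-requests: read` to every job in build-test.yaml, whereas before this hunk they were scoped to `lint` alone; `code-scan`, `govulncheck` and any job added later now inherit a write scope they do not use, and the per-scope comments explaining why each was needed are lost. The helm-test.yaml hunk widens its `checks: write` the same way. A least-privilege layout keeps the workflow default at `permissions:` / `  contents: read` and puts `pull-requests: read` / `checks: write` back as a job-level block under `lint:`, with the original comments. `security-events: read` in the default block is not needed by `lint` either, and the scanning jobs replace it with `write` in the later hunks, so it can be dropped.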
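Review bot: A job-level `permissions` block replaces the workflow-level set instead of merging with it, so with only `security-events: write` the `code-scan` job (and `govulncheck` in the next hunk) no longer holds `contents: read` for the `actions/checkout@v4` step that follows; on a private repository that checkout would likely fail, and on a public one it works only because anonymous read needs no scope. Declare the read scope explicitly in both jobs: `permissions:` / `  contents: read` / `  security-events: write`. Both job definitions continue outside their hunks, so any later step needing another scope should be checked the same way.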