CVE patch #8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CVE patch | |
| on: | |
| workflow_dispatch: {} | |
| permissions: | |
| packages: write | |
| env: | |
| IMAGES_TEST: | | |
| cr.fluentbit.io/fluent/fluent-bit:2.1.4 | |
| docker.io/alpine/curl:8.5.0 | |
| # docker.io/aquasec/kube-bench:v0.6.10 | |
| # docker.io/bitnami/external-dns:0.14.0-debian-11-r8 | |
| # docker.io/bitnami/kubectl:1.24.1 | |
| # docker.io/bitnami/kubectl:1.26.4 | |
| # docker.io/bitnami/kubectl:1.27.9 | |
| # docker.io/bitnami/memcached:1.6.19-debian-11-r7 | |
| # docker.io/bitnami/postgres-exporter:0.12.0-debian-11-r77 | |
| # docker.io/bitnami/postgresql:11.22.0-debian-11-r4 | |
| # docker.io/bitnami/postgresql:15.2.0-debian-11-r21 | |
| # docker.io/bitnami/thanos:0.33.0-debian-11-r1 | |
| # docker.io/curlimages/curl:7.83.1 | |
| # docker.io/fluent/fluent-bit:2.1.4 | |
| # docker.io/grafana/grafana:8.5.26 | |
| # docker.io/grafana/grafana:9.4.7 | |
| # docker.io/grafana/grafana:9.5.13 | |
| # docker.io/grafana/loki:2.9.1 | |
| # docker.io/istio/install-cni:1.20.2 | |
| # docker.io/istio/operator:1.20.2 | |
| # docker.io/istio/pilot:1.20.2 | |
| # docker.io/istio/proxyv2:1.20.2 | |
| # docker.io/jaegertracing/all-in-one:1.52.0 | |
| # docker.io/jaegertracing/jaeger-operator:1.52.0 | |
| # docker.io/jimmidyson/configmap-reload:v0.7.1 | |
| # docker.io/jpillora/chisel:1.9.1 | |
| # docker.io/kiwigrid/k8s-sidecar:1.25.3 | |
| # docker.io/kubernetesui/dashboard:v2.7.0 | |
| # docker.io/kubernetesui/metrics-scraper:v1.0.9 | |
| # docker.io/library/busybox:1 | |
| # docker.io/library/traefik:v2.10.6 | |
| # docker.io/mesosphere/capimate:v0.0.0-dev.0 | |
| # docker.io/mesosphere/cluster-observer:1.2.0 | |
| # docker.io/mesosphere/dex-controller:v0.14.0 | |
| # docker.io/mesosphere/dex-k8s-authenticator:v1.3.2-d2iq | |
| # docker.io/mesosphere/dex:v2.37.0-d2iq.2 | |
| # docker.io/mesosphere/dkp-diagnostics-node-collector:v0.9.6 | |
| # docker.io/mesosphere/ghostunnel:v1.7.1-server-backend-proxy.1 | |
| # docker.io/mesosphere/grafana-plugins:v0.0.1 | |
| # docker.io/mesosphere/insights-management:v1.0.1 | |
| # docker.io/mesosphere/insights:v1.0.1 | |
| # docker.io/mesosphere/karma:v0.88-d2iq-server-name.2 | |
| # docker.io/mesosphere/kommander2-appmanagement-config-api:v2.8.0-dev-SNAPSHOT-0279d6286 | |
| # docker.io/mesosphere/kommander2-appmanagement-webhook:v2.8.0-dev | |
| # docker.io/mesosphere/kommander2-appmanagement-webhook:v2.8.0-dev-SNAPSHOT-0279d6286 | |
| # docker.io/mesosphere/kommander2-appmanagement:v2.8.0-dev | |
| # docker.io/mesosphere/kommander2-appmanagement:v2.8.0-dev-SNAPSHOT-0279d6286 | |
| # docker.io/mesosphere/kommander2-core-installer:v2.8.0-dev | |
| # docker.io/mesosphere/kommander2-core-installer:v2.8.0-dev-SNAPSHOT-0279d6286 | |
| # docker.io/mesosphere/kommander2-federation-authorizedlister:v2.8.0-dev | |
| # docker.io/mesosphere/kommander2-federation-authorizedlister:v2.8.0-dev-SNAPSHOT-0279d6286 | |
| # docker.io/mesosphere/kommander2-federation-controller-manager:v2.8.0-dev | |
| # docker.io/mesosphere/kommander2-federation-controller-manager:v2.8.0-dev-SNAPSHOT-0279d6286 | |
| # docker.io/mesosphere/kommander2-federation-webhook:v2.8.0-dev | |
| # docker.io/mesosphere/kommander2-federation-webhook:v2.8.0-dev-SNAPSHOT-0279d6286 | |
| # docker.io/mesosphere/kommander2-flux-operator:v2.8.0-dev | |
| # docker.io/mesosphere/kommander2-flux-operator:v2.8.0-dev-SNAPSHOT-0279d6286 | |
| # docker.io/mesosphere/kommander2-kubetools:v2.8.0-dev | |
| # docker.io/mesosphere/kommander2-kubetools:v2.8.0-dev-SNAPSHOT-0279d6286 | |
| # docker.io/mesosphere/kommander2-licensing-controller-manager:v2.8.0-dev | |
| # docker.io/mesosphere/kommander2-licensing-controller-manager:v2.8.0-dev-SNAPSHOT-0279d6286 | |
| # docker.io/mesosphere/kommander2-licensing-webhook:v2.8.0-dev | |
| # docker.io/mesosphere/kommander2-licensing-webhook:v2.8.0-dev-SNAPSHOT-0279d6286 | |
| # docker.io/mesosphere/kommander:11.1.4 | |
| # docker.io/mesosphere/kubeaddons-addon-initializer:v0.7.0 | |
| # docker.io/mesosphere/kubetunnel-controller:v0.0.31 | |
| # docker.io/mesosphere/kubetunnel-kubeconfig-webhook:v0.0.31 | |
| # docker.io/mesosphere/kubetunnel-reverse-proxy:v0.0.31 | |
| # docker.io/mesosphere/kubetunnel-webhook:v0.0.31 | |
| # docker.io/mesosphere/pause-busybox:3.6 | |
| # docker.io/mesosphere/traefik-forward-auth:3.1.0 | |
| # docker.io/mesosphere/trivy-bundles:0.45.1-20231019T024033Z | |
| # docker.io/nginxinc/nginx-unprivileged:1.24.0-alpine | |
| # docker.io/openpolicyagent/gatekeeper-crds:v3.14.0 | |
| # docker.io/openpolicyagent/gatekeeper:v3.14.0 | |
| # docker.io/rook/ceph:v1.13.2 | |
| # docker.io/semitechnologies/weaviate:1.21.4 | |
| # docker.io/thanosio/thanos:v0.15.0 | |
| # docker.io/thanosio/thanos:v0.29.0 | |
| # docker.io/velero/velero-plugin-for-aws:v1.7.0 | |
| # docker.io/velero/velero:v1.12.3 | |
| # gcr.io/google_containers/kubernetes-dashboard-init-amd64:v1.0.0 | |
| # gcr.io/google_containers/pause:3.2 | |
| # gcr.io/knative-releases/knative.dev/net-istio/cmd/controller:v1.10.0 | |
| # gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook:v1.10.0 | |
| # gcr.io/knative-releases/knative.dev/serving/cmd/activator:v1.10.0 | |
| # gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler-hpa:v1.10.0 | |
| # gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler:v1.10.0 | |
| # gcr.io/knative-releases/knative.dev/serving/cmd/domain-mapping-webhook:v1.10.0 | |
| # gcr.io/knative-releases/knative.dev/serving/cmd/domain-mapping:v1.10.0 | |
| # gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 | |
| # gcr.io/kubecost1/cost-model:prod-1.106.5 | |
| # gcr.io/kubecost1/frontend:prod-1.106.5 | |
| # ghcr.io/fluxcd/helm-controller:v0.36.2 | |
| # ghcr.io/fluxcd/kustomize-controller:v1.1.1 | |
| # ghcr.io/fluxcd/notification-controller:v1.1.0 | |
| # ghcr.io/fluxcd/source-controller:v1.1.2 | |
| # ghcr.io/helm/chartmuseum:v0.16.1 | |
| # ghcr.io/kube-logging/config-reloader:v0.0.5 | |
| # ghcr.io/kube-logging/fluentd:v1.16-full-build.122 | |
| # ghcr.io/kube-logging/logging-operator:4.2.2 | |
| # ghcr.io/kube-logging/node-exporter:v0.6.1 | |
| # ghcr.io/mesosphere/gitea:1.19.2-d2iq-rootless | |
| # ghcr.io/mesosphere/kubefed:v0.10.4 | |
| # ghcr.io/stakater/reloader:v1.0.65 | |
| # nvcr.io/nvidia/cloud-native/dcgm:3.1.8-1-ubuntu20.04 | |
| # nvcr.io/nvidia/cloud-native/gpu-operator-validator:v23.6.1 | |
| # nvcr.io/nvidia/gpu-feature-discovery:v0.8.1-ubi8 | |
| # nvcr.io/nvidia/gpu-operator:v23.6.1 | |
| # nvcr.io/nvidia/k8s-device-plugin:v0.14.1-ubi8 | |
| # nvcr.io/nvidia/k8s/container-toolkit:v1.13.1-centos7 | |
| # nvcr.io/nvidia/k8s/container-toolkit:v1.13.1-ubi8 | |
| # nvcr.io/nvidia/k8s/container-toolkit:v1.13.1-ubuntu20.04 | |
| # nvcr.io/nvidia/k8s/cuda-sample:vectoradd-cuda10.2 | |
| # nvcr.io/nvidia/k8s/dcgm-exporter:3.1.8-3.1.5-ubuntu20.04 | |
| # quay.io/brancz/kube-rbac-proxy:v0.14.2 | |
| # quay.io/ceph/ceph:v18.2.1 | |
| # quay.io/fairwinds/nova:3.4.0 | |
| # quay.io/fairwinds/pluto:v5.10.6 | |
| # quay.io/fairwinds/polaris:5.1 | |
| # quay.io/jetstack/cert-manager-cainjector:v1.13.1 | |
| # quay.io/jetstack/cert-manager-controller:v1.13.1 | |
| # quay.io/jetstack/cert-manager-ctl:v1.13.1 | |
| # quay.io/jetstack/cert-manager-webhook:v1.13.1 | |
| # quay.io/jetstack/kube-oidc-proxy:v0.3.0 | |
| # quay.io/kiali/kiali-operator:v1.79.0 | |
| # quay.io/kiali/kiali:v1.79.0 | |
| # quay.io/kiwigrid/k8s-sidecar:1.25.1 | |
| # quay.io/kubernetes-multicluster/kubefed:v0.9.1 | |
| # quay.io/kubernetes_incubator/nfs-provisioner:v2.3.0 | |
| # quay.io/prometheus-operator/prometheus-config-reloader:v0.66.0 | |
| # quay.io/prometheus-operator/prometheus-operator:v0.66.0 | |
| # quay.io/prometheus/alertmanager:v0.21.0 | |
| # quay.io/prometheus/alertmanager:v0.25.0 | |
| # quay.io/prometheus/node-exporter:v1.6.0 | |
| # quay.io/prometheus/prometheus:v2.35.0 | |
| # quay.io/prometheus/prometheus:v2.45.0 | |
| # quay.io/thanos/thanos:v0.31.0 | |
| # registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20221220-controller-v1.5.1-58-g787ea74b6 | |
| # registry.k8s.io/kube-state-metrics/kube-state-metrics:v1.9.8 | |
| # registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.9.2 | |
| # registry.k8s.io/prometheus-adapter/prometheus-adapter:v0.11.2 | |
| jobs: | |
| patch_images: | |
| runs-on: | |
| - self-hosted | |
| - large | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # - name: Login to Docker Hub | |
| # uses: docker/login-action@v3 | |
| # with: | |
| # username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| # password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
| - name: Save images | |
| id: save-images | |
| run: | | |
| { | |
| echo 'images<<EOF' | |
| echo "$IMAGES_TEST" | |
| echo 'EOF' | |
| } >> "$GITHUB_OUTPUT" | |
| - name: Patch images | |
| id: patch-images | |
| uses: ./.github/actions/copacetic-action | |
| with: | |
| images: ${{ steps.save-images.outputs.images }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| debug: true | |
| timeout: 2h | |