From 2c64f1b25b927fa66afcd72feaf7ad09def39ba7 Mon Sep 17 00:00:00 2001 From: Nitish Bhat Date: Wed, 1 Jul 2026 17:21:45 +0000 Subject: [PATCH 1/3] security(e2e): bump nodeapp base off EOL alpine:3.7 (KUBE-33) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The e2e nodeapp test image was built on alpine:3.7, EOL since Nov 2019 and carrying years of unpatched musl/OpenSSL/busybox CVEs. Pin to a current, digest-locked alpine:3.22 instead. Also scope the docker build context to only the files the Dockerfile copies, and anchor the .gitignore rules for the ephemeral SSH key and built binary to tests/e2e/nodeapp/ — the bare "nodeapp" pattern was matching the whole directory and silently ignoring new files in it. nodeapp is test-only tooling (built by the e2e/dcm_e2e make targets, pushed to a throwaway registry via E2E_NODEAPP_IMG); it is not shipped in any release, helm chart, or product image, and the SSH keypair is regenerated per build rather than committed. --- .gitignore | 6 +++--- tests/e2e/nodeapp/.dockerignore | 10 ++++++++++ tests/e2e/nodeapp/Dockerfile | 2 +- 3 files changed, 14 insertions(+), 4 deletions(-) create mode 100644 tests/e2e/nodeapp/.dockerignore diff --git a/.gitignore b/.gitignore index 8d7f51911..1c27b74c5 100644 --- a/.gitignore +++ b/.gitignore @@ -5,9 +5,9 @@ /helm-charts-k8s/charts/*.tgz *.out -# node app for e2e test -id_rsa* -nodeapp +# node app for e2e test (ephemeral build artifacts, not the source dir) +/tests/e2e/nodeapp/id_rsa* +/tests/e2e/nodeapp/nodeapp # Sphinx documentation _build/ diff --git a/tests/e2e/nodeapp/.dockerignore b/tests/e2e/nodeapp/.dockerignore new file mode 100644 index 000000000..2909d9754 --- /dev/null +++ b/tests/e2e/nodeapp/.dockerignore 
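Review bot: Anchoring `id_rsa*` to `/tests/e2e/nodeapp/` in the .gitignore hunk removes the repo-wide guard against committing a private key. Only the bare `nodeapp` pattern had the directory-matching problem the description mentions. After this change an `id_rsa` generated in any other directory shows up as an untracked file and can be staged by `git add -A`. Consider keeping `id_rsa*` unanchored and anchoring only the binary, i.e. `id_rsa*` followed by `/tests/e2e/nodeapp/nodeapp`.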
@@ -0,0 +1,10 @@ +# Keep the build context minimal — only the runtime artifacts referenced by +# COPY in the Dockerfile are needed. The ephemeral, per-build SSH keypair +# (id_rsa/id_rsa.pub, regenerated by `make docker-build`) is intentionally +# copied in and must NOT be excluded here. +* +!nodeapp +!id_rsa +!id_rsa.pub +!docker-entrypoint.sh +!docker-exitpoint.sh diff --git a/tests/e2e/nodeapp/Dockerfile b/tests/e2e/nodeapp/Dockerfile index 2eb39b356..0bafbfc9e 100644 --- a/tests/e2e/nodeapp/Dockerfile +++ b/tests/e2e/nodeapp/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.7 +FROM alpine:3.22@sha256:14358309a308569c32bdc37e2e0e9694be33a9d99e68afb0f5ff33cc1f695dce RUN apk update && apk add openssh-client bash From 33af275ceb31010424d8b6bf2d01cd3f532e6140 Mon Sep 17 00:00:00 2001 From: Nitish Bhat Date: Wed, 1 Jul 2026 17:43:19 +0000 Subject: [PATCH 2/3] security(ci): pin rocm-docs-core reusable workflow and scope token (KUBE-27, KUBE-30) linting.yml called ROCm/rocm-docs-core's reusable workflow at the mutable @develop branch with no permissions block, so the inherited GITHUB_TOKEN defaulted to the repo/org read-write ceiling. A push to that upstream branch could run arbitrary steps with write access to this repo. - Pin the reusable workflow to the v1.35.0 commit SHA (immutable ref). - Add top-level permissions: contents: read. Verified the reusable workflow only checks out and runs markdownlint/spellcheck, so read is sufficient. - Add the github-actions ecosystem to dependabot.yml so the pinned SHA is kept current via automated PRs. --- .github/dependabot.yml | 4 ++++ .github/workflows/linting.yml | 5 ++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 69f6d30dd..93585c20b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
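Review bot: The header comment of the new .dockerignore records that `id_rsa` is deliberately kept in the build context, but not the consequence: the private key ends up in an image layer, so anyone who can pull the image can read it. The commit description says the image is pushed only to a throwaway registry via E2E_NODEAPP_IMG, and that constraint belongs next to the `!id_rsa` rule. A possible wording is `# id_rsa is baked into an image layer: push this image only to the throwaway e2e registry.` What the key grants access to is not visible in this patch, so the impact is worth confirming.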
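Review bot: With both a tag and a digest on the new `FROM` line in tests/e2e/nodeapp/Dockerfile, the image is resolved by digest alone, so this base no longer picks up rebuilt 3.22 images and stays frozen until someone edits the line. The dependabot.yml change in patch 2/3 adds only the `github-actions` ecosystem, and whether an existing `docker` entry covers `/tests/e2e/nodeapp` is not visible here. If none does, add a `package-ecosystem: "docker"` entry with `directory: "/tests/e2e/nodeapp"` so the digest is bumped by automated PRs rather than ageing in place. The context line `RUN apk update && apk add openssh-client bash` still installs unpinned packages, so the build is not fully reproducible either way.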
@@ -11,3 +11,7 @@ updates: schedule: interval: "daily" versioning-strategy: increase + - package-ecosystem: "github-actions" + directory: "/" # Scans .github/workflows for action/reusable-workflow refs + schedule: + interval: "weekly" diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml index 7f40d4f93..7232c32bb 100644 --- a/.github/workflows/linting.yml +++ b/.github/workflows/linting.yml @@ -9,7 +9,10 @@ on: - main workflow_dispatch: +permissions: + contents: read + jobs: call-workflow-passing-data: name: Documentation - uses: ROCm/rocm-docs-core/.github/workflows/linting.yml@develop + uses: ROCm/rocm-docs-core/.github/workflows/linting.yml@b623885e7e4fe2f87bd2898d8ea0e2c4ded2eca1 # v1.35.0 From 1a959f520b3e195fb8b1e1924f720959ea77617f Mon Sep 17 00:00:00 2001 From: Nitish Bhat Date: Wed, 1 Jul 2026 18:03:36 +0000 Subject: [PATCH 3/3] security(build): pin and checksum-verify helm in Dockerfile.build (KUBE-31) Dockerfile.build installed helm by piping the get-helm-3 script fetched from the tip of helm's main branch, with no integrity verification. A tampered script (mutable branch, CDN/MITM) would execute in the build environment. Replace it with a pinned, digest-verified tarball install: fetch a specific helm version from get.helm.sh and check it against the official sha256 before extracting. Version and checksum are Makefile args (HELM_VERSION/HELM_SHA256) forwarded to docker-build-env, matching the existing base-image build-arg pattern; bump both together on upgrade. Pinned to v3.19.0 (latest helm 3) to preserve current behavior; helm 4 is a separate major-version decision. --- Dockerfile.build | 9 ++++++--- Makefile | 6 ++++++ 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/Dockerfile.build b/Dockerfile.build index 7d3b5bb96..8cf306fcf 100644 --- a/Dockerfile.build +++ b/Dockerfile.build 
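Review bot: The SHA pin on the `uses:` line in linting.yml fixes the content of the called workflow file, but not the actions that file references; if upstream refers to them by tag or branch they are still resolved at run time. The `permissions: contents: read` block added above caps what such a step could do with the token, which is the control that matters here. A short comment on the job would keep that reasoning visible, e.g. `# SHA pins the workflow file only; actions it calls are resolved upstream, token is capped by permissions above`. The trailing `# v1.35.0` cannot be checked against the SHA from this patch, so it is worth confirming the two match.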
@@ -54,9 +54,12 @@ RUN wget https://go.dev/dl/go1.26.4.linux-amd64.tar.gz && \ ENV PATH="/usr/local/go/bin:${PATH}" -RUN curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && \ - chmod 700 get_helm.sh && \ - ./get_helm.sh && rm get_helm.sh +ARG HELM_VERSION=v3.19.0 +ARG HELM_SHA256=a7f81ce08007091b86d8bd696eb4d86b8d0f2e1b9f6c714be62f82f96a594496 +RUN curl -fsSL -o helm.tar.gz "https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz" && \ + echo "${HELM_SHA256} helm.tar.gz" | sha256sum -c - && \ + tar -xzf helm.tar.gz --strip-components=1 -C /usr/local/bin linux-amd64/helm && \ + rm helm.tar.gz RUN curl -sSL https://github.com/arttor/helmify/releases/download/v0.4.13/helmify_Linux_x86_64.tar.gz \ -o helmify_Linux_x86_64.tar.gz && \ diff --git a/Makefile b/Makefile index 762ef0701..9cb55fa9f 100644 --- a/Makefile +++ b/Makefile @@ -132,6 +132,10 @@ DOCKER_CACHE_FROM ?= DOCKER_CACHE_TO ?= GOLANG_BASE_IMG ?= golang:1.26.4 OPERATOR_CONTROLLER_BASE_IMAGE ?= registry.access.redhat.com/ubi9/ubi-minimal:9.7 +# Helm binary installed into the build-shell image (Dockerfile.build). Pin the +# version and its published sha256 together; bump both when upgrading. +HELM_VERSION ?= v3.19.0 +HELM_SHA256 ?= a7f81ce08007091b86d8bd696eb4d86b8d0f2e1b9f6c714be62f82f96a594496 ################## # Documentation website build variables @@ -376,6 +380,8 @@ docker-build-env: ## Build the docker shell container. -t $(DOCKER_BUILDER_IMAGE) \ --build-arg BUILD_BASE_IMG=$(BUILD_BASE_IMG) \ --build-arg INSECURE_REGISTRY=$(INSECURE_REGISTRY) \ + --build-arg HELM_VERSION=$(HELM_VERSION) \ + --build-arg HELM_SHA256=$(HELM_SHA256) \ $(if $(DOCKER_CACHE_FROM),--cache-from=$(DOCKER_CACHE_FROM)) \ $(if $(DOCKER_CACHE_TO),--cache-to=$(DOCKER_CACHE_TO)) \ --load \
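Review bot: The helmify download directly below the new helm step in Dockerfile.build (context line `RUN curl -sSL https://github.com/arttor/helmify/releases/...`) still has no `-f` and, as far as this hunk shows, no checksum check. The hunk ends before the rest of that RUN, so this needs confirming. The Go tarball fetched with `wget` in the hunk-header context looks the same. Applying the pattern introduced here would close the gap: an `ARG HELMIFY_SHA256=<published sha256>` followed by `echo "${HELMIFY_SHA256}  helmify_Linux_x86_64.tar.gz" | sha256sum -c -` before extracting.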
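Review bot: `HELM_VERSION` and `HELM_SHA256` now have defaults in two places, in the first Makefile hunk and as `ARG` defaults in Dockerfile.build, while the new comment says only that version and checksum must move together. Because `docker-build-env` always passes both as `--build-arg`, the Dockerfile defaults are used only for a direct `docker build` and can go stale without any failure in the make path. Extend the comment with something like `# Dockerfile.build repeats these as ARG defaults; update both files.` The recipe of `docker-build-env` starts and ends outside the second hunk.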