From 088876e2df13ad0f94e3e635a4dc04bb4b983e9c Mon Sep 17 00:00:00 2001 From: James Fuller Date: Wed, 16 Jul 2025 22:09:48 +0200 Subject: [PATCH 01/10] prep v8.15.0 --- CHANGELOG.md | 5 +++++ Makefile | 2 +- VERSION | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 62ef249..905e3bd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## Unreleased +## [8.15.0] - 2025-16-07 +### Changed +- bump to curl 8.15.0 +- bump to alpine 3.22.1 + ## [8.14.1] - 2025-15-06 ### Changed - bump to curl 8.14.1 diff --git a/Makefile b/Makefile index a181a8f..807629c 100644 --- a/Makefile +++ b/Makefile @@ -5,7 +5,7 @@ container_ids=`buildah ls --format "{{.ContainerID}}"` # default setttings for official curl images debian_base=docker.io/debian fedora_base=docker.io/fedora -base=docker.io/alpine:3.22.0 +base=docker.io/alpine:3.22.1 arch="" compiler="gcc" build_opts=" --enable-static --disable-ldap --enable-ipv6 --enable-unix-sockets -with-ssl --with-libssh2 --with-nghttp2=/usr --with-gssapi" diff --git a/VERSION b/VERSION index 3e2c3fb..f808958 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -8.14.1 \ No newline at end of file +8.15.0 \ No newline at end of file From 5e7e4debfc1397d7cd2f530000c94f284e7f5953 Mon Sep 17 00:00:00 2001 From: James Fuller Date: Fri, 12 Sep 2025 06:43:29 +0200 Subject: [PATCH 02/10] prep v8.16.0 --- CHANGELOG.md | 3 +++ VERSION | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 905e3bd..9070dd0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## Unreleased +## [8.16.0] - 2025-12-09 +### Changed +- bump to curl 8.16.0 ## [8.15.0] - 2025-16-07 ### Changed diff --git a/VERSION b/VERSION index f808958..a8759e7 100644 --- a/VERSION +++ b/VERSION 
@@ -1 +1 @@ -8.15.0 \ No newline at end of file +8.16.0 \ No newline at end of file From c890d482ecc9fd47a953adf0f44f83ac72112b40 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Wed, 24 Sep 2025 15:18:29 +0200 Subject: [PATCH 03/10] ci: set permissions, pin actions, do not persists creds, add `SECURITY.md` (#86) --- .github/workflows/build_ci_multi.yml | 7 ++++++- .github/workflows/build_latest_release_multi.yml | 10 +++++++--- .github/workflows/build_master.yml | 9 ++++++--- .github/workflows/build_master_dev.yml | 12 ++++++++---- .github/workflows/build_master_multi.yml | 9 ++++++--- SECURITY.md | 16 ++++++++++++++++ 6 files changed, 49 insertions(+), 14 deletions(-) create mode 100644 SECURITY.md diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index c681d24..ffb3164 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -4,6 +4,9 @@ on: types: [ opened, synchronize, reopened, labeled, unlabeled ] branches: - main + +permissions: {} + env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }} @@ -30,7 +33,9 @@ jobs: podman login -u ${{secrets.QUAY_USER}} -p ${{secrets.QUAY_TOKEN}} quay.io docker login -u ${{secrets.QUAY_USER}} -p ${{secrets.QUAY_TOKEN}} quay.io - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + persist-credentials: false - run: | sudo apt-get update sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index 967a452..d7bcce3 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml @@ -3,6 +3,9 @@ on: push: tags: - '*' + +permissions: {} + env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }} 
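Review bot: The workflow-level `permissions: {}` added to build_ci_multi.yml in this hunk reduces GITHUB_TOKEN to no scopes, yet the same file keeps `REGISTRY_PASSWORD: ${{ github.token }}` as the ghcr.io credential, so any later login or push to ghcr.io that relies on it is refused for lack of `packages: write`. The same pattern is introduced in build_latest_release_multi.yml, build_master.yml, build_master_dev.yml and build_master_multi.yml, whose later hunks show the "Log in to ghcr.io" step using that token and `buildah push`/`manifest push` to `docker://ghcr.io/curl/curl-container/...`, and none of the hunks adds a job-level grant. Unless the jobs already declare a `permissions:` block outside these hunks, each job that publishes to ghcr.io needs `permissions:` / `  contents: read` / `  packages: write` at job level, keeping the workflow-level default empty. The job headers are not in the diff, so this could not be confirmed from it.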
@@ -21,11 +24,12 @@ jobs: install_latest: [ true ] steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: + persist-credentials: false tag_name: ${{ github.ref }} - name: Log in to ghcr.io - uses: redhat-actions/podman-login@v1 + uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1 with: username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} @@ -61,7 +65,7 @@ jobs: buildah manifest push --format v2s2 --all curl-base-multi:$REL "docker://ghcr.io/curl/curl-container/curl-base-multi:${REL}" name: 'push images to github registry' - name: Install Cosign - uses: sigstore/cosign-installer@main + uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3 - name: Write signing key to disk (only needed for `cosign sign --key`) run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key - name: Sign images with sigstore key diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index 85ba74c..25b68de 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml @@ -6,6 +6,8 @@ on: branches: - main +permissions: {} + env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }} @@ -24,11 +26,12 @@ jobs: install_latest: [ true ] steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: + persist-credentials: false ref: "main" - name: Log in to ghcr.io - uses: redhat-actions/podman-login@v1 + uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1 with: username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} 
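Review bot: In the checkout `with:` block that this hunk extends with `persist-credentials: false` (build_latest_release_multi.yml), the remaining `tag_name: ${{ github.ref }}` is not an input that actions/checkout declares, so it is ignored and the runner reports an unexpected input; the step checks out the triggering ref regardless. If the tag checkout is meant to be explicit, the input is `ref: ${{ github.ref }}`; otherwise the line can be dropped. Since the commit already rewrites this block, fixing it here avoids carrying the warning into the pinned version.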
@@ -57,7 +60,7 @@ jobs: buildah push curl:master "docker://ghcr.io/curl/curl-container/curl:master" name: 'push images to github registry' - name: Install Cosign - uses: sigstore/cosign-installer@main + uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3 - name: Write signing key to disk (only needed for `cosign sign --key`) run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key - name: Sign image with a key diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index 8f16aa0..c4b51c9 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml @@ -6,6 +6,9 @@ on: push: branches: - main + +permissions: {} + env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }} @@ -24,11 +27,12 @@ jobs: install_latest: [ true ] steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: + persist-credentials: false ref: "main" - name: Log in to ghcr.io - uses: redhat-actions/podman-login@v1 + uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1 with: username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} @@ -53,7 +57,7 @@ jobs: buildah push curl-dev-debian:master "docker://ghcr.io/curl/curl-container/curl-dev-debian:master" name: 'push images to github registry' - name: Install Cosign - uses: sigstore/cosign-installer@main + uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3 - name: Write signing key to disk (only needed for `cosign sign --key`) run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key - name: Sign image with a key 
@@ -74,7 +78,7 @@ jobs: buildah push curl-dev-fedora:master "docker://ghcr.io/curl/curl-container/curl-dev-fedora:master" name: 'push images to github registry' - name: Install Cosign - uses: sigstore/cosign-installer@main + uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3 - name: Write signing key to disk (only needed for `cosign sign --key`) run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key - name: Sign image with a key diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index a8415b0..73fe470 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml @@ -6,6 +6,8 @@ on: branches: - main +permissions: {} + env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }} @@ -24,11 +26,12 @@ jobs: install_latest: [ true ] steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: + persist-credentials: false ref: "main" - name: Log in to ghcr.io - uses: redhat-actions/podman-login@v1 + uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1 with: username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} @@ -56,7 +59,7 @@ jobs: buildah manifest push --all --format v2s2 localhost/curl-multi:master "docker://ghcr.io/curl/curl-container/curl-multi:master" name: 'push multi images to github registry' - name: Install Cosign - uses: sigstore/cosign-installer@main + uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3 - name: Write signing key to disk (only needed for `cosign sign --key`) run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key - name: Sign image with a key diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..227dfa2 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,16 @@
+
+# Security Policy
+
+See curl's
+[SECURITY-PROCESS.md](https://github.com/curl/curl/blob/master/docs/SECURITY-PROCESS.md)
+for full details.
+
+## Reporting a Vulnerability
+
+If you have found or just suspect a security problem somewhere in curl,
+report it on [https://hackerone.com/curl](https://hackerone.com/curl).
+
+We treat security issues with confidentiality until controlled and disclosed responsibly.
From 122097937833f74b4f9331e74beae63d56941be4 Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Wed, 24 Sep 2025 15:19:26 +0200
Subject: [PATCH 04/10] ci: enable dependabot (#87)
On a monthly schedule. Ref: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#schedule-
---
 .github/dependabot.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..f9b368c
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,9 @@
+# Copyright (C) Viktor Szakats. See LICENSE.md
+# SPDX-License-Identifier: MIT
+
+version: 2
+updates:
+ - package-ecosystem: 'github-actions'
+ directory: '/'
+ schedule:
+ interval: 'monthly'
From 082ca7567aed4e507be9c4e45f798edaf27c686e Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Wed, 24 Sep 2025 15:27:24 +0200
Subject: [PATCH 05/10] ci: add CodeQL for GHA and Python (#88)
---
 .github/workflows/codeql.yml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..ad5f802
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,36 @@
+name: 'CodeQL'
+ 'on':
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+ schedule:
+ - cron: '0 0 * * 4'
+ concurrency:
+ group: ${{ github.workflow }}
+ permissions: {}
+ jobs:
+ gha_python:
+ name: 'GHA and Python'
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # To create/update security events
+ steps:
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ with:
+ persist-credentials: false
+
+ - name: 'initialize'
+ uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3
+ with:
+ languages: actions, python
+ queries: security-extended
+
+ - name: 'perform analysis'
+ uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3
From 7d4a91d0b149b809301eedda33a77794760108c7 Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Tue, 30 Sep 2025 23:40:41 +0200
Subject: [PATCH 06/10] CHANGELOG.md: use YYYY-MM-DD date format (#90)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Also update release notes at: https://github.com/curl/curl-container/releases Reported-by: Mikkel Hesselager Blanné Fixes #84
---
 CHANGELOG.md | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9070dd0..594c303 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
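Review bot: The `gha_python` job grants only `security-events: write`, which together with the workflow-level `permissions: {}` leaves GITHUB_TOKEN without the `contents` scope; that works while the repository is public, but it is below the minimum the CodeQL action documents (`contents: read`, and on private or internal repositories also `actions: read`). Adding `contents: read` under the job's `permissions:` states the checkout's requirement explicitly and keeps the job working if visibility ever changes. The existing `security-events: write` line carries a reason comment; the new line would follow the same style, e.g. `contents: read # checkout`.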
@@ -6,38 +6,38 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## Unreleased -## [8.16.0] - 2025-12-09 +## [8.16.0] - 2025-09-12 ### Changed - bump to curl 8.16.0 -## [8.15.0] - 2025-16-07 +## [8.15.0] - 2025-07-16 ### Changed - bump to curl 8.15.0 - bump to alpine 3.22.1 -## [8.14.1] - 2025-15-06 +## [8.14.1] - 2025-06-15 ### Changed -- bump to curl 8.14.1 +- bump to curl 8.14.1 - bump to alpine 3.22.0 -- -## [8.13.0] - 2025-05-04 + +## [8.13.0] - 2025-04-05 ### Changed -- bump to curl 8.13.0 -- bump to alpine:3.21.3 +- bump to curl 8.13.0 +- bump to alpine 3.21.3 -## [8.12.1] - 2025-13-02 +## [8.12.1] - 2025-02-13 ### Changed - bump to curl 8.12.1 -## [8.12.0] - 2025-05-02 +## [8.12.0] - 2025-02-05 ### Changed - bump to curl 8.12.0 -- bump to alpine:3.21.2 +- bump to alpine 3.21.2 ## [8.11.1] - 2024-12-11 ### Changed - bump to curl 8.11.1 -- bump to alpine:3.21.0 +- bump to alpine 3.21.0 ## [8.11.0] - 2024-11-06 ### Changed @@ -50,7 +50,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [8.10.0] - 2024-09-11 ### Changed - bump to curl 8.10.0 -- bump to alpine:3.20.3 +- bump to alpine 3.20.3 ## [8.9.1] - 2024-07-30 ### Changed @@ -74,7 +74,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - bump to curl 8.6.0 - bump to alpine 3.19.1 - ## [8.5.0-1] - 2023-01-19 ### Changed - add libpsl @@ -96,7 +95,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - bump to curl 8.3.0 - bump to alpine 3.18.3 - ## [8.2.1] - 2023-07-26 ### Changed - bump to curl 8.2.1 From 39b8b5da38bcd29fa09cb1bbe8e4f46b261899f9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 5 Oct 2025 13:28:50 +0200 Subject: [PATCH 07/10] GHA: bump github/codeql-action from 3.30.3 to 3.30.5 (#91) --- .github/workflows/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ad5f802..4198281 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -27,10 +27,10 @@ jobs: persist-credentials: false - name: 'initialize' - uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3 + uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3 with: languages: actions, python queries: security-extended - name: 'perform analysis' - uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3 + uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3 From baa245a7ce2e68898fd0161f29bb5fd3dd1cf220 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Sun, 5 Oct 2025 13:33:12 +0200 Subject: [PATCH 08/10] GHA: show full versions in pinned hash comments --- .github/workflows/build_ci_multi.yml | 2 +- .github/workflows/build_latest_release_multi.yml | 6 +++--- .github/workflows/build_master.yml | 6 +++--- .github/workflows/build_master_dev.yml | 8 ++++---- .github/workflows/build_master_multi.yml | 6 +++--- .github/workflows/codeql.yml | 6 +++--- 6 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index ffb3164..5dade27 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -33,7 +33,7 @@ jobs: podman login -u ${{secrets.QUAY_USER}} -p ${{secrets.QUAY_TOKEN}} quay.io docker login -u ${{secrets.QUAY_USER}} -p ${{secrets.QUAY_TOKEN}} quay.io - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - run: | diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index d7bcce3..edf904c 100644 --- a/.github/workflows/build_latest_release_multi.yml 
+++ b/.github/workflows/build_latest_release_multi.yml @@ -24,12 +24,12 @@ jobs: install_latest: [ true ] steps: - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false tag_name: ${{ github.ref }} - name: Log in to ghcr.io - uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1 + uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} @@ -65,7 +65,7 @@ jobs: buildah manifest push --format v2s2 --all curl-base-multi:$REL "docker://ghcr.io/curl/curl-container/curl-base-multi:${REL}" name: 'push images to github registry' - name: Install Cosign - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3 + uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 - name: Write signing key to disk (only needed for `cosign sign --key`) run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key - name: Sign images with sigstore key diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index 25b68de..712e267 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml @@ -26,12 +26,12 @@ jobs: install_latest: [ true ] steps: - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false ref: "main" - name: Log in to ghcr.io - uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1 + uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} 
@@ -60,7 +60,7 @@ jobs: buildah push curl:master "docker://ghcr.io/curl/curl-container/curl:master" name: 'push images to github registry' - name: Install Cosign - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3 + uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 - name: Write signing key to disk (only needed for `cosign sign --key`) run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key - name: Sign image with a key diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index c4b51c9..ed0b88b 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml @@ -27,12 +27,12 @@ jobs: install_latest: [ true ] steps: - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false ref: "main" - name: Log in to ghcr.io - uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1 + uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} @@ -57,7 +57,7 @@ jobs: buildah push curl-dev-debian:master "docker://ghcr.io/curl/curl-container/curl-dev-debian:master" name: 'push images to github registry' - name: Install Cosign - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3 + uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 - name: Write signing key to disk (only needed for `cosign sign --key`) run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key - name: Sign image with a key 
@@ -78,7 +78,7 @@ jobs: buildah push curl-dev-fedora:master "docker://ghcr.io/curl/curl-container/curl-dev-fedora:master" name: 'push images to github registry' - name: Install Cosign - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3 + uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 - name: Write signing key to disk (only needed for `cosign sign --key`) run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key - name: Sign image with a key diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index 73fe470..23dafb9 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml @@ -26,12 +26,12 @@ jobs: install_latest: [ true ] steps: - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false ref: "main" - name: Log in to ghcr.io - uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1 + uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} @@ -59,7 +59,7 @@ jobs: buildah manifest push --all --format v2s2 localhost/curl-multi:master "docker://ghcr.io/curl/curl-container/curl-multi:master" name: 'push multi images to github registry' - name: Install Cosign - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3 + uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 - name: Write signing key to disk (only needed for `cosign sign --key`) run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key - name: Sign image with a key diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 4198281..2438221 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -22,15 +22,15 @@ jobs: permissions: security-events: write # To create/update security events steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: 'initialize' - uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3 + uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5 with: languages: actions, python queries: security-extended - name: 'perform analysis' - uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3 + uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5 From 1e8e7910dc87419c5170d88419a8c83d8b81606c Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Mon, 20 Oct 2025 16:46:53 +0200 Subject: [PATCH 09/10] drop pip packages from the image (#89) They don't seem to install: ``` error: externally-managed-environment Error: while running runtime: exit status 1 ``` Ref: https://github.com/curl/curl-container/actions/runs/18084279232/job/51452471235#step:7:6234 --- Containerfile | 4 ---- create_dev_image.sh | 4 ---- requirements.txt | 6 ------ 3 files changed, 14 deletions(-) delete mode 100644 requirements.txt diff --git a/Containerfile b/Containerfile index 30494a0..0e13d62 100644 --- a/Containerfile +++ b/Containerfile @@ -13,8 +13,4 @@ from quay.io/buildah/stable:latest RUN dnf --nodocs --setopt install_weak_deps=false -y install less git make podman qemu qemu-user-static buildah clamav clamav-freshclam -COPY requirements.txt requirements.txt -RUN python3 -m ensurepip -RUN pip3 install --no-input -r requirements.txt - WORKDIR /opt/app-root/src/ diff --git a/create_dev_image.sh b/create_dev_image.sh index ce4f871..3762284 100755 --- a/create_dev_image.sh +++ b/create_dev_image.sh 
@@ -88,10 +88,6 @@ fi # install curl in /build buildah run $bdr make DESTDIR="/build/" install -j$(nproc) -# install useful dev deps¡ -buildah run $bdr python3 -m ensurepip -#buildah run $bdr pip3 --no-input install -r ./requirements.txt - # label image buildah config --label org.opencontainers.image.source="https://github.com/curl/curl-container" $bdr buildah config --label org.opencontainers.image.description="minimal dev image for curl" $bdr diff --git a/requirements.txt b/requirements.txt deleted file mode 100644 index 047213b..0000000 --- a/requirements.txt +++ /dev/null @@ -1,6 +0,0 @@ -pytest -pytest-cov -pytest-sugar -factory-boy -lxml -behave \ No newline at end of file From 9dd325acb19d77186b3ac31c20f861f8aa088c52 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Thu, 23 Oct 2025 00:18:38 +0200 Subject: [PATCH 10/10] SECURITY.md: update broken link to the security process doc (#93) --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 227dfa2..9db9eba 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -5,7 +5,7 @@ SPDX-License-Identifier: curl # Security Policy See curl's -[SECURITY-PROCESS.md](https://github.com/curl/curl/blob/master/docs/SECURITY-PROCESS.md) +[VULN-DISCLOSURE-POLICY.md](https://github.com/curl/curl/blob/master/docs/VULN-DISCLOSURE-POLICY.md) for full details. ## Reporting a Vulnerability