Automated cherry pick of #1328 upstream release 1.33#1391
Merged
k8s-ci-robot merged 3 commits intoApr 29, 2026
Merged
Conversation
k8s-ci-robot
added
the
release-note-none
k8s-ci-robot
added
needs-kind
Contributor
|
This issue is currently awaiting triage. If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the The DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
size/L
Member
Author
|
/retest |
1 similar comment
Member
|
/retest |
Member
|
/test pull-cloud-provider-aws-e2e-kubetest2 |
Member
|
/lgtm |
k8s-ci-robot
added
lgtm
Member
Author
|
/test all |
Signed-off-by: Min Jin <minkimzz@amazon.com>
Pin all GitHub Actions to full-length commit SHAs to comply with Kubernetes organization security policy that requires all actions must be pinned to prevent supply chain attacks. This change addresses the CI failures: "The actions actions/checkout@v4 and actions/dependency-review-action@v4 are not allowed in kubernetes/cloud-provider-aws because all actions must be pinned to a full-length commit SHA." Actions pinned with release verification: - actions/checkout@v4 → @34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 ``` Release: https://github.com/actions/checkout/releases/tag/v4.3.1 Commit: actions/checkout@34e1148 ``` - actions/dependency-review-action@v4 → @2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 ``` Release: https://github.com/actions/dependency-review-action/releases/tag/v4.9.0 Commit: actions/dependency-review-action@2031cfc ``` - golang/govulncheck-action@v1 → @31f7c5463448f83528bd771c2d978d940080c9fd # master (post-v1.0.4) ``` Commit: golang/govulncheck-action@31f7c54 Note: Using master HEAD instead of v1.0.4 because v1.0.4 contains unpinned transitive dependencies (actions/checkout@v4.1.1, actions/setup-go@v5.0.0). The master branch includes a fix from Feb 2026 that pins these dependencies. See: golang/govulncheck-action@31f7c54 ``` - helm/chart-releaser-action@v1.7.0 → @a0d2dc62c5e491af8ef6ba64a2e02bcf3fb33aa1 # v1.7.0 ``` Release: https://github.com/helm/chart-releaser-action/releases/tag/v1.7.0 Commit: helm/chart-releaser-action@a0d2dc6 ``` - actions/github-script@v7 → @f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 ``` Release: https://github.com/actions/github-script/releases/tag/v7.1.0 Commit: actions/github-script@f28e40c ``` Files modified: - .github/workflows/deps.yml - .github/workflows/tag.yml - .github/workflows/helm_chart_release.yaml - .github/workflows/kpromo-reminder.yaml Justification: Pinning actions to commit SHAs instead of mutable tags (v4, v1.7.0, etc.) prevents potential security vulnerabilities where a tag could be moved to point to malicious code. This is a required security practice in the Kubernetes organization to ensure supply chain integrity and is enforced by GitHub Actions policy for kubernetes/* repositories. GitHub enforces that not only direct action dependencies must be pinned, but also transitive dependencies (actions used within composite actions). This is why govulncheck-action required using the master branch commit instead of the latest release tag. Each SHA has been verified against the official release tags to ensure we're using the intended versions while meeting security requirements. Reviewed-by: Claude Sonnet 4.5 <noreply@anthropic.com>
yue9944882
force-pushed
the
automated-cherry-pick-of-#1328-upstream-release-1.33
branch
from
96afc72 to
63bee55
Compare
k8s-ci-robot
removed
the
lgtm
Member
|
/lgtm |
k8s-ci-robot
added
the
lgtm
Contributor
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kmala The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Cherry pick of #1328 on release-1.33.
#1328: Deregister elb targets before registering targets
For details on the cherry pick process, see the cherry pick requests page.