fix: resolve CI failures in scorecard and image-scanning workflows

[clubanderson]

Summary

• Fix scorecard.yml: use job-level permissions instead of workflow-level to satisfy OSSF scorecard webapp restrictions
• Fix image-scanning.yml: update Dockerfile paths where needed

Details

The OpenSSF Scorecard action rejects workflows with global write permissions. This PR moves the permissions to job-level.

For repos with multiple Dockerfiles (galaxy, ui), a matrix build strategy is used to scan all components.

Test plan

• Verify OpenSSF Scorecard workflow passes
• Verify Container Image Scanning workflow passes (if applicable)

🤖 Generated with Claude Code

[kubestellar-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kunal-511 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kubestellar-prow]

Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

📝 Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

• 89c9f8d Marketplace Api & BrandNew Ui/uX (Marketplace All Apis Integration & BrandNew Premium Ui/UX  #1807)
• 7c761e2 Change the plugin query (fix: Change the plugin query to fix the plugin installation from the local #1809)
• d60ae80 Fix: Change installplugin directory-id with installed plugin id from plugin_details_id (Fix: Change installplugin directory-id with installed plugin id from plugin_details_id  #1811)
• 7f32314 refactor: change the color of Please sign in notification (refactor: change the color of Please sign in notification #1805)
• 48bc2d4 Remove plugins folder (Remove plugins folder #1813)
• e1704bc chore: Improve k8 deployer service for plugin (chore: Improve k8 deployer service for plugin #1815)
• 17c05e7 Fix bug in TreeView (issue Bug: TreeView Behaves Differently in Full-Screen Mode #1739): adjust z-index (Fix bug in TreeView (issue #1739): adjust z-index #1800)
• f5e4401 Fix responsiveness for /login page (Fix responsiveness for /login page #1762)
• dc4b303 Fixes Filters were not working in Listview of Deployed Workload (Fixes Filters were not working in Listview of Deployed Workload  #1690)
• 5a15841 Add working grafana dashboard to the UI (Add working grafana dashboard  #1817)
• 818dd98 doc: Add the documentation for installating the plugin from the local (doc: Add the documentation for installating the plugin from the local #1854)
• cc424f6 Fix: Install Now button of Feature plugin card (Fix: Install Now button of Feature plugin card #1856)
• b7710a5 refactor onboarding process: improve completion handling and remove unnecessary timeout (refactor onboarding process: improve completion handling and remove unnecessary timeout #1850)
• b40588c refactor: update marketplace's tags fetching result (refactor: update marketplace's tags fetching result #1858)
• 0239438 refactor: switching installed_plugin_id to plugin_details_id (global identification of plugins) (Switching installed_plugin_id to plugin_details_id (global identification of plugins) #1867)
• 58ae2b6 Fixing Plugin feedback submission issue on the Plugin Management page (Fixing Plugin feedback submission issue on the Plugin Management page #1873)
• 687adad Add DB auto migration (Add DB auto migration #1874)
• 435f630 feat(ci): add sbom generation and upload to artifact (feat(ci): add sbom generation and upload to artifact #1879)
• ba7fdef added Missing Translation for hi locale (added Missing Translation for hi locale #1881)
• bc43ba7 Fix: Manually Installed plugin can be uploaded to marketplace (Fix: Manually Installed plugin can be uploaded to marketplace  #1876)
• 7fa5007 add ui-plugins in .gitignore (add ui-plugins in .gitignore #1889)
• cbf3f8d Refactor Tooltip in Sidebar: Use Material-UI for Better Layering (Refactor Tooltip in Sidebar: Use Material-UI for Better Layering #1883)
• 4cf89ac feat: implement drag-and-drop file upload for kubeconfig in ImportCluster component (feat: implement drag-and-drop file upload for kubeconfig in ImportCluster component #1871)
• 1d42bbb refactor: update the DB migration (Update the DB auto migration #1888)
• ceb4d6f Designed Contribute Handbook Page (Designed Contribute Handbook Page #1891)
• a9a3de1 Optimize GetPodHealthMetrics to Use Single Kube Context (Optimize GetPodHealthMetrics to Use Single Kube Context #1864)
• be94db4 Fixes Binding policy rendering Issue (Fixes Binding policy rendering Issue #1784)
• 38d8408 Fixed the overlapping of header with marketplace (Fixed the overlapping of header with marketplace #1897)
• dddf446 feat(ImportClusters): implement file upload functionality with error handling for kubeconfig (Switching installed_plugin_id to plugin_details_id (global identification of plugins) #1867) (feat(ImportClusters): implement file upload functionality with error handling for kubeconfig  #1878)
• 7960547 Feat : Resource to Object Explorer (Feat : Resource to Object Explorer  #1898)
• 61eab04 Improved UI UX (Brand New Object Explorer with Best UI/ UX and Performance Optimizations  #1899)
• db4ae36 Fixed grafana dashboard (Fixed grafana dashboard #1884)
• 9fcd53a designed program page (KubeStellar/docs – Programs Page Design #1901)
• 013c25d KubeStellar/docs – Google Summer of Code (GSoC) Page Design ( KubeStellar/docs – Google Summer of Code (GSoC) Page Design #1902)
• f713750 removed chatbot logic (Removed Chatbot #1910)
• 37e176e feat(logging): enhance logging functionality by introducing dynamic log level configuration and updating log statements to debug level in Redis operations (feat(logging): enhance logging functionality  #1885)
• 38e7eb0 fix: prevent invalid token toast on login page (fix: prevent invalid token toast on login page #1892)
• 360d339 Added English & Hindi Strings for Kubestellar Galaxy Marketplace in i18n Local Files (Added English & Hindi Strings for Kubestellar Galaxy Marketplace in i18n Local Files #1862)
• 102ab37 Fix: Depolyment Object Status and Naming (Fix: Depolyment Object Status and Naming in Object Explorer #1915)
• 346a6d4 lfx page designed (KubeStellar/docs – LFX Page Design #1914)
• 038c3cc Implemented i18n support for Object Explorer strings (English & Hindi) (Implemented i18n support for Object Explorer strings (English & Hindi) #1918)
• ef612cc designed ifos page (KubeStellar/docs – IFoS Page Design  #1919)
• 363ea3b designed esoc page (KubeStellar/docs – ESOC Page Design #1921)
• 42396d2 link (Added Link in Resources #1922)
• 4c678e8 web designed of landing page (KubeStellar/docs – Landing Page Web Design  #1924)
• 527fc00 Fix: Navbar width set to full in Installtion Page (Fix: Navbar width set to full in Installtion Page #1920)
• 1c547b9 fix: Plugin system now works with docker (fix: Plugin system now works with docker #1908)
• eb570ce Fixed Tooltip (Fixed Tooltip for Podhealth #1905)
• f4fe0d3 web designed of handbook and program page (KubeStellar/docs – Contribute Handbook & Program Pages (Web Design) #1927)
• 97ac663 introduce grafana icon (introduce grafana icon  #1929)
• 24f0462 Removed Metrics Dashboard (grafana dashboard is used instead) (Removed Metrics Dashboard (grafana dashboard is used instead) #1931)
• 783e358 restructure metrics backend (restructure metrics backend #1930)
• 81dad04 opens KS metrics dasbboard by default (Opens KS metrics by default in grafana dashboard #1938)
• a64d2ff Fixes staged workload issue (Fixes staged workload issue #1941)
• 65dcd58 Removed: Platform-plugin details (Removed Platform from plugin details #1944)
• 7f40aaa fix: resolve marketplace header overflow and improve category filter UI (fix: resolve marketplace heading overflow with navbar #1906)
• 06278cd Revert "Fixes staged workload issue (Fixes staged workload issue #1941)" (Revert "Fixes staged workload issue" #1948)
• 8eefd19 Update design-progress.md (Update design-progress.md #1951)
• e3f9efa fix: implement increase download for every installed plugin from marketplace (Implement download increment for every installed plugin from marketplace #1895)
• 125ced9 feat(ui): add collapse/expand button to toggle additional controls (feat(ui): add collapse/expand button to toggle additional controls #1869)
• ede2c32 Update design-progress.md (Added contributors with their github links  #1955)
• c3f3df1 FIX: changes (Add Playwright Documentation #1960)
• 8a5e846 Fix: Changes (Update Contribution.md for Playwright Setup #1961)
• 752ccd0 Rename: Object Explorer (Update name of "resource explorer" to "object explorer" in locale files #1965)
• 54ea99d Comprehensive Playwright testing environment for KubeStellar UI (Comprehensive Playwright testing environment for KubeStellar UI  #1956)
• 94ebc86 Configure Environment-Specific Playwright Setup and Update Documentation (Configure Environment-Specific Playwright Setup and Update Documentation #1964)
• 7544e4a Revert "Fix:cluster nodes view (Fix: Center cluster nodes for proper visibility #1916)" (Revert "Fix: Center cluster nodes for proper visibility" #1975)
• 52fdf18 Audit Delete User Activity (Audit Delete User Activity #1943)
• 8928dfb Update approvers in OWNERS file (Update approvers in OWNERS file #1984)
• 7eca107 fix(frontend): always generate nginx config to fix direct /login 404 ([Bug]: if I go directly to http://localhost:5173/login I get 404 error #1802) (fix(frontend): always generate nginx config to fix direct /login 404 (#1802) #1978)
• ecbc023 refactor(playwright): enhance global setup for dynamic browser selection (refactor(playwright): enhance global setup for dynamic browser selection #1990)
• 7040553 Setup CI/CD Pipeline with Playwright Tests (Setup CI/CD Pipeline with Playwright Tests #1958)
• 541e086 refactor(prerequisites): improve state management and error handling in prerequisites check (refactor(prerequisites): improve state management and error handling in prerequisites check #2002)
• b1a26f8 Add MSW for API mocking and enhance Playwright tests (Add MSW for API mocking and enhance Playwright tests #1998)
• 8a8f3d3 refactor: update the condition for displaying the invalid token warning, avoiding to show it on the login page (refactor: update the condition for displaying the invalid token #2042)
• 77c1b56 Internationalized all hardcoded strings from the Object Explorer components (Internationalized all hardcoded strings from the Object Explorer components #2039)
• 6142ae0 Internationalized empty state messages & Header (Internationalized empty state messages & Header #2040)
• b27356d chore: truncate Bearer Token in backend logged http request (chore: truncate Bearer Token in backend logged http request #2045)
• 485a114 fix: Inconsistency in hover effect in user management (fix: Inconsistency in hover effect in user management #2016)
• f4a874c e2e test for login page and also added scenarios in msw (e2e test for login page and also added scenarios in msw #2032)
• 7a2f791 renamed the buttons and functionality (renamed the buttons and functionality #2060)
• cf4486b feat: enhance resource handling with derived resource structure and optimized filtering to show NameSpaces (feat: enhance resource handling with derived resource structure and optimized filtering to show NameSpaces #2058)
• 00b515e Fix: Prometheus can now successfully scrape metrics from /api/v1/metrics (Fix: Prometheus can now successfully scrape metrics from /api/v1/metrics #2069)
• db3e334 Implement React Query workloads integration in useKubestellarData (Implement React Query workloads integration in useKubestellarData #2073)
• 9fe27da solved binding error (solved binding error #2062)
• 1a7351f feat: implement refresh token functionality with associated database model and routes (feat: implement refresh token functionality with associated database model and routes #2064)
• b480c94 chore: add success status to JSON response (chore: add success status to JSON response #2041)
• 058d4c7 Implement cluster-scoped resource API and update frontend fetching logic (Implement cluster-scoped resource API and update frontend fetching logic #2085)
• 12fa6b8 FIX:Docker postgres authdb (FIX:Docker postgres authdb #2089)
• c679f3c Adopt React Query for cluster loading in useKubestellarData (Adopt React Query for cluster loading in useKubestellarData #2075)
• 700384c Adopt React Query cache for namespaces in (Adopt React Query cache for namespaces in useTreeViewData #2074)
• f36b99d Fix: Visibility (Fix: object type names are in white font on white background when selected #2090)
• 3bda8db refactor: add Grafana to Command Palette (refactor: add Grafana to Command Palette #2070)
• e93c846 Change Plugin Folder Name to PluginNameAuthorVersion (Change Plugin Folder Name to PluginName~Author~Version #2034)
• bde533f sanitise repoURL (Refractored fetchGitHubYAMLs function #1928)
• 5f71ea9 Revert "Solve The src/components/wds_topology/FlowCanvas.tsx (fix : On 50% zoom the nodes are overlapping #1994)" (Revert "fix : On 50% zoom the nodes are overlapping" #2094)
• 8a2eac4 Revert "Solve the Confict (Fix : object type names are in white font on white background when selected  #2067)" (Revert "Fix : object type names are in white font on white background when selected " #2093)
• 99dbb46 Improve filter chip and auto-refresh toggle visibility across themes (Improve filter chip and auto-refresh toggle visibility across themes #2096)
• a83e8e5 Revert "feat: Integrate React Query for data fetching in ListViewComponent" (Fix list view #2102)
• c971254 Fixed Event details, now shows Clusterscoped and namespaced objects (Fixed Event details, now shows Clusterscoped and namespaced objects #2111)
• 9d4b637 E2E : Comprehensive testing Navbar (E2E : Comprehensive testing Navbar #2110)
• 6e17047 feat: add ImportClusterByURLHandler for importing clusters via URL (feat: add ImportClusterByURLHandler for importing clusters via URL #1983)
• ad862e8 Fix: Change default Prometheus and Grafana ports to avoid conflicts (Fix: Change default Prometheus and Grafana ports to avoid conflicts #2126)
• c7446ad e2e : comprehensive test suit for Sidebar (e2e : comprehensive test suit for Sidebar #2122)
• ab605a1 fix: css fix (fix: css fix #2107)
• 8b65638 e2e : Comprehensive test suit for Language Switcher (e2e : Comprehensive test suit for Language Switcher #2135)
• c370121 e2e : Test suit for Theme Toggle (e2e : Test suit for Theme Toggle #2151)
• b9b6b4f fix: added pagination in explore page (fix: added pagination in explore page #2129)
• c70d2af Playwright e2e --> fixes firefox WebGl and adds handlers (Playwright e2e --> fixes firefox WebGl and adds handlers #2153)
• b2c9994 added its tests (Playwright tests for ITS page  #2154)
• d2318dd added cluster action tests (Playwright tests for cluster action #2155)
• e8507f2 added tests for cluster import (Playwright tests for Labels and Filtering in its #2156)
• 15d12c0 added test for labels and filters (Added Playwright tests for labels and filters #2157)
• f5d07b1 added tests for table features in its page (Added Playwright tests for table features in its page #2158)
• e224449 refactor: fixing version string problem (refactor: fixing version string problem #2163)
• 9410b73 Fix: hindi i18n command palette [Bug]: Command palette has incomplete Hindi i18n coverage - several entries remain in English #2142 (Fix: hindi i18n command palette #2142  #2146)
• 7e96285 Fixed the EPIPE error giving in CI pipeline (Fixed the EPIPE error giving in CI pipeline #2168)
• 5b7d6a7 Update monitoring configurations and frontend components (Update monitoring configurations and frontend components #2173)
• 3ca941e E2E : Comprehensive Test suit for Profile Section (E2E : Comprehensive Test suit for Profile Section #2164)
• 0d79a87 corrected the inconsistency in env (Corrected the inconsistency in .env.example #2183)
• 2f03d16 E2E: Test Suit for Command Palette (E2E: Test Suit for Command Palette #2165)
• 5cc2740 Fix Docker FE→BE connectivity and stabilize NPM install flow (Fix Docker FE→BE connectivity and stabilize NPM install flow #2181)
• 0d5827d Fix : corrected the language switcher error (Fix : corrected the language switcher error #2191)
• 80b3e49 Added the handlers and api mocks for testing the user management (Added the handlers and api mocks for testing the user management #2199)
• 39665cd Added POM for user management (Added POM for user management #2203)
• 4ee8fd8 fix: Disable/Uninstall action for plugin works (fix: Disable/Uninstall action for plugin works as expected #2196)
• cfaa97c Fix: Disable caching behaviour for plugin icon (Fix: Disable caching behaviour for plugin icon #2211)
• 296bbd7 Added pom for object explorer (Added pom for object explorer #2213)
• 366c7ac fix: Update Prometheus URL to use localhost in Grafana datasource (fIX dashboard issue #2221)
• fcb20e5 Documentation update: (Documentation update: #2222)
• a0f348b feat: Add feedback request workflow for merged pull requests in GitHub Actions (feat: Add feedback request workflow for merged pull requests in GitHub Actions #2227)
• 6750710 e2e : POM for Binding Policy (e2e : POM for Binding Policy #2234)
• c0c60c3 added changes (Feat : added binding policy browser changes #2236)
• 92ed385 fix(backend): handle user creation errors (fix(backend): handle user creation errors #2245)
• bd795f8 Added e2e playwright tests for User Management (Added e2e playwright tests for User Management #2204)
• d40853a Added Playwright e2e tests for user management for filters (Added Playwright e2e tests for user management for filters #2206)
• b29d2a6 Added PLaywright e2e tests for user management testing the crud (Added PLaywright e2e tests for user management testing the crud  #2205)
• d64e97d Added Playwright e2e tests for Permissions in user management (Added Playwright e2e tests for Permissions in user management #2207)
• 2a39d44 Added POM for ITS Page (Added POM for ITS Page #2212)
• cd8cbb6 added tests for object explorer page (Added tests for object explorer page #2216)
• feedfa7 added test for kind namespaces in object explorer page (Added test for kind namespaces in object explorer page #2215)
• febb94b Added tests for resources actions section in object Explorer page (Added tests for resources actions section in object Explorer page #2217)
• c9cc6b6 Added e2e tests for view modes in object explorer (Added e2e tests for view modes in object explorer #2219)
• 2745ac4 E2E : Test suit for Binding Policy (E2E : Test suit for Binding Policy #2237)
• 52ad5e9 Remove unnecessary / falky tests (Remove unnecessary / falky tests #2255)
• 994fe9f feat(ci): enable parallel test execution with sharding (feat(ci): enable parallel test execution with sharding #2275)
• 00b7979 fix: Update Docker setup for redis and postgres (Fix: Docker Setup - Redis and Postgres Connectivity #2291)
• 158d1fd fix: update KubeStellar Slack community URL (fix: update KubeStellar Slack community URL #2304)
• 6d578c6 fix: correct Code of Conduct contact text (fix: correct Code of Conduct contact text #2307)
• 488e089 Fixed: Spelling error in design-progress.md (Fixed: Spelling error in design-progress.md #2308)
• eabfac8 Make locale sync check informational instead of failing
• 39424b0 ci: skip pr-verifier for dependabot PRs
• a483907 ci: standardize workflow naming and add common workflows
• 3993ce2 chore: add OpenSSF Scorecard workflow (chore: add OpenSSF Scorecard workflow #2334)
• 0c5dcfe chore: add Trivy container image scanning (chore: add Trivy container image scanning #2335)

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.