From 64d28ab66e10cee86ef62d1c4874c1919daa7e69 Mon Sep 17 00:00:00 2001 From: Denis Pisarev Date: Wed, 8 Jul 2026 22:08:20 +0200 Subject: [PATCH] improve CI (#6991) * ci: remove dead BASE_TAGS reference in release bake step steps.determine-version doesn't exist in docker-build; the expression resolves to empty string. The HCL default (testing) would have applied, but it's moot - the bake uses push-by-digest=true so tags are only set in merge-manifests. Dead code. * ci: replace unsecured curl hadolint download with an official action hadolint/hadolint-action uses a Docker-based runner with hadolint pre-bundled in ghcr.io/hadolint/hadolint:v2.14.0-debian,so no binary downloaded at runtime. Pinning the action to a commit SHA covers the Dockerfile that specifies the image version, closing the supply-chain gap from the previous unverified curl | sudo install. Split {debian,alpine}: the action takes a single dockerfile argument, so debian and alpine are linted separately. * ci: pin ubuntu-latest to ubuntu-24.04 in merge-manifests and zizmor ubuntu-latest is a moving target that can silently change the runner OS on the next GitHub-side update. All other jobs in this repo already pin to ubuntu-24.04; this makes merge-manifests and zizmor consistent. * ci: return BASE_TAGS - it's needed for bake step --- .github/workflows/hadolint.yml | 21 +++++++++++---------- .github/workflows/release.yml | 2 +- .github/workflows/zizmor.yml | 2 +- 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml index 074bf2fc..917ba54a 100644 --- a/.github/workflows/hadolint.yml +++ b/.github/workflows/hadolint.yml @@ -30,14 +30,6 @@ jobs: driver-opts: | network=host - # Download hadolint - https://github.com/hadolint/hadolint/releases - - name: Download hadolint - run: | - sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint && \ - sudo chmod +x /usr/local/bin/hadolint - env: - HADOLINT_VERSION: 2.14.0 - # End Download hadolint # Checkout the repo - name: Checkout uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 @@ -46,8 +38,17 @@ jobs: # End Checkout the repo # Test Dockerfiles with hadolint - - name: Run hadolint - run: hadolint docker/Dockerfile.{debian,alpine} + # Uses the Docker-based action (hadolint pre-bundled in ghcr.io/hadolint/hadolint:v2.14.0-debian) + # so no binary is downloaded at runtime. Pinned by commit SHA for supply-chain safety. + - name: Run hadolint on Dockerfile.debian + uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0 + with: + dockerfile: docker/Dockerfile.debian + + - name: Run hadolint on Dockerfile.alpine + uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0 + with: + dockerfile: docker/Dockerfile.alpine # End Test Dockerfiles with hadolint # Test Dockerfiles with docker build checks diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3c6d8574..d4ef21b9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -249,7 +249,7 @@ jobs: merge-manifests: name: Merge manifests - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 needs: docker-build environment: name: release diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 1036b1ce..36163e39 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -14,7 +14,7 @@ on: jobs: zizmor: name: Run zizmor - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: security-events: write # To write the security report steps: