improve CI (#6991)

* ci: remove dead BASE_TAGS reference in release bake step

  steps.determine-version doesn't exist in docker-build; the expression
  resolves to empty string. The HCL default (testing) would have
  applied, but it's moot - the bake uses push-by-digest=true so tags are
  only set in merge-manifests. Dead code.

* ci: replace unsecured curl hadolint download with an official action

  hadolint/hadolint-action uses a Docker-based runner with hadolint
  pre-bundled in ghcr.io/hadolint/hadolint:v2.14.0-debian,so no binary
  downloaded at runtime. Pinning the action to a commit SHA covers the
  Dockerfile that specifies the image version, closing the supply-chain
  gap from the previous unverified curl | sudo install.

  Split {debian,alpine}: the action takes a single dockerfile argument,
  so debian and alpine are linted separately.

* ci: pin ubuntu-latest to ubuntu-24.04 in merge-manifests and zizmor

  ubuntu-latest is a moving target that can silently change the runner OS
  on the next GitHub-side update. All other jobs in this repo already pin
  to ubuntu-24.04; this makes merge-manifests and zizmor consistent.

* ci: return BASE_TAGS - it's needed for bake step
This commit is contained in:
Denis Pisarev 2026-07-08 22:08:20 +02:00 committed by GitHub
parent 4720cdbe86
commit 64d28ab66e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 13 additions and 12 deletions

View File

@ -30,14 +30,6 @@ jobs:
driver-opts: |
network=host
# Download hadolint - https://github.com/hadolint/hadolint/releases
- name: Download hadolint
run: |
sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint && \
sudo chmod +x /usr/local/bin/hadolint
env:
HADOLINT_VERSION: 2.14.0
# End Download hadolint
# Checkout the repo
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@ -46,8 +38,17 @@ jobs:
# End Checkout the repo
# Test Dockerfiles with hadolint
- name: Run hadolint
run: hadolint docker/Dockerfile.{debian,alpine}
# Uses the Docker-based action (hadolint pre-bundled in ghcr.io/hadolint/hadolint:v2.14.0-debian)
# so no binary is downloaded at runtime. Pinned by commit SHA for supply-chain safety.
- name: Run hadolint on Dockerfile.debian
uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
with:
dockerfile: docker/Dockerfile.debian
- name: Run hadolint on Dockerfile.alpine
uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
with:
dockerfile: docker/Dockerfile.alpine
# End Test Dockerfiles with hadolint
# Test Dockerfiles with docker build checks

View File

@ -249,7 +249,7 @@ jobs:
merge-manifests:
name: Merge manifests
runs-on: ubuntu-latest
runs-on: ubuntu-24.04
needs: docker-build
environment:
name: release

View File

@ -14,7 +14,7 @@ on:
jobs:
zizmor:
name: Run zizmor
runs-on: ubuntu-latest
runs-on: ubuntu-24.04
permissions:
security-events: write # To write the security report
steps: