From 7653d52dab4f9f012397ac26e4f9efb0aac922a9 Mon Sep 17 00:00:00 2001
From: TriplEight
Date: Sun, 22 Mar 2026 09:47:32 +0100
Subject: [PATCH 1/3] ci: remove dead BASE_TAGS reference in release bake step

steps.determine-version doesn't exist in docker-build; the expression resolves to empty string. The HCL default (testing) would have applied, but it's moot - the bake uses push-by-digest=true so tags are only set in merge-manifests. Dead code.
---
 .github/workflows/release.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c3b0b9a7..5cb9355a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -183,7 +183,6 @@ jobs:
 id: bake_vw
 uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
 env:
- BASE_TAGS: "${{ steps.determine-version.outputs.BASE_TAGS }}"
 SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}"
 SOURCE_VERSION: "${{ env.SOURCE_VERSION }}"
 SOURCE_REPOSITORY_URL: "${{ env.SOURCE_REPOSITORY_URL }}"

From 59d1f3b854222ea97cc12588856577ffffa77da2 Mon Sep 17 00:00:00 2001
From: TriplEight
Date: Sun, 22 Mar 2026 09:57:36 +0100
Subject: [PATCH 2/3] ci: replace unsecured curl hadolint download with an official action

hadolint/hadolint-action uses a Docker-based runner with hadolint pre-bundled in ghcr.io/hadolint/hadolint:v2.14.0-debian,so no binary downloaded at runtime. Pinning the action to a commit SHA covers the Dockerfile that specifies the image version, closing the supply-chain gap from the previous unverified curl | sudo install. Split {debian,alpine}: the action takes a single dockerfile argument, so debian and alpine are linted separately.
---
 .github/workflows/hadolint.yml | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml
index 2b476904..39f10c55 100644
--- a/.github/workflows/hadolint.yml
+++ b/.github/workflows/hadolint.yml
@@ -30,14 +30,6 @@ jobs:
 driver-opts: |
 network=host
- # Download hadolint - https://github.com/hadolint/hadolint/releases
- - name: Download hadolint
- run: |
- sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint && \
- sudo chmod +x /usr/local/bin/hadolint
- env:
- HADOLINT_VERSION: 2.14.0
- # End Download hadolint
 # Checkout the repo
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -46,8 +38,17 @@ jobs:
 # End Checkout the repo
 # Test Dockerfiles with hadolint
- - name: Run hadolint
- run: hadolint docker/Dockerfile.{debian,alpine}
+ # Uses the Docker-based action (hadolint pre-bundled in ghcr.io/hadolint/hadolint:v2.14.0-debian)
+ # so no binary is downloaded at runtime. Pinned by commit SHA for supply-chain safety.
+ - name: Run hadolint on Dockerfile.debian
+ uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+ with:
+ dockerfile: docker/Dockerfile.debian
+
+ - name: Run hadolint on Dockerfile.alpine
+ uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+ with:
+ dockerfile: docker/Dockerfile.alpine
 # End Test Dockerfiles with hadolint
 # Test Dockerfiles with docker build checks

From 1a5d00c228e3fbcc0e7a833fcbff622cf8656a7c Mon Sep 17 00:00:00 2001
From: TriplEight
Date: Sun, 22 Mar 2026 10:00:54 +0100
Subject: [PATCH 3/3] ci: pin ubuntu-latest to ubuntu-24.04 in merge-manifests and zizmor

ubuntu-latest is a moving target that can silently change the runner OS on the next GitHub-side update. All other jobs in this repo already pin to ubuntu-24.04; this makes merge-manifests and zizmor consistent.
---
 .github/workflows/release.yml | 2 +-
 .github/workflows/zizmor.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5cb9355a..a6aa4dd5 100644
--- a/.github/workflows/release.yml
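Review bot: The added `uses:` lines pin hadolint-action by commit SHA, but the hadolint binary still arrives through a container image the action references by tag (`ghcr.io/hadolint/hadolint:v2.14.0-debian`, per the added comment), so the comment's "no binary is downloaded at runtime" overstates the guarantee: if the action's Dockerfile names that image by tag rather than digest, as the commit message suggests, the image is pulled when the job runs and the tag remains mutable. I would reword the second comment line to `# so nothing is fetched by curl at runtime; the action's hadolint image is still pulled by tag when the job runs. Pinned by commit SHA for supply-chain safety.` and track digest-pinning of that image as a follow-up. Separately, splitting into two steps changes failure reporting: a lint failure on Dockerfile.debian skips the alpine step under the default fail-fast behaviour, whereas the removed `hadolint docker/Dockerfile.{debian,alpine}` reported both files in one run, so adding `if: ${{ !cancelled() }}` to the alpine step keeps both reports visible. The enclosing job definition and its steps list start outside the hunk.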
+++ b/.github/workflows/release.yml
@@ -244,7 +244,7 @@ jobs:
 merge-manifests:
 name: Merge manifests
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 needs: docker-build
 permissions:
 packages: write # Needed to upload packages and artifacts
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 22f3e7e9..a8f49a8c 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -14,7 +14,7 @@ on:
 jobs:
 zizmor:
 name: Run zizmor
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 permissions:
 security-events: write # To write the security report
 steps: