Fix workflow lint and release summary handling

Author: SecAI-Hub

.github/actionlint.yml

@@ -0,0 +1,5 @@
+self-hosted-runner:
+  labels:
+    - linux
+    - x64
+    - kvm

.github/workflows/ci.yml

@@ -561,10 +561,9 @@ jobs:
           echo "=== Checking internal doc links ==="
           ERRORS=0
           # Find all markdown links to local files
-          for md in $(find docs/ README.md CONTRIBUTING.md SECURITY.md -name '*.md' 2>/dev/null); do
+          while IFS= read -r md; do
             # Extract relative links (not URLs, not anchors)
-            grep -oP '\[([^\]]*)\]\((?!https?://|#)([^)]+)\)' "$md" 2>/dev/null | \
-              grep -oP '\(([^)]+)\)' | tr -d '()' | while read -r link; do
+            while IFS= read -r link; do
                 # Strip anchor fragments
                 target="${link%%#*}"
                 [ -z "$target" ] && continue
@@ -575,8 +574,8 @@ jobs:
                   echo "BROKEN: ${md} -> ${link} (resolved: ${resolved})"
                   ERRORS=$((ERRORS + 1))
                 fi
-              done
-          done
+            done < <(grep -oP '\[([^\]]*)\]\((?!https?://|#)([^)]+)\)' "$md" 2>/dev/null | grep -oP '\(([^)]+)\)' | tr -d '()')
+          done < <(find docs/ README.md CONTRIBUTING.md SECURITY.md -name '*.md' 2>/dev/null)
           if [ "$ERRORS" -gt 0 ]; then
             echo "FAIL: ${ERRORS} broken internal links found"
             exit 1
@@ -849,6 +848,8 @@ jobs:
 
       - name: Release gate summary
         run: |
-          echo "## Release Gate: PASSED" >> "$GITHUB_STEP_SUMMARY"
-          echo "Branch: ${{ github.ref_name }}" >> "$GITHUB_STEP_SUMMARY"
-          echo "All hardened checks passed for release branch." >> "$GITHUB_STEP_SUMMARY"
+          {
+            echo "## Release Gate: PASSED"
+            echo "Branch: ${{ github.ref_name }}"
+            echo "All hardened checks passed for release branch."
+          } >> "$GITHUB_STEP_SUMMARY"

.github/workflows/release.yml

@@ -362,10 +362,12 @@ jobs:
           if [ -n "$DIGEST" ] && [ "$DIGEST" != "null" ]; then
             echo "${DIGEST}" > dist/IMAGE_DIGEST
             echo "${IMAGE_REF}@${DIGEST}" > dist/IMAGE_REF_PINNED
-            echo "## Install with digest pinning" >> "$GITHUB_STEP_SUMMARY"
-            echo '```bash' >> "$GITHUB_STEP_SUMMARY"
-            echo "sudo bash secai-bootstrap.sh --digest ${DIGEST}" >> "$GITHUB_STEP_SUMMARY"
-            echo '```' >> "$GITHUB_STEP_SUMMARY"
+            {
+              echo "## Install with digest pinning"
+              echo '```bash'
+              echo "sudo bash secai-bootstrap.sh --digest ${DIGEST}"
+              echo '```'
+            } >> "$GITHUB_STEP_SUMMARY"
           else
             echo "WARNING: Could not extract image digest for tag ${TAG}"
             echo "unknown" > dist/IMAGE_DIGEST
@@ -484,7 +486,8 @@ jobs:
       - name: Generate SHA256 checksums
         run: |
           cd dist
-          sha256sum * > SHA256SUMS
+          rm -f SHA256SUMS
+          find . -maxdepth 1 -type f -print0 | sort -z | xargs -0 sha256sum > SHA256SUMS
           cat SHA256SUMS
 
       - name: Sign checksums with cosign
@@ -505,10 +508,11 @@ jobs:
         run: |
           for sbom in dist/*-sbom.cdx.json; do
             service=$(basename "$sbom" -sbom.cdx.json)
+            image_ref="ghcr.io/${{ github.repository }}:${{ github.ref_name }}-${service}"
             cosign attest --yes --type cyclonedx \
               --predicate "$sbom" \
               --key env://COSIGN_PRIVATE_KEY \
-              ghcr.io/${{ github.repository }}:${{ github.ref_name }}-${service} || \
+              "$image_ref" || \
               echo "WARN: cosign attest skipped for ${service} (no matching image)"
           done
         env:
@@ -540,14 +544,16 @@ jobs:
       - name: Note on large artifacts
         if: ${{ !inputs.dry_run }}
         run: |
-          echo "## Large Artifacts" >> "$GITHUB_STEP_SUMMARY"
-          echo "" >> "$GITHUB_STEP_SUMMARY"
-          echo "Install media files can exceed GitHub Releases' 2GB limit." >> "$GITHUB_STEP_SUMMARY"
-          echo "Their cosign signatures (.sig) are included in the release." >> "$GITHUB_STEP_SUMMARY"
-          echo "Full images are available as workflow artifacts (90-day retention)." >> "$GITHUB_STEP_SUMMARY"
-          for f in dist/secai-os-*.iso dist/secai-os-*-usb.raw.xz dist/secai-os-*.qcow2 dist/secai-os-*.ova; do
-            [ -f "$f" ] || continue
-            SIZE=$(stat -c%s "$f" 2>/dev/null || echo 0)
-            SIZE_MB=$((SIZE / 1048576))
-            echo "  - $(basename "$f"): ${SIZE_MB} MB" >> "$GITHUB_STEP_SUMMARY"
-          done
+          {
+            echo "## Large Artifacts"
+            echo ""
+            echo "Install media files can exceed GitHub Releases' 2GB limit."
+            echo "Their cosign signatures (.sig) are included in the release."
+            echo "Full images are available as workflow artifacts (90-day retention)."
+            for f in dist/secai-os-*.iso dist/secai-os-*-usb.raw.xz dist/secai-os-*.qcow2 dist/secai-os-*.ova; do
+              [ -f "$f" ] || continue
+              SIZE=$(stat -c%s "$f" 2>/dev/null || echo 0)
+              SIZE_MB=$((SIZE / 1048576))
+              echo "  - $(basename "$f"): ${SIZE_MB} MB"
+            done
+          } >> "$GITHUB_STEP_SUMMARY"