1010env :
1111 BINK_VERSION : v0.1.1
1212
13+ permissions : {}
14+
1315concurrency :
1416 group : ci-${{ github.head_ref || github.ref }}
1517 cancel-in-progress : true
1618
1719jobs :
1820 unit :
1921 runs-on : ubuntu-latest
22+ permissions :
23+ contents : read
2024 steps :
2125 - name : Checkout
22- uses : actions/checkout@v6
26+ uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
27+ with :
28+ persist-credentials : false
2329
2430 - name : Set up Go
25- uses : actions/setup-go@v6
31+ uses : actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
2632 with :
2733 go-version-file : go.mod
28- cache : true
34+ cache : true # zizmor: ignore[cache-poisoning]
2935
3036 - name : Unit tests
3137 run : make unit
4652 IMAGE : ghcr.io/${{ github.repository }}
4753 steps :
4854 - name : Checkout
49- uses : actions/checkout@v6
55+ uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
56+ with :
57+ persist-credentials : false
5058
5159 - name : Download bink release
5260 run : |
@@ -55,10 +63,10 @@ jobs:
5563 sudo chmod +x /usr/local/bin/bink
5664
5765 - name : Set up Go
58- uses : actions/setup-go@v6
66+ uses : actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
5967 with :
6068 go-version-file : go.mod
61- cache : true
69+ cache : true # zizmor: ignore[cache-poisoning]
6270
6371 - name : Set up KVM
6472 run : sudo chmod 666 /dev/kvm
@@ -90,15 +98,21 @@ jobs:
9098
9199 - name : Push to GHCR
92100 if : github.event_name == 'push'
101+ env :
102+ ACTOR : ${{ github.actor }}
103+ GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
104+ SHA : ${{ github.sha }}
105+ REF : ${{ github.ref }}
106+ REF_NAME : ${{ github.ref_name }}
93107 run : |
94- podman login -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} ghcr.io
95- podman push bootc-operator:dev ${{ env. IMAGE }} :dev
96- podman push bootc-operator:dev ${{ env. IMAGE }}:${{ github.sha }}
108+ podman login -u "${ACTOR}" -p "${GH_TOKEN}" ghcr.io
109+ podman push bootc-operator:dev "${ IMAGE}" :dev
110+ podman push bootc-operator:dev "${ IMAGE}":"${SHA}"
97111
98- if [[ "${{ github.ref } }" == refs/tags/v* ]]; then
99- podman push bootc-operator:dev ${{ env. IMAGE }}:${{ github.ref_name }}
112+ if [[ "${REF }" == refs/tags/v* ]]; then
113+ podman push bootc-operator:dev "${ IMAGE}":"${REF_NAME}"
100114 fi
101115
102- if [[ "${{ github.ref } }" == refs/heads/main ]]; then
103- podman push bootc-operator:dev ${{ env. IMAGE }} :latest
116+ if [[ "${REF }" == refs/heads/main ]]; then
117+ podman push bootc-operator:dev "${ IMAGE}" :latest
104118 fi
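Review bot: The new `podman login` line in the "Push to GHCR" step still passes the token as a `-p` argument, so it sits in the process argument list while the command runs, even though it no longer goes through template expansion. Feeding it on stdin keeps it out of argv: `printf '%s' "${GH_TOKEN}" | podman login -u "${ACTOR}" --password-stdin ghcr.io`. Separately, the `# zizmor: ignore[cache-poisoning]` on the setup-go step in the earlier hunk gives no reason for the suppression, and that step appears to belong to the same job that publishes the image. A short comment there saying why a restored Go cache is acceptable in the publishing path would let a later reviewer judge it.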