From 4e0ff1fa10834f5a2d28cab371fcb07fa2a5677a Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 6 Oct 2025 11:30:54 +0000 Subject: [PATCH 01/22] ci: replace marocchino/sticky-pull-request-comment by gh cli --- .github/workflows/pr-conventional-title.yml | 50 +++++++++++++++------ 1 file changed, 37 insertions(+), 13 deletions(-) diff --git a/.github/workflows/pr-conventional-title.yml b/.github/workflows/pr-conventional-title.yml index 22ad16ab..3c451d4c 100644 --- a/.github/workflows/pr-conventional-title.yml +++ b/.github/workflows/pr-conventional-title.yml 
@@ -32,21 +32,45 @@ jobs: doesn't start with an uppercase character. env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4 + - name: Add a PR comment with semantic title suggestions if: always() && steps.pr-title.outputs.error_message != null - with: - header: pr-title-lint-error - message: | - Hey there and thank you for opening this pull request! 👋🏼 + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # gh also respects GH_TOKEN + PR_NUMBER: ${{ github.event.pull_request.number }} + run: | + set -Eeuo pipefail - We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted. + MARKER="" + BODY_HEADER="Hey there and thank you for opening this pull request! 👋🏼\n\nWe require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted.\n\n:warning: Details\n\n${{ steps.pr-title.outputs.error_message }}" + FULL_BODY="$MARKER\n\n$BODY_HEADER" + EXISTING_ID=$(gh api repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments --jq \ + ".[] | select(.body|contains(\"$MARKER\")) | .id" | head -n1 || true) - :warning: Details + if [ -n "${EXISTING_ID}" ]; then + echo "Updating existing sticky comment (${EXISTING_ID})" + gh api repos/${GITHUB_REPOSITORY}/issues/comments/${EXISTING_ID} -X PATCH -f body="${FULL_BODY}" + else + echo "Creating new sticky comment" + gh api repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments -f body="${FULL_BODY}" + fi + - name: Remove PR comment + if: steps.pr-title.outputs.error_message == null + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.pull_request.number }} + run: | + set -Eeuo pipefail - ${{ steps.pr-title.outputs.error_message }} + MARKER="" + IDS=$(gh api 
repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments --jq \ + ".[] | select(.body|contains(\"$MARKER\")) | .id" || true) - - if: steps.pr-title.outputs.error_message == null - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4 - with: - header: pr-title-lint-error - delete: true + if [ -z "${IDS}" ]; then + echo "No sticky comment to remove." + exit 0 + fi + + for id in $IDS; do + echo "Deleting sticky comment $id" + gh api repos/${GITHUB_REPOSITORY}/issues/comments/${id} -X DELETE + done From c3861642949ca3d57054990809142a9b3be80a2f Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 6 Oct 2025 11:32:16 +0000 Subject: [PATCH 02/22] ci: update comments --- .github/workflows/pr-conventional-title.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr-conventional-title.yml b/.github/workflows/pr-conventional-title.yml index 3c451d4c..3d8e8c77 100644 --- a/.github/workflows/pr-conventional-title.yml +++ b/.github/workflows/pr-conventional-title.yml @@ -14,6 +14,7 @@ jobs: validate-pr-title: runs-on: ubuntu-latest permissions: + # We need `pull-requests: write` to be able to post comments on PRs pull-requests: write steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 @@ -35,7 +36,7 @@ jobs: - name: Add a PR comment with semantic title suggestions if: always() && steps.pr-title.outputs.error_message != null env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # gh also respects GH_TOKEN + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_NUMBER: ${{ github.event.pull_request.number }} run: | set -Eeuo pipefail From 4a13d4096c9f0b8925a464f132cd4c3580dfac4e Mon Sep 17 00:00:00 2001 
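Review bot: `${{ steps.pr-title.outputs.error_message }}` is substituted by the runner directly into the `run:` script of the new comment step, so any quote, backtick or `$(` in that message (which echoes the PR title, text the PR author controls) becomes shell code executed with a token holding `pull-requests: write`. Pass it through the environment instead: add `ERROR_MESSAGE: ${{ steps.pr-title.outputs.error_message }}` under the step's `env:` and reference `"${ERROR_MESSAGE}"` inside BODY_HEADER. Separately, bash does not interpret `\n` inside double quotes, so `FULL_BODY="$MARKER\n\n$BODY_HEADER"` posts a literal backslash-n between marker and text; build it with `printf '%s\n\n%s'`. As rendered here both `MARKER=""` assignments are empty, which would make `contains("")` match every comment; if that is an HTML comment lost in extraction, ignore this last point. The job header and its trigger start outside the hunk.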
From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 6 Oct 2025 11:44:51 +0000 Subject: [PATCH 03/22] ci: remove social-interaction workflow Rely on the content in the README, CONTRIBUTING and GitHubs native functionality surrounding that documentation to help first-time contributers. --- .github/workflows/social-interaction.yml | 31 ------------------------ 1 file changed, 31 deletions(-) delete mode 100644 .github/workflows/social-interaction.yml diff --git a/.github/workflows/social-interaction.yml b/.github/workflows/social-interaction.yml deleted file mode 100644 index 64e07ffb..00000000 --- a/.github/workflows/social-interaction.yml +++ /dev/null @@ -1,31 +0,0 @@ ---- -name: Social Interaction - -on: - issues: - types: [opened] - pull_request: - types: [opened] - -permissions: {} - -jobs: - greeting: - runs-on: ubuntu-latest - permissions: - issues: write - pull-requests: write - if: github.actor != 'dependabot[bot]' - steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 - with: - disable-sudo-and-containers: true - egress-policy: block - allowed-endpoints: > - api.github.com:443 - - uses: actions/first-interaction@1c4688942c71f71d4f5502a26ea67c331730fa4d # v3.1.0 - continue-on-error: true - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - issue-message: "Thank you for adding your first issue. We will be looking into it as soon as possible." - pr-message: "Thanks for your first PR. We really appreciate it!" From dba12f63e90104a3cbbe5e5871880fec3010ec5e Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 6 Oct 2025 13:47:35 +0200 Subject: [PATCH 04/22] Update .github/workflows/pr-conventional-title.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Ron <45816308+rjaegers@users.noreply.github.com> --- .github/workflows/pr-conventional-title.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) 
diff --git a/.github/workflows/pr-conventional-title.yml b/.github/workflows/pr-conventional-title.yml index 3d8e8c77..3d3fa87c 100644 --- a/.github/workflows/pr-conventional-title.yml +++ b/.github/workflows/pr-conventional-title.yml @@ -42,7 +42,15 @@ jobs: set -Eeuo pipefail MARKER="" - BODY_HEADER="Hey there and thank you for opening this pull request! 👋🏼\n\nWe require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted.\n\n:warning: Details\n\n${{ steps.pr-title.outputs.error_message }}" + read -r -d '' BODY_HEADER <<'EOF' +Hey there and thank you for opening this pull request! 👋🏼 + +We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted. + +:warning: Details + +${{ steps.pr-title.outputs.error_message }} +EOF FULL_BODY="$MARKER\n\n$BODY_HEADER" EXISTING_ID=$(gh api repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments --jq \ ".[] | select(.body|contains(\"$MARKER\")) | .id" | head -n1 || true) From ef6036eef8ef09d643a9fa11f6d2c331a6895a84 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 6 Oct 2025 11:51:07 +0000 Subject: [PATCH 05/22] chore: fix issues identified in workflow --- .github/workflows/pr-conventional-title.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/pr-conventional-title.yml b/.github/workflows/pr-conventional-title.yml index 3d3fa87c..879a3121 100644 --- a/.github/workflows/pr-conventional-title.yml +++ b/.github/workflows/pr-conventional-title.yml 
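Review bot: `read -r -d '' BODY_HEADER <<'EOF'` returns exit status 1 because it reaches end of input without finding a NUL delimiter, and this step runs under `set -Eeuo pipefail`, so the script aborts before any `gh api` call; write `read -r -d '' BODY_HEADER <<'EOF' || true`. Quoting the heredoc delimiter also does not neutralise `${{ steps.pr-title.outputs.error_message }}`: the runner expands it before bash ever parses the script, so a title containing an `EOF` line or shell metacharacters still changes what bash runs — move the value to `env:` and expand `${ERROR_MESSAGE}` in an unquoted heredoc instead. The heredoc body is additionally placed at column 0 inside a `run: |` block scalar, which terminates the scalar and makes the workflow file invalid YAML.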
@@ -43,24 +43,24 @@ jobs: MARKER="" read -r -d '' BODY_HEADER <<'EOF' -Hey there and thank you for opening this pull request! 👋🏼 + Hey there and thank you for opening this pull request! 👋🏼 -We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted. + We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted. -:warning: Details + :warning: Details -${{ steps.pr-title.outputs.error_message }} -EOF + ${{ steps.pr-title.outputs.error_message }} + EOF FULL_BODY="$MARKER\n\n$BODY_HEADER" - EXISTING_ID=$(gh api repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments --jq \ + EXISTING_ID=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --jq \ ".[] | select(.body|contains(\"$MARKER\")) | .id" | head -n1 || true) if [ -n "${EXISTING_ID}" ]; then echo "Updating existing sticky comment (${EXISTING_ID})" - gh api repos/${GITHUB_REPOSITORY}/issues/comments/${EXISTING_ID} -X PATCH -f body="${FULL_BODY}" + gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${EXISTING_ID}" -X PATCH -f body="${FULL_BODY}" else echo "Creating new sticky comment" - gh api repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments -f body="${FULL_BODY}" + gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" -f body="${FULL_BODY}" fi - name: Remove PR comment if: steps.pr-title.outputs.error_message == null @@ -71,7 +71,7 @@ EOF set -Eeuo pipefail MARKER="" - IDS=$(gh api repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments --jq \ + IDS=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --jq \ ".[] | select(.body|contains(\"$MARKER\")) | .id" || true) if [ -z "${IDS}" ]; then 
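Review bot: `FULL_BODY="$MARKER\n\n$BODY_HEADER"` still concatenates a literal backslash-n — bash only interprets `\n` in `$'…'` strings or through printf — so the marker and the greeting are posted on a single line and the later lookup via `contains(\"$MARKER\")` relies on that text surviving Markdown rendering. Build it with `FULL_BODY=$(printf '%s\n\n%s' "$MARKER" "$BODY_HEADER")`. The `read -r -d ''` two lines above also exits non-zero at end of input, which `set -Eeuo pipefail` turns into a failed step before the comment is created or updated; append `|| true` to that line.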
@@ -81,5 +81,5 @@ EOF for id in $IDS; do echo "Deleting sticky comment $id" - gh api repos/${GITHUB_REPOSITORY}/issues/comments/${id} -X DELETE + gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${id}" -X DELETE done From 880c89156032863dc261427c81d20b1d6e0fae4f Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 6 Oct 2025 12:11:48 +0000 Subject: [PATCH 06/22] ci: refactor to re-usable workflow --- .github/actions/sticky-pr-comment/action.yml | 90 ++++++++++++++++++++ .github/workflows/pr-conventional-title.yml | 59 +++---------- .github/workflows/wc-build-push.yml | 7 +- 3 files changed, 108 insertions(+), 48 deletions(-) create mode 100644 .github/actions/sticky-pr-comment/action.yml diff --git a/.github/actions/sticky-pr-comment/action.yml b/.github/actions/sticky-pr-comment/action.yml new file mode 100644 index 00000000..8691ab91 --- /dev/null +++ b/.github/actions/sticky-pr-comment/action.yml 
@@ -0,0 +1,90 @@ +name: 'Sticky PR Comment' +description: 'Creates, updates or deletes a PR comment identified by a hidden marker' +branding: + icon: message-circle + color: blue + +inputs: + pr-number: + description: 'Pull request number' + required: true + body: + description: 'Comment body content (without marker) to upsert. Required unless mode=delete.' + required: false + marker: + description: 'Unique hidden marker to identify the sticky comment' + default: 'sticky-comment' + required: false + mode: + description: 'Operation mode: upsert or delete' + default: 'upsert' + required: false + +runs: + using: 'composite' + steps: + - name: Validate inputs + env: + MODE: ${{ inputs.mode }} + BODY: ${{ inputs.body }} + shell: bash + run: | + set -Eeuo pipefail + + case "${MODE}" in + upsert|delete) ;; + *) echo "Invalid mode: ${MODE} (expected upsert|delete)" >&2; exit 1;; + esac + + if [ "${MODE}" = delete ]; then + exit 0 + fi + + if [ -z "${BODY}" ]; then + echo 'Input "body" is required in upsert mode' >&2 + exit 1 + fi + - name: Upsert comment + if: inputs.mode == 'upsert' + env: + GH_TOKEN: ${{ github.token }} + PR_NUMBER: ${{ inputs.pr-number }} + MARKER: ${{ inputs.marker }} + shell: bash + run: | + set -Eeuo pipefail + + MARKER_COMMENT="" + FULL_BODY="${MARKER_COMMENT}\n${{ inputs.body }}" + EXISTING_ID=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --jq \ + ".[] | select(.body|contains(\"${MARKER_COMMENT}\")) | .id" | head -n1 || true) + + if [ -n "${EXISTING_ID}" ]; then + echo "Updating existing sticky comment (${EXISTING_ID})" + gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${EXISTING_ID}" -X PATCH -f body="${FULL_BODY}" + else + echo "Creating new sticky comment" + gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" -f body="${FULL_BODY}" + fi + - name: Delete comment(s) + if: inputs.mode == 'delete' + env: + GH_TOKEN: ${{ github.token }} + PR_NUMBER: ${{ inputs.pr-number }} + MARKER: ${{ inputs.marker }} + shell: 
bash + run: | + set -Eeuo pipefail + + MARKER_COMMENT="" + FOUND_IDS=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --jq ".[] | select(.body|contains(\"${MARKER_COMMENT}\")) | .id" || true) + + if [ -z "${FOUND_IDS}" ]; then + echo "No sticky comment(s) to delete"; + exit 0; + fi + + for id in $FOUND_IDS; do + echo "Deleting sticky comment $id" + gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${id}" -X DELETE + done diff --git a/.github/workflows/pr-conventional-title.yml b/.github/workflows/pr-conventional-title.yml index 879a3121..25e2e538 100644 --- a/.github/workflows/pr-conventional-title.yml +++ b/.github/workflows/pr-conventional-title.yml 
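Review bot: In the `Upsert comment` step, `FULL_BODY="${MARKER_COMMENT}\n${{ inputs.body }}"` interpolates a caller-supplied input straight into the shell script, so a body containing `"`, backticks or `$(` is executed rather than posted — and the caller in this series feeds it PR-title text; the `BODY` env var already defined in the validation step should be reused here as `"${BODY}"`. `gh api …/comments` without `--paginate` returns only the first page of comments, so on a long PR the sticky comment is not found and upsert creates duplicates while delete leaves the old one in place. `PR_NUMBER` is spliced into the request path unchecked; add `[[ "${PR_NUMBER}" =~ ^[0-9]+$ ]] || { echo "pr-number must be numeric" >&2; exit 1; }` to the validation step. Both marker strings render as empty here, which would make `contains("")` match every comment; if an HTML comment was lost in extraction, disregard that point.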
@@ -33,53 +33,22 @@ jobs: doesn't start with an uppercase character. env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Add a PR comment with semantic title suggestions + - uses: ./.github/actions/sticky-pr-comment if: always() && steps.pr-title.outputs.error_message != null - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - PR_NUMBER: ${{ github.event.pull_request.number }} - run: | - set -Eeuo pipefail - - MARKER="" - read -r -d '' BODY_HEADER <<'EOF' - Hey there and thank you for opening this pull request! 👋🏼 - - We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted. + with: + pr-number: ${{ github.event.pull_request.number }} + marker: pr-title-lint-error + body: | + Hey there and thank you for opening this pull request! 👋🏼 - :warning: Details + We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted. 
- ${{ steps.pr-title.outputs.error_message }} - EOF - FULL_BODY="$MARKER\n\n$BODY_HEADER" - EXISTING_ID=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --jq \ - ".[] | select(.body|contains(\"$MARKER\")) | .id" | head -n1 || true) + :warning: Details - if [ -n "${EXISTING_ID}" ]; then - echo "Updating existing sticky comment (${EXISTING_ID})" - gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${EXISTING_ID}" -X PATCH -f body="${FULL_BODY}" - else - echo "Creating new sticky comment" - gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" -f body="${FULL_BODY}" - fi - - name: Remove PR comment + ${{ steps.pr-title.outputs.error_message }} + - uses: ./.github/actions/sticky-pr-comment if: steps.pr-title.outputs.error_message == null - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - PR_NUMBER: ${{ github.event.pull_request.number }} - run: | - set -Eeuo pipefail - - MARKER="" - IDS=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --jq \ - ".[] | select(.body|contains(\"$MARKER\")) | .id" || true) - - if [ -z "${IDS}" ]; then - echo "No sticky comment to remove." - exit 0 - fi - - for id in $IDS; do - echo "Deleting sticky comment $id" - gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${id}" -X DELETE - done + with: + pr-number: ${{ github.event.pull_request.number }} + marker: pr-title-lint-error + mode: delete diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml index 2f0af7c4..15fcda42 100644 --- a/.github/workflows/wc-build-push.yml +++ b/.github/workflows/wc-build-push.yml 
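Review bot: `uses: ./.github/actions/sticky-pr-comment` resolves a local action from the job's workspace, and this job has no `actions/checkout` step, so the step fails to find the action at runtime. Add a pinned `actions/checkout` with `persist-credentials: false` before the first use (and before the title-check step, since the comment step runs under `always()`). If this workflow is triggered by `pull_request_target` (the trigger is outside the hunk), keep the default checkout ref — the base branch — rather than the PR head, because the checked-out action's shell runs with a token that has `pull-requests: write`.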
@@ -180,10 +180,11 @@ jobs: with: from-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}:edge to-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}:${{ steps.metadata.outputs.version }} - - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4 + - uses: ./.github/actions/sticky-pr-comment with: - header: container-size-diff-${{ inputs.flavor }} - message: | + pr-number: ${{ github.event.pull_request.number }} + marker: container-size-diff-${{ inputs.flavor }} + body: | ${{ steps.container-size-diff.outputs.size-diff-markdown }} - uses: anchore/sbom-action@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6 with: From 0bc63b6486b6eddc7b1448178fdab902a498f3f9 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 6 Oct 2025 12:23:03 +0000 Subject: [PATCH 07/22] chore: process more review feedback --- .github/actions/sticky-pr-comment/action.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/actions/sticky-pr-comment/action.yml b/.github/actions/sticky-pr-comment/action.yml index 8691ab91..64f6f88d 100644 --- a/.github/actions/sticky-pr-comment/action.yml +++ b/.github/actions/sticky-pr-comment/action.yml 
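Review bot: `pr-number: ${{ github.event.pull_request.number }}` in a `workflow_call` workflow takes the caller's event payload, so when the caller is a push, release or scheduled run the input is empty and the new action calls `issues//comments`, failing the build job. Guard the step with `if: github.event_name == 'pull_request'` (how the replaced action behaved outside a PR is not visible here). The `size-diff-markdown` output is passed via `with:`, which is safe on this side, but note that the action's `run:` script interpolates `inputs.body` into the shell, so the content of that output matters.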
@@ -50,15 +50,15 @@ runs: GH_TOKEN: ${{ github.token }} PR_NUMBER: ${{ inputs.pr-number }} MARKER: ${{ inputs.marker }} + BODY: ${{ inputs.body }} shell: bash run: | set -Eeuo pipefail MARKER_COMMENT="" - FULL_BODY="${MARKER_COMMENT}\n${{ inputs.body }}" - EXISTING_ID=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --jq \ - ".[] | select(.body|contains(\"${MARKER_COMMENT}\")) | .id" | head -n1 || true) - + FULL_BODY="${MARKER_COMMENT}\n${BODY}" + EXISTING_ID=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --jq ".[] | select(.body|contains(\"${MARKER_COMMENT}\")) | .id" | head -n1 || true) + if [ -n "${EXISTING_ID}" ]; then echo "Updating existing sticky comment (${EXISTING_ID})" gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${EXISTING_ID}" -X PATCH -f body="${FULL_BODY}" @@ -84,7 +84,7 @@ runs: exit 0; fi - for id in $FOUND_IDS; do + for id in ${FOUND_IDS}; do echo "Deleting sticky comment $id" gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${id}" -X DELETE done From 0fdad3a8000058620fc87facf0b16908b1e3ac04 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 6 Oct 2025 12:32:55 +0000 Subject: [PATCH 08/22] style: add yaml start token --- .github/actions/sticky-pr-comment/action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/actions/sticky-pr-comment/action.yml b/.github/actions/sticky-pr-comment/action.yml index 64f6f88d..a3852125 100644 --- a/.github/actions/sticky-pr-comment/action.yml +++ b/.github/actions/sticky-pr-comment/action.yml @@ -1,3 +1,4 @@ +--- name: 'Sticky PR Comment' description: 'Creates, updates or deletes a PR comment identified by a hidden marker' branding: From 642f0afdb84713e80085cbe3259c4acb15ad2dba Mon Sep 17 00:00:00 2001 
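Review bot: `FULL_BODY="${MARKER_COMMENT}\n${BODY}"` still joins the two parts with a literal backslash-n, since bash leaves `\n` untouched inside double quotes; use `FULL_BODY=$(printf '%s\n%s' "${MARKER_COMMENT}" "${BODY}")`. The `| head -n1 || true` tail also converts any `gh api` failure (expired token, 404, rate limit) into an empty `EXISTING_ID`, so the script silently falls through to creating a fresh comment instead of surfacing the error; let jq pick the first match instead: `--jq "first(.[] | select(.body|contains(\"${MARKER_COMMENT}\")) | .id) // empty"` with no `|| true`.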
From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 6 Oct 2025 12:37:34 +0000 Subject: [PATCH 09/22] chore: apply review comments --- .github/actions/sticky-pr-comment/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/sticky-pr-comment/action.yml b/.github/actions/sticky-pr-comment/action.yml index a3852125..3d7f5562 100644 --- a/.github/actions/sticky-pr-comment/action.yml +++ b/.github/actions/sticky-pr-comment/action.yml @@ -57,7 +57,7 @@ runs: set -Eeuo pipefail MARKER_COMMENT="" - FULL_BODY="${MARKER_COMMENT}\n${BODY}" + FULL_BODY=$(printf "%s\n%s" "${MARKER_COMMENT}" "${BODY}") EXISTING_ID=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --jq ".[] | select(.body|contains(\"${MARKER_COMMENT}\")) | .id" | head -n1 || true) if [ -n "${EXISTING_ID}" ]; then From 81a45275d87f30ec8c1a96b61077372cc2d16cda Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 6 Oct 2025 12:41:22 +0000 Subject: [PATCH 10/22] chore: add checkout action --- .github/workflows/pr-conventional-title.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/pr-conventional-title.yml b/.github/workflows/pr-conventional-title.yml index 25e2e538..c9ecbe77 100644 --- a/.github/workflows/pr-conventional-title.yml +++ b/.github/workflows/pr-conventional-title.yml @@ -14,6 +14,8 @@ jobs: validate-pr-title: runs-on: ubuntu-latest permissions: + # We need `contents: read` to be able to use the local GitHub Action + contents: read # We need `pull-requests: write` to be able to post comments on PRs pull-requests: write steps: @@ -33,6 +35,9 @@ jobs: doesn't start with an uppercase character. env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - uses: ./.github/actions/sticky-pr-comment if: always() && steps.pr-title.outputs.error_message != null with: 
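Review bot: The marker is still spliced into the jq program as a quoted string, so a `marker` input containing `"` or `\` breaks the filter or changes which comments match; `gh api --jq` has no `--arg`, so either pipe the JSON to `jq -r --arg m "${MARKER_COMMENT}" '.[] | select(.body|contains($m)) | .id'` or validate the input in the first step with `[[ "${MARKER}" =~ ^[A-Za-z0-9_.-]+$ ]] || exit 1`. The input is caller-controlled rather than PR-author-controlled, so the exposure is lower, but the action is reusable and the check is one line.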
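Review bot: The new `actions/checkout` step sits after the title-check step and has no `if: always()`, while the following sticky-comment step uses `always()`, which indicates the title check can fail; when it does, the checkout is skipped and `./.github/actions/sticky-pr-comment` cannot be resolved precisely in the case where the comment is needed. Move the checkout ahead of the title-check step (or add `if: always()` to it). `persist-credentials: false` is right; if the workflow runs on `pull_request_target` (trigger outside the hunk), keep the default base-branch ref rather than checking out the PR head, since the local action then executes with a write-capable token.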
From 0d64ddfc8f79ca486c9b5613256b1c668198f903 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 6 Oct 2025 12:53:07 +0000 Subject: [PATCH 11/22] chore: restore after failed experiment --- .github/actions/sticky-pr-comment/action.yml | 91 -------------------- .github/workflows/pr-conventional-title.yml | 14 ++- .github/workflows/wc-build-push.yml | 7 +- 3 files changed, 9 insertions(+), 103 deletions(-) delete mode 100644 .github/actions/sticky-pr-comment/action.yml diff --git a/.github/actions/sticky-pr-comment/action.yml b/.github/actions/sticky-pr-comment/action.yml deleted file mode 100644 index 3d7f5562..00000000 --- a/.github/actions/sticky-pr-comment/action.yml +++ /dev/null 
@@ -1,91 +0,0 @@ ---- -name: 'Sticky PR Comment' -description: 'Creates, updates or deletes a PR comment identified by a hidden marker' -branding: - icon: message-circle - color: blue - -inputs: - pr-number: - description: 'Pull request number' - required: true - body: - description: 'Comment body content (without marker) to upsert. Required unless mode=delete.' - required: false - marker: - description: 'Unique hidden marker to identify the sticky comment' - default: 'sticky-comment' - required: false - mode: - description: 'Operation mode: upsert or delete' - default: 'upsert' - required: false - -runs: - using: 'composite' - steps: - - name: Validate inputs - env: - MODE: ${{ inputs.mode }} - BODY: ${{ inputs.body }} - shell: bash - run: | - set -Eeuo pipefail - - case "${MODE}" in - upsert|delete) ;; - *) echo "Invalid mode: ${MODE} (expected upsert|delete)" >&2; exit 1;; - esac - - if [ "${MODE}" = delete ]; then - exit 0 - fi - - if [ -z "${BODY}" ]; then - echo 'Input "body" is required in upsert mode' >&2 - exit 1 - fi - - name: Upsert comment - if: inputs.mode == 'upsert' - env: - GH_TOKEN: ${{ github.token }} - PR_NUMBER: ${{ inputs.pr-number }} - MARKER: ${{ inputs.marker }} - BODY: ${{ inputs.body }} - shell: bash - run: | - set -Eeuo pipefail - - MARKER_COMMENT="" - FULL_BODY=$(printf "%s\n%s" "${MARKER_COMMENT}" "${BODY}") - EXISTING_ID=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --jq ".[] | select(.body|contains(\"${MARKER_COMMENT}\")) | .id" | head -n1 || true) - - if [ -n "${EXISTING_ID}" ]; then - echo "Updating existing sticky comment (${EXISTING_ID})" - gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${EXISTING_ID}" -X PATCH -f body="${FULL_BODY}" - else - echo "Creating new sticky comment" - gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" -f body="${FULL_BODY}" - fi - - name: Delete comment(s) - if: inputs.mode == 'delete' - env: - GH_TOKEN: ${{ github.token }} - PR_NUMBER: ${{ inputs.pr-number }} - 
MARKER: ${{ inputs.marker }} - shell: bash - run: | - set -Eeuo pipefail - - MARKER_COMMENT="" - FOUND_IDS=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --jq ".[] | select(.body|contains(\"${MARKER_COMMENT}\")) | .id" || true) - - if [ -z "${FOUND_IDS}" ]; then - echo "No sticky comment(s) to delete"; - exit 0; - fi - - for id in ${FOUND_IDS}; do - echo "Deleting sticky comment $id" - gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${id}" -X DELETE - done diff --git a/.github/workflows/pr-conventional-title.yml b/.github/workflows/pr-conventional-title.yml index c9ecbe77..edf754e8 100644 --- a/.github/workflows/pr-conventional-title.yml +++ b/.github/workflows/pr-conventional-title.yml @@ -38,12 +38,11 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - uses: ./.github/actions/sticky-pr-comment + - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4 if: always() && steps.pr-title.outputs.error_message != null with: - pr-number: ${{ github.event.pull_request.number }} - marker: pr-title-lint-error - body: | + header: pr-title-lint-error + message: | Hey there and thank you for opening this pull request! 👋🏼 We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted. @@ -51,9 +50,8 @@ jobs: :warning: Details ${{ steps.pr-title.outputs.error_message }} - - uses: ./.github/actions/sticky-pr-comment + - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4 if: steps.pr-title.outputs.error_message == null with: - pr-number: ${{ github.event.pull_request.number }} - marker: pr-title-lint-error - mode: delete + header: pr-title-lint-error + delete: true diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml index 15fcda42..2f0af7c4 100644 
--- a/.github/workflows/wc-build-push.yml +++ b/.github/workflows/wc-build-push.yml @@ -180,11 +180,10 @@ jobs: with: from-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}:edge to-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}:${{ steps.metadata.outputs.version }} - - uses: ./.github/actions/sticky-pr-comment + - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4 with: - pr-number: ${{ github.event.pull_request.number }} - marker: container-size-diff-${{ inputs.flavor }} - body: | + header: container-size-diff-${{ inputs.flavor }} + message: | ${{ steps.container-size-diff.outputs.size-diff-markdown }} - uses: anchore/sbom-action@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6 with: From a99e6e621e53578886823abb4b5a36d64a79a5c3 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 6 Oct 2025 12:55:07 +0000 Subject: [PATCH 12/22] chore: remove more fall-out --- .github/workflows/pr-conventional-title.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/pr-conventional-title.yml b/.github/workflows/pr-conventional-title.yml index edf754e8..310bedf7 100644 --- a/.github/workflows/pr-conventional-title.yml +++ b/.github/workflows/pr-conventional-title.yml @@ -14,8 +14,6 @@ jobs: validate-pr-title: runs-on: ubuntu-latest permissions: - # We need `contents: read` to be able to use the local GitHub Action - contents: read # We need `pull-requests: write` to be able to post comments on PRs pull-requests: write steps: @@ -35,9 +33,6 @@ jobs: doesn't start with an uppercase character. env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - persist-credentials: false - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4 if: always() && steps.pr-title.outputs.error_message != null with: 
From dcf4ad4014a667917a9c4ad810e11dd725fdcd00 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 6 Oct 2025 13:36:07 +0000 Subject: [PATCH 13/22] ci: least privilege and add documentation --- .github/workflows/image-cleanup.yml | 4 +--- .github/workflows/issue-cleanup.yml | 4 ++-- .github/workflows/issue-creation-tool-versions.yml | 2 +- .github/workflows/linting-formatting.yml | 3 +-- .github/workflows/wc-document-generation.yml | 5 +++-- .github/workflows/wc-integration-test.yml | 5 +++-- 6 files changed, 11 insertions(+), 12 deletions(-) diff --git a/.github/workflows/image-cleanup.yml b/.github/workflows/image-cleanup.yml index 8c519166..f22675fc 100644 --- a/.github/workflows/image-cleanup.yml +++ b/.github/workflows/image-cleanup.yml @@ -12,9 +12,7 @@ jobs: delete-images: runs-on: ubuntu-latest permissions: - # dataaxiom/ghcr-cleanup-action needs packages write permission - # to delete untagged and orphaned images - packages: write + packages: write # `packages: write` is needed to delete untagged and orphaned images (dataaxiom/ghcr-cleanup-action) steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: diff --git a/.github/workflows/issue-cleanup.yml b/.github/workflows/issue-cleanup.yml index eb938768..3a6c4923 100644 --- a/.github/workflows/issue-cleanup.yml +++ b/.github/workflows/issue-cleanup.yml @@ -11,8 +11,8 @@ jobs: close-issues: runs-on: ubuntu-latest permissions: - issues: write - pull-requests: write + issues: write # `issues: write` is needed to close/comment on issues (actions/stale) + pull-requests: write # `pull-requests: write` is needed to close/comment on PRs (actions/stale) steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: diff --git a/.github/workflows/issue-creation-tool-versions.yml b/.github/workflows/issue-creation-tool-versions.yml index c4b73cde..462bd955 100644 
--- a/.github/workflows/issue-creation-tool-versions.yml +++ b/.github/workflows/issue-creation-tool-versions.yml @@ -13,7 +13,7 @@ jobs: name: Create tool version evaluation issue runs-on: ubuntu-latest permissions: - issues: write + issues: write # `issues: write` is needed to create/close/pin/unpin issues (gh cli) steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: diff --git a/.github/workflows/linting-formatting.yml b/.github/workflows/linting-formatting.yml index 06444f10..78b906a9 100644 --- a/.github/workflows/linting-formatting.yml +++ b/.github/workflows/linting-formatting.yml @@ -14,8 +14,7 @@ concurrency: group: ${{ github.ref }}-${{ github.workflow }} cancel-in-progress: true -permissions: - contents: read +permissions: {} jobs: linter: diff --git a/.github/workflows/wc-document-generation.yml b/.github/workflows/wc-document-generation.yml index 95ec7e24..48e38b93 100644 --- a/.github/workflows/wc-document-generation.yml +++ b/.github/workflows/wc-document-generation.yml @@ -4,12 +4,13 @@ name: Document Generation on: workflow_call: -permissions: - contents: read +permissions: {} jobs: generate-documents: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: diff --git a/.github/workflows/wc-integration-test.yml b/.github/workflows/wc-integration-test.yml index 26b899d8..5421706c 100644 --- a/.github/workflows/wc-integration-test.yml +++ b/.github/workflows/wc-integration-test.yml @@ -11,8 +11,7 @@ on: required: true type: string -permissions: - contents: read +permissions: {} env: CONTAINER_FLAVOR: ${{ inputs.flavor }} @@ -42,6 +41,8 @@ jobs: run-test: needs: determine-container runs-on: ${{ inputs.runner }} + permissions: + contents: read container: ${{ needs.determine-container.outputs.container }} steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 
From 61945f8a32dd30e6388791b03746fdd02d94ce40 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 6 Oct 2025 13:39:32 +0000 Subject: [PATCH 14/22] ci: fix out of date version comment --- .github/workflows/linting-formatting.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linting-formatting.yml b/.github/workflows/linting-formatting.yml index 78b906a9..ac27e7a4 100644 --- a/.github/workflows/linting-formatting.yml +++ b/.github/workflows/linting-formatting.yml @@ -53,6 +53,6 @@ jobs: name: Linter Report path: | megalinter-reports - - uses: reviewdog/action-suggester@aa38384ceb608d00f84b4690cacc83a5aba307ff # v1.19.0 + - uses: reviewdog/action-suggester@aa38384ceb608d00f84b4690cacc83a5aba307ff # v1.24.0 with: tool_name: MegaLinter From bebaa47438981b0a70b089eec3f8e5207bc9397a Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 6 Oct 2025 13:56:05 +0000 Subject: [PATCH 15/22] ci: fix more zizmor findings --- .github/workflows/image-cleanup.yml | 2 +- .github/workflows/issue-cleanup.yml | 4 ++-- .github/workflows/issue-creation-tool-versions.yml | 2 +- .github/workflows/linting-formatting.yml | 4 ++-- .github/workflows/ossf-scorecard.yml | 7 ++++--- .github/workflows/pr-conventional-title.yml | 3 +-- .github/workflows/pr-image-cleanup.yml | 5 ++--- .github/workflows/pr-report.yml | 8 ++++---- .github/workflows/release-please.yml | 5 +++-- .github/workflows/release-published.yml | 2 +- .github/workflows/vulnerability-scan.yml | 2 +- 11 files changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/workflows/image-cleanup.yml b/.github/workflows/image-cleanup.yml index f22675fc..7a0e7d98 100644 --- a/.github/workflows/image-cleanup.yml +++ b/.github/workflows/image-cleanup.yml 
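Review bot: Only the trailing version comment changes here (`# v1.19.0` → `# v1.24.0`) while the pinned SHA `aa38384c…` is unchanged, so at most one of the two comments can be correct; if the commit resolves to v1.19.0 the new comment now overstates what is pinned, and tools such as Dependabot or Renovate that read these comments (presumably in use, given the hash pins) will base their next bump on it. Confirm which tag the SHA belongs to with `git ls-remote --tags https://github.com/reviewdog/action-suggester | grep aa38384c` and, if v1.24.0 is intended, update the SHA together with the comment.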
@@ -12,7 +12,7 @@ jobs: delete-images: runs-on: ubuntu-latest permissions: - packages: write # `packages: write` is needed to delete untagged and orphaned images (dataaxiom/ghcr-cleanup-action) + packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete untagged and orphaned images steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: diff --git a/.github/workflows/issue-cleanup.yml b/.github/workflows/issue-cleanup.yml index 3a6c4923..16eedd8e 100644 --- a/.github/workflows/issue-cleanup.yml +++ b/.github/workflows/issue-cleanup.yml @@ -11,8 +11,8 @@ jobs: close-issues: runs-on: ubuntu-latest permissions: - issues: write # `issues: write` is needed to close/comment on issues (actions/stale) - pull-requests: write # `pull-requests: write` is needed to close/comment on PRs (actions/stale) + issues: write # is needed by actions/stale to close/comment on issues + pull-requests: write # is needed by actions/stale to close/comment on PRs steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: diff --git a/.github/workflows/issue-creation-tool-versions.yml b/.github/workflows/issue-creation-tool-versions.yml index 462bd955..c8184729 100644 --- a/.github/workflows/issue-creation-tool-versions.yml +++ b/.github/workflows/issue-creation-tool-versions.yml @@ -13,7 +13,7 @@ jobs: name: Create tool version evaluation issue runs-on: ubuntu-latest permissions: - issues: write # `issues: write` is needed to create/close/pin/unpin issues (gh cli) + issues: write # is by gh cli needed to create/close/pin/unpin issues steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: diff --git a/.github/workflows/linting-formatting.yml b/.github/workflows/linting-formatting.yml index ac27e7a4..3f23f250 100644 --- a/.github/workflows/linting-formatting.yml +++ b/.github/workflows/linting-formatting.yml 
@@ -22,8 +22,8 @@ jobs: permissions: contents: read actions: read - pull-requests: write - security-events: write + pull-requests: write # is needed by oxsecurity/megalinter and reviewdog/action-suggester to post PR comments + security-events: write # is needed by oxsecurity/megalinter for uploading sarif files steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml index 0e36ec99..9c20f947 100644 --- a/.github/workflows/ossf-scorecard.yml +++ b/.github/workflows/ossf-scorecard.yml @@ -9,14 +9,15 @@ on: push: branches: [main] -permissions: read-all +permissions: {} jobs: ossf-scorecard: runs-on: ubuntu-latest permissions: - security-events: write - id-token: write + contents: read + security-events: write # is needed by github/codeql-action/upload-sarif to upload sarif files + id-token: write # is needed by ossf/scorecard-action to authenticate with OIDC steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: diff --git a/.github/workflows/pr-conventional-title.yml b/.github/workflows/pr-conventional-title.yml index 310bedf7..02633f72 100644 --- a/.github/workflows/pr-conventional-title.yml +++ b/.github/workflows/pr-conventional-title.yml @@ -14,8 +14,7 @@ jobs: validate-pr-title: runs-on: ubuntu-latest permissions: - # We need `pull-requests: write` to be able to post comments on PRs - pull-requests: write + pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments on PRs steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: diff --git a/.github/workflows/pr-image-cleanup.yml b/.github/workflows/pr-image-cleanup.yml index 1c770cb4..443e650d 100644 --- a/.github/workflows/pr-image-cleanup.yml +++ b/.github/workflows/pr-image-cleanup.yml 
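Review bot: Replacing `permissions: read-all` with `{}` plus a job-level `contents: read` in ossf-scorecard.yml silently drops `actions: read`, which the upstream scorecard-action workflow template lists together with `contents: read` as the pair to enable for private repositories; whether this repository is private cannot be told from the hunk, so either confirm it is public or add `actions: read # is needed by ossf/scorecard-action to read workflow runs` under the job. The new `contents: read` line is also the only key in this patch without a "who needs it" comment; `contents: read # is needed by actions/checkout and ossf/scorecard-action` would match the others.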
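Review bot: The new comment on `pull-requests: write` in pr-conventional-title.yml credits marocchino/sticky-pull-request-comment, but the first patch of this series replaced that action in the same file with `gh api` calls against the issue-comments endpoint; unless a later patch restored the action, the comment now names a consumer that is no longer in the workflow. Suggest `pull-requests: write # is needed by gh cli to create/update/delete the PR title comment`, and verify on a run that this scope alone is sufficient for the comments endpoint with `GITHUB_TOKEN`.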
@@ -11,7 +11,7 @@ jobs: delete-images: runs-on: ubuntu-latest permissions: - packages: write + packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete images steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: @@ -24,8 +24,7 @@ jobs: cleanup-cache: runs-on: ubuntu-latest permissions: - # actions: write permission is required to delete the cache - actions: write + actions: write # is needed to delete workflow run caches steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: diff --git a/.github/workflows/pr-report.yml b/.github/workflows/pr-report.yml index 839b6b53..0bf66155 100644 --- a/.github/workflows/pr-report.yml +++ b/.github/workflows/pr-report.yml @@ -11,10 +11,10 @@ jobs: add-pr-report: permissions: contents: read - checks: read - pull-requests: write - repository-projects: read - actions: read + checks: read # is needed by philips-software/pull-request-report-action to fetch check run information + pull-requests: write # is needed by philips-software/pull-request-report-action to post the report as a comment on the PR + repository-projects: read # is needed by philips-software/pull-request-report-action to fetch project information + actions: read # is needed by philips-software/pull-request-report-action to fetch workflow run information runs-on: ubuntu-latest steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 30c23ec8..db721b26 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml 
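Review bot: `actions: write # is needed to delete workflow run caches` on the `cleanup-cache` job is the only comment in this patch that does not name the consumer; every other key says which action or CLI uses the scope, which is what makes these comments useful when a step is later removed. If the deletion is done through `gh cache delete` or `gh api`, write `actions: write # is needed by gh cli to delete workflow run caches`; the step itself lies outside the hunk, so the consumer is inferred.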
@@ -9,12 +9,13 @@ on: concurrency: group: ${{ github.ref }}-${{ github.workflow }} -permissions: - contents: read +permissions: {} jobs: create-release: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: diff --git a/.github/workflows/release-published.yml b/.github/workflows/release-published.yml index 541cfc8d..c277859e 100644 --- a/.github/workflows/release-published.yml +++ b/.github/workflows/release-published.yml @@ -12,7 +12,7 @@ jobs: name: Comment on released PRs runs-on: ubuntu-latest permissions: - pull-requests: write + pull-requests: write # is needed by rdlf0/comment-released-prs-action to post comments on PRs steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index 961df017..269fd22f 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -15,7 +15,7 @@ jobs: matrix: flavor: ["cpp", "rust"] permissions: - security-events: write + security-events: write # is needed by github/codeql-action/upload-sarif to upload sarif files steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: From 615187b83ed32891b43dd2e3f5eae161dd24e3de Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Fri, 10 Oct 2025 12:25:01 +0000 Subject: [PATCH 16/22] chore: fix more zizmor findings --- .github/workflows/wc-acceptance-test.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/wc-acceptance-test.yml b/.github/workflows/wc-acceptance-test.yml index 6390a304..324cdf1f 100644 --- a/.github/workflows/wc-acceptance-test.yml +++ b/.github/workflows/wc-acceptance-test.yml 
@@ -41,17 +41,18 @@ jobs: run: | set -Eeuo pipefail - if [[ "${{ github.event_name }}" == "pull_request" ]]; then + if [[ "${EVENT_NAME}" == "pull_request" ]]; then gh secret set -a codespaces IMAGE_VERSION --body "pr-${{ github.event.pull_request.number }}" - elif [[ "${{ github.event_name }}" == "push" && "${{ startsWith(github.ref, 'refs/tags/') }}" == "true" ]]; then + elif [[ "${EVENT_NAME}" == "push" && "${{ startsWith(github.ref, 'refs/tags/') }}" == "true" ]]; then gh secret set -a codespaces IMAGE_VERSION --body "${GITHUB_REF#refs/tags/}" else gh secret set -a codespaces IMAGE_VERSION --body "edge" fi - echo CODESPACE_NAME="$(gh codespace create -R "${{ github.repository }}" -b "$HEAD_REF" -m basicLinux32gb --devcontainer-path ".devcontainer/${CONTAINER_FLAVOR}-test/devcontainer.json" --idle-timeout 10m --retention-period 1h)" >> "$GITHUB_ENV" + echo CODESPACE_NAME="$(gh codespace create -R "${GITHUB_REPOSITORY}" -b "${HEAD_REF}" -m basicLinux32gb --devcontainer-path ".devcontainer/${CONTAINER_FLAVOR}-test/devcontainer.json" --idle-timeout 10m --retention-period 1h)" >> "$GITHUB_ENV" env: CONTAINER_FLAVOR: ${{ inputs.flavor }} + EVENT_NAME: ${{ github.event_name }} GH_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }} HEAD_REF: ${{ github.head_ref }} - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 From 8e5a5dd037c06d3b0e8f8ef0140a78a88d160970 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Wed, 22 Oct 2025 19:42:51 +0200 Subject: [PATCH 17/22] Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Ron <45816308+rjaegers@users.noreply.github.com> --- .github/workflows/issue-creation-tool-versions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/issue-creation-tool-versions.yml b/.github/workflows/issue-creation-tool-versions.yml index c8184729..5d680d83 100644 
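Review bot: The script still embeds `${{ github.event.pull_request.number }}` and `${{ startsWith(github.ref, 'refs/tags/') }}` directly in `run:` after moving only `github.event_name` to `EVENT_NAME`; both expressions evaluate to a number or a boolean, so they are not injectable, but lifting them into `env:` the same way keeps the script free of template expressions and stops the scanner from flagging the step again. Separately, `gh secret set -a codespaces IMAGE_VERSION` writes one account-wide value that the later `gh codespace create` reads back, so two runs of this job in flight at once could each create a codespace with the other's image version; a `concurrency:` group on the job would serialise that if one is not already present (the job header is outside the hunk).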
--- a/.github/workflows/issue-creation-tool-versions.yml +++ b/.github/workflows/issue-creation-tool-versions.yml @@ -13,7 +13,7 @@ jobs: name: Create tool version evaluation issue runs-on: ubuntu-latest permissions: - issues: write # is by gh cli needed to create/close/pin/unpin issues + issues: write # is needed by gh cli to create/close/pin/unpin issues steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: From f0fbc353ab1690b0947f8acb2115edc73dc171ef Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Wed, 22 Oct 2025 17:51:07 +0000 Subject: [PATCH 18/22] ci: add cooldown to dependabot --- .github/dependabot.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index dcb79b06..867c18db 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -3,6 +3,8 @@ version: 2 updates: - package-ecosystem: github-actions + cooldown: + default-days: 7 directory: / schedule: interval: weekly @@ -14,16 +16,22 @@ updates: commit-message: prefix: "ci(deps)" - package-ecosystem: docker + cooldown: + default-days: 7 directories: - .devcontainer/cpp - .devcontainer/rust schedule: interval: weekly - package-ecosystem: devcontainers + cooldown: + default-days: 7 directory: / schedule: interval: weekly - package-ecosystem: npm + cooldown: + default-days: 7 directory: / schedule: interval: weekly @@ -35,6 +43,8 @@ updates: commit-message: prefix: "test(deps)" - package-ecosystem: pip + cooldown: + default-days: 7 directory: .devcontainer schedule: interval: weekly From 262644d1aa631500575ece9d05b4ed6b6764f077 Mon Sep 17 00:00:00 2001 
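Review bot: `cooldown: default-days: 7` is added to all five update entries in dependabot.yml, which for the `github-actions` ecosystem means a commit-pinned action bump now waits a week before a PR is opened; confirm whether this cooldown also delays Dependabot security updates in this repository, because if it does, the seven-day delay on fix delivery is a trade-off that should be stated next to the setting. A short comment above the first entry, e.g. `# Wait 7 days after a release before proposing it, so freshly published (possibly yanked or tampered) versions are not picked up immediately`, records the intent for whoever tunes it later. As far as I know Dependabot has no top-level cooldown key, so the per-entry repetition is unavoidable.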
From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Wed, 22 Oct 2025 18:08:02 +0000 Subject: [PATCH 19/22] ci: document permissions --- .github/workflows/linting-formatting.yml | 2 +- .github/workflows/release-build.yml | 3 +-- .github/workflows/update-dependencies.yml | 8 ++++---- .github/workflows/wc-build-push.yml | 2 +- .github/workflows/wc-dependency-review.yml | 2 +- 5 files changed, 8 insertions(+), 9 deletions(-) diff --git a/.github/workflows/linting-formatting.yml b/.github/workflows/linting-formatting.yml index 3040ce14..ae04d9f7 100644 --- a/.github/workflows/linting-formatting.yml +++ b/.github/workflows/linting-formatting.yml @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - actions: read + actions: read # is needed by zizmorcore/zizmor-action pull-requests: write # is needed by oxsecurity/megalinter and reviewdog/action-suggester to post PR comments security-events: write # is needed by oxsecurity/megalinter for uploading sarif files steps: diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index c6e83388..9c6a15b5 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -124,10 +124,9 @@ jobs: name: 📄 Upload Documents runs-on: ubuntu-latest permissions: - # `contents: write` is needed to modify a release. # Please note that this is an overly broad scope, but GitHub does not # currently provide a more fine-grained permission for release modification. - contents: write + contents: write # is needed to modify a release needs: [build-push-test] steps: - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml index 75b36424..e257028a 100644 --- a/.github/workflows/update-dependencies.yml +++ b/.github/workflows/update-dependencies.yml 
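Review bot: After dropping the first comment line, the permissions block of the `📄 Upload Documents` job in release-build.yml now opens with `# Please note that this is an overly broad scope`, and `this` has no antecedent until the reader reaches `contents: write` two lines further down; the same now-dangling pair of lines is produced by the two release-build hunks of patch 21 (`📝 Apply Release Template` and the cpp/rust matrix job). Suggest folding the three lines into one lead-in such as `# contents: write is an overly broad scope, but GitHub does not currently provide a more fine-grained permission for release modification.` followed by the key with its short `# is needed to modify a release` comment.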
@@ -19,8 +19,8 @@ jobs: # set-up correctly. container: ghcr.io/philips-software/amp-devcontainer-${{ matrix.flavor }}:edge permissions: - contents: write - pull-requests: write + contents: write # is needed by peter-evans/create-pull-request to create branches and push commits + pull-requests: write # is needed by peter-evans/create-pull-request to create a PR steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: @@ -53,8 +53,8 @@ jobs: flavor: ["cpp", "rust"] file: ["devcontainer-metadata.json", "devcontainer.json"] permissions: - contents: write - pull-requests: write + contents: write # is needed by peter-evans/create-pull-request to create branches and push commits + pull-requests: write # is needed by peter-evans/create-pull-request to create a PR steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml index bee6a44f..3c2fef64 100644 --- a/.github/workflows/wc-build-push.yml +++ b/.github/workflows/wc-build-push.yml @@ -65,7 +65,7 @@ jobs: needs: sanitize-image-name permissions: contents: read - packages: write + packages: write # is needed by docker/build-push-action to push images to GitHub Container Registry steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: diff --git a/.github/workflows/wc-dependency-review.yml b/.github/workflows/wc-dependency-review.yml index b3c49c2a..03bc2d3c 100644 --- a/.github/workflows/wc-dependency-review.yml +++ b/.github/workflows/wc-dependency-review.yml @@ -24,7 +24,7 @@ jobs: runs-on: ${{ fromJson(inputs.runner-labels) }} permissions: contents: read - pull-requests: write + pull-requests: write # is needed by actions/dependency-review-action to write PR summaries steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: 
From 89ed11dfe13410e1c75864ee06815ace2c67d4a4 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Fri, 24 Oct 2025 10:28:37 +0000 Subject: [PATCH 20/22] chore: fix more findings --- .github/workflows/continuous-integration.yml | 5 ++--- .github/workflows/wc-acceptance-test.yml | 3 ++- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index 4985568e..decbc125 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml @@ -27,7 +27,6 @@ jobs: permissions: actions: read attestations: write - checks: write contents: write id-token: write packages: write @@ -46,14 +45,14 @@ jobs: uses: ./.github/workflows/wc-dependency-review.yml permissions: contents: read - pull-requests: write + pull-requests: write # is needed by actions/dependency-review-action to write PR summaries publish-test-results: name: 📊 Publish Test Results runs-on: ubuntu-latest permissions: checks: write - pull-requests: write + pull-requests: write # is needed by EnricoMi/publish-unit-test-result-action to annotate PRs needs: build-push-test if: ${{ !cancelled() }} steps: diff --git a/.github/workflows/wc-acceptance-test.yml b/.github/workflows/wc-acceptance-test.yml index a87d3c8b..145ef0b1 100644 --- a/.github/workflows/wc-acceptance-test.yml +++ b/.github/workflows/wc-acceptance-test.yml @@ -49,7 +49,7 @@ jobs: set -Eeuo pipefail if [[ "${EVENT_NAME}" == "pull_request" ]]; then - gh secret set -a codespaces IMAGE_VERSION --body "pr-${{ github.event.pull_request.number }}" + gh secret set -a codespaces IMAGE_VERSION --body "pr-${PR_NUMBER}" elif [[ "${EVENT_NAME}" == "push" && "${{ startsWith(github.ref, 'refs/tags/') }}" == "true" ]]; then gh secret set -a codespaces IMAGE_VERSION --body "${GITHUB_REF#refs/tags/}" else 
@@ -62,6 +62,7 @@ jobs: EVENT_NAME: ${{ github.event_name }} GH_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }} HEAD_REF: ${{ github.head_ref }} + PR_NUMBER: ${{ github.event.pull_request.number }} - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: 24.8.0 From e098064f9c1c5ff43082459571937670c55b0450 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 27 Oct 2025 08:11:32 +0000 Subject: [PATCH 21/22] chore: document all permissions --- .github/workflows/continuous-integration.yml | 14 +++++++------- .github/workflows/release-build.yml | 19 ++++++++----------- .github/workflows/wc-build-push-test.yml | 12 ++++++------ .github/workflows/wc-build-push.yml | 16 +++++++--------- 4 files changed, 28 insertions(+), 33 deletions(-) diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index decbc125..37aaf595 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml 
@@ -25,12 +25,12 @@ jobs: TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }} TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }} permissions: - actions: read - attestations: write - contents: write - id-token: write - packages: write - pull-requests: write + actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets + attestations: write # is needed by actions/attest-build-provenance to push attestations + contents: write # is needed by anchore/sbom-action for artifact uploads + id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token + packages: write # is needed to push image manifest when using GitHub Container Registry + pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments with: devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile @@ -51,7 +51,7 @@ jobs: name: 📊 Publish Test Results runs-on: ubuntu-latest permissions: - checks: write + checks: write # is needed by EnricoMi/publish-unit-test-result-action to add a check run with test results pull-requests: write # is needed by EnricoMi/publish-unit-test-result-action to annotate PRs needs: build-push-test if: ${{ !cancelled() }} diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index ace44a4e..00f1eab2 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml 
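Review bot: The six permission comments added to the `build-push-test` caller here are duplicated verbatim into the callers in release-build.yml and wc-build-push-test.yml and into wc-build-push.yml itself later in this patch; for a `uses: ./.github/workflows/...` job the caller's `permissions:` only caps what the reusable workflow may use, so the actions named (anchore/sbom-action, actions/attest-build-provenance, marocchino/sticky-pull-request-comment) are consumed in wc-build-push.yml, not in this file. Documenting the reasons once in wc-build-push.yml and writing e.g. `# scopes are consumed by wc-build-push.yml; see the comments there` on each caller would keep the four copies from drifting. `actions: read # ... when attaching release assets` in a continuous-integration workflow that, if I read the file right, never attaches release assets is the first sign of that drift.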
@@ -27,13 +27,12 @@ jobs: TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }} TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }} permissions: - actions: read - attestations: write - checks: write - contents: write - id-token: write - packages: write - pull-requests: write + actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets + attestations: write # is needed by actions/attest-build-provenance to push attestations + contents: write # is needed by anchore/sbom-action for artifact uploads + id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token + packages: write # is needed to push image manifest when using GitHub Container Registry + pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments with: devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile @@ -45,10 +44,9 @@ jobs: name: 📝 Apply Release Template runs-on: ubuntu-latest permissions: - # `contents: write` is needed to modify a release. # Please note that this is an overly broad scope, but GitHub does not # currently provide a more fine-grained permission for release modification. - contents: write + contents: write # is needed to modify a release steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: @@ -75,10 +73,9 @@ jobs: flavor: [cpp, rust] runs-on: ubuntu-latest permissions: - # `contents: write` is needed to modify a release. # Please note that this is an overly broad scope, but GitHub does not # currently provide a more fine-grained permission for release modification. - contents: write + contents: write # is needed to modify a release needs: [build-push-test, apply-release-notes-template] env: CONTAINER_FLAVOR: ${{ matrix.flavor }} 
diff --git a/.github/workflows/wc-build-push-test.yml b/.github/workflows/wc-build-push-test.yml index df501abd..d85953b2 100644 --- a/.github/workflows/wc-build-push-test.yml +++ b/.github/workflows/wc-build-push-test.yml @@ -91,12 +91,12 @@ jobs: name: 🛠️ uses: ./.github/workflows/wc-build-push.yml permissions: - actions: read - attestations: write - contents: write - id-token: write - packages: write - pull-requests: write + actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets + attestations: write # is needed by actions/attest-build-provenance to push attestations + contents: write # is needed by anchore/sbom-action for artifact uploads + id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token + packages: write # is needed to push image manifest when using GitHub Container Registry + pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments secrets: DOCKER_REGISTRY_USERNAME: ${{ secrets.DOCKER_REGISTRY_USERNAME }} DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }} diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml index 3c2fef64..7ccd5b80 100644 --- a/.github/workflows/wc-build-push.yml +++ b/.github/workflows/wc-build-push.yml @@ -65,7 +65,7 @@ jobs: needs: sanitize-image-name permissions: contents: read - packages: write # is needed by docker/build-push-action to push images to GitHub Container Registry + packages: write # is needed by docker/build-push-action to push images when using GitHub Container Registry steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: 
@@ -142,14 +142,12 @@ jobs: - build-push - sanitize-image-name permissions: - actions: read - attestations: write - # dependency-submission needs contents write permission. - contents: write - # attest-build-provenance needs id-token write permission. - id-token: write - packages: write - pull-requests: write + actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets + attestations: write # is needed by actions/attest-build-provenance to push attestations + contents: write # is needed by anchore/sbom-action for artifact uploads + id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token + packages: write # is needed to push image manifest when using GitHub Container Registry + pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments outputs: digest: ${{ steps.inspect-manifest.outputs.digest }} steps: From 87e46a654b2bf84c7c7736c15df5f4401cb2daaf Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Mon, 27 Oct 2025 09:09:46 +0000 Subject: [PATCH 22/22] chore: fix template injection possibility --- .github/workflows/wc-acceptance-test.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/wc-acceptance-test.yml b/.github/workflows/wc-acceptance-test.yml index 145ef0b1..5324bcbc 100644 --- a/.github/workflows/wc-acceptance-test.yml +++ b/.github/workflows/wc-acceptance-test.yml @@ -50,7 +50,7 @@ jobs: if [[ "${EVENT_NAME}" == "pull_request" ]]; then gh secret set -a codespaces IMAGE_VERSION --body "pr-${PR_NUMBER}" - elif [[ "${EVENT_NAME}" == "push" && "${{ startsWith(github.ref, 'refs/tags/') }}" == "true" ]]; then + elif [[ "${EVENT_NAME}" == "push" && "${REF_STARTS_WITH_TAG}" == "true" ]]; then gh secret set -a codespaces IMAGE_VERSION --body "${GITHUB_REF#refs/tags/}" else gh secret set -a codespaces IMAGE_VERSION --body "edge" 
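Review bot: The removed comment recorded that `contents: write` exists for the dependency-submission step, while the replacement attributes it to anchore/sbom-action "for artifact uploads"; uploading workflow artifacts does not require `contents: write`, so the new wording gives a reason that does not justify the scope. If the job still submits a dependency snapshot or attaches release assets, name that explicitly, e.g. `contents: write # is needed by anchore/sbom-action to submit the dependency snapshot and upload release assets`, and correct the same sentence in the three callers that copy it (continuous-integration, release-build, wc-build-push-test). `packages: write # is needed to push image manifest when using GitHub Container Registry` likewise omits the step that pushes the manifest, unlike the other comments in this block.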
@@ -58,6 +58,7 @@ jobs: echo CODESPACE_NAME="$(gh codespace create -R "${GITHUB_REPOSITORY}" -b "${HEAD_REF}" -m basicLinux32gb --devcontainer-path "${DEVCONTAINER_FILE}" --idle-timeout 10m --retention-period 1h)" >> "$GITHUB_ENV" env: + REF_STARTS_WITH_TAG: ${{ startsWith(github.ref, 'refs/tags/') }} DEVCONTAINER_FILE: ${{ inputs.devcontainer-file }} EVENT_NAME: ${{ github.event_name }} GH_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}