Align CI workflows with images-workbench

.github/actionlint.yaml

@@ -0,0 +1,4 @@
+self-hosted-runner:
+  labels:
+    - ubuntu-latest-4x
+    - ubuntu-latest-8x

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directories:
+      - "/"
+      - "/.github/actions/*"
+    schedule:
+      interval: "weekly"
+    groups:
+      actions:
+        patterns:
+          - "*"

.github/workflows/pr.yml

@@ -0,0 +1,63 @@
+name: Pull Request
+on:
+  pull_request:
+
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  ci:
+    name: CI
+    if: always()
+    runs-on: ubuntu-latest
+    permissions: {}
+    timeout-minutes: 10
+    needs:
+      - lint
+      - production
+      - zizmor
+    steps:
+      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe  # v1.2.2
+        with:
+          jobs: ${{ toJSON(needs) }}
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+        with:
+          python-version: "3.x"
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd  # v3.0.1
+        env:
+          SKIP: no-commit-to-branch
+
+  production:
+    name: Production
+    permissions:
+      contents: read
+      packages: write
+    uses: posit-dev/images-shared/.github/workflows/bakery-build-pr.yml@main
+    with:
+      dev-versions: "exclude"
+      matrix-versions: "exclude"
+
+  zizmor:
+    name: Zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e  # v0.5.3

.github/workflows/production.yml

@@ -1,31 +1,20 @@
 name: Production
 on:
+  workflow_dispatch:
+
   schedule:
     # Weekly rebuild of all images, to pick up any upstream changes.
     - cron: "15 3 * * 0" # At 03:15 on Sunday
 
-  pull_request:
-
   push:
     branches:
       - main
 
+
 concurrency:
-  # Only cancel in-progress runs for pull_request events, this prevents cancelling workflows against main or tags
-  # A pull_request will reuse the same group thus enabling cancelation, all others receive a unique run_id
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
 
-defaults:
-  run:
-    shell: bash
-
-# Security policy: No ${{ }} expressions in `run:` blocks.
-# All expression values are assigned to `env:` and referenced as
-# shell variables. This prevents script injection from runtime values
-# (matrix outputs, secrets) and keeps the rule enforceable by zizmor
-# without per-expression exceptions.
-
 jobs:
   ci:
     name: CI
@@ -36,14 +25,22 @@ jobs:
     if: always()
 
     runs-on: ubuntu-latest
+    permissions: {}
     timeout-minutes: 10
     needs:
       - build
 
     steps:
-      - uses: re-actors/alls-green@release/v1
+      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe  # v1.2.2
+        id: alls-green
         with:
           jobs: ${{ toJSON(needs) }}
+      - if: always() && github.ref == 'refs/heads/main'
+        continue-on-error: true
+        uses: posit-dev/images-shared/.github/actions/slack-build-notify@main
+        with:
+          result: ${{ steps.alls-green.outcome }}
+          slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
 
   matrix:
     name: Image Matrix
@@ -66,7 +63,7 @@ jobs:
           DEV_VERSIONS: "exclude"
           MATRIX_VERSIONS: "exclude"
         run: |
-          echo "matrix=$(bakery ci matrix --quiet --dev-versions "$DEV_VERSIONS" --matrix-versions "$MATRIX_VERSIONS" | jq --compact-output .)" >> $GITHUB_OUTPUT
+          echo "matrix=$(bakery ci matrix --quiet --dev-versions "$DEV_VERSIONS" --matrix-versions "$MATRIX_VERSIONS" | jq --compact-output .)" >> "$GITHUB_OUTPUT"
 
   build:
     name: "${{ matrix.img.image }}:${{ matrix.img.version }}"
@@ -103,14 +100,14 @@ jobs:
 
       - name: Authenticate to GCP
         id: gcp-auth
-        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'schedule' }}
+        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main' }}
         uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093  # v3.0.0
         with:
           workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
           service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 
       - name: Configure Docker for GCP Artifact Registry
-        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'schedule' }}
+        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main' }}
         run: |
           gcloud auth configure-docker us-central1-docker.pkg.dev,us-docker.pkg.dev,europe-docker.pkg.dev,asia-docker.pkg.dev --quiet
 
@@ -151,7 +148,7 @@ jobs:
 
       - name: Push
         # Push images only for merges into main and weekly scheduled re-builds.
-        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'schedule' }}
+        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main' }}
         env:
           GIT_SHA: ${{ github.sha }}
           IMAGE_NAME: ${{ matrix.img.image }}

.github/zizmor.yml

@@ -0,0 +1,8 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        # Shared workflows and composite actions from images-shared
+        # are kept at @main intentionally.
+        "posit-dev/images-shared/*": ref-pin
+        "*": hash-pin

.pre-commit-config.yaml

@@ -0,0 +1,37 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+    -   id: check-added-large-files
+    -   id: check-case-conflict
+    -   id: check-executables-have-shebangs
+        exclude: "^.*\\.sh\\.jinja2$"
+    -   id: check-json
+    -   id: check-merge-conflict
+    -   id: check-shebang-scripts-are-executable
+    -   id: check-yaml
+        exclude: "^.*goss.yaml$"
+    -   id: detect-aws-credentials
+        args: [--allow-missing-credentials]
+    -   id: detect-private-key
+    -   id: end-of-file-fixer
+    -   id: fix-byte-order-marker
+    -   id: mixed-line-ending
+    -   id: no-commit-to-branch
+        args: [--branch, main]
+    -   id: pretty-format-json
+        exclude: "^\\.claude/settings\\.json$"
+        args: ["--autofix", "--indent", "2"]
+    -   id: trailing-whitespace
+-   repo: https://github.com/koalaman/shellcheck-precommit
+    rev: v0.11.0
+    hooks:
+    -   id: shellcheck
+        args: ["-s", "bash"]
+        exclude: "wait-for-it\\.sh$"
+-   repo: https://github.com/rhysd/actionlint
+    rev: v1.7.12
+    hooks:
+    -   id: actionlint

bakery.yaml

@@ -73,7 +73,7 @@ images:
           - dependency: python
             version: 3.14.4
   - name: workbench-for-microsoft-azure-ml
-    description: A professional integrated development environment for data 
+    description: A professional integrated development environment for data
       science teams using R and Python on Azure ML
     documentationUrl: https://posit.co/solutions/azure-ml
     dependencyConstraints:

workbench-for-google-cloud-workstations/2026.04/conf/jupyter/jupyter_notebook_config.json

@@ -1,15 +1,19 @@
 {
   "NotebookApp": {
-    "nbserver_extensions":{
+    "nbserver_extensions": {
       "rsconnect_jupyter": true
     },
     "terminado_settings": {
-      "shell_command": ["/bin/bash"]
+      "shell_command": [
+        "/bin/bash"
+      ]
     }
   },
   "ServerApp": {
     "terminado_settings": {
-      "shell_command": ["/bin/bash"]
+      "shell_command": [
+        "/bin/bash"
+      ]
     }
   }
-}
+}

workbench-for-google-cloud-workstations/2026.04/conf/rstudio/nginx.site.conf

@@ -1 +1 @@
-proxy_set_header X-CUSTOM-USER-NAME user/google;
+proxy_set_header X-CUSTOM-USER-NAME user/google;

workbench-for-google-cloud-workstations/2026.04/conf/rstudio/positron-user-settings.json

@@ -1,6 +1,6 @@
 {
-  "terminal.integrated.defaultProfile.linux": "bash",
-  "extensions.autoUpdate": false,
   "extensions.autoCheckUpdates": false,
-  "quarto.path": "/usr/lib/rstudio-server/bin/quarto/bin/quarto"
+  "extensions.autoUpdate": false,
+  "quarto.path": "/usr/lib/rstudio-server/bin/quarto/bin/quarto",
+  "terminal.integrated.defaultProfile.linux": "bash"
 }

workbench-for-google-cloud-workstations/2026.04/conf/rstudio/vscode-user-settings.json

@@ -1,5 +1,5 @@
 {
-      "terminal.integrated.defaultProfile.linux": "bash",
-      "extensions.autoUpdate": false,
-      "extensions.autoCheckUpdates": false
+  "extensions.autoCheckUpdates": false,
+  "extensions.autoUpdate": false,
+  "terminal.integrated.defaultProfile.linux": "bash"
 }

workbench-for-google-cloud-workstations/2026.04/deps/python_requirements.txt

@@ -1,4 +1,4 @@
 numpy
 scipy
 pandas
-matplotlib
+matplotlib

workbench-for-google-cloud-workstations/2026.04/scripts/startup.sh

@@ -15,17 +15,17 @@ deactivate() {
     echo "== Exiting =="
     rstudio-server stop
     echo "Deactivating license ..."
-    ${LICENSE_MANAGER_PATH}/license-manager deactivate >/dev/null 2>&1
+    "${LICENSE_MANAGER_PATH}"/license-manager deactivate >/dev/null 2>&1
 
     echo "== Done =="
 }
 trap deactivate EXIT
 
 verify_installation(){
    echo "==VERIFY INSTALLATION==";
-   mkdir -p $DIAGNOSTIC_DIR
-   chmod 777 $DIAGNOSTIC_DIR
-   rstudio-server verify-installation --verify-user=$RSW_TESTUSER | tee $DIAGNOSTIC_DIR/verify.log
+   mkdir -p "$DIAGNOSTIC_DIR"
+   chmod 777 "$DIAGNOSTIC_DIR"
+   rstudio-server verify-installation --verify-user="$RSW_TESTUSER" | tee "$DIAGNOSTIC_DIR"/verify.log
 }
 
 # Support RSP_ or RSW_ prefix
@@ -35,9 +35,9 @@ RSP_LICENSE_SERVER=${RSP_LICENSE_SERVER:-${RSW_LICENSE_SERVER}}
 # Activate License
 RSW_LICENSE_FILE_PATH=${RSW_LICENSE_FILE_PATH:-${RSP_LICENSE_FILE_PATH:-/etc/rstudio-server/license.lic}}
 if [ -n "$RSP_LICENSE" ]; then
-    ${LICENSE_MANAGER_PATH}/license-manager activate $RSP_LICENSE || true
+    "${LICENSE_MANAGER_PATH}"/license-manager activate "$RSP_LICENSE" || true
 elif [ -n "$RSP_LICENSE_SERVER" ]; then
-    ${LICENSE_MANAGER_PATH}/license-manager license-server $RSP_LICENSE_SERVER || true
+    "${LICENSE_MANAGER_PATH}"/license-manager license-server "$RSP_LICENSE_SERVER" || true
 elif test -f "${RSW_LICENSE_FILE_PATH}"; then
     rm -f /var/lib/rstudio-server/*.lic
     cp "${RSW_LICENSE_FILE_PATH}" /var/lib/rstudio-server/license.lic
@@ -58,14 +58,14 @@ unset RSW_LICENSE_FILE_PATH
 # Start Launcher
 if [ "$RSW_LAUNCHER" == "true" ]; then
   echo "Waiting for launcher to startup... to disable set RSW_LAUNCHER=false"
-  wait-for-it.sh localhost:5559 -t $RSW_LAUNCHER_TIMEOUT
+  wait-for-it.sh localhost:5559 -t "$RSW_LAUNCHER_TIMEOUT"
 fi
 
 # Check diagnostic configurations
 if [ "$DIAGNOSTIC_ENABLE" == "true" ]; then
   verify_installation
   if [ "$DIAGNOSTIC_ONLY" == "true" ]; then
-    echo $(<$DIAGNOSTIC_DIR/verify.log);
+    cat "$DIAGNOSTIC_DIR"/verify.log;
     echo "Exiting script because DIAGNOSTIC_ONLY=${DIAGNOSTIC_ONLY}";
     exit 0
   fi;

workbench-for-google-cloud-workstations/2026.04/test/goss.yaml

@@ -11,11 +11,11 @@ package:
     installed: true
     versions:
     - 2026.04.0+526.pro2
-  
+
   r-4.6.0:
     installed: true
     skip: {{ if eq .Env.IMAGE_VARIANT "Minimal" }}true{{ else }}false{{ end }}
-  
+
   rstudio-drivers:
     installed: true
     skip: {{ if eq .Env.IMAGE_VARIANT "Minimal" }}true{{ else }}false{{ end }}
@@ -43,15 +43,15 @@ file:
     exists: false
   /usr/lib/rstudio-server:
     exists: true
-  
+
   /opt/R/4.6.0/bin/R:
     exists: {{ if eq .Env.IMAGE_VARIANT "Standard" }}true{{ else }}false{{ end }}
     filetype: file
-  
-  
+
+
   /opt/python/3.14.4/bin/python:
     exists: {{ if eq .Env.IMAGE_VARIANT "Standard" }}true{{ else }}false{{ end }}
-  
+
   /opt/python/jupyter/bin/python:
     exists: {{ if eq .Env.IMAGE_VARIANT "Standard" }}true{{ else }}false{{ end }}
     filetype: symlink

workbench-for-google-cloud-workstations/template/conf/jupyter/jupyter_notebook_config.json

@@ -1,15 +1,19 @@
 {
   "NotebookApp": {
-    "nbserver_extensions":{
+    "nbserver_extensions": {
       "rsconnect_jupyter": true
     },
     "terminado_settings": {
-      "shell_command": ["/bin/bash"]
+      "shell_command": [
+        "/bin/bash"
+      ]
     }
   },
   "ServerApp": {
     "terminado_settings": {
-      "shell_command": ["/bin/bash"]
+      "shell_command": [
+        "/bin/bash"
+      ]
     }
   }
-}
+}