
Release tweaks #690

Merged: rkistner merged 5 commits into main from fix-release-ref-injection, Jun 25, 2026

@rkistner (Contributor) commented Jun 25, 2026

These are minor tweaks to the release workflow:

  1. Prevent command injection using github ref. The workflow is fairly safe since only approved users can run it, but it's better to do this properly.
  2. Remove the stevenontong/${{vars.DOCKER_REGISTRY}}:cache cache in test builds - this cache did not work anyway, and I'm restricting the access of the default dockerhub user now.
  3. Run dev images in the dockerhub environment, same as the next and stable releases.
  4. For dev releases, add a check to ensure we don't accidentally publish a "stable" tag if there are no changesets.

This allows us to use separate users for dockerhub:

  1. A read-only user for normal actions - only using an authenticated user here to avoid dockerhub rate limits.
  2. A privileged user in the dockerhub environment. This is only used when we need to push to dockerhub, and these workflows now require an additional approval step.
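
Added example, not part of this PR or the project's workflows: item 1 above concerns ref expressions such as `${{ github.ref_name }}`, which GitHub Actions substitutes into a `run:` script before the shell parses it, so the ref text becomes part of the command. The check below flags that pattern and accepts the form where the ref is passed through `env:`; both workflow snippets, the step names and `REF_NAME` are constructed for illustration.

```python
import re

# Expressions that expand to a branch/tag name, which the pusher chooses.
REF_EXPR = re.compile(r"\$\{\{\s*github\.(?:ref_name|head_ref|ref)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_ref_injection(workflow_text):
    """Return (line_no, expression) for each ref expression inside a run: script."""
    findings = []
    block_indent = None  # column of the `run:` key while inside its block scalar
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if block_indent is not None:
            if stripped and indent <= block_indent:
                block_indent = None  # dedent: the script block has ended
            else:
                findings += [(no, m.group(0)) for m in REF_EXPR.finditer(line)]
                continue
        key = RUN_KEY.match(line)
        if key is None:
            continue
        if key.group(2).startswith(("|", ">")):
            block_indent = len(key.group(1))
        else:  # single-line script: `run: some command`
            findings += [(no, m.group(0)) for m in REF_EXPR.finditer(key.group(2))]
    return findings

# Constructed sample: the ref is pasted into the script text before the shell runs.
WEAK = """\
steps:
  - name: Tag image
    run: |
      echo "Releasing ${{ github.ref_name }}"
      docker tag app "app:${{ github.ref_name }}"
"""

# Constructed sample: the ref reaches the shell only as an environment variable.
FIXED = """\
steps:
  - name: Tag image
    env:
      REF_NAME: ${{ github.ref_name }}
    run: |
      echo "Releasing $REF_NAME"
      docker tag app "app:$REF_NAME"
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("fixed", FIXED)):
        print(name, find_ref_injection(text))
```

The scan is line-based and only understands `run:` keys with inline or block-scalar scripts; it is a review aid, not a YAML parser.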

@rkistner rkistner requested a review from stevensJourney June 25, 2026 12:45

changeset-bot Bot commented Jun 25, 2026


⚠️ No Changeset found

Latest commit: ad1bf8f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


Comment thread .github/workflows/test.yml
stevensJourney previously approved these changes Jun 25, 2026
@rkistner (Contributor, Author)

@stevensJourney I added a check to ensure the docker-dev workflow doesn't publish a stable version if there are no changesets. The "This branch had an error being deployed" is expected - that's this check in action.

@stevensJourney (Collaborator)

Nice! The new changes look good to me :D

@rkistner rkistner merged commit 4091088 into main Jun 25, 2026
46 of 47 checks passed
@rkistner rkistner deleted the fix-release-ref-injection branch June 25, 2026 13:36