Skip to content

GHA: misc maintenance #94

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 64 commits into
base: main
Choose a base branch
from
Draft

GHA: misc maintenance #94

wants to merge 64 commits into from

Conversation

@vszakats
Copy link
Member

@vszakats vszakats commented Oct 23, 2025
edited
Loading

  • add zizmor in pedantic mode.
  • add comment saying why we need package: write perms.
  • avoid GHA macros in shell commands. Pass them as envs instead.
  • build_master_dev: delete duplicate steps saving cosign keys.
  • build*: delete steps extracting cosign.pub.
    The file is in the git repo root.
  • add typos-cli spellcheck job.
  • set/adjust concurrency.
  • prefer secrets.GITHUB_TOKEN over github.token.
    To match other curl repos and highlight its a secret.
  • fix typos found.
  • fix some issues reported by yamllint.
  • 01-design.md: replace UTF-8 line-drawing chars with ASCII-7.
  • fixup whitespace.
  • replace grype and trivy curl-to-shell installers with Linuxbrew installs.
  • pass secrets to podman and docker via stdin, also to avoid docker
    message: 
    WARNING! Using --password via the CLI is insecure. Use --password-stdin.
  • drop interim envs when passing creds to redhat-actions/podman-login.
    Tested OK via build_ci_multi_images.
  • build_ci_multi_images:
    • make it work in PRs, without secrets.
    • split login tests into their own workflow.
    • add login test for ghcr.io.
    • add login test for ghcr.io without redhat-actions/podman-login.
    • drop empty build matrix.
  • [WIP vv below]
  • install first, then checkout source.

TODO: podman --version, docker --version

@vszakats vszakats force-pushed the ciu branch 2 times, most recently from 86afc26 to 6d4a51d Compare October 23, 2025 16:46
@vszakats vszakats marked this pull request as draft October 23, 2025 21:09
vszakats added 26 commits November 2, 2025 17:33
@vszakats
add zizmor
83319c2
@vszakats
fixup EOLs at EOF
7f79fee
@vszakats
say why we need packages: write permissions
a0655fc
@vszakats
avoid GH macros in shell code
1fc9167
@vszakats
avoid GH macros in shell code 2
6a4989e
@vszakats
build_master_dev.yml drop redundant cosign privkey save step
bddbe79
@vszakats
avoid GH macros in shell code 3
5a3439a
@vszakats
build_master_dev.yml drop redundant cosign pubkey save step
e1f9f82
@vszakats
add spellchecker: typos
1dad046
@vszakats
fix typos
329aa99
@vszakats
fix some issues reported by yamllint
ae51d6e
@vszakats
fix some issues reported by yamllint 2
e2ce196
@vszakats
fix some issues reported by yamllint 3
8e83308
@vszakats
whitespace
ca20822
@vszakats
whitespace 2
a612a78
@vszakats
drop cosign.pub steps, the pubkey is in the git repo root
59476a0
@vszakats
01-design.md: replace UTF-8 line-drawing chars with ASCII-7
5e51edc
@vszakats
checksrc.yml cleanup
a1ec89f
@vszakats
try using grype and trivy from Linuxbrew
1523e3b
@vszakats
make GHA macro formatting consistent
e82cbc8
@vszakats
make GHA macro formatting consistent 2
2bde59a
@vszakats
make CI jobs testable without docker hub/quay login creds
4d9c27e
@vszakats
try something
f26fdd8 
https://docs.github.com/en/actions/reference/workflows-and-actions/contexts#github-context
@vszakats
cleanup
fd57f87
@vszakats
cleanup-2
a12b36e
@vszakats
build_ci_multi.yml: split logins to separate workflow to verify them,…
e868b6a 
… without running anything else there

Also drop perms, and global secrets, that were not used.
vszakats added 29 commits November 2, 2025 17:33
@vszakats
try without podman-login action fixup
c821490
@vszakats
try simplify podman-login init
2cde6a7
@vszakats
pass secret via stdin in all jobs
563e400
@vszakats
drop interim envs in redhat-actions/podman-login actions
4c1826f
@vszakats
cleanup
760bad4
@vszakats
use secrets.GITHUB_TOKEN for consistency with other repos
35ae939 
Also to highlight it's a secret.
@vszakats
GHA: set/adjust concurrency
fae059d
@vszakats
ghcr: try logging in as repo owner instead of PR actor
2aca58f
@vszakats
replace ghcr user with curl (repo owner) (was: actor)
6ff79bb 
This should only make a (small) difference for PRs.
@vszakats
Revert "replace ghcr user with curl (repo owner) (was: actor)"
1827806 
This reverts commit 4bba648.
@vszakats
cleanups
a29fdf8
@vszakats
cleanups
331e5e3
@vszakats
try failed login
3bd4389
@vszakats
cleanup
d78be6d 
wrong password fails as expected.
@vszakats
simplify direct ghcr.io
05b302e
@vszakats
try applyinh curl apt-get tricks
bbb7b41
@vszakats
sync up two outlier "verify key" step names
6fb9f6f
@vszakats
GHA move step name: first when not there
ef89f08
@vszakats
GHA: drop step name from actions/checkout steps
24631f5
@vszakats
GHA: sync up yaml strings to use single-quotes
476f950
@vszakats
GHA: single-quote name: where missing
b963ae0
@vszakats
GHA: drop name: capitalization where missing
9792078
@vszakats
GHA: sync wording for some name:s
dd470c1
@vszakats
GHA: sync imperative name:
c2cbca0
@vszakats
drop duplicate cosign install step
5d40de3
@vszakats
GHA: yaml: move env: before run: where not there
24bec48
@vszakats
redhat-actions/podman-login upside/downside
55a020f
@vszakats
redhat-actions/podman-login upside/downside updated
d2cd502 
https://github.com/redhat-actions/podman-login/issues/ -> 36
@vszakats
try a little build speed optimization
f5ea1cc
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vszakats