ci: sync canonical workflow fixes from tazama-lf/workflows#75

Merged
Sandy-at-Tazama merged 1 commit into dev from fix/sync-canonical-workflows
Apr 6, 2026

Conversation

@Justus-at-Tazama Justus-at-Tazama commented Apr 6, 2026

Replicates all org-neutral bug fixes from tazama-lf/workflows to frmscoe/workflows.

Changes

gpg-verify.yml (security + logic fixes):

  • Pass PR refs via env: block to prevent expression injection
  • Use printf instead of echo for safe GITHUB_ENV writes
  • Fix inverted git log range (was BASE..HEAD backwards)
  • Add exit 1 + error message on failed GPG verification

scorecard.yml:

  • Remove dev from push.branches (ossf/scorecard-action only supports the default branch)

release.yml:

  • Upgrade actions/checkout from v2 to v4
  • Replace deprecated set-output with GITHUB_OUTPUT
  • Heredoc syntax for multi-line outputs
  • Add continue-on-error: true to Get Latest Release step
  • Fix Slack notification to use env var not inline secret expression

dco-check.yml, milestone.yml: minor canonical updates

workflow-docs: updated to match current workflow behaviour

Not changed: sync-workflows.yml, publish.yml, release-train.yml (have intentional org-specific differences)

Replicate all bug fixes and improvements from tazama-lf/workflows
that apply to org-neutral workflow files:

gpg-verify.yml:
- Pass PR_HEAD_REF, PR_BASE_REF, GH_TOKEN, GH_REPO via env: block to
  prevent injection from github.event.pull_request.head.ref
- Use printf instead of echo to safely write to GITHUB_ENV
- Fix inverted git log range (was HEAD..BASE, now BASE..HEAD)
- Add exit 1 + error message on failed GPG verification

scorecard.yml:
- Remove dev from push.branches trigger (ossf/scorecard-action only
  supports the default branch regardless of publish_results)

release.yml:
- Upgrade actions/checkout from v2 to v4
- Replace deprecated set-output with GITHUB_OUTPUT
- Use heredoc syntax for multi-line outputs (changelog_contents,
  milestone_description)
- Add continue-on-error: true to Get Latest Release step
- Fix Slack notification to use SLACK_WEBHOOK_URL env var (not secret
  inline) and reference step output instead of env var

dco-check.yml, milestone.yml:
- Minor canonical updates from central workflow source

workflow-docs: update all five docs to match current workflow behaviour
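The safe-write pattern the description refers to (printf rather than echo for GITHUB_ENV writes, the heredoc form for multi-line outputs, untrusted refs arriving through an env: block) as an added shell example; this is not code from frmscoe/workflows or tazama-lf/workflows, and the helper names, the GHA_EOF delimiter and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not code from frmscoe/workflows: helpers that mirror the
# "printf instead of echo" and heredoc patterns the PR description mentions.
# The file argument stands in for "$GITHUB_ENV" or "$GITHUB_OUTPUT"; the
# names and values used here are constructed samples.
#
# In a workflow the untrusted value reaches the script through an env: block
# rather than an inline ${{ }} expression, e.g.
#   env:
#     PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
#   run: write_single "$GITHUB_ENV" PR_HEAD_REF "$PR_HEAD_REF"

nl='
'

# Reject anything that is not a plain identifier (no spaces, no leading digit).
valid_name() {
  case $1 in
    ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
  esac
  return 0
}

# Append NAME=VALUE to $1. printf '%s' writes the value literally, whereas
# echo would treat a value like "-n" or "-e" as an option in many shells.
# A value containing a newline would smuggle in an extra NAME=VALUE line,
# so it is refused here (use write_multi for multi-line values).
write_single() {
  file=$1 name=$2 value=$3
  valid_name "$name" || return 1
  case $value in *"$nl"*) return 1 ;; esac
  printf '%s=%s\n' "$name" "$value" >> "$file"
}

# Append a multi-line value in the runner's heredoc form:
#   NAME<<DELIM / lines... / DELIM
# A value that contains the delimiter would close the block early and let
# the remainder be parsed as new assignments, so such values are refused.
write_multi() {
  file=$1 name=$2 value=$3 delim=${4:-GHA_EOF}
  valid_name "$name" || return 1
  case $value in *"$delim"*) return 1 ;; esac
  printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "$file"
}
```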
@github-actions github-actions Bot added the ci/cd label Apr 6, 2026
@Sandy-at-Tazama Sandy-at-Tazama self-requested a review April 6, 2026 18:44
@Sandy-at-Tazama Sandy-at-Tazama merged commit 9ee34c6 into dev Apr 6, 2026
2 checks passed
@Sandy-at-Tazama Sandy-at-Tazama deleted the fix/sync-canonical-workflows branch April 6, 2026 18:45
@github-actions github-actions Bot added ci/cd and removed ci/cd labels Apr 6, 2026
Justus-at-Tazama added a commit that referenced this pull request Apr 8, 2026
Applies all changes from tazama-lf/workflows PR #76 (workflow audit fixes - batch 1)
to frmscoe/workflows. Changes are synced verbatim from the canonical source.

- fix(njsscan): fix SARIF upload guard, category, upgrade upload-sarif v4 (#68)
- fix(gpg-verify): make curl error handler reachable under bash -e (#69)
- fix(dco-check, gpg-verify): replace mutable branch refs with immutable SHAs (#70)
- fix(package-rule): add ref guard to prevent push from non-canonical branches (#71)
- fix(gpg-verify): rename workflow to Signature Verify, update header comment (#72)
- fix(package-rule): pass GH_TOKEN to docker build via BuildKit secret (#73)
- fix(sbom): pass GH_TOKEN to docker build via BuildKit secret (#74)
- fix(dockerfile-linter): skip hadolint and upload when no Dockerfile present (#75)
- fix(dockerfile-linter, sbom): address CodeRabbit review findings

Signed-off-by: Justus-at-Tazama <jortlepp@contractor.linuxfoundation.org>