
ci: sync canonical workflows from tazama-lf and overhaul sync-workflows.yml#76

Merged: Justus-at-Tazama merged 2 commits into dev from fix/scorecard-gpg-verify on Apr 7, 2026

ci: sync canonical workflows from tazama-lf and overhaul sync-workflows.yml#76
Justus-at-Tazama merged 2 commits intodevfrom
fix/scorecard-gpg-verify

Conversation

@Justus-at-Tazama (Contributor) commented Apr 7, 2026

Summary

Commit 1: Sync 17 canonical workflow files from tazama-lf/workflows

  • Copies 16 generic workflows as-is (branch-target-check, codacy, codeql, conventional-commits, dco-check, dependency-review, gpg-verify, milestone, njsscan, node.js, package-rule, package-rule-rc, release, sbom, scorecard, version-check)
  • Patches publish.yml and release-train.yml: pinned action SHAs, node -p instead of jq, curl --fail -sS, GH_USERNAME env var (scope kept as @frmscoe)
  • Intentionally excludes Docker workflows (frmscoe has no Docker repos)

Commit 2: Overhaul sync-workflows.yml

  • Add concurrency block to cancel in-progress runs
  • Pin actions/checkout to SHA (v6.0.2)
  • Remove hardcoded GitHub CLI install step (pre-installed on ubuntu-latest)
  • Full SSH signing setup block with base64 decode and validation
  • Fix actor step: fall back to github.actor for push/workflow_dispatch (was calling pulls API with empty PR number)
  • Branch strategy: delete+recreate sync-workflows-update each run (was checkout+pull, prone to conflicts)
  • Add dev branch existence check with auto-create from default branch
  • Fix missing cd .. at end of repo loop (latent loop-breaking bug)
  • PR token: use GH_TOKEN env var directly (remove echo-to-file pattern)
  • PR_REVIEWERS source: vars.PR_REVIEWERS -> secrets.GH_USERNAME
  • Exclude publish.yml, version-check.yml, release-train.yml from rule-repo sync (library-only files)
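
The "missing cd .." item above is the classic loop/working-directory bug: once the first iteration changes directory and never returns, every later relative path resolves from the wrong place. The script below is an added example, not the sync-workflows.yml script from this PR or from either workflows repo. It rebuilds the bug shape against constructed directories (rule-a, rule-b, rule-c under a temp dir), then shows the subshell idiom that makes a trailing cd .. unnecessary: the per-repo work runs in `( ... )`, so the directory change dies with the subshell and the parent loop never drifts, even when a step fails halfway. The sync_one body, the loop_buggy/loop_fixed names and the repo names are stand-ins for the demo.

```shell
#!/bin/sh
# Added example (not the sync-workflows.yml from this PR): the cwd-leak bug
# behind a missing `cd ..` in a per-repo loop, and the subshell fix.
# Directory names below are constructed for this demo only.

# Constructed stand-in for the checked-out rule repos: three sibling dirs.
make_sandbox() {
  root=$(mktemp -d)
  mkdir "$root/rule-a" "$root/rule-b" "$root/rule-c"
  printf '%s\n' "$root"
}

# Placeholder for the per-repo work (copy workflow files, commit, open PR).
# Here it only reports the directory it ran in so the effect is visible.
sync_one() {
  pwd
}

# Buggy shape (subshell body keeps the caller's cwd untouched): `cd "$repo"`
# enters the first repo and nothing returns to the parent, so every later
# `cd "$repo"` resolves relative to the wrong directory, fails and is
# skipped. Only the first repo is ever synced.
loop_buggy() (
  root=$1; shift
  cd "$root" || exit 1
  for repo in "$@"; do
    cd "$repo" 2>/dev/null || { echo "skip: $repo not found from $(pwd)" >&2; continue; }
    sync_one
    # missing: cd ..
  done
)

# Fixed shape: do the per-repo work in a subshell. The directory change dies
# with the subshell, so the parent never drifts even when a step fails
# midway, and there is no `cd ..` to forget. `|| continue` keeps one broken
# repo from stopping the whole run.
loop_fixed() (
  root=$1; shift
  cd "$root" || exit 1
  for repo in "$@"; do
    ( cd "$repo" && sync_one ) || { echo "skip: $repo failed" >&2; continue; }
  done
)

# Number of repos a loop function actually processed.
count_synced() {
  fn=$1; shift
  "$fn" "$@" | wc -l | tr -d ' '
}

ROOT=$(make_sandbox)
echo "buggy loop synced $(count_synced loop_buggy "$ROOT" rule-a rule-b rule-c) of 3 repos"  # 1
echo "fixed loop synced $(count_synced loop_fixed "$ROOT" rule-a rule-b rule-c) of 3 repos"  # 3
rm -rf "$ROOT"
```

The subshell form is the one to prefer in CI scripts: it is correct under `set -e`, it needs no cleanup step at the end of the loop body, and a failing clone or commit in one repo cannot leave the runner parked inside that repo for the next iteration.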

@Justus-at-Tazama Justus-at-Tazama requested review from a team as code owners April 7, 2026 23:01

Sync 17 canonical workflow files from tazama-lf/workflows. branch-target-check.yml
was already up to date.

Changes applied across all synced files:
- Pin all action SHAs (checkout v6.0.2, setup-node v6.3.0, codeql v4.35.1,
  scorecard-action v2.4.3, upload-artifact v7.0.0, etc.)
- gpg-verify.yml: fix inverted git log range, replace circular check-runs API
  call with commit verification endpoint, add github-actions[bot] exclusion,
  guard empty commit range
- scorecard.yml: remove dev from push.branches trigger (ossf/scorecard-action
  enforces default branch only)
- package-rule-rc.yml / package-rule.yml: pull latest reusable workflow logic
- node.js.yml, conventional-commits.yml, dco-check.yml, etc.: pin SHAs

publish.yml / release-train.yml synced with improvements only (scope and
org references kept as @frmscoe):
- Pin checkout and setup-node SHAs
- publish.yml: use node -p instead of jq, add continue-on-error to Slack
  step, use curl --fail -sS
- release-train.yml: add GH_USERNAME env var, use \ instead of
  inline secret reference (prevents injection)

Signed-off-by: Justus-at-Tazama <jortlepp@contractor.linuxfoundation.org>

- Add concurrency block: cancel-in-progress prevents parallel sync runs
- Pin actions/checkout to SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd (v6.0.2)
- Remove manual gh CLI install step (pre-installed on ubuntu-latest; v2.14.7
  was 2 years out of date)
- Add SSH commit signing (base64-encoded SSH_SIGNING_KEY secret, same
  Justus-at-Tazama identity as tazama-lf/workflows). Fails fast if secret is
  missing or key is invalid.
- Fix Get actor details: previous version called pulls API on push/
  workflow_dispatch events where pull_request.number is empty; add fallback
  to github.actor for non-PR triggers
- Fix branch strategy: delete and recreate sync-workflows-update each run
  instead of checkout+pull (avoids accumulating stale changes)
- Add dev branch existence check: create from default branch if absent
- Add missing cd .. at end of loop (latent bug: loop was broken after first
  repo)
- Fix PR token handling: remove echo-to-file + gh auth login + unset pattern;
  GH_TOKEN env var used directly (gh CLI picks it up automatically)
- Fix PR body: use variable instead of inline interpolation; use two-arg
  commit message (-m msg -m body) instead of concatenation
- Change PR_REVIEWERS source: vars.PR_REVIEWERS -> secrets.GH_USERNAME
  (consistent with tazama-lf/workflows)
- Add publish.yml / version-check.yml / release-train.yml exclusion: these
  are library-only and should not be copied to rule repos

Signed-off-by: Justus-at-Tazama <jortlepp@contractor.linuxfoundation.org>
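
Both commit messages above replace inline interpolation of a value in a script with a variable "to prevent injection". The script below is an added example, not code from the workflows in this PR, that reproduces the distinction in plain sh. A constructed PR title payload is first spliced into the script text before the shell parses it, which is what an inline `${{ ... }}` expression inside a `run:` step amounts to; then the same payload is handed over through an environment variable, where it stays data. The function names title_inline/title_env and the payload are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the tazama-lf or frmscoe workflows): why splicing an
# untrusted value into shell script text is command injection, and why passing
# it through an environment variable is not. The PR title below is a
# constructed payload, not data from any real pull request.

# Constructed attacker-controlled input: a PR title anyone can choose freely.
PAYLOAD='x"; echo INJECTED; echo "y'

# Unsafe: the value is expanded into the script text *before* sh parses it,
# so the quotes and semicolons inside the payload become shell syntax.
# Mirrors:  run: echo "PR title: ${{ github.event.pull_request.title }}"
title_inline() {
  sh -c "echo \"PR title: $1\""
}

# Safe: the script text is fixed; the value reaches sh only as the contents
# of an environment variable and is never re-parsed as code.
# Mirrors:  env: PR_TITLE: ${{ github.event.pull_request.title }}
#           run: echo "PR title: $PR_TITLE"
title_env() {
  PR_TITLE="$1" sh -c 'echo "PR title: $PR_TITLE"'
}

# Count output lines: one line means the payload was treated as data,
# more than one means the injected commands ran.
count_lines() {
  "$1" "$2" | wc -l | tr -d ' '
}

echo "inline: $(count_lines title_inline "$PAYLOAD") line(s)"  # 3: injected commands ran
echo "env:    $(count_lines title_env "$PAYLOAD") line(s)"     # 1: payload stayed data
```

The same reasoning applies to the two-argument `-m msg -m body` commit and to the GH_USERNAME variable: anything that originates from a PR title, body, branch name or secret belongs in an environment variable or a separate argument, never in the text of the command itself.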
@Justus-at-Tazama Justus-at-Tazama force-pushed the fix/scorecard-gpg-verify branch from 13b1318 to 207eb60 on April 7, 2026 23:06
@github-actions github-actions Bot added the ci/cd label Apr 7, 2026
@Justus-at-Tazama Justus-at-Tazama merged commit 423e52b into dev Apr 7, 2026
2 checks passed
Justus-at-Tazama added a commit that referenced this pull request Apr 8, 2026

Applies all changes from tazama-lf/workflows PR #76 (workflow audit fixes - batch 1)
to frmscoe/workflows. Changes are synced verbatim from the canonical source.

- fix(njsscan): fix SARIF upload guard, category, upgrade upload-sarif v4 (#68)
- fix(gpg-verify): make curl error handler reachable under bash -e (#69)
- fix(dco-check, gpg-verify): replace mutable branch refs with immutable SHAs (#70)
- fix(package-rule): add ref guard to prevent push from non-canonical branches (#71)
- fix(gpg-verify): rename workflow to Signature Verify, update header comment (#72)
- fix(package-rule): pass GH_TOKEN to docker build via BuildKit secret (#73)
- fix(sbom): pass GH_TOKEN to docker build via BuildKit secret (#74)
- fix(dockerfile-linter): skip hadolint and upload when no Dockerfile present (#75)
- fix(dockerfile-linter, sbom): address CodeRabbit review findings

Signed-off-by: Justus-at-Tazama <jortlepp@contractor.linuxfoundation.org>