
fix(workflows): sync workflow audit fixes from tazama-lf/workflows#78

Merged
Justus-at-Tazama merged 1 commit into dev from fix/sync-workflow-audit-fixes
Apr 8, 2026

Conversation

@Justus-at-Tazama (Contributor)

SPDX-License-Identifier: Apache-2.0

What did we change?

Syncs all workflow audit fixes from tazama-lf/workflows PR #76 to frmscoe/workflows.

Changes applied

  • fix(njsscan): fix SARIF upload guard (steps.njsscan.outcome == 'success' instead of hashFiles() which always evaluates false at job-setup time), add category: njsscan, upgrade upload-sarif v3 -> v4
  • fix(codacy): add category: codacy to disambiguate SARIF uploads, upgrade upload-sarif v3 -> v4
  • fix(gpg-verify): make curl error handler reachable under bash -e (replace command-substitution pattern with || { } block); add -sS to print errors to stderr; quote URL; propagate original exit code
  • fix(dco-check, gpg-verify): replace mutable branch refs (head.ref/base.ref) with immutable SHAs (head.sha/base.sha) to fix fork PRs and eliminate racy branch-name lookups
  • fix(package-rule, package-rule-rc): add ref guard to prevent workflow_dispatch from pushing images from non-canonical branches
  • fix(gpg-verify): rename workflow name to "Signature Verify" and update header comment to reflect that the check covers all verified signatures (GPG, SSH, S/MIME), not just GPG
  • fix(package-rule, package-rule-rc): pass GH_TOKEN to docker build via BuildKit secret so npm ci can authenticate against GitHub Packages
  • fix(sbom): pass GH_TOKEN to docker build via BuildKit secret; move Docker build context (.) to end of command for canonical form
  • feat(dockerfile-linter): add dockerfile-linter.yml (Hadolint workflow) with hashFiles guard and steps.hadolint.outcome == 'success' upload guard

How was it tested?

  • Not needed - files copied verbatim from canonical source (tazama-lf/workflows dev @ 31b3f0d)

Applies all changes from tazama-lf/workflows PR #76 (workflow audit fixes - batch 1)
to frmscoe/workflows. Changes are synced verbatim from the canonical source.

- fix(njsscan): fix SARIF upload guard, category, upgrade upload-sarif v4 (#68)
- fix(gpg-verify): make curl error handler reachable under bash -e (#69)
- fix(dco-check, gpg-verify): replace mutable branch refs with immutable SHAs (#70)
- fix(package-rule): add ref guard to prevent push from non-canonical branches (#71)
- fix(gpg-verify): rename workflow to Signature Verify, update header comment (#72)
- fix(package-rule): pass GH_TOKEN to docker build via BuildKit secret (#73)
- fix(sbom): pass GH_TOKEN to docker build via BuildKit secret (#74)
- fix(dockerfile-linter): skip hadolint and upload when no Dockerfile present (#75)
- fix(dockerfile-linter, sbom): address CodeRabbit review findings

Signed-off-by: Justus-at-Tazama <jortlepp@contractor.linuxfoundation.org>
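The gpg-verify item above (an error handler placed after `body=$(curl ...)` never being reached under `bash -e`, versus the `|| { ... }` form) in runnable form, as an added example rather than the tazama-lf/workflows code itself. `fake_curl` is an assumed stand-in for the real `curl -sS "$url"` call so the example runs offline, and each script is run in a fresh `sh -e` process.

```shell
#!/bin/sh
# Added example, not the tazama-lf/workflows code: why a handler written after
# `body=$(curl ...)` never runs under `bash -e`, and the `|| { ... }` form that
# makes it reachable. `fake_curl` is an assumed stand-in for the real
# `curl -sS "$url"` call so the example runs offline; its first argument is the
# exit status to simulate (0 = success, anything else = a curl failure code).

# "Before": the assignment's status is the substitution's status, so errexit
# terminates the script on that line; the `if` (and its `exit 99`) is dead code.
BROKEN_SCRIPT='
fake_curl() { [ "$1" -eq 0 ] && echo ok-body; return "$1"; }
body=$(fake_curl "$1")
if [ $? -ne 0 ]; then echo "handler ran" >&2; exit 99; fi
echo "$body"
'

# "After": a command on the left of `||` is exempt from errexit, so the handler
# block runs, reports to stderr and propagates the original exit code.
FIXED_SCRIPT='
fake_curl() { [ "$1" -eq 0 ] && echo ok-body; return "$1"; }
body=$(fake_curl "$1") || { rc=$?; echo "fetch failed (exit $rc)" >&2; exit "$rc"; }
echo "$body"
'

# Run a script in a fresh `sh -e` process (so errexit is genuinely in force,
# unaffected by the caller's context) and report "<exit status>|<stderr>".
run_case() {
  err=$(sh -e -c "$1" sh "$2" 2>&1 >/dev/null) && rc=0 || rc=$?
  printf '%s|%s' "$rc" "$err"
}

# Same, but return only what the script wrote to stdout.
body_of() { sh -e -c "$1" sh "$2" 2>/dev/null; }

echo "broken, curl fails: $(run_case "$BROKEN_SCRIPT" 22)"   # 22| (handler silent)
echo "fixed,  curl fails: $(run_case "$FIXED_SCRIPT" 22)"    # 22|fetch failed (exit 22)
echo "fixed,  curl ok:    $(body_of "$FIXED_SCRIPT" 0)"       # ok-body
```

If the "before" script had reached its handler, the exit status would be 99 rather than the simulated curl status of 22.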
Justus-at-Tazama requested review from a team as code owners April 8, 2026 21:35
github-actions bot added the "bug" (Something isn't working) label Apr 8, 2026
Justus-at-Tazama merged commit a02fd0f into dev Apr 8, 2026
3 checks passed