From cca07e7f048b65badaa36b62d18478b1f468125e Mon Sep 17 00:00:00 2001 From: Lucas Bedatty Date: Wed, 1 Apr 2026 12:10:43 -0300 Subject: [PATCH 1/9] fix(security): address CodeRabbit PR#195 review findings - scope id-token:write to build/docker jobs only (least privilege) - pin cosign-sign composite ref to v1.23.0 (remove mutable branch) - use inputs.ghcr_org fallback in build.yml cosign-refs step - scope certificate-identity-regexp in all cosign verify examples - add id-token:write to typescript-build.md basic example - qualify image ref in cosign-sign README single-image example - warn against secrets in docker_build_args descriptions - fix workflow_dispatch contradiction in cursor rules --- .cursor/rules/reusable-workflows.mdc | 2 +- .github/workflows/build.yml | 11 +++++++---- .github/workflows/go-release.yml | 7 +++++-- .github/workflows/pr-security-scan.yml | 2 +- .github/workflows/typescript-build.yml | 7 +++++-- docs/build-workflow.md | 2 +- docs/go-release-workflow.md | 2 +- docs/typescript-build.md | 3 ++- src/security/cosign-sign/README.md | 4 ++-- 9 files changed, 25 insertions(+), 15 deletions(-) diff --git a/.cursor/rules/reusable-workflows.mdc b/.cursor/rules/reusable-workflows.mdc index 3a3081f..e68023b 100644 --- a/.cursor/rules/reusable-workflows.mdc +++ b/.cursor/rules/reusable-workflows.mdc @@ -127,8 +127,8 @@ runs-on: self-hosted Every reusable workflow must: - support `workflow_call` (for external callers) -- support `workflow_dispatch` (for manual testing) - expose explicit `inputs` — never rely on implicit context +- **must NOT** include a `workflow_dispatch` trigger — if manual/interactive dispatch is needed, create a separate self-workflow under `.github/workflows/self-*` - **always include a `dry_run` input** (`type: boolean`, `default: false`) so the workflow can be safely tested before applying real changes ```yaml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1f1ab84..9363c9d 100644 
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -123,7 +123,7 @@ on: type: boolean default: false docker_build_args: - description: 'Newline-separated Docker build arguments to pass to docker build (e.g., "APP_NAME=spi\nCOMPONENT_NAME=api"). Forwarded to docker/build-push-action build-args.' + description: 'Newline-separated Docker build arguments (e.g., "APP_NAME=spi\nCOMPONENT_NAME=api"). For sensitive values (tokens, keys, passwords), use BuildKit secrets instead — build arguments are visible in image history.' type: string required: false default: '' @@ -139,7 +139,6 @@ on: permissions: contents: read packages: write - id-token: write jobs: prepare: @@ -208,6 +207,10 @@ jobs: if: needs.prepare.outputs.has_builds == 'true' runs-on: ${{ inputs.runner_type }} name: Build ${{ matrix.app.name }} + permissions: + contents: read + packages: write + id-token: write strategy: max-parallel: 2 fail-fast: false @@ -320,7 +323,7 @@ jobs: ENABLE_GHCR: ${{ inputs.enable_ghcr }} DOCKERHUB_ORG: ${{ inputs.dockerhub_org }} APP_NAME: ${{ matrix.app.name }} - GHCR_ORG: ${{ steps.normalize.outputs.owner_lower }} + GHCR_ORG: ${{ inputs.ghcr_org || steps.normalize.outputs.owner_lower }} run: | REFS="" @@ -341,7 +344,7 @@ jobs: - name: Sign container images with cosign if: inputs.enable_cosign_sign - uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@feat/cosign-sign + uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@v1.23.0 with: image-refs: ${{ steps.cosign-refs.outputs.refs }} diff --git a/.github/workflows/go-release.yml b/.github/workflows/go-release.yml index acd1ec8..0b7f487 100644 --- a/.github/workflows/go-release.yml +++ b/.github/workflows/go-release.yml @@ -75,7 +75,6 @@ on: permissions: contents: write packages: write - id-token: write jobs: release: 
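Review bot: The new `GHCR_ORG: ${{ inputs.ghcr_org || steps.normalize.outputs.owner_lower }}` in the cosign-refs step passes the caller-supplied org through verbatim while the fallback is the lowercased repository owner, so a caller that sets a mixed-case `ghcr_org` would get a signing ref that differs from the lowercase name GHCR stores. I cannot see how the image-names step builds the pushed GHCR name, so this only bites if that step normalizes the org (or the registry does) and this one does not; if so, normalize here as well, e.g. `GHCR_ORG="${GHCR_ORG,,}"` at the top of the script before the refs are assembled. The step's `run` block continues outside the hunk.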
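Review bot: The sign step's condition `if: inputs.enable_cosign_sign` still fires when `steps.cosign-refs.outputs.refs` is empty (both registries disabled, or the refs script producing nothing), so the newly pinned cosign-sign action is invoked with an empty `image-refs`; the same step in typescript-build.yml later in this patch guards on `steps.cosign-refs.outputs.refs != ''`. Use the same guard here and on the go-release.yml sign step in this patch, `if: inputs.enable_cosign_sign && steps.cosign-refs.outputs.refs != ''`. Whether the composite action tolerates an empty list is not visible here, so this is a consistency point rather than a confirmed failure.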
@@ -144,6 +143,10 @@ jobs: docker: name: Build and Push Docker Image runs-on: ${{ inputs.runner_type }} + permissions: + contents: read + packages: write + id-token: write needs: release if: inputs.enable_docker && startsWith(github.ref, 'refs/tags/v') @@ -194,7 +197,7 @@ jobs: - name: Sign container images with cosign if: inputs.enable_cosign_sign - uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@feat/cosign-sign + uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@v1.23.0 with: image-refs: ${{ steps.cosign-refs.outputs.refs }} diff --git a/.github/workflows/pr-security-scan.yml b/.github/workflows/pr-security-scan.yml index 3ead072..f6ed5c3 100644 --- a/.github/workflows/pr-security-scan.yml +++ b/.github/workflows/pr-security-scan.yml @@ -68,7 +68,7 @@ on: type: boolean default: true docker_build_args: - description: 'Newline-separated Docker build arguments to pass to docker build (e.g., "APP_NAME=spi\nCOMPONENT_NAME=api"). Forwarded to docker/build-push-action build-args.' + description: 'Newline-separated Docker build arguments (e.g., "APP_NAME=spi\nCOMPONENT_NAME=api"). For sensitive values (tokens, keys, passwords), use BuildKit secrets instead — build arguments are visible in image history.' type: string required: false default: '' diff --git a/.github/workflows/typescript-build.yml b/.github/workflows/typescript-build.yml index 91082e5..4f743a4 100644 --- a/.github/workflows/typescript-build.yml +++ b/.github/workflows/typescript-build.yml @@ -148,7 +148,6 @@ on: permissions: contents: read packages: write - id-token: write jobs: prepare: @@ -250,6 +249,10 @@ jobs: if: needs.prepare.outputs.has_builds == 'true' runs-on: ${{ inputs.runner_type }} name: Build ${{ matrix.app.name }} + permissions: + contents: read + packages: write + id-token: write strategy: max-parallel: 2 fail-fast: false 
@@ -333,7 +336,7 @@ jobs: - name: Sign container images with cosign if: inputs.enable_cosign_sign && !inputs.dry_run && steps.cosign-refs.outputs.refs != '' - uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@feat/cosign-sign + uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@v1.23.0 with: image-refs: ${{ steps.cosign-refs.outputs.refs }} diff --git a/docs/build-workflow.md b/docs/build-workflow.md index 3054f54..3991ce6 100644 --- a/docs/build-workflow.md +++ b/docs/build-workflow.md @@ -225,7 +225,7 @@ jobs: ```bash cosign verify \ - --certificate-identity-regexp=".*" \ + --certificate-identity-regexp="^https://github.com/LerianStudio/.*/.github/workflows/.*@refs/heads/.*$" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ docker.io/lerianstudio/my-app@sha256:abc123... ``` diff --git a/docs/go-release-workflow.md b/docs/go-release-workflow.md index 86412dd..e8b5a2d 100644 --- a/docs/go-release-workflow.md +++ b/docs/go-release-workflow.md @@ -204,7 +204,7 @@ jobs: ```bash cosign verify \ - --certificate-identity-regexp=".*" \ + --certificate-identity-regexp="^https://github.com/LerianStudio/.*/.github/workflows/.*@refs/heads/.*$" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ ghcr.io/myorg/my-app@sha256:abc123... ``` diff --git a/docs/typescript-build.md b/docs/typescript-build.md index 6623214..b8bdffd 100644 --- a/docs/typescript-build.md +++ b/docs/typescript-build.md @@ -37,6 +37,7 @@ on: permissions: contents: read packages: write + id-token: write # required for cosign keyless signing jobs: build: @@ -230,7 +231,7 @@ jobs: ```bash cosign verify \ - --certificate-identity-regexp=".*" \ + --certificate-identity-regexp="^https://github.com/LerianStudio/.*/.github/workflows/.*@refs/heads/.*$" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ ghcr.io/lerianstudio/my-app@sha256:abc123... ``` 
diff --git a/src/security/cosign-sign/README.md b/src/security/cosign-sign/README.md index 0151761..1bf4fbb 100644 --- a/src/security/cosign-sign/README.md +++ b/src/security/cosign-sign/README.md @@ -46,7 +46,7 @@ jobs: - name: Sign container image uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@v1.x.x with: - image-refs: myorg/myapp@${{ steps.build-push.outputs.digest }} + image-refs: docker.io/myorg/myapp@${{ steps.build-push.outputs.digest }} ``` ### Signing multiple registries @@ -64,7 +64,7 @@ jobs: ```bash cosign verify \ - --certificate-identity-regexp=".*" \ + --certificate-identity-regexp="^https://github.com/LerianStudio/.*/.github/workflows/.*@refs/heads/.*$" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ docker.io/myorg/myapp@sha256:abc123... ``` From 8f52c0eb2ee0b6c1d5ec782f6d97f5fb772a3a7e Mon Sep 17 00:00:00 2001 From: Lucas Bedatty Date: Wed, 1 Apr 2026 13:44:13 -0300 Subject: [PATCH 2/9] fix(build): remove floating minor version tag from Docker metadata The {{major}}.{{minor}} semver pattern (e.g. 1.4) conflicts with DockerHub tag immutability on patch releases. When v1.4.0 is published the 1.4 tag is created and locked, so subsequent patch releases like v1.4.1 fail trying to overwrite it. Remove the floating minor tag, keeping only the exact version tag (e.g. 1.4.1) and the major tag (e.g. 1). --- .github/workflows/build.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9363c9d..9636e20 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -292,7 +292,6 @@ jobs: images: ${{ steps.image-names.outputs.images }} tags: | type=semver,pattern={{version}},value=${{ steps.version.outputs.version }} - type=semver,pattern={{major}}.{{minor}},value=${{ steps.version.outputs.version }} type=semver,pattern={{major}},value=${{ steps.version.outputs.version }},enable=${{ needs.prepare.outputs.is_release }} - name: Build and push Docker image From bb34537e3b7fb18eea2d6012f851bded27a055d9 Mon Sep 17 00:00:00 2001 From: Lucas Bedatty Date: Wed, 1 Apr 2026 13:46:46 -0300 Subject: [PATCH 3/9] fix(gitops-update): add retry with rebase and exponential backoff on push When multiple services update the same GitOps repo concurrently, the push can be rejected because the remote already has new commits. This adds a retry loop (up to 5 attempts) with git pull --rebase and exponential backoff (2s, 4s, 6s, 8s, 10s) to handle race conditions. Closes #197 --- .github/workflows/gitops-update.yml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/.github/workflows/gitops-update.yml b/.github/workflows/gitops-update.yml index cf80378..6226c78 100644 --- a/.github/workflows/gitops-update.yml +++ b/.github/workflows/gitops-update.yml @@ -444,7 +444,25 @@ jobs: fi git commit -am "ci(${{ steps.setup.outputs.commit_prefix }}): update image tags ($ENV_LABEL)" || echo "No changes to commit" - git push origin main + + # Retry push with rebase and exponential backoff to handle concurrent updates + MAX_RETRIES=5 + for i in $(seq 1 $MAX_RETRIES); do + if git push origin main; then + echo "Push succeeded on attempt $i" + break + fi + + if [ "$i" -eq "$MAX_RETRIES" ]; then + echo "ERROR: Failed to push after $MAX_RETRIES attempts" + exit 1 + fi + + BACKOFF=$((i * 2)) + echo "Push failed (attempt $i/$MAX_RETRIES), rebasing and retrying in ${BACKOFF}s..." + sleep "$BACKOFF" + git pull --rebase origin main + done # ArgoCD Sync Job - runs in parallel for each server/env combination argocd_sync: 
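Review bot: The retained `type=semver,pattern={{major}}` line directly below the removed one is also a floating tag that is rewritten on every release of that major, so if DockerHub's tag immutability rejected overwriting `1.4` on a patch release as the commit message describes, the `1` tag should be rejected on the same release unless the registry exempts it. Either confirm from the registry's immutability settings that the `1` overwrite is permitted, or drop or gate that pattern as well, so the next patch release does not fail with the same error one line lower. The docker/metadata-action step this sits in starts outside the hunk.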
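Review bot: The retry loop never checks the result of `git pull --rebase origin main` on the last line of the loop body; a fetch error or a rebase conflict leaves the checkout mid-rebase, and under the Actions default `bash -e` shell the step dies there without the loop's own error message, while without `-e` the loop keeps retrying the push from a detached HEAD until the attempts are exhausted. Make the failure explicit, e.g. `git pull --rebase origin main || { git rebase --abort 2>/dev/null || true; echo "ERROR: rebase onto origin/main failed"; exit 1; }`. Sleeping before the rebase also widens the window in which yet another updater can land a commit; rebasing first and then sleeping before the next push would tighten it. The `run` block this loop lives in starts outside the hunk.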
From 023287c1e68ad5ec43c0de4b63ba443076f5f0d3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Apr 2026 11:12:08 +0000 Subject: [PATCH 4/9] chore(deps): bump docker/login-action in the docker group Bumps the docker group with 1 update: [docker/login-action](https://github.com/docker/login-action). Updates `docker/login-action` from 4.0.0 to 4.1.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/b45d80f862d83dbcd57f89517bcf500b2ab88fb2...4907a6ddec9925e35a0a9e82d7399ccc52663121) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 4 ++-- .github/workflows/gitops-update.yml | 2 +- .github/workflows/go-release.yml | 2 +- .github/workflows/pr-security-scan.yml | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9636e20..eee7339 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -230,14 +230,14 @@ jobs: - name: Log in to DockerHub if: inputs.enable_dockerhub - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKERHUB_IMAGE_PUSH_TOKEN }} - name: Log in to GHCR if: inputs.enable_ghcr - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 with: registry: ghcr.io username: ${{ github.actor }} diff --git a/.github/workflows/gitops-update.yml b/.github/workflows/gitops-update.yml index 6226c78..3ea186c 100644 --- a/.github/workflows/gitops-update.yml 
+++ b/.github/workflows/gitops-update.yml @@ -75,7 +75,7 @@ jobs: steps: - name: Log in to Docker Hub if: ${{ inputs.enable_docker_login }} - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKERHUB_IMAGE_PULL_TOKEN }} diff --git a/.github/workflows/go-release.yml b/.github/workflows/go-release.yml index 0b7f487..0753f18 100644 --- a/.github/workflows/go-release.yml +++ b/.github/workflows/go-release.yml @@ -158,7 +158,7 @@ jobs: uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - name: Log in to Docker Registry - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 with: registry: ${{ inputs.docker_registry }} username: ${{ secrets.DOCKER_USERNAME || github.actor }} diff --git a/.github/workflows/pr-security-scan.yml b/.github/workflows/pr-security-scan.yml index f6ed5c3..7405445 100644 --- a/.github/workflows/pr-security-scan.yml +++ b/.github/workflows/pr-security-scan.yml @@ -91,7 +91,7 @@ jobs: steps: # ----------------- Setup ----------------- - name: Login to Docker Registry - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 with: registry: ${{ inputs.docker_registry }} username: ${{ secrets.DOCKER_USERNAME }} @@ -133,7 +133,7 @@ jobs: steps: # ----------------- Setup ----------------- - name: Login to Docker Registry - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 with: registry: ${{ inputs.docker_registry }} username: ${{ secrets.DOCKER_USERNAME }} From 9b0c1eab026762195646261f617d59094d806a8f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Apr 2026 11:15:03 +0000 Subject: [PATCH 5/9] chore(deps): bump goreleaser/goreleaser-action Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 9a127d869fb706213d29cdf8eef3a4ea2b869415 to ec59f474b9834571250b370d4735c50f8e2d1e29. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](https://github.com/goreleaser/goreleaser-action/compare/9a127d869fb706213d29cdf8eef3a4ea2b869415...ec59f474b9834571250b370d4735c50f8e2d1e29) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-version: ec59f474b9834571250b370d4735c50f8e2d1e29 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- .github/workflows/go-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/go-release.yml b/.github/workflows/go-release.yml index 0b7f487..1d61811 100644 --- a/.github/workflows/go-release.yml +++ b/.github/workflows/go-release.yml @@ -101,7 +101,7 @@ jobs: run: ${{ inputs.test_cmd }} - name: Run GoReleaser - uses: goreleaser/goreleaser-action@9a127d869fb706213d29cdf8eef3a4ea2b869415 # v7 + uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7 with: distribution: ${{ inputs.goreleaser_distribution }} version: ${{ inputs.goreleaser_version }} From 6059c0f89c463005e78d471c64574e874dd1e240 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Apr 2026 11:48:55 -0300 Subject: [PATCH 6/9] chore(deps): bump actions/create-github-app-token from 2 to 3 in the release group across 1 directory (#147) * chore(deps): bump actions/create-github-app-token in the release group Bumps the release group with 1 update: [actions/create-github-app-token](https://github.com/actions/create-github-app-token). Updates `actions/create-github-app-token` from 2 to 3 - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](https://github.com/actions/create-github-app-token/compare/v2...v3) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: '3' dependency-type: direct:production update-type: version-update:semver-major dependency-group: release ... Signed-off-by: dependabot[bot] * fix(deps): pin create-github-app-token to SHA for v3 tag * fix(deps): pin all remaining actions to commit SHA * fix(deps): revert internal modules back to tags --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Lucas Bedatty --- .github/workflows/gptchangelog.yml | 12 ++++++------ .github/workflows/helm-update-chart.yml | 2 +- .github/workflows/release-notification.yml | 4 ++-- .github/workflows/release.yml | 2 +- .github/workflows/typescript-release.yml | 2 +- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/gptchangelog.yml b/.github/workflows/gptchangelog.yml index 180b8bf..88003b2 100644 --- a/.github/workflows/gptchangelog.yml +++ b/.github/workflows/gptchangelog.yml @@ -62,7 +62,7 @@ jobs: is_stable: ${{ steps.check-tag.outputs.is_stable }} steps: - name: Checkout for branch check - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 
@@ -139,7 +139,7 @@ jobs: - name: Checkout repository if: steps.check-tag.outputs.is_stable == 'true' || inputs.stable_releases_only == false - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 @@ -252,14 +252,14 @@ jobs: steps: - name: Create GitHub App Token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3 id: app-token with: app-id: ${{ secrets.LERIAN_STUDIO_MIDAZ_PUSH_BOT_APP_ID }} private-key: ${{ secrets.LERIAN_STUDIO_MIDAZ_PUSH_BOT_PRIVATE_KEY }} - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 token: ${{ steps.app-token.outputs.token }} @@ -279,7 +279,7 @@ jobs: fi - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@v7 + uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7 id: import_gpg with: gpg_private_key: ${{ secrets.LERIAN_CI_CD_USER_GPG_KEY }} @@ -733,7 +733,7 @@ jobs: runs-on: blacksmith-4vcpu-ubuntu-2404 steps: - name: Send Slack notification for sync PR - uses: slackapi/slack-github-action@v1.24.0 + uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 with: payload: | { diff --git a/.github/workflows/helm-update-chart.yml b/.github/workflows/helm-update-chart.yml index 20cf074..72f1f21 100644 --- a/.github/workflows/helm-update-chart.yml +++ b/.github/workflows/helm-update-chart.yml @@ -100,7 +100,7 @@ jobs: steps: - name: Generate GitHub App Token id: app-token - uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2 + uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0 with: app-id: ${{ secrets.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} 
diff --git a/.github/workflows/release-notification.yml b/.github/workflows/release-notification.yml index d025a58..a2444ce 100644 --- a/.github/workflows/release-notification.yml +++ b/.github/workflows/release-notification.yml @@ -114,14 +114,14 @@ jobs: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} steps: - name: Create GitHub App token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3 id: app-token with: app-id: ${{ secrets.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Fetch latest release tag id: release diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a26472c..4b6e573 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -103,7 +103,7 @@ jobs: gpg_fingerprint: ${{ steps.import_gpg.outputs.fingerprint }} steps: - - uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2 + - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0 id: app-token with: app-id: ${{ secrets.LERIAN_STUDIO_MIDAZ_PUSH_BOT_APP_ID }} diff --git a/.github/workflows/typescript-release.yml b/.github/workflows/typescript-release.yml index 92704d1..4cea8ea 100644 --- a/.github/workflows/typescript-release.yml +++ b/.github/workflows/typescript-release.yml @@ -114,7 +114,7 @@ jobs: gpg_fingerprint: ${{ steps.import_gpg.outputs.fingerprint }} steps: - - uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2 + - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0 id: app-token with: app-id: ${{ secrets.LERIAN_STUDIO_MIDAZ_PUSH_BOT_APP_ID }} From f63bad1a8ab817c0c60fde820a90f1a5f355922a Mon Sep 17 00:00:00 2001 
From: Bedatty <79675696+bedatty@users.noreply.github.com> Date: Mon, 6 Apr 2026 13:43:35 -0300 Subject: [PATCH 7/9] fix: address CodeRabbit review findings (#204) - Remove contradictory workflow_dispatch example from reusable-workflows rules - Remove stale {{major}}.{{minor}} tag from build-workflow docs - Fix linear backoff to true exponential (2**i) in gitops-update retry loop --- .cursor/rules/reusable-workflows.mdc | 9 --------- .github/workflows/gitops-update.yml | 2 +- docs/build-workflow.md | 1 - 3 files changed, 1 insertion(+), 11 deletions(-) diff --git a/.cursor/rules/reusable-workflows.mdc b/.cursor/rules/reusable-workflows.mdc index e68023b..ab460b8 100644 --- a/.cursor/rules/reusable-workflows.mdc +++ b/.cursor/rules/reusable-workflows.mdc @@ -146,15 +146,6 @@ on: secrets: DEPLOY_TOKEN: required: true - workflow_dispatch: - inputs: - environment: - required: true - type: string - dry_run: - description: Preview changes without applying them - type: boolean - default: false ``` The two modes have opposite goals — design them accordingly: diff --git a/.github/workflows/gitops-update.yml b/.github/workflows/gitops-update.yml index 3ea186c..5f3acb0 100644 --- a/.github/workflows/gitops-update.yml +++ b/.github/workflows/gitops-update.yml @@ -458,7 +458,7 @@ jobs: exit 1 fi - BACKOFF=$((i * 2)) + BACKOFF=$((2 ** i)) echo "Push failed (attempt $i/$MAX_RETRIES), rebasing and retrying in ${BACKOFF}s..." sleep "$BACKOFF" git pull --rebase origin main diff --git a/docs/build-workflow.md b/docs/build-workflow.md index 3991ce6..379cb5b 100644 --- a/docs/build-workflow.md +++ b/docs/build-workflow.md @@ -139,7 +139,6 @@ Generated tags based on semantic versioning: | Tag Pattern | Example | When Applied | |-------------|---------|--------------| | `{{version}}` | `1.0.0-beta.1` | Always | -| `{{major}}.{{minor}}` | `1.0` | Always | | `{{major}}` | `1` | Release tags only | ## Monorepo Change Detection 
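Review bot: `BACKOFF=$((2 ** i))` is deterministic, so every service that lost the same push race sleeps the same 2, 4, 8, 16 seconds and they all retry at the same instants, which is the lock-step the loop is meant to break; with more concurrent updaters than attempts (MAX_RETRIES is 5) the later ones still exhaust their retries. A small random component keeps the exponential shape while desynchronizing the retriers, e.g. `BACKOFF=$((2 ** i + RANDOM % 3))`. The enclosing loop and `run` block extend outside the hunk.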
From baa43a272da785bfb0252f2d321fb88286e77e37 Mon Sep 17 00:00:00 2001 From: Bedatty <79675696+bedatty@users.noreply.github.com> Date: Mon, 6 Apr 2026 14:17:50 -0300 Subject: [PATCH 8/9] fix(docs): update cosign verification regex to support tag-triggered workflows (#205) --- docs/build-workflow.md | 2 +- docs/go-release-workflow.md | 2 +- docs/typescript-build.md | 2 +- src/security/cosign-sign/README.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/build-workflow.md b/docs/build-workflow.md index 379cb5b..b44b227 100644 --- a/docs/build-workflow.md +++ b/docs/build-workflow.md @@ -224,7 +224,7 @@ jobs: ```bash cosign verify \ - --certificate-identity-regexp="^https://github.com/LerianStudio/.*/.github/workflows/.*@refs/heads/.*$" \ + --certificate-identity-regexp="^https://github\.com/LerianStudio/.+/.github/workflows/.+@refs/(heads|tags)/.+$" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ docker.io/lerianstudio/my-app@sha256:abc123... ``` diff --git a/docs/go-release-workflow.md b/docs/go-release-workflow.md index e8b5a2d..d8d1fc4 100644 --- a/docs/go-release-workflow.md +++ b/docs/go-release-workflow.md @@ -204,7 +204,7 @@ jobs: ```bash cosign verify \ - --certificate-identity-regexp="^https://github.com/LerianStudio/.*/.github/workflows/.*@refs/heads/.*$" \ + --certificate-identity-regexp="^https://github\.com/LerianStudio/.+/.github/workflows/.+@refs/(heads|tags)/.+$" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ ghcr.io/myorg/my-app@sha256:abc123... ``` diff --git a/docs/typescript-build.md b/docs/typescript-build.md index b8bdffd..aab3b88 100644 --- a/docs/typescript-build.md +++ b/docs/typescript-build.md 
@@ -231,7 +231,7 @@ jobs: ```bash cosign verify \ - --certificate-identity-regexp="^https://github.com/LerianStudio/.*/.github/workflows/.*@refs/heads/.*$" \ + --certificate-identity-regexp="^https://github\.com/LerianStudio/.+/.github/workflows/.+@refs/(heads|tags)/.+$" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ ghcr.io/lerianstudio/my-app@sha256:abc123... ``` diff --git a/src/security/cosign-sign/README.md b/src/security/cosign-sign/README.md index 1bf4fbb..d107920 100644 --- a/src/security/cosign-sign/README.md +++ b/src/security/cosign-sign/README.md @@ -64,7 +64,7 @@ jobs: ```bash cosign verify \ - --certificate-identity-regexp="^https://github.com/LerianStudio/.*/.github/workflows/.*@refs/heads/.*$" \ + --certificate-identity-regexp="^https://github\.com/LerianStudio/.+/.github/workflows/.+@refs/(heads|tags)/.+$" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ docker.io/myorg/myapp@sha256:abc123... ``` From 49c021673a6e1a8d11d45618c579af3a2a68a33b Mon Sep 17 00:00:00 2001 From: Bedatty <79675696+bedatty@users.noreply.github.com> Date: Mon, 6 Apr 2026 14:38:14 -0300 Subject: [PATCH 9/9] fix(build): add docker.io prefix to DockerHub cosign image refs (#206) --- .github/workflows/build.yml | 2 +- .github/workflows/typescript-build.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index eee7339..7459ff0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -327,7 +327,7 @@ jobs: REFS="" if [ "$ENABLE_DOCKERHUB" == "true" ]; then - REFS="${DOCKERHUB_ORG}/${APP_NAME}@${DIGEST}" + REFS="docker.io/${DOCKERHUB_ORG}/${APP_NAME}@${DIGEST}" fi if [ "$ENABLE_GHCR" == "true" ]; then diff --git a/.github/workflows/typescript-build.yml b/.github/workflows/typescript-build.yml index 4f743a4..31d8533 100644 --- a/.github/workflows/typescript-build.yml +++ b/.github/workflows/typescript-build.yml 
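Review bot: The new `REFS="docker.io/${DOCKERHUB_ORG}/${APP_NAME}@${DIGEST}"` assumes `DOCKERHUB_ORG` is non-empty; the env mapping earlier in this series takes it from `inputs.dockerhub_org`, and if a caller enables DockerHub without setting the org (assuming the input has no default) the ref becomes `docker.io//app@sha256:…`, which is handed to cosign as a malformed reference instead of failing with a clear message. Guard it before the refs are assembled, `if [ "$ENABLE_DOCKERHUB" == "true" ] && [ -z "$DOCKERHUB_ORG" ]; then echo "ERROR: dockerhub_org is required when enable_dockerhub is true"; exit 1; fi`. The identical line in the typescript-build.yml hunk at the end of this patch has the same gap. The `run` script continues on both sides of the hunk.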
@@ -320,7 +320,7 @@ jobs: fi if [ "$ENABLE_DOCKERHUB" == "true" ]; then - REFS="${DOCKERHUB_ORG}/${APP_NAME}@${DIGEST}" + REFS="docker.io/${DOCKERHUB_ORG}/${APP_NAME}@${DIGEST}" fi if [ "$ENABLE_GHCR" == "true" ]; then