Adding GHCR to CI/CD Release Workflow & further improvements#32
oschwartz10612 merged 4 commits into fosrl:main, Oct 20, 2025
Conversation
- Pin actions/checkout to SHA for v5.0.0
- Pin docker/setup-qemu-action to SHA for v3.6.0
- Pin docker/setup-buildx-action to SHA for v3.11.1
- Pin docker/login-action to SHA for v3.6.0
- Pin actions/setup-go to SHA for v6.0.0
- Pin actions/upload-artifact to SHA for v4.6.2

- mirror images from Docker Hub to GHCR using skopeo (preserves multi-arch manifests)
- login to GHCR via docker/login-action for signing/pushing
- install cosign and perform dual signing: keyless (OIDC) + key-based; verify signatures
- add required permissions for id-token/packages and reference necessary secrets
Community Contribution License Agreement
By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.
Description (Copilot)

This pull request improves the security, reliability, and transparency of the CI/CD and test workflows by pinning all GitHub Actions to specific commit SHAs, adding explicit permissions, and enhancing the release process with image signing and mirroring. The CI/CD pipeline now includes steps for dual-signing container images, mirroring images to GHCR, updating version information in `main.go`, and installing required tools. The test workflow also receives minor security improvements.

CI/CD Pipeline Enhancements:

- All GitHub Actions in `.github/workflows/cicd.yml` are now pinned to specific commit SHAs to minimize supply-chain risks.
- The version in `main.go` is updated based on the pushed tag, ensuring version consistency in release builds.

Security and Permissions:

- Explicit permissions are added to the CI/CD (`cicd.yml`) and test (`test.yml`) workflows, limiting access to only required scopes. [1] [2]

Test Workflow Improvements:

- All GitHub Actions in `.github/workflows/test.yml` are pinned to specific commit SHAs, improving supply-chain security.

How to test?