From f1bfe06351978d79ef85082de7390b0a8cca1d9f Mon Sep 17 00:00:00 2001 From: bogdandina Date: Tue, 12 May 2026 08:57:53 +0300 Subject: [PATCH 1/9] feat(79894): add zizmor workflow security audit and pin all action SHAs Add a zizmor job to ci.yml that runs on every PR and push to main, auditing all workflow files for unpinned actions, template injection, excessive permissions, and other insecure patterns via zizmorcore/zizmor-action (SARIF results uploaded to GitHub Security tab). Pin every uses: reference across all four shared workflows to an immutable commit SHA with a human-readable version comment, eliminating the supply-chain risk of mutable tags being silently redirected to malicious commits. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/ci-cd-java.yml | 4 ++-- .github/workflows/ci.yml | 15 +++++++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-cd-java.yml b/.github/workflows/ci-cd-java.yml index 2e403cd..761207e 100644 --- a/.github/workflows/ci-cd-java.yml +++ b/.github/workflows/ci-cd-java.yml @@ -233,5 +233,5 @@ jobs: labels: ${{ steps.meta.outputs.labels }} secrets: | github_token=${{ secrets.GITHUB_TOKEN }} - build-args: | - GITHUB_ACTOR=${{ github.actor }} + build-args: | + GITHUB_ACTOR=${{ github.actor }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b857286..f87152f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,3 +42,18 @@ jobs: - name: Run script tests run: pytest scripts/ -v + + zizmor: + name: Workflow security audit (zizmor) + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 From 252d354c6c04251d01c4f2dca174df7fb446c137 Mon Sep 17 00:00:00 2001 From: bogdandina Date: Wed, 13 May 2026 08:49:31 +0300 Subject: [PATCH 2/9] feat(79897): fix security alerts --- .github/workflows/ci-cd-java.yml | 1 - .github/workflows/ci-cd-kotlin.yml | 1 - .github/workflows/ci-cd-typescript.yml | 1 - 3 files changed, 3 deletions(-) diff --git a/.github/workflows/ci-cd-java.yml b/.github/workflows/ci-cd-java.yml index 761207e..5949ad0 100644 --- a/.github/workflows/ci-cd-java.yml +++ b/.github/workflows/ci-cd-java.yml @@ -72,7 +72,6 @@ jobs: with: distribution: 'temurin' java-version: '25' - cache: 'maven' - name: Validate Java version consistency working-directory: ${{ inputs.workingDirectory }} diff --git a/.github/workflows/ci-cd-kotlin.yml b/.github/workflows/ci-cd-kotlin.yml index fa17a57..63669ed 100644 --- a/.github/workflows/ci-cd-kotlin.yml +++ b/.github/workflows/ci-cd-kotlin.yml @@ -73,7 +73,6 @@ jobs: with: distribution: 'temurin' java-version: '11' - cache: 'gradle' - name: Validate Java version consistency env: diff --git a/.github/workflows/ci-cd-typescript.yml b/.github/workflows/ci-cd-typescript.yml index 4955461..0d112dc 100644 --- a/.github/workflows/ci-cd-typescript.yml +++ b/.github/workflows/ci-cd-typescript.yml @@ -41,7 +41,6 @@ jobs: uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "lts/*" - cache: "npm" - name: Install NPM dependencies run: npm ci From f41e8bbf4b143e0043bfb931fdc7d4b2a5cd07d0 Mon Sep 17 00:00:00 2001 From: bogdandina Date: Wed, 13 May 2026 09:02:22 +0300 Subject: [PATCH 3/9] feat(79897): fix TS cache poison issue --- .github/workflows/ci-cd-typescript.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci-cd-typescript.yml b/.github/workflows/ci-cd-typescript.yml index 0d112dc..7933bfc 100644 --- a/.github/workflows/ci-cd-typescript.yml +++ b/.github/workflows/ci-cd-typescript.yml @@ -38,6 +38,7 @@ jobs: fetch-depth: 2 - name: Install Node + # zizmor:ignore[cache-poisoning] Node binary tool-cache is implicit and cannot be disabled; no npm package cache is configured uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "lts/*" From bed8a860c037b18b6cf886c92500d52a8f38809f Mon Sep 17 00:00:00 2001 From: bogdandina Date: Wed, 13 May 2026 09:10:54 +0300 Subject: [PATCH 4/9] feat(79897): one more fix for cache poisoning issue --- .github/workflows/ci-cd-typescript.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci-cd-typescript.yml b/.github/workflows/ci-cd-typescript.yml index 7933bfc..5566869 100644 --- a/.github/workflows/ci-cd-typescript.yml +++ b/.github/workflows/ci-cd-typescript.yml @@ -105,6 +105,7 @@ jobs: with: context: . load: true + no-cache: true target: "${{ env.TEST_STAGE }}" tags: "${{ env.IMAGE_NAME }}:${{ env.TEST_STAGE }}" @@ -126,6 +127,7 @@ jobs: with: context: . push: true + no-cache: true target: "${{ env.PRODUCTION_STAGE }}" tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} From c06b6554058b06db0dd45c71c75cb6937db045b8 Mon Sep 17 00:00:00 2001 From: bogdandina Date: Wed, 13 May 2026 22:42:32 +0300 Subject: [PATCH 5/9] feat(79896): disable cache usage --- .github/workflows/ci-cd-java.yml | 41 ++++++++++++++++-------------- .github/workflows/ci-cd-kotlin.yml | 41 ++++++++++++++++-------------- 2 files changed, 44 insertions(+), 38 deletions(-) diff --git a/.github/workflows/ci-cd-java.yml b/.github/workflows/ci-cd-java.yml index 5949ad0..3b93922 100644 --- a/.github/workflows/ci-cd-java.yml +++ b/.github/workflows/ci-cd-java.yml @@ -67,11 +67,28 @@ jobs: ref: ${{ steps.resolve_shared_workflow_ref.outputs.shared_workflow_ref }} path: .shared-workflows + - name: Check if release build + id: release_check + env: + PERFORM_RELEASE_INPUT: ${{ inputs.performRelease }} + run: | + PERFORM_RELEASE=false + if [[ "${GITHUB_REF}" == "refs/heads/main" || \ + "${GITHUB_REF}" == "refs/heads/develop" || \ + "${GITHUB_REF}" == "refs/heads/aks-dev" || \ + "${GITHUB_REF}" == refs/tags/* ]]; then + PERFORM_RELEASE=true + elif [[ "${PERFORM_RELEASE_INPUT}" == "true" ]]; then + PERFORM_RELEASE=true + fi + echo "perform_release=${PERFORM_RELEASE}" >> "$GITHUB_OUTPUT" + - name: Setup JDK uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: 'temurin' java-version: '25' + cache: ${{ steps.release_check.outputs.perform_release != 'true' && 'maven' || '' }} - name: Validate Java version consistency working-directory: ${{ inputs.workingDirectory }} @@ -183,22 +200,8 @@ jobs: build-args: GITHUB_ACTOR=${{ github.actor }} - - name: Check if perform release - id: perform_release - run: | - PERFORM_RELEASE=false - if [[ "${GITHUB_REF}" == "refs/heads/main" || "${GITHUB_REF}" == "refs/heads/develop" || "${GITHUB_REF}" == "refs/heads/aks-dev" ]]; then - PERFORM_RELEASE=true - elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then - PERFORM_RELEASE=true - elif [[ "${{ inputs.performRelease }}" == "true" ]]; then - PERFORM_RELEASE=true - fi - echo "PERFORM_RELEASE=${PERFORM_RELEASE}" >> $GITHUB_ENV - echo "Perform release: ${PERFORM_RELEASE}" - - name: Extract Docker metadata - if: ${{ env.PERFORM_RELEASE == 'true' }} + if: ${{ steps.release_check.outputs.perform_release == 'true' }} id: meta uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: @@ -212,22 +215,22 @@ jobs: org.opencontainers.image.vendor=hsldevcom - name: Setup Docker Buildx - if: ${{ env.PERFORM_RELEASE == 'true' }} + if: ${{ steps.release_check.outputs.perform_release == 'true' }} uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Login to Docker Hub - if: ${{ env.PERFORM_RELEASE == 'true' }} + if: ${{ steps.release_check.outputs.perform_release == 'true' }} uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: username: ${{ secrets.DOCKER_HUB_INFODEVOPS_USERNAME }} password: ${{ secrets.DOCKER_HUB_INFODEVOPS_TOKEN }} - name: Build & Push Docker image - if: ${{ env.PERFORM_RELEASE == 'true' }} + if: ${{ steps.release_check.outputs.perform_release == 'true' }} uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: ${{ inputs.workingDirectory }} - push: ${{ env.PERFORM_RELEASE }} + push: ${{ steps.release_check.outputs.perform_release }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} secrets: | diff --git a/.github/workflows/ci-cd-kotlin.yml b/.github/workflows/ci-cd-kotlin.yml index 63669ed..b7d6456 100644 --- a/.github/workflows/ci-cd-kotlin.yml +++ b/.github/workflows/ci-cd-kotlin.yml @@ -68,11 +68,28 @@ jobs: ref: ${{ env.SHARED_WORKFLOW_REF }} path: .shared-workflows + - name: Check if release build + id: release_check + env: + PERFORM_RELEASE_INPUT: ${{ inputs.performRelease }} + run: | + PERFORM_RELEASE=false + if [[ "${GITHUB_REF}" == "refs/heads/main" || \ + "${GITHUB_REF}" == "refs/heads/develop" || \ + "${GITHUB_REF}" == "refs/heads/aks-dev" || \ + "${GITHUB_REF}" == refs/tags/* ]]; then + PERFORM_RELEASE=true + elif [[ "${PERFORM_RELEASE_INPUT}" == "true" ]]; then + PERFORM_RELEASE=true + fi + echo "perform_release=${PERFORM_RELEASE}" >> "$GITHUB_OUTPUT" + - name: Setup JDK uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: 'temurin' java-version: '11' + cache: ${{ steps.release_check.outputs.perform_release != 'true' && 'gradle' || '' }} - name: Validate Java version consistency env: @@ -162,26 +179,12 @@ jobs: push: 'false' tags: 'hsldevcom/${{ env.IMAGE_NAME }}:${{ github.sha }}' - - name: Check if perform release - id: perform_release - run: | - PERFORM_RELEASE=false - if [[ "${GITHUB_REF}" == "refs/heads/main" || "${GITHUB_REF}" == "refs/heads/develop" || "${GITHUB_REF}" == "refs/heads/aks-dev" ]]; then - PERFORM_RELEASE=true - elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then - PERFORM_RELEASE=true - elif [[ "${{ inputs.performRelease }}" == "true" ]]; then - PERFORM_RELEASE=true - fi - echo "PERFORM_RELEASE=${PERFORM_RELEASE}" >> $GITHUB_ENV - echo "Perform release: ${PERFORM_RELEASE}" - - name: Setup Docker Buildx - if: env.PERFORM_RELEASE == 'true' + if: steps.release_check.outputs.perform_release == 'true' uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Extract Docker metadata - if: env.PERFORM_RELEASE == 'true' + if: steps.release_check.outputs.perform_release == 'true' id: meta uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: @@ -195,17 +198,17 @@ jobs: org.opencontainers.image.vendor=hsldevcom - name: Login to Docker Hub - if: env.PERFORM_RELEASE == 'true' + if: steps.release_check.outputs.perform_release == 'true' uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: username: ${{ secrets.DOCKER_HUB_INFODEVOPS_USERNAME }} password: ${{ secrets.DOCKER_HUB_INFODEVOPS_TOKEN }} - name: Build & Push Docker image - if: env.PERFORM_RELEASE == 'true' + if: steps.release_check.outputs.perform_release == 'true' uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: . - push: ${{ env.PERFORM_RELEASE }} + push: ${{ steps.release_check.outputs.perform_release }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} From 48e333e8b014a81b58549c4f2343e3adc5d53d55 Mon Sep 17 00:00:00 2001 From: bogdandina Date: Tue, 19 May 2026 22:42:03 +0300 Subject: [PATCH 6/9] feat(79897): fix --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f87152f..b5e5a7a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -51,7 +51,7 @@ jobs: security-events: write steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: persist-credentials: false From 32395d37feedd2c5d1af406662f93e7f56e94347 Mon Sep 17 00:00:00 2001 From: bogdandina Date: Tue, 19 May 2026 23:07:55 +0300 Subject: [PATCH 7/9] feat(79895): split job in ci & cd --- .github/workflows/ci-cd-java.yml | 78 +++++++++++-------------- .github/workflows/ci-cd-kotlin.yml | 68 ++++++++++----------- .github/workflows/ci-cd-typescript.yml | 81 ++++++++++++++------------ 3 files changed, 109 insertions(+), 118 deletions(-) diff --git a/.github/workflows/ci-cd-java.yml b/.github/workflows/ci-cd-java.yml index 3b93922..5724e91 100644 --- a/.github/workflows/ci-cd-java.yml +++ b/.github/workflows/ci-cd-java.yml @@ -1,8 +1,6 @@ name: ci-cd-java.yml -permissions: - contents: read - packages: read +permissions: {} on: workflow_call: @@ -32,9 +30,12 @@ env: IMAGE_NAME_MIXED_CASE: "${{ github.repository }}" jobs: - build-check-test-push: - name: Build, check, test, push + ci: + name: Build, check, test runs-on: ubuntu-latest + permissions: + contents: read + packages: read steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 @@ -67,28 +68,12 @@ jobs: ref: ${{ steps.resolve_shared_workflow_ref.outputs.shared_workflow_ref }} path: .shared-workflows - - name: Check if release build - id: release_check - env: - PERFORM_RELEASE_INPUT: ${{ inputs.performRelease }} - run: | - PERFORM_RELEASE=false - if [[ "${GITHUB_REF}" == "refs/heads/main" || \ - "${GITHUB_REF}" == "refs/heads/develop" || \ - "${GITHUB_REF}" == "refs/heads/aks-dev" || \ - "${GITHUB_REF}" == refs/tags/* ]]; then - PERFORM_RELEASE=true - elif [[ "${PERFORM_RELEASE_INPUT}" == "true" ]]; then - PERFORM_RELEASE=true - fi - echo "perform_release=${PERFORM_RELEASE}" >> "$GITHUB_OUTPUT" - - name: Setup JDK uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: 'temurin' java-version: '25' - cache: ${{ steps.release_check.outputs.perform_release != 'true' && 'maven' || '' }} + cache: 'maven' - name: Validate Java version consistency working-directory: ${{ inputs.workingDirectory }} @@ -177,31 +162,43 @@ jobs: name: 'app.jar' path: '/app/app.jar' + release: + name: Build & push Docker image + needs: ci + if: >- + github.ref == 'refs/heads/main' || + github.ref == 'refs/heads/develop' || + github.ref == 'refs/heads/aks-dev' || + startsWith(github.ref, 'refs/tags/') || + inputs.performRelease == true + runs-on: ubuntu-latest + environment: docker-hub-release + permissions: + contents: read + steps: + - name: Checkout + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + clean: 'true' + - name: Set Docker Image Name + env: + IMAGE_NAME_INPUT: ${{ inputs.imageName }} run: | OWNER="${GITHUB_REPOSITORY%%/*}" - if [[ -n "${{ inputs.imageName }}" ]]; then - IMAGE_NAME="${OWNER,,}/${{ inputs.imageName }}" + if [[ -n "${IMAGE_NAME_INPUT}" ]]; then + IMAGE_NAME="${OWNER,,}/${IMAGE_NAME_INPUT}" else IMAGE_NAME="${GITHUB_REPOSITORY,,}" fi echo "IMAGE_NAME=${IMAGE_NAME}" >> "$GITHUB_ENV" - - name: Build Docker Image - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 - with: - context: ${{ inputs.workingDirectory }} - push: 'false' - tags: 'hsldevcom/${{ env.IMAGE_NAME }}:${{ github.sha }}' - secrets: | - github_token=${{ secrets.GITHUB_TOKEN }} - build-args: - GITHUB_ACTOR=${{ github.actor }} + - name: Setup Docker Buildx + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Extract Docker metadata - if: ${{ steps.release_check.outputs.perform_release == 'true' }} id: meta uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: @@ -214,26 +211,19 @@ jobs: org.opencontainers.image.title=${{ env.IMAGE_NAME }} org.opencontainers.image.vendor=hsldevcom - - name: Setup Docker Buildx - if: ${{ steps.release_check.outputs.perform_release == 'true' }} - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - - name: Login to Docker Hub - if: ${{ steps.release_check.outputs.perform_release == 'true' }} uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: username: ${{ secrets.DOCKER_HUB_INFODEVOPS_USERNAME }} password: ${{ secrets.DOCKER_HUB_INFODEVOPS_TOKEN }} - name: Build & Push Docker image - if: ${{ steps.release_check.outputs.perform_release == 'true' }} uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: ${{ inputs.workingDirectory }} - push: ${{ steps.release_check.outputs.perform_release }} + push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} secrets: | github_token=${{ secrets.GITHUB_TOKEN }} - build-args: | - GITHUB_ACTOR=${{ github.actor }} + github_actor=${{ github.actor }} diff --git a/.github/workflows/ci-cd-kotlin.yml b/.github/workflows/ci-cd-kotlin.yml index b7d6456..77d3c62 100644 --- a/.github/workflows/ci-cd-kotlin.yml +++ b/.github/workflows/ci-cd-kotlin.yml @@ -1,8 +1,6 @@ name: ci-cd-kotlin.yml -permissions: - contents: read - packages: read +permissions: {} on: workflow_call: @@ -34,9 +32,12 @@ env: IMAGE_NAME_MIXED_CASE: "${{ github.repository }}" jobs: - build-check-test-push: - name: Build, check, test, push + ci: + name: Build, check, test runs-on: ubuntu-latest + permissions: + contents: read + packages: read steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 @@ -68,28 +69,12 @@ jobs: ref: ${{ env.SHARED_WORKFLOW_REF }} path: .shared-workflows - - name: Check if release build - id: release_check - env: - PERFORM_RELEASE_INPUT: ${{ inputs.performRelease }} - run: | - PERFORM_RELEASE=false - if [[ "${GITHUB_REF}" == "refs/heads/main" || \ - "${GITHUB_REF}" == "refs/heads/develop" || \ - "${GITHUB_REF}" == "refs/heads/aks-dev" || \ - "${GITHUB_REF}" == refs/tags/* ]]; then - PERFORM_RELEASE=true - elif [[ "${PERFORM_RELEASE_INPUT}" == "true" ]]; then - PERFORM_RELEASE=true - fi - echo "perform_release=${PERFORM_RELEASE}" >> "$GITHUB_OUTPUT" - - name: Setup JDK uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: 'temurin' java-version: '11' - cache: ${{ steps.release_check.outputs.perform_release != 'true' && 'gradle' || '' }} + cache: 'gradle' - name: Validate Java version consistency env: @@ -106,7 +91,7 @@ jobs: if: ${{ inputs.runTestsInsideDocker }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITHUB_ACTOR_ARG: ${{ github.actor }} + GITHUB_ACTOR: ${{ github.actor }} DOCKER_BUILDKIT: "1" run: | cat > /tmp/Dockerfile.test << DOCKERFILE @@ -114,16 +99,16 @@ jobs: # check=error=true FROM ${TEST_BASE_IMAGE} WORKDIR /usr/app - ARG GITHUB_ACTOR=github-actions COPY . . RUN --mount=type=secret,id=github_token \ + --mount=type=secret,id=github_actor \ export GITHUB_TOKEN="\$(cat /run/secrets/github_token)" && \ - export GITHUB_ACTOR="\$GITHUB_ACTOR" && \ + export GITHUB_ACTOR="\$(cat /run/secrets/github_actor)" && \ ./gradlew test --stacktrace --no-daemon DOCKERFILE docker build \ --secret id=github_token,env=GITHUB_TOKEN \ - --build-arg "GITHUB_ACTOR=${GITHUB_ACTOR_ARG}" \ + --secret id=github_actor,env=GITHUB_ACTOR \ -f /tmp/Dockerfile.test \ . @@ -169,22 +154,33 @@ jobs: GITHUB_ACTOR: ${{ github.actor }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + release: + name: Build & push Docker image + needs: ci + if: >- + github.ref == 'refs/heads/main' || + github.ref == 'refs/heads/develop' || + github.ref == 'refs/heads/aks-dev' || + startsWith(github.ref, 'refs/tags/') || + inputs.performRelease == true + runs-on: ubuntu-latest + environment: docker-hub-release + permissions: + contents: read + steps: + - name: Checkout + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + clean: 'true' + - name: Lowercase Docker Image Name run: | echo "IMAGE_NAME=${IMAGE_NAME_MIXED_CASE,,}" >> "${GITHUB_ENV}" - - name: Build Docker Image - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 - with: - context: . - push: 'false' - tags: 'hsldevcom/${{ env.IMAGE_NAME }}:${{ github.sha }}' - name: Setup Docker Buildx - if: steps.release_check.outputs.perform_release == 'true' uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Extract Docker metadata - if: steps.release_check.outputs.perform_release == 'true' id: meta uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: @@ -198,17 +194,15 @@ jobs: org.opencontainers.image.vendor=hsldevcom - name: Login to Docker Hub - if: steps.release_check.outputs.perform_release == 'true' uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: username: ${{ secrets.DOCKER_HUB_INFODEVOPS_USERNAME }} password: ${{ secrets.DOCKER_HUB_INFODEVOPS_TOKEN }} - name: Build & Push Docker image - if: steps.release_check.outputs.perform_release == 'true' uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: . - push: ${{ steps.release_check.outputs.perform_release }} + push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} diff --git a/.github/workflows/ci-cd-typescript.yml b/.github/workflows/ci-cd-typescript.yml index 5566869..b826faf 100644 --- a/.github/workflows/ci-cd-typescript.yml +++ b/.github/workflows/ci-cd-typescript.yml @@ -1,8 +1,6 @@ name: ci-cd-typescript.yml -permissions: - contents: read - packages: read +permissions: {} on: workflow_call: @@ -27,9 +25,12 @@ env: PRODUCTION_STAGE: production jobs: - build-check-test-push: - name: Build, check, test, push + ci: + name: Build, check, test runs-on: ubuntu-latest + permissions: + contents: read + packages: read steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 @@ -65,40 +66,10 @@ jobs: fail_ci_if_error: true report_type: test_results - - name: Check if perform release - id: perform_release - run: | - PERFORM_RELEASE=false - if [[ "${GITHUB_REF}" == "refs/heads/main" || "${GITHUB_REF}" == "refs/heads/develop" || "${GITHUB_REF}" == "refs/heads/aks-dev" ]]; then - PERFORM_RELEASE=true - elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then - PERFORM_RELEASE=true - elif [[ "${{ inputs.performRelease }}" == "true" ]]; then - PERFORM_RELEASE=true - fi - echo "PERFORM_RELEASE=${PERFORM_RELEASE}" >> $GITHUB_ENV - echo "Perform release: ${PERFORM_RELEASE}" - - name: Lowercase Docker Image Name run: | echo "IMAGE_NAME=${IMAGE_NAME_MIXED_CASE,,}" >> "${GITHUB_ENV}" - - name: Extract docker metadata - id: meta - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 - with: - images: ${{ env.IMAGE_NAME }} - tags: | - type=edge,branch=main - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }} - type=sha,format=long - - - name: Setup Docker Buildx - if: env.PERFORM_RELEASE == 'true' - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - - name: Build and export to Docker if: ${{ inputs.checkAndTestInsideDocker }} uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 @@ -114,15 +85,51 @@ jobs: run: | docker run --rm "${{ env.IMAGE_NAME }}:${{ env.TEST_STAGE }}" + release: + name: Build & push Docker image + needs: ci + if: >- + github.ref == 'refs/heads/main' || + github.ref == 'refs/heads/develop' || + github.ref == 'refs/heads/aks-dev' || + startsWith(github.ref, 'refs/tags/') || + inputs.performRelease == true + runs-on: ubuntu-latest + environment: docker-hub-release + permissions: + contents: read + steps: + - name: Checkout + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + clean: 'true' + + - name: Lowercase Docker Image Name + run: | + echo "IMAGE_NAME=${IMAGE_NAME_MIXED_CASE,,}" >> "${GITHUB_ENV}" + + - name: Setup Docker Buildx + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + + - name: Extract docker metadata + id: meta + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 + with: + images: ${{ env.IMAGE_NAME }} + tags: | + type=edge,branch=main + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }} + type=sha,format=long + - name: Login to Docker Hub - if: env.PERFORM_RELEASE == 'true' uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: username: ${{ secrets.DOCKER_HUB_INFODEVOPS_USERNAME }} password: ${{ secrets.DOCKER_HUB_INFODEVOPS_TOKEN }} - name: Build and push - if: env.PERFORM_RELEASE == 'true' uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: . From e529057dbeb8d9663be3be4a0181f41072e22986 Mon Sep 17 00:00:00 2001 From: bogdandina Date: Thu, 21 May 2026 09:23:09 +0300 Subject: [PATCH 8/9] feat(79895): fixes for zizmor --- .github/workflows/ci-cd-java.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci-cd-java.yml b/.github/workflows/ci-cd-java.yml index 5724e91..f400ae7 100644 --- a/.github/workflows/ci-cd-java.yml +++ b/.github/workflows/ci-cd-java.yml @@ -42,6 +42,7 @@ jobs: with: clean: 'true' fetch-depth: 2 + persist-credentials: false # Required since custom scripts from /scripts are being used - name: Resolve shared workflow ref @@ -67,6 +68,7 @@ jobs: repository: HSLdevcom/transitdata-shared-workflows ref: ${{ steps.resolve_shared_workflow_ref.outputs.shared_workflow_ref }} path: .shared-workflows + persist-credentials: false - name: Setup JDK uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 @@ -180,6 +182,7 @@ jobs: uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: clean: 'true' + persist-credentials: false - name: Set Docker Image Name env: From a901418325263833ffa1901d1b2e57c1ac9dc42c Mon Sep 17 00:00:00 2001 From: bogdandina Date: Thu, 21 May 2026 09:28:06 +0300 Subject: [PATCH 9/9] feat(79895): more zizmor fixes --- .github/workflows/ci-cd-kotlin.yml | 3 +++ .github/workflows/ci-cd-typescript.yml | 2 ++ 2 files changed, 5 insertions(+) diff --git a/.github/workflows/ci-cd-kotlin.yml b/.github/workflows/ci-cd-kotlin.yml index 77d3c62..fdf08e6 100644 --- a/.github/workflows/ci-cd-kotlin.yml +++ b/.github/workflows/ci-cd-kotlin.yml @@ -44,6 +44,7 @@ jobs: with: clean: 'true' fetch-depth: 2 + persist-credentials: false # Required since custom scripts from /scripts are being used - name: Resolve shared workflow ref @@ -68,6 +69,7 @@ jobs: repository: HSLdevcom/transitdata-shared-workflows ref: ${{ env.SHARED_WORKFLOW_REF }} path: .shared-workflows + persist-credentials: false - name: Setup JDK uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 @@ -172,6 +174,7 @@ jobs: uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: clean: 'true' + persist-credentials: false - name: Lowercase Docker Image Name run: | diff --git a/.github/workflows/ci-cd-typescript.yml b/.github/workflows/ci-cd-typescript.yml index b826faf..4918304 100644 --- a/.github/workflows/ci-cd-typescript.yml +++ b/.github/workflows/ci-cd-typescript.yml @@ -37,6 +37,7 @@ jobs: with: clean: 'true' fetch-depth: 2 + persist-credentials: false - name: Install Node # zizmor:ignore[cache-poisoning] Node binary tool-cache is implicit and cannot be disabled; no npm package cache is configured @@ -103,6 +104,7 @@ jobs: uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: clean: 'true' + persist-credentials: false - name: Lowercase Docker Image Name run: |