🤖 Generated by the Daily AI Assistant
Part of #252 (roadmap: complete · consistent · secure).
Problem
Every reusable workflow has a [Test] job in ci.yaml aggregated under CI - Required Checks — except publish-app.yaml, the newest workflow. It publishes a container image + Kubernetes manifests as an OCI artifact and performs keyless cosign signing (Fulcio/Rekor via GitHub OIDC). An unsigned/unverified change to a signing-and-publish path is exactly what CI should catch before it reaches a consumer; right now nothing exercises it on PR.
Proposed direction
Add a [Test] Publish App - Dry Run job to ci.yaml following the established pattern (the existing [Test] Publish .NET Library - Dry Run / [Test] Deploy GitHub Pages - Dry Run jobs are the template):
- Drive it from a minimal fixture under .github/fixtures/ (a tiny deploy/ manifest dir + app-name), reusing the existing fixture style.
- Run in a safe/dry-run mode that exercises build + manifest packaging without pushing to GHCR or producing a real signature (mirror how publish-dotnet-library's dry-run avoids a real NuGet push). If publish-app.yaml lacks a dry-run/safe path, add one as an input (backward-compatible default false).
- Wire the new job into the CI - Required Checks aggregation.
Acceptance criteria
- ci.yaml has a publish-app [Test] job, green on PR, no real registry push / signature.
- Aggregated by CI - Required Checks.
- actionlint-clean; additive only.
Rough size
Small (one new [Test] job + a small fixture; possibly a dry-run input on publish-app.yaml).
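A sketch of the dry-run gate and the CI wiring proposed above, as an added example that is not taken from the repository. The `manifest-dir` input, the `example-org` image path, the fixture path, the job ids and the step bodies are assumptions; `dry-run` is the input the issue proposes.

```yaml
# Added sketch, not the repository's workflows; names, paths and step bodies are assumptions.
# ---- .github/workflows/publish-app.yaml (reusable workflow) ----
on:
  workflow_call:
    inputs:
      app-name: { type: string, required: true }
      manifest-dir: { type: string, default: deploy }   # hypothetical input
      dry-run: { type: boolean, default: false }        # existing callers keep publishing
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions: { contents: read, packages: write, id-token: write }  # id-token: OIDC for keyless cosign
    env:
      IMAGE: ghcr.io/example-org/${{ inputs.app-name }}:${{ github.sha }}   # placeholder owner
      MANIFEST_DIR: ${{ inputs.manifest-dir }}   # passed via env, not interpolated into the script
    steps:
      - uses: actions/checkout@v4                            # pin actions to a commit SHA in real use
      - run: docker build -t "$IMAGE" .                      # runs in both modes
      - run: tar -czf manifests.tgz -C "$MANIFEST_DIR" .     # runs in both modes
      - if: ${{ !inputs.dry-run }}
        uses: docker/login-action@v3
        with: { registry: ghcr.io, username: "${{ github.actor }}", password: "${{ github.token }}" }
      - if: ${{ !inputs.dry-run }}
        run: docker push "$IMAGE"
      - if: ${{ !inputs.dry-run }}
        uses: sigstore/cosign-installer@v3
      - if: ${{ !inputs.dry-run }}                           # sign the pushed digest, not the tag
        run: cosign sign --yes "$(docker inspect --format '{{index .RepoDigests 0}}' "$IMAGE")"
---
# ---- .github/workflows/ci.yaml (jobs added or changed) ----
jobs:
  test-publish-app-dry-run:
    name: "[Test] Publish App - Dry Run"
    # The caller must grant the scopes the called job requests; the `if` gates keep a dry run from using them.
    permissions: { contents: read, packages: write, id-token: write }
    uses: ./.github/workflows/publish-app.yaml
    with:
      app-name: fixture-app
      manifest-dir: .github/fixtures/publish-app/deploy
      dry-run: true
  required-checks:
    name: CI - Required Checks
    if: always()                          # run even when a dependency fails, so the failure is reported
    needs: [test-publish-app-dry-run]     # alongside the existing [Test] jobs
    runs-on: ubuntu-latest
    steps:
      - if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
        run: exit 1
```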