[PR #32] [MERGED] Adding GHCR to CI/CD Release Workflow & further improvements #31

Closed
opened 2025-11-19 07:03:40 -06:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/fosrl/gerbil/pull/32
Author: @marcschaeferger
Created: 10/20/2025
Status: Merged
Merged: 10/20/2025
Merged by: @oschwartz10612

Base: main ← Head: gh-action


📝 Commits (4)

  • ca23ae7 ci(actions): pin action versions to commit SHAs for security
  • 2b7e93e ci(actions): add permissions section to CI/CD and test workflows
  • 06b1e84 feat(ci): add step to update version in main.go during CI/CD pipeline
  • 6cde07d ci(actions): add GHCR mirroring and cosign signing for Docker images

📊 Changes

2 files changed (+160 additions, -49 deletions)


📝 .github/workflows/cicd.yml (+154 -46)
📝 .github/workflows/test.yml (+6 -3)

📄 Description

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description Copilot

This pull request improves the security, reliability, and transparency of the CI/CD and test workflows by pinning all GitHub Actions to specific commit SHAs, adding explicit permissions, and enhancing the release process with image signing and mirroring. The CI/CD pipeline now includes steps for dual-signing container images, mirroring images to GHCR, updating version information in main.go, and installing required tools. The test workflow also receives minor security improvements.

CI/CD Pipeline Enhancements:

  • All actions in .github/workflows/cicd.yml are now pinned to specific commit SHAs to minimize supply-chain risks.
  • The workflow now dual-signs container images (both keyless/OIDC and key-based) and verifies signatures for both Docker Hub and GHCR images using Cosign.
  • Images are mirrored from Docker Hub to GHCR using Skopeo, ensuring availability and enabling signature verification.
  • The pipeline updates the version in main.go based on the pushed tag, ensuring version consistency in release builds.

Security and Permissions:

  • Explicit permissions are set for both CI/CD (cicd.yml) and test (test.yml) workflows, limiting access to only required scopes. [1] [2]

Test Workflow Improvements:

  • All actions in .github/workflows/test.yml are pinned to specific commit SHAs, improving supply-chain security.

How to test?


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

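The pieces the description lists, as an added illustrative workflow fragment that is not the PR's own cicd.yml: SHA-pinned actions, a least-privilege permissions block, a tag-driven version rewrite in main.go, a Skopeo mirror to GHCR, and Cosign dual-signing (keyless plus key-based) with verification of both images. The action SHAs, the DOCKERHUB_IMAGE value, the secret/variable names and the `var version` line in main.go are placeholders or assumptions, and the build/push steps are omitted.

```yaml
name: release
on:
  push:
    tags: ["v*"]

# Least-privilege token scopes for the whole workflow.
permissions:
  contents: read
  packages: write   # push the mirrored image and signatures to GHCR
  id-token: write   # OIDC token for keyless (Sigstore) signing

jobs:
  release:
    runs-on: ubuntu-latest
    env:
      TAG: ${{ github.ref_name }}
      DOCKERHUB_IMAGE: docker.io/example-org/example-image   # placeholder
      GHCR_IMAGE: ghcr.io/${{ github.repository }}
    steps:
      # Pin by full commit SHA, never by a mutable tag; keep the version as a comment for review.
      - uses: actions/checkout@<FULL-40-HEX-COMMIT-SHA>           # vX.Y.Z (placeholder SHA)
      - uses: sigstore/cosign-installer@<FULL-40-HEX-COMMIT-SHA>  # vX.Y.Z (placeholder SHA)

      # Derive the release version from the pushed tag ("v1.2.3" -> "1.2.3").
      # The `var version = "..."` line in main.go is an assumption about the code base.
      - name: Set version in main.go
        run: sed -i "s/^var version = .*/var version = \"${TAG#v}\"/" main.go

      # (Docker Hub build, push and registry logins omitted.)
      - name: Mirror image to GHCR with skopeo
        run: |
          skopeo login ghcr.io -u "${{ github.actor }}" --password "${{ secrets.GITHUB_TOKEN }}"
          skopeo copy --all "docker://${DOCKERHUB_IMAGE}:${TAG}" "docker://${GHCR_IMAGE}:${TAG}"

      - name: Dual-sign by digest and verify both images
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }}
        run: |
          for repo in "${DOCKERHUB_IMAGE}" "${GHCR_IMAGE}"; do
            # Sign the immutable digest, not the tag, so a retagged image cannot reuse the signature.
            digest=$(skopeo inspect --format '{{.Digest}}' "docker://${repo}:${TAG}")
            cosign sign --yes "${repo}@${digest}"                                # keyless / OIDC
            cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${repo}@${digest}" # key-based
            cosign verify \
              --certificate-identity-regexp "^https://github.com/${{ github.repository }}/" \
              --certificate-oidc-issuer https://token.actions.githubusercontent.com "${repo}@${digest}"
            cosign verify --key env://COSIGN_PUBLIC_KEY "${repo}@${digest}"
          done
```

Verifying immediately after signing fails the release if either signature did not land, which turns a silent signing problem into a red pipeline.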
GiteaMirror added the pull-request label 2025-11-19 07:03:40 -06:00
Reference: github-starred/gerbil#31