[PR #166] [MERGED] Adding GHCR to CI/CD Release Workflow & further improvements #158

Closed
opened 2025-11-19 07:15:19 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/fosrl/newt/pull/166
Author: @marcschaeferger
Created: 10/21/2025
Status: Merged
Merged: 10/21/2025
Merged by: @oschwartz10612

Base: main ← Head: gh-action


📝 Commits (3)

  • ec05686 ci(actions): pin action versions to commit SHAs for security
  • 2a273dc ci(actions): add GHCR mirroring and cosign signing for Docker images
  • a1a3d63 ci(actions): change runner from ubuntu-latest to amd64-runner for CI/CD workflows

📊 Changes

2 files changed (+155 additions, -59 deletions)


📝 .github/workflows/cicd.yml (+152 -56)
📝 .github/workflows/test.yml (+3 -3)

📄 Description

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description Copilot

This pull request enhances the CI/CD pipeline and test workflow for improved security, reliability, and container image handling. The main changes include pinning all GitHub Actions to specific commit SHAs, adding multi-registry container image publishing and signing (including dual-signing with Cosign), and improving runner consistency.

CI/CD Workflow Improvements:

  • All GitHub Actions in .github/workflows/cicd.yml are now pinned to specific SHAs to reduce supply-chain risk. [1] [2]
  • The pipeline now builds and pushes Docker images to both Docker Hub and GHCR, then mirrors images between registries using skopeo.
  • Container images are dual-signed using Cosign (both keyless OIDC and key-based), and signatures are verified for both registries.
  • Added job-level timeout and concurrency controls to prevent stuck or overlapping runs.
  • Improved documentation and environment variable management for clarity and maintainability.

Test Workflow Improvements:

  • The test workflow now uses the same self-hosted amd64-runner as the CI/CD pipeline for consistency.
  • Actions in .github/workflows/test.yml are also pinned to specific SHAs.

How to test?


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
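As an added example that is not part of this PR or the newt project: a small POSIX shell check for the SHA-pinning rule the description relies on, reporting every `uses:` reference in a workflow that points at a mutable tag or branch instead of a full 40-hex commit. The sample workflow and its 40-hex SHA are constructed placeholders, not real action commits.

```shell
#!/bin/sh
# Added example (not the newt project's own tooling): flag GitHub Actions
# `uses:` references that are not pinned to a full 40-hex commit SHA.

# Emit "<line>: <ref>" for each unpinned reference. Local actions (./path)
# and docker:// images are skipped; they are pinned by other means.
find_unpinned() {
  awk '
    /^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/ {
      ref = $0
      sub(/^[^:]*:[[:space:]]*/, "", ref)   # drop the "uses:" prefix
      sub(/[[:space:]]*#.*$/, "", ref)      # drop a trailing "# vX" comment
      gsub(/"/, "", ref)                    # drop surrounding double quotes
      if (ref ~ /^\.\//) next               # local composite action
      if (ref ~ /^docker:\/\//) next        # container action
      n = index(ref, "@")
      if (n == 0) { print NR ": " ref " (no @ref)"; next }
      sha = substr(ref, n + 1)
      # Only a 40-character lowercase hex string counts as a commit pin.
      if (length(sha) != 40 || sha !~ /^[0-9a-f]+$/) print NR ": " ref
    }' "$1"
}

# Convenience wrapper: number of unpinned references in a workflow file.
count_unpinned() {
  find_unpinned "$1" | wc -l | tr -d ' '
}

# Constructed sample workflow: one SHA-pinned step (placeholder SHA), one
# tag-pinned, one branch-pinned, one local action that should be ignored.
write_sample() {
  cat > "$1" <<'EOF'
name: sample
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder)
      - uses: actions/setup-go@v5
      - uses: "docker/login-action@main"
      - uses: ./.github/actions/local-thing
EOF
}

# Stand-alone usage: ./check_pins.sh .github/workflows/cicd.yml
if [ $# -gt 0 ]; then
  find_unpinned "$1"
fi
```

A clean run prints nothing; in CI, fail the job when `count_unpinned` is non-zero so a tag-pinned action cannot slip back in.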
