[PR #6986] [CLOSED] improve CI #16725

Closed
opened 2026-04-23 08:03:49 -05:00 by GiteaMirror · 0 comments
📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/6986
Author: @TriplEight
Created: 3/22/2026
Status: Closed

Base: main ← Head: main


📝 Commits (9)

  • 3337014 ci: remove dead BASE_TAGS reference in release bake step
  • 2f831e3 ci: replace unsecured curl hadolint download with an official action
  • 2e2b9c1 ci: pin ubuntu-latest to ubuntu-24.04 in merge-manifests and zizmor
  • 0442de2 Merge pull request #1 from TriplEight/3x8_improve-ci
  • 695b8de ci: add Dependabot config for github-actions and cargo.
  • 5f5127e Merge pull request #2 from TriplEight/3x8_dependabot
  • b8afae4 ci: add cargo-deny config for supply-chain checks.
  • dd9559c ci: run cargo deny in build workflow
  • 1a7fb9e Merge pull request #5 from TriplEight/3x8_cargo-deny

📊 Changes

6 files changed (+138 additions, -13 deletions)

  ➕ .github/dependabot.yml (+39 -0)
  📝 .github/workflows/build.yml (+11 -0)
  📝 .github/workflows/hadolint.yml (+11 -10)
  📝 .github/workflows/release.yml (+1 -2)
  📝 .github/workflows/zizmor.yml (+1 -1)
  ➕ deny.toml (+75 -0)

📄 Description

  1. remove dead BASE_TAGS reference in release bake step.
    steps.determine-version doesn't exist in docker-build; the expression
    resolves to an empty string. The HCL default (testing) would have
    applied, but it's moot - the bake uses push-by-digest=true so tags are
    only set in merge-manifests. Dead code.

  2. replace unsecured curl hadolint download with an official action.
    hadolint/hadolint-action uses a Docker-based runner with hadolint
    pre-bundled in ghcr.io/hadolint/hadolint:v2.14.0-debian, so no binary is
    downloaded at runtime. Pinning the action to a commit SHA covers the
    Dockerfile that specifies the image version, closing the supply-chain
    gap from the previous unverified curl | sudo install.

    Split {debian,alpine}: the action takes a single dockerfile argument,
    so debian and alpine are linted separately.

  3. pin ubuntu-latest to ubuntu-24.04 in merge-manifests and zizmor.
    ubuntu-latest is a moving target that can silently change the runner OS
    on the next GitHub-side update. All other jobs in this repo already pin
    to ubuntu-24.04; this makes merge-manifests and zizmor consistent.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
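As an added illustration of points 2 and 3 of the description (this is example code, not code from the PR or from vaultwarden), the checker below scans GitHub Actions workflow text for the three patterns the author removes: `uses:` references not pinned to a full 40-hex commit SHA, `runs-on:` labels ending in `-latest`, and `run:` steps that fetch a binary with `curl` and hand it to `sudo install` or a shell. The two workflow fragments are constructed for this example; the all-zero and all-one SHAs in the "after" fragment are format placeholders, not real commit hashes, and `docker/Dockerfile.debian` is an assumed path.

```python
"""Flag moving-target references in a GitHub Actions workflow (example code)."""
import re

# A ref is considered pinned only when it is a full 40-character hex commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUNS_ON_RE = re.compile(r"^\s*runs-on:\s*(\S+)")
# curl output piped into a shell, or handed to sudo install: unverified runtime download.
CURL_INSTALL_RE = re.compile(r"\bcurl\b.*(\|\s*(sudo\s+)?(sh|bash)\b|sudo\s+install\b)")


def check_workflow(text):
    """Return a list of (lineno, kind, ref, reason) findings for workflow text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./") or ref.startswith("docker://"):
                continue  # local actions and docker:// refs are out of scope here
            if "@" not in ref:
                findings.append((lineno, "uses", ref, "no ref given"))
                continue
            _action, _, version = ref.rpartition("@")
            if not SHA_RE.match(version):
                findings.append((lineno, "uses", ref, "not pinned to a full commit SHA"))
            continue
        m = RUNS_ON_RE.match(line)
        if m and m.group(1).strip("'\"").endswith("-latest"):
            findings.append((lineno, "runs-on", m.group(1), "floating runner label"))
            continue
        if CURL_INSTALL_RE.search(line):
            findings.append((lineno, "run", "curl", "binary fetched at runtime without verification"))
    return findings


# Constructed "before" fragment: floating runner, tag-pinned actions, curl | sudo install.
BEFORE_WORKFLOW = """\
name: Hadolint
jobs:
  hadolint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Download hadolint
        run: |
          curl -fsSL https://example.invalid/hadolint -o hadolint && sudo install hadolint /usr/local/bin/hadolint
      - uses: hadolint/hadolint-action@v3
"""

# Constructed "after" fragment: pinned runner, SHA-pinned actions (placeholder SHAs), no download.
AFTER_WORKFLOW = """\
name: Hadolint
jobs:
  hadolint:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: hadolint/hadolint-action@1111111111111111111111111111111111111111 # placeholder SHA
        with:
          dockerfile: docker/Dockerfile.debian  # assumed path
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE_WORKFLOW), ("after", AFTER_WORKFLOW)):
        print(f"== {name}: {len(check_workflow(text))} finding(s)")
        for lineno, kind, ref, reason in check_workflow(text):
            print(f"  line {lineno}: {kind} {ref}: {reason}")
```

The SHA check intentionally treats a version tag such as `@v4` as unpinned, since a tag can be moved; the trailing `# v4` comment is how tooling such as Dependabot keeps the human-readable version next to the SHA it updates.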

GiteaMirror added the pull-request label 2026-04-23 08:03:49 -05:00

Reference: github-starred/vaultwarden#16725