diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index cc9e71f..903c205 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,5 +1,21 @@
 # SPDX-License-Identifier: MIT
 # Copyright (c) 2026 Netresearch DTT GmbH
+#
+# Static checks for the snipe-it-docker-compose-stack repo.
+#
+# Splits into:
+# - container-lint → delegates Dockerfile (hadolint) + shellcheck on shipped
+# scripts to netresearch/.github's reusable
+# lint-container.yml on @main. Reusable pins hadolint to
+# v2.14.0, which handles Docker 25's HEALTHCHECK
+# --start-interval correctly. (Earlier v2.12.0 pin was a
+# bug — see netresearch/.github#141 + a4a763e.)
+# - compose-validate → stays inline. Validates docker compose config with
+# repo-specific .env.example placeholder substitution
+# (caller-specific shape that doesn't generalise).
+# - yamllint → stays inline. The repo has no .yamllint.yml config
+# file; rules are passed via config_data here to keep
+# the contract local.
 name: lint
@@ -14,26 +30,13 @@ permissions:
 contents: read
 jobs:
- hadolint:
- name: hadolint (Dockerfile)
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- # hadolint/hadolint-action@v3.1.0 bundles hadolint v2.12.0 (Mar 2023),
- # which predates Docker 25's HEALTHCHECK --start-interval flag and
- # crashes with "invalid flag: --start-interval" on any Dockerfile
- # that uses it. Use `hadolint:latest-alpine` directly so we track
- # current hadolint releases (the action wraps the same image but
- # version-pinned to whenever the action shipped).
- - name: hadolint (via latest-alpine image)
- run: |
- docker run --rm -i \
- -v "${{ github.workspace }}/.hadolint.yaml:/.config/hadolint.yaml:ro"
- hadolint/hadolint:latest-alpine
- hadolint --config /.config/hadolint.yaml --failure-threshold warning - \
- < Dockerfile
+ container-lint:
+ # hadolint (always) + shellcheck (because shell-scandirs is set).
+ uses: netresearch/.github/.github/workflows/lint-container.yml@main
+ permissions:
+ contents: read
+ with:
+ shell-scandirs: ./rootfs/usr/local/bin ./bin
 compose-validate:
 name: docker compose config
@@ -54,17 +57,6 @@ jobs:
 docker compose config --quiet
 docker compose -f compose.yml config --quiet
- shellcheck:
- name: shellcheck (entrypoint + scripts)
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- - uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
- with:
- scandir: ./rootfs/usr/local/bin ./bin
-
 yamllint:
 name: yamllint
 runs-on: ubuntu-latest
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 1fa4ae0..3e86c5e 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
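Review bot: `uses: netresearch/.github/.github/workflows/lint-container.yml@main` on the new container-lint job references a mutable branch, while every action the removed hadolint job used was pinned to a full commit SHA with a version comment (`actions/checkout@de0fac2e… # v6.0.2`). A reusable workflow is fetched from another repository exactly like an action, so it is the same kind of supply-chain dependency the pinning discipline elsewhere in this file exists for, and the header comment's claim that the reusable "pins hadolint to v2.14.0" can stop being true without any change showing up in this repo. Pinning to a commit keeps the trust boundary where the rest of the file puts it: `uses: netresearch/.github/.github/workflows/lint-container.yml@<commit-sha> # main as of <date>`. The same applies to the scorecard.yml and smoke-test.yml hunks in this commit, which switch `analysis` and `image-surface` to `@main` as well.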
@@ -2,6 +2,7 @@
 # Copyright (c) 2026 Netresearch DTT GmbH
 #
 # OpenSSF Scorecard — supply-chain security health check.
+# Delegates to the org-wide reusable in netresearch/.github.
 # Runs weekly against main and uploads SARIF to GitHub code-scanning.
 # Results also surface on the OpenSSF Scorecard public dashboard
 # (https://securityscorecards.dev/) once enabled.
@@ -17,16 +18,15 @@ on:
 workflow_dispatch:
 # Top-level permissions explicitly enumerated (SonarCloud rule
-# githubactions:S8234). The `analysis` job below requests its own
-# additional permissions; this minimum lets supporting tooling read
-# metadata without granting writes.
+# githubactions:S8234). The reusable's job requests its own
+# additional permissions via its own permissions block; this minimum
+# lets supporting tooling read metadata without granting writes.
 permissions:
 contents: read
 jobs:
 analysis:
 name: Scorecard analysis
- runs-on: ubuntu-latest
 permissions:
 # required by scorecard-action for publishing results
 security-events: write
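Review bot: The rewritten comment says the reusable's job "requests its own additional permissions via its own permissions block", which reads as if the called workflow can widen what it receives; for a reusable workflow the caller job's `permissions:` block is a ceiling that the called workflow can only narrow, so the `analysis` job's block in this hunk (not anything in netresearch/.github) is what actually bounds the Scorecard steps. Suggest `# githubactions:S8234). The analysis job's permissions block below is the ceiling passed to the called reusable workflow (a called workflow can only narrow it); this minimum lets supporting tooling read metadata without granting writes.` so a reader looks for the grant in this file. Dropping `runs-on` from `analysis` is correct for a job that `uses:` a reusable workflow.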
@@ -35,29 +35,4 @@ jobs:
 contents: read
 # needed for nested API calls (Branch-Protection, Webhooks checks)
 actions: read
- steps:
- - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
-
- - name: Run analysis
- uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
- with:
- results_file: results.sarif
- results_format: sarif
- # publish_results: true uploads to the OpenSSF public dashboard.
- # Required for the org-level Scorecard badge.
- publish_results: true
-
- - name: Upload artifact (raw results)
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- with:
- name: SARIF file
- path: results.sarif
- retention-days: 5
-
- - name: Upload to code-scanning
- uses: github/codeql-action/upload-sarif@bc0b696b4103f5fe60f15749af68a046868d511a # codeql-bundle-v2.25.4
- with:
- sarif_file: results.sarif
+ uses: netresearch/.github/.github/workflows/scorecard.yml@main
diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml
index 9670832..0db1ba5 100644
--- a/.github/workflows/smoke-test.yml
+++ b/.github/workflows/smoke-test.yml
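Review bot: With the inline steps gone, `publish_results: true`, the SARIF upload to code-scanning and the 5-day raw-results artifact are now whatever netresearch/.github's scorecard.yml does, yet the file header (context in the previous hunk) still promises code-scanning upload and dashboard publication, and the deleted comment explaining why `publish_results` is required for the org badge has no replacement. A one-line comment on the new `uses:` line, e.g. `# publish_results + SARIF upload happen in the reusable; the permissions above must stay a superset of what its job declares`, keeps that contract visible in this file. If the reusable still sets `publish_results: true` it presumably needs `id-token: write` from this job; that grant would sit in the two lines between this hunk and the previous one, which are outside the diff, so worth confirming.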
@@ -1,5 +1,24 @@
 # SPDX-License-Identifier: MIT
 # Copyright (c) 2026 Netresearch DTT GmbH
+#
+# Smoke tests for the snipe-it-docker-compose-stack repo.
+#
+# Splits into:
+# - image-surface → delegates buildx --load amd64 +
+# container-structure-test to the netresearch/.github
+# reusable smoke-test-container.yml. Pinned to the
+# feature branch until PR netresearch/.github#141
+# merges; flip to @main then.
+# - compose-up → stays inline. Boots the full compose stack with
+# placeholder-substituted .env and probes / for
+# HTTP 200/302 — snipe-it-specific bootstrap and
+# known HTTP route.
+# - init-idempotency → stays inline. Verifies bin/init.sh is idempotent —
+# snipe-it-specific contract (APP_KEY / random PW
+# generation must not re-roll on second run).
+# - upstream-tests → stays inline. Builds the `tester` Dockerfile stage
+# which runs the upstream Snipe-IT phpunit suite —
+# snipe-it-specific target stage.
 name: smoke-test
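Review bot: The `image-surface` bullet says the reusable is "Pinned to the feature branch until PR netresearch/.github#141 merges; flip to @main then", but the jobs hunk below already references `smoke-test-container.yml@main`, so the comment and the code disagree. If #141 has merged, replace those two sentences with `reusable smoke-test-container.yml on @main.`; if it has not, the `@main` ref will fail to resolve the workflow file at run time and the job's `uses:` should point at the ref that actually carries it (ideally a commit SHA). The lint.yml header in this same commit describes its reusable as being on @main, which suggests the wording here is a leftover from an earlier draft.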
@@ -28,30 +47,14 @@ concurrency:
 jobs:
 image-surface:
- name: container-structure-test
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- - name: Build amd64 image (load locally)
- uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
- with:
- context: .
- target: runtime
- platforms: linux/amd64
- load: true
- tags: snipe-it-php-fpm:test
- cache-from: type=gha,scope=smoke-test
- cache-to: type=gha,scope=smoke-test,mode=max
- - name: Install container-structure-test
- run: |
- curl -fsSL -o /tmp/cst \
- "https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64"
- sudo install /tmp/cst /usr/local/bin/container-structure-test
- - name: Run image-surface tests
- run: container-structure-test test --image snipe-it-php-fpm:test --config tests/container-structure-test.yaml
+ uses: netresearch/.github/.github/workflows/smoke-test-container.yml@main
+ permissions:
+ contents: read
+ with:
+ image-tag: snipe-it-php-fpm:test
+ target: runtime
+ cst-config-path: tests/container-structure-test.yaml
+ cache-scope: smoke-test
 compose-up:
 name: stack boots healthy
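Review bot: The removed job carried `name: container-structure-test` and its replacement has no `name:`, so the check run this job reports changes from "container-structure-test" to a name derived from the job id and the called workflow's job (roughly `image-surface / <called job name>`); any required-status-check rule keyed on the old name would silently stop matching, and the commit does not mention the rename. The same happens in lint.yml, where `hadolint (Dockerfile)` and `shellcheck (entrypoint + scripts)` collapse into an unnamed `container-lint` job. If the old names are relied on, `name: container-structure-test` remains valid on a job that uses a reusable workflow; otherwise a sentence in the commit message noting the check-name change would help whoever maintains branch protection. Whether `cache-scope: smoke-test` reproduces the removed `cache-from`/`cache-to` pair with `mode=max` depends on the reusable and cannot be confirmed from this diff.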