From 7e5c43cc94858fed56963dcd6a4862cd57eacb34 Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Thu, 21 May 2026 22:45:40 +0200 Subject: [PATCH 1/7] ci(lint): delegate hadolint + shellcheck to org-wide reusable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaces the inline hadolint container-run and ludeeus/action-shellcheck step with a single `uses:` of netresearch/.github/.github/workflows/lint-container.yml. Container-lint logic is now shared with phpbu-docker and other future container repos. Pinned to feat/reusable-container-workflows because PR netresearch/.github#141 is mergeable but BLOCKED on review at the time of this commit; a follow-up commit on this branch will flip the ref to @main once that PR merges. compose-validate (docker compose config with .env.example placeholder substitution) and yamllint stay inline — both depend on caller-shaped inputs that don't generalise to the reusable. Refs: netresearch/.github#141 Signed-off-by: Sebastian Mendel --- .github/workflows/lint.yml | 52 +++++++++++++++----------------------- 1 file changed, 21 insertions(+), 31 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index cc9e71f..62d6262 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
@@ -1,5 +1,19 @@ # SPDX-License-Identifier: MIT # Copyright (c) 2026 Netresearch DTT GmbH +# +# Static checks for the snipe-it-docker-compose-stack repo. +# +# Splits into: +# - container-lint → delegates Dockerfile (hadolint) + shellcheck on shipped +# scripts to netresearch/.github's reusable +# lint-container.yml. Pinned to the feature branch until +# PR netresearch/.github#141 merges; flip to @main then. +# - compose-validate → stays inline. Validates docker compose config with +# repo-specific .env.example placeholder substitution +# (caller-specific shape that doesn't generalise). +# - yamllint → stays inline. The repo has no .yamllint.yml config +# file; rules are passed via config_data here to keep +# the contract local. name: lint @@ -14,26 +28,13 @@ permissions: contents: read jobs: - hadolint: - name: hadolint (Dockerfile) - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - # hadolint/hadolint-action@v3.1.0 bundles hadolint v2.12.0 (Mar 2023), - # which predates Docker 25's HEALTHCHECK --start-interval flag and - # crashes with "invalid flag: --start-interval" on any Dockerfile - # that uses it. Use `hadolint:latest-alpine` directly so we track - # current hadolint releases (the action wraps the same image but - # version-pinned to whenever the action shipped). - - name: hadolint (via latest-alpine image) - run: | - docker run --rm -i \ - -v "${{ github.workspace }}/.hadolint.yaml:/.config/hadolint.yaml:ro" \ - hadolint/hadolint:latest-alpine \ - hadolint --config /.config/hadolint.yaml --failure-threshold warning - \ - < Dockerfile + container-lint: + # hadolint (always) + shellcheck (because shell-scandirs is set). + uses: netresearch/.github/.github/workflows/lint-container.yml@feat/reusable-container-workflows + permissions: + contents: read + with: + shell-scandirs: ./rootfs/usr/local/bin ./bin compose-validate: name: docker compose config 
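Review bot: The new `container-lint` job passes only `shell-scandirs`, while the hadolint step it replaces mounted the repo's `.hadolint.yaml` and ran with `--failure-threshold warning`; nothing in the `with:` block carries either, so whether the reusable honours the repo config and the warning threshold cannot be seen from this caller. The removed comment also recorded a concrete minimum-version requirement (hadolint must understand `HEALTHCHECK --start-interval`), and the caller now states nothing about it, so a silent downgrade in the reusable would only show up as a red run. I would add, above the `uses:` line, `# relies on lint-container.yml reading ./.hadolint.yaml, failing on warnings, and shipping a hadolint that accepts --start-interval — confirm against the reusable`. The same gap applies to the re-applied migration in PATCH 5/7 (the hunk at `@@ -14,26 +30,13 @@`).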
@@ -54,17 +55,6 @@ jobs: docker compose config --quiet docker compose -f compose.yml config --quiet - shellcheck: - name: shellcheck (entrypoint + scripts) - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0 - with: - scandir: ./rootfs/usr/local/bin ./bin - yamllint: name: yamllint runs-on: ubuntu-latest From 35f7fb79ba374df8e60cd0ea6c1b6470c5169aa2 Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Thu, 21 May 2026 22:45:57 +0200 Subject: [PATCH 2/7] ci(smoke-test): delegate image-surface job to org-wide reusable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaces the inline buildx --load + container-structure-test steps in the `image-surface` job with a single `uses:` of netresearch/.github/.github/workflows/smoke-test-container.yml. Same behaviour (amd64 build at the `runtime` target, GHA cache scope `smoke-test`, cst config at tests/container-structure-test.yaml) — now shared with phpbu-docker and other future container repos. Pinned to feat/reusable-container-workflows because PR netresearch/.github#141 is mergeable but BLOCKED on review at the time of this commit; a follow-up commit on this branch will flip the ref to @main once that PR merges. The other three jobs stay inline — all snipe-it-specific: - compose-up — stack boot with placeholder-substituted .env and HTTP probe of the known login route - init-idempotency — verifies bin/init.sh's APP_KEY / random-PW generation contract (must not re-roll on second run) - upstream-tests — builds the `tester` Dockerfile stage which runs the upstream Snipe-IT phpunit suite Refs: netresearch/.github#141 Signed-off-by: Sebastian Mendel --- .github/workflows/smoke-test.yml | 51 +++++++++++++++++--------------- 1 file changed, 27 insertions(+), 24 deletions(-) 
diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml index 9670832..de9eb4c 100644 --- a/.github/workflows/smoke-test.yml +++ b/.github/workflows/smoke-test.yml @@ -1,5 +1,24 @@ # SPDX-License-Identifier: MIT # Copyright (c) 2026 Netresearch DTT GmbH +# +# Smoke tests for the snipe-it-docker-compose-stack repo. +# +# Splits into: +# - image-surface → delegates buildx --load amd64 + +# container-structure-test to the netresearch/.github +# reusable smoke-test-container.yml. Pinned to the +# feature branch until PR netresearch/.github#141 +# merges; flip to @main then. +# - compose-up → stays inline. Boots the full compose stack with +# placeholder-substituted .env and probes / for +# HTTP 200/302 — snipe-it-specific bootstrap and +# known HTTP route. +# - init-idempotency → stays inline. Verifies bin/init.sh is idempotent — +# snipe-it-specific contract (APP_KEY / random PW +# generation must not re-roll on second run). +# - upstream-tests → stays inline. Builds the `tester` Dockerfile stage +# which runs the upstream Snipe-IT phpunit suite — +# snipe-it-specific target stage. name: smoke-test 
@@ -28,30 +47,14 @@ concurrency: jobs: image-surface: - name: container-structure-test - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - - name: Build amd64 image (load locally) - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 - with: - context: . - target: runtime - platforms: linux/amd64 - load: true - tags: snipe-it-php-fpm:test - cache-from: type=gha,scope=smoke-test - cache-to: type=gha,scope=smoke-test,mode=max - - name: Install container-structure-test - run: | - curl -fsSL -o /tmp/cst \ - "https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64" - sudo install /tmp/cst /usr/local/bin/container-structure-test - - name: Run image-surface tests - run: container-structure-test test --image snipe-it-php-fpm:test --config tests/container-structure-test.yaml + uses: netresearch/.github/.github/workflows/smoke-test-container.yml@feat/reusable-container-workflows + permissions: + contents: read + with: + image-tag: snipe-it-php-fpm:test + target: runtime + cst-config-path: tests/container-structure-test.yaml + cache-scope: smoke-test compose-up: name: stack boots healthy From e3eb51acffb31db6168fc86d10d623353e3af12e Mon Sep 17 00:00:00 2001 
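Review bot: The replaced build step set `context: .`, `platforms: linux/amd64` and `cache-to: ...,mode=max`, but the new `with:` block passes only `image-tag`, `target`, `cst-config-path` and `cache-scope`, so the equivalence claimed in the commit message rests on the reusable's defaults, which are not visible here. If those defaults differ (multi-platform build, or a `min` cache mode), the job still passes but no longer tests what the header comment says it does. I would record the assumption next to the call: `# assumes smoke-test-container.yml defaults to context ".", linux/amd64 with --load, and GHA cache mode=max — verify in netresearch/.github`.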
From: Sebastian Mendel Date: Thu, 21 May 2026 22:46:05 +0200 Subject: [PATCH 3/7] ci(scorecard): delegate to org-wide reusable workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaces the four-step inline OpenSSF Scorecard job (checkout + scorecard-action + upload-artifact + upload-sarif) with a single `uses:` of netresearch/.github/.github/workflows/scorecard.yml@main. The reusable's job is functionally equivalent: same scorecard-action version, same publish_results=true, same SARIF upload to GitHub code-scanning. The only behavioural change is that the per-run raw results.sarif is no longer kept as a workflow artifact for 5 days — the SARIF is still uploaded to code-scanning (the canonical surface), and re-running the workflow regenerates it on demand. This reusable is already on `main` in netresearch/.github (predates the container-workflows PR), so no ref-flip follow-up is needed for this file. Signed-off-by: Sebastian Mendel --- .github/workflows/scorecard.yml | 35 +++++---------------------------- 1 file changed, 5 insertions(+), 30 deletions(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 1fa4ae0..3e86c5e 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -2,6 +2,7 @@ # Copyright (c) 2026 Netresearch DTT GmbH # # OpenSSF Scorecard — supply-chain security health check. +# Delegates to the org-wide reusable in netresearch/.github. # Runs weekly against main and uploads SARIF to GitHub code-scanning. # Results also surface on the OpenSSF Scorecard public dashboard # (https://securityscorecards.dev/) once enabled. 
@@ -17,16 +18,15 @@ on: workflow_dispatch: # Top-level permissions explicitly enumerated (SonarCloud rule -# githubactions:S8234). The `analysis` job below requests its own -# additional permissions; this minimum lets supporting tooling read -# metadata without granting writes. +# githubactions:S8234). The reusable's job requests its own +# additional permissions via its own permissions block; this minimum +# lets supporting tooling read metadata without granting writes. permissions: contents: read jobs: analysis: name: Scorecard analysis - runs-on: ubuntu-latest permissions: # required by scorecard-action for publishing results security-events: write @@ -35,29 +35,4 @@ jobs: contents: read # needed for nested API calls (Branch-Protection, Webhooks checks) actions: read - steps: - - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - - name: Run analysis - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 - with: - results_file: results.sarif - results_format: sarif - # publish_results: true uploads to the OpenSSF public dashboard. - # Required for the org-level Scorecard badge. - publish_results: true - - - name: Upload artifact (raw results) - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 - with: - name: SARIF file - path: results.sarif - retention-days: 5 - - - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@bc0b696b4103f5fe60f15749af68a046868d511a # codeql-bundle-v2.25.4 - with: - sarif_file: results.sarif + uses: netresearch/.github/.github/workflows/scorecard.yml@main From f78c9e56f6bb1b2a6a119c30132189a4605275f4 Mon Sep 17 00:00:00 2001 
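Review bot: The rewritten comment above `permissions:` says the reusable's job "requests its own additional permissions via its own permissions block", which inverts the semantics for a `uses:` job: the caller job's `permissions` block is the ceiling, and the called workflow can only narrow it, never add to it. That matters for reading this file, because the `security-events: write` and `actions: read` kept in the job block (the block spans both hunks) are exactly what the reusable on `@main` will be allowed to use. I would change the last two comment lines to `# githubactions:S8234). The job-level permissions block below is the` / `# ceiling for the reusable; the called workflow can only narrow it.`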
From: Sebastian Mendel Date: Thu, 21 May 2026 22:50:05 +0200 Subject: [PATCH 4/7] ci(lint): revert hadolint+shellcheck reusable migration MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The netresearch/.github reusable lint-container.yml on branch feat/reusable-container-workflows (HEAD 1a56c99) pins hadolint to v2.12.0-alpine by digest. That's exactly the version the original snipe-it lint.yml warned against — it predates Docker 25's HEALTHCHECK --start-interval flag and crashes on the snipe-it Dockerfile's healthcheck line: /dev/stdin:228:5 invalid flag: --start-interval Process completed with exit code 1. The reusable's docstring still claims latest-alpine, so this is an upstream regression between PR review and the current branch HEAD. Reverting the lint.yml migration until netresearch/.github either: - re-pins to a hadolint version >= v2.13 (which supports --start-interval), or - adds a hadolint-image input so callers can override. The shellcheck migration is reverted together with hadolint — they share the same caller-job wrapping. Refs: netresearch/.github#141 Signed-off-by: Sebastian Mendel --- .github/workflows/lint.yml | 52 +++++++++++++++++++++++--------------- 1 file changed, 31 insertions(+), 21 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 62d6262..cc9e71f 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
@@ -1,19 +1,5 @@ # SPDX-License-Identifier: MIT # Copyright (c) 2026 Netresearch DTT GmbH -# -# Static checks for the snipe-it-docker-compose-stack repo. -# -# Splits into: -# - container-lint → delegates Dockerfile (hadolint) + shellcheck on shipped -# scripts to netresearch/.github's reusable -# lint-container.yml. Pinned to the feature branch until -# PR netresearch/.github#141 merges; flip to @main then. -# - compose-validate → stays inline. Validates docker compose config with -# repo-specific .env.example placeholder substitution -# (caller-specific shape that doesn't generalise). -# - yamllint → stays inline. The repo has no .yamllint.yml config -# file; rules are passed via config_data here to keep -# the contract local. name: lint @@ -28,13 +14,26 @@ permissions: contents: read jobs: - container-lint: - # hadolint (always) + shellcheck (because shell-scandirs is set). - uses: netresearch/.github/.github/workflows/lint-container.yml@feat/reusable-container-workflows - permissions: - contents: read - with: - shell-scandirs: ./rootfs/usr/local/bin ./bin + hadolint: + name: hadolint (Dockerfile) + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + # hadolint/hadolint-action@v3.1.0 bundles hadolint v2.12.0 (Mar 2023), + # which predates Docker 25's HEALTHCHECK --start-interval flag and + # crashes with "invalid flag: --start-interval" on any Dockerfile + # that uses it. Use `hadolint:latest-alpine` directly so we track + # current hadolint releases (the action wraps the same image but + # version-pinned to whenever the action shipped). + - name: hadolint (via latest-alpine image) + run: | + docker run --rm -i \ + -v "${{ github.workspace }}/.hadolint.yaml:/.config/hadolint.yaml:ro" \ + hadolint/hadolint:latest-alpine \ + hadolint --config /.config/hadolint.yaml --failure-threshold warning - \ + < Dockerfile compose-validate: name: docker compose config 
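Review bot: The restored hadolint step runs `hadolint/hadolint:latest-alpine` on a floating tag with no digest, so the linter executing in CI changes whenever upstream pushes the tag, unlike every other dependency in this file, which is SHA-pinned. The comment's reason for floating (hadolint v2.12.0 rejects `--start-interval`) is a minimum-version requirement, which a pinned image with a bot-driven bump satisfies just as well; the commit message itself names v2.13 as the floor and v2.14.0 as a known-good release. I would change the image line to `hadolint/hadolint:v2.14.0-alpine@sha256:<DIGEST-PLACEHOLDER> \` and reword the comment to state the floor ("needs hadolint >= v2.13 for HEALTHCHECK --start-interval") rather than the history of the action wrapper. This is moot if the reusable migration in PATCH 5/7 sticks, but the inline job is what runs until then.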
@@ -55,6 +54,17 @@ jobs: docker compose config --quiet docker compose -f compose.yml config --quiet + shellcheck: + name: shellcheck (entrypoint + scripts) + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0 + with: + scandir: ./rootfs/usr/local/bin ./bin + yamllint: name: yamllint runs-on: ubuntu-latest From 820c16a83152d49e05f3e49999cb0c99c74a4aac Mon Sep 17 00:00:00 2001 
From: Sebastian Mendel Date: Thu, 21 May 2026 23:00:08 +0200 Subject: [PATCH 5/7] ci: flip reusable refs to @main now that netresearch/.github#141 merged MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR netresearch/.github#141 merged at 2026-05-21T20:58:39Z with merge commit 7477e5e. Two follow-ups in this commit: 1. smoke-test.yml: ref flip @feat/reusable-container-workflows → @main 2. lint.yml: re-apply the container-lint migration that was reverted in f78c9e5. The revert was needed because the reusable's initial hadolint pin (v2.12.0-alpine) was the version that crashes on HEALTHCHECK --start-interval — exactly the bug the reusable's DESIGN NOTES warned about. The reusable's pin was corrected to v2.14.0 in netresearch/.github commit a4a763e (also part of the merged PR 141), so the migration now works end-to-end. Inline yamllint job stays as-is (the snipe-it repo has no .yamllint.yml so the contract is local — caller-specific, doesn't generalise to the reusable). Verified locally: actionlint clean on both files. CI should pick up the new state on push. TODOs still open (from the Phase 2 sub-agent's report): - build.yml not migrated. build-container.yml needs six additional inputs (custom tags fan-out, build-args, target, OCI labels, per-cell cache-scope, provenance/sbom) before the snipe-it track×composer matrix can call it. Follow-up PR upstream. - security.yml::trivy not migrated. Needs a tolerate-pull-failure step-level input on security-container.yml so callers can keep `continue-on-error: ${{ matrix.tag == 'rolling' }}` semantics (GitHub forbids continue-on-error on reusable-caller jobs). Follow-up PR upstream. - security.yml::osv-scanner stays inline (composer.lock extraction is snipe-it-specific). Signed-off-by: Sebastian Mendel --- .github/workflows/lint.yml | 54 ++++++++++++++------------------ .github/workflows/smoke-test.yml | 2 +- 2 files changed, 24 insertions(+), 32 deletions(-) 
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index cc9e71f..903c205 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,5 +1,21 @@ # SPDX-License-Identifier: MIT # Copyright (c) 2026 Netresearch DTT GmbH +# +# Static checks for the snipe-it-docker-compose-stack repo. +# +# Splits into: +# - container-lint → delegates Dockerfile (hadolint) + shellcheck on shipped +# scripts to netresearch/.github's reusable +# lint-container.yml on @main. Reusable pins hadolint to +# v2.14.0, which handles Docker 25's HEALTHCHECK +# --start-interval correctly. (Earlier v2.12.0 pin was a +# bug — see netresearch/.github#141 + a4a763e.) +# - compose-validate → stays inline. Validates docker compose config with +# repo-specific .env.example placeholder substitution +# (caller-specific shape that doesn't generalise). +# - yamllint → stays inline. The repo has no .yamllint.yml config +# file; rules are passed via config_data here to keep +# the contract local. name: lint 
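Review bot: The new header comment states as a fact that the reusable "pins hadolint to v2.14.0", but the `container-lint` job below references `lint-container.yml@main`, so that pin can change under this caller without any edit here and the comment will drift. The statement is accurate only as a snapshot; I would phrase it that way, e.g. `# lint-container.yml on @main. As of 2026-05-21 (netresearch/.github a4a763e)` / `# the reusable pins hadolint v2.14.0, which accepts HEALTHCHECK` / `# --start-interval; v2.12.0 did not (see netresearch/.github#141).`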
@@ -14,26 +30,13 @@ permissions: contents: read jobs: - hadolint: - name: hadolint (Dockerfile) - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - # hadolint/hadolint-action@v3.1.0 bundles hadolint v2.12.0 (Mar 2023), - # which predates Docker 25's HEALTHCHECK --start-interval flag and - # crashes with "invalid flag: --start-interval" on any Dockerfile - # that uses it. Use `hadolint:latest-alpine` directly so we track - # current hadolint releases (the action wraps the same image but - # version-pinned to whenever the action shipped). - - name: hadolint (via latest-alpine image) - run: | - docker run --rm -i \ - -v "${{ github.workspace }}/.hadolint.yaml:/.config/hadolint.yaml:ro" \ - hadolint/hadolint:latest-alpine \ - hadolint --config /.config/hadolint.yaml --failure-threshold warning - \ - < Dockerfile + container-lint: + # hadolint (always) + shellcheck (because shell-scandirs is set). + uses: netresearch/.github/.github/workflows/lint-container.yml@main + permissions: + contents: read + with: + shell-scandirs: ./rootfs/usr/local/bin ./bin compose-validate: name: docker compose config @@ -54,17 +57,6 @@ jobs: docker compose config --quiet docker compose -f compose.yml config --quiet - shellcheck: - name: shellcheck (entrypoint + scripts) - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0 - with: - scandir: ./rootfs/usr/local/bin ./bin - yamllint: name: yamllint runs-on: ubuntu-latest diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml index de9eb4c..0db1ba5 100644 --- a/.github/workflows/smoke-test.yml +++ b/.github/workflows/smoke-test.yml 
@@ -47,7 +47,7 @@ concurrency: jobs: image-surface: - uses: netresearch/.github/.github/workflows/smoke-test-container.yml@feat/reusable-container-workflows + uses: netresearch/.github/.github/workflows/smoke-test-container.yml@main permissions: contents: read with: From b38104d857528f3cf91397fdab65d2201cf92c68 Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Thu, 21 May 2026 23:02:03 +0200 Subject: [PATCH 6/7] ci: SHA-pin reusable workflow refs (SonarCloud hotspots) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SonarCloud's quality gate fails on 3 LOW hotspots — one per reusable call — with message "Use full commit SHA hash for this dependency". This is the same org-policy that already SHA-pins third-party actions in this repo; SonarCloud applies it to internal reusable workflow refs as well. Pinned all three to netresearch/.github main SHA 5ce9b7d44245a76416317ff3af38589f475e055f (current main, includes the v2.14.0 hadolint fix from PR 141 + one subsequent merge). Trade-off: SHA pin loses the auto-update benefit of `@main`. Two follow-ups make this less painful: 1. Renovate's github-actions manager can be configured to bump these refs — `netresearch/.github/.github/workflows/...@` matches its default detection patterns. 2. If `netresearch/.github` adopts tagged releases (`@v1`, `@v1.2`), we can switch to those and let `v1` be the moving major. Org-wide decision; the open question raised in PR 141's discovery is still on the table. For now, SHA pin satisfies SonarCloud + matches the existing third-party action convention in this repo. Signed-off-by: Sebastian Mendel --- .github/workflows/lint.yml | 2 +- .github/workflows/scorecard.yml | 2 +- .github/workflows/smoke-test.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 903c205..e87e894 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
@@ -32,7 +32,7 @@ permissions: jobs: container-lint: # hadolint (always) + shellcheck (because shell-scandirs is set). - uses: netresearch/.github/.github/workflows/lint-container.yml@main + uses: netresearch/.github/.github/workflows/lint-container.yml@5ce9b7d44245a76416317ff3af38589f475e055f # netresearch/.github main as of 2026-05-21 permissions: contents: read with: diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 3e86c5e..f630d72 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -35,4 +35,4 @@ jobs: contents: read # needed for nested API calls (Branch-Protection, Webhooks checks) actions: read - uses: netresearch/.github/.github/workflows/scorecard.yml@main + uses: netresearch/.github/.github/workflows/scorecard.yml@5ce9b7d44245a76416317ff3af38589f475e055f # netresearch/.github main as of 2026-05-21 diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml index 0db1ba5..c7358ba 100644 --- a/.github/workflows/smoke-test.yml +++ b/.github/workflows/smoke-test.yml @@ -47,7 +47,7 @@ concurrency: jobs: image-surface: - uses: netresearch/.github/.github/workflows/smoke-test-container.yml@main + uses: netresearch/.github/.github/workflows/smoke-test-container.yml@5ce9b7d44245a76416317ff3af38589f475e055f # netresearch/.github main as of 2026-05-21 permissions: contents: read with: From 5aa57b9001063b43871dfdd8ba375a31f2f5b4b4 Mon Sep 17 00:00:00 2001 
From: Sebastian Mendel Date: Thu, 21 May 2026 23:26:30 +0200 Subject: [PATCH 7/7] Revert "ci: SHA-pin reusable workflow refs (SonarCloud hotspots)" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts b38104d. Hard org policy from user: first-party reusable workflows (anything under netresearch/) are called with @main, never SHA-pinned. SHA-pinning defeats the central-reusables architecture by freezing every consumer to a snapshot — every reusable improvement would require a per-consumer SHA-bump PR. This is distinct from third-party actions (actions/checkout, docker/build-push-action, etc.) which DO get SHA-pinned per supply-chain policy. Different trust models. SonarCloud's 3 LOW hotspots ("Use full commit SHA hash for this dependency") are NOT addressed by this revert — they need to be addressed at the SonarCloud config layer: - Mark each as REVIEWED + SAFE via SonarCloud web UI (one click each; requires a project admin), OR - Disable the rule at Quality Profile level for this project, OR - Get the rule's hotspot equivalent in the project's Quality Gate configured so that org-internal reusable refs don't count. I cannot do any of those without a SonarCloud admin token. Surfacing this to the user as the next manual step. Captured in memory feedback (feedback_no_sha_pin_own_reusables.md) so this mistake doesn't repeat. Signed-off-by: Sebastian Mendel --- .github/workflows/lint.yml | 2 +- .github/workflows/scorecard.yml | 2 +- .github/workflows/smoke-test.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index e87e894..903c205 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
@@ -32,7 +32,7 @@ permissions: jobs: container-lint: # hadolint (always) + shellcheck (because shell-scandirs is set). - uses: netresearch/.github/.github/workflows/lint-container.yml@5ce9b7d44245a76416317ff3af38589f475e055f # netresearch/.github main as of 2026-05-21 + uses: netresearch/.github/.github/workflows/lint-container.yml@main permissions: contents: read with: diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index f630d72..3e86c5e 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -35,4 +35,4 @@ jobs: contents: read # needed for nested API calls (Branch-Protection, Webhooks checks) actions: read - uses: netresearch/.github/.github/workflows/scorecard.yml@5ce9b7d44245a76416317ff3af38589f475e055f # netresearch/.github main as of 2026-05-21 + uses: netresearch/.github/.github/workflows/scorecard.yml@main diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml index c7358ba..0db1ba5 100644 --- a/.github/workflows/smoke-test.yml +++ b/.github/workflows/smoke-test.yml @@ -47,7 +47,7 @@ concurrency: jobs: image-surface: - uses: netresearch/.github/.github/workflows/smoke-test-container.yml@5ce9b7d44245a76416317ff3af38589f475e055f # netresearch/.github main as of 2026-05-21 + uses: netresearch/.github/.github/workflows/smoke-test-container.yml@main permissions: contents: read with:
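Review bot: With the three `uses:` lines back on `@main`, each caller job's permissions (notably `security-events: write` in scorecard.yml, visible in the second hunk here) are granted to whatever that branch currently contains, so the control standing in for the SHA pin is the protection on netresearch/.github's `main` (required review, no force-push), which the commit message describes as policy but none of the three workflow files records. A reviewer clearing the SonarCloud hotspots later will only see the bare `@main`. I would add the same one-line comment above each of the three `uses:` lines: `# org policy: first-party reusables float on @main (not SHA-pinned); integrity rests on branch protection of netresearch/.github main`.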