From 6334936e8a894509edbb042bf905c601910382d3 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Thu, 26 Mar 2026 16:44:02 +0100
Subject: [PATCH] fix(ci): resolve workflow and docker scan findings

---
 .github/workflows/ci.yml | 21 +++++++++++++++++++++
 .github/workflows/lint-python.yml | 3 +++
 .github/workflows/lint-shell.yml | 3 +++
 .github/workflows/publish-containers.yml | 4 ++--
 .github/workflows/test-e2e.yml | 3 +++
 .github/workflows/test-env-nix.yml | 3 +++
 .github/workflows/test-env-virtual.yml | 3 +++
 .github/workflows/test-integration.yml | 3 +++
 .github/workflows/test-unit.yml | 3 +++
 .github/workflows/test-virgin-root.yml | 3 +++
 .github/workflows/test-virgin-user.yml | 3 +++
 Dockerfile | 7 +++----
 12 files changed, 53 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e43ccad..c8fcb57 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
 - '**'
 pull_request:
 
+permissions:
+ contents: read
+
 concurrency:
 group: global-ci-${{ github.repository }}-${{ github.ref_name }}
 cancel-in-progress: false
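Review bot: The workflow-level `permissions: contents: read` added here caps the token for every job in ci.yml, and a called reusable workflow can only narrow that grant, never raise it, so the `security-codeql` job (its `uses:` line is the first context line of the next hunk; the job header itself is outside both hunks) will only be able to upload results if it declares the extra scope on the job, e.g. `permissions:` / `  contents: read` / `  security-events: write`. The per-job `contents: read` blocks the next hunk adds to the nine test and lint jobs merely repeat the new workflow default and are harmless, but the one job that plausibly needs more than the default is the one left untouched. Worth checking the next run of that job before merging, since a missing `security-events: write` typically fails at the SARIF upload step rather than at checkout.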
@@ -19,30 +22,48 @@ jobs:
 uses: ./.github/workflows/security-codeql.yml
 
 test-unit:
+ permissions:
+ contents: read
 uses: ./.github/workflows/test-unit.yml
 
 test-integration:
+ permissions:
+ contents: read
 uses: ./.github/workflows/test-integration.yml
 
 test-env-virtual:
+ permissions:
+ contents: read
 uses: ./.github/workflows/test-env-virtual.yml
 
 test-env-nix:
+ permissions:
+ contents: read
 uses: ./.github/workflows/test-env-nix.yml
 
 test-e2e:
+ permissions:
+ contents: read
 uses: ./.github/workflows/test-e2e.yml
 
 test-virgin-user:
+ permissions:
+ contents: read
 uses: ./.github/workflows/test-virgin-user.yml
 
 test-virgin-root:
+ permissions:
+ contents: read
 uses: ./.github/workflows/test-virgin-root.yml
 
 lint-shell:
+ permissions:
+ contents: read
 uses: ./.github/workflows/lint-shell.yml
 
 lint-python:
+ permissions:
+ contents: read
 uses: ./.github/workflows/lint-python.yml
 
 lint-docker:
diff --git a/.github/workflows/lint-python.yml b/.github/workflows/lint-python.yml
index 84c2428..df403d9 100644
--- a/.github/workflows/lint-python.yml
+++ b/.github/workflows/lint-python.yml
@@ -3,6 +3,9 @@ name: Ruff (Python code sniffer)
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 lint-python:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint-shell.yml b/.github/workflows/lint-shell.yml
index 4af233c..62207e8 100644
--- a/.github/workflows/lint-shell.yml
+++ b/.github/workflows/lint-shell.yml
@@ -3,6 +3,9 @@ name: ShellCheck
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 lint-shell:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-containers.yml b/.github/workflows/publish-containers.yml
index b7e34c5..05274ba 100644
--- a/.github/workflows/publish-containers.yml
+++ b/.github/workflows/publish-containers.yml
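Review bot: The `permissions: contents: read` block added to lint-python.yml — and identically to lint-shell.yml, test-e2e.yml, test-env-nix.yml, test-env-virtual.yml, test-integration.yml, test-unit.yml, test-virgin-root.yml and test-virgin-user.yml — sits in a `workflow_call` workflow, where it can only narrow the token the caller passes in, never widen it, so it is a floor rather than the effective policy. That is still worthwhile as least-privilege defence in depth, but it is easy to misread later as the grant these jobs actually receive; a one-line comment above the block would prevent that, e.g. `# Reusable workflow: this can only narrow the caller's token, never extend it.` The steps of these jobs are outside the hunks; any step that writes to the repository or posts a check or comment now needs its scope granted explicitly by the caller in ci.yml, which currently passes only `contents: read`.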
@@ -38,13 +38,13 @@ jobs:
 
 - name: Set up Docker Buildx
 if: ${{ steps.info.outputs.should_publish == 'true' }}
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
 with:
 use: true
 
 - name: Login to GHCR
 if: ${{ steps.info.outputs.should_publish == 'true' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml
index 174425b..184056f 100644
--- a/.github/workflows/test-e2e.yml
+++ b/.github/workflows/test-e2e.yml
@@ -3,6 +3,9 @@ name: Test End-To-End
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 test-e2e:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test-env-nix.yml b/.github/workflows/test-env-nix.yml
index 968a180..e067b98 100644
--- a/.github/workflows/test-env-nix.yml
+++ b/.github/workflows/test-env-nix.yml
@@ -3,6 +3,9 @@ name: Test Virgin Nix (flake only)
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 test-env-nix:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test-env-virtual.yml b/.github/workflows/test-env-virtual.yml
index 8052726..a205eef 100644
--- a/.github/workflows/test-env-virtual.yml
+++ b/.github/workflows/test-env-virtual.yml
@@ -3,6 +3,9 @@ name: Test OS Containers
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 test-env-virtual:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test-integration.yml b/.github/workflows/test-integration.yml
index 2436d96..cc49f88 100644
--- a/.github/workflows/test-integration.yml
+++ b/.github/workflows/test-integration.yml
@@ -3,6 +3,9 @@ name: Test Code Integration
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 test-integration:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test-unit.yml b/.github/workflows/test-unit.yml
index 0b25f05..c54d9a4 100644
--- a/.github/workflows/test-unit.yml
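Review bot: The two `uses:` lines now pin by full commit SHA, which is the right choice for a job that logs in to GHCR, but without a trailing tag comment neither a reviewer nor Dependabot/Renovate can tell which release each SHA corresponds to, and the pins will silently rot. Append the tag the SHA was resolved from as a comment, e.g. `uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # <resolved tag, e.g. v3.x.y>`, and the same for `docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9`. The other `uses:` entries in this job (everything before step `info`, and the build/push steps after the login) are outside the hunk; if any of them is still pinned to a mutable tag, the SHA pins on these two steps buy little, since that step runs with the same token the login step obtains.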
+++ b/.github/workflows/test-unit.yml
@@ -3,6 +3,9 @@ name: Test Units
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 test-unit:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test-virgin-root.yml b/.github/workflows/test-virgin-root.yml
index 4399b76..ae66d6a 100644
--- a/.github/workflows/test-virgin-root.yml
+++ b/.github/workflows/test-virgin-root.yml
@@ -3,6 +3,9 @@ name: Test Virgin Root
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 test-virgin-root:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test-virgin-user.yml b/.github/workflows/test-virgin-user.yml
index d1585cf..e1aa92a 100644
--- a/.github/workflows/test-virgin-user.yml
+++ b/.github/workflows/test-virgin-user.yml
@@ -3,6 +3,9 @@ name: Test Virgin User
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 test-virgin-user:
 runs-on: ubuntu-latest
diff --git a/Dockerfile b/Dockerfile
index b388f0e..9ad35e2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -43,10 +43,10 @@ WORKDIR /build
 COPY . .
 
 # Build and install distro-native package-manager package
-RUN set -euo pipefail; \
+RUN set -eu; \
 echo "Building and installing package-manager via make install..."; \
 make install; \
- cd /; rm -rf /build
+ rm -rf /build
 
 # Entry point
 COPY scripts/docker/entry.sh /usr/local/bin/docker-entry.sh
@@ -64,5 +64,4 @@ CMD ["pkgmgr", "--help"]
 
 FROM full AS slim
 COPY scripts/docker/slim.sh /usr/local/bin/slim.sh
-RUN chmod +x /usr/local/bin/slim.sh
-RUN /usr/local/bin/slim.sh
+RUN chmod +x /usr/local/bin/slim.sh && /usr/local/bin/slim.sh
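Review bot: Dropping `cd /;` means `rm -rf /build` now runs from inside `/build`, which remains the stage's `WORKDIR` (set just above the hunk) for every later instruction and is inherited by the `slim` stage in the next hunk, so the final image's working directory points at a directory that no longer exists and later `RUN` steps start in it; whether the builder recreates it or fails on chdir depends on the builder, so it should not be left to chance. The scanner finding is better answered with a `WORKDIR` instruction than by deleting the `cd`, while keeping build, install and cleanup in one layer so the source tree is actually absent from the image rather than hidden under a later layer. Removing `pipefail` is harmless for this particular command, which contains no pipeline, and presumably reflects the base image's `/bin/sh` not supporting it; if a pipe is ever added here, switch to `RUN ["/bin/bash", "-c", ...]` or a `SHELL` instruction rather than reintroducing `-o pipefail` under sh.

```dockerfile
WORKDIR /
# build, install and remove the source in ONE layer so /build never persists in the image
RUN set -eu; \
    echo "Building and installing package-manager via make install..."; \
    make -C /build install; \
    rm -rf /build
# … unchanged: entry point COPY …
```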
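Review bot: The merged `RUN chmod +x /usr/local/bin/slim.sh && /usr/local/bin/slim.sh` still spends part of a layer on a mode fix that the `COPY` directly above it can do itself: `COPY --chmod=0755 scripts/docker/slim.sh /usr/local/bin/slim.sh` followed by `RUN /usr/local/bin/slim.sh`. `COPY --chmod` requires BuildKit, which the repository already relies on through docker/setup-buildx-action in publish-containers.yml. This `RUN` is also the first command executed after the previous hunk's `rm -rf /build`, with the working directory inherited from the `full` stage still set to `/build`; `slim.sh` is not in the diff, so it is worth confirming it does not assume a valid cwd.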