main
3 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
 akanealw
|
eec8c28fb3 |
changed perms
Go Benchmark / Performance Regression Check (push) Has been cancelled
Cerberus Integration / Cerberus Security Stack Integration (push) Has been cancelled
Upload Coverage to Codecov / Backend Codecov Upload (push) Has been cancelled
Upload Coverage to Codecov / Frontend Codecov Upload (push) Has been cancelled
CodeQL - Analyze / CodeQL analysis (go) (push) Has been cancelled
CodeQL - Analyze / CodeQL analysis (javascript-typescript) (push) Has been cancelled
CrowdSec Integration / CrowdSec Bouncer Integration (push) Has been cancelled
Docker Build, Publish & Test / build-and-push (push) Has been cancelled
Quality Checks / Auth Route Protection Contract (push) Has been cancelled
Quality Checks / Codecov Trigger/Comment Parity Guard (push) Has been cancelled
Quality Checks / Backend (Go) (push) Has been cancelled
Quality Checks / Frontend (React) (push) Has been cancelled
Rate Limit integration / Rate Limiting Integration (push) Has been cancelled
Security Scan (PR) / Trivy Binary Scan (push) Has been cancelled
Supply Chain Verification (PR) / Verify Supply Chain (push) Has been cancelled
WAF integration / Coraza WAF Integration (push) Has been cancelled
Docker Build, Publish & Test / Security Scan PR Image (push) Has been cancelled
Repo Health Check / Repo health (push) Has been cancelled
History Rewrite Dry-Run / Dry-run preview for history rewrite (push) Has been cancelled
Prune Renovate Branches / prune (push) Has been cancelled
Renovate / renovate (push) Has been cancelled
Nightly Build & Package / sync-development-to-nightly (push) Has been cancelled
Nightly Build & Package / Trigger Nightly Validation Workflows (push) Has been cancelled
Nightly Build & Package / build-and-push-nightly (push) Has been cancelled
Nightly Build & Package / test-nightly-image (push) Has been cancelled
Nightly Build & Package / verify-nightly-supply-chain (push) Has been cancelled
Update GeoLite2 Checksum / update-checksum (push) Has been cancelled
Container Registry Prune / prune-ghcr (push) Has been cancelled
Container Registry Prune / prune-dockerhub (push) Has been cancelled
Container Registry Prune / summarize (push) Has been cancelled
Supply Chain Verification / Verify SBOM (push) Has been cancelled
Supply Chain Verification / Verify Release Artifacts (push) Has been cancelled
Supply Chain Verification / Verify Docker Image Supply Chain (push) Has been cancelled
Monitor Caddy Major Release / check-caddy-major (push) Has been cancelled
Weekly Nightly to Main Promotion / Verify Nightly Branch Health (push) Has been cancelled
Weekly Nightly to Main Promotion / Create Promotion PR (push) Has been cancelled
Weekly Nightly to Main Promotion / Trigger Missing Required Checks (push) Has been cancelled
Weekly Nightly to Main Promotion / Notify on Failure (push) Has been cancelled
Weekly Nightly to Main Promotion / Workflow Summary (push) Has been cancelled
Weekly Security Rebuild / Security Rebuild & Scan (push) Has been cancelled
|
||
 GitHub Actions
|
4adcd9eda1 | feat: add nightly branch workflow | ||
|
GitHub Actions
|
6c99372c52 |
fix(ci): add workflow orchestration for supply chain verification
Resolves issue where supply-chain-verify.yml ran before docker-build.yml completed, causing verification to skip on PRs because Docker image didn't exist yet. **Root Cause:** Both workflows triggered independently on PR events with no dependency, running concurrently instead of sequentially. **Solution:** Add workflow_run trigger to supply-chain-verify that waits for docker-build to complete successfully before running. **Changes:** - Remove pull_request trigger from supply-chain-verify.yml - Add workflow_run trigger for "Docker Build, Publish & Test" - Add job conditional checking workflow_run.conclusion == 'success' - Update tag determination to handle workflow_run context - Extract PR number from workflow_run metadata - Update PR comment logic for workflow_run events - Add debug logging for workflow_run context - Document workflow_run depth limitation **Behavior:** - PRs: docker-build → supply-chain-verify (sequential) - Push to main: docker-build → supply-chain-verify (sequential) - Failed builds: verification skipped (correct behavior) - Manual triggers: preserved via workflow_dispatch - Scheduled runs: preserved for weekly scans **Security:** - Workflow security validated: LOW risk - workflow_run runs in default branch context (prevents privilege escalation) - No secret exposure in logs or comments - Proper input sanitization for workflow metadata - YAML validation passed - Pre-commit hooks passed **Testing:** - YAML syntax validated - All references verified correct - Regression testing completed (no breaking changes) - Debug instrumentation added for validation **Documentation:** - Implementation summary created - QA report with security audit - Plan archived for reference - Testing guidelines provided Related: #461 (PR where issue was discovered) Resolves: Supply chain verification skipping on PRs Co-authored-by: GitHub Copilot <copilot@github.com> |