Remove unused pull-requests: write permission from auto-versioning workflow.
The workflow uses GitHub Release API which only requires contents: write
permission. This follows the principle of least privilege.
Changes:
- Removed unused pull-requests: write permission
- Added documentation for cancel-in-progress: false setting
- Created backup of original workflow file
- QA verification complete with all security checks passing
Security Impact:
- Reduces attack surface by removing unnecessary permission
- Maintains functionality (no breaking changes)
- Follows OWASP and CIS security best practices
Related Issues:
- Fixes GH013 repository rule violation on tag creation
- CVE-2024-45337 in build cache (fix available, not in production)
- CVE-2025-68156 in CrowdSec awaiting upstream fix
QA Report: docs/reports/qa_report.md
Linter Configuration Updates:
Add version: 2 to .golangci.yml for golangci-lint v2 compatibility
Scope errcheck exclusions to test files only via path-based rules
Maintain production code error checking while allowing test flexibility
CI/CD Documentation:
Fix CodeQL action version comment in security-pr.yml (v3.28.10 → v4)
Create workflow modularization specification (docs/plans/workflow_modularization_spec.md)
Document GitHub environment protection setup for releases
Verification:
Validated linter runs successfully with properly scoped rules
Confirmed all three workflows (playwright, security-pr, supply-chain-pr) are properly modularized
Feature branch pushes were failing to save artifacts because the image
was pushed to GHCR but not loaded locally. Multi-platform builds
cannot use load:true, so feature branch pushes now build single-platform.
Update branch triggers and downstream workflow logic to support all
branches defined in docker-build.yml (main, development, feature/**).
Changes:
docker-build.yml: Expand branch glob to feature/**, use branch-based tags
playwright.yml: Replace is_beta_push with generic is_push detection
security-pr.yml: Same branch-agnostic pattern
supply-chain-pr.yml: Same pattern, skip PR comments for push events
The workflows now support any push that triggers docker-build:
main branch → tag: latest
development branch → tag: dev
feature/* branches → tag: {branch-name}
Pull requests → tag: pr-{number}
Dynamic artifact naming:
Push events: push-image (shared across all branches)
Pull requests: pr-image-{number}
This ensures CI/CD pipelines work for stable releases, bug fixes,
and new feature development without hardcoded branch names.
Implements all 13 fixes identified in the CI/CD audit against
github-actions-ci-cd-best-practices.instructions.md
Critical fixes:
Remove hardcoded encryption key from playwright.yml (security)
Fix artifact filename mismatch in supply-chain-pr.yml (bug)
Pin GoReleaser to ~> v2.5 instead of latest (supply chain)
High priority fixes:
Upgrade CodeQL action from v3 to v4 in supply-chain-pr.yml
Add environment protection for release workflow
Fix shell variable escaping ($$ → $) in release-goreleaser.yml
Medium priority fixes:
Add timeout-minutes to playwright.yml (20 min)
Add explicit permissions to quality-checks.yml
Add timeout-minutes to codecov-upload.yml jobs (15 min)
Fix benchmark.yml permissions (workflow-level read, job-level write)
Low priority fixes:
Add timeout-minutes to docs.yml jobs (10/5 min)
Add permissions block to docker-lint.yml
Add timeout-minutes to renovate.yml (30 min)
Separate PR-specific tests from docker-build.yml into dedicated workflows
that trigger via workflow_run. This creates a cleaner CI architecture where:
playwright.yml: E2E tests triggered after docker-build completes
security-pr.yml: Trivy binary scanning for PRs
supply-chain-pr.yml: SBOM generation + Grype vulnerability scanning
The skip condition used github.ref to detect the beta-release branch,
but for PRs github.ref is "refs/pull/N/merge", not the branch name.
Added github.head_ref to env variables for PR branch detection
Updated condition to check both REF and HEAD_REF
This ensures E2E tests run for PRs from feature/beta-release branch
The DNS provider API endpoints were returning 404 in CI because the
encryption service failed to initialize with an invalid key.
Changed CHARON_ENCRYPTION_KEY from plain text to valid base64 string
Key "dGVzdC1lbmNyeXB0aW9uLWtleS1mb3ItY2ktMzJieXQ=" decodes to 32 bytes
Without valid encryption key, DNS provider routes don't register
This was causing all dns-provider-types.spec.ts tests to fail
Root cause: AES-256-GCM requires exactly 32 bytes for the key
