3590553519
Implements all 13 fixes identified in the CI/CD audit against github-actions-ci-cd-best-practices.instructions.md Critical fixes: Remove hardcoded encryption key from playwright.yml (security) Fix artifact filename mismatch in supply-chain-pr.yml (bug) Pin GoReleaser to ~> v2.5 instead of latest (supply chain) High priority fixes: Upgrade CodeQL action from v3 to v4 in supply-chain-pr.yml Add environment protection for release workflow Fix shell variable escaping ($$ → $) in release-goreleaser.yml Medium priority fixes: Add timeout-minutes to playwright.yml (20 min) Add explicit permissions to quality-checks.yml Add timeout-minutes to codecov-upload.yml jobs (15 min) Fix benchmark.yml permissions (workflow-level read, job-level write) Low priority fixes: Add timeout-minutes to docs.yml jobs (10/5 min) Add permissions block to docker-lint.yml Add timeout-minutes to renovate.yml (30 min)
31 lines
654 B
YAML
31 lines
654 B
YAML
name: Docker Lint
|
|
|
|
on:
|
|
push:
|
|
branches: [ main, development, 'feature/**' ]
|
|
paths:
|
|
- 'Dockerfile'
|
|
pull_request:
|
|
branches: [ main, development ]
|
|
paths:
|
|
- 'Dockerfile'
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
hadolint:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
|
|
|
|
- name: Run Hadolint
|
|
uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
|
|
with:
|
|
dockerfile: Dockerfile
|
|
failure-threshold: warning
|