Alex Goodman
87d6a288d7
Tighten workflow permissions and update release shape (#4899)
* Rework release workflow to canonical shape
Replace the custom quality-gate job with the reusable check-version-available
and check-gate workflows from anchore/workflows. Remove the phase
workflow_dispatch input; the install-script-only path is now a standalone
workflow (release-install-script.yaml) that can be triggered independently.
- add version-available and check-gate jobs using pinned anchore/workflows SHA
- remove phase input and quality-gate job
- release job now needs [check-gate, version-available]
- release-install-script job no longer conditionally skips based on phase
- add release-install-script.yaml for standalone install script runs
- set permissions: {} at workflow level (contents pushed to release job)
- add concurrency: group: release
Signed-off-by: wagoodman <wagoodman@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Tighten workflow-level permissions to {}
Change top-level permissions from contents: read to {} in validations.yaml
and validate-github-actions.yaml, pushing the needed contents: read down
to each job that performs a checkout.
Signed-off-by: wagoodman <wagoodman@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* keep install script phase, remove workflow
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove schema detection workflow
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: wagoodman <wagoodman@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-08 17:16:31 -04:00
dependabot[bot]
47cda2b5ef
chore(deps): bump the actions-minor-patch group across 2 directories with 5 updates (#4846)
Bumps the actions-minor-patch group with 4 updates in the / directory: [github/codeql-action](https://github.com/github/codeql-action), [marocchino/sticky-pull-request-comment](https://github.com/marocchino/sticky-pull-request-comment), [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) and [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action).
Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [actions/cache](https://github.com/actions/cache).
Updates `github/codeql-action` from 4.35.1 to 4.35.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](c10b8064de...95e58e9a2c)
Updates `marocchino/sticky-pull-request-comment` from 3.0.3 to 3.0.4
- [Release notes](https://github.com/marocchino/sticky-pull-request-comment/releases)
- [Commits](d4d6b09364...0ea0beb66e)
Updates `slackapi/slack-github-action` from 3.0.1 to 3.0.2
- [Release notes](https://github.com/slackapi/slack-github-action/releases)
- [Changelog](https://github.com/slackapi/slack-github-action/blob/main/CHANGELOG.md)
- [Commits](af78098f53...03ea5433c1)
Updates `zizmorcore/zizmor-action` from 0.5.2 to 0.5.3
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](71321a20a9...b1d7e1fb5d)
Updates `actions/cache` from 5.0.4 to 5.0.5
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](668228422a...27d5ce7f10)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: marocchino/sticky-pull-request-comment
  dependency-version: 3.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: slackapi/slack-github-action
  dependency-version: 3.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.5.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-05 11:42:04 -04:00
Alex Goodman
2089d086fe
chore: update zizmor workflow triggers (#4732)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-02 14:56:46 -04:00
Alex Goodman
b0dc65a4fb
improve automation (#4730)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-02 12:44:54 -04:00
dependabot[bot]
0bb3741c87
chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates (#4622)
Bumps the actions-minor-patch group with 2 updates in the / directory: [anchore/sbom-action](https://github.com/anchore/sbom-action) and [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action).
Updates `anchore/sbom-action` from 0.21.1 to 0.22.2
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](0b82b0b1a2...28d71544de)
Updates `zizmorcore/zizmor-action` from 0.4.1 to 0.5.0
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](135698455d...0dce2577a4)
---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-version: 0.22.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-17 11:16:26 -05:00
dependabot[bot]
e136ebc44f
chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates (#4584)
Bumps the actions-minor-patch group with 2 updates in the / directory: [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) and [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action).
Updates `peter-evans/create-pull-request` from 8.0.0 to 8.1.0
- [Release notes](https://github.com/peter-evans/create-pull-request/releases)
- [Commits](98357b18bf...c0f553fe54)
Updates `zizmorcore/zizmor-action` from 0.3.0 to 0.4.1
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](e639db9933...135698455d)
---
updated-dependencies:
- dependency-name: peter-evans/create-pull-request
  dependency-version: 8.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.4.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-30 10:33:32 -05:00
dependabot[bot]
27b1219e98
chore(deps): bump the actions-minor-patch group across 2 directories with 3 updates (#4568)
Bumps the actions-minor-patch group with 3 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [actions/setup-go](https://github.com/actions/setup-go) and [github/codeql-action](https://github.com/github/codeql-action).
Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [actions/setup-go](https://github.com/actions/setup-go).
Updates `actions/checkout` from 6.0.1 to 6.0.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](8e8c483db8...de0fac2e45)
Updates `actions/setup-go` from 6.1.0 to 6.2.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](4dc6199c7b...7a3fe6cf4c)
Updates `github/codeql-action` from 4.31.9 to 4.31.10
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](5d4e8d1aca...cdefb33c0f)
Updates `actions/setup-go` from 6.1.0 to 6.2.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](4dc6199c7b...7a3fe6cf4c)
---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: actions/setup-go
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
- dependency-name: github/codeql-action
  dependency-version: 4.31.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: actions/setup-go
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-23 10:37:23 -05:00
Will Murphy
3e563d90d5
ci: enable zizmor to fail PRs (#4556)
* ci: enable zizmor to fail PRs
Enable zizmor (gh actions yaml linter) to fail builds in PRs. Fix any
outstanding linting errors found by this tool.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* fix outdated version comments
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-01-16 10:49:00 -05:00
dependabot[bot]
63273b1b00
chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates (#4525)
Bumps the actions-minor-patch group with 2 updates in the / directory: [docker/login-action](https://github.com/docker/login-action) and [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action).
Updates `docker/login-action` from 3.5.0 to 3.6.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](184bdaa072...5e57cd1181)
Updates `zizmorcore/zizmor-action` from 0.2.0 to 0.3.0
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](e673c3917a...e639db9933)
---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 3.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-05 12:48:30 -05:00
dependabot[bot]
a80679beba
chore(deps): bump actions/checkout from 6.0.0 to 6.0.1 (#4431)
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](1af3b93b68...8e8c483db8)
---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-03 20:18:45 -05:00
dependabot[bot]
023a14f869
chore(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#4396)
Bumps [actions/checkout](https://github.com/actions/checkout) from 5.0.0 to 6.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](08c6903cd8...1af3b93b68)
---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-25 23:03:02 -05:00
dependabot[bot]
333b951be3
chore(deps): bump zizmorcore/zizmor-action from 0.1.2 to 0.2.0 (#4216)
Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.1.2 to 0.2.0.
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](5ca5fc7a47...e673c3917a)
---
updated-dependencies:
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-09-15 14:30:16 -04:00
dependabot[bot]
ab9db0024e
chore(deps): bump zizmorcore/zizmor-action from 0.1.1 to 0.1.2 (#4135)
Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.1.1 to 0.1.2.
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](f52a838cfa...5ca5fc7a47)
---
updated-dependencies:
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-08-13 10:07:03 -04:00
dependabot[bot]
6452a19009
chore(deps): bump actions/checkout from 4.2.2 to 5.0.0 (#4130)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](11bd71901b...08c6903cd8)
---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-08-11 16:54:59 -04:00
Will Murphy
9cda2de2ad
chore: lint gh actions with zizmor (#4062)
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2025-07-16 17:12:38 -04:00