
chore(ci): fix lint findings in build-docker #15145

Merged: zanieb merged 1 commit into main from ww/build-docker-lint on Aug 7, 2025

Conversation

@woodruffw (Member)

Summary

Addresses zizmor findings in build-docker.yml.

Key changes: primarily removing template expansions and restricting some permissions.

Test Plan

Let the CI run.

@woodruffw woodruffw self-assigned this Aug 7, 2025
@woodruffw woodruffw added the `internal` label (A refactor or improvement that is not user-facing) Aug 7, 2025
# And the workflow itself
- .github/workflows/build-docker.yml

permissions: {}
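Review bot: this region places `permissions: {}` at the workflow top level, directly after the `paths` filter, so the empty token becomes the default for every job; the description states that each job using `GITHUB_TOKEN` now carries its own `permissions:` block, but the job blocks are not in the visible lines, so please name the jobs concerned in the PR text (the re-creation commit later adds an explicit block to `docker-annotate-base`, which suggests one was missed on this pass). Since `build-docker.yml` is also entered via `workflow_call` from `release.yml:custom-build-docker`, the per-job grants here can only narrow what that caller's job grants, so the two must be kept in step.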
@woodruffw woodruffw Aug 7, 2025


This drops workflow-wide permissions; I confirmed that each of the jobs below that uses the GITHUB_TOKEN has its own permissions explicitly set.

@woodruffw woodruffw temporarily deployed to uv-test-registries August 7, 2025 19:09 — with GitHub Actions Inactive
@woodruffw woodruffw requested review from konstin and zanieb August 7, 2025 19:27
@zanieb zanieb merged commit 16cb6af into main Aug 7, 2025
120 checks passed
@zanieb zanieb deleted the ww/build-docker-lint branch August 7, 2025 19:58
zanieb added a commit that referenced this pull request Aug 8, 2025
zanieb added a commit that referenced this pull request Aug 8, 2025
zanieb pushed a commit that referenced this pull request Aug 12, 2025
## Summary

This re-creates #15145, with fixes following the revert in #15174.

The overall approach is the same, except that I've added an explicit
permissions block to `docker-annotate-base` that should cover the needed
permissions in that job.

(One confusion is around how that wasn't failing before -- FWICT it was
receiving the default `GITHUB_TOKEN`, which doesn't include `id-token:
write` or `packages: write`. So it _should_ have been failing even
before I explicitly did `permissions: {}`...)

Edit: Oh, I see why -- the actual release process does a
`workflow_call`, so this inherits its `GITHUB_TOKEN` from
`release.yml:custom-build-docker`, which in turn has the right
permissions granted to it.

## Test Plan

See what happens in CI. Plus maybe we could do a release dry-run?

Signed-off-by: William Woodruff <[email protected]>
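Worked example of the two kinds of fix named in the PR summary (removing template expansions, restricting permissions) and in the re-creation commit message above (a job-level `permissions:` block under a workflow-wide `permissions: {}`, and `GITHUB_TOKEN` inheritance through `workflow_call`). This is an added illustration, not uv's actual `build-docker.yml` or `release.yml`; apart from the job names `docker-annotate-base` and `custom-build-docker` taken from the page, the triggers, the step and the `pull_request.title` input are assumptions.

```yaml
# Added example; not the uv project's real workflow files. Two documents,
# one per file, separated by `---`. Step names and inputs are assumptions.

# --- .github/workflows/build-docker.yml (the called workflow) ---
name: build-docker

on:
  workflow_call:        # entered from release.yml; inherits the caller's token
  pull_request:
    paths:
      - .github/workflows/build-docker.yml

# Workflow-wide default: no permissions at all. Every job that touches
# GITHUB_TOKEN must opt in explicitly below.
permissions: {}

jobs:
  docker-annotate-base:
    runs-on: ubuntu-latest
    # Job-level grant. Without this block the job runs with the empty default
    # and any package push or OIDC-based attestation step fails.
    permissions:
      id-token: write   # OIDC token for attestation / signing
      packages: write   # push to the container registry
    steps:
      - uses: actions/checkout@v4

      # Template-injection class of finding: expanding attacker-influenced
      # context straight into `run:` turns that value into shell syntax.
      # BEFORE (flagged):
      #   - run: echo "Building for ${{ github.event.pull_request.title }}"
      # AFTER: bind the value to an environment variable, which the shell
      # treats as data rather than code.
      - name: Print build context
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Building for $PR_TITLE"

---
# --- .github/workflows/release.yml (the caller) ---
name: release

on:
  push:
    tags: ["*"]

permissions: {}

jobs:
  custom-build-docker:
    # A called workflow can only narrow the permissions its caller grants,
    # so this job-level grant must cover what docker-annotate-base asks for.
    permissions:
      id-token: write
      packages: write
    uses: ./.github/workflows/build-docker.yml
```

The caller's grant explains the commit message's observation: on a `pull_request` run the job would have only what its own `permissions:` block says, but via `workflow_call` the token arrives already scoped by `custom-build-docker`, and the called workflow's blocks can then only reduce it.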