public/once-campfire
1
0
Fork 0
mirror of https://github.com/basecamp/once-campfire.git synced 2026-04-09 06:27:49 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
once-campfire/bin
History
Mike Dalessio 3fada3d997 ci: harden GitHub Actions workflows (#185) 
* Add GitHub Actions audit job (actionlint + zizmor) to CI

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Configure dependabot for GitHub Actions, bundler, and Docker

Batches all action updates into a single weekly PR. Adds cooldown
periods to all ecosystems.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add local GitHub Actions linting (actionlint + zizmor) to bin/setup and bin/ci

Install actionlint, shellcheck, and zizmor in bin/setup. Run both
linters as CI steps in config/ci.rb alongside existing style checks.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Pin all GitHub Actions to SHA hashes

Run pinact to pin action versions to specific commit SHAs,
preventing supply chain attacks from tag mutation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix high severity zizmor findings

- Suppress unpinned-images for redis service containers (digest
  pinning is nontrivial for service containers)
- Move workflow-level permissions to job-level in publish-image.yml
  (build gets full set, manifest gets only what it needs)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix medium severity zizmor findings

- Add persist-credentials: false to all checkout steps
- Add permissions: {} at workflow level in ci.yml
- Add job-level permissions (contents: read) to all CI jobs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix informational template-injection findings in publish-image.yml

Move steps.meta.outputs.tags from inline ${{ }} expressions to env
vars in both the manifest creation and cosign signing steps.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Update brakeman to 8.0.4

bin/brakeman uses --ensure-latest which fails if not on the newest version.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-20 19:26:25 -04:00
..
boot
Hello world
2025-08-21 09:31:59 +01:00
brakeman
Upgrade to Rails 8 and Ruby 3.4.5 (#1)
2025-09-02 17:02:41 +02:00
bundle
Hello world
2025-08-21 09:31:59 +01:00
bundler-audit
Upgrade to Rails 8 and Ruby 3.4.5 (#1)
2025-09-02 17:02:41 +02:00
ci
Upgrade to Rails 8 and Ruby 3.4.5 (#1)
2025-09-02 17:02:41 +02:00
dev
Upgrade to Rails 8 and Ruby 3.4.5 (#1)
2025-09-02 17:02:41 +02:00
importmap
Hello world
2025-08-21 09:31:59 +01:00
load
Hello world
2025-08-21 09:31:59 +01:00
rails
Hello world
2025-08-21 09:31:59 +01:00
rake
Hello world
2025-08-21 09:31:59 +01:00
release
Add safety checks to release script
2025-12-03 08:24:04 +01:00
rubocop
Upgrade to Rails 8 and Ruby 3.4.5 (#1)
2025-09-02 17:02:41 +02:00
setup
ci: harden GitHub Actions workflows (#185)
2026-03-20 19:26:25 -04:00
start-app
Hello world
2025-08-21 09:31:59 +01:00
thrust
Upgrade to Rails 8 and Ruby 3.4.5 (#1)
2025-09-02 17:02:41 +02:00