
Fix reusable workflow permissions#1

Merged
cwaits6 merged 11 commits into main from fix/remove-top-level-permissions
Mar 16, 2026

Conversation

@cwaits6 cwaits6 commented Mar 16, 2026

Summary

  • Remove top-level permissions blocks from dependency-review.yml, trivy.yml, and container-build.yml — reusable workflows must inherit permissions from the caller, otherwise GitHub rejects the run with startup_failure
  • Add .releaserc.json for semantic-release versioning
  • Add release-self.yml and pr.yml caller workflows for this repo

Test plan

  • Merge and verify the release workflow runs on push to main
  • Open a test PR to verify PR checks (dependency-review, trivy, semgrep) run
  • Re-run apk-datasource container-build workflow after this merges
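As an added illustration (not code from this repository), here is the before/after shape the first Summary bullet describes: the file names trivy.yml and pr.yml come from this PR, while the scan steps and the exact scopes are assumptions.

```yaml
# File: .github/workflows/trivy.yml (reusable workflow, name from the PR)
#
# BEFORE (the shape this PR removes): a top-level permissions block in a
# workflow_call workflow. When the caller's job does not grant at least
# these scopes, GitHub rejects the run with startup_failure.
#
#   on: workflow_call
#   permissions:
#     contents: read
#     security-events: write
#   jobs: ...
#
# AFTER: no top-level permissions; the job runs with whatever GITHUB_TOKEN
# scopes the caller's job passes in. A called workflow may still narrow
# those scopes at job level, but it can never widen them.
name: Trivy scan
on:
  workflow_call:
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master   # assumed scan step
        with:
          scan-type: fs
          format: sarif
          output: trivy-results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
---
# File: .github/workflows/pr.yml (caller workflow, name from the PR)
#
# The caller is the only place that grants token scopes. Keep the grant on
# the calling job, scoped to the minimum the reusable workflow needs
# (security-events: write here only because the scan uploads SARIF).
name: PR checks
on:
  pull_request:
jobs:
  trivy:
    uses: ./.github/workflows/trivy.yml
    permissions:
      contents: read
      security-events: write
```

If the reusable workflow is used from another repository, the `uses:` line becomes `owner/repo/.github/workflows/trivy.yml@<ref>`; the permissions block stays on the calling job either way.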

cwaits6 added 11 commits March 15, 2026 21:07
Reusable workflows inherit permissions from the caller. Top-level
permissions blocks in workflow_call workflows cause startup_failure
when the caller doesn't explicitly grant the same permissions.

Also adds release and PR caller workflows for this repo with
semantic-release support.

…e repos

- Compare git tags before/after semantic-release to detect new releases
  and set step outputs for Go binary builds
- Skip dependency-review job on private repos (requires Advanced Security)
- Skip SBOM generation/submission on private repos

Split container build into 3 jobs (prepare, build matrix, manifest)
so each platform builds on its native runner. linux/arm64 uses
ubuntu-latest-arm by default, eliminating slow QEMU emulation.

Private repos without ARM runners can set use-qemu: true to fall
back to QEMU emulation on ubuntu-latest.
@cwaits6 cwaits6 merged commit c4620c8 into main Mar 16, 2026
@cwaits6 cwaits6 deleted the fix/remove-top-level-permissions branch March 16, 2026 02:59
@github-actions

🎉 This PR is included in version 1.0.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@github-actions

🎉 This PR is included in version 1.1.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
