diff --git a/.cursor/rules/reusable-workflows.mdc b/.cursor/rules/reusable-workflows.mdc index 3a3081f..e68023b 100644 --- a/.cursor/rules/reusable-workflows.mdc +++ b/.cursor/rules/reusable-workflows.mdc @@ -127,8 +127,8 @@ runs-on: self-hosted Every reusable workflow must: - support `workflow_call` (for external callers) -- support `workflow_dispatch` (for manual testing) - expose explicit `inputs` — never rely on implicit context +- **must NOT** include a `workflow_dispatch` trigger — if manual/interactive dispatch is needed, create a separate self-workflow under `.github/workflows/self-*` - **always include a `dry_run` input** (`type: boolean`, `default: false`) so the workflow can be safely tested before applying real changes ```yaml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1f1ab84..9363c9d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -123,7 +123,7 @@ on: type: boolean default: false docker_build_args: - description: 'Newline-separated Docker build arguments to pass to docker build (e.g., "APP_NAME=spi\nCOMPONENT_NAME=api"). Forwarded to docker/build-push-action build-args.' + description: 'Newline-separated Docker build arguments (e.g., "APP_NAME=spi\nCOMPONENT_NAME=api"). For sensitive values (tokens, keys, passwords), use BuildKit secrets instead — build arguments are visible in image history.' type: string required: false default: '' @@ -139,7 +139,6 @@ on: permissions: contents: read packages: write - id-token: write jobs: prepare: @@ -208,6 +207,10 @@ jobs: if: needs.prepare.outputs.has_builds == 'true' runs-on: ${{ inputs.runner_type }} name: Build ${{ matrix.app.name }} + permissions: + contents: read + packages: write + id-token: write strategy: max-parallel: 2 fail-fast: false @@ -320,7 +323,7 @@ jobs: ENABLE_GHCR: ${{ inputs.enable_ghcr }} DOCKERHUB_ORG: ${{ inputs.dockerhub_org }} APP_NAME: ${{ matrix.app.name }} - GHCR_ORG: ${{ steps.normalize.outputs.owner_lower }} + GHCR_ORG: ${{ inputs.ghcr_org || steps.normalize.outputs.owner_lower }} run: | REFS="" @@ -341,7 +344,7 @@ jobs: - name: Sign container images with cosign if: inputs.enable_cosign_sign - uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@feat/cosign-sign + uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@v1.23.0 with: image-refs: ${{ steps.cosign-refs.outputs.refs }} diff --git a/.github/workflows/go-release.yml b/.github/workflows/go-release.yml index acd1ec8..0b7f487 100644 --- a/.github/workflows/go-release.yml +++ b/.github/workflows/go-release.yml @@ -75,7 +75,6 @@ on: permissions: contents: write packages: write - id-token: write jobs: release: @@ -144,6 +143,10 @@ jobs: docker: name: Build and Push Docker Image runs-on: ${{ inputs.runner_type }} + permissions: + contents: read + packages: write + id-token: write needs: release if: inputs.enable_docker && startsWith(github.ref, 'refs/tags/v') @@ -194,7 +197,7 @@ jobs: - name: Sign container images with cosign if: inputs.enable_cosign_sign - uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@feat/cosign-sign + uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@v1.23.0 with: image-refs: ${{ steps.cosign-refs.outputs.refs }} diff --git a/.github/workflows/pr-security-scan.yml b/.github/workflows/pr-security-scan.yml index 3ead072..f6ed5c3 100644 --- a/.github/workflows/pr-security-scan.yml +++ b/.github/workflows/pr-security-scan.yml @@ -68,7 +68,7 @@ on: type: boolean default: true docker_build_args: - description: 'Newline-separated Docker build arguments to pass to docker build (e.g., "APP_NAME=spi\nCOMPONENT_NAME=api"). Forwarded to docker/build-push-action build-args.' + description: 'Newline-separated Docker build arguments (e.g., "APP_NAME=spi\nCOMPONENT_NAME=api"). For sensitive values (tokens, keys, passwords), use BuildKit secrets instead — build arguments are visible in image history.' type: string required: false default: '' diff --git a/.github/workflows/typescript-build.yml b/.github/workflows/typescript-build.yml index 91082e5..4f743a4 100644 --- a/.github/workflows/typescript-build.yml +++ b/.github/workflows/typescript-build.yml @@ -148,7 +148,6 @@ on: permissions: contents: read packages: write - id-token: write jobs: prepare: @@ -250,6 +249,10 @@ jobs: if: needs.prepare.outputs.has_builds == 'true' runs-on: ${{ inputs.runner_type }} name: Build ${{ matrix.app.name }} + permissions: + contents: read + packages: write + id-token: write strategy: max-parallel: 2 fail-fast: false @@ -333,7 +336,7 @@ jobs: - name: Sign container images with cosign if: inputs.enable_cosign_sign && !inputs.dry_run && steps.cosign-refs.outputs.refs != '' - uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@feat/cosign-sign + uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@v1.23.0 with: image-refs: ${{ steps.cosign-refs.outputs.refs }} diff --git a/docs/build-workflow.md b/docs/build-workflow.md index 3054f54..3991ce6 100644 --- a/docs/build-workflow.md +++ b/docs/build-workflow.md @@ -225,7 +225,7 @@ jobs: ```bash cosign verify \ - --certificate-identity-regexp=".*" \ + --certificate-identity-regexp="^https://github.com/LerianStudio/.*/.github/workflows/.*@refs/heads/.*$" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ docker.io/lerianstudio/my-app@sha256:abc123... ``` diff --git a/docs/go-release-workflow.md b/docs/go-release-workflow.md index 86412dd..e8b5a2d 100644 --- a/docs/go-release-workflow.md +++ b/docs/go-release-workflow.md @@ -204,7 +204,7 @@ jobs: ```bash cosign verify \ - --certificate-identity-regexp=".*" \ + --certificate-identity-regexp="^https://github.com/LerianStudio/.*/.github/workflows/.*@refs/heads/.*$" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ ghcr.io/myorg/my-app@sha256:abc123... ``` diff --git a/docs/typescript-build.md b/docs/typescript-build.md index 6623214..b8bdffd 100644 --- a/docs/typescript-build.md +++ b/docs/typescript-build.md @@ -37,6 +37,7 @@ on: permissions: contents: read packages: write + id-token: write # required for cosign keyless signing jobs: build: @@ -230,7 +231,7 @@ jobs: ```bash cosign verify \ - --certificate-identity-regexp=".*" \ + --certificate-identity-regexp="^https://github.com/LerianStudio/.*/.github/workflows/.*@refs/heads/.*$" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ ghcr.io/lerianstudio/my-app@sha256:abc123... ``` diff --git a/src/security/cosign-sign/README.md b/src/security/cosign-sign/README.md index 0151761..1bf4fbb 100644 --- a/src/security/cosign-sign/README.md +++ b/src/security/cosign-sign/README.md @@ -46,7 +46,7 @@ jobs: - name: Sign container image uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@v1.x.x with: - image-refs: myorg/myapp@${{ steps.build-push.outputs.digest }} + image-refs: docker.io/myorg/myapp@${{ steps.build-push.outputs.digest }} ``` ### Signing multiple registries @@ -64,7 +64,7 @@ jobs: ```bash cosign verify \ - --certificate-identity-regexp=".*" \ + --certificate-identity-regexp="^https://github.com/LerianStudio/.*/.github/workflows/.*@refs/heads/.*$" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ docker.io/myorg/myapp@sha256:abc123... ```