Skip to content

Update GitHub Actions workflow with security improvements and linting#50

Open
dguido wants to merge 1 commit intomasterfrom
update-github-actions-workflow
Open

Update GitHub Actions workflow with security improvements and linting#50
dguido wants to merge 1 commit intomasterfrom
update-github-actions-workflow

Conversation

@dguido
Copy link
Member

@dguido dguido commented Sep 6, 2025

Summary

  • Add Dockerfile linting to CI pipeline
  • Implement security best practices for GitHub Actions
  • Update to latest major versions of all actions

Changes

1. Added Checkout Step with Security Configuration

  • Added actions/checkout@v5 with persist-credentials: false
  • Prevents credentials from persisting in the workspace
  • Addresses security recommendation from zizmor audit

2. Added Hadolint Dockerfile Linting

  • Runs before Docker build to catch issues early
  • Configured to ignore intentional choices:
    • DL3007: Using :latest tag (intentional for echidna)
    • DL3008: Unpinned apt packages (flexibility over reproducibility)
    • DL3013: Unpinned pip packages (flexibility over reproducibility)
    • DL3016: Unpinned npm packages (flexibility over reproducibility)
  • Set to fail on warnings to maintain code quality

3. Updated Action Versions

  • actions/checkout@v5 - Latest major version (uses Node 24)
  • All other actions already on latest major versions:
    • docker/setup-qemu-action@v3
    • docker/setup-buildx-action@v3
    • docker/metadata-action@v5
    • docker/login-action@v3
    • docker/build-push-action@v6
    • hadolint/hadolint-action@v3

Security Review

  • ✅ Reviewed with zizmor security scanner
  • ✅ Using major version tags (automatic security updates within major versions)
  • ✅ Persist-credentials disabled for checkout
  • ✅ No other security issues identified

Testing

  • ✅ YAML syntax validated
  • ✅ All action versions verified to exist
  • ✅ Hadolint configuration tested locally

This improves CI security and adds quality checks without breaking existing functionality.

🤖 Generated with Claude Code
https://claude.ai/code

@dguido @claude
Update GitHub Actions workflow with security improvements and linting
15f6ddd 
- Add checkout step with persist-credentials: false for security
  Prevents credentials from persisting in the workspace (zizmor recommendation)

- Add hadolint Dockerfile linting step
  Runs before building to catch Dockerfile issues early
  Ignores intentional version pinning warnings (DL3007, DL3008, DL3013, DL3016)

- Update actions/checkout to v5 (latest major version)
  v5 uses Node 24 runtime for better performance

All actions use major version tags for automatic security updates
while avoiding breaking changes.

🤖 Generated with Claude Code
https://claude.ai/code

Co-Authored-By: Claude <noreply@anthropic.com>
@dguido dguido requested a review from elopez as a code owner September 6, 2025 15:34
elopez
elopez reviewed Sep 6, 2025
View reviewed changes
.github/workflows/docker.yml
Comment on lines +25 to +36
- name: Checkout code
uses: actions/checkout@v5
with:
persist-credentials: false

- name: Lint Dockerfile
uses: hadolint/hadolint-action@v3
with:
dockerfile: Dockerfile
ignore: DL3007,DL3008,DL3013,DL3016
failure-threshold: warning

Copy link
Member

@elopez elopez Sep 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you make this its own workflow instead, that runs on pull requests to master and dev? This docker.yml only runs on a schedule and merges to master/dev only, and I feel like linting then is too late.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@elopez elopez elopez left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dguido @elopez