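--- a/.actionlint.yaml
+++ b/.actionlint.yaml
@@ -0,0 +1,3 @@
+self-hosted-runner:
+labels:
+- ubuntu-latest-8-core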
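Review bot: This config is added at the repository root as `.actionlint.yaml`, but as far as I know actionlint only auto-discovers `.github/actionlint.yaml` or `.github/actionlint.yml`, so the label list may never be read. The "label "ubuntu-latest-8-core" is unknown" annotations still shown on melange-test-pipelines.yaml and wolfi-presubmit.yaml on this page are consistent with that, though they could also come from an earlier run. Either move the file to `.github/actionlint.yaml` or pass it to the lint job explicitly with `-config-file`. If the label names an organisation-defined larger runner rather than a self-hosted machine, a comment such as `# org-defined larger-runner label, not a self-hosted machine` above the list would keep the key name from being misread.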
4 changes: 4 additions & 0 deletions .github/dependabot.yml
Expand Up @@ -4,6 +4,8 @@ updates:
directory: "/"
schedule:
interval: daily
cooldown:
default-days: 3
open-pull-requests-limit: 10
groups:
gomod:
Expand All @@ -15,6 +17,8 @@ updates:
directory: "/"
schedule:
interval: daily
cooldown:
default-days: 3
open-pull-requests-limit: 10
groups:
actions:
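Review bot: The two added `cooldown` blocks carry no comment on what the delay is for or what it does not cover. As far as I know Dependabot applies `cooldown` to version updates only, so security updates are still proposed immediately; stating that next to the setting avoids a later reader taking it for a delay on fixes. Suggested comment above each block: `# Wait 3 days after a release before proposing it; security updates are not delayed.`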
2 changes: 1 addition & 1 deletion .github/workflows/actionlint.yaml
Expand Up @@ -24,7 +24,7 @@ jobs:
name: Action lint
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: block
allowed-endpoints: >
4 changes: 3 additions & 1 deletion .github/workflows/build.yaml
Expand Up @@ -17,7 +17,7 @@ jobs:
contents: read

steps:
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: block
allowed-endpoints: >
Expand All @@ -35,6 +35,8 @@ jobs:
sum.golang.org:443

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
10 changes: 7 additions & 3 deletions .github/workflows/e2e.yaml
Expand Up @@ -38,11 +38,13 @@
--cap-add NET_ADMIN --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor:unconfined

steps:
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version-file: "go.mod"
Expand All @@ -58,9 +60,11 @@
./melange keygen

- name: Build package
env:
MATRIX_CFG: ${{ matrix.cfg }}
run: |

Check warning on line 65 in .github/workflows/e2e.yaml


GitHub Actions / Action lint

[actionlint] reported by reviewdog 🐶 shellcheck reported issue in this script: SC2086:info:5:17: Double quote to prevent globbing and word splitting [shellcheck] Raw Output: i:.github/workflows/e2e.yaml:65:9: shellcheck reported issue in this script: SC2086:info:5:17: Double quote to prevent globbing and word splitting [shellcheck]
path=examples/${{matrix.cfg}}
if [ "${{matrix.cfg}}" == "melange.yaml" ]; then
path=examples/$MATRIX_CFG
if [ "$MATRIX_CFG" == "melange.yaml" ]; then
path="melange.yaml"
fi
./melange build $path --arch=x86_64 --namespace=wolfi
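Review bot: The rewritten test `[ "$MATRIX_CFG" == "melange.yaml" ]` in the "Build package" step keeps `==` inside `[ ]`, which is a bash extension and fails under a strict POSIX `sh`. The container options line at the top of the first hunk suggests this job runs in a container, where the runner falls back to `sh` if the image has no bash, so whether this works depends on the image. `if [ "$MATRIX_CFG" = "melange.yaml" ]; then` behaves the same in both shells. The step's script may continue past the end of the hunk.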
4 changes: 3 additions & 1 deletion .github/workflows/go-tests.yaml
Expand Up @@ -16,7 +16,7 @@ jobs:
contents: read

steps:
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: block
allowed-endpoints: >
Expand Down Expand Up @@ -47,6 +47,8 @@ jobs:
translationproject.org:443

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
18 changes: 13 additions & 5 deletions .github/workflows/melange-test-pipelines.yaml
Expand Up @@ -17,7 +17,7 @@
contents: read

steps:
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: block
allowed-endpoints: >
Expand All @@ -35,6 +35,8 @@
sum.golang.org:443

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
Expand All @@ -55,13 +57,13 @@
name: Test packages
needs:
- build-melange
runs-on: ubuntu-latest-8-core

Check failure on line 60 in .github/workflows/melange-test-pipelines.yaml


GitHub Actions / Action lint

[actionlint] reported by reviewdog 🐶 label "ubuntu-latest-8-core" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2025-vs2026", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xlarge", "macos-latest-large", "macos-26-intel", "macos-26-xlarge", "macos-26-large", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xlarge", "macos-14-large", "macos-14", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file [runner-label] Raw Output: e:.github/workflows/melange-test-pipelines.yaml:60:14: label "ubuntu-latest-8-core" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2025-vs2026", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xlarge", "macos-latest-large", "macos-26-intel", "macos-26-xlarge", "macos-26-large", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xlarge", "macos-14-large", "macos-14", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file [runner-label]

permissions:
contents: read

steps:
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: block
allowed-endpoints: >
Expand Down Expand Up @@ -105,6 +107,8 @@
us.download.nvidia.com:443

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

# Grab the melange we uploaded above, and install it.
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
Expand All @@ -113,21 +117,25 @@
path: ${{ github.workspace }}/.melange-dir
run-id: ${{ github.run_id }}

- run: |
sudo mv ${{ github.workspace }}/.melange-dir/melange /usr/bin/melange
- env:
GITHUB_WORKSPACE: ${{ github.workspace }}
run: |
sudo mv "$GITHUB_WORKSPACE"/.melange-dir/melange /usr/bin/melange
sudo chmod a+x /usr/bin/melange
melange version

- run: |
sudo apt-get -y install bubblewrap
- uses: ./.github/actions/setup-bubblewrap
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version-file: "./go.mod"
check-latest: true

- uses: cue-lang/setup-cue@a93fa358375740cd8b0078f76355512b9208acb1
- uses: cue-lang/setup-cue@a93fa358375740cd8b0078f76355512b9208acb1 # v1.0.1

- name: Install QEMU/KVM
run: |
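Review bot: The added `env: GITHUB_WORKSPACE: ${{ github.workspace }}` on the step that moves the melange binary redefines a variable the runner already sets, and GitHub documents that default `GITHUB_*` variables cannot be overridden from workflow `env`, so the mapping is at best a no-op. The quoted `"$GITHUB_WORKSPACE"` in the script works without it. Dropping the `env:` block, or using a non-reserved name such as `WORKSPACE_DIR`, makes it clear where the value comes from. The same block is added in .github/workflows/wolfi-presubmit.yaml.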
15 changes: 9 additions & 6 deletions .github/workflows/release.yaml
Expand Up @@ -18,7 +18,7 @@ jobs:
contents: write

steps:
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: block
allowed-endpoints: >
Expand All @@ -45,26 +45,28 @@ jobs:
uploads.github.com:443

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Check if any changes since last release
id: check
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git fetch --tags
git fetch --tags # no creds needed: repo is public; if this ever goes private, pass token explicitly here
TAG=$(git tag --points-at HEAD)
if [ -z "$TAG" ]; then
echo "No tag points at HEAD, so we need a new tag and then a new release."
echo "need_release=yes" >> $GITHUB_OUTPUT
echo "need_release=yes" >> "$GITHUB_OUTPUT"
else
RELEASE=$(gh release view "$TAG" --json tagName --jq '.tagName' || echo "none")
if [ "$RELEASE" == "$TAG" ]; then
echo "A release exists for tag $TAG, which has the latest changes, so no need for a new tag or release."
echo "need_release=no" >> $GITHUB_OUTPUT
echo "need_release=no" >> "$GITHUB_OUTPUT"
else
echo "Tag $TAG exists, but no release is associated. Need a new release."
echo "need_release=yes" >> $GITHUB_OUTPUT
echo "existing_tag=$TAG" >> $GITHUB_OUTPUT
echo "need_release=yes" >> "$GITHUB_OUTPUT"
echo "existing_tag=$TAG" >> "$GITHUB_OUTPUT"
fi
fi

Expand All @@ -79,6 +81,7 @@ jobs:
if: steps.check.outputs.need_release == 'yes'
with:
ref: ${{ steps.check.outputs.existing_tag || steps.create_tag.outputs.new_tag }}
persist-credentials: false

- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
if: steps.check.outputs.need_release == 'yes'
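Review bot: With `persist-credentials: false` now set on both checkouts, no later step in this job can push over git using the job token left in the local git config, and the step that produces `steps.create_tag.outputs.new_tag` sits in the collapsed region between the hunks. If that step creates the tag with a plain `git push`, it will start failing on the first release after this merge; if it goes through the API or an action that takes its own token, nothing changes. It is worth confirming which one it is before merging, and giving that single step an explicit token if needed rather than re-enabling persisted credentials for the whole job. The inline comment on `git fetch --tags` already records the matching assumption for the fetch.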
4 changes: 3 additions & 1 deletion .github/workflows/verify.yaml
Expand Up @@ -17,7 +17,7 @@ jobs:
contents: read

steps:
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: block
allowed-endpoints: >
Expand All @@ -36,6 +36,8 @@ jobs:
sum.golang.org:443

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
60 changes: 40 additions & 20 deletions .github/workflows/wolfi-presubmit.yaml
Expand Up @@ -17,7 +17,7 @@
contents: read

steps:
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: block
allowed-endpoints: >
Expand All @@ -34,6 +34,8 @@
sum.golang.org:443

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
Expand All @@ -54,7 +56,7 @@
name: Build packages
needs:
- build-melange
runs-on: ubuntu-latest-8-core

Check failure on line 59 in .github/workflows/wolfi-presubmit.yaml


GitHub Actions / Action lint

[actionlint] reported by reviewdog 🐶 label "ubuntu-latest-8-core" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2025-vs2026", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xlarge", "macos-latest-large", "macos-26-intel", "macos-26-xlarge", "macos-26-large", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xlarge", "macos-14-large", "macos-14", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file [runner-label] Raw Output: e:.github/workflows/wolfi-presubmit.yaml:59:14: label "ubuntu-latest-8-core" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2025-vs2026", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xlarge", "macos-latest-large", "macos-26-intel", "macos-26-xlarge", "macos-26-large", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xlarge", "macos-14-large", "macos-14", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file [runner-label]

permissions:
contents: read
Expand Down Expand Up @@ -96,7 +98,7 @@
- tini

steps:
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: block
allowed-endpoints: >
Expand Down Expand Up @@ -166,15 +168,18 @@
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: wolfi-dev/os
persist-credentials: false

- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: melange-${{ github.run_id }}
path: ${{ github.workspace }}/.melange-dir
run-id: ${{ github.run_id }}

- run: |
sudo mv ${{ github.workspace }}/.melange-dir/melange /usr/bin/melange
- env:
GITHUB_WORKSPACE: ${{ github.workspace }}
run: |
sudo mv "$GITHUB_WORKSPACE"/.melange-dir/melange /usr/bin/melange
sudo chmod a+x /usr/bin/melange
melange version

Expand All @@ -184,8 +189,10 @@
# this need to point to main to always get the latest action
- uses: wolfi-dev/actions/install-wolfictl@d8faf0b2bf2a7c6eefc571567ef370faae5baed2 # last commit that had the scan command

- run: |
wolfictl bump ${{ matrix.package }}
- env:
MATRIX_PACKAGE: ${{ matrix.package }}
run: |
wolfictl bump "$MATRIX_PACKAGE"

- if: matrix.runner == 'bubblewrap'
run: |
Expand All @@ -194,14 +201,19 @@
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
path: melange-src
persist-credentials: false
- if: matrix.runner == 'bubblewrap'
uses: ./melange-src/.github/actions/setup-bubblewrap
- if: matrix.runner == 'bubblewrap'
env:
MATRIX_PACKAGE: ${{ matrix.package }}
run: |
make SHELL="/bin/bash" MELANGE="sudo melange" MELANGE_RUNNER="bubblewrap" MELANGE_EXTRA_OPTS="--generate-provenance" package/${{ matrix.package }}
make SHELL="/bin/bash" MELANGE="sudo melange" MELANGE_RUNNER="bubblewrap" MELANGE_EXTRA_OPTS="--generate-provenance" package/"$MATRIX_PACKAGE"
- if: matrix.runner == 'bubblewrap'
env:
MATRIX_PACKAGE: ${{ matrix.package }}
run: |
make SHELL="/bin/bash" MELANGE="sudo melange" MELANGE_RUNNER="docker" test/${{ matrix.package }}
make SHELL="/bin/bash" MELANGE="sudo melange" MELANGE_RUNNER="docker" test/"$MATRIX_PACKAGE"

- name: Download kernel for VMs
if: matrix.runner == 'qemu'
Expand All @@ -224,16 +236,18 @@
sudo udevadm control --reload-rules
sudo udevadm trigger --name-match=kvm

- name: Make package ${{matrix.package}} with QEMU Runner
- name: Make package ${{ matrix.package }} with QEMU Runner
if: matrix.runner == 'qemu'
env:
MATRIX_PACKAGE: ${{ matrix.package }}
run: |
make \
SHELL="/bin/bash" \
QEMU_KERNEL_IMAGE=/tmp/kernel/boot/vmlinuz-virt \
QEMU_KERNEL_MODULES=/tmp/kernel/lib/modules/ \
MELANGE="/usr/bin/melange" \
MELANGE_EXTRA_OPTS="--runner qemu --generate-provenance" \
package/${{ matrix.package }}
package/"$MATRIX_PACKAGE"

- name: Output SLSA provenance
run: |
Expand All @@ -246,19 +260,23 @@

- name: Run tests to verify xattrs with bubblewrap runner
if: matrix.runner == 'bubblewrap' && matrix.package == 'fping'
env:
MATRIX_PACKAGE: ${{ matrix.package }}
run: |
make SHELL="/bin/bash" MELANGE="sudo melange" MELANGE_RUNNER="bubblewrap" test/${{ matrix.package }}
make SHELL="/bin/bash" MELANGE="sudo melange" MELANGE_RUNNER="bubblewrap" test/"$MATRIX_PACKAGE"

- name: Run tests with QEMU runner
if: matrix.runner == 'qemu'
env:
MATRIX_PACKAGE: ${{ matrix.package }}
run: |
make \
SHELL="/bin/bash" \
QEMU_KERNEL_IMAGE=/tmp/kernel/boot/vmlinuz-virt \
QEMU_KERNEL_MODULES=/tmp/kernel/lib/modules/ \
MELANGE="/usr/bin/melange" \
MELANGE_EXTRA_OPTS="--runner qemu" \
test/${{ matrix.package }}
test/"$MATRIX_PACKAGE"

- name: Check package ${{ matrix.package }} xattrs for QEMU-built package
if: matrix.runner == 'qemu' && matrix.package == 'fping'
Expand All @@ -277,18 +295,20 @@
ls -hal packages/x86_64/usr/bin/sudo

- name: Test installable and Scan for CVEs
env:
MATRIX_PACKAGE: ${{ matrix.package }}
run: |
if [[ "${{ matrix.package }}" == "fping" ]]; then
docker run --rm -v $(pwd):/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/${{ matrix.package }}-*.apk; apk add libcap-utils; getcap /usr/sbin/fping"
elif [[ "${{ matrix.package }}" == "sudo" ]]; then
docker run --rm -v $(pwd):/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/${{ matrix.package }}-*.apk; ls -hal /usr/bin/sudo"
elif [[ "${{ matrix.package }}" == "postfix" ]]; then
docker run --rm -v $(pwd):/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/${{ matrix.package }}-*.apk; ls -hal /var/spool/postfix; ls -hal /var/lib/postfix"
if [[ "$MATRIX_PACKAGE" == "fping" ]]; then
docker run --rm -v "$(pwd)":/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/$MATRIX_PACKAGE-*.apk; apk add libcap-utils; getcap /usr/sbin/fping"
elif [[ "$MATRIX_PACKAGE" == "sudo" ]]; then
docker run --rm -v "$(pwd)":/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/$MATRIX_PACKAGE-*.apk; ls -hal /usr/bin/sudo"
elif [[ "$MATRIX_PACKAGE" == "postfix" ]]; then
docker run --rm -v "$(pwd)":/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/$MATRIX_PACKAGE-*.apk; ls -hal /var/spool/postfix; ls -hal /var/lib/postfix"
else
docker run --rm -v $(pwd):/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/${{ matrix.package }}-*.apk"
docker run --rm -v "$(pwd)":/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c "sed 's|=.*||' -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/$MATRIX_PACKAGE-*.apk"
fi
# There is a huge fixed cost for every wolfictl scan invocation for grype DB init.
# Do this outside of the loop in one invocation with every package.
wolfictl scan \
packages/x86_64/${{ matrix.package }}-*.apk \
packages/x86_64/"$MATRIX_PACKAGE"-*.apk \
2> /dev/null # The error message renders strangely on GitHub Actions, and the important information is already being sent to stdout.
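Review bot: In the "Test installable and Scan for CVEs" step, `$MATRIX_PACKAGE` sits inside the double-quoted `/bin/sh -c "..."` argument, so the runner's shell expands it and the value is still spliced into the command text that the container's shell parses. Moving the value to `env:` removes the template expansion from the outer script but not this second layer; the matrix list appears to be static in this workflow, so this is hardening rather than a live problem. Passing the variable into the container and single-quoting the inner script lets the inner shell treat it as data, e.g. `docker run --rm -e MATRIX_PACKAGE -v "$(pwd)":/work --workdir /work cgr.dev/chainguard/wolfi-base /bin/sh -c 'sed "s|=.*||" -i /etc/apk/world; apk add --allow-untrusted -X ./packages/ packages/x86_64/"$MATRIX_PACKAGE"-*.apk'`, and likewise for the other three branches.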