ci: Split image publishing, unify variant testing #1829
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously, the CI workflow granted packages:write permission at the workflow level, making GITHUB_TOKEN with write access available to all jobs including those running on pull requests. While the actual push steps were gated with conditionals, malicious PR code could use the token to push arbitrary images to ghcr.io. Split image publishing into a dedicated build-and-publish.yml workflow that only runs on push to main, with no PR execution. This follows GitHub security best practices by isolating write credentials from untrusted PR code. The new workflow builds and publishes all image variants using a simple matrix with explicit exclude for centos-9 UKI (broken per bootc-dev#1812). Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
Consolidate test-integration and test-integration-cfs into a single job using a unified matrix (test_os × variant) matching the structure of build-and-publish.yml. This eliminates code duplication and simplifies maintenance. Updated required-checks sentinel to depend only on the unified job. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
Contributor
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
henrywang
approved these changes
Dec 5, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ci: Split image publishing into separate workflow for security
Previously, the CI workflow granted packages:write permission at the
workflow level, making GITHUB_TOKEN with write access available to all
jobs including those running on pull requests. While the actual push
steps were gated with conditionals, malicious PR code could use the
token to push arbitrary images to ghcr.io.
Split image publishing into a dedicated build-and-publish.yml workflow
that only runs on push to main, with no PR execution. This follows
GitHub security best practices by isolating write credentials from
untrusted PR code.
The new workflow builds and publishes all image variants using a simple
matrix with explicit exclude for centos-9 UKI (broken per #1812).
Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: Colin Walters walters@verbum.org
ci: Unify test-integration jobs into single matrix
Consolidate test-integration and test-integration-cfs into a single job
using a unified matrix (test_os × variant) matching the structure of
build-and-publish.yml. This eliminates code duplication and simplifies
maintenance.
Updated required-checks sentinel to depend only on the unified job.
Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: Colin Walters walters@verbum.org