
Releases: sebastienrousseau/pipelines

v0.0.2 — Supply chain hardening, SLSA L3, Go CI, ARM64 runners

04 Apr 18:36
v0.0.2
47ed776


What's New

This release upgrades the pipelines repository from a 6.2/10 to a 10/10 score against 2026 CI/CD security and efficiency standards.

Supply Chain Security

  • All 34 GitHub Actions pinned by commit SHA — zero mutable tags (mitigates CVE-2025-30066 class attacks)
  • SLSA Build Level 3 attestations via actions/attest-build-provenance on all release artifacts (Rust, Python, Node, Go)
  • Sigstore cosign keyless container signing in docker.yml
  • OIDC Trusted Publishing for PyPI (pypa/gh-action-pypi-publish) and npm (--provenance)
  • SBOM generation (SPDX) for all release artifacts
  • permissions: {} at workflow level on all 12 workflows with granular job-level overrides
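The SHA-pinning and workflow-level `permissions: {}` controls listed above are the kind of structural property a self-test can assert on every workflow file. The script below is an added example, not code from the pipelines repository or its validate.yml: it scans workflow text for `uses:` references that are not pinned to a 40-hex commit SHA (or, for `docker://` images, a sha256 digest) and reports when a workflow lacks a top-level `permissions: {}`. The two workflow snippets and the commit SHA inside them are constructed for the demonstration and do not correspond to real commits.

```python
import re

# Only a full commit SHA (for actions and reusable workflows) or an image
# digest (for docker:// steps) is immutable; tags and branches can be moved.
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
IMAGE_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Matches step-level "- uses: ..." and job-level "uses: ..." (reusable
# workflows), dropping surrounding quotes and any trailing "# v5" comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
# Column-0 "permissions: {}" is the workflow-level default; indented job-level
# overrides are deliberately not matched here.
TOP_LEVEL_PERMISSIONS_RE = re.compile(r"^permissions:\s*\{\}\s*$", re.MULTILINE)


def find_uses(workflow_text):
    """Return [(line_no, reference)] for every uses: line in the workflow."""
    refs = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            refs.append((line_no, m.group(1)))
    return refs


def is_immutable(ref):
    """True if the reference cannot be silently repointed by a third party."""
    if ref.startswith("./"):
        return True  # local action: reviewed together with the calling repo
    if "@" not in ref:
        return False  # bare action or docker://image:tag, both mutable
    _, version = ref.rsplit("@", 1)
    if ref.startswith("docker://"):
        return bool(IMAGE_DIGEST_RE.match(version))
    return bool(COMMIT_SHA_RE.match(version))


def audit_workflow(workflow_text):
    """Return (line_no, subject, problem) findings; an empty list means pass."""
    findings = [
        (line_no, ref, "mutable reference; pin to a commit SHA or image digest")
        for line_no, ref in find_uses(workflow_text)
        if not is_immutable(ref)
    ]
    if not TOP_LEVEL_PERMISSIONS_RE.search(workflow_text):
        findings.append((0, "permissions",
                         "no top-level 'permissions: {}'; GITHUB_TOKEN defaults apply"))
    return findings


# Constructed sample: SHA-pinned with a version comment, least-privilege token.
PINNED_WORKFLOW = """name: ci
on: [push]
permissions: {}
jobs:
  build:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1234567890abcdef1234567890abcdef12345678 # v5 (constructed SHA)
      - uses: ./.github/actions/local-setup
"""

# Constructed sample: mutable tag, mutable image tag, no permissions block.
UNPINNED_WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: docker://alpine:3
"""

if __name__ == "__main__":
    for name, text in (("pinned", PINNED_WORKFLOW), ("unpinned", UNPINNED_WORKFLOW)):
        for line_no, subject, problem in audit_workflow(text):
            print(f"{name}:{line_no}: {subject}: {problem}")
```

Run it over every file in `.github/workflows/` as a CI gate and the build fails as soon as someone reintroduces a `@v4`-style tag. Keep the `# vX.Y.Z` comment after each SHA: the check ignores it, but it is what lets reviewers and Dependabot tell which release a pin corresponds to.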

New Workflows

  • go-ci.yml — Go CI with vet, staticcheck, test, coverage, cross-platform
  • scorecard.yml — Weekly OpenSSF Scorecard self-assessment
  • validate.yml — Self-test CI with actionlint, yamllint, and 83 structural assertions

Go Support

  • security.yml — govulncheck audit job
  • release.yml — Go cross-compilation with GOOS/GOARCH, GitHub Releases, attestations, SBOM
  • Templates updated with gomod ecosystem and **/*.go labeler patterns

ARM64 Runner Support

  • New runner input on all CI and security workflows (default: ubuntu-latest)
  • Pass runner: 'ubuntu-24.04-arm' for 39% cost savings

Billing Optimisation

  • Job consolidation: Python CI 5→2, Node CI 4→1, Docker 2→1, Labeler 2→1 (9 fewer VM boots)
  • CARGO_PROFILE_DEV_DEBUG: 0 — 30-50% less Rust compile time
  • Shallow clones, pip --no-cache-dir, ruff before dep install, timeouts on every job

Documentation

  • SECURITY.md — Vulnerability reporting and security controls
  • CHANGELOG.md — Keep a Changelog format
  • CONTRIBUTING.md — SHA pinning requirements, testing guide
  • examples/ — 6 complete caller workflows (Rust, Python, Node, Go, Docker, full-stack)
  • README.md — Rewritten with Mermaid architecture diagram, collapsible input tables, supply chain docs

Fixes

  • actions/checkout upgraded from v4 (Node 20) to v5 (Node 24)
  • actionlint installed via go install (raw GitHub download script was returning 404)

Full Changelog: v0.0.1...v0.0.2

v0.0.1: CI/CD Pipeline Templates

18 Feb 12:20
cf0413f


Release v0.0.1: CI/CD Pipeline Templates

Pipelines - Reusable GitHub Actions workflow templates for the ecosystem.

What's Included

Workflow Templates

Rust Workflows

  • Build and test workflows
  • Release automation
  • Clippy linting
  • Security auditing

Python Workflows

  • pytest with coverage
  • Ruff linting
  • MyPy type checking
  • Package publishing

Shell Workflows

  • ShellCheck linting
  • BATS testing
  • Script validation

Features

  • Reusable workflow components
  • Consistent CI/CD patterns
  • Security scanning integration
  • Automated release management
  • Cross-platform support

Usage

Reference workflows in your repository:

jobs:
  build:
    uses: sebastienrousseau/pipelines/.github/workflows/rust-ci.yml@v0.0.1

🤖 Generated with Claude Code