Steve Degosserie
62393dee23
ci: migrate from self-hosted to standard GitHub runners ( #482 )
## Summary
- Self-hosted `DH-runners` have been decommissioned — all Rust build, test, and lint workflows now use `ubuntu-latest`
- Removed `install-deps: false` overrides so workflows use the default apt-based dependency installation path
- Updated `setup-env` action descriptions to remove self-hosted runner references
### Workflows updated
- `task-build-operator.yml`
- `task-build-static-operator.yaml`
- `task-publish-binary.yml`
- `task-rust-lint.yml` (3 jobs)
- `task-rust-tests.yml`
- `task-warm-sccache.yml`
- `task-e2e.yml`
## Test plan
- [x] Verify all Rust CI jobs pass on `ubuntu-latest` (build, lint, test, warm-cache)
- [x] Confirm sccache and dependency installation work correctly on standard runners
- [x] Ensure E2E workflow runs with Docker (instead of Podman) on standard runners
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-02 23:11:39 +02:00
Steve Degosserie
746fce9328
security: 🛡️ Harden GitHub Actions workflows ( #349 )
## Summary
This PR addresses several security vulnerabilities and applies hardening measures to the GitHub Actions workflows:
- **Replace `secrets: inherit` with explicit secret passing** - Prevents unnecessary exposure of all repository secrets to called workflows
- **Add SHA256 checksum verification for downloaded binaries** - Protects against supply chain attacks via compromised upstream releases
- **Add GitHub Environment protections for release workflows** - Requires approval before publishing to Docker Hub or creating releases
- **Add explicit minimal permissions to all workflows** - Follows principle of least privilege, removes unnecessary `packages: write` from CI.yml
## Changes by Category
### 1. Explicit Secret Passing
| Workflow | Before | After |
|----------|--------|-------|
| CI.yml → docker-build-ci | `secrets: inherit` | No secrets (GITHUB_TOKEN is automatic) |
| CI.yml → docker-build-release | `secrets: inherit` | Explicit `DOCKERHUB_USERNAME`, `DOCKERHUB_TOKEN` |
| CI.yml → e2e-tests | `secrets: inherit` | No secrets (GITHUB_TOKEN is automatic) |
### 2. Binary Checksum Verification
| Workflow | Binary | SHA256 |
|----------|--------|--------|
| task-rust-lint.yml | taplo 0.8.1 | `c62baa73c9d7c1572...` |
| task-e2e.yml | kurtosis 1.11.99 | `5e88e98c1b255362...` |
### 3. Environment Protections
| Workflow | Job | Environment |
|----------|-----|-------------|
| task-docker-release.yml | build-test-push | `production` |
| task-publish-binary.yml | publish-draft-release | `releases` |
| task-publish-binary.yml | docker-release-candidate | `production` |
| task-publish-runtime.yml | publish-draft-release | `releases` |
### 4. Explicit Permissions
All 14 workflow files now have explicit `permissions:` blocks with minimal required access.
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Ahmad Kaouk <56095276+ahmadkaouk@users.noreply.github.com>
2025-12-12 09:52:50 +00:00
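The "Binary Checksum Verification" step described in the commit above, as an added example that is not part of this commit or the repository's workflows: a POSIX shell helper that pins a downloaded CI binary to an expected SHA-256 and discards the file on mismatch, which is the pattern a `run:` step in `task-rust-lint.yml` or `task-e2e.yml` would carry. The URL, destination and expected-hash arguments are placeholders supplied by the caller; the only real digest is the well-known SHA-256 of the bytes `hello\n` used by the offline self-check.

```shell
# Added example, not from the repository: pin a downloaded CI binary to a
# known SHA-256 before it is used. URL, DEST and EXPECTED are placeholders
# supplied by the caller; no real release URL or hash is embedded here.
set -eu

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE hashes to EXPECTED_HEX. On mismatch it prints a
# diagnostic, deletes FILE so a later step cannot run an unverified
# binary, and returns 1.
verify_sha256() {
  file="$1"; expected="$2"
  actual="$(sha256sum "$file")"
  actual="${actual%% *}"            # keep only the hex digest
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    rm -f "$file"
    return 1
  fi
  return 0
}

# fetch_pinned URL DEST EXPECTED_HEX
# What a workflow step would call: download, verify, and only then mark
# the file executable (the script aborts under set -e on any failure).
fetch_pinned() {
  curl --fail --silent --show-error --location --output "$2" "$1"
  verify_sha256 "$2" "$3"
  chmod +x "$2"
}

# Offline self-check (no network): the SHA-256 of the bytes "hello\n" is
# the well-known digest below. Returns 0 only if an intact file passes,
# a tampered file fails, and the tampered file was removed.
selfcheck() {
  known=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  tmp="$(mktemp)"
  printf 'hello\n' > "$tmp"
  verify_sha256 "$tmp" "$known" || return 1      # intact file passes
  printf 'tampered\n' > "$tmp"
  if verify_sha256 "$tmp" "$known" 2>/dev/null; then
    return 1                                     # tampered file must fail
  fi
  [ ! -e "$tmp" ]                                # and must have been removed
}
```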
Steve Degosserie
51ffcae5f0
Revert "feat: statically build binary ( #292 )" ( #330 )
This reverts commit f84b6debb7 .
2025-12-02 15:42:43 +01:00
Steve Degosserie
e38843455b
fix: 🔨 Disable static binary build for now ( #328 )
2025-12-02 14:53:05 +01:00
undercover-cactus
f84b6debb7
feat: statically build binary ( #292 )
Co-authored-by: Gonza Montiel <gonzamontiel@users.noreply.github.com>
2025-11-28 13:38:05 +00:00
Steve Degosserie
ba1cc63cb0
fix: 🔨 Run publish binary task on ephemeral runner ( #307 )
Co-authored-by: Ahmad Kaouk <56095276+ahmadkaouk@users.noreply.github.com>
2025-11-22 15:54:49 +01:00
Steve Degosserie
b5bc2de11e
fix: 🔧 Fix incorrect args in release Docker image publishing workflow ( #256 )
2025-10-27 15:13:14 +02:00
Steve Degosserie
696a716ff8
fix: Use DH self-hosted runners for the Publish Draft Binary gh action ( #183 )
2025-09-23 00:05:06 +02:00
Steve Degosserie
34488aab25
fix: Use DH self-hosted runners for the Publish Draft Binary gh action ( #182 )
2025-09-22 22:06:39 +02:00
Steve Degosserie
72f8963fdf
fix: 🔧 Temporarily disable Skylake & Zenv3 binaries on client release ( #179 )
Temporarily disable Skylake & Zenv3 binaries when publishing a client release
2025-09-18 16:14:38 +02:00
Steve Degosserie
5c2fe2a7a1
fix: Fix publish binary gh action ( #177 )
2025-09-18 08:04:54 +02:00
Steve Degosserie
5b55659bba
fix: Fix publish binary gh action ( #176 )
2025-09-18 07:46:33 +02:00
Steve Degosserie
a2b385889f
fix: Fix publish binary gh action ( #175 )
2025-09-18 07:39:04 +02:00