Skip to content

ci: Split image publishing, unify variant testing#1829

Merged
cgwalters merged 2 commits intobootc-dev:mainfrom
cgwalters:drop-stream9-cfs
Dec 5, 2025
Merged

ci: Split image publishing, unify variant testing#1829
cgwalters merged 2 commits intobootc-dev:mainfrom
cgwalters:drop-stream9-cfs

Conversation

@cgwalters
Copy link
Collaborator

@cgwalters cgwalters commented Dec 5, 2025

ci: Split image publishing into separate workflow for security

Previously, the CI workflow granted packages:write permission at the
workflow level, making GITHUB_TOKEN with write access available to all
jobs including those running on pull requests. While the actual push
steps were gated with conditionals, malicious PR code could use the
token to push arbitrary images to ghcr.io.

Split image publishing into a dedicated build-and-publish.yml workflow
that only runs on push to main, with no PR execution. This follows
GitHub security best practices by isolating write credentials from
untrusted PR code.

The new workflow builds and publishes all image variants using a simple
matrix with explicit exclude for centos-9 UKI (broken per #1812).

Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: Colin Walters walters@verbum.org

ci: Unify test-integration jobs into single matrix

Consolidate test-integration and test-integration-cfs into a single job
using a unified matrix (test_os × variant) matching the structure of
build-and-publish.yml. This eliminates code duplication and simplifies
maintenance.

Updated required-checks sentinel to depend only on the unified job.

Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: Colin Walters walters@verbum.org

@cgwalters
ci: Split image publishing into separate workflow for security
08c9eb4 
Previously, the CI workflow granted packages:write permission at the
workflow level, making GITHUB_TOKEN with write access available to all
jobs including those running on pull requests. While the actual push
steps were gated with conditionals, malicious PR code could use the
token to push arbitrary images to ghcr.io.

Split image publishing into a dedicated build-and-publish.yml workflow
that only runs on push to main, with no PR execution. This follows
GitHub security best practices by isolating write credentials from
untrusted PR code.

The new workflow builds and publishes all image variants using a simple
matrix with explicit exclude for centos-9 UKI (broken per bootc-dev#1812).

Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
@cgwalters
ci: Unify test-integration jobs into single matrix
0ca59fc 
Consolidate test-integration and test-integration-cfs into a single job
using a unified matrix (test_os × variant) matching the structure of
build-and-publish.yml. This eliminates code duplication and simplifies
maintenance.

Updated required-checks sentinel to depend only on the unified job.

Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
@gemini-code-assist
Copy link
Contributor

gemini-code-assist bot commented Dec 5, 2025

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@bootc-bot bootc-bot bot requested a review from jmarrero December 5, 2025 01:07
@cgwalters cgwalters merged commit e71787f into bootc-dev:main Dec 5, 2025
51 of 56 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@henrywang henrywang henrywang approved these changes

@jmarrero jmarrero Awaiting requested review from jmarrero

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cgwalters @henrywang