The SHA-pinned versions from the security hardening commit referenced
non-existent commit hashes, causing the workflow to fail with 'unable
to resolve action'. Switch to standard major version tags (v4, v3, v2,
v6, v5) which are the recommended approach for GitHub-maintained and
well-known actions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Pinned all 7 third-party actions from mutable version tags to immutable
commit SHAs. Mutable tags (e.g. @v4) can be force-pushed by the action
author (or a compromised account) to inject malicious code into the workflow,
which runs with write access to the repo and GHCR registry.
Also moved 'permissions' from workflow level to job level (best practice:
scope permissions as narrowly as possible).
Pin mapping:
actions/checkout@v4 -> @11bd71901bbe... (v4.2.2)
softprops/action-gh-release@v2 -> @c062e08bd532... (v2.2.1)
docker/setup-qemu-action@v3 -> @49b3bc8e6bdd... (v3.2.0)
docker/setup-buildx-action@v3 -> @c47758b77c97... (v3.7.1)
docker/login-action@v3 -> @9780b0c442fb... (v3.3.0)
docker/metadata-action@v5 -> @369eb591f429... (v5.6.1)
docker/build-push-action@v6 -> @ca877d9245fe... (v6.10.0)

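The two commits above (the SHA pinning and its revert) together describe the check a reviewer wants before such a change lands: every `uses:` must point at a full 40-character commit SHA with a comment recording the tag it came from, and `permissions` should live at job level. The scanner below is an added example written for this log, not code from the hermes-webui repository or from GitHub; the workflow text it scans is constructed, and the all-zero SHA is a placeholder, not a real commit. It checks the shape of each reference only; as the revert commit shows, a well-formed SHA can still be one that does not exist, so the final step is still `git ls-remote <repo-url> refs/tags/<tag>` (for an annotated tag, compare against the peeled `^{}` line) before committing the pin.

```python
"""Scan a GitHub Actions workflow for mutable action refs and workflow-level permissions."""
import re
from typing import List, Optional

# Constructed sample workflow (not the project's own file). The 'loose' job
# shows the pre-hardening state; the 'hardened' job shows the pinned form.
# The 40-zero SHA is a placeholder standing in for a real commit hash.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: write
  packages: write
jobs:
  loose:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@0123456789ab  # abbreviated SHA (constructed)
  hardened:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      packages: write
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4.2.2 (placeholder SHA)
      - uses: ./.github/actions/local-thing
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Captures the reference after 'uses:' and, if present, the trailing '# ...' comment.
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(?:#\s*(.*))?$")


def check_uses(ref: str, comment: str = "") -> Optional[str]:
    """Return a finding for one `uses:` reference, or None if it is acceptably pinned."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return None  # local composite action or container image: no tag to force-push
    if "@" not in ref:
        return f"{ref}: no version given at all"
    _, version = ref.rsplit("@", 1)
    if FULL_SHA.match(version):
        # A full SHA is immutable; the comment records which tag it was taken from
        # so the pin stays auditable and updatable.
        if not re.search(r"v?\d+(\.\d+)*", comment or ""):
            return f"{ref}: pinned, but missing a '# vX.Y.Z' comment naming the source tag"
        return None
    if re.fullmatch(r"[0-9a-f]{7,39}", version):
        return f"{ref}: abbreviated SHA; pin the full 40-character commit hash"
    return f"{ref}: mutable reference '{version}'; pin to a full commit SHA"


def scan_workflow(text: str) -> List[str]:
    """Walk the workflow line by line and collect findings with line numbers."""
    findings: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if m:
            finding = check_uses(m.group(1), m.group(2) or "")
            if finding:
                findings.append(f"line {lineno}: {finding}")
        # A 'permissions:' key at column 0 applies to every job in the workflow.
        if re.match(r"^permissions:", line):
            findings.append(f"line {lineno}: workflow-level permissions; scope them per job instead")
    return findings


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f)
```

Running it on the constructed workflow reports the workflow-level `permissions:` block, the `@v4` tag, and the abbreviated SHA, and accepts the fully pinned step and the local action.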
On tag push (v*):
- Creates a GitHub Release with auto-generated release notes
- Builds multi-arch Docker image (linux/amd64, linux/arm64)
- Pushes to ghcr.io/nesquena/hermes-webui with semver tags
- Uses GitHub Actions cache for faster builds
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>