chore: update action dependencies and bump wash to v2.0.0-rc.7#16
Open
ericgregory wants to merge 7 commits intowasmCloud:mainfrom
Open
chore: update action dependencies and bump wash to v2.0.0-rc.7#16ericgregory wants to merge 7 commits intowasmCloud:mainfrom
ericgregory wants to merge 7 commits intowasmCloud:mainfrom
Conversation
- Bump setup-wash-action submodule to latest (f27efbc) - Update wash-version in CI test to wash-v2.0.0-rc.7 - Bump actions/checkout from v4 to v6.0.2 (SHA-pinned) - Bump super-linter from v7.4.0 to v8.5.0 (SHA-pinned) - Bump docker/login-action from v3.5.0 to v3.7.0 (SHA-pinned) - Bump taiki-e/install-action from v2.62.6 to v2.68.3 (SHA-pinned) - Pin actions/attest-build-provenance to SHA for v3.2.0 - Pin actions/attest-sbom to SHA for v3.0.0 Signed-off-by: Eric Gregory <egregory04@gmail.com> Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Eric Gregory <egregory04@gmail.com>
Signed-off-by: Eric Gregory <egregory04@gmail.com>
CI failures:
- Update setup-wash-cargo-auditable to write .wash/config.yaml in wash
v2.0 YAML format (build.command string, component_path derived from
Cargo.toml package name) instead of the removed .wash/config.json schema
- Reorder test.yml steps so cargo init runs before setup-wash-cargo-auditable
(Cargo.toml must exist for package name resolution)
- Update test.yml config verification to check .wash/config.yaml
Lint failures (zizmor findings from super-linter v8.5.0):
- wash-oci-publish: move all ${{ inputs.* }} used in run: blocks to env:
blocks to prevent template injection
- wash-oci-publish: replace $GITHUB_ENV writes with $GITHUB_OUTPUT + step
ids (image-info, extract-sbom, convert-sbom) to eliminate github-env
findings
- wash-build: move ${{ steps.build.outputs.component_path }} to env: block
in the verify step
Signed-off-by: Eric Gregory <egregory04@gmail.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Eric Gregory <egregory04@gmail.com>
- setup-wash-cargo-auditable: replace Python heredoc with printf to write .wash/config.yaml — the heredoc's unindented content broke YAML parsing of the action manifest - wash-oci-publish: remove $GITHUB_PATH write by passing cyclonedx binary path via step output (install-cyclonedx) and referencing it via CYCLONEDX_BIN env var in convert-sbom step, eliminating last zizmor github-env finding Signed-off-by: Eric Gregory <egregory04@gmail.com> Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Eric Gregory <egregory04@gmail.com>
cargo init creates a binary crate; wasm components require a cdylib library crate to produce the expected .wasm artifact at target/wasm32-wasip2/release/<name>.wasm Signed-off-by: Eric Gregory <egregory04@gmail.com> Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Eric Gregory <egregory04@gmail.com>
Fork PRs run with a read-only GITHUB_TOKEN regardless of workflow permissions, so pushing to ghcr.io/wasmcloud/actions fails. Gate the OCI publish test to push-to-main only where the token has full package write access. Signed-off-by: Eric Gregory <egregory04@gmail.com>
ricochet
approved these changes
Feb 19, 2026
The grep check on .wash/config.yaml only guards against regressions in setup-wash-cargo-auditable's own source, which would be caught by code review. It cannot be triggered by a consumer of the action. Signed-off-by: Eric Gregory <egregory04@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
setup-wash-actionsubmodule to latest (f27efbc), picking up the wash v2.0.0-rc.7 default and all fixes from chore: update wash default version to v2.0.0-rc.7 setup-wash-action#10wash-versionin CI fromwash-v1.0.0-beta.8towash-v2.0.0-rc.7actions/checkout: v4 → v6.0.2 (SHA-pinned)super-linter/super-linter/slim: v7.4.0 → v8.5.0 (SHA-pinned)docker/login-action: v3.5.0 → v3.7.0 (SHA-pinned)taiki-e/install-action: v2.62.6 → v2.68.3 (SHA-pinned)actions/attest-build-provenance: floating@v3→ SHA-pinned v3.2.0actions/attest-sbom: floating@v3→ SHA-pinned v3.0.0setup-wash-cargo-auditable: wash v2.0 uses.wash/config.yaml(YAML) with abuild.commandstring andbuild.component_path, replacing the old.wash/config.json(JSON) format withbuild.rust.custom_commandarray${{ inputs.* }}references inrun:blocks toenv:blocks to prevent template injection (wash-build,wash-oci-publish)>> $GITHUB_ENV/>> $GITHUB_PATHwrites with>> $GITHUB_OUTPUTusing step IDs (wash-oci-publish)cargo initcreates a binary (command) crate, but wasmCloud components are reactor-style and requirecrate-type = ["cdylib"]to export WIT interfaces. Updated test to usecargo init --liband append the correct[lib]section toCargo.tomlGITHUB_TOKENfor fork PRs is read-only regardless of workflow permissions, so pushing to GHCR is deferred to post-merge runs onmainCreate test Rust projectstep now runs beforeSetup cargo-auditable(which readsCargo.tomlto derive the component path)Test plan
ericgregory/actionsfork (ubuntu-latest)wash buildproduces wasm component at expected path.wash/config.yamlcontainsauditablebuild command