From d50375b97cce0b7fb0c4db6fb64bf74143368a45 Mon Sep 17 00:00:00 2001 From: Eric Gregory Date: Thu, 19 Feb 2026 13:45:16 -0500 Subject: [PATCH 1/7] chore: update action dependencies and bump wash to v2.0.0-rc.7 - Bump setup-wash-action submodule to latest (f27efbc) - Update wash-version in CI test to wash-v2.0.0-rc.7 - Bump actions/checkout from v4 to v6.0.2 (SHA-pinned) - Bump super-linter from v7.4.0 to v8.5.0 (SHA-pinned) - Bump docker/login-action from v3.5.0 to v3.7.0 (SHA-pinned) - Bump taiki-e/install-action from v2.62.6 to v2.68.3 (SHA-pinned) - Pin actions/attest-build-provenance to SHA for v3.2.0 - Pin actions/attest-sbom to SHA for v3.0.0 Signed-off-by: Eric Gregory Co-Authored-By: Claude Sonnet 4.6 Signed-off-by: Eric Gregory --- .github/workflows/lint.yml | 4 ++-- .github/workflows/test.yml | 4 ++-- setup-wash-action | 2 +- setup-wash-cargo-auditable/action.yml | 2 +- wash-oci-publish/action.yml | 8 ++++---- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 76302a4..24494c3 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -21,14 +21,14 @@ jobs: steps: - name: Checkout id: checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 persist-credentials: false - name: Lint Codebase id: super-linter - uses: super-linter/super-linter/slim@12150456a73e248bdc94d0794898f94e23127c88 # v7.4.0 + uses: super-linter/super-linter/slim@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0 env: DEFAULT_BRANCH: main FILTER_REGEX_EXCLUDE: dist/**/* diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 0bfe952..141f6fa 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -21,7 +21,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive fetch-depth: 0 
@@ -30,7 +30,7 @@ jobs: - name: Setup wash CLI uses: ./setup-wash-action with: - wash-version: wash-v1.0.0-beta.8 + wash-version: wash-v2.0.0-rc.7 # create a test working directory - name: Create test directory diff --git a/setup-wash-action b/setup-wash-action index 49c62a9..f27efbc 160000 --- a/setup-wash-action +++ b/setup-wash-action @@ -1 +1 @@ -Subproject commit 49c62a9834282ebac849a3043d37306a625820a3 +Subproject commit f27efbc3b7f728027a859df2b873b86789107ca1 diff --git a/setup-wash-cargo-auditable/action.yml b/setup-wash-cargo-auditable/action.yml index 17fb184..c1fcdca 100644 --- a/setup-wash-cargo-auditable/action.yml +++ b/setup-wash-cargo-auditable/action.yml @@ -15,7 +15,7 @@ inputs: runs: using: "composite" steps: - - uses: taiki-e/install-action@4575ae687efd0e2c78240087f26013fb2484987f # v2.62.6 + - uses: taiki-e/install-action@1cf3de8de323df92fe08c793e53eaef58799aec4 # v2.68.3 with: tool: cargo-auditable,cargo-audit diff --git a/wash-oci-publish/action.yml b/wash-oci-publish/action.yml index 96c28a1..44eae0e 100644 --- a/wash-oci-publish/action.yml +++ b/wash-oci-publish/action.yml @@ -37,7 +37,7 @@ runs: using: "composite" steps: - name: Login to container registry - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ${{ inputs.registry }} username: ${{ github.actor }} 
@@ -81,13 +81,13 @@ runs: - name: Generate artifact attestation if: ${{ inputs.attestation == 'true' }} - uses: actions/attest-build-provenance@v3 + uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 with: subject-name: ${{ inputs.registry }}/${{ env.IMAGE_NAME }} subject-digest: ${{ steps.push.outputs.digest }} push-to-registry: true - - uses: taiki-e/install-action@4575ae687efd0e2c78240087f26013fb2484987f # v2.62.6 + - uses: taiki-e/install-action@1cf3de8de323df92fe08c793e53eaef58799aec4 # v2.68.3 if: ${{ inputs.attestation == 'true' }} with: tool: auditable2cdx @@ -168,7 +168,7 @@ runs: echo "SPDX SBOM file format detection:" file "$SBOM_PATH" - - uses: actions/attest-sbom@v3 + - uses: actions/attest-sbom@4651f806c01d8637787e274ac3bdf724ef169f34 # v3.0.0 if: ${{ inputs.attestation == 'true' }} with: subject-name: ${{ inputs.registry }}/${{ env.IMAGE_NAME }} From a8e04c49d879e206fa50e989458cd6de1cfe60ba Mon Sep 17 00:00:00 2001 From: Eric Gregory Date: Thu, 19 Feb 2026 13:47:15 -0500 Subject: [PATCH 2/7] ci: trigger Actions run Signed-off-by: Eric Gregory From 5485b612f844a419b1bb0e46a27d185d64d87cbb Mon Sep 17 00:00:00 2001 
From: Eric Gregory Date: Thu, 19 Feb 2026 13:57:46 -0500 Subject: [PATCH 3/7] fix: resolve wash v2.0 config format and zizmor security findings CI failures: - Update setup-wash-cargo-auditable to write .wash/config.yaml in wash v2.0 YAML format (build.command string, component_path derived from Cargo.toml package name) instead of the removed .wash/config.json schema - Reorder test.yml steps so cargo init runs before setup-wash-cargo-auditable (Cargo.toml must exist for package name resolution) - Update test.yml config verification to check .wash/config.yaml Lint failures (zizmor findings from super-linter v8.5.0): - wash-oci-publish: move all ${{ inputs.* }} used in run: blocks to env: blocks to prevent template injection - wash-oci-publish: replace $GITHUB_ENV writes with $GITHUB_OUTPUT + step ids (image-info, extract-sbom, convert-sbom) to eliminate github-env findings - wash-build: move ${{ steps.build.outputs.component_path }} to env: block in the verify step Signed-off-by: Eric Gregory Co-Authored-By: Claude Sonnet 4.6 Signed-off-by: Eric Gregory --- .github/workflows/test.yml | 19 +++++---- setup-wash-cargo-auditable/action.yml | 55 +++++++++++++++------------ wash-build/action.yml | 6 ++- wash-oci-publish/action.yml | 55 +++++++++++++++++---------- 4 files changed, 78 insertions(+), 57 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 141f6fa..ffe4199 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -32,22 +32,21 @@ jobs: with: wash-version: wash-v2.0.0-rc.7 - # create a test working directory + # create a test working directory with a Rust project - name: Create test directory run: | mkdir test-dir - cd test-dir - - - name: Setup cargo-auditable - uses: ./setup-wash-cargo-auditable - with: - working-directory: test-dir - name: Create test Rust project working-directory: test-dir run: | cargo init --name test-component + - name: Setup cargo-auditable + uses: ./setup-wash-cargo-auditable + with: + working-directory: test-dir + - name: Test wash-build action id: build uses: ./wash-build @@ -70,9 +69,9 @@ jobs: shell: bash working-directory: test-dir run: | - jq . .wash/config.json - if ! jq -e '.build.rust.custom_command | arrays | contains(["auditable"])' .wash/config.json; then - echo "Error: .wash/config.json does not contain 'auditable' in custom_command" + cat .wash/config.yaml + if ! grep -q 'auditable' .wash/config.yaml; then + echo "Error: .wash/config.yaml does not contain 'auditable' in build command" exit 1 fi diff --git a/setup-wash-cargo-auditable/action.yml b/setup-wash-cargo-auditable/action.yml index c1fcdca..b6fb352 100644 --- a/setup-wash-cargo-auditable/action.yml +++ b/setup-wash-cargo-auditable/action.yml @@ -6,6 +6,10 @@ description: | wash CLI must be installed and available in PATH. We recommend using the wasmcloud/setup-wash-action prior to this action to install wash. + A Cargo project (Cargo.toml) must already exist in the working directory + before calling this action, as it reads the package name to determine + the component output path. + inputs: working-directory: description: "Directory containing the WebAssembly project" 
@@ -19,32 +23,35 @@ runs: with: tool: cargo-auditable,cargo-audit - - name: Set auditable as custom build command in .wash/config.json + - name: Set auditable as custom build command in .wash/config.yaml shell: bash working-directory: ${{ inputs.working-directory }} run: | + set -euo pipefail + + # Derive the wasm artifact path from the Cargo package name + PACKAGE_NAME=$(cargo metadata --no-deps --format-version 1 | jq -r '.packages[0].name' | tr '-' '_') + COMPONENT_PATH="target/wasm32-wasip2/release/${PACKAGE_NAME}.wasm" + mkdir -p .wash - # Create or update config with jq, merging with existing config - if [ -f .wash/config.json ]; then - # Merge with existing config, ensuring nested objects exist - jq '(.build // {}) as $build | - (.build.rust // {}) as $rust | - .build = ($build | .rust = ($rust | - .custom_command = ["cargo", "auditable", "build", "--release", "--target", "wasm32-wasip2", "--message-format", "json"] | - .target = "wasm32-wasip2" | - .release = true - ))' .wash/config.json > .wash/config.json.tmp - mv .wash/config.json.tmp .wash/config.json - else - # Create new config - jq -n '{ - "build": { - "rust": { - "target": "wasm32-wasip2", - "release": true, - "custom_command": ["cargo", "auditable", "build", "--release", "--target", "wasm32-wasip2", "--message-format", "json"] - } - } - }' > .wash/config.json - fi + # Write .wash/config.yaml in wash v2.0 format, preserving any existing + # non-build settings by merging via Python's yaml module + python3 - << 'PYSCRIPT' +import yaml, os, sys + +config_path = '.wash/config.yaml' +config = {} +if os.path.exists(config_path): + with open(config_path) as f: + config = yaml.safe_load(f) or {} + +config['build'] = { + 'command': 'cargo auditable build --release --target wasm32-wasip2', + 'component_path': os.environ['COMPONENT_PATH'], +} + +os.makedirs('.wash', exist_ok=True) +with open(config_path, 'w') as f: + yaml.dump(config, f, default_flow_style=False) +PYSCRIPT 
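Review bot: `PACKAGE_NAME` is read from `.packages[0].name` in the "Set auditable as custom build command" step, but with `--no-deps` that array lists every workspace member, so in a multi-crate workspace the first entry is not necessarily the crate in `working-directory`. `component_path` could then name a different artifact than the one this build produces. The value is also used unchecked, so a `null` or empty result from jq still ends up in the written config. I would select the package by manifest path, or at least guard the result with `[ -n "$PACKAGE_NAME" ] && [ "$PACKAGE_NAME" != "null" ] || { echo "Error: could not resolve Cargo package name" >&2; exit 1; }`.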
diff --git a/wash-build/action.yml b/wash-build/action.yml index 26b7577..d33682c 100644 --- a/wash-build/action.yml +++ b/wash-build/action.yml @@ -62,8 +62,10 @@ runs: - name: Verify Wasm binary exists shell: bash working-directory: ${{ inputs.working-directory }} + env: + COMPONENT_PATH: ${{ steps.build.outputs.component_path }} run: | - if [ ! -f "${{ steps.build.outputs.component_path }}" ]; then - echo "Error: ${{ steps.build.outputs.component_path }} not found!" >&2 + if [ ! -f "$COMPONENT_PATH" ]; then + echo "Error: $COMPONENT_PATH not found!" >&2 exit 1 fi diff --git a/wash-oci-publish/action.yml b/wash-oci-publish/action.yml index 44eae0e..ab35e3a 100644 --- a/wash-oci-publish/action.yml +++ b/wash-oci-publish/action.yml 
@@ -43,34 +43,39 @@ runs: username: ${{ github.actor }} password: ${{ inputs.token }} - - name: Set IMAGE_NAME env as lower-case repository name + - name: Set image name and SBOM filename + id: image-info shell: bash run: | - echo "IMAGE_NAME=${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV - # Create a sanitized filename for SBOM (replace / with -) - echo "SBOM_FILENAME=$(echo "${GITHUB_REPOSITORY,,}" | tr '/' '-').spdx.json" >> $GITHUB_ENV + echo "image_name=${GITHUB_REPOSITORY,,}" >> $GITHUB_OUTPUT + echo "sbom_filename=$(echo "${GITHUB_REPOSITORY,,}" | tr '/' '-').spdx.json" >> $GITHUB_OUTPUT - name: Push Wasm component to container registry id: push shell: bash + env: + IMAGE_TAGS: ${{ inputs.image_tags }} + REGISTRY: ${{ inputs.registry }} + IMAGE_NAME: ${{ steps.image-info.outputs.image_name }} + COMPONENT_PATH: ${{ inputs.component_path }} run: | # Split comma-separated tags and push each one - IFS=',' read -ra TAGS <<< "${{ inputs.image_tags }}" + IFS=',' read -ra TAGS <<< "$IMAGE_TAGS" digests=() for tag in "${TAGS[@]}"; do # Trim whitespace tag=$(echo "$tag" | xargs) - echo "Pushing ${{ inputs.registry }}/${{ env.IMAGE_NAME }}:$tag" - - push_output=$(wash oci push --output json "${{ inputs.registry }}/${{ env.IMAGE_NAME }}:$tag" "${{ inputs.component_path }}") + echo "Pushing $REGISTRY/$IMAGE_NAME:$tag" + + push_output=$(wash oci push --output json "$REGISTRY/$IMAGE_NAME:$tag" "$COMPONENT_PATH") digest=$(echo "$push_output" | jq -r .data.digest) - + if [ -z "$digest" ] || [ "$digest" = "null" ]; then echo "Failed to determine pushed component digest for tag $tag: $push_output" >&2 exit 1 fi - + echo "Component pushed with digest: $digest for tag: $tag" digests+=("$digest") done 
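Review bot: The `>> $GITHUB_OUTPUT` redirections added in the "Set image name and SBOM filename" step leave the variable unquoted, a style point that shellcheck reports as SC2086; write `>> "$GITHUB_OUTPUT"`. The same unquoted form is added in the "Extract SBOM from component" and "Convert SBOM to SPDX" steps later in this patch, and in the "Install CycloneDX CLI" step in PATCH 4/7. The path is set by the runner, so this is unlikely to misbehave in practice, but quoting it matches the quoted `"$COMPONENT_PATH"` and `"$REGISTRY/$IMAGE_NAME:$tag"` expansions this commit introduces.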
@@ -83,7 +88,7 @@ runs: if: ${{ inputs.attestation == 'true' }} uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 with: - subject-name: ${{ inputs.registry }}/${{ env.IMAGE_NAME }} + subject-name: ${{ inputs.registry }}/${{ steps.image-info.outputs.image_name }} subject-digest: ${{ steps.push.outputs.digest }} push-to-registry: true @@ -95,6 +100,8 @@ runs: - name: Install CycloneDX CLI if: ${{ inputs.attestation == 'true' }} shell: bash + env: + CYCLONEDX_VERSION: ${{ inputs.cyclonedx-version }} run: | # Detect OS and architecture for cyclonedx-cli binary case "$(uname -s)" in @@ -124,9 +131,9 @@ runs: *) echo "Unsupported OS: $(uname -s)"; exit 1 ;; esac - # Pin to known good version 0.29.1 + # Pin to known good version echo "Downloading cyclonedx-cli binary: $BINARY_NAME" - curl -LO "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v${{ inputs.cyclonedx-version }}/$BINARY_NAME" + curl -LO "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v${CYCLONEDX_VERSION}/${BINARY_NAME}" chmod +x "$BINARY_NAME" # Create a directory for the binary and add to PATH 
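Review bot: The `curl -LO` line in the "Install CycloneDX CLI" step (hunk `@@ -124,9 +131,9`) fetches a release binary with no integrity check. That binary is made executable and used to produce the SBOM that is later attested, while every `uses:` reference in this series is SHA-pinned. Without `--fail`, an HTTP error body would also be saved as `$BINARY_NAME` and only surface when the file is executed. I would change the download to `curl --fail --location --remote-name "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v${CYCLONEDX_VERSION}/${BINARY_NAME}"` and follow it with `echo "<expected-sha256>  $BINARY_NAME" | sha256sum --check` (placeholder digest; since `cyclonedx-version` is an input, the expected value has to be keyed by version and platform). The step's `run:` block starts and ends outside this hunk, and the same download line appears as context in PATCH 4/7.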
@@ -135,30 +142,36 @@ runs: echo "$HOME/.local/bin" >> $GITHUB_PATH - name: Extract SBOM from component + id: extract-sbom if: ${{ inputs.attestation == 'true' }} shell: bash + env: + COMPONENT_PATH: ${{ inputs.component_path }} run: | # Create absolute path for CycloneDX SBOM file CYCLONEDX_PATH="$(pwd)/$(echo "${GITHUB_REPOSITORY,,}" | tr '/' '-').cyclonedx.json" # Extract CycloneDX SBOM - auditable2cdx ${{ inputs.component_path }} > "$CYCLONEDX_PATH" + auditable2cdx "$COMPONENT_PATH" > "$CYCLONEDX_PATH" echo "CycloneDX SBOM created at: $CYCLONEDX_PATH" - # Store path for next step - echo "CYCLONEDX_ABS_PATH=$CYCLONEDX_PATH" >> $GITHUB_ENV + echo "cyclonedx_path=$CYCLONEDX_PATH" >> $GITHUB_OUTPUT - name: Convert SBOM to SPDX + id: convert-sbom if: ${{ inputs.attestation == 'true' }} shell: bash + env: + SBOM_FILENAME: ${{ steps.image-info.outputs.sbom_filename }} + CYCLONEDX_ABS_PATH: ${{ steps.extract-sbom.outputs.cyclonedx_path }} run: | # Create absolute path for SPDX SBOM file - SBOM_PATH="$(pwd)/${{ env.SBOM_FILENAME }}" + SBOM_PATH="$(pwd)/$SBOM_FILENAME" # Convert CycloneDX to SPDX format for GitHub attestation - cyclonedx convert --input-file "${{ env.CYCLONEDX_ABS_PATH }}" --output-file "$SBOM_PATH" --output-format spdxjson + cyclonedx convert --input-file "$CYCLONEDX_ABS_PATH" --output-file "$SBOM_PATH" --output-format spdxjson - echo "SBOM_ABS_PATH=$SBOM_PATH" >> $GITHUB_ENV + echo "sbom_abs_path=$SBOM_PATH" >> $GITHUB_OUTPUT # Debug: Print SBOM file info and contents echo "SPDX SBOM file created at: $SBOM_PATH" @@ -171,6 +184,6 @@ runs: - uses: actions/attest-sbom@4651f806c01d8637787e274ac3bdf724ef169f34 # v3.0.0 if: ${{ inputs.attestation == 'true' }} with: - subject-name: ${{ inputs.registry }}/${{ env.IMAGE_NAME }} + subject-name: ${{ inputs.registry }}/${{ steps.image-info.outputs.image_name }} subject-digest: ${{ steps.push.outputs.digest }} - sbom-path: ${{ env.SBOM_ABS_PATH }} + sbom-path: ${{ steps.convert-sbom.outputs.sbom_abs_path }} 
From fe234f7f86c9368d660d19be985bc65c19543a7e Mon Sep 17 00:00:00 2001 From: Eric Gregory Date: Thu, 19 Feb 2026 14:02:23 -0500 Subject: [PATCH 4/7] fix: replace Python heredoc with printf and remove GITHUB_PATH write MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - setup-wash-cargo-auditable: replace Python heredoc with printf to write .wash/config.yaml — the heredoc's unindented content broke YAML parsing of the action manifest - wash-oci-publish: remove $GITHUB_PATH write by passing cyclonedx binary path via step output (install-cyclonedx) and referencing it via CYCLONEDX_BIN env var in convert-sbom step, eliminating last zizmor github-env finding Signed-off-by: Eric Gregory Co-Authored-By: Claude Sonnet 4.6 Signed-off-by: Eric Gregory --- setup-wash-cargo-auditable/action.yml | 23 +++-------------------- wash-oci-publish/action.yml | 10 ++++++---- 2 files changed, 9 insertions(+), 24 deletions(-) diff --git a/setup-wash-cargo-auditable/action.yml b/setup-wash-cargo-auditable/action.yml index b6fb352..e2d9449 100644 --- a/setup-wash-cargo-auditable/action.yml +++ b/setup-wash-cargo-auditable/action.yml 
@@ -35,23 +35,6 @@ runs: mkdir -p .wash - # Write .wash/config.yaml in wash v2.0 format, preserving any existing - # non-build settings by merging via Python's yaml module - python3 - << 'PYSCRIPT' -import yaml, os, sys - -config_path = '.wash/config.yaml' -config = {} -if os.path.exists(config_path): - with open(config_path) as f: - config = yaml.safe_load(f) or {} - -config['build'] = { - 'command': 'cargo auditable build --release --target wasm32-wasip2', - 'component_path': os.environ['COMPONENT_PATH'], -} - -os.makedirs('.wash', exist_ok=True) -with open(config_path, 'w') as f: - yaml.dump(config, f, default_flow_style=False) -PYSCRIPT + # Write .wash/config.yaml in wash v2.0 format + printf 'build:\n command: cargo auditable build --release --target wasm32-wasip2\n component_path: "%s"\n' \ + "$COMPONENT_PATH" > .wash/config.yaml diff --git a/wash-oci-publish/action.yml b/wash-oci-publish/action.yml index ab35e3a..9cb521e 100644 --- a/wash-oci-publish/action.yml +++ b/wash-oci-publish/action.yml @@ -98,6 +98,7 @@ runs: tool: auditable2cdx - name: Install CycloneDX CLI + id: install-cyclonedx if: ${{ inputs.attestation == 'true' }} shell: bash env: @@ -134,12 +135,12 @@ runs: # Pin to known good version echo "Downloading cyclonedx-cli binary: $BINARY_NAME" curl -LO "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v${CYCLONEDX_VERSION}/${BINARY_NAME}" - chmod +x "$BINARY_NAME" - # Create a directory for the binary and add to PATH mkdir -p "$HOME/.local/bin" mv "$BINARY_NAME" "$HOME/.local/bin/cyclonedx" - echo "$HOME/.local/bin" >> $GITHUB_PATH + chmod +x "$HOME/.local/bin/cyclonedx" + + echo "cyclonedx_bin=$HOME/.local/bin/cyclonedx" >> $GITHUB_OUTPUT - name: Extract SBOM from component id: extract-sbom 
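Review bot: The `printf ... > .wash/config.yaml` added in the "Set auditable as custom build command" step truncates any config already present in the working directory. The code it replaces merged into an existing file, and its comment promised to preserve non-build settings. A consumer whose repository commits a `.wash/config.yaml` would lose those settings for the build without any message. If overwriting is intended, say so in the action `description`; otherwise fail early with `if [ -f .wash/config.yaml ]; then echo "Error: .wash/config.yaml already exists; refusing to overwrite" >&2; exit 1; fi`, or merge only the `build` keys into the existing file. The `run:` block begins outside this hunk.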
@@ -164,12 +165,13 @@ runs: env: SBOM_FILENAME: ${{ steps.image-info.outputs.sbom_filename }} CYCLONEDX_ABS_PATH: ${{ steps.extract-sbom.outputs.cyclonedx_path }} + CYCLONEDX_BIN: ${{ steps.install-cyclonedx.outputs.cyclonedx_bin }} run: | # Create absolute path for SPDX SBOM file SBOM_PATH="$(pwd)/$SBOM_FILENAME" # Convert CycloneDX to SPDX format for GitHub attestation - cyclonedx convert --input-file "$CYCLONEDX_ABS_PATH" --output-file "$SBOM_PATH" --output-format spdxjson + "$CYCLONEDX_BIN" convert --input-file "$CYCLONEDX_ABS_PATH" --output-file "$SBOM_PATH" --output-format spdxjson echo "sbom_abs_path=$SBOM_PATH" >> $GITHUB_OUTPUT From ed734e644c538f4a8706e6beb5d94eec284d28fa Mon Sep 17 00:00:00 2001 From: Eric Gregory Date: Thu, 19 Feb 2026 14:11:19 -0500 Subject: [PATCH 5/7] fix: use cdylib library crate for wasm component test project cargo init creates a binary crate; wasm components require a cdylib library crate to produce the expected .wasm artifact at target/wasm32-wasip2/release/.wasm Signed-off-by: Eric Gregory Co-Authored-By: Claude Sonnet 4.6 Signed-off-by: Eric Gregory --- .github/workflows/test.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ffe4199..2c544db 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -40,7 +40,8 @@ jobs: - name: Create test Rust project working-directory: test-dir run: | - cargo init --name test-component + cargo init --lib --name test-component + printf '\n[lib]\ncrate-type = ["cdylib"]\n' >> Cargo.toml - name: Setup cargo-auditable uses: ./setup-wash-cargo-auditable From ba95748a271dc42b05d3fbe3f7b5b6d224bb1c80 Mon Sep 17 00:00:00 2001 
From: Eric Gregory Date: Thu, 19 Feb 2026 14:55:12 -0500 Subject: [PATCH 6/7] ci: skip OCI publish test on pull requests from forks Fork PRs run with a read-only GITHUB_TOKEN regardless of workflow permissions, so pushing to ghcr.io/wasmcloud/actions fails. Gate the OCI publish test to push-to-main only where the token has full package write access. Signed-off-by: Eric Gregory --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 2c544db..39de798 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -77,6 +77,7 @@ jobs: fi - name: Test wash-oci-publish action (multiple tags) + if: github.event_name == 'push' uses: ./wash-oci-publish with: component_path: ${{ steps.build.outputs.component_path }} From 39a2ac868a2adc96390869fee738f9cc71ad9207 Mon Sep 17 00:00:00 2001 From: Eric Gregory Date: Thu, 19 Feb 2026 16:23:25 -0500 Subject: [PATCH 7/7] ci: remove redundant wash config auditable check The grep check on .wash/config.yaml only guards against regressions in setup-wash-cargo-auditable's own source, which would be caught by code review. It cannot be triggered by a consumer of the action. Signed-off-by: Eric Gregory --- .github/workflows/test.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 39de798..01aded0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -66,16 +66,6 @@ jobs: env: STEPS_BUILD_OUTPUTS_COMPONENT_PATH: ${{ steps.build.outputs.component_path }} - - name: Verify wash config updated with cargo-auditable - shell: bash - working-directory: test-dir - run: | - cat .wash/config.yaml - if ! grep -q 'auditable' .wash/config.yaml; then - echo "Error: .wash/config.yaml does not contain 'auditable' in build command" - exit 1 - fi - - name: Test wash-oci-publish action (multiple tags) if: github.event_name == 'push' uses: ./wash-oci-publish
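Review bot: The `if: github.event_name == 'push'` added to the "Test wash-oci-publish action (multiple tags)" step in PATCH 6/7 is broader than the commit message's "push-to-main only". It runs the publish on a push to any branch this workflow triggers on, and it skips the step for all pull requests, not only those from forks. The workflow's `on:` block is outside the hunk, so if it is not already restricted to `main`, consider `if: github.event_name == 'push' && github.ref == 'refs/heads/main'`. A one-line comment above the condition, such as `# fork PRs get a read-only GITHUB_TOKEN, so only publish on push`, would keep the reason next to the gate.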