
Add CI workflow linting and publish :main image#3

Merged
ThomasK33 merged 2 commits into
mainfrom
ci-cd-6a9g
Feb 9, 2026

Conversation

@ThomasK33
Member

Summary

  • add actionlint and zizmor to the Nix dev shell (flake.nix)
  • extend CI to run on both pull requests and pushes to main
  • add a dedicated lint-actions job that runs actionlint and zizmor
  • add a publish-main job that builds and pushes ghcr.io/coder/coder-k8s:main on merges to main
  • harden workflow actions for security linting (pinned SHAs, persist-credentials: false, publish job cache disabled)

Validation

  • go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.10
  • zizmor .github/workflows/ci.yaml

📋 Implementation Plan

Plan: Publish :main image on main merges + add Actions linting (actionlint + zizmor)

Context / Why

The request now includes three deliverables in one PR: (1) publish ghcr.io/coder/coder-k8s:main on merges to main, (2) enforce GitHub Actions validation with actionlint, and (3) run zizmor checks for workflow security issues, while also adding both tools to flake.nix for reproducible local use. The plan keeps these changes minimal by extending the existing ci.yaml workflow and updating the existing Nix dev shell.

Evidence

  • Explore report 51ee42b024 (workflow baseline):
    • .github/workflows/ci.yaml currently only triggers on PRs.
    • .github/workflows/release.yaml already uses GHCR login via docker/login-action@v3 + GITHUB_TOKEN.
  • Explore report 2afaa89579 (release conventions):
    • Existing image coordinates are ghcr.io/coder/coder-k8s with Dockerfile.goreleaser.
  • Explore report 3863c6adc3 (Nix tooling):
    • flake.nix provides tooling via devShells.<system>.default.packages.
    • pkgs.actionlint and pkgs.zizmor are available in the current nixpkgs input.
  • Explore report 8231c45f71 (CI integration shape):
    • A dedicated workflow lint job in ci.yaml fits the current style and contents: read permissions.

These findings are sufficient to define concrete edit locations and commands for all requested additions.

Implementation details

  1. Update flake.nix dev shell tooling

    • Edit devShells.<system>.default.packages to include both workflow linters.
    • Keep the existing package set; append:
    default = pkgs.mkShell {
      packages = with pkgs; [
        go
        gnumake
        git
        goreleaser
        actionlint
        zizmor
      ];
    };
  2. Extend .github/workflows/ci.yaml trigger to include merged main pushes

    • Keep existing PR trigger.
    • Add push trigger for main so merge commits run CI:
    on:
      pull_request:
      push:
        branches: [main]
  3. Add workflow lint/security job in .github/workflows/ci.yaml

    • Add a dedicated lint-actions job for GH Actions validation.
    • Run both actionlint and zizmor in CI to catch syntax/semantic issues and security footguns.
    • Keep permissions minimal (contents: read); optionally pass ${{ github.token }} to reduce rate-limit risk for metadata lookups.
    jobs:
      lint-actions:
        name: Lint GitHub Actions
        runs-on: ubuntu-latest
        permissions:
          contents: read
        steps:
          - uses: actions/checkout@v4
    
          - name: actionlint
            uses: rhysd/actionlint-action@v1
    
          - name: zizmor
            uses: woodruffw/zizmor-action@v1
            env:
              GH_TOKEN: ${{ github.token }}
  4. Add main-branch image publish job in .github/workflows/ci.yaml

    • Add publish-main job gated on successful test and lint-actions.
    • Restrict execution to push on refs/heads/main.
    • Reuse GHCR auth convention from release.yaml.
    • Build coder-k8s binary before Docker build (required by Dockerfile.goreleaser).
    jobs:
      test:
        ...
    
      lint-actions:
        ...
    
      publish-main:
        name: Publish GHCR :main
        needs: [test, lint-actions]
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        runs-on: ubuntu-latest
        permissions:
          contents: read
          packages: write
        steps:
          - uses: actions/checkout@v4
          - uses: actions/setup-go@v5
            with:
              go-version-file: go.mod
              cache: true
          - name: Build linux/amd64 binary for image
            run: CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o coder-k8s ./
          - uses: docker/setup-buildx-action@v3
          - name: Log in to GitHub Container Registry
            uses: docker/login-action@v3
            with:
              registry: ghcr.io
              username: ${{ github.actor }}
              password: ${{ secrets.GITHUB_TOKEN }}
          - name: Build and push :main
            uses: docker/build-push-action@v5
            with:
              context: .
              file: Dockerfile.goreleaser
              push: true
              tags: ghcr.io/coder/coder-k8s:main
  5. Validation checklist for the PR

    • Confirm flake.nix evaluates and dev shell exposes actionlint + zizmor.
    • Confirm ci.yaml remains valid (actionlint passes in CI).
    • Confirm zizmor runs on PRs and fails on actionable workflow security findings.
    • Confirm publish-main is skipped on PRs and runs only on push to main.
    • After merge to main, verify ghcr.io/coder/coder-k8s:main exists.

Why this approach (concise)
  • Single CI workflow extension: keeps changes localized to ci.yaml plus one Nix file.
  • Defensive gating: publish-main waits for both code tests and workflow lint/security checks.
  • Reproducibility: adding tools to flake.nix makes local verification match CI expectations.
  • Convention reuse: preserves existing GHCR image naming and authentication patterns already used by release automation.

Generated with mux • Model: openai:gpt-5.3-codex • Thinking: xhigh
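As an added illustration of two of the hardening rules the summary lists (pinned SHAs and persist-credentials: false), here is a small Python check that scans a workflow fragment for mutable action refs and for actions/checkout steps that keep the token. This is example code written for this page, not the PR's ci.yaml or the repository's tooling; the workflow text and its 40-hex ref are constructed placeholders, and actionlint/zizmor remain the real linters.

```python
import re

# Constructed sample workflow fragment for this example (not the PR's ci.yaml).
# The 40-hex ref below is a placeholder, not a real actions/checkout commit.
SAMPLE_WORKFLOW = """\
jobs:
  lint-actions:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: actionlint
        uses: rhysd/actionlint-action@v1
  publish-main:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
        with:
          persist-credentials: false
      - uses: docker/login-action@v3
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text: str) -> list[str]:
    """Flag actions not pinned to a commit SHA and checkouts that keep the token."""
    findings = []
    lines = text.splitlines()
    for num, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if not m or "@" not in m.group(1):
            continue  # not a step, or a local/docker action without a ref
        name, ref = m.group(1).rsplit("@", 1)
        if not SHA_RE.match(ref):
            findings.append(f"line {num}: {name}@{ref} is a mutable ref; pin to a full commit SHA")
        if name == "actions/checkout":
            # Scan the step's remaining keys (indented at least as deep as `uses`)
            # for an explicit persist-credentials: false.
            key_indent = line.index("uses:")
            keeps_token = True
            for nxt in lines[num:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) < key_indent:
                    break  # next step or next job
                if re.match(r"^\s*persist-credentials:\s*false\s*$", nxt):
                    keeps_token = False
            if keeps_token:
                findings.append(f"line {num}: actions/checkout keeps GITHUB_TOKEN in .git/config; set persist-credentials: false")
    return findings
```

Calling audit_workflow(SAMPLE_WORKFLOW) returns four findings: three mutable refs (lines 5, 7 and 14) and one checkout without persist-credentials: false (line 5); the pinned checkout on line 11 is clean.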

@ThomasK33
Member Author

@codex review


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 86f583bc69

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@ThomasK33
Member Author

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Can't wait for the next one!


@ThomasK33 ThomasK33 merged commit c19721b into main Feb 9, 2026
3 checks passed
@ThomasK33 ThomasK33 deleted the ci-cd-6a9g branch February 9, 2026 10:46