Commit 93fcdd6
TT-16964 - remove sbom job from release workflow (#962)
* fix: remove sbom job from release workflow
The sbom job was requesting 'id-token: write' permission but the
workflow-level permissions only grant 'id-token: none', causing
the workflow validation to fail with:
Error calling workflow '...sbom.yaml': The nested job 'sbom' is
requesting 'id-token: write', but is only allowed 'id-token: none'.
Removing the sbom job resolves the validation error.
Refs: TT-16964
Signed-off-by: bsten-tyk <221599321+bsten-tyk@users.noreply.github.com>
* fix: use go install instead of go run for goimports in ci-test
The security hardening commit 339740c changed 'go install' to 'go run'
for goimports, which only executes it once without installing the
binary. This caused ci-test.sh to fail with 'goimports: command not
found' since the binary was never placed on PATH.
Using 'go install' with a pinned version (@v0.33.0) satisfies both
the security requirement (pinned, not @latest) and the functional
requirement (binary available for ci-test.sh).
Refs: TT-16964
Signed-off-by: bsten-tyk <221599321+bsten-tyk@users.noreply.github.com>
* fix: upgrade gotestsum to v1.13.0 for Go 1.25 compatibility
gotestsum@v1.12.1 depends on golang.org/x/tools@v0.24.0 which is
incompatible with Go 1.25 (invalid array length -delta * delta in
tokeninternal.go:64). Upgrading to gotestsum@v1.13.0 pulls in
golang.org/x/tools@v0.36.0 which compiles cleanly.
Refs: TT-16964
Signed-off-by: bsten-tyk <221599321+bsten-tyk@users.noreply.github.com>
* fix: use multi-platform manifest list digests in Dockerfile.distroless
The security hardening commit 339740c pinned base images to SHA256
digests, but used single-platform (amd64-only) digests instead of
multi-platform manifest list digests. This breaks multi-arch Docker
builds because arm64/s390x build stages pull the amd64-only base image.
Replace with manifest list digests that cover all required platforms:
- debian:trixie-slim: amd64, arm64, s390x, and others
- gcr.io/distroless/static-debian12:nonroot: amd64, arm64, s390x, ppc64le
Verified via: docker buildx imagetools inspect <image>
Refs: TT-16964
Signed-off-by: bsten-tyk <221599321+bsten-tyk@users.noreply.github.com>
* fix: use unpinned tags in Dockerfile.distroless per code review
SHA pinning base images prevents automatic Debian security patch
updates from flowing through. Without automated digest bumping
(dependabot/digestabot), pinned digests will fall behind on CVE
fixes. Revert to unpinned tags matching the tyk gateway project
and gromit-generated templates.
Refs: TT-16964
Signed-off-by: bsten-tyk <221599321+bsten-tyk@users.noreply.github.com>
---------
Signed-off-by: bsten-tyk <221599321+bsten-tyk@users.noreply.github.com>
1 parent b30deed commit 93fcdd6
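The commit message above weighs two pinning choices: base images pinned to a SHA256 digest (reproducible, but Debian CVE fixes only arrive when something bumps the digest) versus plain tags, and Go tools fetched with `go install` at a pinned version versus `go run` or `@latest`. The shell script below is an added example, not code from commit 93fcdd6 or the tyk project; it classifies each `FROM` line of a Dockerfile and each `go install`/`go run` call in a CI script so a CI step can report on, or gate on, how things are pinned. It assumes uppercase `FROM` and a package path immediately after `go install`/`go run` (no flags in between); the Dockerfile and CI lines it reads are constructed samples, and the digest in the sample is a placeholder, not a real image digest.

```shell
#!/bin/sh
# Added example, not part of commit 93fcdd6 or the tyk project: audit the two
# pinning decisions discussed in the commit message. Sample inputs are
# constructed; the digest below is a placeholder.

# classify_from_line "FROM ..." -> digest | tag | unpinned
#   digest:   immutable, but base-image security patches only arrive when
#             something bumps the digest (the trade-off the message describes)
#   tag:      mutable, picks up patches automatically, image can change
#             without any diff in the repo
#   unpinned: bare name or an explicit :latest
classify_from_line() {
  image=$(printf '%s\n' "$1" \
    | sed -E 's/^[[:space:]]*FROM[[:space:]]+(--platform=[^[:space:]]+[[:space:]]+)?//; s/[[:space:]]+AS[[:space:]]+.*$//')
  case "$image" in
    *@sha256:*) echo digest ;;
    *:latest)   echo unpinned ;;
    *:*)        echo tag ;;      # a registry port (host:5000/img) would also land here
    *)          echo unpinned ;;
  esac
}

# classify_go_tool_line "go install|run pkg[@version] ..." -> <cmd>:<pin>
#   cmd: install (binary lands in GOBIN, usable by later scripts) or
#        run (executes once, nothing is left on PATH: the goimports breakage)
#   pin: pinned (@vX.Y.Z or a commit), latest (@latest), unversioned (no @)
# Prints "none" for lines that are not go install/run invocations.
classify_go_tool_line() {
  case "$1" in
    *"go install "*) cmd=install ;;
    *"go run "*)     cmd=run ;;
    *)               echo none; return 0 ;;
  esac
  pkg=$(printf '%s\n' "$1" | sed -E 's/.*go (install|run)[[:space:]]+//; s/[[:space:]].*$//')
  case "$pkg" in
    *@latest) pin=latest ;;
    *@*)      pin=pinned ;;
    *)        pin=unversioned ;;
  esac
  echo "$cmd:$pin"
}

# audit_dockerfile: Dockerfile on stdin -> one "<class> <FROM line>" per FROM
audit_dockerfile() {
  while IFS= read -r line; do
    case "$line" in
      "FROM "*) printf '%s %s\n' "$(classify_from_line "$line")" "$line" ;;
    esac
  done
}

# count_unpinned_from: Dockerfile on stdin -> number of FROM lines that are
# neither digest- nor tag-pinned (grep -c prints 0 but exits 1 on no match,
# hence the || true so callers under set -e are not killed)
count_unpinned_from() {
  n=$(audit_dockerfile | grep -c '^unpinned ' || true)
  echo "$n"
}

# Constructed sample Dockerfile: a tag-pinned build stage, a digest-pinned
# runtime image (placeholder digest) and a bare image name.
SAMPLE_DOCKERFILE='FROM --platform=$BUILDPLATFORM debian:trixie-slim AS builder
RUN apt-get update
FROM gcr.io/distroless/static-debian12:nonroot@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM golang'

# Constructed sample CI script lines covering install/run and the pin variants.
SAMPLE_CI='go run golang.org/x/tools/cmd/goimports@v0.33.0 -l .
go install golang.org/x/tools/cmd/goimports@v0.33.0
go install gotest.tools/gotestsum@latest
go test ./...'

printf '%s\n' "$SAMPLE_DOCKERFILE" | audit_dockerfile
printf 'unpinned FROM lines: %s\n' "$(printf '%s\n' "$SAMPLE_DOCKERFILE" | count_unpinned_from)"
printf '%s\n' "$SAMPLE_CI" | while IFS= read -r l; do
  printf '%s  %s\n' "$(classify_go_tool_line "$l")" "$l"
done
```

Pipe a real Dockerfile into `audit_dockerfile` to see the classification, or gate a CI step with `[ "$(count_unpinned_from < Dockerfile)" -eq 0 ]`. Whether a repository settles on digests with an automated bumper or on tags, as this commit does, the classifier keeps that choice visible in CI rather than leaving it to be rediscovered by the next hardening pass.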
File tree
4 files changed (+4, -11 lines changed)
- .github/workflows
- ci
Diff hunk 1 (file name and line contents not captured on this page): lines 64-70, with original line 67 removed and replaced by a new line 67 (1 deletion, 1 addition).
Diff hunk 2 (file name and line contents not captured on this page): lines 61-67, with original line 64 removed and replaced by a new line 64 (1 deletion, 1 addition).
Diff hunk 3 (file name and line contents not captured on this page): context lines 515-517 unchanged; original lines 518-524 removed with nothing added (7 deletions, 0 additions).
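Review bot: this hunk deletes seven lines (518-524) and adds nothing, which is consistent with the removal of the `sbom` job described in the commit message; please confirm that no remaining job in the workflow still names the removed job in a `needs:` list or reads its outputs, since a `needs:` reference to a job that no longer exists fails workflow validation just as the `id-token` permission mismatch did. It would also be worth stating in the PR that SBOM generation is now absent from the release workflow, or, if it is still wanted, keeping the job and granting `id-token: write` at the workflow level, which is the other way to satisfy the error quoted in the message.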
Diff hunk 4 (file name and line contents not captured on this page): lines 1-6, with original line 3 replaced by a new line 3; lines 10-16, with original line 13 replaced by a new line 13 (2 deletions, 2 additions).
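Review bot: the two single-line replacements at lines 3 and 13 of this file match the two `FROM` lines that the last commit in the message reverts from SHA256 digests back to plain tags in Dockerfile.distroless, assuming this is that file. The message states the trade-off well (tags pick up Debian CVE fixes, digests do not until something bumps them), but nothing in the diff records it next to the lines themselves; a short comment beside each `FROM` saying why the image is deliberately tag-pinned would stop the next hardening pass from re-pinning and reintroducing the problem. If digest pinning is revisited later, the message's own recipe is the one to follow: an automated digest bumper (dependabot or digestabot) together with multi-platform manifest list digests checked via `docker buildx imagetools inspect`, not single-platform digests.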
0 commit comments