chore: updated CodeQL and Docker GitHub workflows

Author: ironman0x7b2

.github/workflows/build.yml

@@ -8,16 +8,19 @@ on:
       - master
 
 jobs:
-  run:
+  go:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
 
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: '1.25'
 
       - name: Go Build
         run: go build ./...

.github/workflows/codeql.yml

@@ -7,14 +7,21 @@ on:
 
 jobs:
   analyze:
-    name: Analyze
+    name: Analyze (${{ matrix.language }})
     runs-on: ubuntu-latest
-
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
     strategy:
       fail-fast: false
       matrix:
-        languages:
-          - go
+        include:
+          - language: actions
+            build-mode: none
+          - language: go
+            build-mode: autobuild
 
     steps:
       - name: Checkout repository
@@ -23,13 +30,11 @@ jobs:
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:
-          languages: ${{ matrix.languages }}
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
           queries: security-extended,security-and-quality
 
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
-
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
         with:
-          category: /language:${{ matrix.languages }}
+          category: "/language:${{matrix.language}}"

.github/workflows/docker-publish.yml

@@ -11,21 +11,29 @@ env:
 
 jobs:
   build:
-    name: Build
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
 
-      - name: Setup Docker buildx
+      - name: Install cosign
+        if: github.event_name == 'release'
+        uses: sigstore/[email protected]
+
+      - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
       - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name == 'release'
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
-          username: ${{ github.repository_owner }}
+          username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract Docker metadata
@@ -35,12 +43,20 @@ jobs:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       - name: Build and push Docker image
+        id: build-and-push
         uses: docker/build-push-action@v6
         with:
           context: .
+          push: ${{ github.event_name == 'release' }}
           labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta.outputs.tags }}
           platforms: |
             linux/amd64
             linux/arm64
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
+
+      - name: Sign the published Docker image
+        if: github.event_name == 'release'
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}