feat: add GitHub Actions CI pipeline and ko release workflow (#4, #5)

JAORMX · claude · JAORMX · commit 6c75af21caab · 2026-02-18T18:53:39.000+02:00
Add reusable lint/test/build workflows composed by PR and main triggers,
Trivy security scanning, and a ko+cosign container release on v* tags.
All actions SHA-pinned, propolis sibling checkout for the go.mod replace
directive, and script injection mitigations in run blocks.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,50 @@
+# SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Build artifacts
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build and Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+
+      - name: Checkout propolis (sibling dependency)
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+        with:
+          repository: stacklok/propolis
+          ref: 6a81046b0472c54c877b965c34c97c094f373d74 # v0.1.0
+          path: ../propolis
+
+      - name: Set up Go
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Install Task
+        uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2
+        with:
+          version: '3.x'
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build
+        run: task build
+
+      - name: Test
+        run: task test
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        with:
+          name: waggle
+          path: bin/waggle
+          retention-days: 7
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -0,0 +1,35 @@
+# SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Linting
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+
+      - name: Checkout propolis (sibling dependency)
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+        with:
+          repository: stacklok/propolis
+          ref: 6a81046b0472c54c877b965c34c97c094f373d74 # v0.1.0
+          path: ../propolis
+
+      - name: Set up Go
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Lint
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+        with:
+          args: --timeout=5m
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,95 @@
+# SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions: {}
+
+jobs:
+  release:
+    name: Release Container
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+        with:
+          fetch-depth: 0
+
+      - name: Checkout propolis (sibling dependency)
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+        with:
+          repository: stacklok/propolis
+          ref: 6a81046b0472c54c877b965c34c97c094f373d74 # v0.1.0
+          path: ../propolis
+
+      - name: Set up Go
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Install Task
+        uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2
+        with:
+          version: '3.x'
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Test
+        run: task test
+
+      - name: Setup Ko
+        uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract tag version
+        id: tag
+        run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
+
+      - name: Set repository owner lowercase
+        id: repo_owner
+        env:
+          REPO_OWNER: ${{ github.repository_owner }}
+        run: echo "OWNER=$(echo "$REPO_OWNER" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
+
+      - name: Build and push container
+        env:
+          KO_DOCKER_REPO: ghcr.io/${{ steps.repo_owner.outputs.OWNER }}/waggle
+          VERSION: ${{ steps.tag.outputs.VERSION }}
+          CREATION_TIME: ${{ github.event.head_commit.timestamp }}
+        run: |
+          ko build \
+            --bare \
+            --sbom=spdx \
+            --platform=linux/amd64,linux/arm64 \
+            --tags $VERSION,latest \
+            ./cmd/waggle
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+      - name: Sign Image with Cosign
+        env:
+          KO_DOCKER_REPO: ghcr.io/${{ steps.repo_owner.outputs.OWNER }}/waggle
+          TAG_VERSION: ${{ steps.tag.outputs.VERSION }}
+          GH_REF: ${{ github.ref }}
+        run: |
+          TAG=$(echo "$TAG_VERSION" | sed 's/+/_/g')
+          cosign sign -y "$KO_DOCKER_REPO:$TAG"
+          if [[ "$GH_REF" == refs/tags/* ]]; then
+            cosign sign -y "$KO_DOCKER_REPO:latest"
+          fi
diff --git a/.github/workflows/run-on-main.yml b/.github/workflows/run-on-main.yml
@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# These set of workflows run on every push to the main branch
+name: Main build
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ main ]
+
+jobs:
+  linting:
+    name: Linting
+    uses: ./.github/workflows/lint.yml
+  tests:
+    name: Tests
+    uses: ./.github/workflows/test.yml
+  build:
+    name: Build
+    uses: ./.github/workflows/build.yml
diff --git a/.github/workflows/run-on-pr.yml b/.github/workflows/run-on-pr.yml
@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# These set of workflows run on every pull request
+name: PR Checks
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+  pull_request:
+
+jobs:
+  linting:
+    name: Linting
+    uses: ./.github/workflows/lint.yml
+  tests:
+    name: Tests
+    uses: ./.github/workflows/test.yml
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,55 @@
+# SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Security Scan
+
+on:
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 0 * * 0'  # Run weekly on Sundays at midnight
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  trivy-scan:
+    name: Trivy Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: 'trivy-fs'
+
+      - name: Run Trivy vulnerability scanner in IaC mode
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
+        with:
+          scan-type: 'config'
+          hide-progress: false
+          format: 'sarif'
+          output: 'trivy-config-results.sarif'
+          exit-code: '1'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy IaC scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4
+        if: always()
+        with:
+          sarif_file: 'trivy-config-results.sarif'
+          category: 'trivy-config'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Tests
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+
+      - name: Checkout propolis (sibling dependency)
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+        with:
+          repository: stacklok/propolis
+          ref: 6a81046b0472c54c877b965c34c97c094f373d74 # v0.1.0
+          path: ../propolis
+
+      - name: Set up Go
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Install Task
+        uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2
+        with:
+          version: '3.x'
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Test
+        run: task test
diff --git a/.ko.yaml b/.ko.yaml
@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+builds:
+- id: waggle
+  dir: .
+  main: ./cmd/waggle
+  ldflags:
+  - -X main.version={{.Env.VERSION}}
+  - -X main.commit={{.Env.GITHUB_SHA}}
+  - -X main.buildDate={{.Env.CREATION_TIME}}
+  labels:
+    org.opencontainers.image.created: "{{.Env.CREATION_TIME}}"
+    org.opencontainers.image.description: "Waggle - MCP server for isolated code execution via propolis microVMs"
+    org.opencontainers.image.licenses: "Apache-2.0"
+    org.opencontainers.image.revision: "{{.Env.GITHUB_SHA}}"
+    org.opencontainers.image.source: "{{.Env.GITHUB_SERVER_URL}}/{{.Env.GITHUB_REPOSITORY}}"
+    org.opencontainers.image.title: "waggle"
+    org.opencontainers.image.url: "{{.Env.GITHUB_SERVER_URL}}/{{.Env.GITHUB_REPOSITORY}}"
+    org.opencontainers.image.version: "{{.Env.VERSION}}"
diff --git a/renovate.json b/renovate.json
@@ -1,6 +1,7 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:recommended"
+    "config:recommended",
+    "helpers:pinGitHubActionDigests"
   ]
 }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"$schema": "https://docs.renovatebot.com/renovate-schema.json",`
`3`	`3`	`"extends": [`
`4`		`- "config:recommended"`
	`4`	`+ "config:recommended",`
	`5`	`+ "helpers:pinGitHubActionDigests"`
`5`	`6`	`]`
`6`	`7`	`}`