- Move packages:write permission to job level (zizmor: overly broad permissions)
- Use env variable for digest instead of template expansion (zizmor: code injection)
- Add shellcheck disable for intentional word splitting in imagetools create
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Split the single-job multi-platform Docker build into per-architecture
parallel jobs using native runners, then merge manifests in a separate job.
- linux/amd64: ubuntu-latest (native x86_64)
- linux/arm64: ubuntu-24.04-arm (native ARM64, no QEMU)
- linux/arm/v7: ubuntu-24.04-arm (QEMU only for armv7, much lighter than x86→armv7)
This eliminates QEMU emulation for arm64 builds, which is the slowest
platform due to full instruction-set translation overhead.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Fix all findings from actionlint and zizmor security linters:
- Add persist-credentials: false to all checkout steps across 14 workflows
- Fix template injection in repomix action by using env vars instead of ${{ inputs.* }}
- Pin Homebrew actions to SHA (50b8c2ab) instead of @main tag
- Add zizmor config to ignore artipacked for schema-update.yml (needs credentials for push)
- Add zizmor linter job and config path to ci.yml
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

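The hardening patterns named in the two linter-fix commits above (job-level `packages: write`, an env variable instead of `${{ ... }}` expansion inside `run`, `persist-credentials: false`, SHA-pinned actions with a version comment, and the intentional word split in `imagetools create`) shown together in one illustrative workflow. This is an added example, not a file from the repository; the image name, the `digest` and `tags` inputs, and the `<commit-sha>` placeholder are assumptions.

```yaml
name: publish-image
on:
  workflow_dispatch:
    inputs:
      digest:   # assumed input: image digest to tag (sha256:...)
        required: true
        type: string
      tags:     # assumed input: space-separated list of -t flags
        required: true
        type: string

# Weak: a workflow-level block grants write scope to every job.
# permissions:
#   packages: write

jobs:
  push:
    runs-on: ubuntu-latest
    # Corrected: only this job gets the write scope it needs.
    permissions:
      contents: read
      packages: write
    steps:
      # Pinned to a commit SHA with the tag kept as a comment (pinact style).
      - uses: actions/checkout@<commit-sha>   # vX.Y.Z  (placeholder: use the real SHA)
        with:
          persist-credentials: false   # token is not written into .git/config

      # Weak: ${{ inputs.digest }} is substituted into the script text before the
      # shell runs it, so shell metacharacters in the input become script.
      # - run: docker buildx imagetools create ${{ inputs.tags }} ghcr.io/example/app@${{ inputs.digest }}

      # Corrected: values reach the script only as environment variables; the shell
      # treats them as data, and expansion is quoted except where splitting is wanted.
      - name: Create multi-arch manifest
        env:
          DIGEST: ${{ inputs.digest }}
          TAGS: ${{ inputs.tags }}
        run: |
          # shellcheck disable=SC2086   # $TAGS must split into several -t arguments
          docker buildx imagetools create $TAGS "ghcr.io/example/app@${DIGEST}"
```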
This replaces the ratchet tool with pinact for managing GitHub Actions SHA pinning across all workflow files. The changes include:
- Remove ratchet-update.yml and ratchet-verify.yml workflows
- Add new pinact.yml workflow for automated SHA pinning
- Update all workflow files to use pinact-style comments (# v1.2.3 instead of # ratchet:action@v1)
- Add .pinact.yaml configuration file with ignore rules for Homebrew actions and local actions
- Update package.json scripts to use pinact commands instead of ratchet
Pinact provides more reliable SHA pinning with better GitHub Actions integration.

- Update all workflow files with latest action SHAs using ratchet
- Ensure security through SHA pinning while using current versions
- Automated update as part of ratchet workflow implementation

User asked about Docker release types - 'edited' is not needed:
- Docker images should only be built when releases are published
- Release note edits don't require image rebuilds
- Simplifies workflow triggers and reduces unnecessary CI runs
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>