From 15f6ddd23e14f0d293a86e60718e31f60a1f0398 Mon Sep 17 00:00:00 2001
From: Dan Guido
Date: Sat, 6 Sep 2025 11:32:59 -0400
Subject: [PATCH] Update GitHub Actions workflow with security improvements and linting
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add checkout step with persist-credentials: false for security
Prevents credentials from persisting in the workspace (zizmor recommendation)
- Add hadolint Dockerfile linting step
Runs before building to catch Dockerfile issues early
Ignores intentional version pinning warnings (DL3007, DL3008, DL3013, DL3016)
- Update actions/checkout to v5 (latest major version)
v5 uses Node 24 runtime for better performance
All actions use major version tags for automatic security updates while avoiding breaking changes.
🤖 Generated with Claude Code https://claude.ai/code
Co-Authored-By: Claude
---
 .github/workflows/docker.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index b3f1e53..942960a 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -22,6 +22,18 @@ jobs:
 contents: read
 packages: write
 steps:
+ - name: Checkout code
+ uses: actions/checkout@v5
+ with:
+ persist-credentials: false
+
+ - name: Lint Dockerfile
+ uses: hadolint/hadolint-action@v3
+ with:
+ dockerfile: Dockerfile
+ ignore: DL3007,DL3008,DL3013,DL3016
+ failure-threshold: warning
+
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
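Review bot: The two new `uses:` references on the added lines resolve mutable major-version tags (`actions/checkout@v5`, `hadolint/hadolint-action@v3`), so whatever the tag points at on the day the job runs is what executes; zizmor, the tool the commit message credits for the persist-credentials change, reports this under its unpinned-uses check. Pin each to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v5`, and let Dependabot's github-actions ecosystem move the SHA forward, which preserves the "automatic updates" intent the description gives without trusting a movable tag. Separately, `ignore: DL3007` silences the rule that reports a `:latest` base image, so the "intentional" rationale lives only in the commit message; a one-line comment on the `ignore:` line, such as `# DL3007/DL3008/DL3013/DL3016: version pinning is handled deliberately in the Dockerfile`, keeps that decision next to the code. The `steps:` list this hunk edits continues past the hunk, and its trailing context line is not visible here.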