chore(ci): fix reference
Bumps the utilities group with 1 update: [actions/github-script](https://github.com/actions/github-script).

Updates `actions/github-script` from 7 to 8
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](actions/github-script@v7...v8)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: utilities
...

Signed-off-by: dependabot[bot] <support@github.com>
fix(ci): removing secret values
feat(build): add typescript docker build workflow and composite
fix(build): use per-app build context with fallback to global input
Replace ubuntu-latest with blacksmith-4vcpu-ubuntu-2404 across remaining workflows and add runner requirement to command rules.
…h-runner chore(ci): standardize runner to blacksmith-4vcpu-ubuntu-2404
Add reusable workflow for Go fuzz testing with configurable command, Go version, artifact upload on failure, and dry_run support.
feat(ci): add go-fuzz reusable workflow
… Slack composites
- Prefer github.event.release.tag_name with fallback to gh release list
- Map secrets to job-level env vars (secrets context unavailable in step if:)
- Detect beta via release-tag input instead of github.ref
- Complete dry-run summary with all resolved inputs
…kflow

Composite actions referenced via `uses: ./path` in reusable workflows resolve to the caller's workspace, not the called repo. Changed to external refs (@develop) matching the typescript-build.yml pattern. Also corrected the local path rule in AGENTS.md and .cursor/rules/reusable-workflows.mdc to document the correct behavior.
…orkflow feat(ci): add release-notification reusable workflow
…evelop/github-security-1893dd32ff chore(deps): bump github/codeql-action from 3 to 4 in the github-security group
…evelop/docker-1590fac0fc chore(deps): bump the docker group with 5 updates
Bumps the actions-core group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `4` | `6` |
| [actions/setup-node](https://github.com/actions/setup-node) | `4` | `6` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4` | `7` |
| [actions/download-artifact](https://github.com/actions/download-artifact) | `4` | `8` |
| [actions/setup-go](https://github.com/actions/setup-go) | `5` | `6` |

Updates `actions/checkout` from 4 to 6
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v6)

Updates `actions/setup-node` from 4 to 6
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@v4...v6)

Updates `actions/upload-artifact` from 4 to 7
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4...v7)

Updates `actions/download-artifact` from 4 to 8
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v4...v8)

Updates `actions/setup-go` from 5 to 6
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-core
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-core
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-core
- dependency-name: actions/download-artifact
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-core
- dependency-name: actions/setup-go
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-core
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ons (#135)

* fix(ci): use path segment boundary matching to prevent prefix collisions
* fix(ci): strip trailing slash from filter paths before matching
* fix(ci): strip all trailing slashes from filter paths
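The segment-boundary matching and trailing-slash stripping described in the commit above, as an added example that is not the repository's changed-paths composite; the filter and changed-file paths are constructed for illustration:

```shell
#!/bin/sh
# Added example, not the repository's changed-paths composite: shows why a
# plain prefix test lets "apps/api" match "apps/api-gateway/main.go", and
# the segment-boundary match plus trailing-slash stripping that fixes it.

# Strip every trailing slash from a filter path ("apps/api//" -> "apps/api").
# ${f%/} removes one slash, so loop until nothing changes.
normalize_filter() {
  f=$1
  while [ "${f%/}" != "$f" ]; do
    f=${f%/}
  done
  printf '%s\n' "$f"
}

# Collision-prone prefix match that the fix replaced: only the leading
# characters are compared, so a sibling app with a longer name matches too.
path_matches_prefix() {
  case "$2" in
    "$1"*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Segment-boundary match: the changed file ($2) is the filter ($1) itself
# or lies below it with a "/" separator. Quoted variables in a case
# pattern are literal, so a filter containing "*" or "?" cannot glob.
path_matches_filter() {
  filter=$(normalize_filter "$1")
  case "$2" in
    "$filter"|"$filter"/*) return 0 ;;
    *)                     return 1 ;;
  esac
}

# Given newline-separated filters ($1) and changed files ($2), print each
# filter (normalized) that has at least one matching changed file. This is
# the set a matrix of per-app build jobs would be generated from.
matched_filters() {
  printf '%s\n' "$1" | while IFS= read -r filter; do
    [ -n "$filter" ] || continue
    printf '%s\n' "$2" | while IFS= read -r file; do
      [ -n "$file" ] || continue
      if path_matches_filter "$filter" "$file"; then
        normalize_filter "$filter"
        break
      fi
    done
  done
}

# Constructed sample: two filters, one with a trailing slash, and a change
# set where the only file near "apps/api" is the colliding sibling app.
SAMPLE_FILTERS='apps/api/
apps/web'
SAMPLE_FILES='apps/api-gateway/main.go
apps/web/index.ts
README.md'

# Prints only "apps/web"; a prefix match would also have listed apps/api.
matched_filters "$SAMPLE_FILTERS" "$SAMPLE_FILES"
```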
…site (#137)

* refactor(ci): migrate basic workflows to internal changed-paths composite

  Replace external github-actions-changed-paths@main with the internal composite action (src/config/changed-paths) in gptchangelog, pr-security-scan, and typescript-release workflows.

* refactor(ci): migrate build workflows and support newline filter_paths

  Migrate build and typescript-build to the internal changed-paths composite. Update composite to accept both JSON array and newline-separated formats for filter_paths input, ensuring backward compatibility with all callers.

* fix(changed-paths): fail on malformed JSON filter_paths instead of silent fallback

  Detect if filter_paths starts with '[' and validate strictly with jq -er. Malformed JSON now fails with a clear error instead of silently producing an empty matrix. Also fix stale comment in build.yml.
* feat(ci): add force_multiplatform input to build workflow
* fix: gate QEMU setup on arm64 platform presence instead of is_release
…atibility (#138)

- actions/checkout v4 → v6 (labels-sync composite)
- docker/setup-qemu-action v3 → v4
- docker/setup-buildx-action v3 → v4
- docker/login-action v3 → v4
- docker/metadata-action v5 → v6
- docker/build-push-action v6 → v7
- gaurav-nelson/github-action-markdown-link-check → tcort/markdown-link-check-action (deprecated)
…alysis (#139)

* feat(ci): add integration tests and test determinism jobs to go-pr-analysis

  Add optional jobs for integration testing and test determinism verification, enabling callers to consolidate CI workflows. New inputs:
  - enable_integration_tests (boolean, default false)
  - integration_test_command (string, default 'make test-integration')
  - enable_test_determinism (boolean, default false)
  - test_determinism_runs (number, default 3)

* fix(ci): align test-determinism with tests job package exclusions

  Detect Makefile test target and exclude /tests/ and /api/ packages to match the same suite executed by the tests job.

* fix(deps): correct tcort markdown-link-check action name
* Revert "fix(deps): correct tcort markdown-link-check action name"

  This reverts commit 6d22810.

* fix(ci): always use go test with shuffle flags for determinism job

  Remove Makefile detection from test-determinism job. The tests job already validates that tests pass via Makefile; this job must always use go test with -count=1 -shuffle=on to actually verify determinism.

* docs(ci): document integration tests and test determinism inputs
…-security-scan workflow (#142)

* feat(security): add Docker Scout scan composite and integrate into pr-security-scan workflow
* feat(security): add pr-security-reporter composite for PR comment orchestration
…supply chain attestations (#144)

* fix(security): remove code fences from Scout HTML outputs in pr-security-reporter
* fix(ci): point composite refs to fix branch for testing
* fix(security): add divider between Trivy and Docker Scout sections in PR comment
* fix(security): add section headers and divider for Trivy and Docker Scout in PR comment
* fix(security): disable auto PR comment on Scout recommendations to avoid duplicates
* feat(security): add Scout compare with environments and environment recording in build workflow
* feat(security): fallback docker_scout_compare_env to github.base_ref when not provided
* docs(security): fix docker_scout_compare_env input description to reflect fallback behavior
* fix(config): suppress broken pipe error in changed-paths tag comparison
* fix(ci): temporarily point changed-paths ref to fix branch for broken pipe fix
* fix(security): pass organization to all Scout steps and graceful compare fallback

  Pass organization input to quickview, cves, and recommendations steps to fix "no organization configured" warning. Add continue-on-error to compare step so missing environment baselines don't fail the workflow.

* fix(ci): use metadata-action version for Scout environment image tag

  The version step outputs v1.5.0-beta.6 (with v prefix) but docker/metadata-action strips it to 1.5.0-beta.6. Scout environment was using the wrong tag, causing MANIFEST_UNKNOWN on pull.

* feat(security): add app_name_prefix and app_name_overrides inputs to pr-security-scan

  Aligns component names between build and security scan workflows so Docker Scout compare can find the correct image in the environment.

* fix(security): hide Scout recommendations when no actionable findings

  Skip rendering the recommendations section when Scout reports "image version is up to date" and "no tag recommendations", avoiding empty/unhelpful output in PR comments.

* fix(security): show positive message when no Scout recommendations found
* fix(security): show positive message when no CVEs found by Scout
* feat(security): improve Scout PR comment with policy grades and visual cues
  - Rename Quickview to Overview & Policies with derived letter grade (A-F) from policy pass ratio so devs know at a glance if they need to expand
  - Add alert emoji on CVE Details when vulnerabilities are found
  - Add lightbulb emoji on recommendations when actionable suggestions exist
  - Scout CVEs now set hasFindings=true to fail the security gate
* fix(security): replace derived grade with policy pass/fail status

  Custom A-F grade didn't match Docker Hub's actual scoring. Show policy count and PASSED/FAILED status instead.

* fix(security): reorder Scout sections — compare after overview
* fix(security): remove redundant Scout success message
* fix(security): remove redundant final success message from PR comment
* refactor(security): restructure pr-security-reporter into functions

  Extract Trivy FS scan, Docker image scan, and Scout analysis into separate functions for readability. Add shared helpers for severity sorting, markdown escaping, truncation, and details blocks.

* style(security): improve PR comment visual hierarchy
  - Main title promoted to h1 with separator
  - Section headers (Trivy, Docker Scout) as h2
  - Sub-sections (Filesystem Scan, Docker Image Scan, CVE Details, Recommendations) promoted to h3
  - Added dividers between major sections
* Revert "style(security): improve PR comment visual hierarchy"

  This reverts commit b396a66.

* feat(security): add docker_scout_fail_on_policy option to break on policy failures

  New opt-in input (default false) that fails the security gate when Docker Scout policies are not fully met (e.g., non-root user, missing attestations). Callers can enable it when ready to enforce policies.

* feat(security): default docker_scout_fail_on_policy to true

  When Docker Scout is enabled, enforce policy compliance by default. Callers can opt out with docker_scout_fail_on_policy: false.

* fix(security): pass Scout outputs via files instead of env vars

  Env vars truncate multiline HTML content from Docker Scout outputs. Write outputs to files in a .scout-outputs directory and read them in the reporter, fixing empty quickview/cves/recommendations.

* fix(security): propagate reporter outputs via shell step

  core.setOutput in actions/github-script inside composite actions does not propagate to the composite outputs. Use the script return value (result) and parse it in a shell step that writes directly to GITHUB_OUTPUT.

* fix(security): fix double-encoded JSON output and unreachable PR comment code

  The github-script default result-encoding (json) was double-encoding the returned JSON string, causing jq parse failure (exit code 5). Added result-encoding: string to fix. Also moved the return statement after the Post Comment block which was unreachable.

* fix(security): use hyphenated output names from reporter composite

  The composite outputs are defined as has-findings/has-errors (hyphens) but the gate step was referencing has_findings/has_errors (underscores), resulting in empty values and the gate never failing.

* fix(security): default docker_scout_fail_on_policy to false

  Disable policy failure gate by default so Scout findings are informational unless callers explicitly opt in.

* feat(build): enable SBOM and provenance attestations on Docker builds

  Adds sbom: true and provenance: mode=max to docker/build-push-action to satisfy Docker Scout supply chain attestation policies.

* feat(build): auto-enable Docker Scout for repo before environment recording

  Runs docker scout repo enable before recording the image in a Scout environment. The command is idempotent and the || true ensures it doesn't fail the build if the repo is already enabled.

* fix(gitops): fix invalid GITHUB_OUTPUT format when no files updated

  When UPDATED_FILES was empty, grep -c returned 0 with exit code 1, triggering || echo 0 which appended a second 0 to the output line, producing an invalid format for GITHUB_OUTPUT.

* fix(security): add continue-on-error to all Docker Scout steps

  Scout quickview fails with "image has no base image" on locally built images without provenance. All Scout steps should be non-blocking since the reporter handles missing outputs gracefully.

* fix(security): show fallback message when Scout quickview is unavailable

  When the quickview step fails (e.g. base image not detected on local builds), display an informational message instead of silently omitting the Overview & Policies section.

* fix(security): add if: always() to all Docker Scout composite steps

  When quickview fails (e.g. base image not detected), subsequent steps (cves, recommendations, compare) were skipped because composite actions stop on failure by default. Adding if: always() ensures all steps run independently.

* fix(security): only show quickview fallback when compare is also unavailable

  When quickview fails but compare is active, policies are already shown in the compare section. The fallback warning is now only displayed when neither quickview nor compare have data.

* fix(security): use generic fallback message for unavailable policy evaluation
* feat(security): show policy status in compare section header

  When quickview is unavailable and compare is active, parse the compare output for policy status icons and display a summary (e.g. 5/7 policies met) in the collapsible header. Also enforce fail-on-policy from compare data when quickview is missing.

* refactor(security): remove quickview in favor of compare for policy evaluation

  Quickview requires provenance attestations to detect the base image, which is not possible with load: true (local builds). The compare command already provides policy evaluation via the Scout backend.
  - Remove quickview step from docker-scout composite
  - Remove quickview output and file saving
  - Simplify reporter to use compare for policy status
  - Show informational message when no environment is configured

* fix(security): parse policy count from PR column only in compare output

  The compare table has policy status for both environment and PR images. Counting all icons doubled the total. Now parses each row and reads only the PR column (second status) for accurate policy counts.

* revert(build): remove explicit sbom and provenance attestations

  Docker Scout cannot read attestations from image indexes, making explicit sbom: true and provenance: mode=max ineffective. BuildKit default (provenance: mode=min) is kept implicitly.

* feat(build): use Scout SBOM indexer for attestations

  Use docker/scout-sbom-indexer as the SBOM generator instead of the default BuildKit generator. This produces attestations in the format that Docker Scout expects for policy evaluation.

* fix(build): install Scout CLI before repo enable command

  The docker scout CLI plugin is not available on the runner by default. Install it before running docker scout repo enable.

* fix(build): install Scout CLI as Docker plugin instead of standalone binary

  The install script without -b flag installs to ~/.docker/cli-plugins/ by default, which is required for docker scout subcommand to work.

* fix(security): fix policy row parsing in compare output

  The compare table format is |Name|env_status|pr_status|Change|Standing|. The regex was matching from the first column expecting a status icon, but the first column is the policy name. Fixed to match rows with status icons in the second and third columns, and read PR status from column index 3.

* feat(security): show policy summary table outside collapsible

  Extract policy status from compare output and display as a visible table with pass/fail count header. The full compare details remain in a collapsible section below.

* feat(security): render clean policy status text in summary table

  Replace raw markdown icons (:white_check_mark:, :warning:, :question:) with readable text (Passed, Failed, No data) in the policy summary.

* feat(security): add environment tag and PR image columns to policy table

  Show both the remote environment version and the local PR image status side by side in the policy summary table for better comparison.

* fix(security): remove redundant status column from policy table
* fix(security): omit policies that can't be evaluated on local builds

  Skip supply chain attestations, outdated base images, and unapproved base images from the policy summary since they require provenance data not available on locally built images.

* fix(security): always show recommendations section even when empty

  The recommendations step can fail silently (base image not detected), leaving the output empty. Show the positive message as fallback.

* refactor(security): remove recommendations from PR scan

  Recommendations depends on base image detection which fails on locally built images (load: true). Remove the step, input, output, and reporter section to reduce noise. Recommendations will be available via the Scout dashboard for pushed images.

* refactor(security): replace Docker Scout with internal health score checks
* refactor(build): remove Scout environment recording and switch SBOM generator to syft
* feat(security): add high-profile vulnerabilities check via CISA KEV catalog
* fix(build): revert SBOM generator to docker/scout-sbom-indexer
* feat(security): use org token for PR comments and add useful links
* fix(security): keep only scan logs link in PR comment
* chore(security): add emoji to scan link and bump trivy to v0.69.3
* fix(security): exclude USER root/0 from non-root user check and remove dead code
* refactor(security): extract trivy scans and checks into reusable composites
* fix(security): scope Trivy fs scanners explicitly and fix README output reference
* chore: update all composite refs from fix/scout-html-output to develop
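The GITHUB_OUTPUT corruption from the fix(gitops) item in the message above, reproduced as an added example that is not the PR's workflow code; the function names and sample file lists are constructed, and the validator models only the key=value form of the output file:

```shell
#!/bin/sh
# Added example, not the PR's gitops workflow code: reproduces why
# `grep -c ... || echo 0` writes two lines into GITHUB_OUTPUT when the
# list of updated files is empty, and shows the one-line fix.

# Buggy form. `grep -c .` prints "0" AND exits 1 when no line matches, so
# `|| echo 0` fires on top of the "0" grep already wrote: for an empty
# list the command substitution expands to two lines, "0" and "0".
count_updated_files_buggy() {
  printf '%s' "$1" | grep -c . || echo 0
}

# Fixed form. grep's own "0" is already the answer; only the non-zero exit
# status needs neutralising (a run: block under `set -e` would abort on
# it). Output is always exactly one line.
count_updated_files_fixed() {
  printf '%s' "$1" | grep -c . || true
}

# Append a key=value line to a GITHUB_OUTPUT-style file ($3). A value that
# contains a newline silently produces a second, bare line.
write_output() {
  printf '%s=%s\n' "$1" "$2" >> "$3"
}

# Check that every line of the file is key=value. The heredoc form
# (key<<DELIM ... DELIM) the runner also accepts is out of scope here.
# Returns 0 when well-formed, 1 on the first bare line.
validate_output_file() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *=*) ;;
      *) return 1 ;;
    esac
  done < "$1"
  return 0
}

# Run both forms against an empty list and report which output file would
# be accepted. Prints "buggy=invalid fixed=ok".
compare_forms() {
  buggy_file=$(mktemp) && fixed_file=$(mktemp) || return 1
  write_output updated-count "$(count_updated_files_buggy "")" "$buggy_file"
  write_output updated-count "$(count_updated_files_fixed "")" "$fixed_file"
  if validate_output_file "$buggy_file"; then b=ok; else b=invalid; fi
  if validate_output_file "$fixed_file"; then f=ok; else f=invalid; fi
  rm -f "$buggy_file" "$fixed_file"
  printf 'buggy=%s fixed=%s\n' "$b" "$f"
}

compare_forms
```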
chore: backmerge
…rison fix(changed-paths): use channel-aware tag comparison for beta/rc/release
* feat(ci): add YAML and GitHub Actions lint analysis for PRs

  Add self-pr-analysis workflow that runs yamllint and actionlint on pull requests to validate YAML syntax and GitHub Actions workflow correctness.

* fix(ci): scope yamllint and actionlint to changed files only

  Filter both linters to only check files modified in the PR instead of scanning the entire repository. Falls back to full scan on workflow_dispatch.

* fix(ci): register blacksmith runner label for actionlint

  Add actionlint config with blacksmith-4vcpu-ubuntu-2404 as a known self-hosted runner label to avoid false-positive runner-label errors.

* feat(ci): add pinned actions check, markdown link check, typos, and self-pr-validation
  - Pinned Actions Check: fails on uses: @main/@master (skips LerianStudio)
  - Markdown Link Check: validates links in changed .md files
  - Spelling Check: typos-cli across the codebase
  - self-pr-validation: thin entrypoint calling pr-validation.yml with source branch enforcement for PRs to main
  - Add .github/markdown-link-check-config.json
  - Update dependabot groups for new actions
* refactor(ci): merge self-pr-analysis into self-pr-validation

  Consolidate all PR checks into a single self-pr-validation workflow: PR validation, YAML lint, actionlint, pinned actions, markdown link check, and spelling. Remove self-pr-analysis.yml.

* feat(lint): add lint composites and refactor self-pr-validation

  Create 5 composite actions under src/lint/:
  - yamllint: YAML syntax validation
  - actionlint: GitHub Actions workflow validation
  - pinned-actions: ensures uses: refs are pinned
  - markdown-link-check: validates links in .md files
  - typos: spelling check via typos-cli

  Refactor self-pr-validation to use composites directly with a shared changed-files detection job for all lint checks.

* feat(config): extract changed-workflows composite from self-pr-validation

  Create src/config/changed-workflows composite that categorizes changed files by type (YAML, workflows, actions, markdown) for downstream lint jobs. Refactor self-pr-validation to use it.

* fix(ci): add changed-files dependency to typos job
* fix(config): fix find operator precedence and require github-token in changed-workflows
  - Fix find -name operator precedence bug: wrap -name flags in \( \) so both .yml and .yaml files are returned in workflow_dispatch fallback
  - Make github-token required to prevent silent auth failures with gh CLI
  - Fix yamllint glob pattern to recursively match .yml files
* feat(lint): add step summaries to all lint and detection composites

  Each composite now writes a GitHub Step Summary before running, listing the files it will process (or scope for typos). Feedback is self-contained in each composite, not in the workflow.

* refactor(lint): replace step summaries with log output in lint composites
* refactor(lint): add file count and list to log step in lint composites
* refactor(lint): use group annotations and sed for file log in lint composites
* fix(changed-workflows): replace while loop with sed to fix step summary list rendering
* fix(lint): action-files csv, actionlint covers src/ composites, log changed-files to stdout
* feat(notify): add pr-lint-reporter composite and lint-report job to post PR comments
* refactor(notify): replace files collapse with failures collapse in pr-lint-reporter
* feat(lint): scope spelling check to changed files only, add all-files detection
* feat(notify): fetch job annotations to show per-file errors in failures collapse
* fix(lint): use env vars for input interpolation in run blocks, fix grep -Fq, gate typos on changed files
* fix(lint): scope actionlint to workflow files only to avoid composite false positives
* fix(notify): filter only failure-level annotations in lint reporter to exclude warnings
* chore(deps): upgrade actions/checkout to v6 in self-pr-validation
* feat(lint): enforce full semver pinning in pinned-actions check
* feat(lint): warn on internal unpinned actions instead of failing in pinned-actions check
* feat(lint): restrict external actions to final releases only, allow pre-releases for internal
* feat(lint): warn on internal pre-release tags (beta/rc) instead of allowing silently
* fix(lint): anchor uses: grep to start of line to avoid false matches in shell scripts
* fix(lint): align pinned-actions description and error message with actual validation rules
  - gate lint-report on changed-files success to avoid misleading skipped summaries
  - paginate annotation fetches in pr-lint-reporter (per_page 100)
  - fix pinned-actions description and error message to reflect final-release-only rule for externals
* chore(lint): clean up markdown-link-check and yamllint configs
* ci(self): remove edited trigger to prevent reruns on CodeRabbit updates
* fix(lint): tighten markdown config, fix pinned-actions grep pattern, scope workflow permissions
* fix(lint): add pull-requests read to changed-files job, strip inline comments in pinned-actions
* feat(lint): add shellcheck and readme-check composites to PR lint pipeline
* fix(lint): quote shellcheck description, add pr-lint-reporter README
* fix(lint): quote step name containing run: in shellcheck composite
* fix(lint): remove GHA expression syntax from Python comment in shellcheck
* fix(lint): use shell variable placeholder for GHA expressions, exclude SC2154
* fix(lint): respect shell type and count all severity findings in shellcheck
* fix(lint): fix GHA regex for nested braces, correct shellcheck line offset
* feat(lint): add composite-schema lint to validate input conventions
* fix(lint): scope composite-schema to src/ action files only via dedicated output
* feat(lint): extend composite-schema with name, description, steps, kebab-case and reserved prefix checks
* feat(lint): validate composite directory depth matches src/<capability>/<name>/action.yml
* fix(lint): apply directory depth check only after confirming composite action
* fix(lint): gate validation job to PR events, harden composite-schema inputs, escape JS file paths with toJSON
* fix(lint): add actions:read permission, harden composite-schema type guards, fix README example
* fix(lint): fix inputs normalization false-negative and double-count, align README example guard
* fix(lint): treat YAML parse errors as violations, enforce action.yml filename in path check
… root-level file changes (#155)

* feat(changed-paths): add shared_paths input to trigger full matrix on root-level file changes
* fix(changed-paths): rename inputs to kebab-case to pass composite-schema lint
* fix(workflows): remove trailing spaces and quote GITHUB_OUTPUT redirects (SC2086)
* fix(workflows): quote GITHUB_OUTPUT redirects and suppress inapplicable shellcheck rules
* fix(workflows): quote GITHUB_OUTPUT, fix SC2188/SC2034/SC2193/SC2001 in remaining workflows
* docs(changed-paths): update README input names to kebab-case and add migration table
* fix(changed-paths): add jq error handling for malformed filter-paths JSON in shared path branch
* fix(gptchangelog): replace useless cat with input redirection (SC2002)
* fix(gptchangelog): rename unused APP_NAME/VERSION to _ in changelog PR while loop
* fix(changed-paths): align error message and README section to kebab-case naming
* docs(changed-paths): update remaining snake_case section headers and prose to kebab-case
* docs(changed-paths): move path-level disabled annotation from default cell to description
* feat(workflows): propagate shared_paths input to all reusable workflows using changed-paths
* fix(workflows): point changed-paths to feat branch for self-consistent testing
* fix(workflows): revert changed-paths ref back to develop pre-merge
Caution: Review failed. Pull request was closed or merged during review.

Walkthrough

This PR introduces comprehensive GitHub Actions infrastructure refactoring and hardening: new composites for linting/security scanning, updated workflow conventions enforcing blacksmith runner usage and three-layer configurability, removal of the legacy changed-paths workflow in favor of a shared composite, new release notification workflows, and extended documentation covering reserved names, step-section formatting, and conditional-feature exposure patterns.

Estimated code review effort: 🎯 5 (Critical) | ⏱️ ~120 minutes
This PR is very large (80 files, 7140 lines changed). Consider breaking it into smaller PRs for easier review. |
🔍 Lint Analysis

❌ Failures (6)
- YAML Lint
- Action Lint
- Pinned Actions
- Markdown Link Check: No annotation details available — view full logs.
- Spelling Check
- Shell Check
GitHub Actions Shared Workflows
Description
Type of Change

- feat: New workflow or new input/output/step in an existing workflow
- fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
- perf: Performance improvement (e.g. caching, parallelism, reduced steps)
- refactor: Internal restructuring with no behavior change
- docs: Documentation only (README, docs/, inline comments)
- ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
- chore: Dependency bumps, config updates, maintenance
- test: Adding or updating tests
- BREAKING CHANGE: Callers must update their configuration after this PR

Breaking Changes

None.
Testing
@develop or the beta tag

Caller repo / workflow run:
Related Issues
Closes #
Summary by CodeRabbit
New Features

Documentation

Configuration
- blacksmith-4vcpu-ubuntu-2404 across workflows.

Chores