d36121e673
frontend-ci / secrets-scan (push) Successful in 6s
frontend-ci / fs-scan (push) Successful in 11s
frontend-ci / typecheck (push) Successful in 13s
frontend-ci / lint (push) Successful in 16s
frontend-ci / sast (push) Successful in 18s
frontend-ci / build (push) Successful in 38s
frontend-ci / push (push) Has been skipped
Mirrors the backend push-job rewrite:
- Replace docker/login-action@v3 (fast 1s failure on the Gitea
  runner) with plain `docker login --password-stdin`.
- Read VERSION from package.json (jq), SHA_SHORT from git, publish
  :VERSION, :SHA_SHORT, :latest. Drop floating :1.2, :1 tags.
- Pre-check Harbor for an existing :VERSION artifact and fail early
  with a "bump package.json" message instead of overwriting silently.
- Sign each pushed image with cosign. Signature is on the digest
  (resolved via :SHA_SHORT), so it covers all tags pointing at it.
- After a successful image push, create and push a `v${VERSION}` git
  tag back to origin using the auto-injected token. Tag-push failure
  is a warning, not an error.
- Drop `tags: ["v*"]` from the workflow trigger — CI now creates the
  tag itself, so re-triggering on tag push would loop.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
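
A sketch of the pre-check, push and sign-by-digest sequence the commit message describes, added here as an example and not taken from this repository's workflow. The variable names (`REGISTRY`, `REPO`, `HARBOR_USER`, `HARBOR_PASS`, `COSIGN_KEY`), the local `:build` tag and the use of the registry's standard `/v2/.../manifests/` endpoint for the pre-check are assumptions.

```shell
#!/bin/sh
# Added example: REGISTRY, REPO, HARBOR_USER, HARBOR_PASS, COSIGN_KEY and the
# local ":build" tag are assumed names, not taken from the workflow.

# Map the HTTP status of a HEAD on /v2/<repo>/manifests/<version> to a decision.
# Only a clean 404 allows publishing; auth or network errors fail closed.
precheck_decision() {
  case "$1" in
    404) echo publish ;;
    200) echo exists ;;
    *)   echo error ;;
  esac
}

# Accept only "<expected repo>@sha256:<64 lowercase hex>" as a signing target.
digest_ref() {
  case "$1" in "$2"@sha256:*) ;; *) return 1 ;; esac
  hex=${1##*@sha256:}
  [ "${#hex}" -eq 64 ] || return 1
  case "$hex" in *[!0-9a-f]*) return 1 ;; esac
  printf '%s\n' "$1"
}

publish() {
  version=$(jq -r .version package.json) || return 1
  sha_short=$(git rev-parse --short HEAD) || return 1
  image="$REGISTRY/$REPO"
  printf '%s' "$HARBOR_PASS" | docker login -u "$HARBOR_USER" --password-stdin "$REGISTRY" || return 1

  # Credentials go to curl on stdin (-K -) so they never appear in argv.
  status=$(printf 'user = "%s:%s"\n' "$HARBOR_USER" "$HARBOR_PASS" |
    curl -K - -s -o /dev/null -w '%{http_code}' -I \
      -H 'Accept: application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.v2+json' \
      "https://$REGISTRY/v2/$REPO/manifests/$version")
  case "$(precheck_decision "$status")" in
    exists) echo "$image:$version already exists, bump package.json" >&2; return 1 ;;
    error)  echo "pre-check returned HTTP $status, not publishing" >&2; return 1 ;;
  esac

  for tag in "$version" "$sha_short" latest; do
    docker tag "$image:build" "$image:$tag" && docker push "$image:$tag" || return 1
  done

  # Resolve the pushed digest via :SHA_SHORT and sign that, never a mutable tag.
  pushed=$(docker inspect --format '{{index .RepoDigests 0}}' "$image:$sha_short") || return 1
  ref=$(digest_ref "$pushed" "$image") || return 1
  cosign sign --yes --key "$COSIGN_KEY" "$ref"
}
```

Because the signature is attached to the digest, verification should also be done against `repo@sha256:...` rather than against `:latest`, which can move after signing.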