mirror of
https://github.com/sethforprivacy/p2pool-docker.git
synced 2026-06-24 04:34:36 -04:00
Reliability (catch a bad image revision before prod):
- Smoke-test the exact pushed digest in update-image-on-push.yml BEFORE the merge job tags it 'latest' (previously the prod artifact was never run).
- Assert the p2pool banner reports the pinned P2POOL_BRANCH tag, and verify the container starts and stays up, instead of just sleeping 30s.

Hardening:
- Least-privilege 'permissions:' blocks (default contents: read; packages: write only on push/merge jobs; repo default token is currently write-all).
- Concurrency groups (cancel superseded PR builds; serialize prod pushes).
- persist-credentials: false on checkout; timeout-minutes on jobs.

Build cache:
- cache-to registry buildcache (mode=max, per-arch); read buildcache + latest.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
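The settings named in the commit message above, put together as an added sketch; this is not the repository's own workflow. The image name OWNER/IMAGE, the tag vX.Y, the :candidate tag, the job names, the P2POOL_BRANCH build argument and the assumption that the image is public, that its default command keeps p2pool running, and that its startup banner contains the tag string are all placeholders or assumptions. It is narrowed to one architecture and omits the merge job, which would declare needs: smoke-test before tagging 'latest'.

```yaml
# Added illustration, not the project's workflow. OWNER/IMAGE and vX.Y are placeholders.
on:
  push: {branches: [main]}
permissions: {contents: read}   # workflow default; jobs opt in to anything more
concurrency: {group: prod-push, cancel-in-progress: false}   # serialize prod pushes
env:
  IMAGE: ghcr.io/OWNER/IMAGE
  P2POOL_BRANCH: vX.Y
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    permissions: {contents: read, packages: write}   # write only where we push
    outputs:
      digest: ${{ steps.push.outputs.digest }}
    steps:
      - uses: actions/checkout@v4
        with: {persist-credentials: false}   # keep the token out of .git/config
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:candidate   # not 'latest' until the smoke test passes
          build-args: P2POOL_BRANCH=${{ env.P2POOL_BRANCH }}   # assumed build arg
          cache-from: type=registry,ref=${{ env.IMAGE }}:buildcache
          cache-to: type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max
  smoke-test:
    needs: build
    runs-on: ubuntu-latest
    timeout-minutes: 10
    env:
      DIGEST: ${{ needs.build.outputs.digest }}   # passed via env, not inlined in the script
    steps:
      - run: |
          # Run the exact pushed artifact by digest (assumes a public image).
          cid=$(docker run -d "$IMAGE@$DIGEST")
          sleep 30
          # The container must still be running, not merely have started.
          [ "$(docker inspect -f '{{.State.Running}}' "$cid")" = "true" ]
          # The banner must report the pinned tag (banner format assumed).
          docker logs "$cid" 2>&1 | grep -F -- "$P2POOL_BRANCH"
```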
5.9 KiB