Gaq2

[Sir-Ripley]

The difference in workloads, added go functionality among other coding works

Summary by Sourcery

Add CI workflows for SLSA provenance generation and Jekyll site builds.

CI:

• Introduce a workflow to build artifacts and generate SLSA level 3 provenance using the OpenSSF SLSA GitHub generator.
• Add a Jekyll Docker-based CI workflow to build the static site on pushes and pull requests to the main branch.

[sourcery-ai]

Reviewer's Guide

Adds two new GitHub Actions workflows: one to generate and publish SLSA level 3 provenance for built artifacts on releases, and another to build a Jekyll site using a Docker-based builder on pushes and pull requests to main.

Sequence diagram for SLSA provenance generation workflow

sequenceDiagram
  actor Developer
  participant GitHub_Repo
  participant GitHub_Actions
  participant Job_build
  participant Job_provenance
  participant SLSA_Generator_Workflow

  Developer->>GitHub_Repo: Create release
  GitHub_Repo-->>GitHub_Actions: release event type created
  GitHub_Actions->>Job_build: Start job build

  Job_build->>Job_build: actions_checkout_v4
  Job_build->>Job_build: Build artifacts artifact1 and artifact2
  Job_build->>Job_build: Generate sha256 hashes
  Job_build->>GitHub_Actions: Output digests as base64-subjects

  GitHub_Actions->>Job_provenance: Start job provenance with needs.build.outputs.digests
  Job_provenance->>SLSA_Generator_Workflow: Reusable workflow call generator_generic_slsa3.yml

  SLSA_Generator_Workflow->>SLSA_Generator_Workflow: Verify workflow path and sign provenance
  SLSA_Generator_Workflow->>GitHub_Repo: Upload provenance as release asset
  GitHub_Repo-->>Developer: Release with attached SLSA level 3 provenance

Loading

Flow diagram for Jekyll Docker-based site build workflow

flowchart TD
  A["Push or pull_request to main"] --> B["Trigger workflow jekyll-docker"]
  B --> C["Job build on ubuntu-latest"]
  C --> D["Step actions/checkout@v4"]
  D --> E["Step docker run jekyll/builder:latest"]
  E --> F["Mount repo to /srv/jekyll and _site to /srv/jekyll/_site"]
  F --> G["chmod -R 777 /srv/jekyll"]
  G --> H["jekyll build --future"]
  H --> I["Static site generated into _site directory"]

Loading

File-Level Changes

Change	Details	Files
Introduce SLSA v3 provenance generation workflow for release artifacts.	Add a workflow triggered on release creation and manual dispatch to build example artifacts. Compute sha256 checksums for built artifacts and export them as base64-encoded subjects for provenance. Invoke the slsa-framework reusable workflow to generate signed provenance and optionally upload it as release assets with appropriate permissions.	.github/workflows/generator-generic-ossf-slsa3-publish.yml
Add Jekyll CI workflow using Docker-based builder.	Add workflow triggered on pushes and pull requests to the main branch. Check out repository code and run Jekyll build inside the official jekyll/builder Docker image. Mount workspace and _site directories into the container, adjust permissions, and build with the --future flag.	.github/workflows/jekyll-docker.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[gemini-code-assist]

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

[sourcery-ai]

Hey there - I've reviewed your changes and found some issues that need to be addressed.

• In the SLSA workflow, the build job output is named digests but the Generate subject for provenance step writes hashes=... to GITHUB_OUTPUT; rename the output key or the echo’d name so steps.hash.outputs.digests (and needs.build.outputs.digests) actually exist.
• Consider pinning external dependencies to specific versions or digests (e.g., jekyll/builder:latest and slsa-framework/slsa-github-generator@v1.4.0) to avoid unexpected changes from moving tags and improve supply-chain stability.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In the SLSA workflow, the `build` job output is named `digests` but the `Generate subject for provenance` step writes `hashes=...` to `GITHUB_OUTPUT`; rename the output key or the echo’d name so `steps.hash.outputs.digests` (and `needs.build.outputs.digests`) actually exist.
- Consider pinning external dependencies to specific versions or digests (e.g., `jekyll/builder:latest` and `slsa-framework/slsa-github-generator@v1.4.0`) to avoid unexpected changes from moving tags and improve supply-chain stability.

## Individual Comments

### Comment 1
<location> `.github/workflows/generator-generic-ossf-slsa3-publish.yml:23-32` </location>
<code_context>
+      digests: ${{ steps.hash.outputs.digests }}
</code_context>

<issue_to_address>
**issue (bug_risk):** The job output name (`digests`) does not match the step output name (`hashes`), so `needs.build.outputs.digests` will be empty.

The `build` job exposes `digests: ${{ steps.hash.outputs.digests }}`, but the `hash` step writes `hashes=...` to `GITHUB_OUTPUT`, so `steps.hash.outputs.digests` is never set and `provenance` gets an empty `base64-subjects`. Please either:

- Change the step to output `digests` (e.g. `echo "digests=$(...)" >> "$GITHUB_OUTPUT"`), or
- Change the job output and `provenance` input to use `hashes` instead.

The names need to match for the provenance workflow to receive the subject list.
</issue_to_address>

### Comment 2
<location> `.github/workflows/jekyll-docker.yml:20` </location>
<code_context>
+      run: |
+        docker run \
+        -v ${{ github.workspace }}:/srv/jekyll -v ${{ github.workspace }}/_site:/srv/jekyll/_site \
+        jekyll/builder:latest /bin/bash -c "chmod -R 777 /srv/jekyll && jekyll build --future"
</code_context>

<issue_to_address>
**🚨 suggestion (security):** Using `chmod -R 777` inside the container is overly permissive and may mask permission issues.

Within the container, this also lets any process modify the build inputs/outputs under `/srv/jekyll`, which is broader than necessary.

Consider instead:
- Matching ownership/permissions to the Jekyll user/group (e.g. `chown -R jekyll:jekyll /srv/jekyll` plus a more restrictive `chmod` like 755), or
- Configuring `docker run` (e.g. `--user` or mount options) so a blanket recursive `777` isn’t needed.

This keeps the CI environment closer to production and makes permission issues more visible rather than papered over by `777`.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

Use whatever format you need to, or give me suggestions on how to fix this

[sourcery-ai]

🚨 suggestion (security): Using chmod -R 777 inside the container is overly permissive and may mask permission issues.

Within the container, this also lets any process modify the build inputs/outputs under /srv/jekyll, which is broader than necessary.

Consider instead:

• Matching ownership/permissions to the Jekyll user/group (e.g. chown -R jekyll:jekyll /srv/jekyll plus a more restrictive chmod like 755), or
• Configuring docker run (e.g. --user or mount options) so a blanket recursive 777 isn’t needed.

This keeps the CI environment closer to production and makes permission issues more visible rather than papered over by 777.

[Sir-Ripley]

Can you either correct this and do this for me, or give me a step-by-step on how to

[Sir-Ripley]

Can you either correct this and do this for me, or give me a step-by-step on how to?

[sourcery-ai]

You’re right to ask for something concrete here.

I can’t directly edit the PR for you, but here’s a step‑by‑step with an updated workflow snippet you can paste in.

1. Use the Jekyll image’s default user instead of chmod 777

The jekyll/builder image already has a jekyll user configured for running the build. The main issue is that when you mount your repo from the GitHub runner into the container, the files are owned by a different UID, so the jekyll user may not have write permissions.

A cleaner pattern is:

• Run the container as the same UID/GID as the GitHub runner user, or
• Ensure the Jekyll user has ownership of the mounted dir (using chown), but with sane permissions instead of 777.

Given GitHub Actions runs as uid=1001 on ubuntu-latest, we can run the container as that user and avoid chmod -R 777 entirely.

2. Updated workflow snippet

Replace your current run step with something like this:

    - name: Build the site in the jekyll/builder container
      run: |
        # Detect the current user and group IDs (GitHub runner user)
        UID=$(id -u)
        GID=$(id -g)

        docker run \
          --user "$UID:$GID" \
          -v "${{ github.workspace }}:/srv/jekyll" \
          -v "${{ github.workspace }}/_site:/srv/jekyll/_site" \
          jekyll/builder:latest \
          jekyll build --future

Key changes:

• --user "$UID:$GID" makes the container process run as the same user as the GitHub runner, so it already has appropriate permissions on the mounted files.
• Removed the chmod -R 777 entirely.
• Dropped the /bin/bash -c wrapper since we’re just running a single command.

3. If you prefer to keep using the jekyll user

If you’d rather rely on the jekyll user inside the image, you can instead adjust ownership once, but with more restrictive permissions:

    - name: Build the site in the jekyll/builder container
      run: |
        docker run \
          -v "${{ github.workspace }}:/srv/jekyll" \
          -v "${{ github.workspace }}/_site:/srv/jekyll/_site" \
          jekyll/builder:latest \
          /bin/bash -c "\
            chown -R jekyll:jekyll /srv/jekyll && \
            chmod -R u+rwX,go+rX /srv/jekyll && \
            jekyll build --future \
          "

Here:

• chown -R jekyll:jekyll /srv/jekyll gives the jekyll user ownership of the source and _site directories.
• chmod -R u+rwX,go+rX means:
  • User: read, write, execute where appropriate.
  • Group/others: read and execute only (no write).

4. What you need to do

1. Pick one of the two snippets above (I recommend the first one with --user "$UID:$GID").
2. Replace the existing run: block in .github/workflows/jekyll-docker.yml with that snippet.
3. Push the change to your branch – GitHub Actions will automatically rerun the workflow on the PR.

If you paste your updated YAML here, I can sanity‑check it before you push, or we can tweak for any errors the workflow logs show.

[sourcery-ai]

You’re right to ask for something concrete here.

You have two options:

1. A minimal change that just avoids 777 but keeps the pattern you’re using now.
2. A more robust change that runs the container as your GitHub Actions user so you don’t need to chmod at all.

Below I’ll show you both, with copy‑pasteable YAML.

---

1) Minimal fix: more restrictive permissions

The jekyll/builder image uses a jekyll user internally. A safer pattern than chmod -R 777 is to:

• set ownership to jekyll:jekyll, and
• set permissions to something like u+rwX,go+rX (readable by others, but not world‑writable).

Update your workflow step to this:

- name: Build the site in the jekyll/builder container
  run: |
    docker run \
      -v ${{ github.workspace }}:/srv/jekyll \
      -v ${{ github.workspace }}/_site:/srv/jekyll/_site \
      jekyll/builder:latest /bin/bash -c "\
        chown -R jekyll:jekyll /srv/jekyll && \
        chmod -R u+rwX,go+rX /srv/jekyll && \
        jekyll build --future"

What changed:

• Replaced chmod -R 777 with:
  • chown -R jekyll:jekyll /srv/jekyll (make the jekyll user own the files)
  • chmod -R u+rwX,go+rX /srv/jekyll (read/execute for everyone, write only for owner)

This keeps things permissive enough for the container to work but avoids world‑writable permissions.

---

2) Better approach: match the host user (no chmod at all)

Another option is to run the container as the same user ID that GitHub Actions uses (typically runner with UID 1001). This way, file permissions match by default and you don’t need chmod.

- name: Build the site in the jekyll/builder container
  run: |
    docker run \
      --user $(id -u):$(id -g) \
      -v ${{ github.workspace }}:/srv/jekyll \
      -v ${{ github.workspace }}/_site:/srv/jekyll/_site \
      jekyll/builder:latest jekyll build --future

What changed:

• Added --user $(id -u):$(id -g) so the container uses the same UID/GID as the GitHub runner.
• Removed the chmod completely.

If you try this and the build fails with a permissions error, fall back to option 1.

---

Which should you use?

• If you want the least disruptive change that almost certainly works right away, use Option 1.
• If you want the cleanest setup that avoids permission hacks, try Option 2 first and only move to option 1 if you hit issues.

If you tell me which option you’d like, I can adapt the full .github/workflows/jekyll-docker.yml for you and show the complete file as it should look.

[netlify]

✅ Deploy Preview for qagultima ready!

Name	Link
🔨 Latest commit	39845e7
🔍 Latest deploy log	https://app.netlify.com/projects/qagultima/deploys/6929ea2baae0040008d1ac18
😎 Deploy Preview	https://deploy-preview-1--qagultima.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.