Add repo-local bashbrew setup action #472

Merged: acburdine merged 1 commit into master from fix/ci on Jun 23, 2026
@acburdine (Member)

The TryGhost org requires pinned commit SHAs for all actions. The current docker-library/bashbrew action doesn't pin the setup-go action, so this PR creates a repo-local action for installing bashbrew.

coderabbitai Bot commented Jun 23, 2026

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between bac1351 and 23fcb7b.

📒 Files selected for processing (3)
  • .github/actions/bashbrew/action.yml
  • .github/workflows/ci.yml
  • .github/workflows/verify-templating.yml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/actions/bashbrew/action.yml
  • .github/workflows/ci.yml

Walkthrough

A new composite GitHub Action is added at .github/actions/bashbrew/action.yml to install bashbrew locally within the repository. It checks out docker-library/bashbrew at a pinned commit SHA, sets up Go using the repo's go.mod, validates the bashbrew version, and exports the bin directory to GITHUB_PATH and BASHBREW_SCRIPTS to GITHUB_ENV. The ci.yml workflow is updated to reference this local action instead of docker-library/bashbrew@HEAD, pins the actions/checkout step in the test job to a commit SHA, and adds a master branch filter to the pull_request trigger. The verify-templating.yml workflow adds a master branch filter to the push trigger.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'Add repo-local bashbrew setup action' is concise and directly describes the main change—creating a repository-local GitHub Action for bashbrew installation. |
| Description check | ✅ Passed | The description clearly explains the context (TryGhost org requirements for pinned commit SHAs) and rationale (upstream action doesn't pin setup-go) for creating the repo-local action. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@acburdine acburdine force-pushed the fix/ci branch 4 times, most recently from a192572 to bac1351 Compare June 23, 2026 18:44
@acburdine acburdine marked this pull request as ready for review June 23, 2026 18:44
@acburdine acburdine requested a review from 9larsons June 23, 2026 18:44

coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/actions/bashbrew/action.yml (1)

8-12: 🔒 Security & Privacy | 🔵 Trivial

Consider disabling credential persistence for this external checkout.

While docker-library/bashbrew is a trusted first-party Docker project, disabling credential persistence is a security best practice when executing scripts from any external repository. Adding persist-credentials: false reduces token exposure risk by preventing credentials from being stored in git config during the checkout step.

Suggested hardening
     - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
       with:
         repository: docker-library/bashbrew
         path: ${{ github.action_path }}
         ref: d662ff01570964b5f648df009c9269f388285692 # HEAD
+        persist-credentials: false
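Review bot: the `# HEAD` annotation on the `ref:` line records where the SHA sat when it was copied, not which revision it is, so unlike the `# v7` note on the checkout pin it gives a later reader nothing to check the SHA against once upstream moves. Consider recording the date or upstream version the SHA was taken from. The added `persist-credentials: false` line is worth taking as well: `path: ${{ github.action_path }}` puts the external tree inside the action's own directory, and without the setting the checkout token would be stored in that tree's git config.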
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/actions/bashbrew/action.yml around lines 8 - 12, The
actions/checkout step for the external docker-library/bashbrew repository is
missing credential persistence hardening. Add persist-credentials: false to the
with block of the actions/checkout step to prevent git credentials from being
stored in git config during checkout, which reduces token exposure risk and
follows security best practices when executing scripts from external
repositories.


📥 Commits

Reviewing files that changed from the base of the PR and between 267c603 and bac1351.

📒 Files selected for processing (3)
  • .github/actions/bashbrew/action.yml
  • .github/workflows/ci.yml
  • .github/workflows/verify-templating.yml

@acburdine acburdine merged commit 5dba6a9 into master Jun 23, 2026
4 of 5 checks passed
@acburdine acburdine deleted the fix/ci branch June 23, 2026 18:55
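
As an added example (not code from this PR or from the TryGhost repository), a small checker for the two points raised in this thread: action references that are not pinned to a full commit SHA, and `actions/checkout` steps that leave credentials persisted. It reads workflow text by indentation rather than with a YAML parser and handles only `owner/repo@ref` and `./local` references; `actions/setup-go@v5` in the sample is an assumed stand-in for an unpinned step.

```python
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")  # tags and branches (v7, HEAD) can move
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
NO_PERSIST = re.compile(r"^\s*persist-credentials:\s*['\"]?false\b")

def indent(s):
    return len(s) - len(s.lstrip())

def step_lines(lines, i):
    """Return the lines of the step that contains line i, found by indentation."""
    col = lines[i].index("uses:")  # column where this step's keys start
    start, end = i, i + 1
    while start > 0 and not lines[start][:col].strip().startswith("-"):
        start -= 1
    while end < len(lines) and (not lines[end].strip() or indent(lines[end]) >= col):
        end += 1
    return lines[start:end]

def audit(text):
    """Return (line_number, message) findings for one workflow or action file."""
    lines, findings = text.splitlines(), []
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m or m.group(1).startswith("./"):
            continue  # not an action reference, or a repo-local action
        name, _, ref = m.group(1).partition("@")
        if not FULL_SHA.match(ref):
            findings.append((i + 1, f"{name}: mutable ref '{ref}'"))
        step = step_lines(lines, i)
        if name == "actions/checkout" and not any(map(NO_PERSIST.match, step)):
            findings.append((i + 1, "actions/checkout: credentials persisted"))
    return findings

# Constructed sample: SHAs and names are from this page; setup-go@v5 is an assumed stand-in.
SAMPLE = """\
  - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
    with:
      ref: d662ff01570964b5f648df009c9269f388285692 # HEAD
  - uses: docker-library/bashbrew@HEAD
  - name: Set up Go
    uses: actions/setup-go@v5
  - uses: ./.github/actions/bashbrew
  - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
    with:
      persist-credentials: false
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Running `audit` over every file under `.github/workflows` and `.github/actions` and failing the job on a non-empty result turns the org's pinning rule into a CI gate.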