From 14b71dd46843d184882c1da675ac4a38ef7bf82e Mon Sep 17 00:00:00 2001
From: hojmark <1203136+hojmark@users.noreply.github.com>
Date: Wed, 11 Mar 2026 14:23:16 +0100
Subject: [PATCH 1/2] ci: container image audit
---
.github/workflows/audit.yaml | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/audit.yaml b/.github/workflows/audit.yaml
index 4fce20ce..390c4c7b 100644
--- a/.github/workflows/audit.yaml
+++ b/.github/workflows/audit.yaml
@@ -8,8 +8,8 @@ on:
workflow_dispatch:
jobs:
- audit:
- name: Vulnerability audit
+ nuget-audit:
+ name: NuGet packages
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
@@ -36,6 +36,18 @@ jobs:
# NU1903: Package with high severity detected
# NU1904: Package with critical severity detected
# NU1905: An audit source does not provide a vulnerability database
- - name: Audit
+ - name: Audit NuGet packages
run: >
- dotnet restore Drift.sln -p:WarningsAsErrors='"NU1900;NU1901;NU1902;NU1903;NU1904;NU1905"'
+ dotnet restore Drift.sln
+ -p:WarningsAsErrors='"NU1900;NU1901;NU1902;NU1903;NU1904;NU1905"'
+
+ container-audit:
+ name: Container image
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ steps:
+ - name: Audit container image
+ run: >
+ docker run --rm anchore/grype:latest
+ --fail-on high
+ hojmark/drift:latest
From 0db80c83b561e541690ca4e93c1d437180ea4457 Mon Sep 17 00:00:00 2001
From: hojmark <1203136+hojmark@users.noreply.github.com>
Date: Wed, 11 Mar 2026 14:23:36 +0100
Subject: [PATCH 2/2] ci: simplify run command yaml
---
.github/workflows/ci.yaml | 16 ++++++++--------
.github/workflows/prerelease.yaml | 14 +++++++-------
.github/workflows/release.yaml | 12 ++++++------
.github/workflows/renovate.yaml | 16 ++++++++--------
4 files changed, 29 insertions(+), 29 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index dbf0b9b8..d1d04684 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
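Review bot: The new container-audit step scans `hojmark/drift:latest` as pulled from the registry, so on a scheduled or workflow_dispatch run it reports on whatever was pushed last rather than on the image built from the commit under review; scanning the image this pipeline produces, or a tag tied to `github.sha`, would make a red audit attributable to the code being merged. Both `anchore/grype:latest` and the target use floating tags, so a new grype release or database change can flip the result with no change in the repository; pinning the scanner to a version or digest keeps runs reproducible (Renovate is configured for this repo, though an image referenced inside a `run:` script may need a custom manager before it gets bumped). `--fail-on high` fails on high and critical findings, which mirrors the NU1903/NU1904 threshold of the NuGet job; a comment such as `# --fail-on high: fail on high and critical, matching the NuGet audit's NU1903/NU1904 threshold` would record that the two jobs are meant to agree. The earlier hunk renames the job from `audit` to `nuget-audit`, so any branch-protection rule that lists the old check name will presumably need updating.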
@@ -37,11 +37,11 @@ jobs:
uses: ./.github/actions/setup-runner
- name: Run tests
- run: |
- dotnet run \
- --project ./build/_build.csproj \
- --target Test \
- --commit ${{ github.sha }} \
+ run: >
+ dotnet run
+ --project ./build/_build.csproj
+ --target Test
+ --commit ${{ github.sha }}
--msbuildverbosity ${{ github.event.inputs.verbosity }}
- name: Display test results
@@ -51,7 +51,7 @@ jobs:
# TODO fix publish warnings and re-enable check
- name: Check for warnings
- run: |
- dotnet run \
- --project ./build/_build.csproj \
+ run: >
+ dotnet run
+ --project ./build/_build.csproj
--target CheckBuildWarnings
diff --git a/.github/workflows/prerelease.yaml b/.github/workflows/prerelease.yaml
index d164d396..90c5d120 100644
--- a/.github/workflows/prerelease.yaml
+++ b/.github/workflows/prerelease.yaml
@@ -25,13 +25,13 @@ jobs:
- name: Release
env:
CUSTOM_VERSION: ${{ github.event.inputs.customVersion }}
- run: |
- dotnet run \
- --project ./build/_build.csproj \
- --target PreRelease \
- --commit ${{ github.sha }} \
- --githubtoken ${{ secrets.GITHUB_TOKEN }} \
- --dockerhubpassword ${{ secrets.DOCKER_HUB_PAT_RW }} \
+ run: >
+ dotnet run
+ --project ./build/_build.csproj
+ --target PreRelease
+ --commit ${{ github.sha }}
+ --githubtoken ${{ secrets.GITHUB_TOKEN }}
+ --dockerhubpassword ${{ secrets.DOCKER_HUB_PAT_RW }}
--customversion $CUSTOM_VERSION
- name: Display test results
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index a9429e27..6a70555b 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
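Review bot: `--msbuildverbosity ${{ github.event.inputs.verbosity }}` expands a workflow_dispatch input directly into the shell line, whereas the prerelease hunk in this same series passes `customVersion` through `env:` as `$CUSTOM_VERSION`; the renovate hunk's `inputs.log_level` has the same shape. Only users able to trigger the workflow control these values, so the exposure is limited, but the env route is the pattern the series already uses: add `env:` with `VERBOSITY: ${{ github.event.inputs.verbosity }}` to the step and write `--msbuildverbosity "$VERBOSITY"` in the command. The `|` to `>` conversion here and in the CheckBuildWarnings, prerelease, release and renovate hunks depends on every continuation line keeping the same indent, because a more-indented line in a folded scalar is not folded and keeps its newline, which would split the command into two shell lines; a one-line `# folded scalar: keep every continuation line at the same indent` above `run: >` would make that constraint visible to the next editor. The enclosing job definition starts before this hunk.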
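Review bot: `--githubtoken ${{ secrets.GITHUB_TOKEN }}` and `--dockerhubpassword ${{ secrets.DOCKER_HUB_PAT_RW }}` place both secrets on the argv of `dotnet run`; the release hunk does the same for its tokens. GitHub masks the values in the job log, but as command-line arguments they are readable by every other process on the runner for the life of the build and by any tool that echoes its own invocation. The step already has an `env:` block for `CUSTOM_VERSION`, so the tokens can join it as `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and `DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PAT_RW }}`, with the command reading `--githubtoken "$GITHUB_TOKEN" --dockerhubpassword "$DOCKER_HUB_PASSWORD"`; whether `_build.csproj` could read these from the environment without the flags is not visible here. The job this step belongs to starts before the hunk.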
@@ -18,12 +18,12 @@ jobs:
uses: ./.github/actions/setup-runner
- name: Release
- run: |
- dotnet run \
- --project ./build/_build.csproj \
- --target Release \
- --commit ${{ github.sha }} \
- --githubtoken ${{ secrets.GITHUB_TOKEN }} \
+ run: >
+ dotnet run
+ --project ./build/_build.csproj
+ --target Release
+ --commit ${{ github.sha }}
+ --githubtoken ${{ secrets.GITHUB_TOKEN }}
--dockerhubpassword ${{ secrets.DOCKER_HUB_PAT_RW }}
- name: Display test results
diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml
index 9c8662c9..67aa2e43 100644
--- a/.github/workflows/renovate.yaml
+++ b/.github/workflows/renovate.yaml
@@ -30,11 +30,11 @@ jobs:
private-key: ${{ secrets.RENOVATE_APP_PK }}
- name: Run Renovate
- run: |
- docker run --rm \
- -e RENOVATE_LOG_LEVEL=${{ inputs.log_level }} \
- -e RENOVATE_PRINT_CONFIG=${{ inputs.log_level != 'info' }} \
- -e RENOVATE_PLATFORM=github \
- -e RENOVATE_REPOSITORIES=hojmark/drift \
- -e RENOVATE_TOKEN=${{ steps.app-token.outputs.token }} \
- renovate/renovate:latest
\ No newline at end of file
+ run: >
+ docker run --rm
+ -e RENOVATE_LOG_LEVEL=${{ inputs.log_level }}
+ -e RENOVATE_PRINT_CONFIG=${{ inputs.log_level != 'info' }}
+ -e RENOVATE_PLATFORM=github
+ -e RENOVATE_REPOSITORIES=hojmark/drift
+ -e RENOVATE_TOKEN=${{ steps.app-token.outputs.token }}
+ renovate/renovate:latest
\ No newline at end of file
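Review bot: The new side of the renovate hunk still ends with `\ No newline at end of file`; since every line of the step is rewritten anyway, terminating `renovate/renovate:latest` with a newline would satisfy yamllint's new-line-at-end-of-file rule and stop the next edit from showing this line as modified. `-e RENOVATE_TOKEN=${{ steps.app-token.outputs.token }}` also places the app installation token on the docker command line, where it is visible to other processes on the runner; `docker run -e RENOVATE_TOKEN` with no value forwards the variable from the step's environment, so adding `env:` with `RENOVATE_TOKEN: ${{ steps.app-token.outputs.token }}` to the step and shortening the flag to `-e RENOVATE_TOKEN` keeps the token out of argv. The job definition starts before the hunk.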