chore: fix acceptance tests on default branch

.github/workflows/continuous-integration.yml

@@ -18,6 +18,7 @@ jobs:
     uses: ./.github/workflows/wc-build-push-test.yml
     secrets: inherit
     permissions:
+      actions: read
       attestations: write
       checks: write
       contents: write

.github/workflows/release-build.yml

@@ -19,6 +19,7 @@ jobs:
     uses: ./.github/workflows/wc-build-push-test.yml
     secrets: inherit
     permissions:
+      actions: read
       attestations: write
       checks: write
       contents: write
@@ -49,6 +50,9 @@ jobs:
     env:
       REGISTRY: ghcr.io
     steps:
+      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
       - name: Inspect manifest and extract digest
         id: inspect-manifest
         run: |

.github/workflows/update-dependencies.yml

@@ -21,6 +21,9 @@ jobs:
       contents: write
       pull-requests: write
     steps:
+      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false

.github/workflows/wc-acceptance-test.yml

@@ -30,7 +30,15 @@ jobs:
       - name: Start Codespace
         run: |
           set -Eeuo pipefail
-          gh secret set -a codespaces IMAGE_VERSION --body "pr-${{ github.event.pull_request.number }}"
+
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            gh secret set -a codespaces IMAGE_VERSION --body "pr-${{ github.event.pull_request.number }}"
+          elif [[ "${{ github.event_name }}" == "push" && "${{ startsWith(github.ref, 'refs/tags/') }}" == "true" ]]; then
+            gh secret set -a codespaces IMAGE_VERSION --body "${GITHUB_REF#refs/tags/}"
+          else
+            gh secret set -a codespaces IMAGE_VERSION --body "edge"
+          fi
+
           echo CODESPACE_NAME="$(gh codespace create -R "${{ github.repository }}" -b "$HEAD_REF" -m basicLinux32gb --devcontainer-path ".devcontainer/${{ inputs.flavor }}-test/devcontainer.json" --idle-timeout 10m --retention-period 1h)" >> "$GITHUB_ENV"
         env:
           GH_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}

.github/workflows/wc-build-push-test.yml

@@ -15,6 +15,7 @@ jobs:
     uses: ./.github/workflows/wc-build-push.yml
     secrets: inherit
     permissions:
+      actions: read
       attestations: write
       contents: write
       id-token: write
@@ -23,6 +24,25 @@ jobs:
     with:
       flavor: ${{ matrix.flavor }}
 
+  dependency-review:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    needs: build-push
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
+        with:
+          comment-summary-in-pr: on-failure
+          fail-on-severity: critical
+
   integration-test:
     strategy:
       matrix:

.github/workflows/wc-build-push.yml

@@ -81,6 +81,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: build-push
     permissions:
+      actions: read
       attestations: write
       # dependency-submission needs contents write permission.
       contents: write
@@ -123,12 +124,25 @@ jobs:
             type=semver,pattern={{major}}
       - name: Create manifest list and push
         working-directory: ${{ runner.temp }}/digests
+        shell: python
         run: |
-          set -Eeuo pipefail
-          # shellcheck disable=SC2046
-          docker buildx imagetools create \
-            $(echo '${{ steps.metadata.outputs.json }}' | jq -r '.tags | map("--tag " + .) | join(" ")') \
-            $(printf '${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}@sha256:%s ' *)
+          import os
+          import json
+          import subprocess
+
+          CONTAINER = '${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}'
+          METADATA = json.loads('${{ steps.metadata.outputs.json }}')
+
+          digests = [f for f in os.listdir('.') if f.startswith('sha256:') or len(f) == 64]
+
+          command = ['docker', 'buildx', 'imagetools', 'create',
+              *[annotation for annotation in METADATA.get('annotations', []) for annotation in ('--annotation', annotation)],
+              *[tag for tag in METADATA.get('tags', []) for tag in ('--tag', tag)],
+              *[f"{CONTAINER}@sha256:{digest}" for digest in digests]
+          ]
+
+          print(' '.join(command))
+          subprocess.run(command, check=True)
       - name: Inspect manifest and extract digest
         id: inspect-manifest
         run: |
@@ -149,11 +163,6 @@ jobs:
         with:
           image: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}@${{ steps.inspect-manifest.outputs.digest }}
           dependency-snapshot: true
-      - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
-        if: github.event_name == 'pull_request'
-        with:
-          comment-summary-in-pr: on-failure
-          fail-on-severity: critical
       - uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
         with:
           subject-name: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}

README.md

@@ -88,7 +88,7 @@ The amp-devcontainer repository follows a [semantic versioning](https://semver.o
 
 Released containers will never be cleaned-up, pull request builds are cleaned up when the pull request is merged, and edge builds may be cleaned up after being stale for a while.
 
-The release notes always contain an overview of the corresponding image versions that included the full SHA next to the version number. This makes it possible for humans to easily see what version is used while still pinning to an exact version. This is the recommended way to refer to an image.
+The release notes always contain an overview of the corresponding image versions that include the full SHA next to the version number. This makes it possible for humans to easily see what version is used while still pinning to an exact version. This is the recommended way to refer to an image.
 
 All container images are included in a release. This might change in the future when the need arises to have separate releases per container.
 
@@ -217,5 +217,5 @@ See [security](.github/SECURITY.md) for more information.
 
 ## Licenses
 
-amp-devcontainer is licensed under the MIT license
+amp-devcontainer is licensed under the MIT license.
 See [license](./LICENSE) for more information.