The /releases/latest/download/ URL doesn't expand version in
the filename. Query the redirect to resolve actual version first.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

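The redirect lookup this commit describes, as an added shell example that is not part of these commits: it resolves the tag behind `/releases/latest`, builds the versioned asset URL that the `latest/download` alias cannot expand, and checks a digest before the binary is trusted. The repository name and asset filename in the comments are assumptions, not values from the commits.

```shell
#!/bin/sh
# Added example, not part of the commits above: resolve the real tag behind
# GitHub's /releases/latest redirect, build the versioned asset URL that the
# /releases/latest/download/ alias cannot expand, and check a digest before
# the binary is trusted in CI. The repository name and asset filename used
# in the comments are assumptions, not values taken from the commits.

# Read raw HTTP response headers on stdin and print the tag from the
# "Location: .../releases/tag/<tag>" redirect. Exit 1 if there is none
# (e.g. a 200 or 404 instead of the expected 302).
tag_from_headers() {
    sed -n 's#^[Ll]ocation:.*/releases/tag/\([^[:space:]]*\).*$#\1#p' \
        | head -n 1 | grep .
}

# HEAD request without following the redirect, then parse the tag.
# Usage: latest_tag gitleaks/gitleaks   (network call; repo is assumed)
latest_tag() {
    curl -fsSI "https://github.com/$1/releases/latest" | tag_from_headers
}

# Strip a leading "v" so the tag can be spliced into asset names such as
# the constructed "gitleaks_8.18.4_linux_x64.tar.gz".
numeric_version() {
    printf '%s\n' "${1#v}"
}

# Build the fully versioned download URL for a tag and asset filename.
asset_url() {
    printf '%s\n' "https://github.com/$1/releases/download/$2/$3"
}

# Compare a downloaded file's SHA-256 with the expected digest; return
# non-zero on mismatch so the CI step fails closed.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}
```

Pin the expected digest in the workflow rather than fetching it from the same release page, otherwise the check only proves the download was not corrupted in transit.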
The linux runner has no git/node on host and rootless podman
lacks namespace privileges. Use container: directive for every
job: alpine for secrets (gitleaks binary), docker:latest for
build (docker socket mounted by runner).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The linux runner has podman but no git. Clone repos via
alpine/git container for secrets and build host jobs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The linux runner (anvil) has no Node.js, so actions/checkout@v4
fails on every job. Use manual git clone consistently across
all jobs — container and host alike.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The gitleaks image lacks a shell compatible with the runner's
script injection. Use podman run with volume mount on the host
instead, matching the proven s5p pattern.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Multiline run with backslash continuation gets corrupted inside
the gitleaks container. Collapse to single line.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The alpine and gitleaks container images lack Node.js, which
actions/checkout@v4 requires. Use manual git clone instead.
Build job stays on host where actions/checkout works natively.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Replace manual podman run invocations with the runner's container:
directive for lint, test, and secrets jobs. Cleaner step definitions,
no volume mounts needed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Lint, test, secrets scan, and Harbor build/push jobs running
on linux runner using ephemeral podman containers. Adds
requirements.txt for container-based pip installs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>