Use container: directive per job instead of nested podman run.
Each job specifies its execution image directly:
- test: python:3.13-alpine
- secrets: ghcr.io/gitleaks/gitleaks:latest
- build: quay.io/podman/stable (--privileged for nested builds)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The linux runner has no Node.js, so actions/checkout@v4 fails.
Use manual git clone with token auth instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Replace ubuntu-latest runner with linux label and migrate all
container operations from docker to podman. Add requirements.txt
as single source of truth for runtime dependencies.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Runner uses buildx with the docker-container driver, which doesn't
populate the local image store. --push builds and pushes directly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Docker credential helper on the runner may interfere with login.
Write base64 credentials to ~/.docker/config.json directly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Multiline shell continuation in YAML was causing literal \n in the
command. Single-line pipe also avoids the CLI password warning.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Runs gitleaks detect with full history before the build job.
Both test and secrets jobs must pass to gate image push.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

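One way the gated pipeline described in this commit can be laid out as a GitHub Actions workflow, added here as an illustration and not the repository's own workflow file: the job names, images, runner label, manual token-auth clone and single-line login pipe follow the commit messages on this page, while the Harbor secret names, the apk install step and the gitleaks flags are assumptions.

```yaml
name: ci
on:
  push:
    branches: [main]

jobs:
  test:
    runs-on: linux
    container: python:3.13-alpine
    steps:
      # Manual clone with token auth: the runner has no Node.js for actions/checkout.
      - run: |
          apk add --no-cache git
          git clone --depth 1 "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" .
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - run: pip install -r requirements.txt && ruff check . && pytest

  secrets:
    runs-on: linux
    container: ghcr.io/gitleaks/gitleaks:latest
    steps:
      # No --depth: gitleaks needs the full history to catch secrets committed and later removed.
      - run: git clone "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" .
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # A finding gives a non-zero exit and fails the job; --redact keeps matched values out of logs.
      - run: gitleaks detect --source . --redact

  build:
    needs: [test, secrets]   # image push is gated on both jobs succeeding
    runs-on: linux
    container:
      image: quay.io/podman/stable
      options: --privileged
    steps:
      - run: git clone --depth 1 "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" .
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Single-line pipe: no YAML line continuation (literal \n) and no CLI password warning.
      - run: echo "$HARBOR_PASSWORD" | podman login harbor.mymx.me -u "$HARBOR_USER" --password-stdin
        env:
          HARBOR_USER: ${{ secrets.HARBOR_USER }}          # assumed secret names
          HARBOR_PASSWORD: ${{ secrets.HARBOR_PASSWORD }}
      - run: podman build -t harbor.mymx.me/s5p/s5p:latest . && podman push harbor.mymx.me/s5p/s5p:latest
```

A failed `secrets` job blocks `build` entirely, so no image tagged `latest` is pushed from a commit whose history contains a detected secret.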
python:3.13-slim lacks node, which actions/checkout@v4 requires.
Run test job on bare runner with setup-python instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Bake source into the image (COPY src/) so production containers
run without volume mounts. CI pipeline runs ruff + pytest then
builds and pushes harbor.mymx.me/s5p/s5p:latest on push to main.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>