LukeEvansTech · LukeEvansTech · May 4, 2026 · May 4, 2026 · May 4, 2026 · May 4, 2026
diff --git a/.github/linters/.jscpd.json b/.github/linters/.jscpd.json
@@ -0,0 +1,13 @@
+{
+  "threshold": 10,
+  "reporters": ["consoleFull"],
+  "ignore": [
+    "**/node_modules/**",
+    "**/vendor/**",
+    "**/.terraform/**",
+    "**/.venv/**",
+    "**/dist/**",
+    "**/build/**",
+    "**/assets/scss/framework/**"
+  ]
+}
diff --git a/.github/workflows/build-and-push.yaml b/.github/workflows/build-and-push.yaml
@@ -6,21 +6,24 @@ on:
     branches:
       - main
     paths:
-      - 'apps/**'
-      - '.github/workflows/build-and-push.yaml'
+      - "apps/**"
+      - ".github/workflows/build-and-push.yaml"
   pull_request:
     paths:
-      - 'apps/**'
+      - "apps/**"
   workflow_dispatch:
     inputs:
       app:
-        description: 'App to build (leave empty for all changed apps)'
+        description: "App to build (leave empty for all changed apps)"
         required: false
         type: string
 
 env:
   REGISTRY: ghcr.io
 
+permissions:
+  contents: read
+
 jobs:
   detect-changes:
     name: Detect Changed Apps
@@ -29,13 +32,14 @@ jobs:
       apps: ${{ steps.set-matrix.outputs.apps }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Detect changed apps
         id: changed-files
-        uses: tj-actions/changed-files@v45
+        uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45.0.2
         with:
           files: apps/**
           dir_names: true
@@ -44,21 +48,27 @@ jobs:
       - name: Set matrix
         id: set-matrix
         run: |
-          if [ -n "${{ inputs.app }}" ]; then
+          if [ -n "${INPUTS_APP}" ]; then
             # Manual trigger with specific app
-            echo "apps=[\"${{ inputs.app }}\"]" >> $GITHUB_OUTPUT
-          elif [ "${{ steps.changed-files.outputs.any_changed }}" == "true" ]; then
+            echo "apps=[\"${INPUTS_APP}\"]" >> $GITHUB_OUTPUT
+          elif [ "${STEPS_CHANGED_FILES_OUTPUTS_ANY_CHANGED}" == "true" ]; then
             # Auto-detect changed apps
-            APPS=$(echo '${{ steps.changed-files.outputs.all_changed_files }}' | jq -R -s -c 'split(" ") | map(select(length > 0)) | map(split("/")[1]) | unique')
+            APPS=$(echo '${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}' | jq -R -s -c 'split(" ") | map(select(length > 0)) | map(split("/")[1]) | unique')
             echo "apps=${APPS}" >> $GITHUB_OUTPUT
           else
             # No changes
             echo "apps=[]" >> $GITHUB_OUTPUT
           fi
+        env:
+          INPUTS_APP: ${{ inputs.app }}
+          STEPS_CHANGED_FILES_OUTPUTS_ANY_CHANGED: ${{ steps.changed-files.outputs.any_changed }}
+          STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
 
       - name: Show apps to build
         run: |
-          echo "Apps to build: ${{ steps.set-matrix.outputs.apps }}"
+          echo "Apps to build: ${STEPS_SET_MATRIX_OUTPUTS_APPS}"
+        env:
+          STEPS_SET_MATRIX_OUTPUTS_APPS: ${{ steps.set-matrix.outputs.apps }}
 
   build:
     name: Build ${{ matrix.app }}
@@ -76,16 +86,18 @@ jobs:
       attestations: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -94,14 +106,14 @@ jobs:
       - name: Read VERSION file and prepare build args
         id: version
         run: |
-          if [ -f "apps/${{ matrix.app }}/VERSION" ]; then
-            VERSION=$(cat apps/${{ matrix.app }}/VERSION)
+          if [ -f "apps/${MATRIX_APP}/VERSION" ]; then
+            VERSION=$(cat apps/${MATRIX_APP}/VERSION)
             echo "version=$VERSION" >> $GITHUB_OUTPUT
             echo "has_version=true" >> $GITHUB_OUTPUT
             echo "Found VERSION file with version: $VERSION"
 
             # Create build arg with uppercase app name
-            APP_UPPER=$(echo "${{ matrix.app }}" | tr '[:lower:]' '[:upper:]' | tr '-' '_')
+            APP_UPPER=$(echo "${MATRIX_APP}" | tr '[:lower:]' '[:upper:]' | tr '-' '_')
             BUILD_ARG="${APP_UPPER}_VERSION=${VERSION}"
             echo "build_arg=$BUILD_ARG" >> $GITHUB_OUTPUT
             echo "Build arg: $BUILD_ARG"
@@ -113,10 +125,12 @@ jobs:
 
           # Always add CACHEBUST to force rebuild when needed
           echo "cachebust=${{ github.sha }}" >> $GITHUB_OUTPUT
+        env:
+          MATRIX_APP: ${{ matrix.app }}
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.app }}
           tags: |
@@ -127,7 +141,7 @@ jobs:
 
       - name: Build and push
         id: build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           context: ./apps/${{ matrix.app }}
           platforms: linux/amd64
@@ -141,23 +155,27 @@ jobs:
 
       - name: Generate artifact attestation
         if: github.event_name != 'pull_request'
-        uses: actions/attest-build-provenance@v2
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
         with:
           subject-name: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.app }}
           subject-digest: ${{ steps.build.outputs.digest }}
           push-to-registry: true
 
       - name: Summary
         run: |
-          echo "## Built: ${{ matrix.app }}" >> $GITHUB_STEP_SUMMARY
+          echo "## Built: ${MATRIX_APP}" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-          echo "**Image**: \`${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.app }}\`" >> $GITHUB_STEP_SUMMARY
-          echo "**Digest**: \`${{ steps.build.outputs.digest }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "**Image**: \`${{ env.REGISTRY }}/${{ github.repository_owner }}/${MATRIX_APP}\`" >> $GITHUB_STEP_SUMMARY
+          echo "**Digest**: \`${STEPS_BUILD_OUTPUTS_DIGEST}\`" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "### Tags" >> $GITHUB_STEP_SUMMARY
           echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
-          echo "${{ steps.meta.outputs.tags }}" >> $GITHUB_STEP_SUMMARY
+          echo "${STEPS_META_OUTPUTS_TAGS}" >> $GITHUB_STEP_SUMMARY
           echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+        env:
+          MATRIX_APP: ${{ matrix.app }}
+          STEPS_BUILD_OUTPUTS_DIGEST: ${{ steps.build.outputs.digest }}
+          STEPS_META_OUTPUTS_TAGS: ${{ steps.meta.outputs.tags }}
 
   status:
     name: Build Status

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -0,0 +1,18 @@
+name: Lint
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    permissions:
+      contents: read
+      statuses: write
+      pull-requests: write
+    uses: LukeEvansTech/shared-workflows/.github/workflows/super-linter.yml@57fff6deea8cdc1b42b62a16e72ce73df3b82f97 # v1
diff --git a/.github/workflows/mega-linter.yaml b/.github/workflows/mega-linter.yaml
diff --git a/apps/apc-deployer/Dockerfile b/apps/apc-deployer/Dockerfile
@@ -52,4 +52,7 @@ RUN kubectl version --client && \
     python3 -c "import sys; print(f'Python {sys.version}')"
 
 # Default command
+# CLI tool — runs to completion, no long-running service to health-check.
+HEALTHCHECK NONE
+
 CMD ["/bin/sh"]
diff --git a/apps/brother-deployer/Dockerfile b/apps/brother-deployer/Dockerfile
@@ -45,4 +45,7 @@ RUN kubectl version --client && \
     brother-cert --version || echo "brother-cert installed"
 
 # Default command
+# CLI tool — runs to completion, no long-running service to health-check.
+HEALTHCHECK NONE
+
 CMD ["/bin/sh"]
diff --git a/apps/onyx-deployer/Dockerfile b/apps/onyx-deployer/Dockerfile
@@ -49,4 +49,7 @@ RUN kubectl version --client && \
     python3 -c "import urllib.request; print('Python stdlib OK')" && \
     python3 -c "import OpenSSL; print('pyOpenSSL OK')"
 
+# CLI tool — runs to completion, no long-running service to health-check.
+HEALTHCHECK NONE
+
 ENTRYPOINT ["python3", "/app/onyx_cert_updater.py"]
diff --git a/apps/supermicro-ipmi-cert/Dockerfile b/apps/supermicro-ipmi-cert/Dockerfile
@@ -48,4 +48,7 @@ WORKDIR /app
 RUN kubectl version --client && \
     python3 -c "import requests; import OpenSSL; print(f'Python packages OK')"
 
+# CLI tool — runs to completion, no long-running service to health-check.
+HEALTHCHECK NONE
+
 ENTRYPOINT ["python3", "/app/supermicro_ipmi_cert.py"]