devops-infra · ChristophShyper · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026
@@ -17,9 +17,9 @@ Reusable callers exist for four profiles:
 
 Each in-scope repository should expose these caller workflows in `.github/workflows/`:
 
-1. `auto-create-pull-request.yml`
-2. `cron-check-dependencies.yml`
-3. `manual-update-version.yml`
+1. `auto-pull-request-create.yml`
+2. `cron-dependency-update.yml`
+3. `manual-release-create.yml`
 
 Static profile repositories should also expose:
 
@@ -36,12 +36,12 @@ Example:
 ```yaml
 jobs:
   call:
-    uses: devops-infra/.github/.github/workflows/reusable-auto-create-pull-request.yml@v1
+    uses: devops-infra/.github/.github/workflows/reusable-auto-pull-request-create.yml@v1
 ```
 
 ## Weekly health workflow behavior
 
-`cron-check-dependencies` is the aggregated weekly check. It combines:
+`cron-dependency-update` is the aggregated weekly check. It combines:
 
 - dependency checks
 - baseline validation
@@ -50,9 +50,9 @@ jobs:
 
 The workflow creates or updates one repository issue with findings and auto-closes it when clean.
 
-## Manual version update behavior
+## Manual release behavior
 
-`manual-update-version` supports two modes:
+`manual-release-create` supports two modes:
 
 - bump or set version (and open release PR)
 - build/push only without version bump (`build_only: true`)

@@ -1,4 +1,4 @@
-name: (Auto) Create Pull Request
+name: (Auto) Pull Request Create
 
 on:
   push:
@@ -13,10 +13,10 @@ permissions:
   pull-requests: write
 
 jobs:
-  call-auto-create-pull-request:
-    uses: ./.github/workflows/reusable-auto-create-pull-request.yml
+  call-auto-pull-request-create:
+    uses: ./.github/workflows/reusable-auto-pull-request-create.yml
     with:
       runs-on: ubuntu-24.04-arm
-      task-version: 3.49
+      task-version: 3.x
       profile: other
     secrets: inherit
@@ -1,4 +1,4 @@
-name: (Cron) Check dependencies
+name: (Cron) Dependency Update
 
 on:
   schedule:
@@ -13,7 +13,7 @@ permissions:
 
 jobs:
   call-weekly-health-check:
-    uses: ./.github/workflows/reusable-cron-check-dependencies.yml
+    uses: ./.github/workflows/reusable-cron-dependency-update.yml
     with:
       runs-on: ubuntu-24.04-arm
       task-version: 3.x

@@ -1,4 +1,4 @@
-name: (Manual) Update Version
+name: (Manual) Release Create
 
 on:
   workflow_dispatch:
@@ -30,7 +30,7 @@ permissions:
 
 jobs:
   call-version-update:
-    uses: ./.github/workflows/reusable-manual-update-version.yml
+    uses: ./.github/workflows/reusable-manual-release-create.yml
     with:
       runs-on: ubuntu-24.04-arm
       task-version: 3.x

@@ -1,4 +1,4 @@
-name: (Reusable - Auto) Create Pull Request
+name: (Reusable - Auto) Pull Request Create
 
 on:
   workflow_call:

@@ -1,4 +1,4 @@
-name: (Reusable - Cron) Check dependencies
+name: (Cron) Dependency Update
 
 on:
   workflow_call:
@@ -38,7 +38,7 @@ permissions:
   issues: read
 
 jobs:
-  dependency-check:
+  dependency-update:
     name: Weekly health scan
     runs-on: ${{ inputs.runs-on }}
     steps:
@@ -70,31 +70,16 @@ jobs:
           echo "REPORT_FILE=$REPORT_FILE" >> "$GITHUB_ENV"
           echo "HAS_FINDINGS=false" >> "$GITHUB_ENV"
 
-      - name: Run lint
-        id: lint
-        if: inputs.enable-lint
-        continue-on-error: true
-        run: task lint
-
-      - name: Record lint findings
-        if: inputs.enable-lint && steps.lint.outcome != 'success'
-        run: |
-          echo "- lint failed: \`task lint\`" >> "$REPORT_FILE"
-          echo "HAS_FINDINGS=true" >> "$GITHUB_ENV"
-
-      - name: Run dependency checks
+      - name: Run dependency update task
         id: deps
         continue-on-error: true
         run: |
           set +e
-          if task --list | grep -q "deps:check"; then
-            task deps:check
-            rc=$?
-          elif task --list | grep -q "update-versions"; then
-            task update-versions
+          if task --list | grep -q "dependency:update"; then
+            task dependency:update
             rc=$?
           else
-            echo "No dedicated dependency-check task found"
+            echo "No dedicated dependency update task found (missing task: dependency:update)"
             rc=3
           fi
           set -e
@@ -106,6 +91,18 @@ jobs:
           echo "- dependency checks reported updates or failed" >> "$REPORT_FILE"
           echo "HAS_FINDINGS=true" >> "$GITHUB_ENV"
 
+      - name: Run lint
+        id: lint
+        if: inputs.enable-lint
+        continue-on-error: true
+        run: task lint
+
+      - name: Record lint findings
+        if: inputs.enable-lint && steps.lint.outcome != 'success'
+        run: |
+          echo "- lint failed: \`task lint\`" >> "$REPORT_FILE"
+          echo "HAS_FINDINGS=true" >> "$GITHUB_ENV"
+
       - name: Install Docker Buildx
         if: inputs.profile == 'actions' || inputs.profile == 'dockerized'
         uses: docker/setup-buildx-action@v4

@@ -1,4 +1,4 @@
-name: (Reusable - Manual) Update Version
+name: (Reusable - Manual) Release Create
 
 on:
   workflow_call:

@@ -115,6 +115,14 @@ tasks:
     cmds:
       - echo "{{.VERSION}}"
 
+  dependency:update:
+    desc: Check main dependency not covered by dependabot
+    cmds:
+      - |
+        echo "ℹ️ No dedicated dependency updater configured for this repository."
+        echo "ℹ️ Dependabot handles GitHub Actions and package metadata updates."
+        echo "ℹ️ Keeping dependency checks as a safe no-op for now."
+
   version:set:
     desc: Validate version
     cmds:

@@ -95,6 +95,14 @@ tasks:
     cmds:
       - echo "{{.VERSION}}"
 
+  dependency:update:
+    desc: Check main dependency not covered by dependabot
+    cmds:
+      - |
+        echo "ℹ️ No dedicated dependency updater configured for this repository profile."
+        echo "ℹ️ Dependabot handles GitHub Actions and package metadata updates."
+        echo "ℹ️ Docker builds still validate runtime dependencies during CI."
+
   version:set:
     desc: Update version in README.md and action.yml
     cmds:

@@ -0,0 +1,150 @@
+version: '3'
+
+silent: true
+
+tasks:
+  help:
+    desc: Detailed help
+    cmds:
+      - |
+        echo "Tasks:"
+        task --list
+
+  lint:actionlint:
+    desc: Lint GitHub Actions workflows with actionlint
+    cmds:
+      - |
+        echo "▶️ Running actionlint..."
+        set +e
+        docker run --rm -i -v "$PWD:/work" -w /work rhysd/actionlint:latest -color
+        rc=$?
+        set -e
+        if [ "$rc" -eq 0 ]; then
+          echo "✅ actionlint passed"
+        else
+          echo "❌ actionlint failed"
+          exit $rc
+        fi
+
+  lint:hadolint:
+    desc: Lint Dockerfile with hadolint
+    cmds:
+      - |
+        echo "▶️ Running hadolint..."
+        set +e
+        docker run --rm -i -v "$PWD:/work" -w /work hadolint/hadolint:latest-debian < Dockerfile
+        rc=$?
+        set -e
+        if [ "$rc" -eq 0 ]; then
+          echo "✅ hadolint passed"
+        else
+          echo "❌ hadolint failed"
+          exit $rc
+        fi
+
+  lint:shellcheck:
+    desc: Lint shell scripts with shellcheck
+    cmds:
+      - |
+        echo "▶️ Running shellcheck..."
+        set +e
+        docker run --rm -i -v "$PWD:/work" -w /work koalaman/shellcheck:stable -x -S style entrypoint.sh
+        rc=$?
+        set -e
+        if [ "$rc" -eq 0 ]; then
+          echo "✅ shellcheck passed"
+        else
+          echo "❌ shellcheck failed"
+          exit $rc
+        fi
+
+  lint:yamllint:
+    desc: Lint YAML files with yamllint
+    cmds:
+      - |
+        echo "▶️ Running yamllint..."
+        set +e
+        docker run --rm -i -v "$PWD:/work" -w /work cytopia/yamllint -c .yamllint.yml .
+        rc=$?
+        set -e
+        if [ "$rc" -eq 0 ]; then
+          echo "✅ yamllint passed"
+        else
+          echo "❌ yamllint failed"
+          exit $rc
+        fi
+
+  git:get-pr-template:
+    desc: Get pull request template
+    cmds:
+      - mkdir -p .tmp
+      - curl -LsS https://raw.githubusercontent.com/devops-infra/.github/refs/tags/v1/PULL_REQUEST_TEMPLATE.md -o .tmp/PULL_REQUEST_TEMPLATE.md
+
+  git:set-config:
+    desc: Set git user config
+    cmds:
+      - git config user.name "github-actions[bot]"
+      - git config user.email "github-actions[bot]@users.noreply.github.com"
+
+  scripts:dependency:update:
+    desc: Update Alpine apk package constraints in Dockerfile
+    cmds:
+      - |
+        set -eu
+        if [ ! -f Dockerfile ]; then
+          echo "ℹ️ Dockerfile not found; nothing to update"
+          exit 0
+        fi
+
+        base_image="$(sed -nE 's/^FROM[[:space:]]+([^[:space:]]+).*/\1/p' Dockerfile | head -1)"
+        if [ -z "$base_image" ]; then
+          echo "ℹ️ Could not resolve base image; nothing to update"
+          exit 0
+        fi
+
+        case "$base_image" in
+          alpine:*|alpine)
+            :
+            ;;
+          *)
+            echo "ℹ️ Base image is '$base_image', not Alpine; nothing to update"
+            exit 0
+            ;;
+        esac
+
+        normalize_minor() {
+          version="$1"
+          printf '%s' "$version" | awk -F. '{print $1 "." $2}'
+        }
+
+        list_file=".tmp/dependency-update-apk-list.txt"
+        mkdir -p .tmp
+
+        sed -nE 's/^\s*([a-zA-Z0-9+_.-]+)=~=?([0-9]+\.[0-9]+).*$/\1 \2/p' Dockerfile > "$list_file"
+        if [ ! -s "$list_file" ]; then
+          echo "ℹ️ No pinned apk constraints (~=) found in Dockerfile"
+          exit 0
+        fi
+
+        updated=0
+        while read -r pkg current_minor; do
+          [ -n "$pkg" ] || continue
+          latest_full="$(docker run --rm "$base_image" sh -lc "apk update >/dev/null && apk list --all '$pkg' 2>/dev/null | head -1 | awk -F'[- ]' '{print \\$2}'")"
+          if [ -z "$latest_full" ]; then
+            echo "⚠️ Could not resolve latest version for $pkg; skipping"
+            continue
+          fi
+          latest_minor="$(normalize_minor "$latest_full")"
+          if [ "$latest_minor" = "$current_minor" ]; then
+            echo "✅ $pkg already up to date at $current_minor"
+            continue
+          fi
+          echo "⬆️ $pkg: $current_minor -> $latest_minor"
+          {{.SED}} -i "s#\<$pkg\>=~=$current_minor#$pkg~=$latest_minor#g" Dockerfile
+          {{.SED}} -i "s#\<$pkg\>~=$current_minor#$pkg~=$latest_minor#g" Dockerfile
+          updated=1
+        done < "$list_file"
+
+        if [ "$updated" -eq 0 ]; then
+          echo "ℹ️ No apk dependency updates were required"
+        fi
@@ -7,6 +7,7 @@ dotenv:
 
 includes:
   variables: ./Taskfile.variables.yml
+  scripts: ./Taskfile.scripts.yml
   cicd:
     taskfile: ./Taskfile.cicd.yml
     flatten: true
@@ -24,12 +25,4 @@ tasks:
   help:
     desc: Detailed help
     cmds:
-      - |
-        echo "Tasks:"
-        task --list
-        echo ""
-        echo "Environment:"
-        echo "  DOCKER_NAME={{.DOCKER_NAME}}  DOCKER_USERNAME={{.DOCKER_USERNAME}}"
-        echo "  GHRC_NAME={{.GHRC_NAME}}  GITHUB_USERNAME={{.GITHUB_USERNAME}}"
-        echo "  LAST_RELEASE={{.LAST_RELEASE}}"  VERSION={{.VERSION}}   VERSION_FULL={{.VERSION_FULL}}
-        echo "  BRANCH={{.GIT_BRANCH}}  GIT_SHORT_SHA={{.GIT_SHORT_SHA}}"  GIT_SHA={{.GIT_SHA}}
+      - task: scripts:help
@@ -1,4 +1,4 @@
-name: (Auto) Create Pull Request
+name: (Auto) Pull Request Create
 
 on:
   push:
@@ -14,7 +14,7 @@ permissions:
 
 jobs:
   call:
-    uses: devops-infra/.github/.github/workflows/reusable-auto-create-pull-request.yml@v1
+    uses: devops-infra/.github/.github/workflows/reusable-auto-pull-request-create.yml@v1
     with:
       profile: actions
     secrets: inherit