From d0efec98feabfa0f32357bdbf92e42f9936ff345 Mon Sep 17 00:00:00 2001 From: Bug Bounty Zip <133497067+BugBountyzip@users.noreply.github.com> Date: Wed, 27 May 2026 09:17:16 +0300 Subject: [PATCH] Harden self-hosted image builds --- .github/workflows/build-image.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml index 4875591..823fcfd 100644 --- a/.github/workflows/build-image.yml +++ b/.github/workflows/build-image.yml @@ -40,7 +40,7 @@ jobs: run: | INPUT="${{ inputs.distro || 'ubuntu2604' }}" if [ "$INPUT" = "all" ]; then - echo 'distros=["ubuntu2604","arch","cachyos","kali"]' >> "$GITHUB_OUTPUT" + echo 'distros=["kali","ubuntu2604","arch","cachyos"]' >> "$GITHUB_OUTPUT" else echo "distros=[\"$INPUT\"]" >> "$GITHUB_OUTPUT" fi @@ -59,9 +59,18 @@ jobs: distro: ${{ fromJson(needs.matrix.outputs.distros) }} env: - CACHE_DIR: /home/opc/ccache + CCACHE_DIR: /home/opc/ccache steps: + - name: Clean image workspace + run: | + set -euo pipefail + if [ -z "${GITHUB_WORKSPACE:-}" ] || [ "$GITHUB_WORKSPACE" = "/" ]; then + echo "Invalid GITHUB_WORKSPACE" >&2 + exit 1 + fi + sudo rm -rf "$GITHUB_WORKSPACE/image" + - name: Checkout image builder uses: actions/checkout@v6 with: