From a57bbf752cb6e9418fee8c332f84551f70170baa Mon Sep 17 00:00:00 2001
From: Oleksii Strutsynskyi
Date: Tue, 19 May 2026 10:40:52 +0200
Subject: [PATCH 1/4] chore: migrate kaniko build to cb-internal-shared-actions/build@v8
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Replace the kaniko@v1 + AWS/ECR login + slsa-attestation pipeline with a single calculi-corp/cb-internal-shared-actions/build@v8 (services variant) call. Move go build into the workflow via go-binary-build: "true". Refactor Dockerfile to runtime-only — alpine/scratch final + COPY of pre-built binary.
---
 .cloudbees/workflows/workflow.yml | 35 ++++++++++---------------------
 Dockerfile | 15 +------------
 2 files changed, 12 insertions(+), 38 deletions(-)
diff --git a/.cloudbees/workflows/workflow.yml b/.cloudbees/workflows/workflow.yml
index 81a0c07..eff7d20 100644
--- a/.cloudbees/workflows/workflow.yml
+++ b/.cloudbees/workflows/workflow.yml
@@ -27,31 +27,18 @@ jobs:
 run: |
 make verify
- - name: Login to AWS
- uses: https://github.com/cloudbees-io/configure-aws-credentials@v1
+ - id: build
+ name: Build, scan and push to ECR
+ uses: calculi-corp/cb-internal-shared-actions/build@v8
 with:
- aws-region: us-east-1
- role-to-assume: ${{ vars.oidc_staging_iam_role }}
- role-duration-seconds: "3600"
-
- - name: Configure container registry for Staging ECR
- uses: https://github.com/cloudbees-io/configure-ecr-credentials@v1
-
- - name: Build image
- id: build
- uses: https://github.com/cloudbees-io/kaniko@v1
- with:
- destination: 020229604682.dkr.ecr.us-east-1.amazonaws.com/actions/cloudbees-io-checkout:${{ cloudbees.scm.sha }}${{ cloudbees.scm.branch == 'main' && ',020229604682.dkr.ecr.us-east-1.amazonaws.com/actions/cloudbees-io-checkout:latest' || ''}}
- labels: maintainer=sdp-pod-3,email=engineering@cloudbees.io
-
- - id: slsa-attestation
- name: Generate SLSA attestation
- uses: calculi-corp/slsa-attestation@v1
- with:
- image-digest: 020229604682.dkr.ecr.us-east-1.amazonaws.com/actions/cloudbees-io-checkout@${{ steps.build.outputs.digest }}
- aws-role-to-assume: ${{ vars.oidc_staging_iam_role }}
- aws-region: us-east-1
- aws-kms-alias: cbp-dev-kms-key-cosign
+ go-binary-build: "true"
+ go-binary-name: checkout
+ kaniko-build: "true"
+ run-unit-test: "false"
+ registry-url: 020229604682.dkr.ecr.us-east-1.amazonaws.com
+ registry-image-name: actions/cloudbees-io-checkout
+ registry-type: ECR
+ oidc-iam-role: ${{ vars.oidc_staging_iam_role }}
 test-simple-no-repo-specified:
 if: cloudbees.api.url == 'https://api.saas-preprod.beescloud.com'
diff --git a/Dockerfile b/Dockerfile
index d1bd544..3b35ee6 100644
--- a/Dockerfile
+++ b/Dockerfile
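Review bot: The new build@v8 step carries no input that restores the image provenance the removed slsa-attestation step produced — the `aws-kms-alias: cbp-dev-kms-key-cosign` signing configuration and the digest-based `image-digest` attestation are deleted, and none of the eight new `with:` inputs mentions attestation or signing. If build@v8 attests and signs the pushed digest internally, a comment on the step recording that, e.g. `# build@v8 signs/attests the pushed digest; replaces the former slsa-attestation step`, keeps the property reviewable; if it does not, the attestation step should be re-added after it, presumably fed from the step's digest output as the old `steps.build.outputs.digest` was. The dropped `labels: maintainer=sdp-pod-3,email=engineering@cloudbees.io` image metadata likewise has no counterpart in the new inputs. The build job's header and its earlier steps lie outside the hunk.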
@@ -1,23 +1,10 @@
-#syntax=docker/dockerfile:1
-FROM golang:1.26.0-alpine3.22 AS build
-
-WORKDIR /work
-
-COPY go.mod* go.sum* ./
-
-RUN go mod download
-
-COPY . .
-
-RUN CGO_ENABLED=0 GOOS=linux go build -a -tags netgo -ldflags '-w -extldflags "-static"' -o /usr/local/bin/checkout main.go
-
 FROM alpine:3.22
 RUN apk fix && \
 apk --no-cache --update add git git-lfs gpg less openssh patch && \
 git lfs install
-COPY --from=build /usr/local/bin/checkout /usr/local/bin/checkout
+COPY checkout /usr/local/bin/checkout
 WORKDIR /cloudbees/home
From a13afc4ea2b2c699dd2ea0a50a10ce2c0bdb6fbe Mon Sep 17 00:00:00 2001
From: Oleksii Strutsynskyi
Date: Tue, 19 May 2026 11:07:29 +0200
Subject: [PATCH 2/4] fix: add scm-token-org: read to build job permissions
v8's Download SaaS Platform Scripts step (gated by kaniko-build + ECR) clones cloudbees/saas-platform-scripts. Without scm-token-org: read at the build job level, git-credential-cloudbees gets permission denied on the cross-org fetch.
---
 .cloudbees/workflows/workflow.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.cloudbees/workflows/workflow.yml b/.cloudbees/workflows/workflow.yml
index eff7d20..82fe800 100644
--- a/.cloudbees/workflows/workflow.yml
+++ b/.cloudbees/workflows/workflow.yml
@@ -17,6 +17,7 @@ jobs:
 if: cloudbees.api.url == 'https://api.saas-preprod.beescloud.com' || cloudbees.api.url == 'https://api.cloudbees.io'
 permissions:
 scm-token-own: read
+ scm-token-org: read
 id-token: write
 steps:
 - name: Git checkout
From c6b69062d6ab7c8cb8d595ce919a5dec166b5994 Mon Sep 17 00:00:00 2001
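Review bot: `COPY checkout /usr/local/bin/checkout` makes the image depend on an unversioned artifact from the build context: the hunk deletes the pinned `golang:1.26.0-alpine3.22` stage and the `CGO_ENABLED=0 ... -static` link flags, so nothing in the Dockerfile now guarantees the copied binary is the static build that ran correctly on alpine before, or that it carries an executable bit. A comment above the COPY naming its producer, e.g. `# checkout is built by the workflow's go-binary-build step (static, CGO_ENABLED=0); not built here`, and, where the builder supports it, `COPY --chmod=0755 checkout /usr/local/bin/checkout` would make those assumptions explicit instead of relying on whatever file mode the context happens to carry. The commit message speaks of an alpine/scratch final image, but the hunk keeps `FROM alpine:3.22` with git, openssh and gpg installed, so the message and the Dockerfile should be brought into agreement.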
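Review bot: `scm-token-org: read` is granted at job level, so every step in the build job — not only the build@v8 step that needs it for the cloudbees/saas-platform-scripts clone — can read any repository in the organisation; a comment recording the reason, `scm-token-org: read  # build@v8 clones cloudbees/saas-platform-scripts (kaniko-build + ECR path)`, keeps the grant from being widened further or left behind once v8 no longer needs it. If the platform supports per-step permission scoping, narrowing it to that step would be the least-privilege option. The job's remaining steps are outside the hunk.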
From: Oleksii Strutsynskyi
Date: Tue, 19 May 2026 11:39:49 +0200
Subject: [PATCH 3/4] fix: testing action pulls v8-built image by cloudbees.version
After migrating the build to cb-internal-shared-actions/build@v8 the image is tagged with ${{ cloudbees.version }} (e.g. 0.0.402-pr-64) plus floating :preprod / :latest. v8 no longer pushes a per-sha tag, so the test-* jobs that reference :${{ action.scm.sha }} fail with image-not-found. Switch the testing action to pull the version tag.
---
 .cloudbees/testing/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.cloudbees/testing/action.yml b/.cloudbees/testing/action.yml
index 0e89c69..7664980 100644
--- a/.cloudbees/testing/action.yml
+++ b/.cloudbees/testing/action.yml
@@ -81,7 +81,7 @@ runs:
 steps:
 - name: Checkout
 id: checkout
- uses: docker://020229604682.dkr.ecr.us-east-1.amazonaws.com/actions/cloudbees-io-checkout:${{ action.scm.sha }}
+ uses: docker://020229604682.dkr.ecr.us-east-1.amazonaws.com/actions/cloudbees-io-checkout:${{ cloudbees.version }}
 env:
 CLOUDBEES_EVENT_PATH: /cloudbees/event.json
 shell: sh
From 9545916ddb0c7887be53accd1ba80aed99c606a3 Mon Sep 17 00:00:00 2001
From: Oleksii Strutsynskyi
Date: Tue, 19 May 2026 12:08:06 +0200
Subject: [PATCH 4/4] fix: testing action pulls :preprod tag (cloudbees.version unavailable in action context)
Workflow validation rejects ${{ cloudbees.version }} inside composite action context: "cloudbees.version is undefined, supported cloudbees fields: scm". Only cloudbees.scm.* is exposed to actions. v8 pushes :preprod (and :latest on main) as floating tags alongside the versioned :0.0.NNN-pr-NN. Test jobs run after build in the same run, so :preprod is the just-built image for non-main branches.
---
 .cloudbees/testing/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.cloudbees/testing/action.yml b/.cloudbees/testing/action.yml
index 7664980..d677aa3 100644
--- a/.cloudbees/testing/action.yml
+++ b/.cloudbees/testing/action.yml
@@ -81,7 +81,7 @@ runs:
 steps:
 - name: Checkout
 id: checkout
- uses: docker://020229604682.dkr.ecr.us-east-1.amazonaws.com/actions/cloudbees-io-checkout:${{ cloudbees.version }}
+ uses: docker://020229604682.dkr.ecr.us-east-1.amazonaws.com/actions/cloudbees-io-checkout:preprod
 env:
 CLOUDBEES_EVENT_PATH: /cloudbees/event.json
 shell: sh
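Review bot: `:preprod` is a floating tag shared by every non-main build, so the test jobs now exercise whichever image last landed on that tag rather than the one this run produced; a concurrent run on another branch that pushes between this run's build and test steps silently swaps the image under test, and a failed or skipped push leaves a previous branch's image to be tested. The former `:${{ action.scm.sha }}` reference bound the test to the run's own artifact; since the commit message says only `cloudbees.scm.*` is available inside the action, the durable fix is for the workflow to hand the testing action the built reference — ideally by digest — as an action input, with the tag as its default, rather than resolving a mutable tag inside the action. At minimum a comment on the `uses:` line, `# floating tag: assumes no other non-main build pushes :preprod between this run's build and test`, should record the assumption. The action's `inputs:` block lies outside the hunk.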