From 83319c23654ad8608ba0152d7abbcbefc984c975 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Thu, 23 Oct 2025 16:37:40 +0200 Subject: [PATCH 01/64] add zizmor --- .github/workflows/checksrc.yml | 39 ++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 .github/workflows/checksrc.yml diff --git a/.github/workflows/checksrc.yml b/.github/workflows/checksrc.yml new file mode 100644 index 0000000..bac3771 --- /dev/null +++ b/.github/workflows/checksrc.yml @@ -0,0 +1,39 @@ +# Copyright (C) Daniel Stenberg, , et al. +# +# SPDX-License-Identifier: curl + +name: 'Source' + +'on': + push: + branches: + - main + pull_request: + branches: + - main + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} + cancel-in-progress: true + +permissions: {} + +jobs: + linters: + name: 'linters' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - name: 'install prereqs' + run: | + /home/linuxbrew/.linuxbrew/bin/brew install zizmor + + - name: 'zizmor GHA' + env: + GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}' + run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" + zizmor --pedantic .github/workflows/*.yml From 7f79fee7b28b4593cca991a16672050e5f70d87c Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Thu, 23 Oct 2025 16:38:11 +0200 Subject: [PATCH 02/64] fixup EOLs at EOF --- .github/workflows/build_latest_release_multi.yml | 2 +- .github/workflows/build_master.yml | 1 - .github/workflows/build_master_multi.yml | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index 0edb16d..96dfffb 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml 
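Review bot: `brew install zizmor` in the 'install prereqs' step resolves to whatever Homebrew ships at run time, so the audit's rule set and the binary itself change underneath the workflow without any commit in this repo; at minimum record what ran by adding `zizmor --version` before the `zizmor --pedantic .github/workflows/*.yml` line, and consider pinning the release if reproducible results matter. The rest of the hardening is in place: `permissions: {}`, `persist-credentials: false` and the SHA-pinned checkout. The `GH_TOKEN` handed to zizmor carries no permissions under `permissions: {}`, which presumably suffices for its online audits but deserves a comment on the env line, e.g. `# read-only token: only used by zizmor's online audits`.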
@@ -119,4 +119,4 @@ jobs: cosign verify --key cosign.pub quay.io/curl/curl:$REL cosign verify --key cosign.pub quay.io/curl/curl:latest cosign verify --key cosign.pub quay.io/curl/curl-base:$REL - cosign verify --key cosign.pub quay.io/curl/curl-base:latest \ No newline at end of file + cosign verify --key cosign.pub quay.io/curl/curl-base:latest diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index a196694..e46d590 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml @@ -77,4 +77,3 @@ jobs: cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev:master cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-base:master cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl:master - diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index b038561..24d629f 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml @@ -73,4 +73,4 @@ jobs: - name: Verify image with public key run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:master - cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-base-multi:master \ No newline at end of file + cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-base-multi:master From a0655fcf7ef07f23c692b58ca08a8a06801d7096 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Thu, 23 Oct 2025 17:00:16 +0200 Subject: [PATCH 03/64] say why we need `packages: write` permissions --- .github/workflows/build_ci_multi.yml | 3 +-- .github/workflows/build_latest_release_multi.yml | 3 +-- .github/workflows/build_master.yml | 3 +-- .github/workflows/build_master_dev.yml | 3 +-- .github/workflows/build_master_multi.yml | 3 +-- 5 files changed, 5 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index 5dade27..569a802 100644 
--- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -17,8 +17,7 @@ jobs: name: ${{ matrix.build.name }} runs-on: 'ubuntu-latest' permissions: - contents: read - packages: write + packages: write # To create/update container on ghcr.io strategy: fail-fast: false matrix: diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index 96dfffb..e47db7c 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml @@ -16,8 +16,7 @@ jobs: name: ${{ matrix.build.name }} runs-on: 'ubuntu-latest' permissions: - contents: read - packages: write + packages: write # To create/update container on ghcr.io strategy: fail-fast: false matrix: diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index e46d590..b4d9748 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml @@ -18,8 +18,7 @@ jobs: name: ${{ matrix.build.name }} runs-on: 'ubuntu-latest' permissions: - contents: read - packages: write + packages: write # To create/update container on ghcr.io strategy: fail-fast: false matrix: diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index 246e230..3ccc55f 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml @@ -19,8 +19,7 @@ jobs: name: ${{ matrix.build.name }} runs-on: 'ubuntu-latest' permissions: - contents: read - packages: write + packages: write # To create/update container on ghcr.io strategy: fail-fast: false matrix: diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index 24d629f..78c3751 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml 
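Review bot: Removing `contents: read` from the job-level `permissions` map is not mentioned in the commit subject and changes more than the comment suggests: with a job-level map, every permission not listed becomes none, so the `actions/checkout` step further down (outside this hunk) then relies on the repository being public to clone without a token. If that is intended, state it next to the new comment, e.g. `packages: write # To create/update container on ghcr.io (contents not needed: public repo)`; otherwise keep `contents: read`. The same edit appears in build_latest_release_multi.yml, build_master.yml, build_master_dev.yml and build_master_multi.yml. The job definition continues outside the hunk.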
@@ -18,8 +18,7 @@ jobs: name: ${{ matrix.build.name }} runs-on: 'ubuntu-latest' permissions: - contents: read - packages: write + packages: write # To create/update container on ghcr.io strategy: fail-fast: false matrix: From 1fc9167a72db3003c0297abb9739460c049e830a Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Thu, 23 Oct 2025 17:07:32 +0200 Subject: [PATCH 04/64] avoid GH macros in shell code --- .github/workflows/build_ci_multi.yml | 14 ++++++++++---- .github/workflows/build_latest_release_multi.yml | 14 ++++++++++---- .github/workflows/build_master.yml | 14 ++++++++++---- .github/workflows/build_master_dev.yml | 14 ++++++++++---- .github/workflows/build_master_multi.yml | 14 ++++++++++---- 5 files changed, 50 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index 569a802..f67b1b7 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -24,13 +24,19 @@ jobs: install_latest: [ true ] steps: - name: "login docker hub" + env: + DOCKER_HUB_USER: '${{secrets.DOCKER_HUB_USER}}' + DOCKER_HUB_TOKEN: '${{secrets.DOCKER_HUB_TOKEN}}' run: | - podman login -u ${{secrets.DOCKER_HUB_USER}} -p ${{secrets.DOCKER_HUB_TOKEN}} docker.io - docker login -u ${{secrets.DOCKER_HUB_USER}} -p ${{secrets.DOCKER_HUB_TOKEN}} + podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io + docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - name: "login quay.io" + env: + QUAY_USER: '${{secrets.QUAY_USER}}' + QUAY_TOKEN: '${{secrets.QUAY_TOKEN}}' run: | - podman login -u ${{secrets.QUAY_USER}} -p ${{secrets.QUAY_TOKEN}} quay.io - docker login -u ${{secrets.QUAY_USER}} -p ${{secrets.QUAY_TOKEN}} quay.io + podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: 
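Review bot: The new `podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io` and `docker login ...` lines still pass the token as a command-line argument, so it is visible in the runner's process listing (docker itself warns that `--password` is insecure); moving the secret into `env` is the right first step, but `--password-stdin` removes the argument entirely: `echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io`, and the same for the docker line and for both lines of the 'login quay.io' step. The same pattern is repeated in build_latest_release_multi.yml, build_master.yml, build_master_dev.yml and build_master_multi.yml. The job's step list continues outside the hunk.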
diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index e47db7c..d4ff271 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml @@ -34,13 +34,19 @@ jobs: password: ${{ env.REGISTRY_PASSWORD }} registry: ${{ env.IMAGE_REGISTRY }} - name: "login docker hub" + env: + DOCKER_HUB_USER: '${{secrets.DOCKER_HUB_USER}}' + DOCKER_HUB_TOKEN: '${{secrets.DOCKER_HUB_TOKEN}}' run: | - podman login -u ${{secrets.DOCKER_HUB_USER}} -p ${{secrets.DOCKER_HUB_TOKEN}} docker.io - docker login -u ${{secrets.DOCKER_HUB_USER}} -p ${{secrets.DOCKER_HUB_TOKEN}} + podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io + docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - name: "login quay.io" + env: + QUAY_USER: '${{secrets.QUAY_USER}}' + QUAY_TOKEN: '${{secrets.QUAY_TOKEN}}' run: | - podman login -u ${{secrets.QUAY_USER}} -p ${{secrets.QUAY_TOKEN}} quay.io - docker login -u ${{secrets.QUAY_USER}} -p ${{secrets.QUAY_TOKEN}} quay.io + podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - run: | sudo apt-get update sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index b4d9748..d715d24 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml 
@@ -36,13 +36,19 @@ jobs: password: ${{ env.REGISTRY_PASSWORD }} registry: ${{ env.IMAGE_REGISTRY }} - name: "login docker hub" + env: + DOCKER_HUB_USER: '${{secrets.DOCKER_HUB_USER}}' + DOCKER_HUB_TOKEN: '${{secrets.DOCKER_HUB_TOKEN}}' run: | - podman login -u ${{secrets.DOCKER_HUB_USER}} -p ${{secrets.DOCKER_HUB_TOKEN}} docker.io - docker login -u ${{secrets.DOCKER_HUB_USER}} -p ${{secrets.DOCKER_HUB_TOKEN}} + podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io + docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - name: "login quay.io" + env: + QUAY_USER: '${{secrets.QUAY_USER}}' + QUAY_TOKEN: '${{secrets.QUAY_TOKEN}}' run: | - podman login -u ${{secrets.QUAY_USER}} -p ${{secrets.QUAY_TOKEN}} quay.io - docker login -u ${{secrets.QUAY_USER}} -p ${{secrets.QUAY_TOKEN}} quay.io + podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - run: | sudo apt-get update sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index 3ccc55f..882d5ff 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml 
@@ -37,13 +37,19 @@ jobs: password: ${{ env.REGISTRY_PASSWORD }} registry: ${{ env.IMAGE_REGISTRY }} - name: "login docker hub" + env: + DOCKER_HUB_USER: '${{secrets.DOCKER_HUB_USER}}' + DOCKER_HUB_TOKEN: '${{secrets.DOCKER_HUB_TOKEN}}' run: | - podman login -u ${{secrets.DOCKER_HUB_USER}} -p ${{secrets.DOCKER_HUB_TOKEN}} docker.io - docker login -u ${{secrets.DOCKER_HUB_USER}} -p ${{secrets.DOCKER_HUB_TOKEN}} + podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io + docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - name: "login quay.io" + env: + QUAY_USER: '${{secrets.QUAY_USER}}' + QUAY_TOKEN: '${{secrets.QUAY_TOKEN}}' run: | - podman login -u ${{secrets.QUAY_USER}} -p ${{secrets.QUAY_TOKEN}} quay.io - docker login -u ${{secrets.QUAY_USER}} -p ${{secrets.QUAY_TOKEN}} quay.io + podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - run: | sudo apt-get update sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index 78c3751..3ea89c3 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml 
@@ -36,13 +36,19 @@ jobs: password: ${{ env.REGISTRY_PASSWORD }} registry: ${{ env.IMAGE_REGISTRY }} - name: "login docker hub" + env: + DOCKER_HUB_USER: '${{secrets.DOCKER_HUB_USER}}' + DOCKER_HUB_TOKEN: '${{secrets.DOCKER_HUB_TOKEN}}' run: | - podman login -u ${{secrets.DOCKER_HUB_USER}} -p ${{secrets.DOCKER_HUB_TOKEN}} docker.io - docker login -u ${{secrets.DOCKER_HUB_USER}} -p ${{secrets.DOCKER_HUB_TOKEN}} + podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io + docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - name: "login quay.io" + env: + QUAY_USER: '${{secrets.QUAY_USER}}' + QUAY_TOKEN: '${{secrets.QUAY_TOKEN}}' run: | - podman login -u ${{secrets.QUAY_USER}} -p ${{secrets.QUAY_TOKEN}} quay.io - docker login -u ${{secrets.QUAY_USER}} -p ${{secrets.QUAY_TOKEN}} quay.io + podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - run: | sudo apt-get update sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam From 6a4989e674558fc1647fc58d3e88bfa63630219f Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Thu, 23 Oct 2025 17:10:21 +0200 Subject: [PATCH 05/64] avoid GH macros in shell code 2 --- .github/workflows/build_latest_release_multi.yml | 4 +++- .github/workflows/build_master.yml | 4 +++- .github/workflows/build_master_dev.yml | 4 +++- .github/workflows/build_master_multi.yml | 4 +++- 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index d4ff271..857c3fc 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml 
@@ -72,7 +72,9 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Write signing key to disk (only needed for `cosign sign --key`) - run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key + env: + COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' + run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key - name: Sign images with sigstore key run: | cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-multi:$REL diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index d715d24..b752543 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml @@ -67,7 +67,9 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Write signing key to disk (only needed for `cosign sign --key`) - run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key + env: + COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' + run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key - name: Sign image with a key run: | cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev:master diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index 882d5ff..3851d5c 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml @@ -64,7 +64,9 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Write signing key to disk (only needed for `cosign sign --key`) - run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key + env: + COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' + run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key - name: Sign image with a key run: | cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-debian:master 
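Review bot: `run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key` writes the signing key into the checkout with the runner's default umask, so the file is normally readable by every process on the runner, and no step removes it after the 'Sign images' step that follows. Creating it with a restrictive mode is a one-line change, `run: umask 077; echo "${COSIGN_PRIVATE_KEY}" > cosign.key`; if the installed cosign supports it, `--key env://COSIGN_PRIVATE_KEY` on the sign command would avoid the file altogether. The same change applies to build_master.yml, build_master_dev.yml and build_master_multi.yml. The job continues outside the hunk.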
diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index 3ea89c3..9c8c4e2 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml @@ -66,7 +66,9 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Write signing key to disk (only needed for `cosign sign --key`) - run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key + env: + COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' + run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key - name: Sign image with a key run: | cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-multi:master From bddbe79ddd7376170cfabe0c39989c735971aa55 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Thu, 23 Oct 2025 17:23:34 +0200 Subject: [PATCH 06/64] build_master_dev.yml drop redundant cosign privkey save step --- .github/workflows/build_master_dev.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index 3851d5c..43c8fdc 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml @@ -86,8 +86,6 @@ jobs: name: 'push images to github registry' - name: Install Cosign uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - - name: Write signing key to disk (only needed for `cosign sign --key`) - run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key - name: Sign image with a key run: | cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-fedora:master From 5a3439ac8eac8c7ec830ca9cf655bd5635f55dbd Mon Sep 17 00:00:00 2001 
From: Viktor Szakats Date: Thu, 23 Oct 2025 17:24:49 +0200 Subject: [PATCH 07/64] avoid GH macros in shell code 3 --- .github/workflows/build_latest_release_multi.yml | 4 +++- .github/workflows/build_master.yml | 4 +++- .github/workflows/build_master_dev.yml | 4 +++- .github/workflows/build_master_multi.yml | 4 +++- 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index 857c3fc..b00bd9c 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml @@ -82,7 +82,9 @@ jobs: env: COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} - name: Write public key to disk - run: echo "${{ secrets.COSIGN_PUBLIC_KEY }}" > cosign.pub + env: + COSIGN_PUBLIC_KEY: '${{ secrets.COSIGN_PUBLIC_KEY }}' + run: echo "${COSIGN_PUBLIC_KEY}" > cosign.pub - name: Verify image with public key run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:$REL diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index b752543..89d3b65 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml @@ -78,7 +78,9 @@ jobs: env: COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} - name: Write public key to disk - run: echo "${{ secrets.COSIGN_PUBLIC_KEY }}" > cosign.pub + env: + COSIGN_PUBLIC_KEY: '${{ secrets.COSIGN_PUBLIC_KEY }}' + run: echo "${COSIGN_PUBLIC_KEY}" > cosign.pub - name: Verify image with public key run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev:master diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index 43c8fdc..1c0ad83 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml 
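Review bot: `run: echo "${COSIGN_PUBLIC_KEY}" > cosign.pub` overwrites the `cosign.pub` that is tracked in the repository (it appears in the diffstat of a later commit in this series), so the 'Verify image with public key' step checks the images against a key pulled from the same secret store as the signing key rather than against the published one. Verifying with the checked-out `cosign.pub` would confirm that the key users are told to verify with actually matches the signatures and would make the `COSIGN_PUBLIC_KEY` secret unnecessary; if the tracked copy is deliberately not authoritative, a comment on the step saying so would help, e.g. `# overwrites the tracked cosign.pub; the secret is the source of truth`. The same step exists in build_master.yml, build_master_dev.yml and build_master_multi.yml. The job continues outside the hunk.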
@@ -73,7 +73,9 @@ jobs: env: COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} - name: Write public key to disk - run: echo "${{ secrets.COSIGN_PUBLIC_KEY }}" > cosign.pub + env: + COSIGN_PUBLIC_KEY: '${{ secrets.COSIGN_PUBLIC_KEY }}' + run: echo "${COSIGN_PUBLIC_KEY}" > cosign.pub - name: Verify image with public key run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-debian:master diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index 9c8c4e2..b96dfa6 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml @@ -76,7 +76,9 @@ jobs: env: COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} - name: Write public key to disk - run: echo "${{ secrets.COSIGN_PUBLIC_KEY }}" > cosign.pub + env: + COSIGN_PUBLIC_KEY: '${{ secrets.COSIGN_PUBLIC_KEY }}' + run: echo "${COSIGN_PUBLIC_KEY}" > cosign.pub - name: Verify image with public key run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:master From e1f9f8214d918cae7a3698d3031308aff3b64668 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Thu, 23 Oct 2025 17:25:34 +0200 Subject: [PATCH 08/64] build_master_dev.yml drop redundant cosign pubkey save step --- .github/workflows/build_master_dev.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index 1c0ad83..1444eed 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml @@ -93,8 +93,6 @@ jobs: cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-fedora:master env: COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} - - name: Write public key to disk - run: echo "${{ secrets.COSIGN_PUBLIC_KEY }}" > cosign.pub - name: Verify image with public key run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-fedora:master From 1dad0462366a674ab286a2bbdaf7a94ee4ac3446 Mon Sep 17 00:00:00 2001 
From: Viktor Szakats Date: Thu, 23 Oct 2025 17:37:02 +0200 Subject: [PATCH 09/64] add spellchecker: typos --- .github/workflows/checksrc.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/checksrc.yml b/.github/workflows/checksrc.yml index bac3771..2b6c806 100644 --- a/.github/workflows/checksrc.yml +++ b/.github/workflows/checksrc.yml @@ -20,7 +20,7 @@ permissions: {} jobs: linters: - name: 'linters' + name: 'spellcheck, linters' runs-on: ubuntu-latest steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -29,7 +29,7 @@ jobs: - name: 'install prereqs' run: | - /home/linuxbrew/.linuxbrew/bin/brew install zizmor + /home/linuxbrew/.linuxbrew/bin/brew install zizmor typos-cli - name: 'zizmor GHA' env: @@ -37,3 +37,9 @@ jobs: run: | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" zizmor --pedantic .github/workflows/*.yml + + - name: 'typos' + run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" + typos --version + typos From 329aa992fed6de61feba15e6bc1bd3ae8ba7e3ee Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Thu, 23 Oct 2025 17:37:27 +0200 Subject: [PATCH 10/64] fix typos --- Makefile | 2 +- README.md | 2 +- adrs/01-design.md | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 807629c..168dd6b 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ container_ids=`buildah ls --format "{{.ContainerID}}"` -# default setttings for official curl images +# default settings for official curl images debian_base=docker.io/debian fedora_base=docker.io/fedora base=docker.io/alpine:3.22.1 diff --git a/README.md b/README.md index 113f65d..f0d2b19 100644 --- a/README.md +++ b/README.md 
@@ -64,7 +64,7 @@ Master branch built regularly: * **curl-base-multi:master** - curl-base multiarch **master** branch A set of special case images built regularly: -* **curl-exp:master** - curl **master** branch built enabling expiremental features +* **curl-exp:master** - curl **master** branch built enabling experimental features Platform specific dev images built daily: * **curl-dev:master** - alpine based development environment diff --git a/adrs/01-design.md b/adrs/01-design.md index 61fe57a..7a27c3c 100644 --- a/adrs/01-design.md +++ b/adrs/01-design.md @@ -24,7 +24,7 @@ One other goal is to ensure this infrastructure is not overly dependent on any s ## Container Build Design -Using [buildah](https://buildah.io/), we can create reusable and parameterised set of scripts building a hiearchy of +Using [buildah](https://buildah.io/), we can create reusable and parameterised set of scripts building a hierarchy of container images. ```commandline @@ -58,7 +58,7 @@ Design and create container image build process using [buildah](https://buildah. Add CHANGELOG.md and automated release process based on tag. -Use [sigstore](https://www.sigstore.dev/) for signing and verifying fo all images generated by this process +Use [sigstore](https://www.sigstore.dev/) for signing and verifying of all images generated by this process Ensure both podman and docker work equally well. From ae51d6ec0adb6107ef07b11db602e9a4b233c430 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Thu, 23 Oct 2025 17:39:54 +0200 Subject: [PATCH 11/64] fix some issues reported by yamllint --- .github/workflows/build_ci_multi.yml | 7 ++++--- .github/workflows/build_latest_release_multi.yml | 5 +++-- .github/workflows/build_master.yml | 7 ++++--- .github/workflows/build_master_dev.yml | 7 ++++--- .github/workflows/build_master_multi.yml | 5 +++-- 5 files changed, 18 insertions(+), 13 deletions(-) 
diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index f67b1b7..f57f5e2 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -1,7 +1,8 @@ name: build_ci_multi_images -on: + +'on': pull_request: - types: [ opened, synchronize, reopened, labeled, unlabeled ] + types: [opened, synchronize, reopened, labeled, unlabeled] branches: - main @@ -21,7 +22,7 @@ jobs: strategy: fail-fast: false matrix: - install_latest: [ true ] + install_latest: [true] steps: - name: "login docker hub" env: diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index b00bd9c..0aaa513 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml @@ -1,5 +1,6 @@ name: build_latest_release_multi_images -on: + +'on': push: tags: - '*' @@ -20,7 +21,7 @@ jobs: strategy: fail-fast: false matrix: - install_latest: [ true ] + install_latest: [true] steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index 89d3b65..35d9a26 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml @@ -1,10 +1,11 @@ name: build_master_images -on: + +'on': schedule: - cron: '30 2 * * * ' push: branches: - - main + - main permissions: {} @@ -22,7 +23,7 @@ jobs: strategy: fail-fast: false matrix: - install_latest: [ true ] + install_latest: [true] steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index 1444eed..ca1ccb6 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml 
@@ -1,11 +1,12 @@ name: build_dev_master_images -on: + +'on': schedule: # Runs every day - cron: '30 2 * * * ' push: branches: - - main + - main permissions: {} @@ -23,7 +24,7 @@ jobs: strategy: fail-fast: false matrix: - install_latest: [ true ] + install_latest: [true] steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index b96dfa6..aca2aef 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml @@ -1,5 +1,6 @@ name: build_master_multi_images -on: + +'on': schedule: - cron: '30 2 * * * ' push: @@ -22,7 +23,7 @@ jobs: strategy: fail-fast: false matrix: - install_latest: [ true ] + install_latest: [true] steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 From e2ce196f23a88e939aff552ee70bf23180c84cd2 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Thu, 23 Oct 2025 17:40:58 +0200 Subject: [PATCH 12/64] fix some issues reported by yamllint 2 --- dev-compose.yml | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/dev-compose.yml b/dev-compose.yml index 37df637..9f655bf 100644 --- a/dev-compose.yml +++ b/dev-compose.yml @@ -1,19 +1,17 @@ version: '3' services: - - buildah-service: - container_name: buildah-service - build: - context: . - dockerfile: Containerfile - image: buildah-service - privileged: true - stdin_open: true - tty: true - environment: - DEBUG: 1 - volumes: - - $HOME/src/curl-container:/opt/app-root/src - - $HOME/src/curl:/opt/app-root/curl - + buildah-service: + container_name: buildah-service + build: + context: . + dockerfile: Containerfile + image: buildah-service + privileged: true + stdin_open: true + tty: true + environment: + DEBUG: 1 + volumes: + - $HOME/src/curl-container:/opt/app-root/src + - $HOME/src/curl:/opt/app-root/curl 
From 8e833087761dd36f545c5f4b2bd41e503945db55 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Thu, 23 Oct 2025 18:20:27 +0200 Subject: [PATCH 13/64] fix some issues reported by yamllint 3 --- .github/workflows/build_master_multi.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index aca2aef..977264d 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml @@ -5,7 +5,7 @@ name: build_master_multi_images - cron: '30 2 * * * ' push: branches: - - main + - main permissions: {} From ca208222a730e393026adcb5d3420817289a451a Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Thu, 23 Oct 2025 17:42:24 +0200 Subject: [PATCH 14/64] whitespace --- .gitignore | 2 +- CHANGELOG.md | 4 ++-- README.md | 15 +++++++-------- adrs/01-design.md | 2 +- create_dev_image.sh | 1 - create_multi.sh | 11 +++++------ 6 files changed, 16 insertions(+), 19 deletions(-) diff --git a/.gitignore b/.gitignore index 6b75623..e04276f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ .idea -venv \ No newline at end of file +venv diff --git a/CHANGELOG.md b/CHANGELOG.md index 594c303..3b4a2d1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -121,7 +121,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - fix entrypoint perms ## [8.1.2-2] - 2023-06-08 -### Added +### Added - curl-dev-fedora:master - curl-dev-debian:master ### Changed 
@@ -138,4 +138,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - created [curl-container repo](https://github.com/curl/curl-container/pull/1) ### Changed -- generate [curl:8.1.2 release](https://github.com/curl/curl/releases/tag/curl-8_1_2) images on [alpine 3.18.0](https://alpinelinux.org/posts/Alpine-3.18.0-released.html) +- generate [curl:8.1.2 release](https://github.com/curl/curl/releases/tag/curl-8_1_2) images on [alpine 3.18.0](https://alpinelinux.org/posts/Alpine-3.18.0-released.html) diff --git a/README.md b/README.md index f0d2b19..3294784 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,9 @@ # Curl Container -[![build_master_multi_images](https://github.com/curl/curl-container/actions/workflows/build_master_multi.yml/badge.svg)](https://github.com/curl/curl-container/actions/workflows/build_master_multi.yml) +[![build_master_multi_images](https://github.com/curl/curl-container/actions/workflows/build_master_multi.yml/badge.svg)](https://github.com/curl/curl-container/actions/workflows/build_master_multi.yml) [![build_latest_release_multi_images](https://github.com/curl/curl-container/actions/workflows/build_latest_release_multi.yml/badge.svg)](https://github.com/curl/curl-container/actions/workflows/build_latest_release_multi.yml) -This repository contains infrastructure/code that generates, tests and distributes the Official curl docker images +This repository contains infrastructure/code that generates, tests and distributes the Official curl docker images available from the following registries: * [quay.io](https://quay.io/curl/curl): curl images distributed by Quay.io * [docker.io](https://hub.docker.com/r/curlimages/curl): curl images distributed by docker.io 
@@ -57,7 +57,7 @@ or [Jim Fuller](jim.fuller@webcomposite.com) directly. The following images are available via [github packages](https://github.com/orgs/curl/packages). Master branch built regularly: -* **curl-dev:master** - curl-dev **master** branch +* **curl-dev:master** - curl-dev **master** branch * **curl-base:master** - curl-base **master** branch * **curl:master** - curl **master** branch * **curl-multi:master** - curl multiarch **master** branch @@ -71,7 +71,7 @@ Platform specific dev images built daily: * **curl-dev-debian:master** - debian based development environment * **curl-dev-fedora:master** - fedora based development environment -To use any of these development images; +To use any of these development images; ``` > podman run -it -v /Users/exampleuser/src/curl:/src/curl ghcr.io/curl/curl-container/curl-dev-debian:master zsh > ./buildconf @@ -79,16 +79,16 @@ To use any of these development images; > make ``` -**Note**- dev images are not specifically scanned for vulnerabilities and we currently _pin_ to latest which +**Note**- dev images are not specifically scanned for vulnerabilities and we currently _pin_ to latest which always has vulns ... **use at your own risk**. Perhaps we could consider _pinning_ to a later 'vintage'. ## Dependencies Either of the following are required to use images: -* [podman](https://podman.io/getting-started/) +* [podman](https://podman.io/getting-started/) * [docker](https://docs.docker.com/get-docker/) -The following are required to build or release images: +The following are required to build or release images: * [buildah](https://buildah.io/): used for composing dev/build images * [qemu-user-static](https://github.com/multiarch/qemu-user-static): used for building multiarch images 
@@ -106,4 +106,3 @@ The release process is as follows: * raise prep PR, review and merge * create [new release](https://github.com/curl/curl-container/releases/new) with new tag ( ex. 8.1.2 ) based on previously created branch * new tag will trigger CI for publishing to quay/docker - diff --git a/adrs/01-design.md b/adrs/01-design.md index 7a27c3c..b6f2249 100644 --- a/adrs/01-design.md +++ b/adrs/01-design.md @@ -69,7 +69,7 @@ Enhance testing We could keep the status quo (eg. ugly bash/makefile) though it is hard to maintain... also current release process is completely opaque and non automated. -We could have opted for other container build frameworks/language or other adjuncts (ex. [skopeo](https://github.com/containers/skopeo)) ... +We could have opted for other container build frameworks/language or other adjuncts (ex. [skopeo](https://github.com/containers/skopeo)) ... buildah seemed to have the right set of features and mature ... perhaps in the future we will have even more choices. Presumably we could have gone full 'code as infrastructure' and invoke buildah programmatically ... opted for shell scripts diff --git a/create_dev_image.sh b/create_dev_image.sh index 3762284..1859392 100755 --- a/create_dev_image.sh +++ b/create_dev_image.sh @@ -95,4 +95,3 @@ buildah config --label org.opencontainers.image.licenses="MIT" $bdr # commit image buildah commit $bdr "${image_name}" # --disable-compression false --squash --sign-by --tls-verify - diff --git a/create_multi.sh b/create_multi.sh index 76b7615..c25dba3 100755 --- a/create_multi.sh +++ b/create_multi.sh 
@@ -27,10 +27,9 @@ buildah manifest create curl-multi:${release_tag} for IMGTAG in "linux/386" "linux/arm/v7" "linux/amd64" "linux/arm64" "linux/ppc64le" ; do pathname="${IMGTAG////-}" echo "building $IMGTAG : $pathname" - ./create_dev_image.sh "$IMGTAG" ${base} ${compiler} "$dev_deps" "$build_opts" ${branch_or_ref} curl-dev-${pathname}:${release_tag} 0 - ./create_base_image.sh "$IMGTAG" ${base} localhost/curl-dev-${pathname}:${release_tag} "$base_deps" curl-base-${pathname}:${release_tag} ${release_tag} - buildah manifest add curl-base-multi:${release_tag} localhost/curl-base-${pathname}:${release_tag}; - ./create_appliance_image.sh "$IMGTAG" localhost/curl-base-${pathname}:${release_tag} curl-${pathname}:${release_tag} ${release_tag} - buildah manifest add curl-multi:${release_tag} localhost/curl-${pathname}:${release_tag}; + ./create_dev_image.sh "$IMGTAG" ${base} ${compiler} "$dev_deps" "$build_opts" ${branch_or_ref} curl-dev-${pathname}:${release_tag} 0 + ./create_base_image.sh "$IMGTAG" ${base} localhost/curl-dev-${pathname}:${release_tag} "$base_deps" curl-base-${pathname}:${release_tag} ${release_tag} + buildah manifest add curl-base-multi:${release_tag} localhost/curl-base-${pathname}:${release_tag}; + ./create_appliance_image.sh "$IMGTAG" localhost/curl-base-${pathname}:${release_tag} curl-${pathname}:${release_tag} ${release_tag} + buildah manifest add curl-multi:${release_tag} localhost/curl-${pathname}:${release_tag}; done - From a612a7883937cc87ef13bd68d1f2b419e1418d96 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Thu, 23 Oct 2025 17:53:52 +0200 Subject: [PATCH 15/64] whitespace 2 --- .github/CODEOWNERS | 6 +++--- .github/CONTRIBUTING.md | 2 +- adrs/01-design.md | 2 +- cosign.pub | 2 +- etc/entrypoint.sh | 2 +- tests/steps/features.py | 1 - tests/test_image.sh | 10 +++++----- 7 files changed, 12 insertions(+), 13 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 3673752..351b073 100644 --- a/.github/CODEOWNERS 
+++ b/.github/CODEOWNERS @@ -1,3 +1,3 @@ -# Copyright (C) 2023 James Fuller, , et al. -# -# SPDX-License-Identifier: curl +# Copyright (C) 2023 James Fuller, , et al. +# +# SPDX-License-Identifier: curl diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md index ce25164..d8efd1e 100644 --- a/.github/CONTRIBUTING.md +++ b/.github/CONTRIBUTING.md @@ -26,4 +26,4 @@ Send your suggestions using one of these methods: 3. as an [issue](https://github.com/curl/curl-container/issues) -/ The curl-container team! \ No newline at end of file +/ The curl-container team! diff --git a/adrs/01-design.md b/adrs/01-design.md index b6f2249..2b84284 100644 --- a/adrs/01-design.md +++ b/adrs/01-design.md @@ -73,4 +73,4 @@ We could have opted for other container build frameworks/language or other adjun buildah seemed to have the right set of features and mature ... perhaps in the future we will have even more choices. Presumably we could have gone full 'code as infrastructure' and invoke buildah programmatically ... opted for shell scripts -for simplicity. \ No newline at end of file +for simplicity. diff --git a/cosign.pub b/cosign.pub index d487706..240c70c 100644 --- a/cosign.pub +++ b/cosign.pub @@ -1,4 +1,4 @@ -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwFTRXl79xRiAFa5ZX4aZ7Vkdqmji 5WY0zqc3bd6B08CsNftlYsu2gAqdWm0IlzoQpi2Zi5C437RTg/DgLQ6Bkg== ------END PUBLIC KEY----- \ No newline at end of file +-----END PUBLIC KEY----- diff --git a/etc/entrypoint.sh b/etc/entrypoint.sh index cccf6c5..b3e9776 100755 --- a/etc/entrypoint.sh +++ b/etc/entrypoint.sh @@ -11,4 +11,4 @@ if [ "${1#-}" != "${1}" ] || [ -z "$(command -v "${1}")" ]; then set -- curl "$@" fi -exec "$@" \ No newline at end of file +exec "$@" diff --git a/tests/steps/features.py b/tests/steps/features.py index 9e9635b..c6e4bb7 100644 --- a/tests/steps/features.py +++ b/tests/steps/features.py 
@@ -21,4 +21,3 @@ def invoke_podman_image(context, image): cmd = f"podman run -it {image} -V".split() p = subprocess.run(cmd,capture_output=True, text=True) assert p.returncode == 0 - diff --git a/tests/test_image.sh b/tests/test_image.sh index 01d39db..0cb484e 100755 --- a/tests/test_image.sh +++ b/tests/test_image.sh @@ -25,19 +25,19 @@ ctrmnt=$(buildah mount $ctr) # check file exists if [[ ! -f "$ctrmnt/usr/bin/curl" ]]; then - echo "/usr/bin/curl does not exist." + echo "/usr/bin/curl does not exist." fi if [[ ! -f "$ctrmnt/usr/lib/libcurl.so.4.8.0" ]]; then - echo "/usr/lib/libcurl.so.4.8.0 does not exist." + echo "/usr/lib/libcurl.so.4.8.0 does not exist." fi # check symlink exists and is not broken if [ ! -L "$ctrmnt/usr/lib/libcurl.so.4" ] && [ ! -e "$ctrmnt/usr/lib/libcurl.so.4" ]; then - echo "/usr/lib/libcurl.so.4 symlink does not exist or is broken." + echo "/usr/lib/libcurl.so.4 symlink does not exist or is broken." fi if [ ! -L "$ctrmnt/usr/lib/libcurl.so" ] && [ ! -e "$ctrmnt/usr/lib/libcurl.so" ]; then - echo "/usr/lib/libcurl.so symlink does not exist or is broken." + echo "/usr/lib/libcurl.so symlink does not exist or is broken." fi # test running curl -buildah run $ctr /usr/bin/curl -V \ No newline at end of file +buildah run $ctr /usr/bin/curl -V From 59476a0cbdcc6fb8f5a953dae99ea22b065c538a Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Thu, 23 Oct 2025 17:45:17 +0200 Subject: [PATCH 16/64] drop cosign.pub steps, the pubkey is in the git repo root --- .github/workflows/build_latest_release_multi.yml | 4 ---- .github/workflows/build_master.yml | 4 ---- .github/workflows/build_master_dev.yml | 4 ---- .github/workflows/build_master_multi.yml | 4 ---- 4 files changed, 16 deletions(-) diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index 0aaa513..1b579bc 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml 
@@ -82,10 +82,6 @@ jobs: cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base-multi:$REL env: COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} - - name: Write public key to disk - env: - COSIGN_PUBLIC_KEY: '${{ secrets.COSIGN_PUBLIC_KEY }}' - run: echo "${COSIGN_PUBLIC_KEY}" > cosign.pub - name: Verify image with public key run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:$REL diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index 35d9a26..3ea2f77 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml @@ -78,10 +78,6 @@ jobs: cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl:master env: COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} - - name: Write public key to disk - env: - COSIGN_PUBLIC_KEY: '${{ secrets.COSIGN_PUBLIC_KEY }}' - run: echo "${COSIGN_PUBLIC_KEY}" > cosign.pub - name: Verify image with public key run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev:master diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index ca1ccb6..a40864d 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml @@ -73,10 +73,6 @@ jobs: cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-debian:master env: COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} - - name: Write public key to disk - env: - COSIGN_PUBLIC_KEY: '${{ secrets.COSIGN_PUBLIC_KEY }}' - run: echo "${COSIGN_PUBLIC_KEY}" > cosign.pub - name: Verify image with public key run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-debian:master diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index 977264d..f54c6ac 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml 
@@ -76,10 +76,6 @@ jobs: cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base-multi:master env: COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} - - name: Write public key to disk - env: - COSIGN_PUBLIC_KEY: '${{ secrets.COSIGN_PUBLIC_KEY }}' - run: echo "${COSIGN_PUBLIC_KEY}" > cosign.pub - name: Verify image with public key run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:master From 5e51edcbcde3fea324abb4677e2e69336ba8b1a4 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Thu, 23 Oct 2025 17:55:20 +0200 Subject: [PATCH 17/64] 01-design.md: replace UTF-8 line-drawing chars with ASCII-7 --- adrs/01-design.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/adrs/01-design.md b/adrs/01-design.md index 2b84284..e68f2e9 100644 --- a/adrs/01-design.md +++ b/adrs/01-design.md @@ -28,9 +28,9 @@ Using [buildah](https://buildah.io/), we can create reusable and parameterised s container images. ```commandline -├─ dev image: instant development image. -│ ├─ base image: curl base image to be used in docker inheritance. -│ │ ├─ curl image: curl 'appliance' image. ++- dev image: instant development image. +| +- base image: curl base image to be used in docker inheritance. +| | +- curl image: curl 'appliance' image. ``` Where the dev image can be used as an 'instant' development environment for building curl. The base image is intended From a1ec89f694c8e8dda6c69bb446806764919f2398 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Thu, 23 Oct 2025 18:00:33 +0200 Subject: [PATCH 18/64] checksrc.yml cleanup --- .github/workflows/checksrc.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/checksrc.yml b/.github/workflows/checksrc.yml index 2b6c806..f0c2eff 100644 --- a/.github/workflows/checksrc.yml +++ b/.github/workflows/checksrc.yml 
@@ -28,8 +28,7 @@ jobs: persist-credentials: false - name: 'install prereqs' - run: | - /home/linuxbrew/.linuxbrew/bin/brew install zizmor typos-cli + run: /home/linuxbrew/.linuxbrew/bin/brew install zizmor typos-cli - name: 'zizmor GHA' env: From 1523e3be27cd6b03fdaeb95ac9e0970c7612ac47 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Thu, 23 Oct 2025 18:13:41 +0200 Subject: [PATCH 19/64] try using grype and trivy from Linuxbrew --- .github/workflows/build_ci_multi.yml | 8 ++++++-- .github/workflows/build_latest_release_multi.yml | 8 ++++++-- .github/workflows/build_master.yml | 8 ++++++-- .github/workflows/build_master_dev.yml | 14 ++++++++++---- .github/workflows/build_master_multi.yml | 8 ++++++-- Makefile | 11 +++++++++-- 6 files changed, 43 insertions(+), 14 deletions(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index f57f5e2..9f6bb8c 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -50,5 +50,9 @@ jobs: name: 'build multi image' - run: buildah unshare make dist_name=localhost/curl-multi release_tag=master test name: 'test image' - - run: make image_name=localhost/curl-multi:master scan - name: 'security scan image' + - name: 'install scan prereqs' + run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy + - name: 'security scan image' + run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" + make image_name=localhost/curl-multi:master scan diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index 1b579bc..b6d7f50 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml 
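Review bot: In the build_ci_multi.yml hunk, the new 'install scan prereqs' step installs grype and trivy at whatever version Homebrew resolves on that day, which makes the tools that decide the security-scan outcome a floating dependency; the Makefile line this series removes had at least pinned trivy to v0.32.0, so the change trades a pinned-but-curl-piped install for an unpinned one. The identical step is added in the build_latest_release_multi.yml, build_master.yml, build_master_dev.yml and build_master_multi.yml hunks that follow, and the Makefile hunk prints `grype --version` and `trivy --version`, which at least leaves the versions in the job log. If reproducible scan results between runs matter, pinning belongs in one place rather than five workflows; otherwise a comment above the step, `# scanner versions float with Homebrew; the Makefile scan target logs the versions used`, documents the choice for the next reader.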
@@ -64,8 +64,12 @@ jobs: name: 'build multi image' - run: buildah unshare make dist_name=localhost/curl-multi release_tag=$REL test name: 'test image' - - run: make image_name=localhost/curl-multi:${REL} scan - name: 'security scan image' + - name: 'install scan prereqs' + run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy + - name: 'security scan image' + run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" + make image_name=localhost/curl-multi:${REL} scan - run: | buildah manifest push --format v2s2 --all curl-multi:$REL "docker://ghcr.io/curl/curl-container/curl-multi:${REL}" buildah manifest push --format v2s2 --all curl-base-multi:$REL "docker://ghcr.io/curl/curl-container/curl-base-multi:${REL}" diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index 3ea2f77..5c5ffb7 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml @@ -58,8 +58,12 @@ jobs: name: 'build master images' - run: buildah unshare make dist_name=localhost/curl release_tag=master test name: 'test image' - - run: make image_name=localhost/curl:master scan - name: 'security scan image' + - name: 'install scan prereqs' + run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy + - name: 'security scan image' + run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" + make image_name=localhost/curl:master scan - run: | buildah push curl-dev:master "docker://ghcr.io/curl/curl-container/curl-dev:master" buildah push curl-base:master "docker://ghcr.io/curl/curl-container/curl-base:master" diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index a40864d..88d5707 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml 
@@ -57,8 +57,12 @@ jobs: name: 'install dev deps' - run: buildah unshare make branch_or_ref=master release_tag=master build_debian name: 'build debian dev image' - - run: make image_name=localhost/curl-dev-debian:master scan - name: 'security scan image' + - name: 'install scan prereqs' + run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy + - name: 'security scan image' + run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" + make image_name=localhost/curl-dev-debian:master scan - run: | buildah push curl-dev-debian:master "docker://ghcr.io/curl/curl-container/curl-dev-debian:master" name: 'push images to github registry' @@ -78,8 +82,10 @@ jobs: cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-debian:master - run: buildah unshare make branch_or_ref=master release_tag=master build_fedora name: 'build fedora dev image' - - run: make image_name=localhost/curl-dev-fedora:master scan - name: 'security scan image' + - name: 'security scan image' + run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" + make image_name=localhost/curl-dev-fedora:master scan - run: | buildah push curl-dev-fedora:master "docker://ghcr.io/curl/curl-container/curl-dev-fedora:master" name: 'push images to github registry' diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index f54c6ac..e85d4c3 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml 
@@ -58,8 +58,12 @@ jobs: name: 'build multi image' - run: buildah unshare make dist_name=localhost/curl-multi release_tag=master test name: 'test image' - - run: make image_name=localhost/curl-multi:master scan - name: 'security scan image' + - name: 'install scan prereqs' + run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy + - name: 'security scan image' + run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" + make image_name=localhost/curl-multi:master scan - run: | buildah manifest push --all --format v2s2 localhost/curl-base-multi:master "docker://ghcr.io/curl/curl-container/curl-base-multi:master" buildah manifest push --all --format v2s2 localhost/curl-multi:master "docker://ghcr.io/curl/curl-container/curl-multi:master" diff --git a/Makefile b/Makefile index 168dd6b..a20cb23 100644 --- a/Makefile +++ b/Makefile @@ -83,16 +83,23 @@ feature-test: # # > make image_name=localhost/curl:master scan # +# Requires: grype trivy +# +# One way to install them: +# curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin +# curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo bash -s -- -b /usr/local/bin v0.32.0 +# scan: podman save -o image.tar ${image_name} # Run clamav on image.tar # freshclam clamscan image.tar # run grype on image.tar - curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin && grype image.tar + grype --version + grype image.tar # run trivy on image.tar systemctl --user enable --now podman.socket | true - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo bash -s -- -b /usr/local/bin v0.32.0 + trivy --version trivy image --input image.tar rm image.tar From e82cbc8038cb5432a72e9bc8171b8be88f02bef1 Mon Sep 17 00:00:00 2001 
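Review bot: In the Makefile hunk, `grype image.tar` and `trivy image --input image.tar` report findings but, with no failure threshold, exit successfully regardless of what they find, so the 'security scan image' CI steps that call this target never gate a build. If the scan is meant to gate, grype takes `--fail-on` and trivy takes `--exit-code 1` together with a `--severity` filter; if it is advisory only (the README elsewhere in the series says dev images always carry findings), a comment on the target such as `# advisory scan: results are logged, never fail the build` would stop readers from assuming otherwise. The unchanged line `systemctl --user enable --now podman.socket | true` reads as if `|| true` was intended; as written it pipes systemctl's output into true and only masks the status because the recipe does not run under pipefail. Whether the scan target ends at `rm image.tar` is not visible in the hunk.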
From: Viktor Szakats Date: Thu, 23 Oct 2025 18:15:37 +0200 Subject: [PATCH 20/64] make GHA macro formatting consistent --- .github/workflows/build_ci_multi.yml | 8 ++++---- .github/workflows/build_latest_release_multi.yml | 8 ++++---- .github/workflows/build_master.yml | 8 ++++---- .github/workflows/build_master_dev.yml | 8 ++++---- .github/workflows/build_master_multi.yml | 8 ++++---- 5 files changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index 9f6bb8c..492edcf 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -26,15 +26,15 @@ jobs: steps: - name: "login docker hub" env: - DOCKER_HUB_USER: '${{secrets.DOCKER_HUB_USER}}' - DOCKER_HUB_TOKEN: '${{secrets.DOCKER_HUB_TOKEN}}' + DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' + DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - name: "login quay.io" env: - QUAY_USER: '${{secrets.QUAY_USER}}' - QUAY_TOKEN: '${{secrets.QUAY_TOKEN}}' + QUAY_USER: '${{ secrets.QUAY_USER }}' + QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' run: | podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index b6d7f50..c3b516c 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml 
@@ -36,15 +36,15 @@ jobs: registry: ${{ env.IMAGE_REGISTRY }} - name: "login docker hub" env: - DOCKER_HUB_USER: '${{secrets.DOCKER_HUB_USER}}' - DOCKER_HUB_TOKEN: '${{secrets.DOCKER_HUB_TOKEN}}' + DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' + DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - name: "login quay.io" env: - QUAY_USER: '${{secrets.QUAY_USER}}' - QUAY_TOKEN: '${{secrets.QUAY_TOKEN}}' + QUAY_USER: '${{ secrets.QUAY_USER }}' + QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' run: | podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index 5c5ffb7..bd60b1f 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml @@ -38,15 +38,15 @@ jobs: registry: ${{ env.IMAGE_REGISTRY }} - name: "login docker hub" env: - DOCKER_HUB_USER: '${{secrets.DOCKER_HUB_USER}}' - DOCKER_HUB_TOKEN: '${{secrets.DOCKER_HUB_TOKEN}}' + DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' + DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - name: "login quay.io" env: - QUAY_USER: '${{secrets.QUAY_USER}}' - QUAY_TOKEN: '${{secrets.QUAY_TOKEN}}' + QUAY_USER: '${{ secrets.QUAY_USER }}' + QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' run: | podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index 88d5707..ffa3cf3 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml 
@@ -39,15 +39,15 @@ jobs: registry: ${{ env.IMAGE_REGISTRY }} - name: "login docker hub" env: - DOCKER_HUB_USER: '${{secrets.DOCKER_HUB_USER}}' - DOCKER_HUB_TOKEN: '${{secrets.DOCKER_HUB_TOKEN}}' + DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' + DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - name: "login quay.io" env: - QUAY_USER: '${{secrets.QUAY_USER}}' - QUAY_TOKEN: '${{secrets.QUAY_TOKEN}}' + QUAY_USER: '${{ secrets.QUAY_USER }}' + QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' run: | podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index e85d4c3..f149a50 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml @@ -38,15 +38,15 @@ jobs: registry: ${{ env.IMAGE_REGISTRY }} - name: "login docker hub" env: - DOCKER_HUB_USER: '${{secrets.DOCKER_HUB_USER}}' - DOCKER_HUB_TOKEN: '${{secrets.DOCKER_HUB_TOKEN}}' + DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' + DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - name: "login quay.io" env: - QUAY_USER: '${{secrets.QUAY_USER}}' - QUAY_TOKEN: '${{secrets.QUAY_TOKEN}}' + QUAY_USER: '${{ secrets.QUAY_USER }}' + QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' run: | podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io From 2bde59a15f57791a24fa0e75f035b174bf999cc2 Mon Sep 17 00:00:00 2001 
From: Viktor Szakats Date: Thu, 23 Oct 2025 18:16:12 +0200 Subject: [PATCH 21/64] make GHA macro formatting consistent 2 --- .github/workflows/build_latest_release_multi.yml | 6 +++--- .github/workflows/build_master.yml | 2 +- .github/workflows/build_master_dev.yml | 4 ++-- .github/workflows/build_master_multi.yml | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index c3b516c..f9ffa90 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml @@ -85,7 +85,7 @@ jobs: cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-multi:$REL cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base-multi:$REL env: - COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - name: Verify image with public key run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:$REL @@ -103,7 +103,7 @@ jobs: cosign sign -y --key cosign.key docker.io/curlimages/curl-base:$REL cosign sign -y --key cosign.key docker.io/curlimages/curl-base:latest env: - COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - name: Verify image run: | cosign verify --key cosign.pub docker.io/curlimages/curl:$REL @@ -123,7 +123,7 @@ jobs: cosign sign -y --key cosign.key quay.io/curl/curl-base:$REL cosign sign -y --key cosign.key quay.io/curl/curl-base:latest env: - COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - name: Verify image run: | cosign verify --key cosign.pub quay.io/curl/curl:$REL diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index bd60b1f..647d051 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml 
@@ -81,7 +81,7 @@ jobs: cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base:master cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl:master env: - COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - name: Verify image with public key run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev:master diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index ffa3cf3..aefddab 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml @@ -76,7 +76,7 @@ jobs: run: | cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-debian:master env: - COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - name: Verify image with public key run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-debian:master @@ -95,7 +95,7 @@ jobs: run: | cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-fedora:master env: - COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - name: Verify image with public key run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-fedora:master diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index f149a50..fc891ed 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml @@ -79,7 +79,7 @@ jobs: cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-multi:master cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base-multi:master env: - COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - name: Verify image with public key run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:master From 4d9c27e1915430401c4ce10746fe9118ab1bfc70 Mon Sep 17 00:00:00 2001 
From: Viktor Szakats Date: Thu, 23 Oct 2025 18:18:49 +0200 Subject: [PATCH 22/64] make CI jobs testable without docker hub/quay login creds --- .github/workflows/build_ci_multi.yml | 12 ++++++++---- .github/workflows/build_latest_release_multi.yml | 12 ++++++++---- .github/workflows/build_master.yml | 12 ++++++++---- .github/workflows/build_master_dev.yml | 12 ++++++++---- .github/workflows/build_master_multi.yml | 12 ++++++++---- 5 files changed, 40 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index 492edcf..3764a97 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -29,15 +29,19 @@ jobs: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | - podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io - docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" + if [ -n "${DOCKER_HUB_USER:+1}" ]; then + podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io + docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" + fi - name: "login quay.io" env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' run: | - podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + if [ -n "${QUAY_USER:+1}" ]; then + podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + fi - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index f9ffa90..ee0bc5d 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml 
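Review bot: The re-indented login lines in the build_ci_multi.yml hunk still pass the registry token on the command line, `podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io` and the matching docker line, which exposes the secret to anything that can read the process list on the runner and makes docker print its insecure-password warning; both CLIs accept `--password-stdin`, e.g. `printf '%s' "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io`. The new guard `[ -n "${DOCKER_HUB_USER:+1}" ]` is the long spelling of `[ -n "${DOCKER_HUB_USER}" ]` and checks only the user, so a configured user with a missing token still attempts the login and fails; testing both variables states the intent more clearly. The same change appears in the build_latest_release_multi.yml, build_master.yml, build_master_dev.yml and build_master_multi.yml hunks that follow, for both the docker hub and quay.io steps.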
@@ -39,15 +39,19 @@ jobs: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | - podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io - docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" + if [ -n "${DOCKER_HUB_USER:+1}" ]; then + podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io + docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" + fi - name: "login quay.io" env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' run: | - podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + if [ -n "${QUAY_USER:+1}" ]; then + podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + fi - run: | sudo apt-get update sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index 647d051..8665e93 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml 
@@ -41,15 +41,19 @@ jobs: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | - podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io - docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" + if [ -n "${DOCKER_HUB_USER:+1}" ]; then + podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io + docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" + fi - name: "login quay.io" env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' run: | - podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + if [ -n "${QUAY_USER:+1}" ]; then + podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + fi - run: | sudo apt-get update sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index aefddab..4839814 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml 
@@ -42,15 +42,19 @@ jobs: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | - podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io - docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" + if [ -n "${DOCKER_HUB_USER:+1}" ]; then + podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io + docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" + fi - name: "login quay.io" env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' run: | - podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + if [ -n "${QUAY_USER:+1}" ]; then + podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + fi - run: | sudo apt-get update sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index fc891ed..225e2a0 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml 
@@ -41,15 +41,19 @@ jobs: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | - podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io - docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" + if [ -n "${DOCKER_HUB_USER:+1}" ]; then + podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io + docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" + fi - name: "login quay.io" env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' run: | - podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + if [ -n "${QUAY_USER:+1}" ]; then + podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + fi - run: | sudo apt-get update sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam From f26fdd8fc6fac68dc85673e07cd50abbebcc5c1b Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 24 Oct 2025 03:17:19 +0200 Subject: [PATCH 23/64] try something https://docs.github.com/en/actions/reference/workflows-and-actions/contexts#github-context --- .github/workflows/build_ci_multi.yml | 2 ++ .github/workflows/build_latest_release_multi.yml | 2 ++ .github/workflows/build_master.yml | 2 ++ .github/workflows/build_master_dev.yml | 2 ++ .github/workflows/build_master_multi.yml | 2 ++ 5 files changed, 10 insertions(+) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index 3764a97..2d25be3 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -25,6 +25,7 @@ jobs: install_latest: [true] steps: - name: "login docker hub" + if: ${{ github.secret_source == 'Actions' }} env: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' 
@@ -34,6 +35,7 @@ jobs: docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" fi - name: "login quay.io" + if: ${{ github.secret_source == 'Actions' }} env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index ee0bc5d..bd927e1 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml @@ -35,6 +35,7 @@ jobs: password: ${{ env.REGISTRY_PASSWORD }} registry: ${{ env.IMAGE_REGISTRY }} - name: "login docker hub" + if: ${{ github.secret_source == 'Actions' }} env: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' @@ -44,6 +45,7 @@ jobs: docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" fi - name: "login quay.io" + if: ${{ github.secret_source == 'Actions' }} env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index 8665e93..d38544c 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml @@ -37,6 +37,7 @@ jobs: password: ${{ env.REGISTRY_PASSWORD }} registry: ${{ env.IMAGE_REGISTRY }} - name: "login docker hub" + if: ${{ github.secret_source == 'Actions' }} env: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' @@ -46,6 +47,7 @@ jobs: docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" fi - name: "login quay.io" + if: ${{ github.secret_source == 'Actions' }} env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index 4839814..dff1e94 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml 
@@ -38,6 +38,7 @@ jobs: password: ${{ env.REGISTRY_PASSWORD }} registry: ${{ env.IMAGE_REGISTRY }} - name: "login docker hub" + if: ${{ github.secret_source == 'Actions' }} env: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' @@ -47,6 +48,7 @@ jobs: docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" fi - name: "login quay.io" + if: ${{ github.secret_source == 'Actions' }} env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index 225e2a0..c2e7286 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml @@ -37,6 +37,7 @@ jobs: password: ${{ env.REGISTRY_PASSWORD }} registry: ${{ env.IMAGE_REGISTRY }} - name: "login docker hub" + if: ${{ github.secret_source == 'Actions' }} env: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' @@ -46,6 +47,7 @@ jobs: docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" fi - name: "login quay.io" + if: ${{ github.secret_source == 'Actions' }} env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' From fd57f87bdd87c85141e10fd50fb46bc55972d44c Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 24 Oct 2025 03:22:51 +0200 Subject: [PATCH 24/64] cleanup --- .github/workflows/build_ci_multi.yml | 12 ++++-------- .github/workflows/build_latest_release_multi.yml | 12 ++++-------- .github/workflows/build_master.yml | 12 ++++-------- .github/workflows/build_master_dev.yml | 12 ++++-------- .github/workflows/build_master_multi.yml | 12 ++++-------- 5 files changed, 20 insertions(+), 40 deletions(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index 2d25be3..510e763 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml 
@@ -30,20 +30,16 @@ jobs: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | - if [ -n "${DOCKER_HUB_USER:+1}" ]; then - podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io - docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - fi + podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io + docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - name: "login quay.io" if: ${{ github.secret_source == 'Actions' }} env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' run: | - if [ -n "${QUAY_USER:+1}" ]; then - podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - fi + podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index bd927e1..ab6cc1c 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml 
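Review bot: Dropping the `-n` guard makes the login unconditional once the step-level `if: github.secret_source == 'Actions'` passes, but that expression only says where secrets are sourced from, not whether `DOCKER_HUB_USER`/`DOCKER_HUB_TOKEN` are actually defined; an undefined repository secret expands to an empty string, so the step would run `podman login -u "" -p "" docker.io` and presumably fail the job where it previously skipped. The same applies to the quay.io step in this hunk and to the parallel hunks for build_latest_release_multi.yml, build_master.yml, build_master_dev.yml and build_master_multi.yml. If the intent is that these workflows only run where the secrets are configured, a comment on the step saying so would make the failure mode explicit, e.g. `# requires DOCKER_HUB_USER/DOCKER_HUB_TOKEN to be set; there is no skip path`.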
@@ -40,20 +40,16 @@ jobs: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | - if [ -n "${DOCKER_HUB_USER:+1}" ]; then - podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io - docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - fi + podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io + docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - name: "login quay.io" if: ${{ github.secret_source == 'Actions' }} env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' run: | - if [ -n "${QUAY_USER:+1}" ]; then - podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - fi + podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - run: | sudo apt-get update sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index d38544c..8ce05c0 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml 
@@ -42,20 +42,16 @@ jobs: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | - if [ -n "${DOCKER_HUB_USER:+1}" ]; then - podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io - docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - fi + podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io + docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - name: "login quay.io" if: ${{ github.secret_source == 'Actions' }} env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' run: | - if [ -n "${QUAY_USER:+1}" ]; then - podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - fi + podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - run: | sudo apt-get update sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index dff1e94..18d147e 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml 
@@ -43,20 +43,16 @@ jobs: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | - if [ -n "${DOCKER_HUB_USER:+1}" ]; then - podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io - docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - fi + podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io + docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - name: "login quay.io" if: ${{ github.secret_source == 'Actions' }} env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' run: | - if [ -n "${QUAY_USER:+1}" ]; then - podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - fi + podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - run: | sudo apt-get update sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index c2e7286..29aa944 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml 
@@ -42,20 +42,16 @@ jobs: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | - if [ -n "${DOCKER_HUB_USER:+1}" ]; then - podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io - docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - fi + podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io + docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - name: "login quay.io" if: ${{ github.secret_source == 'Actions' }} env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' run: | - if [ -n "${QUAY_USER:+1}" ]; then - podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - fi + podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - run: | sudo apt-get update sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam From a12b36e742633d3c0fcd81a7b43538d846c19c8a Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 24 Oct 2025 03:27:24 +0200 Subject: [PATCH 25/64] cleanup-2 --- .github/workflows/build_latest_release_multi.yml | 2 -- .github/workflows/build_master.yml | 2 -- .github/workflows/build_master_dev.yml | 2 -- .github/workflows/build_master_multi.yml | 2 -- 4 files changed, 8 deletions(-) diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index ab6cc1c..f9ffa90 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml @@ -35,7 +35,6 @@ jobs: password: ${{ env.REGISTRY_PASSWORD }} registry: ${{ env.IMAGE_REGISTRY }} - name: "login docker hub" - if: ${{ github.secret_source == 'Actions' }} env: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' 
@@ -43,7 +42,6 @@ jobs: podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - name: "login quay.io" - if: ${{ github.secret_source == 'Actions' }} env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index 8ce05c0..647d051 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml @@ -37,7 +37,6 @@ jobs: password: ${{ env.REGISTRY_PASSWORD }} registry: ${{ env.IMAGE_REGISTRY }} - name: "login docker hub" - if: ${{ github.secret_source == 'Actions' }} env: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' @@ -45,7 +44,6 @@ jobs: podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - name: "login quay.io" - if: ${{ github.secret_source == 'Actions' }} env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index 18d147e..aefddab 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml @@ -38,7 +38,6 @@ jobs: password: ${{ env.REGISTRY_PASSWORD }} registry: ${{ env.IMAGE_REGISTRY }} - name: "login docker hub" - if: ${{ github.secret_source == 'Actions' }} env: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' @@ -46,7 +45,6 @@ jobs: podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - name: "login quay.io" - if: ${{ github.secret_source == 'Actions' }} env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' 
diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index 29aa944..fc891ed 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml @@ -37,7 +37,6 @@ jobs: password: ${{ env.REGISTRY_PASSWORD }} registry: ${{ env.IMAGE_REGISTRY }} - name: "login docker hub" - if: ${{ github.secret_source == 'Actions' }} env: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' @@ -45,7 +44,6 @@ jobs: podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - name: "login quay.io" - if: ${{ github.secret_source == 'Actions' }} env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' From e868b6a6f5706d597b000fc3dbf40cecfa2ee702 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 24 Oct 2025 03:34:59 +0200 Subject: [PATCH 26/64] build_ci_multi.yml: split logins to separate workflow to verify them, without running anything else there Also drop perms, and global secrets, that were not used. --- .github/workflows/build_ci_multi.yml | 50 +++++++++++++--------------- 1 file changed, 24 insertions(+), 26 deletions(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index 510e763..7b65d55 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml 
@@ -8,46 +8,23 @@ name: build_ci_multi_images permissions: {} -env: - REGISTRY_USER: ${{ github.actor }} - REGISTRY_PASSWORD: ${{ github.token }} - IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} - jobs: build_multi_ci: name: ${{ matrix.build.name }} runs-on: 'ubuntu-latest' - permissions: - packages: write # To create/update container on ghcr.io strategy: fail-fast: false matrix: install_latest: [true] steps: - - name: "login docker hub" - if: ${{ github.secret_source == 'Actions' }} - env: - DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' - DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' + - name: 'install dev deps' run: | - podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io - docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - - name: "login quay.io" - if: ${{ github.secret_source == 'Actions' }} - env: - QUAY_USER: '${{ secrets.QUAY_USER }}' - QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' - run: | - podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + sudo apt-get update + sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - run: | - sudo apt-get update - sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam - name: 'install dev deps' - run: buildah unshare make branch_or_ref=master release_tag=master multibuild name: 'build multi image' - run: buildah unshare make dist_name=localhost/curl-multi release_tag=master test 
@@ -58,3 +35,24 @@ jobs: run: | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" make image_name=localhost/curl-multi:master scan + + verify_secrets: + name: ${{ matrix.build.name }} + runs-on: 'ubuntu-latest' + if: ${{ github.secret_source == 'Actions' }} + steps: + - name: "login docker hub" + env: + DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' + DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' + run: | + podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io + docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" + + - name: "login quay.io" + env: + QUAY_USER: '${{ secrets.QUAY_USER }}' + QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' + run: | + podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io From fe14057c5cd0c9e6b0eb68caa651590e4ed07564 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 24 Oct 2025 03:35:45 +0200 Subject: [PATCH 27/64] build_ci_multi.yml drop matrix, it had a single item, with an unused value --- .github/workflows/build_ci_multi.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index 7b65d55..19322ff 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -12,10 +12,6 @@ jobs: build_multi_ci: name: ${{ matrix.build.name }} runs-on: 'ubuntu-latest' - strategy: - fail-fast: false - matrix: - install_latest: [true] steps: - name: 'install dev deps' run: | From fd91820f99af53e4e97c205b02c90fb6839956d7 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 24 Oct 2025 03:41:37 +0200 Subject: [PATCH 28/64] build_ci_multi.yml cleanup --- .github/workflows/build_ci_multi.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index 19322ff..a0df985 100644 --- a/.github/workflows/build_ci_multi.yml 
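Review bot: The new `verify_secrets` job sets `name: ${{ matrix.build.name }}` but declares no `strategy.matrix`, so the expression evaluates to an empty string and the job gets no readable display name; a literal such as `name: 'verify_secrets'` fixes that. Within the job, `podman login` names `docker.io` explicitly while `docker login` relies on its default registry; naming it in both (`docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io`) keeps the two commands obviously equivalent. The job inherits the workflow-level `permissions: {}`, which looks right since it only consumes repository secrets and never touches the `GITHUB_TOKEN`.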
+++ b/.github/workflows/build_ci_multi.yml @@ -33,7 +33,7 @@ jobs: make image_name=localhost/curl-multi:master scan verify_secrets: - name: ${{ matrix.build.name }} + name: 'Verify credentials' runs-on: 'ubuntu-latest' if: ${{ github.secret_source == 'Actions' }} steps: From 84882530651b6af7bda523ab6fbb929fa4b71ba2 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 24 Oct 2025 03:41:52 +0200 Subject: [PATCH 29/64] build_ci_multi.yml cleanup 2 --- .github/workflows/build_ci_multi.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index a0df985..0814f4a 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -10,7 +10,7 @@ permissions: {} jobs: build_multi_ci: - name: ${{ matrix.build.name }} + name: 'build_multi_ci' runs-on: 'ubuntu-latest' steps: - name: 'install dev deps' From 4c5084f64fa57538387932c393f7eb97537a3c1b Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 24 Oct 2025 03:44:20 +0200 Subject: [PATCH 30/64] build_ci_multi.yml cleanup 3 --- .github/workflows/build_ci_multi.yml | 42 ++++++++++++++-------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index 0814f4a..a251be4 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml 
@@ -9,6 +9,27 @@ name: build_ci_multi_images permissions: {} jobs: + verify_secrets: + name: 'Verify credentials' + runs-on: 'ubuntu-latest' + if: ${{ github.secret_source == 'Actions' }} + steps: + - name: "login docker hub" + env: + DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' + DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' + run: | + podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io + docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" + + - name: "login quay.io" + env: + QUAY_USER: '${{ secrets.QUAY_USER }}' + QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' + run: | + podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + build_multi_ci: name: 'build_multi_ci' runs-on: 'ubuntu-latest' @@ -31,24 +52,3 @@ jobs: run: | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" make image_name=localhost/curl-multi:master scan - - verify_secrets: - name: 'Verify credentials' - runs-on: 'ubuntu-latest' - if: ${{ github.secret_source == 'Actions' }} - steps: - - name: "login docker hub" - env: - DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' - DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' - run: | - podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io - docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" - - - name: "login quay.io" - env: - QUAY_USER: '${{ secrets.QUAY_USER }}' - QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' - run: | - podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io From b329f596849932681009773b600624a6b4c2aa82 Mon Sep 17 00:00:00 2001 
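Review bot: Placing `verify_secrets` ahead of `build_multi_ci` under `jobs:` changes only the listing order; without a `needs:` relation the two jobs still start in parallel, so a failed credential check does not stop the build. If the reorder is meant purely for readability that is fine, but if it was meant to gate the build, `build_multi_ci` would need `needs: verify_secrets` — and because `verify_secrets` is conditional on `github.secret_source`, a skipped check would then also skip the build unless the build job's `if:` accounts for that. A one-line comment above the job stating which of the two is intended would remove the ambiguity.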
From: Viktor Szakats Date: Fri, 24 Oct 2025 03:50:50 +0200 Subject: [PATCH 31/64] build_ci_multi: pass secret via stdin from builtin command echo To avoid these warnings: ``` WARNING! Using --password via the CLI is insecure. Use --password-stdin. ``` --- .github/workflows/build_ci_multi.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index a251be4..14d1c85 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -19,16 +19,16 @@ jobs: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | - podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io - docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" + echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io + echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin - name: "login quay.io" env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' run: | - podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io - docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io + echo "${QUAY_TOKEN}" | podman login -u "${QUAY_USER}" --password-stdin quay.io + echo "${QUAY_TOKEN}" | docker login -u "${QUAY_USER}" --password-stdin quay.io build_multi_ci: name: 'build_multi_ci' From 2790f6cdcf634cc6560a6eb5538ba118b491f07a Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 24 Oct 2025 03:55:54 +0200 Subject: [PATCH 32/64] narrow scope of ghcr cred envs --- .github/workflows/build_latest_release_multi.yml | 9 ++++----- .github/workflows/build_master.yml | 9 ++++----- .github/workflows/build_master_dev.yml | 9 ++++----- .github/workflows/build_master_multi.yml | 9 ++++----- 4 files changed, 16 insertions(+), 20 deletions(-) 
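Review bot: Feeding the token through `echo` keeps it out of the process argument list, but bash's builtin `echo` still interprets a value beginning with `-n`, `-e` or `-E` as an option, which would corrupt such a token on its way to `--password-stdin`. `printf '%s\n' "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io` is the option-proof form; the same substitution applies to the quay.io step here and to the later hunks on this page that make the identical change in build_latest_release_multi.yml and build_master.yml. The pipeline's exit status is that of the login command, so the step should still fail correctly under the runner's default shell when authentication is rejected.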
diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index f9ffa90..8e20182 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml @@ -7,11 +7,6 @@ name: build_latest_release_multi_images permissions: {} -env: - REGISTRY_USER: ${{ github.actor }} - REGISTRY_PASSWORD: ${{ github.token }} - IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} - jobs: build_multi_latest_release_tag: name: ${{ matrix.build.name }} @@ -22,6 +17,10 @@ jobs: fail-fast: false matrix: install_latest: [true] + env: + REGISTRY_USER: ${{ github.actor }} + REGISTRY_PASSWORD: ${{ github.token }} + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index 647d051..6179bad 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml @@ -9,11 +9,6 @@ name: build_master_images permissions: {} -env: - REGISTRY_USER: ${{ github.actor }} - REGISTRY_PASSWORD: ${{ github.token }} - IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} - jobs: build_master: name: ${{ matrix.build.name }} @@ -24,6 +19,10 @@ jobs: fail-fast: false matrix: install_latest: [true] + env: + REGISTRY_USER: ${{ github.actor }} + REGISTRY_PASSWORD: ${{ github.token }} + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index aefddab..9ffd91e 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml 
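Review bot: Moving `REGISTRY_USER`/`REGISTRY_PASSWORD`/`IMAGE_REGISTRY` from workflow-level to job-level `env:` still exposes `REGISTRY_PASSWORD` (the `github.token`) to every step in the job — `actions/checkout` and whatever `make` targets follow — not only to the login step that consumes it. The tighter scope is a step-level `env:` on the login step, or passing `${{ github.token }}` directly in that step's `with:` block so no environment variable carries the token at all. The same applies to the hunks for build_master.yml, build_master_dev.yml and build_master_multi.yml in this patch.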
@@ -10,11 +10,6 @@ name: build_dev_master_images permissions: {} -env: - REGISTRY_USER: ${{ github.actor }} - REGISTRY_PASSWORD: ${{ github.token }} - IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} - jobs: build_dev_master: name: ${{ matrix.build.name }} @@ -25,6 +20,10 @@ jobs: fail-fast: false matrix: install_latest: [true] + env: + REGISTRY_USER: ${{ github.actor }} + REGISTRY_PASSWORD: ${{ github.token }} + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index fc891ed..d4b1513 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml @@ -9,11 +9,6 @@ name: build_master_multi_images permissions: {} -env: - REGISTRY_USER: ${{ github.actor }} - REGISTRY_PASSWORD: ${{ github.token }} - IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} - jobs: build_multi_master: name: ${{ matrix.build.name }} @@ -24,6 +19,10 @@ jobs: fail-fast: false matrix: install_latest: [true] + env: + REGISTRY_USER: ${{ github.actor }} + REGISTRY_PASSWORD: ${{ github.token }} + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 From d18673564e3d8a92efe0f7a6a0be44c76eb54a39 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 24 Oct 2025 04:01:18 +0200 Subject: [PATCH 33/64] build_ci_multi.yml try ghcr creds --- .github/workflows/build_ci_multi.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index 14d1c85..12776a0 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml 
@@ -10,7 +10,22 @@ permissions: {} jobs: verify_secrets: - name: 'Verify credentials' + name: 'Verify credentials (ghcr)' + runs-on: 'ubuntu-latest' + env: + REGISTRY_USER: ${{ github.actor }} + REGISTRY_PASSWORD: ${{ github.token }} + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} + steps: + - name: 'login ghcr.io' + uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 + with: + username: ${{ env.REGISTRY_USER }} + password: ${{ env.REGISTRY_PASSWORD }} + registry: ${{ env.IMAGE_REGISTRY }} + + verify_secrets: + name: 'Verify credentials (docker hub, quay)' runs-on: 'ubuntu-latest' if: ${{ github.secret_source == 'Actions' }} steps: From a5c0392ca6488e69f122968616623c3eb89d7f06 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 24 Oct 2025 04:02:57 +0200 Subject: [PATCH 34/64] fixup --- .github/workflows/build_ci_multi.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index 12776a0..c271705 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -9,7 +9,7 @@ name: build_ci_multi_images permissions: {} jobs: - verify_secrets: + verify_secrets_ghcr: name: 'Verify credentials (ghcr)' runs-on: 'ubuntu-latest' env: @@ -24,7 +24,7 @@ jobs: password: ${{ env.REGISTRY_PASSWORD }} registry: ${{ env.IMAGE_REGISTRY }} - verify_secrets: + verify_secrets_registries: name: 'Verify credentials (docker hub, quay)' runs-on: 'ubuntu-latest' if: ${{ github.secret_source == 'Actions' }} From d760fb07e9744ab43296555acde1b612a7ecb566 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 24 Oct 2025 04:07:45 +0200 Subject: [PATCH 35/64] try without podman-login action --- .github/workflows/build_ci_multi.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index c271705..52e8c16 100644 
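Review bot: The new ghcr job reuses the key `verify_secrets:`, so `jobs:` now holds two mappings with the same id; that is a duplicate YAML key, which GitHub's workflow validation is expected to reject and a lenient parser would resolve by silently keeping only the last job, so the new one needs a distinct id such as `verify_secrets_ghcr:`. The job also inherits the workflow's `permissions: {}`, meaning the `github.token` handed to podman-login carries no `packages` scope; if the purpose is to verify the access the build workflows rely on, it is worth confirming that a scope-less token is an adequate test rather than only a successful login.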
--- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -24,6 +24,19 @@ jobs: password: ${{ env.REGISTRY_PASSWORD }} registry: ${{ env.IMAGE_REGISTRY }} + verify_secrets_ghcr_direct: + name: 'Verify credentials (ghcr direct)' + runs-on: 'ubuntu-latest' + steps: + - name: "login docker hub" + env: + REGISTRY_USER: '${{ github.actor }}' + REGISTRY_TOKEN: '${{ github.token }}' + IMAGE_REGISTRY: 'ghcr.io/${{ github.repository_owner }}' + run: | + echo "${REGISTRY_TOKEN}" | podman login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}" + echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USER}" --password-stdin + verify_secrets_registries: name: 'Verify credentials (docker hub, quay)' runs-on: 'ubuntu-latest' From c8214903b5a992bb1d78fdefa1f33d8380e753ad Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 24 Oct 2025 04:09:29 +0200 Subject: [PATCH 36/64] try without podman-login action fixup --- .github/workflows/build_ci_multi.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index 52e8c16..33c2e45 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -35,7 +35,7 @@ jobs: IMAGE_REGISTRY: 'ghcr.io/${{ github.repository_owner }}' run: | echo "${REGISTRY_TOKEN}" | podman login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}" - echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USER}" --password-stdin + echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}" verify_secrets_registries: name: 'Verify credentials (docker hub, quay)' From 2cde6a73ab6e9b543624dc15fdee8596dc1378fd Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 24 Oct 2025 11:56:10 +0200 Subject: [PATCH 37/64] try simplify podman-login init --- .github/workflows/build_ci_multi.yml | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) 
diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index 33c2e45..4c1a798 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -12,17 +12,13 @@ jobs: verify_secrets_ghcr: name: 'Verify credentials (ghcr)' runs-on: 'ubuntu-latest' - env: - REGISTRY_USER: ${{ github.actor }} - REGISTRY_PASSWORD: ${{ github.token }} - IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} steps: - name: 'login ghcr.io' uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: - username: ${{ env.REGISTRY_USER }} - password: ${{ env.REGISTRY_PASSWORD }} - registry: ${{ env.IMAGE_REGISTRY }} + username: ${{ github.actor }} + password: ${{ github.token }} + registry: ghcr.io/${{ github.repository_owner }} verify_secrets_ghcr_direct: name: 'Verify credentials (ghcr direct)' From 563e40076b06aa3cdb5677ba4a7d245261c60cbd Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 24 Oct 2025 12:43:47 +0200 Subject: [PATCH 38/64] pass secret via stdin in all jobs --- .github/workflows/build_latest_release_multi.yml | 8 ++++---- .github/workflows/build_master.yml | 8 ++++---- .github/workflows/build_master_dev.yml | 8 ++++---- .github/workflows/build_master_multi.yml | 8 ++++---- 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index 8e20182..63a108b 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml 
@@ -38,15 +38,15 @@ jobs:
 DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}'
 DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}'
 run: |
- podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io
- docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}"
+ echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io
+ echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin
 - name: "login quay.io"
 env:
 QUAY_USER: '${{ secrets.QUAY_USER }}'
 QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}'
 run: |
- podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io
- docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io
+ echo "${QUAY_TOKEN}" | podman login -u "${QUAY_USER}" --password-stdin quay.io
+ echo "${QUAY_TOKEN}" | docker login -u "${QUAY_USER}" --password-stdin quay.io
 - run: |
 sudo apt-get update
 sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam
diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml
index 6179bad..2cca42b 100644
--- a/.github/workflows/build_master.yml
+++ b/.github/workflows/build_master.yml
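Review bot: Passing the Docker Hub and quay.io tokens with `--password-stdin` removes them from the command line, but the `echo "${DOCKER_HUB_TOKEN}" |` form relies on `echo` being a bash builtin; under a different `shell:` or with tracing enabled the value would be exposed, so a one-line comment on each `run: |` block, `# token via stdin so it never appears in argv or process listings`, would record why this shape matters. With GitHub's default `bash -e {0}` there is no `pipefail`, which is acceptable here because the login command is the last element of each pipeline and its exit status is the one that fails the step. Both logins also run before the `apt-get install` and the build/test steps that follow, so the registry credentials sit in the runner's auth files for the rest of the job; moving the login steps next to the push steps, or adding a trailing `podman logout --all` / `docker logout` step with `if: always()`, would narrow that window (the push steps are outside this hunk, so their position is inferred). The same applies to the identical hunks in build_master.yml, build_master_dev.yml and build_master_multi.yml in this patch.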
@@ -40,15 +40,15 @@ jobs:
 DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}'
 DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}'
 run: |
- podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io
- docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}"
+ echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io
+ echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin
 - name: "login quay.io"
 env:
 QUAY_USER: '${{ secrets.QUAY_USER }}'
 QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}'
 run: |
- podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io
- docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io
+ echo "${QUAY_TOKEN}" | podman login -u "${QUAY_USER}" --password-stdin quay.io
+ echo "${QUAY_TOKEN}" | docker login -u "${QUAY_USER}" --password-stdin quay.io
 - run: |
 sudo apt-get update
 sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam
diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml
index 9ffd91e..76f0dd3 100644
--- a/.github/workflows/build_master_dev.yml
+++ b/.github/workflows/build_master_dev.yml
@@ -41,15 +41,15 @@ jobs:
 DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}'
 DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}'
 run: |
- podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io
- docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}"
+ echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io
+ echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin
 - name: "login quay.io"
 env:
 QUAY_USER: '${{ secrets.QUAY_USER }}'
 QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}'
 run: |
- podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io
- docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io
+ echo "${QUAY_TOKEN}" | podman login -u "${QUAY_USER}" --password-stdin quay.io
+ echo "${QUAY_TOKEN}" | docker login -u "${QUAY_USER}" --password-stdin quay.io
 - run: |
 sudo apt-get update
 sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam
diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml
index d4b1513..d5d03af 100644
--- a/.github/workflows/build_master_multi.yml
+++ b/.github/workflows/build_master_multi.yml
@@ -40,15 +40,15 @@ jobs:
 DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}'
 DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}'
 run: |
- podman login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}" docker.io
- docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_TOKEN}"
+ echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io
+ echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin
 - name: "login quay.io"
 env:
 QUAY_USER: '${{ secrets.QUAY_USER }}'
 QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}'
 run: |
- podman login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io
- docker login -u "${QUAY_USER}" -p "${QUAY_TOKEN}" quay.io
+ echo "${QUAY_TOKEN}" | podman login -u "${QUAY_USER}" --password-stdin quay.io
+ echo "${QUAY_TOKEN}" | docker login -u "${QUAY_USER}" --password-stdin quay.io
 - run: |
 sudo apt-get update
 sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam
From 4c1826f69512ec946cb76d32e19f8e10d208357a Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Fri, 24 Oct 2025 12:48:20 +0200
Subject: [PATCH 39/64] drop interim envs in redhat-actions/podman-login actions
---
 .github/workflows/build_latest_release_multi.yml | 10 +++-------
 .github/workflows/build_master.yml | 10 +++-------
 .github/workflows/build_master_dev.yml | 10 +++-------
 .github/workflows/build_master_multi.yml | 10 +++-------
 4 files changed, 12 insertions(+), 28 deletions(-)
diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml
index 63a108b..421f3b1 100644
--- a/.github/workflows/build_latest_release_multi.yml
+++ b/.github/workflows/build_latest_release_multi.yml
@@ -17,10 +17,6 @@ jobs:
 fail-fast: false
 matrix:
 install_latest: [true]
- env:
- REGISTRY_USER: ${{ github.actor }}
- REGISTRY_PASSWORD: ${{ github.token }}
- IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
 steps:
 - name: Checkout repository
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -30,9 +26,9 @@ jobs:
 - name: Log in to ghcr.io
 uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
- username: ${{ env.REGISTRY_USER }}
- password: ${{ env.REGISTRY_PASSWORD }}
- registry: ${{ env.IMAGE_REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ github.token }}
+ registry: ghcr.io/${{ github.repository_owner }}
 - name: "login docker hub"
 env:
 DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}'
diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml
index 2cca42b..2dcb7e9 100644
--- a/.github/workflows/build_master.yml
+++ b/.github/workflows/build_master.yml
@@ -19,10 +19,6 @@ jobs:
 fail-fast: false
 matrix:
 install_latest: [true]
- env:
- REGISTRY_USER: ${{ github.actor }}
- REGISTRY_PASSWORD: ${{ github.token }}
- IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
 steps:
 - name: Checkout repository
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -32,9 +28,9 @@ jobs:
 - name: Log in to ghcr.io
 uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
- username: ${{ env.REGISTRY_USER }}
- password: ${{ env.REGISTRY_PASSWORD }}
- registry: ${{ env.IMAGE_REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ github.token }}
+ registry: ghcr.io/${{ github.repository_owner }}
 - name: "login docker hub"
 env:
 DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}'
diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml
index 76f0dd3..50628c4 100644
--- a/.github/workflows/build_master_dev.yml
+++ b/.github/workflows/build_master_dev.yml
@@ -20,10 +20,6 @@ jobs:
 fail-fast: false
 matrix:
 install_latest: [true]
- env:
- REGISTRY_USER: ${{ github.actor }}
- REGISTRY_PASSWORD: ${{ github.token }}
- IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
 steps:
 - name: Checkout repository
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -33,9 +29,9 @@ jobs:
 - name: Log in to ghcr.io
 uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
- username: ${{ env.REGISTRY_USER }}
- password: ${{ env.REGISTRY_PASSWORD }}
- registry: ${{ env.IMAGE_REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ github.token }}
+ registry: ghcr.io/${{ github.repository_owner }}
 - name: "login docker hub"
 env:
 DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}'
diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml
index d5d03af..9583b83 100644
--- a/.github/workflows/build_master_multi.yml
+++ b/.github/workflows/build_master_multi.yml
@@ -19,10 +19,6 @@ jobs:
 fail-fast: false
 matrix:
 install_latest: [true]
- env:
- REGISTRY_USER: ${{ github.actor }}
- REGISTRY_PASSWORD: ${{ github.token }}
- IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
 steps:
 - name: Checkout repository
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -32,9 +28,9 @@ jobs:
 - name: Log in to ghcr.io
 uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
- username: ${{ env.REGISTRY_USER }}
- password: ${{ env.REGISTRY_PASSWORD }}
- registry: ${{ env.IMAGE_REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ github.token }}
+ registry: ghcr.io/${{ github.repository_owner }}
 - name: "login docker hub"
 env:
 DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}'
From 760bad4cdd1714b54a8fee367e621cac0ee59b7b Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Fri, 24 Oct 2025 12:52:35 +0200
Subject: [PATCH 40/64] cleanup
---
 .github/workflows/build_ci_multi.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml
index 4c1a798..147c9ce 100644
--- a/.github/workflows/build_ci_multi.yml
+++ b/.github/workflows/build_ci_multi.yml
@@ -24,13 +24,15 @@ jobs:
 name: 'Verify credentials (ghcr direct)'
 runs-on: 'ubuntu-latest'
 steps:
- - name: "login docker hub"
+ - name: "login ghcr.io"
 env:
 REGISTRY_USER: '${{ github.actor }}'
 REGISTRY_TOKEN: '${{ github.token }}'
 IMAGE_REGISTRY: 'ghcr.io/${{ github.repository_owner }}'
 run: |
+ podman --version
 echo "${REGISTRY_TOKEN}" | podman login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}"
+ docker --version
 echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}"
 verify_secrets_registries:
From 35ae939e18f31db48295ff32f8df64ae4bf61f4f Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Fri, 24 Oct 2025 14:26:31 +0200
Subject: [PATCH 41/64] use secrets.GITHUB_TOKEN for consistency with other repos
Also to highlight it's a secret.
---
 .github/workflows/build_ci_multi.yml | 4 ++--
 .github/workflows/build_latest_release_multi.yml | 2 +-
 .github/workflows/build_master.yml | 2 +-
 .github/workflows/build_master_dev.yml | 2 +-
 .github/workflows/build_master_multi.yml | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml
index 147c9ce..a1c166b 100644
--- a/.github/workflows/build_ci_multi.yml
+++ b/.github/workflows/build_ci_multi.yml
@@ -17,7 +17,7 @@ jobs:
 uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
 username: ${{ github.actor }}
- password: ${{ github.token }}
+ password: ${{ secrets.GITHUB_TOKEN }}
 registry: ghcr.io/${{ github.repository_owner }}
 verify_secrets_ghcr_direct:
@@ -27,7 +27,7 @@ jobs:
 - name: "login ghcr.io"
 env:
 REGISTRY_USER: '${{ github.actor }}'
- REGISTRY_TOKEN: '${{ github.token }}'
+ REGISTRY_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
 IMAGE_REGISTRY: 'ghcr.io/${{ github.repository_owner }}'
 run: |
 podman --version
diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml
index 421f3b1..f52ee3f 100644
--- a/.github/workflows/build_latest_release_multi.yml
+++ b/.github/workflows/build_latest_release_multi.yml
@@ -27,7 +27,7 @@ jobs:
 uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
 username: ${{ github.actor }}
- password: ${{ github.token }}
+ password: ${{ secrets.GITHUB_TOKEN }}
 registry: ghcr.io/${{ github.repository_owner }}
 - name: "login docker hub"
 env:
diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml
index 2dcb7e9..72a826d 100644
--- a/.github/workflows/build_master.yml
+++ b/.github/workflows/build_master.yml
@@ -29,7 +29,7 @@ jobs:
 uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
 username: ${{ github.actor }}
- password: ${{ github.token }}
+ password: ${{ secrets.GITHUB_TOKEN }}
 registry: ghcr.io/${{ github.repository_owner }}
 - name: "login docker hub"
 env:
diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml
index 50628c4..d295948 100644
--- a/.github/workflows/build_master_dev.yml
+++ b/.github/workflows/build_master_dev.yml
@@ -30,7 +30,7 @@ jobs:
 uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
 username: ${{ github.actor }}
- password: ${{ github.token }}
+ password: ${{ secrets.GITHUB_TOKEN }}
 registry: ghcr.io/${{ github.repository_owner }}
 - name: "login docker hub"
 env:
diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml
index 9583b83..ec336f4 100644
--- a/.github/workflows/build_master_multi.yml
+++ b/.github/workflows/build_master_multi.yml
@@ -29,7 +29,7 @@ jobs:
 uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
 username: ${{ github.actor }}
- password: ${{ github.token }}
+ password: ${{ secrets.GITHUB_TOKEN }}
 registry: ghcr.io/${{ github.repository_owner }}
 - name: "login docker hub"
 env:
From fae059d5a5cf44600a541167b8d28e3602982a4f Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Fri, 24 Oct 2025 14:43:17 +0200
Subject: [PATCH 42/64] GHA: set/adjust concurrency
---
 .github/workflows/build_ci_multi.yml | 4 ++++
 .github/workflows/build_latest_release_multi.yml | 4 ++++
 .github/workflows/build_master.yml | 4 ++++
 .github/workflows/build_master_dev.yml | 4 ++++
 .github/workflows/build_master_multi.yml | 4 ++++
 .github/workflows/codeql.yml | 3 ++-
 6 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml
index a1c166b..01e63e7 100644
--- a/.github/workflows/build_ci_multi.yml
+++ b/.github/workflows/build_ci_multi.yml
@@ -6,6 +6,10 @@ name: build_ci_multi_images
 branches:
 - main
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+ cancel-in-progress: true
+
 permissions: {}
 jobs:
diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml
index f52ee3f..d736178 100644
--- a/.github/workflows/build_latest_release_multi.yml
+++ b/.github/workflows/build_latest_release_multi.yml
@@ -5,6 +5,10 @@ name: build_latest_release_multi_images
 tags:
 - '*'
+concurrency:
+ group: ${{ github.workflow }}-${{ github.sha }}
+ cancel-in-progress: true
+
 permissions: {}
 jobs:
diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml
index 72a826d..680fa59 100644
--- a/.github/workflows/build_master.yml
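Review bot: `cancel-in-progress: true` on build_latest_release_multi.yml, a tag-triggered workflow that pushes and then signs release images, lets a re-run of the same tag abort an in-flight run between the push and the `cosign sign` step, leaving an unsigned tag in the registry; since `group` is keyed on `github.sha`, cancellation only ever hits re-runs of the same commit, so the safer setting for a publishing workflow is `cancel-in-progress: false`, which queues the re-run instead. For build_ci_multi.yml, which only builds and tests pull requests, cancelling superseded runs is the right call. Whether a tag build is ever re-run is inferred, not shown by the hunk, and the push/sign ordering comes from later hunks on this page.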
@@ -7,6 +7,10 @@ name: build_master_images
 branches:
 - main
+concurrency:
+ group: ${{ github.workflow }}-${{ github.sha }}
+ cancel-in-progress: true
+
 permissions: {}
 jobs:
diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml
index d295948..78c70d0 100644
--- a/.github/workflows/build_master_dev.yml
+++ b/.github/workflows/build_master_dev.yml
@@ -8,6 +8,10 @@ name: build_dev_master_images
 branches:
 - main
+concurrency:
+ group: ${{ github.workflow }}-${{ github.sha }}
+ cancel-in-progress: true
+
 permissions: {}
 jobs:
diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml
index ec336f4..77c07bb 100644
--- a/.github/workflows/build_master_multi.yml
+++ b/.github/workflows/build_master_multi.yml
@@ -7,6 +7,10 @@ name: build_master_multi_images
 branches:
 - main
+concurrency:
+ group: ${{ github.workflow }}-${{ github.sha }}
+ cancel-in-progress: true
+
 permissions: {}
 jobs:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ceab04c..8bc901a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -11,7 +11,8 @@ name: 'CodeQL'
 - cron: '0 0 * * 4'
 concurrency:
- group: ${{ github.workflow }}
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+ cancel-in-progress: true
 permissions: {}
From 2aca58fb3c03a216128e1244850acf8bc9e53e12 Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Fri, 24 Oct 2025 14:46:43 +0200
Subject: [PATCH 43/64] ghcr: try logging in as repo owner instead of PR actor
---
 .github/workflows/build_ci_multi.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml
index 01e63e7..2d572bb 100644
--- a/.github/workflows/build_ci_multi.yml
+++ b/.github/workflows/build_ci_multi.yml
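Review bot: Keying `group` on `github.sha` in build_master.yml, build_master_dev.yml and build_master_multi.yml means two quick pushes to `main` land in different groups and run concurrently, each pushing and signing the same `:master` tags, so whichever run finishes last wins regardless of commit order; `cancel-in-progress: true` never arbitrates that race because the groups differ. For workflows that publish a moving tag, `group: ${{ github.workflow }}-${{ github.ref }}` with `cancel-in-progress: false` serializes runs per branch in trigger order, and cancellation should stay off so a run is not killed between the `buildah push` and the `cosign sign` steps. The codeql.yml change, which only cancels superseded analyses, is fine as written. The push and sign steps are outside this hunk; their order is taken from the later hunks on this page.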
@@ -20,7 +20,7 @@ jobs: - name: 'login ghcr.io' uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: - username: ${{ github.actor }} + username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} registry: ghcr.io/${{ github.repository_owner }} @@ -30,7 +30,7 @@ jobs: steps: - name: "login ghcr.io" env: - REGISTRY_USER: '${{ github.actor }}' + REGISTRY_USER: '${{ github.repository_owner }}' REGISTRY_TOKEN: '${{ secrets.GITHUB_TOKEN }}' IMAGE_REGISTRY: 'ghcr.io/${{ github.repository_owner }}' run: | From 6ff79bb0698a70ad83a34d9277690801a694d06a Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 24 Oct 2025 15:07:32 +0200 Subject: [PATCH 44/64] replace ghcr user with curl (repo owner) (was: actor) This should only make a (small) difference for PRs. --- .github/workflows/build_latest_release_multi.yml | 2 +- .github/workflows/build_master.yml | 2 +- .github/workflows/build_master_dev.yml | 2 +- .github/workflows/build_master_multi.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index d736178..36923e0 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml @@ -30,7 +30,7 @@ jobs: - name: Log in to ghcr.io uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: - username: ${{ github.actor }} + username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} registry: ghcr.io/${{ github.repository_owner }} - name: "login docker hub" diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index 680fa59..499399a 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml 
@@ -32,7 +32,7 @@ jobs: - name: Log in to ghcr.io uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: - username: ${{ github.actor }} + username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} registry: ghcr.io/${{ github.repository_owner }} - name: "login docker hub" diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index 78c70d0..ce9f839 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml @@ -33,7 +33,7 @@ jobs: - name: Log in to ghcr.io uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: - username: ${{ github.actor }} + username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} registry: ghcr.io/${{ github.repository_owner }} - name: "login docker hub" diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index 77c07bb..1bcd628 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml @@ -32,7 +32,7 @@ jobs: - name: Log in to ghcr.io uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: - username: ${{ github.actor }} + username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} registry: ghcr.io/${{ github.repository_owner }} - name: "login docker hub" From 1827806f7dd1ef7b47d1f42ba1c619be6ddb0273 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 24 Oct 2025 15:40:22 +0200 Subject: [PATCH 45/64] Revert "replace ghcr user with curl (repo owner) (was: actor)" This reverts commit 4bba64839f563fd38c36eb411c2e5929802e71ae. --- .github/workflows/build_latest_release_multi.yml | 2 +- .github/workflows/build_master.yml | 2 +- .github/workflows/build_master_dev.yml | 2 +- .github/workflows/build_master_multi.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index 36923e0..d736178 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml @@ -30,7 +30,7 @@ jobs: - name: Log in to ghcr.io uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: - username: ${{ github.repository_owner }} + username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} registry: ghcr.io/${{ github.repository_owner }} - name: "login docker hub" diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index 499399a..680fa59 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml @@ -32,7 +32,7 @@ jobs: - name: Log in to ghcr.io uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: - username: ${{ github.repository_owner }} + username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} registry: ghcr.io/${{ github.repository_owner }} - name: "login docker hub" diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index ce9f839..78c70d0 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml @@ -33,7 +33,7 @@ jobs: - name: Log in to ghcr.io uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: - username: ${{ github.repository_owner }} + username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} registry: ghcr.io/${{ github.repository_owner }} - name: "login docker hub" diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index 1bcd628..77c07bb 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml 
@@ -32,7 +32,7 @@ jobs:
 - name: Log in to ghcr.io
 uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
- username: ${{ github.repository_owner }}
+ username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 registry: ghcr.io/${{ github.repository_owner }}
 - name: "login docker hub"
From a29fdf8a991fdd8313e899fd2207b7d548b43bb5 Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Fri, 24 Oct 2025 15:42:01 +0200
Subject: [PATCH 46/64] cleanups
---
 .github/workflows/build_ci_multi.yml | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml
index 2d572bb..80c2b9d 100644
--- a/.github/workflows/build_ci_multi.yml
+++ b/.github/workflows/build_ci_multi.yml
@@ -14,21 +14,28 @@ permissions: {}
 jobs:
 verify_secrets_ghcr:
- name: 'Verify credentials (ghcr)'
+ name: 'Verify credentials'
 runs-on: 'ubuntu-latest'
 steps:
- - name: 'login ghcr.io'
+ - name: 'login ghcr.io (action)'
 uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
- username: ${{ github.repository_owner }}
+ username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 registry: ghcr.io/${{ github.repository_owner }}
- verify_secrets_ghcr_direct:
- name: 'Verify credentials (ghcr direct)'
- runs-on: 'ubuntu-latest'
- steps:
- - name: "login ghcr.io"
+ - name: "login ghcr.io (actor)"
+ env:
+ REGISTRY_USER: '${{ github.actor }}'
+ REGISTRY_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+ IMAGE_REGISTRY: 'ghcr.io/${{ github.repository_owner }}'
+ run: |
+ podman --version
+ echo "${REGISTRY_TOKEN}" | podman login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}"
+ docker --version
+ echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}"
+
+ - name: "login ghcr.io (repo owner)"
 env:
 REGISTRY_USER: '${{ github.repository_owner }}'
 REGISTRY_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
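Review bot: The merged `Verify credentials` job now logs in to ghcr.io three times with the same GITHUB_TOKEN, differing only in the username and in whether the redhat-actions/podman-login action or a direct `podman login`/`docker login` is used, and nothing in the hunk says what each variant is meant to prove; a comment at the top of the job, `# exercises the podman-login action and a direct login side by side; not a permissions check`, would stop a reader from treating it as evidence that the token can push. Each login overwrites the same registry entry in the auth file, so the later steps verify nothing independent of the earlier ones beyond "this token authenticates with this username". Which login path the build jobs actually rely on is not visible here, so if the comment is to name it, confirm against the other workflows first.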
From 331e5e3deb356589033cfc21cafaf01c2f523f34 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 24 Oct 2025 15:44:28 +0200 Subject: [PATCH 47/64] cleanups --- .github/workflows/build_ci_multi.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index 80c2b9d..fda38c5 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -17,14 +17,14 @@ jobs: name: 'Verify credentials' runs-on: 'ubuntu-latest' steps: - - name: 'login ghcr.io (action)' + - name: 'login ghcr.io (actor, via action)' uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} registry: ghcr.io/${{ github.repository_owner }} - - name: "login ghcr.io (actor)" + - name: "login ghcr.io (actor, direct)" env: REGISTRY_USER: '${{ github.actor }}' REGISTRY_TOKEN: '${{ secrets.GITHUB_TOKEN }}' @@ -35,7 +35,7 @@ jobs: docker --version echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}" - - name: "login ghcr.io (repo owner)" + - name: "login ghcr.io (repo owner, direct)" env: REGISTRY_USER: '${{ github.repository_owner }}' REGISTRY_TOKEN: '${{ secrets.GITHUB_TOKEN }}' From 3bd4389b099234a27b421b33e1f564832ca82732 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Fri, 24 Oct 2025 15:45:25 +0200 Subject: [PATCH 48/64] try failed login --- .github/workflows/build_ci_multi.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index fda38c5..1f462d6 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml 
@@ -46,6 +46,17 @@ jobs:
 docker --version
 echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}"
+ - name: "login ghcr.io (repo owner, bogus, direct)"
+ env:
+ REGISTRY_USER: '${{ github.repository_owner }}'
+ REGISTRY_TOKEN: 'bogus-password'
+ IMAGE_REGISTRY: 'ghcr.io/${{ github.repository_owner }}'
+ run: |
+ podman --version
+ echo "${REGISTRY_TOKEN}" | podman login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}"
+ docker --version
+ echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}"
+
 verify_secrets_registries:
 name: 'Verify credentials (docker hub, quay)'
 runs-on: 'ubuntu-latest'
From d78be6dd654872a4eda16415aef088e7e4d77a87 Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Fri, 24 Oct 2025 15:48:16 +0200
Subject: [PATCH 49/64] cleanup
wrong password fails as expected.
---
 .github/workflows/build_ci_multi.yml | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml
index 1f462d6..fda38c5 100644
--- a/.github/workflows/build_ci_multi.yml
+++ b/.github/workflows/build_ci_multi.yml
@@ -46,17 +46,6 @@ jobs:
 docker --version
 echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}"
- - name: "login ghcr.io (repo owner, bogus, direct)"
- env:
- REGISTRY_USER: '${{ github.repository_owner }}'
- REGISTRY_TOKEN: 'bogus-password'
- IMAGE_REGISTRY: 'ghcr.io/${{ github.repository_owner }}'
- run: |
- podman --version
- echo "${REGISTRY_TOKEN}" | podman login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}"
- docker --version
- echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}"
-
 verify_secrets_registries:
 name: 'Verify credentials (docker hub, quay)'
 runs-on: 'ubuntu-latest'
From 05b302e9e98340919e1230959910def0cd34d778 Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Fri, 24 Oct 2025 15:52:27 +0200
Subject: [PATCH 50/64] simplify direct ghcr.io
---
 .github/workflows/build_ci_multi.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml
index fda38c5..210638e 100644
--- a/.github/workflows/build_ci_multi.yml
+++ b/.github/workflows/build_ci_multi.yml
@@ -28,12 +28,11 @@ jobs:
 env:
 REGISTRY_USER: '${{ github.actor }}'
 REGISTRY_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
- IMAGE_REGISTRY: 'ghcr.io/${{ github.repository_owner }}'
 run: |
 podman --version
- echo "${REGISTRY_TOKEN}" | podman login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}"
+ echo "${REGISTRY_TOKEN}" | podman login -u "${REGISTRY_USER}" --password-stdin "ghcr.io/${GITHUB_REPOSITORY_OWNER}"
 docker --version
- echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USER}" --password-stdin "${IMAGE_REGISTRY}"
+ echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USER}" --password-stdin "ghcr.io/${GITHUB_REPOSITORY_OWNER}"
 - name: "login ghcr.io (repo owner, direct)"
 env:
From bbb7b412b0f1e656fa330982f10f3b89101e3fb0 Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Sat, 25 Oct 2025 03:00:26 +0200
Subject: [PATCH 51/64] try applyinh curl apt-get tricks
---
 .github/workflows/build_ci_multi.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml
index 210638e..2f1f16c 100644
--- a/.github/workflows/build_ci_multi.yml
+++ b/.github/workflows/build_ci_multi.yml
@@ -72,8 +72,12 @@ jobs:
 steps:
 - name: 'install dev deps'
 run: |
- sudo apt-get update
- sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam
+ sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
+ sudo apt-get -o Dpkg::Use-Pty=0 update
+ sudo rm -f /var/lib/man-db/auto-update
+ sudo apt-get -o Dpkg::Use-Pty=0 install -y \
+ qemu-user-static buildah less git make podman clamav clamav-freshclam
+
 - name: Checkout repository
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
From 6fb9f6f80d1f2b2a920f8b202d2092e065e4b071 Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Mon, 27 Oct 2025 17:18:11 +0100
Subject: [PATCH 52/64] sync up two outlier "verify key" step names
---
 .github/workflows/build_latest_release_multi.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml
index d736178..76be174 100644
--- a/.github/workflows/build_latest_release_multi.yml
+++ b/.github/workflows/build_latest_release_multi.yml
@@ -103,7 +103,7 @@ jobs:
 cosign sign -y --key cosign.key docker.io/curlimages/curl-base:latest
 env:
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- - name: Verify image
+ - name: Verify image with public key
 run: |
 cosign verify --key cosign.pub docker.io/curlimages/curl:$REL
 cosign verify --key cosign.pub docker.io/curlimages/curl:latest
@@ -123,7 +123,7 @@ jobs:
 cosign sign -y --key cosign.key quay.io/curl/curl-base:latest
 env:
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- - name: Verify image
+ - name: Verify image with public key
 run: |
 cosign verify --key cosign.pub quay.io/curl/curl:$REL
 cosign verify --key cosign.pub quay.io/curl/curl:latest
From ef89f087c5a2c4b1d6b7c1ca758d56674df33046 Mon Sep 17 00:00:00 2001
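Review bot: The two new `sudo rm -f` lines in the `install dev deps` step give no reason for deleting `/etc/apt/sources.list.d/microsoft-prod.list` and `/var/lib/man-db/auto-update`; presumably they skip the third-party repo refresh and the man-db rebuild trigger that slow `apt-get` on the hosted runner (the subject line calls them "curl apt-get tricks"), but without a comment a reader may take them for hardening or wonder whether a later step needs that repo. Suggest `# speed-up: drop the unused Microsoft apt repo and the man-db trigger before apt-get` above the first `rm`, and `# Dpkg::Use-Pty=0 stops dpkg from allocating a pty in non-interactive CI logs` on the `update` line. The step renames in the build_latest_release_multi.yml hunks that follow are cosmetic.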
From: Viktor Szakats Date: Tue, 28 Oct 2025 00:17:13 +0100 Subject: [PATCH 53/64] GHA move step `name:` first when not there --- .github/workflows/build_ci_multi.yml | 8 ++++---- .../workflows/build_latest_release_multi.yml | 16 +++++++-------- .github/workflows/build_master.yml | 16 +++++++-------- .github/workflows/build_master_dev.yml | 20 +++++++++---------- .github/workflows/build_master_multi.yml | 16 +++++++-------- 5 files changed, 38 insertions(+), 38 deletions(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index 2f1f16c..65e7597 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -82,10 +82,10 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - run: buildah unshare make branch_or_ref=master release_tag=master multibuild - name: 'build multi image' - - run: buildah unshare make dist_name=localhost/curl-multi release_tag=master test - name: 'test image' + - name: 'build multi image' + run: buildah unshare make branch_or_ref=master release_tag=master multibuild + - name: 'test image' + run: buildah unshare make dist_name=localhost/curl-multi release_tag=master test - name: 'install scan prereqs' run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy - name: 'security scan image' diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index 76be174..429e8fa 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml 
@@ -47,10 +47,10 @@ jobs: run: | echo "${QUAY_TOKEN}" | podman login -u "${QUAY_USER}" --password-stdin quay.io echo "${QUAY_TOKEN}" | docker login -u "${QUAY_USER}" --password-stdin quay.io - - run: | + - name: 'install dev deps' + run: | sudo apt-get update sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam - name: 'install dev deps' - name: Sets env vars run: | release_tag_redirect=$(curl -s https://github.com/curl/curl/releases/latest -w'%{redirect_url}\n' -o /dev/null) @@ -59,20 +59,20 @@ jobs: rel=${latest_release_ref:5} release_image_tag="${rel//_/.}" echo "REL=$release_image_tag" >> $GITHUB_ENV - - run: buildah unshare make branch_or_ref=$TAG_REF release_tag=$REL multibuild - name: 'build multi image' - - run: buildah unshare make dist_name=localhost/curl-multi release_tag=$REL test - name: 'test image' + - name: 'build multi image' + run: buildah unshare make branch_or_ref=$TAG_REF release_tag=$REL multibuild + - name: 'test image' + run: buildah unshare make dist_name=localhost/curl-multi release_tag=$REL test - name: 'install scan prereqs' run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy - name: 'security scan image' run: | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" make image_name=localhost/curl-multi:${REL} scan - - run: | + - name: 'push images to github registry' + run: | buildah manifest push --format v2s2 --all curl-multi:$REL "docker://ghcr.io/curl/curl-container/curl-multi:${REL}" buildah manifest push --format v2s2 --all curl-base-multi:$REL "docker://ghcr.io/curl/curl-container/curl-base-multi:${REL}" - name: 'push images to github registry' - name: Install Cosign uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Write signing key to disk (only needed for `cosign sign --key`) diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index 680fa59..d3e0feb 100644 --- a/.github/workflows/build_master.yml 
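Review bot: The reordered `run: buildah unshare make branch_or_ref=$TAG_REF release_tag=$REL multibuild` and the following push lines consume `REL`, which the `sets env vars` step derives from `curl -s https://github.com/curl/curl/releases/latest -w'%{redirect_url}\n' -o /dev/null` with no `--fail` and no check on the resulting string before `echo "REL=$release_image_tag" >> $GITHUB_ENV`; an empty or unexpected redirect would flow unvalidated into image tags that are then pushed and signed. Before the `echo ... >> $GITHUB_ENV` line, add `case "$release_image_tag" in ''|*[!0-9.]*) echo "unexpected release tag: '$release_image_tag'" >&2; exit 1;; esac` and use `curl -sf` so a non-2xx/3xx response fails the step. That step's body is split across the two hunks here (the `latest_release_ref=` line sits between them), so the check applies to lines outside what is shown. Where `TAG_REF` is set is not visible in this diff, so I cannot tell whether it gets the same validation.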
+++ b/.github/workflows/build_master.yml @@ -49,25 +49,25 @@ jobs: run: | echo "${QUAY_TOKEN}" | podman login -u "${QUAY_USER}" --password-stdin quay.io echo "${QUAY_TOKEN}" | docker login -u "${QUAY_USER}" --password-stdin quay.io - - run: | + - name: 'install dev deps' + run: | sudo apt-get update sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam - name: 'install dev deps' - - run: buildah unshare make branch_or_ref=master release_tag=master build_ref_images - name: 'build master images' - - run: buildah unshare make dist_name=localhost/curl release_tag=master test - name: 'test image' + - name: 'build master images' + run: buildah unshare make branch_or_ref=master release_tag=master build_ref_images + - name: 'test image' + run: buildah unshare make dist_name=localhost/curl release_tag=master test - name: 'install scan prereqs' run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy - name: 'security scan image' run: | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" make image_name=localhost/curl:master scan - - run: | + - name: 'push images to github registry' + run: | buildah push curl-dev:master "docker://ghcr.io/curl/curl-container/curl-dev:master" buildah push curl-base:master "docker://ghcr.io/curl/curl-container/curl-base:master" buildah push curl:master "docker://ghcr.io/curl/curl-container/curl:master" - name: 'push images to github registry' - name: Install Cosign uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Write signing key to disk (only needed for `cosign sign --key`) diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index 78c70d0..e3e63f0 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml 
@@ -50,21 +50,21 @@ jobs: run: | echo "${QUAY_TOKEN}" | podman login -u "${QUAY_USER}" --password-stdin quay.io echo "${QUAY_TOKEN}" | docker login -u "${QUAY_USER}" --password-stdin quay.io - - run: | + - name: 'install dev deps' + run: | sudo apt-get update sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam - name: 'install dev deps' - - run: buildah unshare make branch_or_ref=master release_tag=master build_debian - name: 'build debian dev image' + - name: 'build debian dev image' + run: buildah unshare make branch_or_ref=master release_tag=master build_debian - name: 'install scan prereqs' run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy - name: 'security scan image' run: | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" make image_name=localhost/curl-dev-debian:master scan - - run: | + - name: 'push images to github registry' + run: | buildah push curl-dev-debian:master "docker://ghcr.io/curl/curl-container/curl-dev-debian:master" - name: 'push images to github registry' - name: Install Cosign uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Write signing key to disk (only needed for `cosign sign --key`) 
@@ -79,15 +79,15 @@ jobs: - name: Verify image with public key run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-debian:master - - run: buildah unshare make branch_or_ref=master release_tag=master build_fedora - name: 'build fedora dev image' + - name: 'build fedora dev image' + run: buildah unshare make branch_or_ref=master release_tag=master build_fedora - name: 'security scan image' run: | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" make image_name=localhost/curl-dev-fedora:master scan - - run: | + - name: 'push images to github registry' + run: | buildah push curl-dev-fedora:master "docker://ghcr.io/curl/curl-container/curl-dev-fedora:master" - name: 'push images to github registry' - name: Install Cosign uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Sign image with a key diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index 77c07bb..6c08ec8 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml 
@@ -49,24 +49,24 @@ jobs: run: | echo "${QUAY_TOKEN}" | podman login -u "${QUAY_USER}" --password-stdin quay.io echo "${QUAY_TOKEN}" | docker login -u "${QUAY_USER}" --password-stdin quay.io - - run: | + - name: 'install dev deps' + run: | sudo apt-get update sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam - name: 'install dev deps' - - run: buildah unshare make branch_or_ref=master release_tag=master multibuild - name: 'build multi image' - - run: buildah unshare make dist_name=localhost/curl-multi release_tag=master test - name: 'test image' + - name: 'build multi image' + run: buildah unshare make branch_or_ref=master release_tag=master multibuild + - name: 'test image' + run: buildah unshare make dist_name=localhost/curl-multi release_tag=master test - name: 'install scan prereqs' run: /home/linuxbrew/.linuxbrew/bin/brew install grype trivy - name: 'security scan image' run: | eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" make image_name=localhost/curl-multi:master scan - - run: | + - name: 'push multi images to github registry' + run: | buildah manifest push --all --format v2s2 localhost/curl-base-multi:master "docker://ghcr.io/curl/curl-container/curl-base-multi:master" buildah manifest push --all --format v2s2 localhost/curl-multi:master "docker://ghcr.io/curl/curl-container/curl-multi:master" - name: 'push multi images to github registry' - name: Install Cosign uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Write signing key to disk (only needed for `cosign sign --key`) From 24631f556eb6768c5c0c43a68c2980ba0aa252d2 Mon Sep 17 00:00:00 2001 
From: Viktor Szakats Date: Tue, 28 Oct 2025 00:18:25 +0100 Subject: [PATCH 54/64] GHA: drop step name from actions/checkout steps --- .github/workflows/build_ci_multi.yml | 3 +-- .github/workflows/build_latest_release_multi.yml | 3 +-- .github/workflows/build_master.yml | 3 +-- .github/workflows/build_master_dev.yml | 3 +-- .github/workflows/build_master_multi.yml | 3 +-- 5 files changed, 5 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index 65e7597..6dc260c 100644 --- a/.github/workflows/build_ci_multi.yml +++ b/.github/workflows/build_ci_multi.yml @@ -78,8 +78,7 @@ jobs: sudo apt-get -o Dpkg::Use-Pty=0 install -y \ qemu-user-static buildah less git make podman clamav clamav-freshclam - - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: 'build multi image' diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index 429e8fa..35cc4b1 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml @@ -22,8 +22,7 @@ jobs: matrix: install_latest: [true] steps: - - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false tag_name: ${{ github.ref }} diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index d3e0feb..03c7c78 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml 
@@ -24,8 +24,7 @@ jobs: matrix: install_latest: [true] steps: - - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false ref: "main" diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index e3e63f0..35af9fa 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml @@ -25,8 +25,7 @@ jobs: matrix: install_latest: [true] steps: - - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false ref: "main" diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index 6c08ec8..291fc2b 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml @@ -24,8 +24,7 @@ jobs: matrix: install_latest: [true] steps: - - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false ref: "main" From 476f950e3b9a8fa85a48f18f67666ba445e57c90 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Tue, 28 Oct 2025 00:20:56 +0100 Subject: [PATCH 55/64] GHA: sync up yaml strings to use single-quotes --- .github/workflows/build_ci_multi.yml | 8 ++++---- .github/workflows/build_latest_release_multi.yml | 4 ++-- .github/workflows/build_master.yml | 6 +++--- .github/workflows/build_master_dev.yml | 6 +++--- .github/workflows/build_master_multi.yml | 6 +++--- 5 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml index 6dc260c..3c0e5b6 100644 --- a/.github/workflows/build_ci_multi.yml 
+++ b/.github/workflows/build_ci_multi.yml @@ -24,7 +24,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} registry: ghcr.io/${{ github.repository_owner }} - - name: "login ghcr.io (actor, direct)" + - name: 'login ghcr.io (actor, direct)' env: REGISTRY_USER: '${{ github.actor }}' REGISTRY_TOKEN: '${{ secrets.GITHUB_TOKEN }}' @@ -34,7 +34,7 @@ jobs: docker --version echo "${REGISTRY_TOKEN}" | docker login -u "${REGISTRY_USER}" --password-stdin "ghcr.io/${GITHUB_REPOSITORY_OWNER}" - - name: "login ghcr.io (repo owner, direct)" + - name: 'login ghcr.io (repo owner, direct)' env: REGISTRY_USER: '${{ github.repository_owner }}' REGISTRY_TOKEN: '${{ secrets.GITHUB_TOKEN }}' @@ -50,7 +50,7 @@ jobs: runs-on: 'ubuntu-latest' if: ${{ github.secret_source == 'Actions' }} steps: - - name: "login docker hub" + - name: 'login docker hub' env: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' @@ -58,7 +58,7 @@ jobs: echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin - - name: "login quay.io" + - name: 'login quay.io' env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index 35cc4b1..17b66bf 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml 
@@ -32,14 +32,14 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} registry: ghcr.io/${{ github.repository_owner }} - - name: "login docker hub" + - name: 'login docker hub' env: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin - - name: "login quay.io" + - name: 'login quay.io' env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index 03c7c78..9d94dc1 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml @@ -27,21 +27,21 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - ref: "main" + ref: 'main' - name: Log in to ghcr.io uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} registry: ghcr.io/${{ github.repository_owner }} - - name: "login docker hub" + - name: 'login docker hub' env: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin - - name: "login quay.io" + - name: 'login quay.io' env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index 35af9fa..e0e3fca 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml 
@@ -28,21 +28,21 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - ref: "main" + ref: 'main' - name: Log in to ghcr.io uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} registry: ghcr.io/${{ github.repository_owner }} - - name: "login docker hub" + - name: 'login docker hub' env: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin - - name: "login quay.io" + - name: 'login quay.io' env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index 291fc2b..928da01 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml @@ -27,21 +27,21 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - ref: "main" + ref: 'main' - name: Log in to ghcr.io uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} registry: ghcr.io/${{ github.repository_owner }} - - name: "login docker hub" + - name: 'login docker hub' env: DOCKER_HUB_USER: '${{ secrets.DOCKER_HUB_USER }}' DOCKER_HUB_TOKEN: '${{ secrets.DOCKER_HUB_TOKEN }}' run: | echo "${DOCKER_HUB_TOKEN}" | podman login -u "${DOCKER_HUB_USER}" --password-stdin docker.io echo "${DOCKER_HUB_TOKEN}" | docker login -u "${DOCKER_HUB_USER}" --password-stdin - - name: "login quay.io" + - name: 'login quay.io' env: QUAY_USER: '${{ secrets.QUAY_USER }}' QUAY_TOKEN: '${{ secrets.QUAY_TOKEN }}' 
From b963ae02b33621523c2c974c2610d96c78e68e8b Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Tue, 28 Oct 2025 00:24:48 +0100 Subject: [PATCH 56/64] GHA: single-quote `name:` where missing --- .../workflows/build_latest_release_multi.yml | 20 +++++++++---------- .github/workflows/build_master.yml | 10 +++++----- .github/workflows/build_master_dev.yml | 16 +++++++-------- .github/workflows/build_master_multi.yml | 10 +++++----- 4 files changed, 28 insertions(+), 28 deletions(-) diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index 17b66bf..81c7454 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml @@ -26,7 +26,7 @@ jobs: with: persist-credentials: false tag_name: ${{ github.ref }} - - name: Log in to ghcr.io + - name: 'Log in to ghcr.io' uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: username: ${{ github.actor }} @@ -50,7 +50,7 @@ jobs: run: | sudo apt-get update sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam - - name: Sets env vars + - name: 'Sets env vars' run: | release_tag_redirect=$(curl -s https://github.com/curl/curl/releases/latest -w'%{redirect_url}\n' -o /dev/null) latest_release_ref=$(basename ${release_tag_redirect}) 
@@ -72,19 +72,19 @@ jobs: run: | buildah manifest push --format v2s2 --all curl-multi:$REL "docker://ghcr.io/curl/curl-container/curl-multi:${REL}" buildah manifest push --format v2s2 --all curl-base-multi:$REL "docker://ghcr.io/curl/curl-container/curl-base-multi:${REL}" - - name: Install Cosign + - name: 'Install Cosign' uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - - name: Write signing key to disk (only needed for `cosign sign --key`) + - name: 'Write signing key to disk (only needed for `cosign sign --key`)' env: COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key - - name: Sign images with sigstore key + - name: 'Sign images with sigstore key' run: | cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-multi:$REL cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base-multi:$REL env: COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - - name: Verify image with public key + - name: 'Verify image with public key' run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:$REL cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-base-multi:$REL @@ -94,7 +94,7 @@ jobs: buildah manifest push --format v2s2 --all localhost/curl-multi:$REL "docker://docker.io/curlimages/curl:latest" buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://docker.io/curlimages/curl-base:${REL}" buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://docker.io/curlimages/curl-base:latest" - - name: Sign images with a sigstore key + - name: 'Sign images with a sigstore key' run: | cosign sign -y --key cosign.key docker.io/curlimages/curl:$REL cosign sign -y --key cosign.key docker.io/curlimages/curl:latest 
@@ -102,7 +102,7 @@ jobs: cosign sign -y --key cosign.key docker.io/curlimages/curl-base:latest env: COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - - name: Verify image with public key + - name: 'Verify image with public key' run: | cosign verify --key cosign.pub docker.io/curlimages/curl:$REL cosign verify --key cosign.pub docker.io/curlimages/curl:latest @@ -114,7 +114,7 @@ jobs: buildah manifest push --format v2s2 --all localhost/curl-multi:$REL "docker://quay.io/curl/curl:latest" buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://quay.io/curl/curl-base:${REL}" buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://quay.io/curl/curl-base:latest" - - name: Sign images with a sigstore key + - name: 'Sign images with a sigstore key' run: | cosign sign -y --key cosign.key quay.io/curl/curl:$REL cosign sign -y --key cosign.key quay.io/curl/curl:latest @@ -122,7 +122,7 @@ jobs: cosign sign -y --key cosign.key quay.io/curl/curl-base:latest env: COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - - name: Verify image with public key + - name: 'Verify image with public key' run: | cosign verify --key cosign.pub quay.io/curl/curl:$REL cosign verify --key cosign.pub quay.io/curl/curl:latest diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index 9d94dc1..0fd53aa 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml @@ -28,7 +28,7 @@ jobs: with: persist-credentials: false ref: 'main' - - name: Log in to ghcr.io + - name: 'Log in to ghcr.io' uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: username: ${{ github.actor }} 
@@ -67,20 +67,20 @@ jobs: buildah push curl-dev:master "docker://ghcr.io/curl/curl-container/curl-dev:master" buildah push curl-base:master "docker://ghcr.io/curl/curl-container/curl-base:master" buildah push curl:master "docker://ghcr.io/curl/curl-container/curl:master" - - name: Install Cosign + - name: 'Install Cosign' uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - - name: Write signing key to disk (only needed for `cosign sign --key`) + - name: 'Write signing key to disk (only needed for `cosign sign --key`)' env: COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key - - name: Sign image with a key + - name: 'Sign image with a key' run: | cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev:master cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base:master cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl:master env: COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - - name: Verify image with public key + - name: 'Verify image with public key' run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev:master cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-base:master diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index e0e3fca..5f3c0cb 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml @@ -29,7 +29,7 @@ jobs: with: persist-credentials: false ref: 'main' - - name: Log in to ghcr.io + - name: 'Log in to ghcr.io' uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: username: ${{ github.actor }} 
@@ -64,18 +64,18 @@ jobs: - name: 'push images to github registry' run: | buildah push curl-dev-debian:master "docker://ghcr.io/curl/curl-container/curl-dev-debian:master" - - name: Install Cosign + - name: 'Install Cosign' uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - - name: Write signing key to disk (only needed for `cosign sign --key`) + - name: 'Write signing key to disk (only needed for `cosign sign --key`)' env: COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key - - name: Sign image with a key + - name: 'Sign image with a key' run: | cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-debian:master env: COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - - name: Verify image with public key + - name: 'Verify image with public key' run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-debian:master - name: 'build fedora dev image' @@ -87,13 +87,13 @@ jobs: - name: 'push images to github registry' run: | buildah push curl-dev-fedora:master "docker://ghcr.io/curl/curl-container/curl-dev-fedora:master" - - name: Install Cosign + - name: 'Install Cosign' uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - - name: Sign image with a key + - name: 'Sign image with a key' run: | cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-fedora:master env: COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - - name: Verify image with public key + - name: 'Verify image with public key' run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-fedora:master diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml index 928da01..d6a5b53 100644 --- a/.github/workflows/build_master_multi.yml +++ b/.github/workflows/build_master_multi.yml 
@@ -28,7 +28,7 @@ jobs: with: persist-credentials: false ref: 'main' - - name: Log in to ghcr.io + - name: 'Log in to ghcr.io' uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: username: ${{ github.actor }} @@ -66,19 +66,19 @@ jobs: run: | buildah manifest push --all --format v2s2 localhost/curl-base-multi:master "docker://ghcr.io/curl/curl-container/curl-base-multi:master" buildah manifest push --all --format v2s2 localhost/curl-multi:master "docker://ghcr.io/curl/curl-container/curl-multi:master" - - name: Install Cosign + - name: 'Install Cosign' uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - - name: Write signing key to disk (only needed for `cosign sign --key`) + - name: 'Write signing key to disk (only needed for `cosign sign --key`)' env: COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key - - name: Sign image with a key + - name: 'Sign image with a key' run: | cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-multi:master cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base-multi:master env: COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - - name: Verify image with public key + - name: 'Verify image with public key' run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:master cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-base-multi:master From 9792078b6201c34e9d7455bd6acc0b9e67b13b2a Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Tue, 28 Oct 2025 00:28:52 +0100 Subject: [PATCH 57/64] GHA: drop name: capitalization where missing --- .../workflows/build_latest_release_multi.yml | 20 +++++++++---------- .github/workflows/build_master.yml | 10 +++++----- .github/workflows/build_master_dev.yml | 16 +++++++-------- .github/workflows/build_master_multi.yml | 10 +++++----- 4 files changed, 28 insertions(+), 28 deletions(-) 
diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml index 81c7454..25d832e 100644 --- a/.github/workflows/build_latest_release_multi.yml +++ b/.github/workflows/build_latest_release_multi.yml @@ -26,7 +26,7 @@ jobs: with: persist-credentials: false tag_name: ${{ github.ref }} - - name: 'Log in to ghcr.io' + - name: 'log in to ghcr.io' uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: username: ${{ github.actor }} @@ -50,7 +50,7 @@ jobs: run: | sudo apt-get update sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam - - name: 'Sets env vars' + - name: 'sets env vars' run: | release_tag_redirect=$(curl -s https://github.com/curl/curl/releases/latest -w'%{redirect_url}\n' -o /dev/null) latest_release_ref=$(basename ${release_tag_redirect}) 
@@ -72,19 +72,19 @@ jobs: run: | buildah manifest push --format v2s2 --all curl-multi:$REL "docker://ghcr.io/curl/curl-container/curl-multi:${REL}" buildah manifest push --format v2s2 --all curl-base-multi:$REL "docker://ghcr.io/curl/curl-container/curl-base-multi:${REL}" - - name: 'Install Cosign' + - name: 'install Cosign' uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - - name: 'Write signing key to disk (only needed for `cosign sign --key`)' + - name: 'write signing key to disk (only needed for `cosign sign --key`)' env: COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key - - name: 'Sign images with sigstore key' + - name: 'sign images with sigstore key' run: | cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-multi:$REL cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base-multi:$REL env: COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - - name: 'Verify image with public key' + - name: 'verify image with public key' run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:$REL cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-base-multi:$REL @@ -94,7 +94,7 @@ jobs: buildah manifest push --format v2s2 --all localhost/curl-multi:$REL "docker://docker.io/curlimages/curl:latest" buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://docker.io/curlimages/curl-base:${REL}" buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://docker.io/curlimages/curl-base:latest" - - name: 'Sign images with a sigstore key' + - name: 'sign images with a sigstore key' run: | cosign sign -y --key cosign.key docker.io/curlimages/curl:$REL cosign sign -y --key cosign.key docker.io/curlimages/curl:latest 
@@ -102,7 +102,7 @@ jobs: cosign sign -y --key cosign.key docker.io/curlimages/curl-base:latest env: COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - - name: 'Verify image with public key' + - name: 'verify image with public key' run: | cosign verify --key cosign.pub docker.io/curlimages/curl:$REL cosign verify --key cosign.pub docker.io/curlimages/curl:latest @@ -114,7 +114,7 @@ jobs: buildah manifest push --format v2s2 --all localhost/curl-multi:$REL "docker://quay.io/curl/curl:latest" buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://quay.io/curl/curl-base:${REL}" buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://quay.io/curl/curl-base:latest" - - name: 'Sign images with a sigstore key' + - name: 'sign images with a sigstore key' run: | cosign sign -y --key cosign.key quay.io/curl/curl:$REL cosign sign -y --key cosign.key quay.io/curl/curl:latest @@ -122,7 +122,7 @@ jobs: cosign sign -y --key cosign.key quay.io/curl/curl-base:latest env: COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - - name: 'Verify image with public key' + - name: 'verify image with public key' run: | cosign verify --key cosign.pub quay.io/curl/curl:$REL cosign verify --key cosign.pub quay.io/curl/curl:latest diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index 0fd53aa..f79c9e2 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml @@ -28,7 +28,7 @@ jobs: with: persist-credentials: false ref: 'main' - - name: 'Log in to ghcr.io' + - name: 'log in to ghcr.io' uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: username: ${{ github.actor }} 
@@ -67,20 +67,20 @@ jobs: buildah push curl-dev:master "docker://ghcr.io/curl/curl-container/curl-dev:master" buildah push curl-base:master "docker://ghcr.io/curl/curl-container/curl-base:master" buildah push curl:master "docker://ghcr.io/curl/curl-container/curl:master" - - name: 'Install Cosign' + - name: 'install Cosign' uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - - name: 'Write signing key to disk (only needed for `cosign sign --key`)' + - name: 'write signing key to disk (only needed for `cosign sign --key`)' env: COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key - - name: 'Sign image with a key' + - name: 'sign image with a key' run: | cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev:master cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base:master cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl:master env: COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - - name: 'Verify image with public key' + - name: 'verify image with public key' run: | cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev:master cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-base:master diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml index 5f3c0cb..c6a81bc 100644 --- a/.github/workflows/build_master_dev.yml +++ b/.github/workflows/build_master_dev.yml @@ -29,7 +29,7 @@ jobs: with: persist-credentials: false ref: 'main' - - name: 'Log in to ghcr.io' + - name: 'log in to ghcr.io' uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7 with: username: ${{ github.actor }} 
@@ -64,18 +64,18 @@ jobs:
 - name: 'push images to github registry'
 run: |
 buildah push curl-dev-debian:master "docker://ghcr.io/curl/curl-container/curl-dev-debian:master"
- - name: 'Install Cosign'
+ - name: 'install Cosign'
 uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
- - name: 'Write signing key to disk (only needed for `cosign sign --key`)'
+ - name: 'write signing key to disk (only needed for `cosign sign --key`)'
 env:
 COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
 run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key
- - name: 'Sign image with a key'
+ - name: 'sign image with a key'
 run: |
 cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-debian:master
 env:
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- - name: 'Verify image with public key'
+ - name: 'verify image with public key'
 run: |
 cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-debian:master
 - name: 'build fedora dev image'
@@ -87,13 +87,13 @@ jobs:
 - name: 'push images to github registry'
 run: |
 buildah push curl-dev-fedora:master "docker://ghcr.io/curl/curl-container/curl-dev-fedora:master"
- - name: 'Install Cosign'
+ - name: 'install Cosign'
 uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
- - name: 'Sign image with a key'
+ - name: 'sign image with a key'
 run: |
 cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-fedora:master
 env:
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- - name: 'Verify image with public key'
+ - name: 'verify image with public key'
 run: |
 cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-fedora:master
diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml
index d6a5b53..c89f8c5 100644
--- a/.github/workflows/build_master_multi.yml
+++ b/.github/workflows/build_master_multi.yml
@@ -28,7 +28,7 @@ jobs:
 with:
 persist-credentials: false
 ref: 'main'
- - name: 'Log in to ghcr.io'
+ - name: 'log in to ghcr.io'
 uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
 username: ${{ github.actor }}
@@ -66,19 +66,19 @@ jobs:
 run: |
 buildah manifest push --all --format v2s2 localhost/curl-base-multi:master "docker://ghcr.io/curl/curl-container/curl-base-multi:master"
 buildah manifest push --all --format v2s2 localhost/curl-multi:master "docker://ghcr.io/curl/curl-container/curl-multi:master"
- - name: 'Install Cosign'
+ - name: 'install Cosign'
 uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
- - name: 'Write signing key to disk (only needed for `cosign sign --key`)'
+ - name: 'write signing key to disk (only needed for `cosign sign --key`)'
 env:
 COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
 run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key
- - name: 'Sign image with a key'
+ - name: 'sign image with a key'
 run: |
 cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-multi:master
 cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base-multi:master
 env:
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- - name: 'Verify image with public key'
+ - name: 'verify image with public key'
 run: |
 cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:master
 cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-base-multi:master
From dd470c1c602915150ed525d0286bc396a7453146 Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Tue, 28 Oct 2025 00:30:13 +0100
Subject: [PATCH 58/64] GHA: sync wording for some `name:`s
---
 .github/workflows/build_latest_release_multi.yml | 2 +-
 .github/workflows/build_master.yml | 2 +-
 .github/workflows/build_master_dev.yml | 2 +-
 .github/workflows/build_master_multi.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml
index 25d832e..e5a9be4 100644
--- a/.github/workflows/build_latest_release_multi.yml
+++ b/.github/workflows/build_latest_release_multi.yml
@@ -26,7 +26,7 @@ jobs:
 with:
 persist-credentials: false
 tag_name: ${{ github.ref }}
- - name: 'log in to ghcr.io'
+ - name: 'login ghcr.io'
 uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
 username: ${{ github.actor }}
diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml
index f79c9e2..ed3ce16 100644
--- a/.github/workflows/build_master.yml
+++ b/.github/workflows/build_master.yml
@@ -28,7 +28,7 @@ jobs:
 with:
 persist-credentials: false
 ref: 'main'
- - name: 'log in to ghcr.io'
+ - name: 'login ghcr.io'
 uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
 username: ${{ github.actor }}
diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml
index c6a81bc..a7b59d4 100644
--- a/.github/workflows/build_master_dev.yml
+++ b/.github/workflows/build_master_dev.yml
@@ -29,7 +29,7 @@ jobs:
 with:
 persist-credentials: false
 ref: 'main'
- - name: 'log in to ghcr.io'
+ - name: 'login ghcr.io'
 uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
 username: ${{ github.actor }}
diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml
index c89f8c5..b38df77 100644
--- a/.github/workflows/build_master_multi.yml
+++ b/.github/workflows/build_master_multi.yml
@@ -28,7 +28,7 @@ jobs:
 with:
 persist-credentials: false
 ref: 'main'
- - name: 'log in to ghcr.io'
+ - name: 'login ghcr.io'
 uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
 username: ${{ github.actor }}
From c2cbca056adf5933cf69d90d6b6b1184a8023bcf Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Tue, 28 Oct 2025 00:32:14 +0100
Subject: [PATCH 59/64] GHA: sync imperative `name:`
---
 .github/workflows/build_latest_release_multi.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml
index e5a9be4..743cf06 100644
--- a/.github/workflows/build_latest_release_multi.yml
+++ b/.github/workflows/build_latest_release_multi.yml
@@ -50,7 +50,7 @@ jobs:
 run: |
 sudo apt-get update
 sudo apt-get -y install qemu-user-static buildah less git make podman clamav clamav-freshclam
- - name: 'sets env vars'
+ - name: 'set env vars'
 run: |
 release_tag_redirect=$(curl -s https://github.com/curl/curl/releases/latest -w'%{redirect_url}\n' -o /dev/null)
 latest_release_ref=$(basename ${release_tag_redirect})
From 5d40de3fb7b046312381f3f579c60ef5331db216 Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Tue, 28 Oct 2025 00:33:19 +0100
Subject: [PATCH 60/64] drop duplicate cosign install step
---
 .github/workflows/build_master_dev.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml
index a7b59d4..ca54afa 100644
--- a/.github/workflows/build_master_dev.yml
+++ b/.github/workflows/build_master_dev.yml
@@ -87,8 +87,6 @@ jobs:
 - name: 'push images to github registry'
 run: |
 buildah push curl-dev-fedora:master "docker://ghcr.io/curl/curl-container/curl-dev-fedora:master"
- - name: 'install Cosign'
- uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 - name: 'sign image with a key'
 run: |
 cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-fedora:master
From 24bec48778f3bd6ca3fa5d4d9f6b68d45598b0e7 Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Tue, 28 Oct 2025 00:35:07 +0100
Subject: [PATCH 61/64] GHA: yaml: move env: before run: where not there
---
 .github/workflows/build_latest_release_multi.yml | 12 ++++++------
 .github/workflows/build_master.yml | 4 ++--
 .github/workflows/build_master_dev.yml | 8 ++++----
 .github/workflows/build_master_multi.yml | 4 ++--
 4 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/build_latest_release_multi.yml b/.github/workflows/build_latest_release_multi.yml
index 743cf06..224f062 100644
--- a/.github/workflows/build_latest_release_multi.yml
+++ b/.github/workflows/build_latest_release_multi.yml
@@ -79,11 +79,11 @@ jobs:
 COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
 run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key
 - name: 'sign images with sigstore key'
+ env:
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 run: |
 cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-multi:$REL
 cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base-multi:$REL
- env:
- COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 - name: 'verify image with public key'
 run: |
 cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:$REL
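Review bot: The moved `COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}` line is still unquoted while the `COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'` line two lines above it in the same hunk is single-quoted, so the two secret-bearing `env:` entries of the same job now sit side by side in different styles. Since this commit already rewrites every one of these `env:` blocks, it is the natural place to make the quoting uniform, e.g. `COSIGN_PASSWORD: '${{ secrets.COSIGN_PASSWORD }}'`; GitHub's loader evaluates the expression the same way either way, so this is consistency only. The same applies to the `@@ -95` and `@@ -115` hunks of this file and to the hunks in build_master.yml, build_master_dev.yml and build_master_multi.yml. Scoping the password to the signing step rather than the job, as these hunks do, is the right placement; the enclosing `steps:` list continues outside the hunk.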
@@ -95,13 +95,13 @@ jobs:
 buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://docker.io/curlimages/curl-base:${REL}"
 buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://docker.io/curlimages/curl-base:latest"
 - name: 'sign images with a sigstore key'
+ env:
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 run: |
 cosign sign -y --key cosign.key docker.io/curlimages/curl:$REL
 cosign sign -y --key cosign.key docker.io/curlimages/curl:latest
 cosign sign -y --key cosign.key docker.io/curlimages/curl-base:$REL
 cosign sign -y --key cosign.key docker.io/curlimages/curl-base:latest
- env:
- COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 - name: 'verify image with public key'
 run: |
 cosign verify --key cosign.pub docker.io/curlimages/curl:$REL
@@ -115,13 +115,13 @@ jobs:
 buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://quay.io/curl/curl-base:${REL}"
 buildah manifest push --format v2s2 --all localhost/curl-base-multi:$REL "docker://quay.io/curl/curl-base:latest"
 - name: 'sign images with a sigstore key'
+ env:
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 run: |
 cosign sign -y --key cosign.key quay.io/curl/curl:$REL
 cosign sign -y --key cosign.key quay.io/curl/curl:latest
 cosign sign -y --key cosign.key quay.io/curl/curl-base:$REL
 cosign sign -y --key cosign.key quay.io/curl/curl-base:latest
- env:
- COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 - name: 'verify image with public key'
 run: |
 cosign verify --key cosign.pub quay.io/curl/curl:$REL
diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml
index ed3ce16..fd7226e 100644
--- a/.github/workflows/build_master.yml
+++ b/.github/workflows/build_master.yml
@@ -74,12 +74,12 @@ jobs:
 COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
 run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key
 - name: 'sign image with a key'
+ env:
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 run: |
 cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev:master
 cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base:master
 cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl:master
- env:
- COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 - name: 'verify image with public key'
 run: |
 cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev:master
diff --git a/.github/workflows/build_master_dev.yml b/.github/workflows/build_master_dev.yml
index ca54afa..96b2e54 100644
--- a/.github/workflows/build_master_dev.yml
+++ b/.github/workflows/build_master_dev.yml
@@ -71,10 +71,10 @@ jobs:
 COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
 run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key
 - name: 'sign image with a key'
- run: |
- cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-debian:master
 env:
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ run: |
+ cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-debian:master
 - name: 'verify image with public key'
 run: |
 cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-debian:master
@@ -88,10 +88,10 @@ jobs:
 run: |
 buildah push curl-dev-fedora:master "docker://ghcr.io/curl/curl-container/curl-dev-fedora:master"
 - name: 'sign image with a key'
- run: |
- cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-fedora:master
 env:
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ run: |
+ cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-dev-fedora:master
 - name: 'verify image with public key'
 run: |
 cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-dev-fedora:master
diff --git a/.github/workflows/build_master_multi.yml b/.github/workflows/build_master_multi.yml
index b38df77..e5d8f9e 100644
--- a/.github/workflows/build_master_multi.yml
+++ b/.github/workflows/build_master_multi.yml
@@ -73,11 +73,11 @@ jobs:
 COSIGN_PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
 run: echo "${COSIGN_PRIVATE_KEY}" > cosign.key
 - name: 'sign image with a key'
+ env:
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 run: |
 cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-multi:master
 cosign sign -y --key cosign.key ghcr.io/curl/curl-container/curl-base-multi:master
- env:
- COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 - name: 'verify image with public key'
 run: |
 cosign verify --key cosign.pub ghcr.io/curl/curl-container/curl-multi:master
From 55a020fa2172f708a5e6edb2b81f7772d1f17014 Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Tue, 28 Oct 2025 00:51:55 +0100
Subject: [PATCH 62/64] redhat-actions/podman-login upside/downside
---
 .github/workflows/build_ci_multi.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml
index 3c0e5b6..1dd0d5c 100644
--- a/.github/workflows/build_ci_multi.yml
+++ b/.github/workflows/build_ci_multi.yml
@@ -17,6 +17,8 @@ jobs:
 name: 'Verify credentials'
 runs-on: 'ubuntu-latest'
 steps:
+ # upside: it logs out and deletes ~/.docker/config.json
+ # downside: extra dependency, uses -p instead of --password-stdin
 - name: 'login ghcr.io (actor, via action)'
 uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
 with:
From d2cd502ff05e40d97d1a08f1804193893d648665 Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Tue, 28 Oct 2025 00:57:46 +0100
Subject: [PATCH 63/64] redhat-actions/podman-login upside/downside updated https://github.com/redhat-actions/podman-login/issues/ -> 36
---
 .github/workflows/build_ci_multi.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build_ci_multi.yml b/.github/workflows/build_ci_multi.yml
index 1dd0d5c..e006ab4 100644
--- a/.github/workflows/build_ci_multi.yml
+++ b/.github/workflows/build_ci_multi.yml
@@ -17,7 +17,7 @@ jobs:
 name: 'Verify credentials'
 runs-on: 'ubuntu-latest'
 steps:
- # upside: it logs out and deletes ~/.docker/config.json
+ # upside: it logs out and aims to delete creds ~/.docker/config.json
 # downside: extra dependency, uses -p instead of --password-stdin
 - name: 'login ghcr.io (actor, via action)'
 uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
From f5ea1cc8184490eb7588b5301a68087552267b39 Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Tue, 28 Oct 2025 02:45:30 +0100
Subject: [PATCH 64/64] try a little build speed optimization
---
 create_dev_image.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/create_dev_image.sh b/create_dev_image.sh
index 1859392..8f4e90f 100755
--- a/create_dev_image.sh
+++ b/create_dev_image.sh
@@ -77,7 +77,7 @@ fi
 # build curl
 buildah run $bdr autoreconf -fi
-buildah run $bdr ./configure ${build_opts}
+buildah run $bdr ./configure --disable-dependency-tracking ${build_opts}
 buildah run $bdr make -j$(nproc)
 # run tests
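Review bot: The reworded comment `# upside: it logs out and aims to delete creds ~/.docker/config.json` is missing a preposition and the unchanged second line still leaves the `-p` downside unexplained for the next reader. Suggest `# upside: it logs out and aims to delete creds from ~/.docker/config.json` and, for the line below it, `# downside: extra dependency, passes the password via -p (a command-line argument, visible to other processes on the runner) instead of --password-stdin`. The commit message appears to point at an upstream issue for the "aims to" caveat; naming that issue in the comment would make the hedge traceable, though the reference as rendered here looks garbled so I cannot confirm its number. The `Verify credentials` job's remaining steps are outside the hunk.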
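Review bot: The new `--disable-dependency-tracking` on the configure line has no comment explaining why it is safe to drop, and the commit subject ("try a little build speed optimization") is the only place that intent is recorded. Dependency tracking only pays off for incremental rebuilds, which do not happen inside a one-shot image build, so a short why-comment keeps the next maintainer from "fixing" it back; suggest `# one-shot build: skip automake dependency tracking to speed up compilation` on the line above `buildah run $bdr ./configure ...`. The build section continues outside the hunk (`# run tests` opens the next one).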