Merge branch 'main' into non-root

Author: thomasleplus

.commitlintrc.js

@@ -0,0 +1,19 @@
+const Configuration = {
+  /*
+   * Inherit rules from conventional commits.
+   */
+  extends: ["@commitlint/config-conventional"],
+
+  /*
+   * Any rules defined here will override rules from parent.
+   */
+  rules: {
+    "body-leading-blank": [2, "always"], // warning -> error
+    "body-max-line-length": [1, "always", 100], // error -> warning
+    "footer-leading-blank": [2, "always"], // warning -> error
+    "footer-max-length": [1, "always", 100], // error -> warning
+    "header-max-length": [1, "always", 100], // error -> warning
+  },
+};
+
+export default Configuration;

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,2 @@
+---
+blank_issues_enabled: false

.github/workflows/apk-check-versions.yml

@@ -9,7 +9,7 @@ on:
 permissions: {}
 
 jobs:
-  check:
+  apk-check-versions:
     runs-on: ubuntu-latest
     steps:
       - name: Check the versions

.github/workflows/automerge.yml

@@ -2,13 +2,17 @@
 name: "Dependabot auto-merge"
 on: pull_request
 
-permissions:
-  actions: write
-  contents: write
-  pull-requests: write
+permissions: {}
 
 jobs:
-  dependabot:
+  automerge:
+    permissions:
+      # Required to merge the PR
+      contents: write
+      # Required to merge the PR if it modifies a workflow
+      actions: write
+      # Required to approve the PR
+      pull-requests: write
     runs-on: ubuntu-latest
     if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     steps:

.github/workflows/check-pr.yml

@@ -2,11 +2,13 @@
 name: "Check PR"
 on: pull_request
 
-permissions:
-  pull-requests: write
+permissions: {}
 
 jobs:
-  check:
+  check-pr:
+    permissions:
+      # Required to add labels to the PR
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - name: Check commits

.github/workflows/codeql-analysis.yml

@@ -11,7 +11,7 @@ on:
 permissions: {}
 
 jobs:
-  analyze:
+  codeql-analysis:
     name: Analyze (${{ matrix.language }})
     # Runner size impacts CodeQL analysis time. To learn more, please see:
     #   - https://gh.io/recommended-hardware-resources-for-running-codeql
@@ -20,16 +20,12 @@ jobs:
     # Consider using larger runners or machines with greater resources for possible analysis time improvements.
     runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
     permissions:
-      # required for all workflows
-      security-events: write
-
-      # required to fetch internal or private CodeQL packs
-      packages: read
-
-      # only required for workflows in private repositories
+      # for github/codeql-action/init to get workflow details
       actions: read
+      # for actions/checkout to fetch code
       contents: read
-
+      # for github/codeql-action/autobuild to send a status report
+      security-events: write
     strategy:
       fail-fast: false
       matrix:
@@ -58,7 +54,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
+        uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -70,6 +66,6 @@ jobs:
           # queries: security-extended,security-and-quality
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
+        uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -2,16 +2,18 @@
 name: "Dependency Review"
 on: [pull_request]
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   dependency-review:
+    permissions:
+      # Required to read the code
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout Repository"
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
       - name: "Dependency Review"
-        uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b # v4.7.3
+        uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0

.github/workflows/devskim.yml

@@ -13,28 +13,29 @@ on:
     branches: ["main"]
   schedule:
     - cron: "0 0 * * 0"
+  workflow_dispatch:
 
 permissions: {}
 
 jobs:
-  lint:
+  devskim:
     name: DevSkim
     runs-on: ubuntu-latest
     permissions:
-      actions: read
+      # required to read the code
       contents: read
+      # required to publish security findings
       security-events: write
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
-
       - name: Run DevSkim scanner
         uses: microsoft/DevSkim-Action@4b5047945a44163b94642a1cecc0d93a3f428cc6 # v1.0.16
-
-      - name: Upload DevSkim scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
         with:
           should-scan-archives: true
+      - name: Upload DevSkim scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.29.5
+        with:
           sarif_file: devskim-results.sarif

.github/workflows/docker-build-push.yml

@@ -8,13 +8,16 @@ on:
     - cron: "0 0 * * 0"
   workflow_dispatch:
 
-permissions:
-  # Required by sigstore
-  id-token: write
+permissions: {}
 
 jobs:
-  build:
+  docker-build-push:
     if: ${{ ! startsWith(github.ref, 'refs/tags/') }}
+    permissions:
+      # Required to create a release
+      contents: write
+      # Required to sign the Docker image
+      id-token: write
     runs-on: ubuntu-latest
     steps:
       - name: Set REPOSITORY
@@ -67,7 +70,7 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
       - name: Install cosign
         if: github.ref == 'refs/heads/main'
-        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
       - name: Sign the Docker image
         if: github.ref == 'refs/heads/main'
         working-directory: ${{ env.IMAGE }}
@@ -95,7 +98,7 @@ jobs:
           fi
       - name: Check if release already exists
         if: env.VERSION != ''
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         id: check-release
         with:
           script: |
@@ -123,6 +126,5 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
         with:
-          name: ${{ env.VERSION }}
+          release_name: ${{ env.VERSION }}
           tag_name: v${{ env.VERSION }}
-          generate_release_notes: true

.github/workflows/docker-release.yml

@@ -5,13 +5,16 @@ on:
   release:
     types: [published]
 
-permissions:
-  # Required by sigstore
-  id-token: write
+permissions: {}
 
 jobs:
-  release:
+  docker-release:
     if: startsWith(github.ref, 'refs/tags/')
+    permissions:
+      # Required to checkout the code
+      contents: read
+      # Required to sign the Docker image
+      id-token: write
     runs-on: ubuntu-latest
     steps:
       - name: Set REPOSITORY
@@ -59,7 +62,7 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
       - name: Install cosign
-        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
       - name: Sign the Docker image
         working-directory: ${{ env.REPOSITORY }}
         env:
@@ -74,3 +77,12 @@ jobs:
             images+=("${tag}@${DIGEST}")
           done
           cosign sign --recursive --yes "${images[@]}"
+      - name: Manually generate release note
+        shell: bash
+        run: |
+          set -euo pipefail
+          IFS=$'\n\t'
+          echo "This failure is expected. It is a reminder to update the release notes for this newly created release."
+          echo "To do so, go to ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/releases/latest and click on the edit button."
+          echo "Then click on the 'Generate release notes' button and finally the 'Update release' button. Cheers!"
+          exit 1