chore(deps): bump the github-actions-dependencies group with 1 update

Bumps the github-actions-dependencies group with 1 update: [hoverkraft-tech/ci-github-common](https://github.com/hoverkraft-tech/ci-github-common).

Updates `hoverkraft-tech/ci-github-common` from 0.12.1 to 0.13.0
- [Release notes](https://github.com/hoverkraft-tech/ci-github-common/releases)
- [Commits](hoverkraft-tech/ci-github-common@0.12.1...0.13.0)

---
updated-dependencies:
- dependency-name: hoverkraft-tech/ci-github-common
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions-dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Emilien Escalle <[email protected]>

.github/workflows/__generate-dependabot-config.yml

@@ -4,9 +4,13 @@ on:
   push:
     branches:
       - main
+
+permissions:
+  contents: read
+
 jobs:
   generate-dependabot-config:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/generate-dependabot-config.yml@0.12.1
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/generate-dependabot-config.yml@0.13.0
     with:
       github-app-id: ${{ vars.CI_BOT_APP_ID }}
     secrets:

.github/workflows/__main-ci.yml

@@ -6,6 +6,15 @@ on:
     tags: ["*"]
   workflow_dispatch:
 
+permissions:
+  contents: read
+  issues: read
+  packages: write
+  pull-requests: read
+  statuses: write
+  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
+  id-token: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -27,7 +36,7 @@ jobs:
 
   release:
     needs: ci
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/release-actions.yml@0.12.1
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/release-actions.yml@0.13.0
     with:
       update-all: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) || github.event_name == 'workflow_dispatch' }}
       github-app-id: ${{ vars.CI_BOT_APP_ID }}

.github/workflows/__need-fix-to-issue.yml

@@ -5,6 +5,7 @@ on:
     branches:
       - main
   workflow_dispatch:
+    #checkov:skip=CKV_GHA_7: required
     inputs:
       manual-commit-ref:
         description: "The SHA of the commit to get the diff for"
@@ -13,9 +14,13 @@ on:
         description: "By default, the commit entered above is compared to the one directly before it; to go back further, enter an earlier SHA here"
         required: false
 
+permissions:
+  contents: read
+  issues: write
+
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@0.12.1
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@0.13.0
     with:
       manual-commit-ref: ${{ inputs.manual-commit-ref }}
       manual-base-ref: ${{ inputs.manual-base-ref }}

.github/workflows/__pull-request-ci.yml

@@ -5,6 +5,15 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+  issues: read
+  packages: write
+  pull-requests: read
+  statuses: write
+  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
+  id-token: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true

.github/workflows/__shared-ci.yml

@@ -3,9 +3,18 @@ name: Internal - Common Continuous Integration tasks
 on:
   workflow_call:
 
+permissions:
+  contents: read
+  issues: read
+  packages: write
+  pull-requests: read
+  statuses: write
+  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
+  id-token: write
+
 jobs:
   linter:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@0.12.1
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@0.13.0
 
   test-action-docker-build-image:
     needs: linter

.github/workflows/__stale.yml

@@ -0,0 +1,13 @@
+name: Mark stale issues and pull requests
+
+on:
+  schedule:
+    - cron: "30 1 * * *"
+
+permissions:
+  issues: write
+  pull-requests: write
+
+jobs:
+  main:
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/[email protected]

.github/workflows/__test-action-docker-build-image.yml

@@ -4,6 +4,10 @@ run-name: Test for "docker/build-image" action
 on:
   workflow_call:
 
+permissions:
+  contents: read
+  packages: write
+
 # jscpd:ignore-start
 jobs:
   tests:

.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml

@@ -4,6 +4,14 @@ run-name: Test for "docker/prune-pull-requests-image-tags" action
 on:
   workflow_call:
 
+permissions:
+  contents: read
+  issues: read
+  packages: write
+  pull-requests: read
+  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
+  id-token: write
+
 env:
   IMAGE: "test-prune-${{ github.run_number }}"
 
@@ -169,7 +177,7 @@ jobs:
 
       - id: get-issue-number
         if: ${{ github.event_name == 'pull_request' }}
-        uses: hoverkraft-tech/ci-github-common/actions/get-issue-number@0.12.1
+        uses: hoverkraft-tech/ci-github-common/actions/get-issue-number@0.13.0
 
       - name: Delete test packages
         uses: actions/[email protected]

.github/workflows/__test-action-get-image-metadata.yml

@@ -4,6 +4,9 @@ run-name: Test for "docker/get-image-metadata" action
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     name: Test for "docker/get-image-metadata" action

.github/workflows/__test-action-get-image-name.yml

@@ -4,6 +4,9 @@ run-name: Test for "docker/get-image-name" action
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   tests-with-implicit-repository:
     name: Test for "docker/get-image-name" action

.github/workflows/__test-action-helm-release-chart.yml

@@ -4,6 +4,10 @@ run-name: Test for "helm/release-chart" action
 on:
   workflow_call:
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   tests:
     runs-on: ubuntu-latest

.github/workflows/__test-workflow-docker-build-images.yml

@@ -4,6 +4,14 @@ run-name: Test for "docker-build-images" workflow
 on:
   workflow_call:
 
+permissions:
+  contents: read
+  issues: read
+  packages: write
+  pull-requests: read
+  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
+  id-token: write
+
 # jscpd:ignore-start
 jobs:
   arrange:

.github/workflows/docker-build-images.md

@@ -15,12 +15,11 @@ This includes [multi-platform](https://docs.docker.com/build/building/multi-plat
 
 Needs the following permissions:
 
-- `id-token`: `write`
 - `contents`: `read`
-- `packages`: `write`
 - `issues`: `read`
+- `packages`: `write`
 - `pull-requests`: `read`
-- `actions`: `write`
+- `id-token`: `write` <!-- FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659 -->
 
 <!-- end description -->
 <!-- start contents -->
@@ -35,16 +34,17 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+  issues: read
+  packages: write
+  pull-requests: read
+  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
+  id-token: write
+
 jobs:
   docker-build-images:
     uses: hoverkraft-tech/ci-github-container/.github/workflows/[email protected]
-    permissions:
-      id-token: write
-      contents: read
-      packages: write
-      issues: read
-      pull-requests: read
-      actions: write
     secrets:
       # Password or GitHub token (packages:read and packages:write scopes) used to log against the OCI registry.
       # See https://github.com/docker/login-action#usage.
@@ -86,9 +86,9 @@ jobs:
 
 ## Secrets
 
-| **Secret**                             | **Description**                                                                                                                                                                                            |
-| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **<code>oci-registry-password</code>** | Password or GitHub token (packages:read and packages:write scopes) used to log against the OCI registry. See [https://github.com/docker/login-action#usage](https://github.com/docker/login-action#usage). |
+| **Secret**                             | **Description**                                                                                                                                              |
+| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| **<code>oci-registry-password</code>** | Password or GitHub token (packages:read and packages:write scopes) used to log against the OCI registry. See <https://github.com/docker/login-action#usage>. |
 
 <!-- end secrets -->
 <!-- start inputs -->
@@ -97,9 +97,9 @@ jobs:
 
 | **Input**                              | **Description**                                                                                                                                                                                                                                                                     | **Default**                                 | **Required** |
 | -------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------- | ------------ |
-| **<code>runs-on</code>**               | Json array of runner(s) to use. See [https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job](https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job)                                                                                      | <code>["ubuntu-latest"]</code>              | **false**    |
+| **<code>runs-on</code>**               | Json array of runner(s) to use. See <https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job>                                                                                                                                                                   | <code>["ubuntu-latest"]</code>              | **false**    |
 | **<code>oci-registry</code>**          | OCI registry where to pull and push images                                                                                                                                                                                                                                          | <code>ghcr.io</code>                        | **false**    |
-| **<code>oci-registry-username</code>** | Username used to log against the OCI registry. See [https://github.com/docker/login-action#usage](https://github.com/docker/login-action#usage)                                                                                                                                     | <code>${{ github.repository_owner }}</code> | **false**    |
+| **<code>oci-registry-username</code>** | Username used to log against the OCI registry. See <https://github.com/docker/login-action#usage>                                                                                                                                                                                   | <code>${{ github.repository_owner }}</code> | **false**    |
 | **<code>images</code>**                | Images to build parameters.                                                                                                                                                                                                                                                         |                                             | **true**     |
 |                                        | Example: <code>[{"name": "application","context": ".","dockerfile": "./docker/application/Dockerfile","build-args": { "APP_PATH": "./application/", "PROD_MODE": "true" },"target": "prod","platforms": ["linux/amd64",{"name": "darwin/amd64","runs-on": "macos-latest"}]}]</code> |                                             |              |
 

.github/workflows/docker-build-images.yml

@@ -65,12 +65,20 @@ on:
         required: true
     secrets:
       oci-registry-password:
-        description: "Password or GitHub token (packages:read and packages:write scopes) used to log against the OCI registry. See https://github.com/docker/login-action#usage"
+        description: "Password or GitHub token (packages:read and packages:write scopes) used to log against the OCI registry. See https://github.com/docker/login-action#usage."
         required: true
       build-secrets:
-        description: "List of secrets to expose to the build. See [https://docs.docker.com/build/ci/github-actions/secrets/](https://docs.docker.com/build/ci/github-actions/secrets/)"
+        description: "List of secrets to expose to the build. See https://docs.docker.com/build/ci/github-actions/secrets/."
         required: false
 
+permissions:
+  contents: read
+  issues: read
+  packages: write
+  pull-requests: read
+  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
+  id-token: write
+
 jobs:
   prepare-variables:
     outputs:
@@ -233,7 +241,7 @@ jobs:
 
       # FIXME: Set built images infos in file to be uploaded as artifacts, because github action does not handle job outputs for matrix
       # https://github.com/orgs/community/discussions/26639
-      - uses: hoverkraft-tech/ci-github-common/actions/set-matrix-output@0.12.1
+      - uses: hoverkraft-tech/ci-github-common/actions/set-matrix-output@0.13.0
         with:
           artifact-name: ${{ needs.prepare-variables.outputs.artifact-name }}
           value: ${{ steps.build.outputs.built-image }}
@@ -251,7 +259,6 @@ jobs:
     permissions:
       contents: read
       packages: write
-      actions: write
       # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
       id-token: write
     needs: [prepare-variables, build-images]
@@ -260,7 +267,7 @@ jobs:
       built-images: ${{ steps.built-images.outputs.built-images }}
     steps:
       - id: get-matrix-outputs
-        uses: hoverkraft-tech/ci-github-common/actions/get-matrix-outputs@0.12.1
+        uses: hoverkraft-tech/ci-github-common/actions/get-matrix-outputs@0.13.0
         with:
           artifact-name: ${{ needs.prepare-variables.outputs.artifact-name }}
 

.github/workflows/prune-pull-requests-images-tags.md

@@ -25,6 +25,10 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   main:
     uses: hoverkraft-tech/ci-github-container/.github/workflows/[email protected]

Dockerfile

@@ -1,5 +1,10 @@
+#checkov:skip=CKV_DOCKER_2: required
 FROM ghcr.io/super-linter/super-linter:slim-v6
 
+ARG UID=1000
+ARG GID=1000
+USER ${UID}:${GID}
+
 ENV RUN_LOCAL=true 
 ENV USE_FIND_ALGORITHM=true
 ENV LOG_LEVEL=WARN

Makefile

@@ -7,7 +7,7 @@ lint: ## Execute linting
 	DEFAULT_WORKSPACE="$(CURDIR)"; \
 	LINTER_IMAGE="linter:latest"; \
 	VOLUME="$$DEFAULT_WORKSPACE:$$DEFAULT_WORKSPACE"; \
-	docker build --tag $$LINTER_IMAGE .; \
+	docker build --build-arg UID=$(id -u) --build-arg GID=$(id -g)  --tag $$LINTER_IMAGE .; \
 	docker run \
 		-e DEFAULT_WORKSPACE="$$DEFAULT_WORKSPACE" \
 		-e FILTER_REGEX_INCLUDE="$(filter-out $@,$(MAKECMDGOALS))" \

tests/application/Dockerfile

@@ -1,3 +1,7 @@
 FROM scratch AS base
 
+HEALTHCHECK --interval=5s --timeout=3s --retries=3 CMD ["/healthcheck"]
+
+USER test
+
 FROM base AS prod