diff --git a/.github/workflows/__generate-dependabot-config.yml b/.github/workflows/__generate-dependabot-config.yml
index d5fc0ca..d3a296b 100644
--- a/.github/workflows/__generate-dependabot-config.yml
+++ b/.github/workflows/__generate-dependabot-config.yml
@@ -4,9 +4,13 @@ on:
 push:
 branches:
 - main
+
+permissions:
+ contents: read
+
 jobs:
 generate-dependabot-config:
- uses: hoverkraft-tech/ci-github-common/.github/workflows/generate-dependabot-config.yml@0.12.1
+ uses: hoverkraft-tech/ci-github-common/.github/workflows/generate-dependabot-config.yml@0.13.0
 with:
 github-app-id: ${{ vars.CI_BOT_APP_ID }}
 secrets:
diff --git a/.github/workflows/__main-ci.yml b/.github/workflows/__main-ci.yml
index 34abde3..ca614d6 100644
--- a/.github/workflows/__main-ci.yml
+++ b/.github/workflows/__main-ci.yml
@@ -6,6 +6,15 @@ on:
 tags: ["*"]
 workflow_dispatch:
+permissions:
+ contents: read
+ issues: read
+ packages: write
+ pull-requests: read
+ statuses: write
+ # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
+ id-token: write
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
@@ -27,7 +36,7 @@ jobs:
 release:
 needs: ci
- uses: hoverkraft-tech/ci-github-common/.github/workflows/release-actions.yml@0.12.1
+ uses: hoverkraft-tech/ci-github-common/.github/workflows/release-actions.yml@0.13.0
 with:
 update-all: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) || github.event_name == 'workflow_dispatch' }}
 github-app-id: ${{ vars.CI_BOT_APP_ID }}
diff --git a/.github/workflows/__need-fix-to-issue.yml b/.github/workflows/__need-fix-to-issue.yml
index 3fabf26..3783dd1 100644
--- a/.github/workflows/__need-fix-to-issue.yml
+++ b/.github/workflows/__need-fix-to-issue.yml
@@ -5,6 +5,7 @@ on:
 branches:
 - main
 workflow_dispatch:
+ #checkov:skip=CKV_GHA_7: required
 inputs:
 manual-commit-ref:
 description: "The SHA of the commit to get the diff for"
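Review bot: The workflow-level `permissions` block added to __main-ci.yml grants `packages: write` and `id-token: write` to every job in the workflow, not only to the jobs that push images or need an OIDC token; the same top-level pattern is repeated in __pull-request-ci.yml, __shared-ci.yml (where the `linter` job inherits the write scopes), __test-action-docker-prune-pull-requests-image-tags.yml, __test-workflow-docker-build-images.yml and docker-build-images.yml, whose `@@ -251` hunk already shows the narrower job-level form. Keeping the top-level block at `contents: read` and placing the write scopes in a job-level `permissions:` on the jobs that need them — a job-level block on a `uses:` job is what the reusable workflow receives — limits what a compromised step in an unrelated job can do with the token. The FIXME comment says why `id-token: write` exists but not which job consumes the OIDC token; naming the consumer would make the exception easier to revisit, e.g. `# FIXME: id-token: write is only needed so <consuming job> can obtain the workflow ref via OIDC; see https://github.com/orgs/community/discussions/38659`.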
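Review bot: The new `#checkov:skip=CKV_GHA_7: required` line in __need-fix-to-issue.yml records only "required" as the reason, which does not tell a later reader what makes the `workflow_dispatch` inputs acceptable to keep. The next hunk shows `manual-commit-ref` and `manual-base-ref` being forwarded unchanged to the need-fix-to-issue reusable workflow, so how safely they are consumed depends on that workflow, which is outside this diff. A reason that states this, e.g. `#checkov:skip=CKV_GHA_7: manual-commit-ref/manual-base-ref are commit refs forwarded verbatim to the reusable workflow`, keeps the suppression reviewable.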
@@ -13,9 +14,13 @@ on:
 description: "By default, the commit entered above is compared to the one directly before it; to go back further, enter an earlier SHA here"
 required: false
+permissions:
+ contents: read
+ issues: write
+
 jobs:
 main:
- uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@0.12.1
+ uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@0.13.0
 with:
 manual-commit-ref: ${{ inputs.manual-commit-ref }}
 manual-base-ref: ${{ inputs.manual-base-ref }}
diff --git a/.github/workflows/__pull-request-ci.yml b/.github/workflows/__pull-request-ci.yml
index c208f47..1005431 100644
--- a/.github/workflows/__pull-request-ci.yml
+++ b/.github/workflows/__pull-request-ci.yml
@@ -5,6 +5,15 @@ on:
 pull_request:
 branches: [main]
+permissions:
+ contents: read
+ issues: read
+ packages: write
+ pull-requests: read
+ statuses: write
+ # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
+ id-token: write
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/__shared-ci.yml b/.github/workflows/__shared-ci.yml
index 10b0681..816b358 100644
--- a/.github/workflows/__shared-ci.yml
+++ b/.github/workflows/__shared-ci.yml
@@ -3,9 +3,18 @@ name: Internal - Common Continuous Integration tasks
 on:
 workflow_call:
+permissions:
+ contents: read
+ issues: read
+ packages: write
+ pull-requests: read
+ statuses: write
+ # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
+ id-token: write
+
 jobs:
 linter:
- uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@0.12.1
+ uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@0.13.0
 test-action-docker-build-image:
 needs: linter
diff --git a/.github/workflows/__stale.yml b/.github/workflows/__stale.yml
new file mode 100644
index 0000000..7d254c0
--- /dev/null
+++ b/.github/workflows/__stale.yml
@@ -0,0 +1,13 @@
+name: Mark stale issues and pull requests
+
+on:
+ schedule:
+ - cron: "30 1 * * *"
+
+permissions:
+ issues: write
+ pull-requests: write
+
+jobs:
+ main:
+ uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@0.13.0
\ No newline at end of file
diff --git a/.github/workflows/__test-action-docker-build-image.yml b/.github/workflows/__test-action-docker-build-image.yml
index 0622f71..f858897 100644
--- a/.github/workflows/__test-action-docker-build-image.yml
+++ b/.github/workflows/__test-action-docker-build-image.yml
@@ -4,6 +4,10 @@ run-name: Test for "docker/build-image" action
 on:
 workflow_call:
+permissions:
+ contents: read
+ packages: write
+
 # jscpd:ignore-start
 jobs:
 tests:
diff --git a/.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml b/.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml
index b0c0d4d..b6eede9 100644
--- a/.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml
+++ b/.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml
@@ -4,6 +4,14 @@ run-name: Test for "docker/prune-pull-requests-image-tags" action
 on:
 workflow_call:
+permissions:
+ contents: read
+ issues: read
+ packages: write
+ pull-requests: read
+ # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
+ id-token: write
+
 env:
 IMAGE: "test-prune-${{ github.run_number }}"
@@ -169,7 +177,7 @@ jobs:
 - id: get-issue-number
 if: ${{ github.event_name == 'pull_request' }}
- uses: hoverkraft-tech/ci-github-common/actions/get-issue-number@0.12.1
+ uses: hoverkraft-tech/ci-github-common/actions/get-issue-number@0.13.0
 - name: Delete test packages
 uses: actions/github-script@v7.0.1
diff --git a/.github/workflows/__test-action-get-image-metadata.yml b/.github/workflows/__test-action-get-image-metadata.yml
index c28bc82..a9d01cc 100644
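Review bot: The new __stale.yml ends without a trailing newline (`\ No newline at end of file` after the `uses:` line), which most YAML linters flag and which makes the next edit to the file show up as a two-line diff; add a final newline. The top-level `issues: write` and `pull-requests: write` are the scopes a stale job acts with, so the grant is appropriately narrow; `contents: read` is absent, which is only a problem if the reusable stale workflow checks out the repository, not visible here. As elsewhere in the repo the reusable workflow is pinned to the tag `@0.13.0`; tags are mutable, so if these releases are meant to be immutable a commit SHA pin (with the tag in a comment) is the stronger form, though the exposure is lower when the referenced repository is under the same organisation.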
--- a/.github/workflows/__test-action-get-image-metadata.yml
+++ b/.github/workflows/__test-action-get-image-metadata.yml
@@ -4,6 +4,9 @@ run-name: Test for "docker/get-image-metadata" action
 on:
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 tests:
 name: Test for "docker/get-image-metadata" action
diff --git a/.github/workflows/__test-action-get-image-name.yml b/.github/workflows/__test-action-get-image-name.yml
index 980b2e2..e4b06f9 100644
--- a/.github/workflows/__test-action-get-image-name.yml
+++ b/.github/workflows/__test-action-get-image-name.yml
@@ -4,6 +4,9 @@ run-name: Test for "docker/get-image-name" action
 on:
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 tests-with-implicit-repository:
 name: Test for "docker/get-image-name" action
diff --git a/.github/workflows/__test-action-helm-release-chart.yml b/.github/workflows/__test-action-helm-release-chart.yml
index 90c9b9a..4469537 100644
--- a/.github/workflows/__test-action-helm-release-chart.yml
+++ b/.github/workflows/__test-action-helm-release-chart.yml
@@ -4,6 +4,10 @@ run-name: Test for "helm/release-chart" action
 on:
 workflow_call:
+permissions:
+ contents: read
+ packages: write
+
 jobs:
 tests:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/__test-workflow-docker-build-images.yml b/.github/workflows/__test-workflow-docker-build-images.yml
index 6e858d6..dc2c4e7 100644
--- a/.github/workflows/__test-workflow-docker-build-images.yml
+++ b/.github/workflows/__test-workflow-docker-build-images.yml
@@ -4,6 +4,14 @@ run-name: Test for "docker-build-images" workflow
 on:
 workflow_call:
+permissions:
+ contents: read
+ issues: read
+ packages: write
+ pull-requests: read
+ # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
+ id-token: write
+
 # jscpd:ignore-start
 jobs:
 arrange:
diff --git a/.github/workflows/docker-build-images.md b/.github/workflows/docker-build-images.md
index 51588c6..74371bd 100644
--- a/.github/workflows/docker-build-images.md
+++ b/.github/workflows/docker-build-images.md
@@ -15,12 +15,11 @@ This includes [multi-platform](https://docs.docker.com/build/building/multi-plat
 Needs the following permissions:
-- `id-token`: `write`
 - `contents`: `read`
-- `packages`: `write`
 - `issues`: `read`
+- `packages`: `write`
 - `pull-requests`: `read`
-- `actions`: `write`
+- `id-token`: `write`
@@ -35,16 +34,17 @@ on:
 pull_request:
 branches: [main]
+permissions:
+ contents: read
+ issues: read
+ packages: write
+ pull-requests: read
+ # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
+ id-token: write
+
 jobs:
 docker-build-images:
 uses: hoverkraft-tech/ci-github-container/.github/workflows/docker-build-images.yml@0.15.2
- permissions:
- id-token: write
- contents: read
- packages: write
- issues: read
- pull-requests: read
- actions: write
 secrets:
 # Password or GitHub token (packages:read and packages:write scopes) used to log against the OCI registry.
 # See https://github.com/docker/login-action#usage.
@@ -86,9 +86,9 @@ jobs: ## Secrets -| **Secret** | **Description** | -| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **oci-registry-password** | Password or GitHub token (packages:read and packages:write scopes) used to log against the OCI registry. See [https://github.com/docker/login-action#usage](https://github.com/docker/login-action#usage). | +| **Secret** | **Description** | +| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| **oci-registry-password** | Password or GitHub token (packages:read and packages:write scopes) used to log against the OCI registry. See . | 
@@ -97,9 +97,9 @@ jobs: | **Input** | **Description** | **Default** | **Required** | | -------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------- | ------------ | -| **runs-on** | Json array of runner(s) to use. See [https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job](https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job) | ["ubuntu-latest"] | **false** | +| **runs-on** | Json array of runner(s) to use. See | ["ubuntu-latest"] | **false** | | **oci-registry** | OCI registry where to pull and push images | ghcr.io | **false** | -| **oci-registry-username** | Username used to log against the OCI registry. See [https://github.com/docker/login-action#usage](https://github.com/docker/login-action#usage) | ${{ github.repository_owner }} | **false** | +| **oci-registry-username** | Username used to log against the OCI registry. See | ${{ github.repository_owner }} | **false** | | **images** | Images to build parameters. | | **true** | | | Example: [{"name": "application","context": ".","dockerfile": "./docker/application/Dockerfile","build-args": { "APP_PATH": "./application/", "PROD_MODE": "true" },"target": "prod","platforms": ["linux/amd64",{"name": "darwin/amd64","runs-on": "macos-latest"}]}] | | | diff --git a/.github/workflows/docker-build-images.yml b/.github/workflows/docker-build-images.yml index 82a36ec..ca819b4 100644 --- a/.github/workflows/docker-build-images.yml +++ b/.github/workflows/docker-build-images.yml 
@@ -65,12 +65,20 @@ on:
 required: true
 secrets:
 oci-registry-password:
- description: "Password or GitHub token (packages:read and packages:write scopes) used to log against the OCI registry. See https://github.com/docker/login-action#usage"
+ description: "Password or GitHub token (packages:read and packages:write scopes) used to log against the OCI registry. See https://github.com/docker/login-action#usage."
 required: true
 build-secrets:
- description: "List of secrets to expose to the build. See [https://docs.docker.com/build/ci/github-actions/secrets/](https://docs.docker.com/build/ci/github-actions/secrets/)"
+ description: "List of secrets to expose to the build. See https://docs.docker.com/build/ci/github-actions/secrets/."
 required: false
+permissions:
+ contents: read
+ issues: read
+ packages: write
+ pull-requests: read
+ # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
+ id-token: write
+
 jobs:
 prepare-variables:
 outputs:
@@ -233,7 +241,7 @@ jobs:
 # FIXME: Set built images infos in file to be uploaded as artifacts, because github action does not handle job outputs for matrix # https://github.com/orgs/community/discussions/26639
- - uses: hoverkraft-tech/ci-github-common/actions/set-matrix-output@0.12.1
+ - uses: hoverkraft-tech/ci-github-common/actions/set-matrix-output@0.13.0
 with:
 artifact-name: ${{ needs.prepare-variables.outputs.artifact-name }}
 value: ${{ steps.build.outputs.built-image }}
@@ -251,7 +259,6 @@ jobs:
 permissions:
 contents: read
 packages: write
- actions: write
 # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
 id-token: write
 needs: [prepare-variables, build-images]
@@ -260,7 +267,7 @@ jobs:
 built-images: ${{ steps.built-images.outputs.built-images }}
 steps:
 - id: get-matrix-outputs
- uses: hoverkraft-tech/ci-github-common/actions/get-matrix-outputs@0.12.1
+ uses: hoverkraft-tech/ci-github-common/actions/get-matrix-outputs@0.13.0
 with:
 artifact-name: ${{ needs.prepare-variables.outputs.artifact-name }}
diff --git a/.github/workflows/prune-pull-requests-images-tags.md b/.github/workflows/prune-pull-requests-images-tags.md
index 2978145..e8d3d0a 100644
--- a/.github/workflows/prune-pull-requests-images-tags.md
+++ b/.github/workflows/prune-pull-requests-images-tags.md
@@ -25,6 +25,10 @@ on:
 push:
 branches: [main]
+permissions:
+ contents: read
+ packages: write
+
 jobs:
 main:
 uses: hoverkraft-tech/ci-github-container/.github/workflows/prune-pull-requests-images-tags.yml@0.15.3
diff --git a/Dockerfile b/Dockerfile
index 0b056d7..c15ca27 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,10 @@
+#checkov:skip=CKV_DOCKER_2: required
 FROM ghcr.io/super-linter/super-linter:slim-v6
+ARG UID=1000
+ARG GID=1000
+USER ${UID}:${GID}
+
 ENV RUN_LOCAL=true
 ENV USE_FIND_ALGORITHM=true
 ENV LOG_LEVEL=WARN
diff --git a/Makefile b/Makefile
index 7374be4..ceeceea 100644
--- a/Makefile
+++ b/Makefile
@@ -7,7 +7,7 @@ lint: ## Execute linting
 DEFAULT_WORKSPACE="$(CURDIR)"; \
 LINTER_IMAGE="linter:latest"; \
 VOLUME="$$DEFAULT_WORKSPACE:$$DEFAULT_WORKSPACE"; \
- docker build --tag $$LINTER_IMAGE .; \
+ docker build --build-arg UID=$(id -u) --build-arg GID=$(id -g) --tag $$LINTER_IMAGE .; \
 docker run \
 -e DEFAULT_WORKSPACE="$$DEFAULT_WORKSPACE" \
 -e FILTER_REGEX_INCLUDE="$(filter-out $@,$(MAKECMDGOALS))" \
diff --git a/tests/application/Dockerfile b/tests/application/Dockerfile
index 4492980..09b3637 100644
--- a/tests/application/Dockerfile
+++ b/tests/application/Dockerfile
@@ -1,3 +1,7 @@
 FROM scratch AS base
+HEALTHCHECK --interval=5s --timeout=3s --retries=3 CMD ["/healthcheck"]
+
+USER test
+
 FROM base AS prod
\ No newline at end of file
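Review bot: The `#checkov:skip=CKV_DOCKER_2: required` line in the Dockerfile hunk gives no reason a reader can check, and the CKV_DOCKER_2 finding (missing HEALTHCHECK) is legitimately irrelevant for an image that the Makefile starts with a one-off `docker run` for a lint pass; saying so keeps the suppression honest, e.g. `#checkov:skip=CKV_DOCKER_2: linter image is run once per lint invocation, not as a long-lived service`. `USER ${UID}:${GID}` switches to a purely numeric identity, which works without a passwd entry, but whether the super-linter base image tolerates a non-root user with no matching account (home directory, cache paths) is not visible here; a local `make lint` run against the new image is the quick check. Note also that this `USER` only takes effect if the build arguments actually arrive from the Makefile, which the next hunk does not currently guarantee.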
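Review bot: In the Makefile hunk `$(id -u)` and `$(id -g)` are expanded by make, not by the shell, so unless a make variable with that name is defined elsewhere (unlikely) they expand to nothing and docker receives `--build-arg UID= --build-arg GID=`, which turns the Dockerfile's `USER ${UID}:${GID}` into `USER :` and either fails the build or silently defeats the non-root intent. The recipe already uses `$$DEFAULT_WORKSPACE` and `$$LINTER_IMAGE` for shell expansion, so the same escaping is needed here: `docker build --build-arg UID=$$(id -u) --build-arg GID=$$(id -g) --tag $$LINTER_IMAGE .; \`. The `lint` recipe continues past the end of the hunk.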
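Review bot: In tests/application/Dockerfile, `USER test` names an account that a `scratch`-based stage cannot resolve, because the image has no /etc/passwd; the build succeeds, but starting a container from it would fail at user lookup, and the `HEALTHCHECK` likewise points at `/healthcheck`, which nothing in this stage provides. If this fixture exists only to be built by the tests and is never run, both lines are cosmetic additions to satisfy the scanner and a comment saying so would prevent the next reader from chasing it; if it is ever run, a numeric `USER 1000:1000` works without a passwd entry. The file also still ends without a trailing newline.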