Ramkumar Chinchani
225e2fb96d
chore: fix dependabot alerts (#4126)
* chore: fix dependabot alerts
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* chore: fix dependabot alerts
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* fix: bump zui version
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
---------
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2026-06-11 17:22:15 -07:00
Ramkumar Chinchani
e8c38a5639
chore: fix dependabot alerts (#4113)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2026-06-05 15:12:32 +03:00
Ramkumar Chinchani
d8fb19819b
chore: fix dependabot alerts (#4091)
* chore: fix dependabot alerts
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* chore: fix dependabot alerts
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
---------
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2026-05-22 22:20:08 -07:00
Ramkumar Chinchani
a4c55e288c
chore: fix dependabot alerts (#4082)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2026-05-21 08:50:48 -07:00
Ramkumar Chinchani
9aff5b8d08
chore: fix dependabot alerts (#4048)
* chore: fix dependabot alerts
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* chore: fix dependabot alerts
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* chore: fix dependabot alerts
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* chore: fix golangci-lint findings from CI
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* chore: fix golangci-lint gosec warnings
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* chore: update code to use slices package and address gosec linting issues
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* build: fix makefile target
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* chore: update tests to use context in HTTP requests and add gosec annotations
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* chore: update tests to use context in HTTP requests
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* chore: update tests to use context in HTTP requests
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* chore: update tests to use context in HTTP requests
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* chore: update tests to use context in HTTP requests
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* chore: bump zui version
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* chore: update test helpers and improve security settings in tests
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* chore: add gosec linting directive for test path construction
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
---------
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2026-05-11 09:29:05 +03:00
Benoit Tigeot
d97953f101
Pin actions and tighten workflow permissions (#3954)
* ci: Reduce chance of installing corrupt packages
See: https://dev.to/hsbt/should-rubygemsbundler-have-a-cooldown-feature-40cp
Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>
* ci: prevent credential leakage from checkout steps
Add `persist-credentials: false` to all `actions/checkout` calls across
22 workflow files. Without this, the GitHub token used for checkout is
written into `.git/config` and remains accessible to all subsequent steps
and any uploaded artifacts (artipacked finding).
Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>
* ci: prevent template injection from github context in run steps
`${{ github.* }}` expressions used directly inside `run:` blocks are
expanded before the shell sees them. A crafted value (e.g. a tag name
containing shell metacharacters) would execute arbitrary code.
Move the values into `env:` variables (e.g. GITHUB_EVENT_RELEASE_TAG_NAME,
GITHUB_ACTOR) and reference them as `${VAR}` in the shell, so the runtime
never interprets them as code (template-injection finding).
Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>
* ci: prevent injection in yq commands via release tag name
`${{ github.event.release.tag_name }}` was interpolated directly into
yq `cmd:` inputs. A crafted tag name could inject shell commands since
the expression is expanded before the action runs. Use yq's `strenv()`
with an `env:` variable instead so the value is always treated as data.
Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>
* ci: pin all GitHub Actions to full commit SHAs
Actions pinned to mutable tags (e.g. @v6, @main) can change under us if
the upstream repo is compromised or tags are moved, enabling supply-chain
attacks. Pinning to the full 40-char commit SHA locks the exact code that
runs. Version tags are preserved as inline comments (e.g. # v6.0.2) for
readability and Dependabot compatibility.
Used `pinact` for standard tagged versions; remaining branch-based
references (mikefarah/yq, jlumbroso/free-disk-space,
project-stacker/stacker-build-push-action, aquasecurity/trivy-action)
resolved manually via the GitHub API.
Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>
* ci: slow down GitHub Actions dependency updates to biweekly
Dependabot has no native biweekly interval. Combining weekly checks with
a 14-day cooldown achieves the same effect: Dependabot scans every Monday
but won't open a PR for a new action version until 14 days after release,
giving the ecosystem time to stabilize before we adopt it.
Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>
* ci: group all Dependabot updates into single PRs per ecosystem
Without groups, Dependabot opens one PR per dependency. With `patterns: "*"`,
all Go module bumps land in one PR and all GitHub Actions pin updates in
another, reducing review noise.
Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>
* ci: restore credential persistence for helm-charts push
`persist-credentials: false` was too broad — the helm-charts checkout
uses HELM_PUSH_TOKEN specifically so the subsequent `git push` can
authenticate. Only the main repo checkout should have credentials disabled.
Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>
* ci: use --password-stdin for oras login
Passing the token via `-p` exposes it in process listings and debug
logs. Piping via stdin is the standard secure pattern for CLI auth.
Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>
* ci: pin actions to versioned release SHAs
jmgilman/actions-generate-checksum: v1 branch HEAD -> v1.0.1 release
mikefarah/yq: arbitrary master HEAD -> v4.52.5 release
Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>
---------
Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>
2026-04-10 15:35:22 -07:00
Ramkumar Chinchani
79ab6464dc
chore: fix dependabot alerts (#3921)
2026-03-31 09:53:19 +03:00
Ramkumar Chinchani
6831928e53
chore: fix dependabot alerts (#3896)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2026-03-26 09:14:59 +02:00
Ramkumar Chinchani
d30be464f6
chore: fix dependabot alerts (#3880)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2026-03-19 08:38:41 +02:00
Ramkumar Chinchani
2ba0525f01
chore: fix dependabot alerts (#3860)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2026-03-10 09:43:08 +02:00
Ramkumar Chinchani
bb121c3b76
chore: fix dependabot alerts (#3841)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2026-03-03 23:59:38 -08:00
Ramkumar Chinchani
01bca48e33
chore: fix dependabot alerts (#3820)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2026-02-24 08:23:49 +02:00
Ramkumar Chinchani
624a520453
chore: fix dependabot alerts (#3802)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2026-02-16 11:42:35 -08:00
Ramkumar Chinchani
c3c50a2261
chore: fix dependabot alerts (#3788)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2026-02-09 22:18:35 -08:00
Ramkumar Chinchani
d5b1b2d25b
chore: fix dependabot alerts (#3774)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2026-02-03 20:25:38 +02:00
Ramkumar Chinchani
b905528b6c
chore: fix dependabot alerts (#3751)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2026-01-31 11:48:29 +02:00
Ramkumar Chinchani
0cac8a7ee8
chore: fix dependabot alerts (#3707)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2026-01-15 20:42:39 +02:00
Ramkumar Chinchani
800a545fbe
chore: fix dependabot alerts (#3677)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-12-29 09:59:57 +02:00
Ramkumar Chinchani
3a349dccec
chore: fix dependabot alerts (#3657)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-12-15 23:34:32 -08:00
Ramkumar Chinchani
e7b73b6c2d
chore: fix dependabot alerts (#3636)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-12-09 10:49:45 +02:00
Ramkumar Chinchani
92aee8ebce
chore: Fix deps (#3620)
* chore: fix dependabot alerts
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* chore: update zui
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
---------
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-12-04 11:43:24 +02:00
Ramkumar Chinchani
6452bec403
chore: fix dependabot alerts (#3595)
* chore: fix dependabot alerts
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* ci: bump up golang to 1.25.x
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* fix: linter errors
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* fix: stacker and docker build files to use golang 1.25
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
---------
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-11-26 11:21:36 +02:00
Ramkumar Chinchani
49c15abf06
chore: fix dependabot alerts (#3555)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-11-18 08:46:51 +02:00
Ramkumar Chinchani
33c466e007
chore: fix dependabot alerts (#3514)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-11-04 14:11:27 +02:00
Ramkumar Chinchani
a0943eccfe
chore: fix dependabot alerts (#3496)
* chore: fix dependabot alerts
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* fix: initialize logger in ut
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
---------
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-10-30 14:21:53 -07:00
Ramkumar Chinchani
559d9cf2fc
chore: fix dependabot alerts (#3477)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-10-22 09:46:03 +03:00
Ramkumar Chinchani
b2bbbb27f2
chore: fix dependabot alerts (#3461)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-10-14 08:07:24 +03:00
Ramkumar Chinchani
1d9c9aeacf
chore: fix dependabot alerts (#3444)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-10-07 14:14:34 +03:00
Ramkumar Chinchani
5e5bd1e33c
chore: fix dependabot alerts (#3422)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-09-30 09:56:53 +03:00
Ramkumar Chinchani
e49048958d
chore: fix dependabot alerts (#3397)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-09-18 11:49:04 -07:00
Ramkumar Chinchani
97ab0e2568
chore: fix dependabot alerts (#3380)
* chore: fix dependabot alerts
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* ci: bump up golang version to 1.24.x
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
---------
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-09-11 11:11:38 +03:00
Ramkumar Chinchani
9bb73d43b4
chore: fix dependabot alerts (#3365)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-09-07 00:04:16 -07:00
Ramkumar Chinchani
cb520aa9e4
Fix deps (#3343)
* chore(ci): fix sync images workflow
golang image is sync'ed from dockerhub and it appears certs have expired
that is breaking 'docker trust inspect ...'
* chore: fix dependabot alerts
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
---------
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-08-28 09:05:59 -07:00
Ramkumar Chinchani
f689c13f2e
chore: fix dependabot alerts (#3328)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-08-19 01:49:36 -07:00
Ramkumar Chinchani
69e58b092d
chore: fix dependabot alerts (#3312)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-08-16 00:23:35 -07:00
Ramkumar Chinchani
a13c917b73
chore: fix dependabot alerts (#3292)
* chore: fix dependabot alerts
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* fix: update trivy api call
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
---------
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-08-06 10:09:53 -07:00
Ramkumar Chinchani
e775f41edc
chore: fix dependabot alerts (#3274)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-07-25 09:33:23 -07:00
Ramkumar Chinchani
2c7e8fd33e
chore: fix dependabot alerts (#3245)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-07-05 00:06:32 +03:00
Ramkumar Chinchani
100dfec142
chore: fix dependabot alerts (#3213)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-06-17 10:09:19 -07:00
Andrei Aaron
6a22640bfa
Fix dependabot alerts (#3188)
* chore: update github.com/redis/go-redis/v9 to v9.9.0
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
* chore: update trivy to v0.63.0
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
* chore: update github.com/spf13/cast to v1.9.2
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
* chore: update ossf/scorecard-action from 2.4.1 to 2.4.2
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
* chore: fix multiple dependabot alerts
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
---------
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2025-06-09 10:40:13 -07:00
Ramkumar Chinchani
167f7e34cd
chore: fix dependabot alerts (#3155)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-05-27 18:58:50 +03:00
Ramkumar Chinchani
32a5eee521
chore: fix dependabot alerts (#3141)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-05-05 22:06:22 -07:00
Ramkumar Chinchani
06a0cd5220
chore: fix dependabot alerts (#3127)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-04-30 21:47:54 +03:00
Ramkumar Chinchani
2592d4c784
chore: fix dependabot alerts (#3099)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-04-14 22:43:56 -07:00
Ramkumar Chinchani
62af65b07d
chore: fix dependabot alerts (#3084)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-04-08 22:57:22 -07:00
Ramkumar Chinchani
fd761c0254
chore: fix dependabot alerts (#3070)
* chore: fix dependabot alerts
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
* ci: fix linter config
* fix: linter fixes
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
---------
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-04-04 00:31:02 -07:00
Ramkumar Chinchani
651d123731
chore: fix dependabot alerts (#3021)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-03-11 01:40:27 -07:00
Ramkumar Chinchani
528c2e5f6d
chore: fix dependabot alerts (#2961)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-02-11 20:11:41 -08:00
Ramkumar Chinchani
d0ad93532f
chore: fix dependabot alerts (#2945)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-02-03 23:34:01 -08:00
Ramkumar Chinchani
67231230e5
chore: fix dependabot alerts (#2922)
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2025-01-29 09:42:27 -08:00