From d586dba76842633160b90ff13307931c438ec12e Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Thu, 5 Mar 2026 09:03:02 +0100 Subject: [PATCH 01/13] readme: update to v4 Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- README.md | 39 +++++++++++++++++---------------------- 1 file changed, 17 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 0daac52..ea6ee2f 100644 --- a/README.md +++ b/README.md @@ -40,17 +40,14 @@ jobs: buildx: runs-on: ubuntu-latest steps: - - - name: Checkout - uses: actions/checkout@v5 - # Add support for more platforms with QEMU (optional) # https://github.com/docker/setup-qemu-action name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v4 ``` ## Configuring your builder @@ -133,23 +130,6 @@ The following [official docker environment variables](https://docs.docker.com/en ### `nodes` output -```json -[ - { - "name": "builder-3820d274-502c-4498-ae24-d4c32b3023d90", - "endpoint": "unix:///var/run/docker.sock", - "driver-opts": [ - "network=host", - "image=moby/buildkit:master" - ], - "status": "running", - "buildkitd-flags": "--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host", - "buildkit": "3fab389", - "platforms": "linux/amd64,linux/amd64/v2,linux/amd64/v3,linux/amd64/v4,linux/386" - } -] -``` - | Name | Type | Description | |-------------------|--------|----------------------------| | `name` | String | Node name | 
@@ -160,6 +140,21 @@ The following [official docker environment variables](https://docs.docker.com/en | `buildkit` | String | BuildKit version | | `platforms` | String | Platforms available | +Example: + +```json +[ + { + "name": "builder-8fa135e1-9bce-4a29-9368-46a09a1d750d0", + "endpoint": "unix:///var/run/docker.sock", + "status": "running", + "buildkitd-flags": "--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host", + "buildkit": "v0.27.1", + "platforms": "linux/amd64,linux/amd64/v2,linux/amd64/v3,linux/386" + } +] +``` + ## Contributing Want to contribute? Awesome! You can find information about contributing to From 79739306011e4afbd98a28d41a996f9808df73d0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 6 Mar 2026 04:42:15 +0000 Subject: [PATCH 02/13] build(deps): bump docker/build-push-action from 6 to 7 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6 to 7. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/v6...v7) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 792ade8..e713c3f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -110,7 +110,7 @@ jobs: buildkitd-flags: --debug - name: Build - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v7 with: context: . platforms: linux/amd64,linux/arm64,linux/ppc64le @@ -240,7 +240,7 @@ jobs: buildkitd-config: /tmp/buildkitd.toml - name: Build - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v7 with: context: . 
@@ -267,7 +267,7 @@ jobs: mirrors = ["mirror.gcr.io"] - name: Build - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v7 with: context: . From 94ba311f39e9df31b6b0021509d82c10bfc0f990 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 6 Mar 2026 04:42:20 +0000 Subject: [PATCH 03/13] build(deps): bump docker/bake-action from 6 to 7 Bumps [docker/bake-action](https://github.com/docker/bake-action) from 6 to 7. - [Release notes](https://github.com/docker/bake-action/releases) - [Commits](https://github.com/docker/bake-action/compare/v6...v7) --- updated-dependencies: - dependency-name: docker/bake-action dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/test.yml | 2 +- .github/workflows/update-dist.yml | 2 +- .github/workflows/validate.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8f6bf39..4536f0b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -23,7 +23,7 @@ jobs: uses: ./ - name: Test - uses: docker/bake-action@v6 + uses: docker/bake-action@v7 with: targets: test - diff --git a/.github/workflows/update-dist.yml b/.github/workflows/update-dist.yml index 744588f..4dc3802 100644 --- a/.github/workflows/update-dist.yml +++ b/.github/workflows/update-dist.yml @@ -28,7 +28,7 @@ jobs: token: ${{ steps.docker-read-app.outputs.token || github.token }} - name: Build - uses: docker/bake-action@v6 + uses: docker/bake-action@v7 with: source: . targets: build diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index ae6f92e..95093c7 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml 
@@ -23,7 +23,7 @@ jobs: - name: List targets id: generate - uses: docker/bake-action/subaction/list-targets@v6 + uses: docker/bake-action/subaction/list-targets@v7 with: target: validate @@ -38,6 +38,6 @@ jobs: steps: - name: Validate - uses: docker/bake-action@v6 + uses: docker/bake-action@v7 with: targets: ${{ matrix.target }} From a88b3cd5532e102f58780dd875765e5772f3f058 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Fri, 6 Mar 2026 10:07:33 +0100 Subject: [PATCH 04/13] ci: switch to matrix subaction Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/validate.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 95093c7..33aed91 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -15,15 +15,15 @@ jobs: prepare: runs-on: ubuntu-latest outputs: - targets: ${{ steps.generate.outputs.targets }} + matrix: ${{ steps.generate.outputs.matrix }} steps: - name: Checkout uses: actions/checkout@v6 - - name: List targets + name: Generate matrix id: generate - uses: docker/bake-action/subaction/list-targets@v7 + uses: docker/bake-action/subaction/matrix@v7 with: target: validate @@ -34,7 +34,7 @@ jobs: strategy: fail-fast: false matrix: - target: ${{ fromJson(needs.prepare.outputs.targets) }} + include: ${{ fromJson(needs.prepare.outputs.matrix) }} steps: - name: Validate From f4d39becb22d44cbade7647c8d4c339fad8c6f3d Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 04:42:17 +0000 Subject: [PATCH 05/13] build(deps): bump actions/create-github-app-token from 2 to 3 Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 2 to 3. - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](https://github.com/actions/create-github-app-token/compare/v2...v3) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: '3' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/update-dist.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-dist.yml b/.github/workflows/update-dist.yml index 4dc3802..fefe728 100644 --- a/.github/workflows/update-dist.yml +++ b/.github/workflows/update-dist.yml @@ -14,7 +14,7 @@ jobs: - name: GitHub auth token from GitHub App id: docker-read-app - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@v3 with: app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }} private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }} From 3da2ceadbfdde69af4c426a0883c764680ae1d21 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Fri, 20 Mar 2026 11:56:47 +0100 Subject: [PATCH 06/13] ci: enable SAST scanning with CodeQL Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/codeql.yml | 45 ++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..07ce72d --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,45 @@ +name: codeql + +on: + push: + branches: + - 'master' + - 'releases/v*' + pull_request: + +permissions: + actions: read + contents: read + security-events: write + +env: + NODE_VERSION: "24" + +jobs: + analyze: + runs-on: ubuntu-latest + steps: + - + name: Checkout + uses: actions/checkout@v6 + - + name: Enable corepack + run: | + corepack enable + yarn --version + - + name: Set up Node + uses: actions/setup-node@v6 + with: + node-version: ${{ env.NODE_VERSION }} + - + name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: javascript-typescript + build-mode: none + - + name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + with: + category: "/language:javascript-typescript" From 7f6e739c6d5e26cf2b3688c04dda3bd1993690ad Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Wed, 25 Mar 2026 12:39:32 +0100 Subject: [PATCH 07/13] ci: bump crazy-max/.github to 1.1.0 Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- .github/workflows/pr-assign-author.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e713c3f..1446ec0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -485,7 +485,7 @@ jobs: uses: actions/checkout@v6 - name: Install k3s - uses: crazy-max/.github/.github/actions/install-k3s@a94383ec9e125b23907fb6fcebf7ff87964595e5 + uses: crazy-max/.github/.github/actions/install-k3s@20ef82212dc54bab5749f5e05576ca6d3c8a5773 # v1.1.0 - name: Set up Docker Buildx id: buildx diff --git a/.github/workflows/pr-assign-author.yml b/.github/workflows/pr-assign-author.yml index f56fa03..571b370 100644 --- a/.github/workflows/pr-assign-author.yml +++ b/.github/workflows/pr-assign-author.yml 
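Review bot: The `on:` block of the new `.github/workflows/codeql.yml` lists only `push` and `pull_request`, so the default branch is re-analysed only when someone pushes to it. Findings from updated CodeQL queries would not surface on otherwise idle code; a `schedule:` trigger with a weekly entry (for example `- cron: '0 6 * * 1'`, a constructed value) would cover that. Separately, the "Enable corepack" and "Set up Node" steps look unnecessary with `build-mode: none`. As ordered, `corepack enable` also runs against the runner's preinstalled Node rather than the version `NODE_VERSION` selects, so dropping the two steps or swapping their order would make the intent clearer.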
@@ -11,7 +11,7 @@ on: jobs: run: - uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@1b673f36fad86812f538c1df9794904038a23cbf + uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@20ef82212dc54bab5749f5e05576ca6d3c8a5773 # v1.1.0 permissions: contents: read pull-requests: write From 45439ec47e3e23aa455959df54d22a0d7bc0feb4 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Mon, 30 Mar 2026 13:56:10 +0200 Subject: [PATCH 08/13] ci: zizmor workflow Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/zizmor.yml | 29 +++++++++++++++++++++++++++++ .github/zizmor.yml | 3 +++ 2 files changed, 32 insertions(+) create mode 100644 .github/workflows/zizmor.yml create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..a485e93 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,29 @@ +name: zizmor + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +on: + workflow_dispatch: + push: + branches: + - 'master' + - 'releases/v*' + tags: + - 'v*' + pull_request: + +jobs: + zizmor: + uses: crazy-max/.github/.github/workflows/zizmor.yml@bb328ea508cd6a89d0865555ddbeb148e5724aed # v1.3.0 + permissions: + contents: read + security-events: write + with: + min-severity: medium + min-confidence: medium + persona: pedantic diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..6415720 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,3 @@ +rules: + secrets-outside-env: # FIXME: remove this rule when zizmor 1.24.0 is released, fixing the right persona attached to this rule: https://github.com/zizmorcore/zizmor/pull/1783 + disable: true From 8072de9b61b26d3b70350c59ff9bf658fbe2dcd4 Mon Sep 17 00:00:00 2001 
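Review bot: `disable: true` under `secrets-outside-env` in `.github/zizmor.yml` switches the audit off for every workflow, and the condition for removing it sits only in a long trailing comment on the key line. Moving the FIXME onto its own comment lines above `secrets-outside-env:`, for example `# FIXME: drop once zizmor 1.24.0 ships (zizmorcore/zizmor#1783)`, keeps it within line-length limits and harder to lose in a reformat. In `.github/workflows/zizmor.yml`, `min-severity: medium` and `min-confidence: medium` are combined with `persona: pedantic`. If the called workflow passes these straight through, lower-ranked pedantic findings are presumably filtered out, which deserves a one-line comment confirming it is intended.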
From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Mon, 30 Mar 2026 13:56:26 +0200 Subject: [PATCH 09/13] fix zizmor findings Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/dependabot.yml | 8 +++ .github/workflows/ci.yml | 71 ++++++++++++++------------ .github/workflows/codeql.yml | 19 +++---- .github/workflows/pr-assign-author.yml | 4 +- .github/workflows/publish.yml | 11 +++- .github/workflows/test.yml | 10 ++-- .github/workflows/update-dist.yml | 17 ++++-- .github/workflows/validate.yml | 9 ++-- 8 files changed, 91 insertions(+), 58 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 98596e5..51c53f3 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,6 +4,12 @@ updates: directory: "/" schedule: interval: "daily" + cooldown: + default-days: 2 + groups: + crazy-max-dot-github: + patterns: + - "crazy-max/.github/*" labels: - "dependencies" - "bot" @@ -11,6 +17,8 @@ updates: directory: "/" schedule: interval: "daily" + cooldown: + default-days: 2 versioning-strategy: "increase" allow: - dependency-type: "production" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1446ec0..3ab87c9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,8 @@ name: ci +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -32,7 +35,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx id: buildx @@ -51,7 +54,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx 1 uses: ./ @@ -64,7 +67,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Stop docker run: | 
@@ -85,14 +88,14 @@ jobs: - name: Dump context if: always() - uses: crazy-max/ghaction-dump-context@v2 + uses: crazy-max/ghaction-dump-context@5355a8e5e6ac5a302e746a1c4b7747a0393863c8 # v2.3.0 debug: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Create Dockerfile run: | @@ -102,7 +105,7 @@ jobs: EOL - name: Set up QEMU - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Set up Docker Buildx uses: ./ @@ -110,7 +113,7 @@ jobs: buildkitd-flags: --debug - name: Build - uses: docker/build-push-action@v7 + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: . platforms: linux/amd64,linux/arm64,linux/ppc64le @@ -126,7 +129,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx uses: ./ @@ -149,7 +152,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx uses: ./ @@ -162,7 +165,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx uses: ./ @@ -181,7 +184,7 @@ jobs: runs-on: ubuntu-latest services: dind: - image: docker:dind + image: docker:29.3-dind@sha256:4d90f1f6c400315c2dba96d3ec93c01e64198395cbba04f79d12adce4f737029 options: >- --privileged --health-cmd "docker info" @@ -195,7 +198,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Create context run: | 
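Review bot: In the `@@ -181,7 +184,7 @@` hunk the `dind` service image becomes `docker:29.3-dind@sha256:…`, but nothing visible in this patch keeps that digest current. The `.github/dependabot.yml` hunk only adds `cooldown` and a group to the two existing entries. If neither entry tracks container images referenced from workflow files, the digest stays frozen and misses upstream fixes for a container that this job starts with `--privileged`. A comment next to the image saying how it is refreshed, such as `# digest not tracked by Dependabot; bump manually`, would make the maintenance duty explicit. The job body continues outside the hunk.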
@@ -217,7 +220,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Create buildkitd conf run: | @@ -240,7 +243,7 @@ jobs: buildkitd-config: /tmp/buildkitd.toml - name: Build - uses: docker/build-push-action@v7 + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: . @@ -249,7 +252,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Create Dockerfile run: | @@ -267,7 +270,7 @@ jobs: mirrors = ["mirror.gcr.io"] - name: Build - uses: docker/build-push-action@v7 + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: . @@ -285,10 +288,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up QEMU - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 with: platforms: ${{ matrix.qemu-platforms }} - @@ -314,7 +317,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx uses: ./ @@ -328,7 +331,7 @@ jobs: EOL - name: Build - uses: docker/build-push-action@master + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: . @@ -337,7 +340,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Uninstall docker cli run: | @@ -365,7 +368,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Uninstall docker cli run: | 
@@ -387,7 +390,7 @@ jobs: EOL - name: Build - uses: docker/build-push-action@master + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: . @@ -396,7 +399,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Create dummy contexts run: | @@ -425,10 +428,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up QEMU - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Set up Docker Buildx uses: ./ @@ -440,7 +443,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Create Docker context run: | @@ -463,7 +466,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx uses: ./ @@ -482,7 +485,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install k3s uses: crazy-max/.github/.github/actions/install-k3s@20ef82212dc54bab5749f5e05576ca6d3c8a5773 # v1.1.0 @@ -515,7 +518,7 @@ jobs: EOL - name: Build - uses: docker/build-push-action@master + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: . @@ -530,7 +533,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx uses: ./ @@ -543,7 +546,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx id: buildx 
@@ -564,7 +567,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx uses: ./ @@ -583,7 +586,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx id: buildx diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 07ce72d..843bacd 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,5 +1,8 @@ name: codeql +permissions: + contents: read + on: push: branches: @@ -7,21 +10,19 @@ on: - 'releases/v*' pull_request: -permissions: - actions: read - contents: read - security-events: write - env: NODE_VERSION: "24" jobs: analyze: runs-on: ubuntu-latest + permissions: + contents: read + security-events: write steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Enable corepack run: | @@ -29,17 +30,17 @@ jobs: yarn --version - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: ${{ env.NODE_VERSION }} - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 with: languages: javascript-typescript build-mode: none - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 with: category: "/language:javascript-typescript" diff --git a/.github/workflows/pr-assign-author.yml b/.github/workflows/pr-assign-author.yml index 571b370..79e6137 100644 --- a/.github/workflows/pr-assign-author.yml +++ b/.github/workflows/pr-assign-author.yml 
@@ -4,14 +4,14 @@ permissions: contents: read on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] safe to use without checkout types: - opened - reopened jobs: run: - uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@20ef82212dc54bab5749f5e05576ca6d3c8a5773 # v1.1.0 + uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@bb328ea508cd6a89d0865555ddbeb148e5724aed # v1.3.0 permissions: contents: read pull-requests: write diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index edad97f..57635a7 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,5 +1,12 @@ name: publish +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + on: release: types: @@ -15,7 +22,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Publish - uses: actions/publish-immutable-action@v0.0.4 + uses: actions/publish-immutable-action@4bc8754ffc40f27910afb20287dbbbb675a4e978 # v0.0.4 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4536f0b..66b5e63 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,5 +1,8 @@ name: test +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true 
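Review bot: The suppression `# zizmor: ignore[dangerous-triggers] safe to use without checkout` on `pull_request_target:` in `pr-assign-author.yml` asserts a property of the called reusable workflow, whose content is not in this repository. That claim holds only for the pinned commit of `crazy-max/.github`, and this same hunk already moves the pin from v1.1.0 to v1.3.0 while the job keeps `pull-requests: write`. I would reword it along the lines of `# zizmor: ignore[dangerous-triggers] called workflow must not check out or run PR code; re-check on every pin bump`. The `crazy-max-dot-github` Dependabot group added in this patch will propose those bumps automatically, so the reminder belongs next to the trigger.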
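Review bot: `cancel-in-progress: true` in the new `concurrency` block of `publish.yml` lets a second `release` event on the same ref abort a publish that is already running. For a job that publishes an artifact, an interrupted run is usually worse than a queued one; `cancel-in-progress: false` keeps the serialisation without the abort. The `release` types list and the job's own permissions are outside the hunk, so whether two events can realistically overlap here is not visible.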
@@ -17,18 +20,19 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx uses: ./ - name: Test - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: + source: . targets: test - name: Upload coverage - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4 with: files: ./coverage/clover.xml token: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/update-dist.yml b/.github/workflows/update-dist.yml index fefe728..8b57b08 100644 --- a/.github/workflows/update-dist.yml +++ b/.github/workflows/update-dist.yml @@ -1,5 +1,12 @@ name: update-dist +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + on: pull_request: types: @@ -8,27 +15,27 @@ on: jobs: update-dist: - if: github.actor == 'dependabot[bot]' + if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name runs-on: ubuntu-latest steps: - name: GitHub auth token from GitHub App id: docker-read-app - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0 with: app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }} private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }} owner: docker - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.event.pull_request.head.ref }} fetch-depth: 0 - token: ${{ steps.docker-read-app.outputs.token || github.token }} + token: ${{ steps.docker-read-app.outputs.token }} - name: Build - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: source: . targets: build 
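Review bot: In the `update-dist.yml` hunk the Checkout step now always receives `steps.docker-read-app.outputs.token` and leaves `persist-credentials` at its default, so the App token remains available to git for the rest of the job. That includes the `Build` step, which runs bake with `source: .` on the Dependabot branch. If the push step (outside this hunk) can be handed the token explicitly, adding `persist-credentials: false` to the checkout `with:` block would keep the credential away from the build of freshly bumped dependencies. The step id `docker-read-app` also disagrees with the `GHACTIONS_REPO_WRITE_APP_*` secrets it consumes; renaming the id or adding `# write-scoped App token, used to push dist` would stop readers assuming it is read-only.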
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 33aed91..2657986 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -1,5 +1,8 @@ name: validate +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -19,11 +22,11 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Generate matrix id: generate - uses: docker/bake-action/subaction/matrix@v7 + uses: docker/bake-action/subaction/matrix@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: target: validate @@ -38,6 +41,6 @@ jobs: steps: - name: Validate - uses: docker/bake-action@v7 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: targets: ${{ matrix.target }} From 0dd24c14e2bd2b61272c7b63ddaf01dbf3205d41 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 31 Mar 2026 01:51:08 +0000 Subject: [PATCH 10/13] build(deps): bump crazy-max/ghaction-dump-context from 2.3.0 to 3.0.0 Bumps [crazy-max/ghaction-dump-context](https://github.com/crazy-max/ghaction-dump-context) from 2.3.0 to 3.0.0. - [Release notes](https://github.com/crazy-max/ghaction-dump-context/releases) - [Commits](https://github.com/crazy-max/ghaction-dump-context/compare/5355a8e5e6ac5a302e746a1c4b7747a0393863c8...5d2753e7076f4568c7729971e25231f32147e2d8) --- updated-dependencies: - dependency-name: crazy-max/ghaction-dump-context dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3ab87c9..9cc8edb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -88,7 +88,7 @@ jobs: - name: Dump context if: always() - uses: crazy-max/ghaction-dump-context@5355a8e5e6ac5a302e746a1c4b7747a0393863c8 # v2.3.0 + uses: crazy-max/ghaction-dump-context@5d2753e7076f4568c7729971e25231f32147e2d8 # v3.0.0 debug: runs-on: ubuntu-latest From 76613809640064b6ade38213255833cb797d962b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 31 Mar 2026 01:51:12 +0000 Subject: [PATCH 11/13] build(deps): bump crazy-max/.github from 1.1.0 to 1.3.0 Bumps [crazy-max/.github](https://github.com/crazy-max/.github) from 1.1.0 to 1.3.0. - [Release notes](https://github.com/crazy-max/.github/releases) - [Commits](https://github.com/crazy-max/.github/compare/20ef82212dc54bab5749f5e05576ca6d3c8a5773...bb328ea508cd6a89d0865555ddbeb148e5724aed) --- updated-dependencies: - dependency-name: crazy-max/.github dependency-version: 1.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3ab87c9..33cbea4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -488,7 +488,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install k3s - uses: crazy-max/.github/.github/actions/install-k3s@20ef82212dc54bab5749f5e05576ca6d3c8a5773 # v1.1.0 + uses: crazy-max/.github/.github/actions/install-k3s@bb328ea508cd6a89d0865555ddbeb148e5724aed # v1.3.0 - name: Set up Docker Buildx id: buildx From a7da99c89f842034b973611e083e3604455c8c43 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 31 Mar 2026 01:52:37 +0000 Subject: [PATCH 12/13] build(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0 Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.5.4 to 6.0.0. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/75cd11691c0faa626561e295848008c8a7dddffe...57e3a136b779b570ffcdbf80b3bdc90e7fab3de2) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 66b5e63..ea44eff 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -32,7 +32,7 @@ jobs: targets: test - name: Upload coverage - uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4 + uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 with: files: ./coverage/clover.xml token: ${{ secrets.CODECOV_TOKEN }} From af595e0653d4a4478e9af2f97718081bc2aa1a04 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Wed, 1 Apr 2026 13:12:08 +0200 Subject: [PATCH 13/13] ci: stop update-dist reruns after generated dist pushes Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/update-dist.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-dist.yml b/.github/workflows/update-dist.yml index 8b57b08..0d0f65f 100644 --- a/.github/workflows/update-dist.yml +++ b/.github/workflows/update-dist.yml 
@@ -15,7 +15,7 @@ on: jobs: update-dist: - if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name + if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name runs-on: ubuntu-latest steps: -
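Review bot: The new leading conjunct `github.actor == 'dependabot[bot]'` is the same kind of check that PATCH 09 replaced with `github.event.pull_request.user.login`, so the zizmor workflow from PATCH 08 may report this line again. Because it is ANDed with the author and same-repository checks it only narrows the condition, but nothing on the line says why both are needed. A comment above the `if:`, such as `# github.actor skips runs triggered by the generated dist push; user.login and the repo check are the trust gate`, would keep a later cleanup from dropping the wrong half. If the audit does fire, an inline `# zizmor: ignore[bot-conditions]` with that same reason is preferable to disabling the rule in `.github/zizmor.yml`.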