diff --git a/.dockerignore b/.dockerignore index 2908cf4..415f10d 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,7 +1,9 @@ +# keep-sorted start +*.yml +.*.yaml .git .github demo images tests -.*.yaml -*.yml +# keep-sorted end diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 1a30636..ea163e2 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -1,5 +1,9 @@ { $schema: "https://docs.renovatebot.com/renovate-schema.json", + // # keep-sorted start block=yes + "git-submodules": { + enabled: true, + }, // Keep the extends started with ":" at the end of the list to allow overriding extends: [ "config:recommended", @@ -12,9 +16,6 @@ ":enableVulnerabilityAlertsWithLabel(security)", ":pinSkipCi", ], - "git-submodules": { - enabled: true, - }, labels: [ "renovate", "renovate/{{replace '.*/' '' depName}}", @@ -55,4 +56,5 @@ }, ], separateMinorPatch: true, + // # keep-sorted end } diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 27a7d87..d496d4d 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -6,18 +6,18 @@ on: pull_request: types: [opened, synchronize] paths: - - Dockerfile - .dockerignore - - entrypoint.sh - .github/workflows/docker-image.yml + - Dockerfile + - entrypoint.sh push: branches: - main paths: - - Dockerfile - .dockerignore - - entrypoint.sh - .github/workflows/docker-image.yml + - Dockerfile + - entrypoint.sh permissions: read-all diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index 136b12b..ac0276d 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml 
@@ -37,7 +37,7 @@ jobs: chmod a+x README.sh - name: 💡 MegaLinter - uses: oxsecurity/megalinter@b38cdf1f0cbe056fad4112cb7cd99c2b574c9617 # v8.1.0 + uses: oxsecurity/megalinter@d8c95fc6f2237031fb9e9322b0f97100168afa6e # v8.2.0 env: GITHUB_COMMENT_REPORTER: false # Disabled due to error: [GitHub Status Reporter] Error posting Status for REPOSITORY with ...: 403 diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 941b4ca..12dbac5 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -15,7 +15,7 @@ jobs: release-please-pr: runs-on: ubuntu-latest steps: - - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4.1.1 + - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3 with: release-type: simple skip-github-release: true @@ -23,7 +23,7 @@ jobs: release-please-release: runs-on: ubuntu-latest steps: - - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4.1.1 + - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3 id: release with: release-type: simple @@ -36,7 +36,7 @@ jobs: run: | git config user.name github-actions[bot] git config user.email 41898282+github-actions[bot]@users.noreply.github.com - git remote add gh-token "https://${{ secrets.GITHUB_TOKEN }}@github.com/google-github-actions/release-please-action.git" + git remote add gh-token "https://${{ secrets.GITHUB_TOKEN }}@github.com/googleapis/release-please-action.git" git tag -d v${{ steps.release.outputs.major }} || true git tag -d v${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }} || true git push origin :v${{ steps.release.outputs.major }} || true diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 916c5e9..63451cf 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml 
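Review bot: The `git remote add gh-token` line on the new side still points at `github.com/googleapis/release-please-action.git`, i.e. the action's own repository rather than this one, so any push through that remote would target the wrong repo; the org rename keeps what looks like a copy of the upstream recipe rather than adapting it. If the remote is meant for this repository the URL should be `"https://${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git"`; and if the job checks out with `actions/checkout` at its defaults, the persisted credentials already let `origin` push (as the following `git push origin` lines do), making the token-bearing URL redundant. The `run:` block continues outside the hunk, so whether `gh-token` is referenced at all is not visible here.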
@@ -6,10 +6,10 @@ on: inputs: dryRun: type: boolean - description: "Dry-Run" + description: Dry-Run logLevel: type: choice - description: "Log-Level" + description: Log-Level default: debug options: - info @@ -20,23 +20,25 @@ on: - main - "!renovate/*" schedule: - - cron: "0 0-3 * * 0" + - cron: 0 0-3 * * 0 env: + # keep-sorted start # https://docs.renovatebot.com/troubleshooting/#log-debug-levels - LOG_LEVEL: "${{ inputs.logLevel || 'debug' }}" + LOG_LEVEL: ${{ inputs.logLevel || 'debug' }} + RENOVATE_AUTOMERGE: "true" + # Renovate Automerge + RENOVATE_AUTOMERGE_TYPE: branch + # https://docs.renovatebot.com/self-hosted-configuration/#dryrun + # Run renovate in dry-run mode if executed in branches other than main - prevents versions in PRs/branches from being updated + RENOVATE_DRY_RUN: ${{ inputs.dryRun || ( github.head_ref || github.ref_name ) != 'main' || false }} + # https://docs.renovatebot.com/configuration-options/#platformcommit + RENOVATE_PLATFORM_COMMIT: "true" # https://docs.renovatebot.com/self-hosted-configuration/#repositories RENOVATE_REPOSITORIES: ${{ github.repository }} # https://docs.renovatebot.com/self-hosted-configuration/#username RENOVATE_USERNAME: ${{ github.repository_owner }} - # https://docs.renovatebot.com/configuration-options/#platformcommit - RENOVATE_PLATFORM_COMMIT: "true" - # https://docs.renovatebot.com/self-hosted-configuration/#dryrun - # Run renovate in dry-run mode if executed in branches other than main - prevents versions in PRs/branches from being updated - RENOVATE_DRY_RUN: "${{ inputs.dryRun || ( github.head_ref || github.ref_name ) != 'main' || false }}" - # Renovate Automerge - RENOVATE_AUTOMERGE_TYPE: "branch" - RENOVATE_AUTOMERGE: "true" + # keep-sorted end permissions: read-all diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 5acceea..59f5f57 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
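Review bot: `- cron: 0 0-3 * * 0` now depends on YAML plain-scalar rules: it survives as a string only because the first field is a digit, whereas a schedule whose first field begins with `*` would be read as an alias reference and reject the workflow, so the quoted form `- cron: "0 0-3 * * 0"` is the safer convention for cron strings. The same applies to `- cron: 9 9 * * *` in the `.github/workflows/stale.yml` hunk. The unquoted `${{ … }}` env values are valid plain scalars in block context, and `RENOVATE_AUTOMERGE`/`RENOVATE_PLATFORM_COMMIT` rightly stay quoted so they are read as the string `"true"` rather than a YAML boolean.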
@@ -4,7 +4,7 @@ name: stale on: workflow_dispatch: schedule: - - cron: "9 9 * * *" + - cron: 9 9 * * * permissions: issues: write @@ -16,6 +16,7 @@ jobs: steps: - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: + # keep-sorted start close-issue-message: | This issue has not seen any activity since it was marked stale. Closing. @@ -32,3 +33,4 @@ jobs: stale-pr-message: | This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days. + # keep-sorted end diff --git a/.gitignore b/.gitignore index 645c6dd..3d493dd 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,7 @@ -# pre-commit configuration file -.pre-commit-config.yaml - +# keep-sorted start newline_separated=yes # Lychee cache .lycheecache + +# pre-commit configuration file +.pre-commit-config.yaml +# keep-sorted end diff --git a/.mega-linter.yml b/.mega-linter.yml index 493531b..c446faa 100644 --- a/.mega-linter.yml +++ b/.mega-linter.yml @@ -1,6 +1,7 @@ # Configuration file for MegaLinter # See all available variables at https://megalinter.io/latest/configuration/ and in linters documentation +# keep-sorted start newline_separated=yes BASH_SHFMT_ARGUMENTS: --case-indent --indent 2 --space-redirects DISABLE_LINTERS: @@ -18,6 +19,7 @@ FILTER_REGEX_EXCLUDE: CHANGELOG.md FORMATTERS_DISABLE_ERRORS: false MARKDOWN_MARKDOWNLINT_CONFIG_FILE: .markdownlint.yml + MARKDOWN_MARKDOWNLINT_FILTER_REGEX_EXCLUDE: CHANGELOG.md # Remove initial MegaLinter graphic @@ -33,7 +35,7 @@ REPOSITORY_DEVSKIM_ARGUMENTS: --ignore-globs CHANGELOG.md --ignore-rule-ids DS16 REPOSITORY_KICS_ARGUMENTS: --fail-on high -REPOSITORY_TRIVY_ARGUMENTS: --ignorefile .trivyignore.yaml --severity HIGH,CRITICAL --ignore-unfixed +REPOSITORY_TRIVY_ARGUMENTS: --severity HIGH,CRITICAL --ignore-unfixed TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES: - GITHUB_TOKEN 
@@ -41,3 +43,4 @@ TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES: TYPESCRIPT_PRETTIER_ARGUMENTS: --html-whitespace-sensitivity=ignore VALIDATE_ALL_CODEBASE: true +# keep-sorted end diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 0000000..ee337a8 --- /dev/null +++ b/.trivyignore @@ -0,0 +1,3 @@ +# See: https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0002/ +# We allow root access in our container +DS002 diff --git a/.trivyignore.yaml b/.trivyignore.yaml deleted file mode 100644 index 3a89630..0000000 --- a/.trivyignore.yaml +++ /dev/null @@ -1,5 +0,0 @@ -misconfigurations: - # Accept root user in Dockerfile - - id: AVD-DS-0002 - paths: - - Dockerfile
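Review bot: The new `.trivyignore` suppresses `DS002` repository-wide, whereas the deleted `.trivyignore.yaml` scoped the same exception to `paths: - Dockerfile`; any other Dockerfile Trivy scans in this repository (for example under `demo` or `images`, if those directories contain one) will now also pass the root-user check unnoticed. The plain-text ignore file has no path scoping, so if per-file scope matters the YAML form with `paths` should be kept and passed via the `--ignorefile` flag that the `.mega-linter.yml` hunk removes from `REPOSITORY_TRIVY_ARGUMENTS`. The two files also name the check differently, `DS002` versus `AVD-DS-0002`; worth confirming in a run that the short ID is honoured, otherwise the finding comes back as a failure rather than an accepted exception.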