diff --git a/.github/mergify.yml b/.github/mergify.yml index 97a67be7..715aa1c8 100644 --- a/.github/mergify.yml +++ b/.github/mergify.yml @@ -14,11 +14,6 @@ pull_request_rules: - files = .trunk/trunk.yaml actions: merge: - - name: Delete branch after close - conditions: - - closed - actions: - delete_head_branch: - name: Comment when a pull request is merged conditions: - merged @@ -83,6 +78,6 @@ queue_rules: - check-success = GitGuardian Security Checks - check-success = SonarCloud - check-success = Trunk Check - - check-success = CodeRabbit - check-success = Test Image / API Test - check-success = CodeQL + # - check-success = CodeRabbit diff --git a/.github/renovate.json b/.github/renovate.json index 74099f6b..22474119 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -10,6 +10,8 @@ "dependencies" ] }, + "osvVulnerabilityAlerts": true, + "dependencyDashboardOSVVulnerabilitySummary": "all", "ignorePaths": [ "pyproject.toml" ] diff --git a/.github/workflows/.docker.yaml b/.github/workflows/.docker.yaml index 07deebb0..a45bdd3a 100644 --- a/.github/workflows/.docker.yaml +++ b/.github/workflows/.docker.yaml 
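Review bot: Commenting out `- check-success = CodeRabbit` at the end of the queue_rules hunk (@@ -83) silently drops a required status from the merge-queue gate, and the commented line carries no reason or tracking reference, so the next reader cannot tell whether the check was renamed, retired, or only paused. If this is temporary, keep the line but precede it with something like `# CodeRabbit check disabled until <placeholder: reason or issue link> — re-enable afterwards`; if it is permanent, delete it rather than leaving dead configuration. On the new side the queue is gated only by GitGuardian Security Checks, SonarCloud, Trunk Check, Test Image / API Test and CodeQL, and each of those names must match the reported status exactly, so it is worth confirming the remaining names are still what the workflows emit. The queue_rules entry begins before this hunk.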
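Review bot: `osvVulnerabilityAlerts` is enabled while `ignorePaths` on the lines just below still lists `pyproject.toml`, so as far as I can tell from this file the Python dependencies declared there stay outside Renovate's manifest processing and the new OSV alerts only cover whatever other package files Renovate manages in this repository. If the intent is OSV coverage of the Python dependencies, the ignore entry needs revisiting; if the exclusion is deliberate, record the rationale in the PR description, since renovate.json is strict JSON and cannot carry a comment. `dependencyDashboardOSVVulnerabilitySummary: "all"` is only visible through the dependency dashboard issue, which this hunk does not show as enabled, so confirm the dashboard is on or the setting has no effect. The enclosing configuration object starts before this hunk.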
@@ -22,19 +22,28 @@ permissions: jobs: check_dockerfile: name: Validate Dockerfile - runs-on: ubuntu-latest + runs-on: ubuntu-slim if: ${{ inputs.is_test }} environment: name: code_quality steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - name: Install APT packages + run: | + sudo apt-get update + sudo apt-get install -y docker.io + sudo systemctl start docker - name: Log in to ${{ inputs.registry }} Registry uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: registry: ${{ inputs.registry }} username: mh0386 password: ${{ inputs.registry == 'ghcr.io' && secrets.GH_TOKEN || inputs.registry == 'docker.io' && secrets.TOKEN_KEY_DOCKER }} + - name: Set up QEMU + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: Validate build configuration uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: @@ -55,16 +64,13 @@ jobs: name: Build and push Docker image to ${{ inputs.registry }} needs: check_dockerfile if: ${{ always() && !cancelled() }} - runs-on: ubuntu-latest + runs-on: ubuntu-slim outputs: image_tag: ${{ steps.tag.outputs.TAG }} environment: name: docker_image url: ${{inputs.registry}}/${{github.repository}} steps: - - name: Free Disk Space - if: github.event_name != 'pull_request' - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1 - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Get Python version from pyproject.toml 
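Review bot: The new `Install APT packages` step in the check_dockerfile hunk (@@ -22) installs `docker.io` from the Ubuntu archive with no version pin, so the engine used to validate the Dockerfile changes whenever the runner's apt mirror does, while every action in the same step list is pinned to a full commit SHA with a version comment. Consider `sudo apt-get install -y --no-install-recommends docker.io=<placeholder: version>` so the engine version is as deterministic as the actions around it, and note that `sudo systemctl start docker` is presumably redundant after the package install on Ubuntu — verify on ubuntu-slim rather than assuming. This three-line `run: |` setup also differs from the build_image and docker_scout jobs later in the file, which install docker.io on one line and then add docker/setup-docker-action on top; pick one setup path so all three jobs exercise the same engine. The job's remaining steps (the build configuration validation) continue past this hunk.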
@@ -72,6 +78,18 @@ jobs: uses: mikefarah/yq@0ecdce24e83f0fa127940334be98c86b07b0c488 # v4.48.1 with: cmd: yq -roy '.project.requires-python' pyproject.toml + - name: Install APT packages + run: sudo apt-get update && sudo apt-get install -y docker.io + - name: Set up Docker + uses: docker/setup-docker-action@v4.5.0 + with: + daemon-config: | + { + "debug": true, + "features": { + "containerd-snapshotter": true + } + } - name: Log in to ${{ inputs.registry }} Registry uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: @@ -126,7 +144,7 @@ jobs: name: Docker Scout (${{ matrix.commands }}) needs: build_image if: ${{ always() && !cancelled() }} - runs-on: ubuntu-latest + runs-on: ubuntu-slim environment: name: docker_image strategy: @@ -137,6 +155,18 @@ jobs: - cves - recommendations steps: + - name: Install APT packages + run: sudo apt-get update && sudo apt-get install -y docker.io + - name: Set up Docker + uses: docker/setup-docker-action@v4.5.0 + with: + daemon-config: | + { + "debug": true, + "features": { + "containerd-snapshotter": true + } + } - name: Log in to ${{ inputs.registry }} Registry uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: @@ -155,7 +185,7 @@ jobs: api_test: name: API Test needs: build_image - runs-on: ubuntu-latest + runs-on: ubuntu-slim if: ${{ always() && !cancelled() && inputs.is_test }} environment: name: api_test @@ -194,7 +224,7 @@ jobs: - api_test - docker_scout if: ${{ always() && !cancelled() && inputs.registry == 'ghcr.io' }} - runs-on: ubuntu-latest + runs-on: ubuntu-slim environment: name: docker_image steps: diff --git a/.github/workflows/.lint.yaml b/.github/workflows/.lint.yaml index dd1d058b..ca4c2c16 100644 --- a/.github/workflows/.lint.yaml +++ b/.github/workflows/.lint.yaml @@ -8,7 +8,7 @@ permissions: jobs: format: name: Format - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: write environment: 
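Review bot: `uses: docker/setup-docker-action@v4.5.0` in the build_image hunk (@@ -72) references a mutable tag, whereas every other action in this file (checkout, login-action, setup-qemu-action, setup-buildx-action, build-push-action, yq) is pinned to a full commit SHA with a trailing version comment; the same unpinned reference appears again in the docker_scout hunk at @@ -137. Pin it the same way: `uses: docker/setup-docker-action@<placeholder: full commit sha> # v4.5.0`. Separately, the step installs `docker.io` via apt immediately before setup-docker-action, which provisions a Docker engine itself, so the apt step is redundant here and, as far as I can tell, risks two installs contending for the same daemon socket — drop it if setup-docker-action is the chosen path (this is also the reverse of what check_dockerfile does earlier in the file). `"debug": true` in daemon-config turns on verbose daemon logging for every run; unless the containerd-snapshotter setup is actively being diagnosed, leave it out so the build log stays readable. The build_image job's step list begins before and continues past this hunk.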
@@ -37,7 +37,7 @@ jobs: commit_options: '--no-verify' check: name: Check - runs-on: ubuntu-latest + runs-on: ubuntu-slim environment: name: code_quality needs: format diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 798109ea..d3d414e4 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -20,7 +20,7 @@ jobs: UV_LINK_MODE: "copy" permissions: contents: write - runs-on: ubuntu-latest + runs-on: ubuntu-slim steps: - name: Checkout Code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 @@ -64,7 +64,7 @@ jobs: github_release: name: Create GitHub Release needs: setup_and_build - runs-on: ubuntu-latest + runs-on: ubuntu-slim environment: name: github url: ${{github.event.repository.html_url}}/releases/tag/${{github.ref_name}} diff --git a/.github/workflows/ci_tools.yaml b/.github/workflows/ci_tools.yaml index 61fe6d75..e4a4e07e 100644 --- a/.github/workflows/ci_tools.yaml +++ b/.github/workflows/ci_tools.yaml @@ -15,7 +15,7 @@ concurrency: jobs: trunk_upgrade: name: Upgrade Trunk - runs-on: ubuntu-latest + runs-on: ubuntu-slim if: github.event_name == 'schedule' permissions: contents: write @@ -28,7 +28,7 @@ jobs: uses: trunk-io/trunk-action/upgrade@75699af9e26881e564e9d832ef7dc3af25ec031b # v1 cache_trunk: name: Cache Trunk - runs-on: ubuntu-latest + runs-on: ubuntu-slim if: github.event_name == 'push' permissions: actions: write diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index df6454c4..45564451 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -10,7 +10,7 @@ concurrency: jobs: pypi: name: Upload Python Package - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: contents: read id-token: write diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 5df150e4..5605933f 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml 
@@ -12,7 +12,7 @@ permissions: read-all jobs: compatibility: name: Check Dependency Compatibility - runs-on: ubuntu-latest + runs-on: ubuntu-slim environment: name: code_quality permissions: