DefectDojo · rossops · Nov 3, 2025 · Oct 6, 2025 · Oct 6, 2025 · Oct 7, 2025
@@ -26,7 +26,7 @@ This checklist is for your information.
 - [ ] Bugfixes should be submitted against the `bugfix` branch.
 - [ ] Give a meaningful name to your PR, as it may end up being used in the release notes.
 - [ ] Your code is flake8 compliant.
-- [ ] Your code is python 3.12 compliant.
+- [ ] Your code is python 3.13 compliant.
 - [ ] If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
 - [ ] Model changes must include the necessary migrations in the dojo/db_migrations folder.
 - [ ] Add applicable tests to the unit tests.

@@ -67,7 +67,7 @@ jobs:
       # export docker images to be used in next jobs below
       - name: Upload image ${{ matrix.docker-image }} as artifact
         timeout-minutes: 15
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: built-docker-image-${{ matrix.docker-image }}-${{ matrix.os }}-${{ env.PLATFORM }}
           path: ${{ matrix.docker-image }}-${{ matrix.os }}-${{ env.PLATFORM }}_img

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Close issues and PRs that are pending closure
-        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+        uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
         with:
           # Disable automatic stale marking - only close manually labeled items
           days-before-stale: -1

@@ -51,7 +51,7 @@ jobs:
         run: docker compose down
 
       - name: Upload oas.${{ matrix.file-type }} as artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: oas-${{ matrix.file-type }}
           path: oas.${{ matrix.file-type }}

@@ -19,9 +19,9 @@ jobs:
           extended: true
 
       - name: Setup Node
-        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
-          node-version: '22.20.0'
+          node-version: '24.11.0' # TODO: Renovate helper might not be needed here - needs to be fully tested
 
       - name: Cache dependencies
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0

@@ -58,7 +58,7 @@ jobs:
 
       # load docker images from build jobs
       - name: Load images from artifacts
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           path: built-docker-image
           pattern: built-docker-image-*
@@ -76,7 +76,7 @@ jobs:
         run: ln -s docker-compose.override.integration_tests.yml docker-compose.override.yml
 
       - name: Start Dojo
-        run: docker compose up --no-deps -d postgres nginx celerybeat celeryworker mailhog uwsgi redis
+        run: docker compose up --no-deps -d postgres nginx celerybeat celeryworker mailhog uwsgi valkey
         env:
           DJANGO_VERSION: ${{ matrix.os }}
           NGINX_VERSION: alpine

@@ -5,15 +5,6 @@ on:
 
 env:
   DD_HOSTNAME: defectdojo.default.minikube.local
-  HELM_REDIS_BROKER_SETTINGS: " \
-    --set redis.enabled=true \
-    --set celery.broker=redis \
-    --set createRedisSecret=true \
-    "
-  HELM_PG_DATABASE_SETTINGS: " \
-    --set postgresql.enabled=true \
-    --set createPostgresqlSecret=true \
-   "
 jobs:
   setting_minikube_cluster:
     name: Kubernetes Deployment
@@ -23,11 +14,11 @@ jobs:
       matrix:
         include:
           # databases, broker and k8s are independent, so we don't need to test each combination
-          # lastest k8s version (https://kubernetes.io/releases/) and oldest supported version from aws
-          # are tested (https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#available-versions)
-          - databases: pgsql
-            brokers: redis
-            k8s: 'v1.34.0' # renovate: datasource=github-releases depName=kubernetes/kubernetes
+          # lastest k8s version (https://kubernetes.io/releases/) and the oldest officially supported version
+          # are tested (https://kubernetes.io/releases/)
+          - k8s: 'v1.34.0' # renovate: datasource=github-releases depName=kubernetes/kubernetes versioning=loose
+            os: debian
+          - k8s: 'v1.31.13' # Do not track with renovate as we likely want to rev this manually
             os: debian
     steps:
       - name: Checkout
@@ -47,7 +38,7 @@ jobs:
           minikube status
 
       - name: Load images from artifacts
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           path: built-docker-image
           pattern: built-docker-image-*
@@ -68,12 +59,6 @@ jobs:
              helm dependency list ./helm/defectdojo
              helm dependency update ./helm/defectdojo
 
-      - name: Set confings into Outputs
-        id: set
-        run: |-
-              echo "pgsql=${{ env.HELM_PG_DATABASE_SETTINGS }}" >> $GITHUB_ENV
-              echo "redis=${{ env.HELM_REDIS_BROKER_SETTINGS }}" >> $GITHUB_ENV
-
       - name: Deploying Django application with ${{ matrix.databases }} ${{ matrix.brokers }}
         timeout-minutes: 15
         run: |-
@@ -84,10 +69,14 @@ jobs:
                defectdojo \
                ./helm/defectdojo \
                --set django.ingress.enabled=true \
+               --set images.django.image.tag=latest \
+               --set images.nginx.image.tag=latest \
                --set imagePullPolicy=Never \
                --set initializer.keepSeconds="-1" \
-               ${{ env[matrix.databases] }} \
-               ${{ env[matrix.brokers] }} \
+               --set redis.enabled=true \
+               --set createRedisSecret=true \
+               --set postgresql.enabled=true \
+               --set createPostgresqlSecret=true \
                --set createSecret=true
 
       - name: Check deployment status

@@ -98,7 +98,7 @@ jobs:
           chart-search-root: "helm/defectdojo"
 
       - name: Push version changes
-        uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
+        uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
         with:
           commit_user_name: "${{ env.GIT_USERNAME }}"
           commit_user_email: "${{ env.GIT_EMAIL }}"

@@ -86,7 +86,7 @@ jobs:
           chart-search-root: "helm/defectdojo"
 
       - name: Push version changes
-        uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
+        uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
         with:
           commit_user_name: "${{ env.GIT_USERNAME }}"
           commit_user_email: "${{ env.GIT_EMAIL }}"
@@ -162,7 +162,7 @@ jobs:
           chart-search-root: "helm/defectdojo"
 
       - name: Push version changes
-        uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
+        uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
         with:
           commit_user_name: "${{ env.GIT_USERNAME }}"
           commit_user_email: "${{ env.GIT_EMAIL }}"

@@ -47,7 +47,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Load OAS files from artifacts
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           pattern: oas-*
 

@@ -89,7 +89,7 @@ jobs:
 
         # upload the digest file as artifact
       - name: Upload digest
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: digests-${{ matrix.docker-image}}-${{ matrix.os }}-${{ env.PLATFORM }}
           path: ${{ runner.temp }}/digests/*

@@ -69,16 +69,6 @@ jobs:
              helm dependency list ./helm/defectdojo
              helm dependency update ./helm/defectdojo
 
-      - name: Add yq
-        uses: mikefarah/yq@6251e95af8df3505def48c71f3119836701495d6 # v4.47.2
-
-      - name: Pin version docker version
-        id: pin_image
-        run: |-
-          yq --version
-          yq -i '.tag="${{ inputs.release_number }}"'  helm/defectdojo/values.yaml
-          echo "Current image tag:`yq -r '.tag' helm/defectdojo/values.yaml`"
-
       - name: Package Helm chart
         id: package-helm-chart
         run: |
@@ -87,7 +77,7 @@ jobs:
           echo "chart_version=$(ls build | cut -d '-' -f 2,3 | sed 's|\.tgz||')" >> $GITHUB_ENV
 
       - name: Create release ${{ inputs.release_number }}
-        uses: softprops/action-gh-release@62c96d0c4e8a889135c1f3a25910db8dbe0e85f7 # v2.3.4
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
         with:
           name: '${{ inputs.release_number }} 🌈'
           tag_name: ${{ inputs.release_number }}

@@ -41,7 +41,7 @@ jobs:
 
       # only download digests for this image and this os
     - name: Download digests
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         path: ${{ runner.temp }}/digests
         pattern: digests-${{ matrix.docker-image}}-${{ matrix.os }}-*

@@ -21,4 +21,4 @@ jobs:
         uses: suzuki-shunsuke/github-action-renovate-config-validator@c22827f47f4f4a5364bdba19e1fe36907ef1318e # v1.1.1
         with:
           strict: "true"
-          validator_version: 41.146.0 # renovate: datasource=github-releases depName=renovatebot/renovate
+          validator_version: 41.168.0 # renovate: datasource=github-releases depName=renovatebot/renovate
@@ -36,7 +36,7 @@ jobs:
 
       # load docker images from build jobs
       - name: Load images from artifacts
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           path: built-docker-image
           pattern: built-docker-image-*

@@ -2,124 +2,17 @@
 name: Shellcheck
 on:
   pull_request:
-env:
-  SHELLCHECK_REPO: 'koalaman/shellcheck'
-  SHELLCHECK_VERSION: 'v0.9.0' # renovate: datasource=github-releases depName=koalaman/shellcheck
-  SHELLCHECK_SHA: '038fd81de6b7e20cc651571362683853670cdc71' # Renovate config is not currently adjusted to update hash - it needs to be done manually for now
+
 jobs:
   shellcheck:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
-      - name: Grab shellcheck
-        run: |
-          set -e
-
-          SHELLCHECK_TARBALL_URL="https://github.com/${SHELLCHECK_REPO}/releases/download/${SHELLCHECK_VERSION}/shellcheck-${SHELLCHECK_VERSION}.linux.x86_64.tar.xz"
-          SHELLCHECK_TARBALL_LOC="shellcheck.tar.xz"
-          curl -L "${SHELLCHECK_TARBALL_URL}" -o "${SHELLCHECK_TARBALL_LOC}"
-          tarball_sha=$(shasum ${SHELLCHECK_TARBALL_LOC} | awk '{print $1}')
-          if [ "${tarball_sha}" != "${SHELLCHECK_SHA}" ]; then
-            echo "Got invalid SHA for shellcheck: ${tarball_sha}"
-            exit 1
-          fi
-          tar -xvf "${SHELLCHECK_TARBALL_LOC}"
-          cd "shellcheck-${SHELLCHECK_VERSION}" || exit 1
-          mv shellcheck "${GITHUB_WORKSPACE}/shellcheck"
-
-      - name: Run shellcheck
-        shell: bash
-        run: |
-          set -o pipefail
-
-          # Make sure we already put the proper shellcheck binary in place
-          if [ ! -f "./shellcheck" ]; then
-              echo "shellcheck not found"
-              exit 1
-          fi
-
-          # Make sure we know what to compare the PR's changes against
-          if [ -z "${GITHUB_BASE_REF}" ]; then
-              echo "No base reference supplied"
-              exit 1
-          fi
-
-          num_findings=0
-
-          # Execute shellcheck and add errors based on the output
-          run_shellcheck() {
-              local modified_shell_script="${1}"
-              local findings_file="findings.txt"
-
-              # Remove leftover findings file from previous iterations
-              if [ -f "${findings_file}" ]; then
-                  rm "${findings_file}"
-              fi
-
-              echo "Running shellcheck against ${modified_shell_script}..."
-
-              # If shellcheck reported no errors (exited with 0 status code), return
-              if ./shellcheck -f json -S warning "${modified_shell_script}" | jq -c '.[]' > "${findings_file}"; then
-                  return 0
-              fi
-
-              # Walk each of the individual findings
-              while IFS= read -r finding; do
-                  num_findings=$((num_findings+1))
-
-                  line=$(echo "${finding}" | jq '.line')
-                  end_line=$(echo "${finding}" | jq '.endLine')
-                  column=$(echo "${finding}" | jq '.column')
-                  end_column=$(echo "${finding}" | jq '.endColumn')
-                  code=$(echo "${finding}" | jq '.code')
-                  title="SC${code}"
-                  message="$(echo "${finding}" | jq -r '.message') See https://github.com/koalaman/shellcheck/wiki/${title}"
-
-                  echo "Line: ${line}"
-                  echo "End line: ${end_line}"
-                  echo "Column: ${column}"
-                  echo "End column: ${end_column}"
-                  echo "Title: ${title}"
-                  echo "Message: ${message}"
-
-                  # Raise an error with the file/line/etc
-                  echo "::error file=${modified_shell_script},line=${line},endLine=${end_line},column=${column},endColumn=${end_column},title=${title}::${message}"
-              done < ${findings_file}
-          }
-
-          # Find the shell scripts that were created or modified by this PR
-          find_modified_shell_scripts() {
-              shell_scripts="shell_scripts.txt"
-              modified_files="modified_files.txt"
-              modified_shell_scripts="modified_shell_scripts.txt"
-
-              find . -name "*.sh" -or -name "*.bash" | sed 's#^\./##' > "${shell_scripts}"
-              git diff --name-only "origin/${GITHUB_BASE_REF}" HEAD > "${modified_files}"
-
-              if [ ! -s "${shell_scripts}" ] || [ ! -s "${modified_files}" ]; then
-                  echo "No modified shell scripts detected"
-                  exit 0
-              fi
-
-              if ! grep -Fxf "${shell_scripts}" "${modified_files}" > "${modified_shell_scripts}"; then
-                echo "No modified shell scripts detected"
-                exit 0
-              fi
-          }
-
-          git fetch origin "${GITHUB_BASE_REF}" || exit 1
-
-          find_modified_shell_scripts
-
-          # Loop through the modified shell scripts
-          while IFS= read -r modified_shell_script; do
-              run_shellcheck "${modified_shell_script}"
-          done < ${modified_shell_scripts}
-
-          # If shellcheck reported any findings, fail the workflow
-          if [ ${num_findings} -gt 0 ]; then
-              echo "shellcheck reported ${num_findings} findings."
-              exit 1
-          fi
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
+        with:
+          version: 'v0.11.0' # renovate: datasource=github-releases depName=koalaman/shellcheck versioning=loose
+        env:
+          SHELLCHECK_OPTS: -e SC1091 -e SC2086  # TODO: fix following findings