Merge branch 'main-enterprise' into feat/github-action-mode-pr-comments

Author: decyjphr

.devcontainer/Dockerfile

@@ -1,6 +1,6 @@
 # See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.195.0/containers/javascript-node/.devcontainer/base.Dockerfile
-# [Choice] Node.js version (use -bullseye variants on local arm64/Apple Silicon): 16, 14, 12, 16-bullseye, 14-bullseye, 12-bullseye, 16-buster, 14-buster, 12-buster
-ARG VARIANT=20-bookworm
+# [Choice] Node.js version/variant (use -bookworm variants on local arm64/Apple Silicon): e.g. 22-bookworm, 20-bookworm, 18-bookworm
+ARG VARIANT=22-bookworm
 FROM mcr.microsoft.com/devcontainers/javascript-node:1-${VARIANT}
 
 # [Optional] Uncomment this section to install additional OS packages.
@@ -23,7 +23,10 @@ RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip" -o "aws
   rm -rf ./aws && \
   rm awscliv2.zip
 # Install sam cli
-RUN curl -L "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-$(dpkg --print-architecture).zip" -o "aws-sam-cli.zip" && \
+RUN ARCH_RAW=$(uname -m) && \
+  ARCH=$ARCH_RAW && \
+  if [ "$ARCH_RAW" = "aarch64" ]; then ARCH="arm64"; fi && \
+  curl -L "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-${ARCH}.zip" -o "aws-sam-cli.zip" && \
   unzip aws-sam-cli.zip -d sam-installation && \
   sudo ./sam-installation/install && \
   rm -rf ./sam-installation && \

.devcontainer/devcontainer.json

@@ -4,10 +4,10 @@
 	"name": "Node.js",
 	"build": {
 		"dockerfile": "Dockerfile",
-		// Update 'VARIANT' to pick a Node version: 16, 14, 12.
-		// Append -bullseye or -buster to pin to an OS version.
-		// Use -bullseye variants on local arm64/Apple Silicon.
-		"args": { "VARIANT": "20-bookworm" }
+		// Update 'VARIANT' to pick a Node version, e.g. 22, 20, 18.
+		// Append -bookworm or -bullseye to pin to an OS version.
+		// Use -bookworm variants on local arm64/Apple Silicon.
+		"args": { "VARIANT": "22-bookworm" }
 	},
 
 	"settings": {},

.github/workflows/advanced-codeql.yml

@@ -0,0 +1,72 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+  workflow_dispatch: 
+  push:
+    branches: [ "main-enterprise" ]
+  pull_request:
+    branches: [ "main-enterprise" ]
+
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: actions
+          build-mode: none
+        - language: javascript-typescript
+          build-mode: none
+        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
+        # Use `c-cpp` to analyze code written in C, C++ or both
+        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+    steps:
+    - name: 'Checkout repository'
+      uses: actions/checkout@v4
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v4
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v4
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/create-pre-release.yml

@@ -46,7 +46,7 @@ jobs:
       - name: Setup node
         uses: actions/setup-node@v6
         with:
-          node-version: 16.x
+          node-version: 22.x
           cache: 'npm'
       - run: npm install
       - name: Set up Docker Buildx

.github/workflows/create-release.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Setup node
         uses: actions/setup-node@v6
         with:
-          node-version: 16.x
+          node-version: 22.x
           cache: "npm"
       - run: npm install
       - name: Set up Docker Buildx

.github/workflows/node-ci.yml

@@ -11,7 +11,7 @@ concurrency:
 
 jobs:
   test:
-    if: ${{ github.actor != 'dependabot'}}
+    if: ${{ github.actor != 'dependabot[bot]'}}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -25,5 +25,5 @@ jobs:
     strategy:
       matrix:
         node-version:
-          - 18
-          - 20
+          - 22
+          - 24

.github/workflows/rc-release.yml

@@ -27,7 +27,7 @@ jobs:
     - name: Use Node.js
       uses: actions/setup-node@v6
       with:
-        node-version: 16.x
+        node-version: 22.x
         cache: npm
     - run: npm ci
     - run: npm run build --if-present

.nvmrc

@@ -1 +1 @@
-v20
+v22

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:20-alpine
+FROM node:22-alpine
 WORKDIR /opt/safe-settings
 ENV NODE_ENV production
 ## Set the Labels

helm/safe-settings/README.md

@@ -9,22 +9,15 @@ A Helm chart for Kubernetes
 | affinity | object | `{}` |  |
 | autoscaling.enabled | bool | `false` |  |
 | autoscaling.maxReplicas | int | `10` |  |
-| autoscaling.minReplicas | int | `2` |  |
+| autoscaling.minReplicas | int | `1` |  |
 | autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
-| deploymentConfig.configvalidators[0].error | string | `"`Admin cannot be assigned to collaborators`\n"` |  |
-| deploymentConfig.configvalidators[0].plugin | string | `"collaborators"` |  |
-| deploymentConfig.configvalidators[0].script | string | `"console.log(`baseConfig ${JSON.stringify(baseconfig)}`)\nreturn baseconfig.permission != 'admin'\n"` |  |
-| deploymentConfig.overridevalidators[0].error | string | `"`Branch protection required_approving_review_count cannot be overidden to a lower value`\n"` |  |
-| deploymentConfig.overridevalidators[0].plugin | string | `"branches"` |  |
-| deploymentConfig.overridevalidators[0].script | string | `"console.log(`baseConfig ${JSON.stringify(baseconfig)}`)\nconsole.log(`overrideConfig ${JSON.stringify(overrideconfig)}`)\nif (baseconfig.protection.required_pull_request_reviews.required_approving_review_count && overrideconfig.protection.required_pull_request_reviews.required_approving_review_count ) {\n  return overrideconfig.protection.required_pull_request_reviews.required_approving_review_count >= baseconfig.protection.required_pull_request_reviews.required_approving_review_count\n}\nreturn true\n"` |  |
-| deploymentConfig.overridevalidators[1].error | string | `"Some error\n"` |  |
-| deploymentConfig.overridevalidators[1].plugin | string | `"labels"` |  |
-| deploymentConfig.overridevalidators[1].script | string | `"return true\n"` |  |
+| deploymentConfig.configvalidators | list | [] |  |
+| deploymentConfig.overridevalidators | list | [] |  |
 | deploymentConfig.restrictedRepos.exclude[0] | string | `"^admin$"` |  |
 | deploymentConfig.restrictedRepos.exclude[1] | string | `"^\\.github$"` |  |
 | deploymentConfig.restrictedRepos.exclude[2] | string | `"^safe-settings$"` |  |
 | deploymentConfig.restrictedRepos.exclude[3] | string | `".*-test"` |  |
-| deploymentConfig.restrictedRepos.include[0] | string | `"^test$"` |  |
+| deploymentConfig.restrictedRepos.include | null | `null` |  |
 | env | list | `[]` |  |
 | envFrom | list | `[]` |  |
 | extraObjects | list | `[]` | Add dynamic manifests via values. Example: extraObjects: - kind: ConfigMap   apiVersion: v1   metadata:     name: extra-cm-{{ .Release.Name }}   data: |     extra.yml: "does-my-install-need-extra-info: true" |
@@ -44,15 +37,15 @@ A Helm chart for Kubernetes
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
-| replicaCount | int | `2` |  |
+| replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
 | securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | securityContext.capabilities.drop[0] | string | `"ALL"` |  |
 | securityContext.privileged | bool | `false` |  |
 | securityContext.readOnlyRootFilesystem | bool | `true` |  |
 | securityContext.runAsNonRoot | bool | `true` |  |
 | securityContext.runAsUser | int | `1000` |  |
-| service.port | int | `80` |  |
+| service.port | int | `3000` |  |
 | service.type | string | `"ClusterIP"` |  |
 | serviceAccount.annotations | object | `{}` |  |
 | serviceAccount.automountServiceAccountToken | bool | `false` |  |