chore(deps): bump the github-actions-dependencies group across 8 directories with 9 updates

.devcontainer/devcontainer.json

@@ -1,29 +1,29 @@
 {
-  "name": "Alpine",
-  "image": "mcr.microsoft.com/devcontainers/base:alpine-3.21",
-  "features": {
-    "ghcr.io/devcontainers/features/docker-in-docker:3": {},
-    "ghcr.io/devcontainers/features/github-cli:1": {},
-    "ghcr.io/devcontainers-extra/features/act:1": {}
-  },
-  "remoteEnv": {
-    "GITHUB_TOKEN": "${localEnv:GITHUB_TOKEN}"
-  },
-  "customizations": {
-    "vscode": {
-      "extensions": [
-        "eamodio.gitlens",
-        "github.vscode-github-actions",
-        "github.copilot",
-        "github.copilot-chat",
-        "ms-vscode.makefile-tools",
-        "esbenp.prettier-vscode",
-        "ms-azuretools.vscode-containers",
-        "Tim-Koehler.helm-intellisense"
-      ],
-      "settings": {
-        "terminal.integrated.defaultProfile.linux": "zsh"
-      }
-    }
-  }
+	"name": "Alpine",
+	"image": "mcr.microsoft.com/devcontainers/base:alpine-3.21",
+	"features": {
+		"ghcr.io/devcontainers/features/docker-in-docker:3": {},
+		"ghcr.io/devcontainers/features/github-cli:1": {},
+		"ghcr.io/devcontainers-extra/features/act:1": {}
+	},
+	"remoteEnv": {
+		"GITHUB_TOKEN": "${localEnv:GITHUB_TOKEN}"
+	},
+	"customizations": {
+		"vscode": {
+			"extensions": [
+				"eamodio.gitlens",
+				"github.vscode-github-actions",
+				"github.copilot",
+				"github.copilot-chat",
+				"ms-vscode.makefile-tools",
+				"esbenp.prettier-vscode",
+				"ms-azuretools.vscode-containers",
+				"Tim-Koehler.helm-intellisense"
+			],
+			"settings": {
+				"terminal.integrated.defaultProfile.linux": "zsh"
+			}
+		}
+	}
 }

.github/dependabot.yml

@@ -4,6 +4,8 @@ updates:
   - package-ecosystem: docker
     open-pull-requests-limit: 20
     directory: "/"
+    cooldown:
+      default-days: 7
     schedule:
       interval: weekly
       day: friday
@@ -18,6 +20,8 @@ updates:
     directories:
       - "/"
       - "/actions/**/*"
+    cooldown:
+      default-days: 7
     schedule:
       interval: weekly
       day: friday
@@ -31,6 +35,8 @@ updates:
     open-pull-requests-limit: 20
     directories:
       - "/tests/charts/*/*"
+    cooldown:
+      default-days: 7
     schedule:
       interval: weekly
       day: friday
@@ -43,6 +49,8 @@ updates:
   - package-ecosystem: "devcontainers"
     open-pull-requests-limit: 20
     directory: "/"
+    cooldown:
+      default-days: 7
     schedule:
       interval: weekly
       day: friday
@@ -52,6 +60,8 @@ updates:
     open-pull-requests-limit: 20
     directories:
       - "/actions/**/*"
+    cooldown:
+      default-days: 7
     schedule:
       interval: weekly
       day: friday

.github/linters/.codespellrc

@@ -0,0 +1,2 @@
+[codespell]
+skip = *.svg,**/package-lock.json,**/node_modules/**

.github/linters/.jscpd.json

@@ -1,4 +1,4 @@
 {
-  "threshold": 5,
-  "ignore": ["**/tests/**", "**/node_modules/**"]
+	"threshold": 5,
+	"ignore": ["**/tests/**", "**/node_modules/**"]
 }

.github/linters/trivy-data/ksv0125.yaml

@@ -0,0 +1,9 @@
+---
+ksv0125:
+  trusted_registries:
+    - ghcr.io
+    - docker.io
+    - quay.io
+    - gcr.io
+    - k8s.gcr.io
+    - registry.k8s.io

.github/linters/trivy.yaml

@@ -0,0 +1,13 @@
+---
+exit-code: 1
+exit-on-eol: 2
+ignorefile: .trivyignore.yaml
+scan:
+  disable-telemetry: true
+  scanners:
+    - vuln
+    - misconfig
+    - secret
+rego:
+  data:
+    - .github/linters/trivy-data

.github/workflows/__greetings.yml

@@ -3,14 +3,15 @@ name: Greetings
 on:
   issues:
     types: [opened]
-  pull_request_target:
+  pull_request:
+    types: [opened]
     branches: [main]
 
 permissions: {}
 
 jobs:
   greetings:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/greetings.yml@66578f5b9aec4ac5558b5dad750c4c74dfcb65c5 # 0.35.5
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/greetings.yml@6a0fdae9e2598eccf7a9ec2bc20e7ce8e7c10c48 # 0.36.4
     permissions:
       contents: read
       issues: write

.github/workflows/__main-ci.yml

@@ -29,7 +29,8 @@ jobs:
       pull-requests: read
       security-events: write
       statuses: write
-    secrets: inherit
+    secrets:
+      CI_BOT_APP_PRIVATE_KEY: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
 
   clean:
     needs: ci
@@ -73,17 +74,19 @@ jobs:
       pull-requests: write
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - uses: ./actions/helm/generate-docs
         with:
           working-directory: ./tests/charts
           github-app-client-id: ${{ vars.CI_BOT_APP_CLIENT_ID }}
-          github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
+          github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }} # zizmor: ignore[secrets-outside-env]
 
   release:
     needs: ci
     if: github.event_name != 'schedule'
-    uses: hoverkraft-tech/ci-github-publish/.github/workflows/release-actions.yml@84d583ba7b357f9476707f54cf5419d630ae0145 # 0.26.2
+    uses: hoverkraft-tech/ci-github-publish/.github/workflows/release-actions.yml@b2562b46714e535a0113f90f554b55e1248212c1 # 0.26.3
     permissions:
       contents: read
     with:

.github/workflows/__need-fix-to-issue.yml

@@ -21,7 +21,7 @@ permissions: {}
 
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@66578f5b9aec4ac5558b5dad750c4c74dfcb65c5 # 0.35.5
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@6a0fdae9e2598eccf7a9ec2bc20e7ce8e7c10c48 # 0.36.4
     permissions:
       contents: read
       issues: write

.github/workflows/__pull-request-ci.yml

@@ -24,4 +24,5 @@ jobs:
       pull-requests: read
       security-events: write
       statuses: write
-    secrets: inherit
+    secrets:
+      CI_BOT_APP_PRIVATE_KEY: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}

.github/workflows/__semantic-pull-request.yml

@@ -2,7 +2,7 @@
 name: "Pull Request - Semantic Lint"
 
 on:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - edited
@@ -12,7 +12,7 @@ permissions: {}
 
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/semantic-pull-request.yml@66578f5b9aec4ac5558b5dad750c4c74dfcb65c5 # 0.35.5
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/semantic-pull-request.yml@6a0fdae9e2598eccf7a9ec2bc20e7ce8e7c10c48 # 0.36.4
     permissions:
       contents: write
       pull-requests: write

.github/workflows/__shared-ci.yml

@@ -3,12 +3,15 @@ name: Internal - Common Continuous Integration tasks
 
 on: # yamllint disable-line rule:truthy
   workflow_call:
+    secrets:
+      CI_BOT_APP_PRIVATE_KEY:
+        required: false
 
 permissions: {}
 
 jobs:
   linter:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@66578f5b9aec4ac5558b5dad750c4c74dfcb65c5 # 0.35.5
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@6a0fdae9e2598eccf7a9ec2bc20e7ce8e7c10c48 # 0.36.4
     permissions:
       actions: read
       contents: read
@@ -84,7 +87,8 @@ jobs:
       issues: read
       packages: write
       pull-requests: read
-    secrets: inherit
+    secrets:
+      CI_BOT_APP_PRIVATE_KEY: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
 
   test-workflow-docker-build-images-caching:
     name: Test docker build images - Caching
@@ -96,7 +100,8 @@ jobs:
       issues: read
       packages: write
       pull-requests: read
-    secrets: inherit
+    secrets:
+      CI_BOT_APP_PRIVATE_KEY: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
 
   test-workflow-docker-build-images-multi-registry:
     name: Test docker build images - Multi registry inputs
@@ -108,7 +113,8 @@ jobs:
       issues: read
       packages: write
       pull-requests: read
-    secrets: inherit
+    secrets:
+      CI_BOT_APP_PRIVATE_KEY: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
 
   test-workflow-docker-build-images-platforms-and-signing:
     name: Test docker build images - Platforms and Signing
@@ -120,4 +126,5 @@ jobs:
       issues: read
       packages: write
       pull-requests: read
-    secrets: inherit
+    secrets:
+      CI_BOT_APP_PRIVATE_KEY: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}

.github/workflows/__stale.yml

@@ -9,7 +9,7 @@ permissions: {}
 
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@66578f5b9aec4ac5558b5dad750c4c74dfcb65c5 # 0.35.5
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@6a0fdae9e2598eccf7a9ec2bc20e7ce8e7c10c48 # 0.36.4
     permissions:
       issues: write
       pull-requests: write

.github/workflows/__test-action-docker-build-image.yml

@@ -161,8 +161,10 @@ jobs:
           password: ${{ github.token }}
 
       - name: Assert - Check docker image
+        env:
+          BUILT_IMAGE_OUTPUT: ${{ steps.build-image.outputs.built-image }}
         run: |
-          IMAGE=$(echo '${{ steps.build-image.outputs.built-image }}' | jq -r '.image')
+          IMAGE=$(echo "$BUILT_IMAGE_OUTPUT" | jq -r '.image')
           if ! docker pull "$IMAGE"; then
             echo "Failed to pull $IMAGE"
             exit 1
@@ -245,8 +247,10 @@ jobs:
           password: ${{ github.token }}
 
       - name: Assert - Check docker image
+        env:
+          BUILT_IMAGE_OUTPUT: ${{ steps.build-image.outputs.built-image }}
         run: |
-          IMAGE=$(echo '${{ steps.build-image.outputs.built-image }}' | jq -r '.image')
+          IMAGE=$(echo "$BUILT_IMAGE_OUTPUT" | jq -r '.image')
           if ! docker pull "$IMAGE"; then
             echo "Failed to pull $IMAGE"
             exit 1
@@ -341,8 +345,10 @@ jobs:
           password: ${{ github.token }}
 
       - name: Assert - Check docker image
+        env:
+          BUILT_IMAGE_OUTPUT: ${{ steps.build-image.outputs.built-image }}
         run: |
-          IMAGE=$(echo '${{ steps.build-image.outputs.built-image }}' | jq -r '.image')
+          IMAGE=$(echo "$BUILT_IMAGE_OUTPUT" | jq -r '.image')
           if ! docker pull "$IMAGE"; then
             echo "Failed to pull $IMAGE"
             exit 1

.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml

@@ -195,11 +195,11 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+      - uses: ./actions/docker/setup
         with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          oci-registry: ghcr.io
+          oci-registry-username: ${{ github.repository_owner }}
+          oci-registry-password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Generate an image tag that should be deleted
         env:
@@ -318,17 +318,22 @@ jobs:
               assert.equal(packageVersionExists, false, `Package version "${process.env.TAG_TO_DELETE}" has not been deleted`);
             }
 
-      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
+
+      - uses: ./actions/docker/setup
+        with:
+          oci-registry: ghcr.io
+          oci-registry-username: ${{ github.repository_owner }}
+          oci-registry-password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Assert - Ensure current image tag didn't get deleted
         env:
           IMAGE_NAME: ${{ env.IMAGE_NAME }}
+          BUILT_IMAGES: ${{ needs.arrange-build-images.outputs.built-images }}
         run: |
-          for IMAGE_TAG in $(echo '${{ needs.arrange-build-images.outputs.built-images }}' | jq -r '."${{ env.IMAGE_NAME }}".images[]'); do
+          for IMAGE_TAG in $(echo "$BUILT_IMAGES" | jq -r --arg image_name "$IMAGE_NAME" '.[$image_name].images[]'); do
             docker pull "$IMAGE_TAG"
 
             if ! MANIFEST=$(docker manifest inspect "$IMAGE_TAG"); then

.github/workflows/__test-action-get-image-metadata.yml

@@ -25,7 +25,7 @@ jobs:
           oci-registry: ghcr.io
           image: application-test
 
-      - name: Assert - Check get image metadata ouputs
+      - name: Assert - Check get image metadata outputs
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           IMAGE_OUTPUT: ${{ steps.get-image-metadata.outputs.image }}
@@ -140,7 +140,7 @@ jobs:
           image: application-test
           tag: 1.0.0
 
-      - name: Assert - Check get image metadata ouputs
+      - name: Assert - Check get image metadata outputs
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           TAGS_OUTPUT: ${{ steps.get-image-metadata.outputs.tags }}

.github/workflows/__test-action-get-image-name.yml

@@ -24,7 +24,7 @@ jobs:
           oci-registry: ghcr.io
           image: application-test
 
-      - name: Check get image name ouputs
+      - name: Check get image name outputs
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           IMAGE_NAME_OUTPUT: ${{ steps.get-image-name.outputs.image-name }}
@@ -69,7 +69,7 @@ jobs:
           image: application-test
           repository: hoverkraft-tech/other-repository
 
-      - name: Check get image name ouput
+      - name: Check get image name output
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           IMAGE_NAME_OUTPUT: ${{ steps.get-image-name.outputs.image-name }}