nais · Kyrremann · Jun 5, 2026 · Jun 4, 2026 · Jun 4, 2026 · Jun 4, 2026
diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml
@@ -24,8 +24,8 @@ jobs:
         working-directory: actions/spa-setup-task
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # ratchet:actions/checkout@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # ratchet:actions/setup-node@v6
         with:
           node-version: '20'
       - run: yarn install
@@ -41,7 +41,7 @@ jobs:
         id: diff
 
       # If index.js was different than expected, upload the expected version as an artifact
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7
         if: ${{ failure() && steps.diff.conclusion == 'failure' }}
         with:
           name: dist

diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml
@@ -14,9 +14,30 @@ env:
   GOOGLE_REGISTRY: "europe-north1-docker.pkg.dev"
 
 jobs:
+  check:
+    name: Static analysis
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # ratchet:actions/checkout@v6
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v4
+      - run: mise run check
+
+  test:
+    name: Tests
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # ratchet:actions/checkout@v6
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v4
+      - run: mise run test
+
   build_and_push:
     name: Build, push and sign images
     runs-on: ubuntu-22.04
+    needs: [check, test]
     permissions:
       contents: "read"
       id-token: "write"
@@ -35,21 +56,41 @@ jobs:
             chart: true
           - component: canary-deployer
             chart: true
+            dockerfile: Dockerfile.deploy
+            target: canary-deployer
+          - component: deploy-action
+            dockerfile: Dockerfile.deploy
+            target: deploy-action
+          - component: deploy
+            target: deploy
     steps:
-      - uses: actions/checkout@v4 # ratchet:exclude
-      - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # ratchet:azure/setup-helm@v3
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # ratchet:actions/checkout@v6
+
+      - name: Set build metadata
+        id: meta
+        run: |
+          echo "last_commit=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+          echo "date=$(date '+%Y-%m-%d')" >> $GITHUB_OUTPUT
+          echo "buildtime=$(date '+%s')" >> $GITHUB_OUTPUT
+
+      - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # ratchet:azure/setup-helm@v5
         if: matrix.chart
         with:
           version: "v3.11.1"
       - name: "Build and push image"
-        uses: nais/platform-build-push-sign@main # ratchet:exclude
+        uses: nais/platform-build-push-sign@31014e4bcac554cb52525fe2364244c5166b84d2 # ratchet:nais/platform-build-push-sign@main
         id: build_push_sign
         with:
-          dockerfile: Dockerfile.${{ matrix.component }}
+          dockerfile: ${{ matrix.dockerfile || format('Dockerfile.{0}', matrix.component) }}
+          target: ${{ matrix.target }}
           name: ${{ matrix.component }}
           google_service_account: gh-deploy
           workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
           push: ${{ github.actor != 'dependabot[bot]' && github.ref == 'refs/heads/master' }}
+          build_args: |
+            LAST_COMMIT=${{ steps.meta.outputs.last_commit }}
+            DATE=${{ steps.meta.outputs.date }}
+            BUILDTIME=${{ steps.meta.outputs.buildtime }}
 
       - name: "Package chart"
         if: matrix.chart
@@ -78,7 +119,7 @@ jobs:
       - name: "Authenticate to Google Cloud"
         if: matrix.chart && github.ref == 'refs/heads/master'
         id: "auth"
-        uses: "google-github-actions/auth@v2" # ratchet:exclude
+        uses: "google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093" # ratchet:google-github-actions/auth@v3
         with:
           workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
           service_account: "gh-deploy@nais-io.iam.gserviceaccount.com"
@@ -113,7 +154,7 @@ jobs:
       - build_and_push
     steps:
       - name: "Deploy hookd"
-        uses: nais/fasit-deploy@v4 # ratchet:exclude
+        uses: nais/fasit-deploy@9f870e05e92cde6cfd827b13384ec09e80be65fd # ratchet:nais/fasit-deploy@v4
         with:
           chart: oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature/${{ needs.build_and_push.outputs.hookd_chart_name }}
           version: ${{ needs.build_and_push.outputs.hookd_chart_version }}
@@ -124,7 +165,7 @@ jobs:
             ]
 
       - name: "Deploy deployd"
-        uses: nais/fasit-deploy@v4 # ratchet:exclude
+        uses: nais/fasit-deploy@9f870e05e92cde6cfd827b13384ec09e80be65fd # ratchet:nais/fasit-deploy@v4
         with:
           chart: oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature/${{ needs.build_and_push.outputs.deployd_chart_name }}
           version: ${{ needs.build_and_push.outputs.deployd_chart_version }}
@@ -137,7 +178,7 @@ jobs:
             ]
 
       - name: "Deploy canary-deployer"
-        uses: nais/fasit-deploy@v4 # ratchet:exclude
+        uses: nais/fasit-deploy@9f870e05e92cde6cfd827b13384ec09e80be65fd # ratchet:nais/fasit-deploy@v4
         with:
           chart: oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature/${{ needs.build_and_push.outputs.canary_deployer_chart_name }}
           version: ${{ needs.build_and_push.outputs.canary_deployer_chart_version }}
@@ -154,11 +195,9 @@ jobs:
       - build_and_push
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4 # ratchet:exclude
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # ratchet:actions/checkout@v6
 
-      - uses: actions/setup-go@v5
-        with:
-          go-version: 'stable'
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v4
 
       - name: Force create tag
         env:
@@ -170,9 +209,9 @@ jobs:
 
       - name: Create deploy binaries
         run: |
-          make deploy-release-linux
-          make deploy-release-darwin
-          make deploy-release-windows
+          mise run release:linux
+          mise run release:darwin
+          mise run release:windows
 
       - name: Delete release if exists
         env:

diff --git a/.github/workflows/test-job.yaml b/.github/workflows/test-job.yaml
diff --git a/.github/workflows/test-naisjob-without-schedule.yaml b/.github/workflows/test-naisjob-without-schedule.yaml
diff --git a/.github/workflows/test-naisjob.yaml b/.github/workflows/test-naisjob.yaml
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -1 +1 @@
-* @navikt/aura
+* @navikt/nais
diff --git a/Dockerfile.canary-deployer b/Dockerfile.canary-deployer
diff --git a/Dockerfile.deploy b/Dockerfile.deploy
@@ -1,6 +1,9 @@
 FROM golang:1.26-alpine AS builder
 
-RUN apk add --no-cache git make curl
+ARG LAST_COMMIT=local
+ARG DATE=unknown
+ARG BUILDTIME=0
+
 ENV GOOS=linux
 ENV CGO_ENABLED=0
 
@@ -11,14 +14,36 @@ COPY go.sum .
 RUN go mod download
 COPY . .
 
-RUN make kubebuilder
-RUN make test
-RUN make deploy-alpine
+RUN go build -a -installsuffix cgo -o bin/deploy \
+    -ldflags "-s -X github.com/nais/deploy/pkg/version.Revision=${LAST_COMMIT} -X github.com/nais/deploy/pkg/version.Date=${DATE} -X github.com/nais/deploy/pkg/version.BuildUnixTime=${BUILDTIME}" \
+    ./cmd/deploy/
 
 
-FROM alpine:3
+FROM alpine:3 AS deploy
 
 WORKDIR /app
 RUN apk add --no-cache ca-certificates wget
 COPY --from=builder /src/bin/deploy .
 CMD ["/app/deploy"]
+
+
+FROM alpine:3 AS canary-deployer
+
+WORKDIR /app
+RUN apk add --no-cache ca-certificates
+COPY --from=builder /src/bin/deploy .
+ADD canary-deployer/deployer.sh /canary/deployer.sh
+ADD canary-deployer/canary.yml /canary/resource.yml
+ENV RESOURCE=/canary/resource.yml
+CMD ["/canary/deployer.sh"]
+
+
+FROM alpine:3 AS deploy-action
+
+WORKDIR /app
+ENV TZ="Europe/Oslo"
+RUN apk add --no-cache ca-certificates curl jq
+RUN curl -L -f https://github.com/mikefarah/yq/releases/download/2.4.1/yq_linux_amd64 > /usr/local/bin/yq && chmod +x /usr/local/bin/yq
+COPY --from=builder /src/bin/deploy .
+COPY actions/deploy/entrypoint.sh /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/Dockerfile.deploy-action b/Dockerfile.deploy-action
diff --git a/Dockerfile.deployd b/Dockerfile.deployd
@@ -1,6 +1,9 @@
 FROM golang:1.26-alpine AS builder
 
-RUN apk add --no-cache git make curl
+ARG LAST_COMMIT=local
+ARG DATE=unknown
+ARG BUILDTIME=0
+
 ENV GOOS=linux
 ENV CGO_ENABLED=0
 
@@ -11,9 +14,9 @@ COPY go.sum .
 RUN go mod download
 COPY . .
 
-RUN make kubebuilder
-RUN make test
-RUN make deployd-alpine
+RUN go build -a -installsuffix cgo -o bin/deployd \
+    -ldflags "-s -X github.com/nais/deploy/pkg/version.Revision=${LAST_COMMIT} -X github.com/nais/deploy/pkg/version.Date=${DATE} -X github.com/nais/deploy/pkg/version.BuildUnixTime=${BUILDTIME}" \
+    ./cmd/deployd/
 
 
 FROM alpine:3

diff --git a/Dockerfile.hookd b/Dockerfile.hookd
@@ -1,6 +1,9 @@
 FROM golang:1.26-alpine AS builder
 
-RUN apk add --no-cache git make curl
+ARG LAST_COMMIT=local
+ARG DATE=unknown
+ARG BUILDTIME=0
+
 ENV GOOS=linux
 ENV CGO_ENABLED=0
 
@@ -11,9 +14,9 @@ COPY go.sum .
 RUN go mod download
 COPY . .
 
-RUN make kubebuilder
-RUN make test
-RUN make hookd-alpine
+RUN go build -a -installsuffix cgo -o bin/hookd \
+    -ldflags "-s -X github.com/nais/deploy/pkg/version.Revision=${LAST_COMMIT} -X github.com/nais/deploy/pkg/version.Date=${DATE} -X github.com/nais/deploy/pkg/version.BuildUnixTime=${BUILDTIME}" \
+    ./cmd/hookd/
 
 
 FROM alpine:3