[#patch] fix: issues (#263)

notdodo · web-flow · commit 19d2c4c4954c · 2025-10-17T21:51:40.000+02:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -5,7 +5,6 @@ updates:
     schedule:
       interval: monthly
       time: "12:00"
-      day: wednesday
     commit-message:
       prefix: "[#patch]"
       include: scope
@@ -18,7 +17,6 @@ updates:
     schedule:
       interval: monthly
       time: "12:00"
-      day: sunday
     commit-message:
       prefix: "[#patch]"
       prefix-development: ""
diff --git a/.github/workflows/clean-branch-cache.yml b/.github/workflows/clean-branch-cache.yml
@@ -6,7 +6,7 @@ on:
         default: true
       runs-on:
         type: string
-        default: "ubuntu-latest"
+        default: 'ubuntu-latest'
 
 jobs:
   cleanup:
diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml
@@ -6,13 +6,13 @@ on:
         default: true
       dockerfile:
         type: string
-        default: "Dockerfile"
+        default: 'Dockerfile'
       egress-policy-allowlist:
         type: string
-        default: ""
+        default: ''
       flavor:
         type: string
-        description: "Defines a global behavior for tags"
+        description: 'Defines a global behavior for tags'
         default: |
           latest=auto
           prefix=
@@ -22,16 +22,16 @@ on:
         type: string
       platforms:
         type: string
-        default: "linux/amd64,linux/arm64"
+        default: 'linux/amd64,linux/arm64'
       push:
         type: boolean
         default: false
       registry:
         type: string
-        default: ""
+        default: ''
       runs-on:
         type: string
-        default: "ubuntu-latest"
+        default: 'ubuntu-latest'
       tags:
         type: string
         default: |
@@ -44,7 +44,7 @@ on:
         default: true
       working-directory:
         type: string
-        default: "."
+        default: '.'
     secrets:
       registry-username:
         required: true
@@ -159,7 +159,7 @@ jobs:
         run: |
           echo -n "$(cat ./trivy_results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=warning -diff="git diff FETCH_HEAD"
       - name: Upload results
-        uses: github/codeql-action/upload-sarif@3407610120cd5656b6fc71991415cb50748b9489 # v2.20.1
+        uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 #  v4.30.9
         with:
           sarif_file: ${{ inputs.working-directory }}/trivy_results.sarif
           category: container-security
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
@@ -6,10 +6,10 @@ on:
         default: true
       egress-policy-allowlist:
         type: string
-        default: ""
+        default: ''
       runs-on:
         type: string
-        default: "ubuntu-latest"
+        default: 'ubuntu-latest'
 
 jobs:
   gitleaks:
diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml
@@ -9,13 +9,13 @@ on:
         default: true
       egress-policy-allowlist:
         type: string
-        default: ""
+        default: ''
       runs-on:
         type: string
-        default: "ubuntu-latest"
+        default: 'ubuntu-latest'
       working-directory:
         type: string
-        default: "."
+        default: '.'
 
 jobs:
   go-lint:
diff --git a/.github/workflows/go-security-scan.yml b/.github/workflows/go-security-scan.yml
@@ -6,16 +6,16 @@ on:
         default: true
       egress-policy-allowlist:
         type: string
-        default: ""
+        default: ''
       runs-on:
         type: string
-        default: "ubuntu-latest"
+        default: 'ubuntu-latest'
       upload-sarif:
         type: boolean
         default: true
       working-directory:
         type: string
-        default: "."
+        default: '.'
 
 jobs:
   gosec:
@@ -50,7 +50,7 @@ jobs:
         # kics-scan ignore-line
         uses: securego/gosec@master
         with:
-          args: "-no-fail -fmt sarif -out ${{ inputs.working-directory }}/gosec-results.sarif ${{ inputs.working-directory }}/..."
+          args: '-no-fail -fmt sarif -out ${{ inputs.working-directory }}/gosec-results.sarif ${{ inputs.working-directory }}/...'
       - uses: reviewdog/action-setup@d8edfce3dd5e1ec6978745e801f9c50b5ef80252 # v1.4.0
       - name: Run reviewdog
         continue-on-error: true
@@ -59,8 +59,8 @@ jobs:
         run: |
           echo -n "$(cat ./gosec-results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=error -diff="git diff FETCH_HEAD"
       - name: Upload results
-        uses: github/codeql-action/upload-sarif@3407610120cd5656b6fc71991415cb50748b9489 # v2.20.1
+        uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 #  v4.30.9
         with:
-          sarif_file: "${{ inputs.working-directory }}/gosec-results.sarif"
+          sarif_file: '${{ inputs.working-directory }}/gosec-results.sarif'
           category: sast
         if: ${{ inputs.upload-sarif }}
diff --git a/.github/workflows/infra-security-scan.yml b/.github/workflows/infra-security-scan.yml
@@ -6,19 +6,19 @@ on:
         default: true
       egress-policy-allowlist:
         type: string
-        default: ""
+        default: ''
       enable-comments:
         type: boolean
         default: true
       runs-on:
         type: string
-        default: "ubuntu-latest"
+        default: 'ubuntu-latest'
       upload-sarif:
         type: boolean
         default: true
       working-directory:
         type: string
-        default: "."
+        default: '.'
 
 jobs:
   infra-security-scan:
@@ -62,7 +62,7 @@ jobs:
           enable_jobs_summary: true
           comments_with_queries: true
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@3407610120cd5656b6fc71991415cb50748b9489 # v2.20.1
+        uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 #  v4.30.9
         with:
           sarif_file: ${{ inputs.working-directory }}/kics_results.sarif
           category: devops
@@ -97,8 +97,10 @@ jobs:
           fail_level: any
           filter_mode: nofilter
           tool_name: actionlint
-      - name: Install the latest version of uv
+      - name: Install uv
         uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+        with:
+          enable-cache: true
       - name: Run zizmor 🌈
         run: |
           wget https://raw.githubusercontent.com/notdodo/github-actions/refs/heads/main/zizmor.yml
@@ -113,7 +115,7 @@ jobs:
         run: |
           echo -n "$(cat ./zizmor_results.sarif)" | reviewdog -reporter=github-check -f=sarif -level=warning -diff="git diff FETCH_HEAD"
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@3407610120cd5656b6fc71991415cb50748b9489 # v2.20.1
+        uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 #  v4.30.9
         with:
           sarif_file: zizmor_results.sarif
           category: github-actions
diff --git a/.github/workflows/local-auto-tagger-docker-bp.yml b/.github/workflows/local-auto-tagger-docker-bp.yml
@@ -1,9 +1,9 @@
-name: "Auto Tagger docker image builder and publisher"
+name: 'Auto Tagger docker image builder and publisher'
 
 on:
   push:
     tags:
-      - "auto-tagger-v[0-9]+.[0-9]+.[0-9]+"
+      - 'auto-tagger-v[0-9]+.[0-9]+.[0-9]+'
 
 jobs:
   build-push-docker-image:
diff --git a/.github/workflows/local-auto-tagger.yml b/.github/workflows/local-auto-tagger.yml
@@ -6,7 +6,7 @@ on:
     paths:
       - .github/workflows/*.yml
       - auto-tagger/**
-      - "!.github/workflows/local-*.yml"
+      - '!.github/workflows/local-*.yml'
 
 concurrency:
   group: ghas-auto-tagger-${{ github.ref }}
diff --git a/.github/workflows/pulumi-preview.yml b/.github/workflows/pulumi-preview.yml
@@ -3,37 +3,37 @@ on:
     inputs:
       aws-role:
         type: string
-        default: ""
+        default: ''
       aws-region:
         type: string
         default: eu-west-1
       aws-secrets-mapping:
         type: string
-        default: ""
+        default: ''
       disable-sudo:
         type: boolean
         default: true
       egress-policy-allowlist:
         type: string
-        default: ""
+        default: ''
       poetry-version:
         type: string
-        default: "latest"
+        default: 'latest'
       python-version:
         type: string
-        default: "3.13"
+        default: '3.13'
       runs-on:
         type: string
-        default: "ubuntu-latest"
+        default: 'ubuntu-latest'
       stack-name:
         type: string
-        default: ""
+        default: ''
       working-directory:
         type: string
-        default: "."
+        default: '.'
 
 concurrency:
-  group: ghas-${{ github.repository }}-pulumi-preview-${{ github.ref }}
+  group: ghas-${{ github.repository }}-pulumi-preview-${{ inputs.stack-name }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
@@ -112,7 +112,7 @@ jobs:
         with:
           path: ${{ env.PULUMI_HOME }}/plugins
           key: python-${{ inputs.python-version }}-venv-${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory), format('{0}/uv.lock', inputs.working-directory)) }}
-      - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+      - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         if: ${{ inputs.aws-role != '' }}
         with:
           role-to-assume: ${{ inputs.aws-role }}
@@ -124,6 +124,7 @@ jobs:
           secret-ids: >
             ${{ inputs.aws-secrets-mapping }}
       - uses: pulumi/actions@d7ceb0215da5a14ec84f50b703365ddf0194a9c8 # v6.6.0
+        name: Pulumi Preview
         with:
           command: preview
           stack-name: ${{ inputs.stack-name }}
diff --git a/.github/workflows/pulumi-up.yml b/.github/workflows/pulumi-up.yml
@@ -3,37 +3,37 @@ on:
     inputs:
       aws-role:
         type: string
-        default: ""
+        default: ''
       aws-region:
         type: string
         default: eu-west-1
       aws-secrets-mapping:
         type: string
-        default: ""
+        default: ''
       disable-sudo:
         type: boolean
         default: true
       egress-policy-allowlist:
         type: string
-        default: ""
+        default: ''
       poetry-version:
         type: string
-        default: "latest"
+        default: 'latest'
       python-version:
         type: string
-        default: "3.13"
+        default: '3.13'
       runs-on:
         type: string
-        default: "ubuntu-latest"
+        default: 'ubuntu-latest'
       stack-name:
         type: string
-        default: ""
+        default: ''
       working-directory:
         type: string
-        default: "."
+        default: '.'
 
 concurrency:
-  group: ghas-${{ github.repository }}-pulumi-up-${{ github.ref }}
+  group: ghas-${{ github.repository }}-pulumi-up-${{ inputs.stack-name }}-${{ github.ref }}
   cancel-in-progress: false
 
 jobs:
@@ -111,7 +111,7 @@ jobs:
         with:
           path: ${{ env.PULUMI_HOME }}/plugins
           key: python-${{ inputs.python-version }}-venv-${{ hashFiles(format('{0}/poetry.lock', inputs.working-directory), format('{0}/uv.lock', inputs.working-directory)) }}
-      - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+      - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         if: ${{ inputs.aws-role != '' }}
         with:
           role-to-assume: ${{ inputs.aws-role }}
@@ -123,6 +123,7 @@ jobs:
           secret-ids: >
             ${{ inputs.aws-secrets-mapping }}
       - uses: pulumi/actions@d7ceb0215da5a14ec84f50b703365ddf0194a9c8 # v6.6.0
+        name: Pulumi Up
         with:
           command: up
           stack-name: ${{ inputs.stack-name }}
diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml
@@ -6,19 +6,19 @@ on:
         default: true
       egress-policy-allowlist:
         type: string
-        default: ""
+        default: ''
       poetry-version:
         type: string
-        default: "latest"
+        default: 'latest'
       python-version:
         type: string
-        default: "3.13"
+        default: '3.13'
       runs-on:
         type: string
-        default: "ubuntu-latest"
+        default: 'ubuntu-latest'
       working-directory:
         type: string
-        default: "."
+        default: '.'
 
 jobs:
   install-and-checks:
@@ -80,7 +80,7 @@ jobs:
       - run: uv sync --locked --all-extras --dev
         if: ${{ steps.cache-deps.outputs.cache-hit != 'true' && hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }}
       - name: Install Task
-        uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2.0.0
+        uses: go-task/setup-task@0ab1b2a65bc55236a3bc64cde78f80e20e8885c2 # v1.0.0
         with:
           repo-token: ${{ github.token }}
       - name: Linting
diff --git a/.github/workflows/rust-ci.yml b/.github/workflows/rust-ci.yml
diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml
