Merge branch 'master' into push-ymquuwqtoswx

Author: olblak

.github/workflows/add_issue_to_project.yaml

@@ -3,13 +3,12 @@ on:
   issues:
     types:
       - opened
-
 jobs:
   add-to-project:
     name: Add issue to Updatecli project
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/add-to-project@v1.0.2
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
         with:
           project-url: https://github.com/orgs/updatecli/projects/2
           github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}

.github/workflows/build.yaml

@@ -1,47 +1,36 @@
 name: Build
-
 on:
   merge_group:
     branches: master
   push:
     branches: master
   pull_request:
-
 jobs:
   build:
     runs-on: ubuntu-latest
-
     steps:
-    - uses: actions/checkout@v4
-
-    - name: Use Node.js
-      uses: actions/setup-node@v4.4.0
-      with:
-        node-version: 20
-
-    - name: Install Hugo
-      uses: peaceiris/actions-hugo@v3
-      with:
-        hugo-version: 0.157.0
-        extended: true
-
-    - name: Install Bundler
-      uses: ruby/setup-ruby@v1
-      with:
-        ruby-version: 2.7
-        bundler-cache: true
-
-    - name: Install asciidoctor
-      run: gem install asciidoctor
-
-    - name: Show Hugo Version
-      run: hugo version
-
-    - name: Install dependencies
-      run: npm install
-
-    - name: Run Hyas test script
-      run: npm test
-
-    - name: Build production website
-      run: npm run build
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Use Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version: 24
+      - name: Install Hugo
+        uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
+        with:
+          hugo-version: 0.160.0
+          extended: true
+      - name: Install Bundler
+        uses: ruby/setup-ruby@e65c17d16e57e481586a6a5a0282698790062f92 # v1
+        with:
+          ruby-version: 2.7
+          bundler-cache: true
+      - name: Install asciidoctor
+        run: gem install asciidoctor
+      - name: Show Hugo Version
+        run: hugo version
+      - name: Install dependencies
+        run: npm install
+      - name: Run Hyas test script
+        run: npm test
+      - name: Build production website
+        run: npm run build

.github/workflows/codeql-analysis.yml

@@ -4,7 +4,6 @@
 # You may wish to alter this file to override the set of languages analyzed,
 # or to provide custom queries or build logic.
 name: "CodeQL"
-
 on:
   merge_group:
     branches: master
@@ -15,12 +14,10 @@ on:
     branches: [master]
   schedule:
     - cron: '0 11 * * 5'
-
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
-
     strategy:
       fail-fast: false
       matrix:
@@ -29,36 +26,30 @@ jobs:
         language: ['javascript']
         # Learn more...
         # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
-
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+          # queries: ./path/to/local/query, your-org/your-repo/queries@main
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+      #- run: |
+      #   make bootstrap
+      #   make release
+      - name: Perform CodeQL Analysis
+        # ℹ️ Command-line programs to run using the OS shell.
+        # 📚 https://git.io/JvXDl
+
+        # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+        #    and modify them (or add more) to build your code if your project
+        #    uses a compiled language
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1

.github/workflows/typos.yaml

@@ -9,6 +9,6 @@ jobs:
       contents: read
     steps:
       - name: Checkout Actions Repository
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Check spelling of file.txt
-        uses: crate-ci/typos@v1.42.0
+        uses: crate-ci/typos@02ea592e44b3a53c302f697cddca7641cd051c3d # v1.45.0

.github/workflows/updatecli.yaml

@@ -1,23 +1,21 @@
+---
 name: Updatecli
 on:
   release:
   workflow_dispatch:
   schedule:
     # Run at 12:00 every Saterday every 14 days
     - cron: "0 12 */14 * *"
-
 jobs:
   updatecli:
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3" # v6.0.0
-
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
       - name: "Setup updatecli"
-        uses: "updatecli/updatecli-action@5ca36367fadc6ad94d590984fd9c696e783ec635" # v2.96.0
+        uses: "updatecli/updatecli-action@2cc8e6d8e356d76b0280cdd03766c36596a0614e" # v3.0.0
         with:
-          version: "v0.114.0"
-
+          version: "v0.115.0"
       - name: "Run updatecli"
         run: updatecli compose apply --clean-git-branches=true --experimental
         env:

.github/workflows/updatecli_release.yaml

@@ -9,37 +9,37 @@ on:
   repository_dispatch:
     types:
       - "updatecli-release"
+permissions: {}
 jobs:
   updatecli:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@v4"
-
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
       - name: "Install Updatecli"
-        uses: "updatecli/updatecli-action@v2.96.0"
+        uses: "updatecli/updatecli-action@2cc8e6d8e356d76b0280cdd03766c36596a0614e" # v3.0.0
         with:
-          version: "v0.114.0"
-
+          version: "v0.115.0"
       # releasepost is required by the Updatecli
       #   * policy ghcr.io/updatecli/policies/releasepost/releasepost
       - name: "Install Releasepost"
-        uses: "updatecli/releasepost-action@v0.5.0"
-
+        uses: "updatecli/releasepost-action@864390bddae97db06ee881ab4a08d159b4464643" # v0.5.0
       - name: "Run updatecli only on release pipelines"
-        run: updatecli compose apply --clean-git-branches=true --labels="event:release" --experimental
+        run: updatecli compose apply --clean-git-branches=true --labels="release:updatecli" --experimental
         env:
           UPDATECLI_GITHUB_APP_CLIENT_ID: ${{ secrets.UPDATECLIBOT_APP_ID }}
           UPDATECLI_GITHUB_APP_PRIVATE_KEY: ${{ secrets.UPDATECLIBOT_APP_PRIVKEY }}
           UPDATECLI_GITHUB_APP_INSTALLATION_ID: ${{ secrets.UPDATECLIBOT_APP_INSTALLATION_ID }}
           UPDATECLI_UDASH_API_URL: ${{ secrets.UPDATECLI_UDASH_API_URL }}
           UPDATECLI_UDASH_ACCESS_TOKEN: ${{ secrets.UPDATECLI_UDASH_ACCESS_TOKEN }}
           UPDATECLI_UDASH_URL: ${{ secrets.UPDATECLI_UDASH_URL }}
-
       - name: "Run updatecli"
         run: "updatecli compose apply --file updatecli-compose-release.yaml --experimental"
         env:
-          RELEASEPOST_GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+          RELEASEPOST_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           UPDATECLI_GITHUB_APP_CLIENT_ID: ${{ secrets.UPDATECLIBOT_APP_ID }}
           UPDATECLI_GITHUB_APP_PRIVATE_KEY: ${{ secrets.UPDATECLIBOT_APP_PRIVKEY }}
           UPDATECLI_GITHUB_APP_INSTALLATION_ID: ${{ secrets.UPDATECLIBOT_APP_INSTALLATION_ID }}

.github/workflows/updatecli_test.yaml

@@ -1,23 +1,18 @@
 name: Updatecli Test
-
 on:
   pull_request:
-
 permissions:
   contents: read
-
 jobs:
   updatecli:
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3" # v6.0.0
-
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
       - name: "Setup updatecli"
-        uses: "updatecli/updatecli-action@5ca36367fadc6ad94d590984fd9c696e783ec635" # v2.96.0
+        uses: "updatecli/updatecli-action@2cc8e6d8e356d76b0280cdd03766c36596a0614e" # v3.0.0
         with:
-          version: "v0.114.0"
-
+          version: "v0.115.0"
       - name: "Test updatecli in dry-run mode"
         run: "updatecli compose diff --experimental"
         env:

.github/workflows/updatecli_update.yaml

@@ -1,32 +1,29 @@
+---
 name: Updatecli - Update
 on:
   workflow_dispatch:
   push:
     branches:
       - main
-
 jobs:
   updatecli:
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3" # v6.0.0
-
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
       - name: "Setup updatecli"
-        uses: "updatecli/updatecli-action@5ca36367fadc6ad94d590984fd9c696e783ec635" # v2.96.0
+        uses: "updatecli/updatecli-action@2cc8e6d8e356d76b0280cdd03766c36596a0614e" # v3.0.0
         with:
-          version: "v0.114.0"
-
+          version: "v0.115.0"
       - name: "Run updatecli only on monitored pipelines"
-        run: updatecli compose apply --clean-git-branches=true --labels="monitoring:enabled" --experimental
+        run: updatecli compose apply --clean-git-branches=true --labels="monitor:active" --experimental
         env:
           UPDATECLI_GITHUB_APP_CLIENT_ID: ${{ secrets.UPDATECLIBOT_APP_ID }}
           UPDATECLI_GITHUB_APP_PRIVATE_KEY: ${{ secrets.UPDATECLIBOT_APP_PRIVKEY }}
           UPDATECLI_GITHUB_APP_INSTALLATION_ID: ${{ secrets.UPDATECLIBOT_APP_INSTALLATION_ID }}
           UPDATECLI_UDASH_API_URL: ${{ secrets.UPDATECLI_UDASH_API_URL }}
           UPDATECLI_UDASH_ACCESS_TOKEN: ${{ secrets.UPDATECLI_UDASH_ACCESS_TOKEN }}
           UPDATECLI_UDASH_URL: ${{ secrets.UPDATECLI_UDASH_URL }}
-
       - name: "Run updatecli only on existing pipelines"
         run: updatecli compose apply --clean-git-branches=true --existing-only=true --experimental
         env:

.github/zizmor.yaml

@@ -0,0 +1,4 @@
+
+rules:
+    secrets-outside-env:
+        disable: true