7e8915d76ea1dbc3078a09d19dd4ee61ba5333ef
32 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
renovate[bot]
|
a9f4852956 |
Update docker/login-action action to v3.6.0 (#20712)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
c4b0d10438 |
Update actions/download-artifact action to v5 (#20405)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
9e4acd8bdd | Update actions/checkout action to v5 (#20404) | ||
|
renovate[bot]
|
5124cb393f |
Update docker/login-action action to v3.5.0 (#19860)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
113e32b956 |
Update docker/metadata-action action to v5.8.0 (#19722)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
96660d93ca |
Update docker/setup-buildx-action action to v3.11.1 (#18881)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
b9f3b0e0a6 |
Update docker/build-push-action action to v6.18.0 (#18422)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
8c020cc2e9 |
Update docker/build-push-action action to v6.17.0 (#18174)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
b00e390f3a |
Update docker/metadata-action action to v5.7.0 (#18175)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
1f9df0c8f0 |
Update docker/setup-buildx-action action to v3.10.0 (#18176)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
38c00dfad5 |
Update docker/build-push-action action to v6.16.0 (#18030)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
d6280c5aea |
Update docker/login-action action to v3.4.0 (#18031)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
108c470348 |
Update actions/download-artifact action to v4.3.0 (#17845)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
97dc58fc77 |
Update docker/build-push-action digest to 14487ce (#17665)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
41fec5171f |
Update actions/upload-artifact action to v4.6.2 (#17261)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | minor | `v4` -> `v4.6.2` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v4.6.2`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.6.2) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.6.1...v4.6.2) #### What's Changed - Update to use artifact 2.3.2 package & prepare for new upload-artifact release by [@​salmanmkc](https://redirect.github.com/salmanmkc) in [https://github.com/actions/upload-artifact/pull/685](https://redirect.github.com/actions/upload-artifact/pull/685) #### New Contributors - [@​salmanmkc](https://redirect.github.com/salmanmkc) made their first contribution in [https://github.com/actions/upload-artifact/pull/685](https://redirect.github.com/actions/upload-artifact/pull/685) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4...v4.6.2 ### [`v4.6.1`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.6.1) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.6.0...v4.6.1) #### What's Changed - Update to use artifact 2.2.2 package by [@​yacaovsnc](https://redirect.github.com/yacaovsnc) in [https://github.com/actions/upload-artifact/pull/673](https://redirect.github.com/actions/upload-artifact/pull/673) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4...v4.6.1 ### [`v4.6.0`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.6.0) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.5.0...v4.6.0) ##### What's Changed - Expose env vars to control concurrency and timeout by [@​yacaovsnc](https://redirect.github.com/yacaovsnc) in [https://github.com/actions/upload-artifact/pull/662](https://redirect.github.com/actions/upload-artifact/pull/662) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4...v4.6.0 ### [`v4.5.0`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.5.0) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.3...v4.5.0) ##### What's Changed - fix: deprecated `Node.js` version in action by [@​hamirmahal](https://redirect.github.com/hamirmahal) in [https://github.com/actions/upload-artifact/pull/578](https://redirect.github.com/actions/upload-artifact/pull/578) - Add new `artifact-digest` output by [@​bdehamer](https://redirect.github.com/bdehamer) in [https://github.com/actions/upload-artifact/pull/656](https://redirect.github.com/actions/upload-artifact/pull/656) ##### New Contributors - [@​hamirmahal](https://redirect.github.com/hamirmahal) made their first contribution in [https://github.com/actions/upload-artifact/pull/578](https://redirect.github.com/actions/upload-artifact/pull/578) - [@​bdehamer](https://redirect.github.com/bdehamer) made their first contribution in [https://github.com/actions/upload-artifact/pull/656](https://redirect.github.com/actions/upload-artifact/pull/656) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.4.3...v4.5.0 ### [`v4.4.3`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.3) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3) #### What's Changed - Undo indirect dependency updates from [#​627](https://redirect.github.com/actions/upload-artifact/issues/627) by [@​joshmgross](https://redirect.github.com/joshmgross) in [https://github.com/actions/upload-artifact/pull/632](https://redirect.github.com/actions/upload-artifact/pull/632) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3 ### [`v4.4.2`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.2) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.1...v4.4.2) #### What's Changed - Bump `@actions/artifact` to 2.1.11 by [@​robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/627](https://redirect.github.com/actions/upload-artifact/pull/627) - Includes fix for relative symlinks not resolving properly **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.4.1...v4.4.2 ### [`v4.4.1`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.1) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.0...v4.4.1) #### What's Changed - Add a section about hidden files by [@​joshmgross](https://redirect.github.com/joshmgross) in [https://github.com/actions/upload-artifact/pull/607](https://redirect.github.com/actions/upload-artifact/pull/607) - Add workflow file for publishing releases to immutable action package by [@​Jcambass](https://redirect.github.com/Jcambass) in [https://github.com/actions/upload-artifact/pull/621](https://redirect.github.com/actions/upload-artifact/pull/621) - Update [@​actions/artifact](https://redirect.github.com/actions/artifact) to latest version, includes symlink and timeout fixes by [@​robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/625](https://redirect.github.com/actions/upload-artifact/pull/625) #### New Contributors - [@​Jcambass](https://redirect.github.com/Jcambass) made their first contribution in [https://github.com/actions/upload-artifact/pull/621](https://redirect.github.com/actions/upload-artifact/pull/621) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.4.0...v4.4.1 ### [`v4.4.0`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.0) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0) #### Notice: Breaking Changes ⚠️ We will no longer include hidden files and folders by default in the `upload-artifact` action of this version. This reduces the risk that credentials are accidentally uploaded into artifacts. Customers who need to continue to upload these files can use a new option, `include-hidden-files`, to continue to do so. See ["Notice of upcoming deprecations and breaking changes in GitHub Actions runners"](https://github.blog/changelog/2024-08-19-notice-of-upcoming-deprecations-and-breaking-changes-in-github-actions-runners/) changelog and [this issue](https://redirect.github.com/actions/upload-artifact/issues/602) for more details. #### What's Changed - Exclude hidden files by default by [@​joshmgross](https://redirect.github.com/joshmgross) in [https://github.com/actions/upload-artifact/pull/598](https://redirect.github.com/actions/upload-artifact/pull/598) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0 ### [`v4.3.6`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.3.6) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6) #### What's Changed - Revert to [@​actions/artifact](https://redirect.github.com/actions/artifact) 2.1.8 by [@​robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/594](https://redirect.github.com/actions/upload-artifact/pull/594) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4...v4.3.6 ### [`v4.3.5`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.3.5) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5) #### What's Changed - Bump [@​actions/artifact](https://redirect.github.com/actions/artifact) to v2.1.9 by [@​robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/588](https://redirect.github.com/actions/upload-artifact/pull/588) - Fixed artifact upload chunk timeout logic [#​1774](https://redirect.github.com/actions/toolkit/pull/1774) - Use lazy stream to prevent issues with open file limits [#​1771](https://redirect.github.com/actions/toolkit/pull/1771) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5 ### [`v4.3.4`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.3.4) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.3...v4.3.4) #### What's Changed - Update [@​actions/artifact](https://redirect.github.com/actions/artifact) version, bump dependencies by [@​robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/584](https://redirect.github.com/actions/upload-artifact/pull/584) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.3.3...v4.3.4 ### [`v4.3.3`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.3.3) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.2...v4.3.3) #### What's Changed - updating `@actions/artifact` dependency to v2.1.6 by [@​eggyhead](https://redirect.github.com/eggyhead) in [https://github.com/actions/upload-artifact/pull/565](https://redirect.github.com/actions/upload-artifact/pull/565) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.3.2...v4.3.3 ### [`v4.3.2`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.3.2) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.1...v4.3.2) #### What's Changed - Update release-new-action-version.yml by [@​konradpabjan](https://redirect.github.com/konradpabjan) in [https://github.com/actions/upload-artifact/pull/516](https://redirect.github.com/actions/upload-artifact/pull/516) - Minor fix to the migration readme by [@​andrewakim](https://redirect.github.com/andrewakim) in [https://github.com/actions/upload-artifact/pull/523](https://redirect.github.com/actions/upload-artifact/pull/523) - Update readme with v3/v2/v1 deprecation notice by [@​robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/561](https://redirect.github.com/actions/upload-artifact/pull/561) - updating `@actions/artifact` dependency to v2.1.5 and `@actions/core` to v1.0.1 by [@​eggyhead](https://redirect.github.com/eggyhead) in [https://github.com/actions/upload-artifact/pull/562](https://redirect.github.com/actions/upload-artifact/pull/562) #### New Contributors - [@​andrewakim](https://redirect.github.com/andrewakim) made their first contribution in [https://github.com/actions/upload-artifact/pull/523](https://redirect.github.com/actions/upload-artifact/pull/523) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.3.1...v4.3.2 ### [`v4.3.1`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.3.1) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.0...v4.3.1) - Bump [@​actions/artifacts](https://redirect.github.com/actions/artifacts) to latest version to include [updated GHES host check](https://redirect.github.com/actions/toolkit/pull/1648) ### [`v4.3.0`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.3.0) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.2.0...v4.3.0) #### What's Changed - Reorganize upload code in prep for merge logic & add more tests by [@​robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/504](https://redirect.github.com/actions/upload-artifact/pull/504) - Add sub-action to merge artifacts by [@​robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/505](https://redirect.github.com/actions/upload-artifact/pull/505) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4...v4.3.0 ### [`v4.2.0`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.2.0) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.1.0...v4.2.0) #### What's Changed - Ability to overwrite an Artifact by [@​robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/501](https://redirect.github.com/actions/upload-artifact/pull/501) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4...v4.2.0 ### [`v4.1.0`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.1.0) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4...v4.1.0) #### What's Changed - Add migrations docs by [@​robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/482](https://redirect.github.com/actions/upload-artifact/pull/482) - Update README.md by [@​samuelwine](https://redirect.github.com/samuelwine) in [https://github.com/actions/upload-artifact/pull/492](https://redirect.github.com/actions/upload-artifact/pull/492) - Support artifact-url output by [@​konradpabjan](https://redirect.github.com/konradpabjan) in [https://github.com/actions/upload-artifact/pull/496](https://redirect.github.com/actions/upload-artifact/pull/496) - Update readme to reflect new 500 artifact per job limit by [@​robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/497](https://redirect.github.com/actions/upload-artifact/pull/497) #### New Contributors - [@​samuelwine](https://redirect.github.com/samuelwine) made their first contribution in [https://github.com/actions/upload-artifact/pull/492](https://redirect.github.com/actions/upload-artifact/pull/492) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4...v4.1.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/astral-sh/ruff). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMjcuMyIsInVwZGF0ZWRJblZlciI6IjM5LjIyNy4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJpbnRlcm5hbCJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
db69dfba45 |
Update actions/download-artifact action to v4.2.1 (#17258)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/download-artifact](https://redirect.github.com/actions/download-artifact) | action | minor | `v4` -> `v4.2.1` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/download-artifact (actions/download-artifact)</summary> ### [`v4.2.1`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.2.1) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v4.2.0...v4.2.1) #### What's Changed - Add unit tests by [@​GhadimiR](https://redirect.github.com/GhadimiR) in [https://github.com/actions/download-artifact/pull/392](https://redirect.github.com/actions/download-artifact/pull/392) - Fix bug introduced in 4.2.0 by [@​GhadimiR](https://redirect.github.com/GhadimiR) in [https://github.com/actions/download-artifact/pull/391](https://redirect.github.com/actions/download-artifact/pull/391) **Full Changelog**: https://github.com/actions/download-artifact/compare/v4.2.0...v4.2.1 ### [`v4.2.0`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.2.0) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v4.1.9...v4.2.0) #### What's Changed - Update README.md by [@​lkfortuna](https://redirect.github.com/lkfortuna) in [https://github.com/actions/download-artifact/pull/384](https://redirect.github.com/actions/download-artifact/pull/384) - Bump artifact version, do digest check by [@​GhadimiR](https://redirect.github.com/GhadimiR) in [https://github.com/actions/download-artifact/pull/383](https://redirect.github.com/actions/download-artifact/pull/383) #### New Contributors - [@​lkfortuna](https://redirect.github.com/lkfortuna) made their first contribution in [https://github.com/actions/download-artifact/pull/384](https://redirect.github.com/actions/download-artifact/pull/384) - [@​GhadimiR](https://redirect.github.com/GhadimiR) made their first contribution in [https://github.com/actions/download-artifact/pull/383](https://redirect.github.com/actions/download-artifact/pull/383) **Full Changelog**: https://github.com/actions/download-artifact/compare/v4.1.9...v4.2.0 ### [`v4.1.9`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.1.9) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v4.1.8...v4.1.9) #### What's Changed - Add workflow file for publishing releases to immutable action package by [@​Jcambass](https://redirect.github.com/Jcambass) in [https://github.com/actions/download-artifact/pull/354](https://redirect.github.com/actions/download-artifact/pull/354) - docs: small migration fix by [@​froblesmartin](https://redirect.github.com/froblesmartin) in [https://github.com/actions/download-artifact/pull/370](https://redirect.github.com/actions/download-artifact/pull/370) - Update MIGRATION.md by [@​andyfeller](https://redirect.github.com/andyfeller) in [https://github.com/actions/download-artifact/pull/372](https://redirect.github.com/actions/download-artifact/pull/372) - Update artifact package to 2.2.2 by [@​yacaovsnc](https://redirect.github.com/yacaovsnc) in [https://github.com/actions/download-artifact/pull/380](https://redirect.github.com/actions/download-artifact/pull/380) #### New Contributors - [@​Jcambass](https://redirect.github.com/Jcambass) made their first contribution in [https://github.com/actions/download-artifact/pull/354](https://redirect.github.com/actions/download-artifact/pull/354) - [@​froblesmartin](https://redirect.github.com/froblesmartin) made their first contribution in [https://github.com/actions/download-artifact/pull/370](https://redirect.github.com/actions/download-artifact/pull/370) - [@​andyfeller](https://redirect.github.com/andyfeller) made their first contribution in [https://github.com/actions/download-artifact/pull/372](https://redirect.github.com/actions/download-artifact/pull/372) - [@​yacaovsnc](https://redirect.github.com/yacaovsnc) made their first contribution in [https://github.com/actions/download-artifact/pull/380](https://redirect.github.com/actions/download-artifact/pull/380) **Full Changelog**: https://github.com/actions/download-artifact/compare/v4...v4.1.9 ### [`v4.1.8`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.1.8) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v4.1.7...v4.1.8) #### What's Changed - Update [@​actions/artifact](https://redirect.github.com/actions/artifact) version, bump dependencies by [@​robherley](https://redirect.github.com/robherley) in [https://github.com/actions/download-artifact/pull/341](https://redirect.github.com/actions/download-artifact/pull/341) **Full Changelog**: https://github.com/actions/download-artifact/compare/v4...v4.1.8 ### [`v4.1.7`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.1.7) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v4.1.6...v4.1.7) #### What's Changed - Update [@​actions/artifact](https://redirect.github.com/actions/artifact) dependency by [@​bethanyj28](https://redirect.github.com/bethanyj28) in [https://github.com/actions/download-artifact/pull/325](https://redirect.github.com/actions/download-artifact/pull/325) **Full Changelog**: https://github.com/actions/download-artifact/compare/v4.1.6...v4.1.7 ### [`v4.1.6`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.1.6) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v4.1.5...v4.1.6) #### What's Changed - updating `@actions/artifact` dependency to v2.1.6 by [@​eggyhead](https://redirect.github.com/eggyhead) in [https://github.com/actions/download-artifact/pull/324](https://redirect.github.com/actions/download-artifact/pull/324) **Full Changelog**: https://github.com/actions/download-artifact/compare/v4.1.5...v4.1.6 ### [`v4.1.5`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.1.5) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v4.1.4...v4.1.5) #### What's Changed - Update readme with v3/v2/v1 deprecation notice by [@​robherley](https://redirect.github.com/robherley) in [https://github.com/actions/download-artifact/pull/322](https://redirect.github.com/actions/download-artifact/pull/322) - Update dependencies `@actions/core` to v1.10.1 and `@actions/artifact` to v2.1.5 **Full Changelog**: https://github.com/actions/download-artifact/compare/v4.1.4...v4.1.5 ### [`v4.1.4`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.1.4) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v4.1.3...v4.1.4) #### What's Changed - Update [@​actions/artifact](https://redirect.github.com/actions/artifact) by [@​bethanyj28](https://redirect.github.com/bethanyj28) in [https://github.com/actions/download-artifact/pull/307](https://redirect.github.com/actions/download-artifact/pull/307) **Full Changelog**: https://github.com/actions/download-artifact/compare/v4...v4.1.4 ### [`v4.1.3`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.1.3) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v4.1.2...v4.1.3) #### What's Changed - Update release-new-action-version.yml by [@​konradpabjan](https://redirect.github.com/konradpabjan) in [https://github.com/actions/download-artifact/pull/292](https://redirect.github.com/actions/download-artifact/pull/292) - Update toolkit dependency with updated unzip logic by [@​bethanyj28](https://redirect.github.com/bethanyj28) in [https://github.com/actions/download-artifact/pull/299](https://redirect.github.com/actions/download-artifact/pull/299) - Update [@​actions/artifact](https://redirect.github.com/actions/artifact) by [@​bethanyj28](https://redirect.github.com/bethanyj28) in [https://github.com/actions/download-artifact/pull/303](https://redirect.github.com/actions/download-artifact/pull/303) #### New Contributors - [@​bethanyj28](https://redirect.github.com/bethanyj28) made their first contribution in [https://github.com/actions/download-artifact/pull/299](https://redirect.github.com/actions/download-artifact/pull/299) **Full Changelog**: https://github.com/actions/download-artifact/compare/v4...v4.1.3 ### [`v4.1.2`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.1.2) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v4.1.1...v4.1.2) - Bump [@​actions/artifacts](https://redirect.github.com/actions/artifacts) to latest version to include [updated GHES host check](https://redirect.github.com/actions/toolkit/pull/1648) ### [`v4.1.1`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.1.1) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v4.1.0...v4.1.1) - Fix transient request timeouts [https://github.com/actions/download-artifact/issues/249](https://redirect.github.com/actions/download-artifact/issues/249) - Bump `@actions/artifacts` to latest version ### [`v4.1.0`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.1.0) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v4...v4.1.0) #### What's Changed - Some cleanup by [@​robherley](https://redirect.github.com/robherley) in [https://github.com/actions/download-artifact/pull/247](https://redirect.github.com/actions/download-artifact/pull/247) - Fix default for run-id by [@​stchr](https://redirect.github.com/stchr) in [https://github.com/actions/download-artifact/pull/252](https://redirect.github.com/actions/download-artifact/pull/252) - Support pattern matching to filter artifacts & merge to same directory by [@​robherley](https://redirect.github.com/robherley) in [https://github.com/actions/download-artifact/pull/259](https://redirect.github.com/actions/download-artifact/pull/259) #### New Contributors - [@​stchr](https://redirect.github.com/stchr) made their first contribution in [https://github.com/actions/download-artifact/pull/252](https://redirect.github.com/actions/download-artifact/pull/252) **Full Changelog**: https://github.com/actions/download-artifact/compare/v4...v4.1.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/astral-sh/ruff). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMjcuMyIsInVwZGF0ZWRJblZlciI6IjM5LjIyNy4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJpbnRlcm5hbCJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
796e7510c4 |
Update actions/checkout action to v4.2.2 (#17257)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://redirect.github.com/actions/checkout) | action | minor | `v4` -> `v4.2.2` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v4.2.2`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v422) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4.2.1...v4.2.2) - `url-helper.ts` now leverages well-known environment variables by [@​jww3](https://redirect.github.com/jww3) in [https://github.com/actions/checkout/pull/1941](https://redirect.github.com/actions/checkout/pull/1941) - Expand unit test coverage for `isGhes` by [@​jww3](https://redirect.github.com/jww3) in [https://github.com/actions/checkout/pull/1946](https://redirect.github.com/actions/checkout/pull/1946) ### [`v4.2.1`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v421) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4.2.0...v4.2.1) - Check out other refs/\* by commit if provided, fall back to ref by [@​orhantoy](https://redirect.github.com/orhantoy) in [https://github.com/actions/checkout/pull/1924](https://redirect.github.com/actions/checkout/pull/1924) ### [`v4.2.0`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v420) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.7...v4.2.0) - Add Ref and Commit outputs by [@​lucacome](https://redirect.github.com/lucacome) in [https://github.com/actions/checkout/pull/1180](https://redirect.github.com/actions/checkout/pull/1180) - Dependency updates by [@​dependabot-](https://redirect.github.com/dependabot-) [https://github.com/actions/checkout/pull/1777](https://redirect.github.com/actions/checkout/pull/1777), [https://github.com/actions/checkout/pull/1872](https://redirect.github.com/actions/checkout/pull/1872) ### [`v4.1.7`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v417) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.6...v4.1.7) - Bump the minor-npm-dependencies group across 1 directory with 4 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/checkout/pull/1739](https://redirect.github.com/actions/checkout/pull/1739) - Bump actions/checkout from 3 to 4 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/checkout/pull/1697](https://redirect.github.com/actions/checkout/pull/1697) - Check out other refs/\* by commit by [@​orhantoy](https://redirect.github.com/orhantoy) in [https://github.com/actions/checkout/pull/1774](https://redirect.github.com/actions/checkout/pull/1774) - Pin actions/checkout's own workflows to a known, good, stable version. by [@​jww3](https://redirect.github.com/jww3) in [https://github.com/actions/checkout/pull/1776](https://redirect.github.com/actions/checkout/pull/1776) ### [`v4.1.6`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v416) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.5...v4.1.6) - Check platform to set archive extension appropriately by [@​cory-miller](https://redirect.github.com/cory-miller) in [https://github.com/actions/checkout/pull/1732](https://redirect.github.com/actions/checkout/pull/1732) ### [`v4.1.5`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v415) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.4...v4.1.5) - Update NPM dependencies by [@​cory-miller](https://redirect.github.com/cory-miller) in [https://github.com/actions/checkout/pull/1703](https://redirect.github.com/actions/checkout/pull/1703) - Bump github/codeql-action from 2 to 3 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/checkout/pull/1694](https://redirect.github.com/actions/checkout/pull/1694) - Bump actions/setup-node from 1 to 4 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/checkout/pull/1696](https://redirect.github.com/actions/checkout/pull/1696) - Bump actions/upload-artifact from 2 to 4 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/checkout/pull/1695](https://redirect.github.com/actions/checkout/pull/1695) - README: Suggest `user.email` to be `41898282+github-actions[bot]@​users.noreply.github.com` by [@​cory-miller](https://redirect.github.com/cory-miller) in [https://github.com/actions/checkout/pull/1707](https://redirect.github.com/actions/checkout/pull/1707) ### [`v4.1.4`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v414) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.3...v4.1.4) - Disable `extensions.worktreeConfig` when disabling `sparse-checkout` by [@​jww3](https://redirect.github.com/jww3) in [https://github.com/actions/checkout/pull/1692](https://redirect.github.com/actions/checkout/pull/1692) - Add dependabot config by [@​cory-miller](https://redirect.github.com/cory-miller) in [https://github.com/actions/checkout/pull/1688](https://redirect.github.com/actions/checkout/pull/1688) - Bump the minor-actions-dependencies group with 2 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/checkout/pull/1693](https://redirect.github.com/actions/checkout/pull/1693) - Bump word-wrap from 1.2.3 to 1.2.5 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/checkout/pull/1643](https://redirect.github.com/actions/checkout/pull/1643) ### [`v4.1.3`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v413) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.2...v4.1.3) - Check git version before attempting to disable `sparse-checkout` by [@​jww3](https://redirect.github.com/jww3) in [https://github.com/actions/checkout/pull/1656](https://redirect.github.com/actions/checkout/pull/1656) - Add SSH user parameter by [@​cory-miller](https://redirect.github.com/cory-miller) in [https://github.com/actions/checkout/pull/1685](https://redirect.github.com/actions/checkout/pull/1685) - Update `actions/checkout` version in `update-main-version.yml` by [@​jww3](https://redirect.github.com/jww3) in [https://github.com/actions/checkout/pull/1650](https://redirect.github.com/actions/checkout/pull/1650) ### [`v4.1.2`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v412) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.1...v4.1.2) - Fix: Disable sparse checkout whenever `sparse-checkout` option is not present [@​dscho](https://redirect.github.com/dscho) in [https://github.com/actions/checkout/pull/1598](https://redirect.github.com/actions/checkout/pull/1598) ### [`v4.1.1`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v411) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.0...v4.1.1) - Correct link to GitHub Docs by [@​peterbe](https://redirect.github.com/peterbe) in [https://github.com/actions/checkout/pull/1511](https://redirect.github.com/actions/checkout/pull/1511) - Link to release page from what's new section by [@​cory-miller](https://redirect.github.com/cory-miller) in [https://github.com/actions/checkout/pull/1514](https://redirect.github.com/actions/checkout/pull/1514) ### [`v4.1.0`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v410) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4.0.0...v4.1.0) - [Add support for partial checkout filters](https://redirect.github.com/actions/checkout/pull/1396) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/astral-sh/ruff). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMjcuMyIsInVwZGF0ZWRJblZlciI6IjM5LjIyNy4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJpbnRlcm5hbCJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
f7b9089cb8 |
Update actions/upload-artifact digest to ea165f8 (#16936)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | digest | `4cec3d8` -> `ea165f8` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/astral-sh/ruff). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMDcuMSIsInVwZGF0ZWRJblZlciI6IjM5LjIwNy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJpbnRlcm5hbCJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
187cac56bd |
Update actions/download-artifact digest to 95815c3 (#16935)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/download-artifact](https://redirect.github.com/actions/download-artifact) | action | digest | `cc20338` -> `95815c3` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/astral-sh/ruff). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMDcuMSIsInVwZGF0ZWRJblZlciI6IjM5LjIwNy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJpbnRlcm5hbCJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
dbdb46dcd2 |
Pin dependencies (#16791)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [CodSpeedHQ/action](https://redirect.github.com/CodSpeedHQ/action) | action | pinDigest | -> `0010eb0` | | [PyO3/maturin-action](https://redirect.github.com/PyO3/maturin-action) | action | pinDigest | -> `36db840` | | [SebRollen/toml-action](https://redirect.github.com/SebRollen/toml-action) | action | pinDigest | -> `b1b3628` | | [Swatinem/rust-cache](https://redirect.github.com/Swatinem/rust-cache) | action | pinDigest | -> `f0deed1` | | [actions/cache](https://redirect.github.com/actions/cache) | action | pinDigest | -> `d4323d4` | | [actions/checkout](https://redirect.github.com/actions/checkout) | action | pinDigest | -> `11bd719` | | [actions/download-artifact](https://redirect.github.com/actions/download-artifact) | action | pinDigest | -> `cc20338` | | [actions/github-script](https://redirect.github.com/actions/github-script) | action | pinDigest | -> `60a0d83` | | [actions/setup-node](https://redirect.github.com/actions/setup-node) | action | pinDigest | -> `cdca736` | | [actions/setup-python](https://redirect.github.com/actions/setup-python) | action | pinDigest | -> `4237552` | | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | pinDigest | -> `4cec3d8` | | [astral-sh/setup-uv](https://redirect.github.com/astral-sh/setup-uv) | action | pinDigest | -> `f94ec6b` | | [dawidd6/action-download-artifact](https://redirect.github.com/dawidd6/action-download-artifact) | action | pinDigest | -> `20319c5` | | [docker/build-push-action](https://redirect.github.com/docker/build-push-action) | action | pinDigest | -> `471d1dc` | | [docker/login-action](https://redirect.github.com/docker/login-action) | action | pinDigest | -> `74a5d14` | | [docker/metadata-action](https://redirect.github.com/docker/metadata-action) | action | pinDigest | -> `902fa8e` | | [docker/setup-buildx-action](https://redirect.github.com/docker/setup-buildx-action) | action | pinDigest | -> `b5ca514` | | [extractions/setup-just](https://redirect.github.com/extractions/setup-just) | action | pinDigest | -> `dd310ad` | | [jetli/wasm-bindgen-action](https://redirect.github.com/jetli/wasm-bindgen-action) | action | pinDigest | -> `20b33e2` | | [jetli/wasm-pack-action](https://redirect.github.com/jetli/wasm-pack-action) | action | pinDigest | -> `0d096b0` | | [peter-evans/create-or-update-comment](https://redirect.github.com/peter-evans/create-or-update-comment) | action | pinDigest | -> `71345be` | | [peter-evans/find-comment](https://redirect.github.com/peter-evans/find-comment) | action | pinDigest | -> `3eae4d3` | | [taiki-e/install-action](https://redirect.github.com/taiki-e/install-action) | action | pinDigest | -> `2c41309` | | [uraimo/run-on-arch-action](https://redirect.github.com/uraimo/run-on-arch-action) | action | pinDigest | -> `ac33288` | | [webfactory/ssh-agent](https://redirect.github.com/webfactory/ssh-agent) | action | pinDigest | -> `dc588b6` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/astral-sh/ruff). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMDAuMCIsInVwZGF0ZWRJblZlciI6IjM5LjIwMC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJpbnRlcm5hbCJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
samypr100
|
df6c850a53 |
Bump alpine default tag to 3.21 (#16456)
## Summary Alpine 3.21 has been released for a few months and `uv` has already migrated in https://github.com/astral-sh/uv/pull/11157 |
||
|
Dylan
|
90589372da |
Fix grep for version number in docker build (#15699)
Grep now only returns _first_ result and "version" has to be at start of line. |
||
|
Alex Waygood
|
7284d68157 | fix invalid syntax in workflow file (#15357) | ||
|
Alex Waygood
|
d45c1ee44f |
Upgrade zizmor to the latest version in CI (#15300)
## Summary This PR upgrades zizmor to the latest release in our CI. zizmor is a static analyzer checking for security issues in GitHub workflows. The new release finds some new issues in our workflows; this PR fixes some of the issues, and adds ignores for some other issues. The issues fixed in this PR are new cases of zizmor's [`template-injection`](https://woodruffw.github.io/zizmor/audits/#template-injection) rule being emitted. The issues I'm ignoring for now are all to do with the [`cache-poisoning`](https://woodruffw.github.io/zizmor/audits/#cache-poisoning) rule. The main reason I'm fixing some but ignoring others is that I'm confident fixing the template-injection diagnostics won't have any impact on how our workflows operate in CI, but I'm worried that fixing the cache-poisoning diagnostics could slow down our CI a fair bit. I don't mind if somebody else is motivated to try to fix these diagnostics, but for now I think I'd prefer to just ignore them; it doesn't seem high-priority enough to try to fix them right now :-) ## Test Plan - `uvx pre-commit run -a --hook-stage=manual` passes locally - Let's see if CI passes on this PR... |
||
|
Alex Waygood
|
712c886749 |
Add actionlint as a pre-commit hook (with shellcheck integration) (#15021)
|
||
|
Dhruv Manilawala
|
53f2d72e02 |
Revert certain double quotes from workflow shell script (#14939)
Follow-up from #14938 |
||
|
Dhruv Manilawala
|
3629cbf35a |
Use double quotes consistently for shell scripts (#14938)
## Summary The release failed (https://github.com/astral-sh/ruff/actions/runs/12298190472/job/34321509636) because the shell script in the Docker release workflow was using single quotes instead of double quotes. This is related to https://www.shellcheck.net/wiki/SC2016. I found it via [`actionlint`](https://github.com/rhysd/actionlint). Related #14893. I also went ahead and fixed https://www.shellcheck.net/wiki/SC2086 which were raised in a couple of places. |
||
|
Alex Waygood
|
033ecf5a4b |
Also have zizmor check for low-severity security issues (#14893)
## Summary This PR changes our zizmor configuration to also flag low-severity security issues in our GitHub Actions workflows. It's a followup to https://github.com/astral-sh/ruff/pull/14844. The issues being fixed here were all flagged by [zizmor's `template-injection` rule](https://woodruffw.github.io/zizmor/audits/#template-injection): > Detects potential sources of code injection via template expansion. > > GitHub Actions allows workflows to define template expansions, which occur within special `${{ ... }}` delimiters. These expansions happen before workflow and job execution, meaning the expansion of a given expression appears verbatim in whatever context it was performed in. > > Template expansions aren't syntax-aware, meaning that they can result in unintended shell injection vectors. This is especially true when they're used with attacker-controllable expression contexts, such as `github.event.issue.title` (which the attacker can fully control by supplying a new issue title). [...] > To fully remediate the vulnerability, you should not use `${{ env.VARNAME }}`, since that is still a template expansion. Instead, you should use `${VARNAME}` to ensure that the shell itself performs the variable expansion. ## Test Plan I tested that this passes all zizmore warnings by running `pre-commit run -a zizmor` locally. The other test is obviously to check that the workflows all still run correctly in CI 😄 |
||
|
Alex Waygood
|
58e7db89a1 |
Run zizmor in CI, and fix most warnings (#14844)
## Summary A [recent exploit](https://github.com/advisories/GHSA-7x29-qqmq-v6qc) brought attention to how easy it can be for attackers to use template expansion in GitHub Actions workflows to inject arbitrary code into a repository. That vulnerability [would have been caught by the zizmor linter](https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-injection), which looks for potential security vulnerabilities in GitHub Actions workflows. This PR adds [zizmor](https://github.com/woodruffw/zizmor) as a pre-commit hook and fixes the high- and medium-severity warnings flagged by the tool. All the warnings fixed in this PR are related to this zizmor check: https://woodruffw.github.io/zizmor/audits/#artipacked. The summary of the check is that `actions/checkout` will by default persist git configuration for the duration of the workflow, which can be insecure. It's unnecessary unless you actually need to do things with `git` later on in the workflow. None of our workflows do except for `publish-docs.yml` and `sync-typeshed.yml`, so I set `persist-credentials: true` for those two but `persist-credentials: false` for all other uses of `actions/checkout`. Unfortunately there are several warnings in `release.yml`, including four high-severity warnings. However, this is a generated workflow file, so I have deliberately excluded this file from the check. These are the findings in `release.yml`: <details> <summary>release.yml findings</summary> ``` warning[artipacked]: credential persistence through GitHub Actions artifacts --> /Users/alexw/dev/ruff/.github/workflows/release.yml:62:9 | 62 | - uses: actions/checkout@v4 | _________- 63 | | with: 64 | | submodules: recursive | |_______________________________- does not set persist-credentials: false | = note: audit confidence → Low warning[artipacked]: credential persistence through GitHub Actions artifacts --> /Users/alexw/dev/ruff/.github/workflows/release.yml:124:9 | 124 | - uses: actions/checkout@v4 | _________- 125 | | with: 126 | | submodules: recursive | |_______________________________- does not set persist-credentials: false | = note: audit confidence → Low warning[artipacked]: credential persistence through GitHub Actions artifacts --> /Users/alexw/dev/ruff/.github/workflows/release.yml:174:9 | 174 | - uses: actions/checkout@v4 | _________- 175 | | with: 176 | | submodules: recursive | |_______________________________- does not set persist-credentials: false | = note: audit confidence → Low warning[artipacked]: credential persistence through GitHub Actions artifacts --> /Users/alexw/dev/ruff/.github/workflows/release.yml:249:9 | 249 | - uses: actions/checkout@v4 | _________- 250 | | with: 251 | | submodules: recursive 252 | | # Create a GitHub Release while uploading all files to it | |_______________________________________________________________- does not set persist-credentials: false | = note: audit confidence → Low error[excessive-permissions]: overly broad workflow or job-level permissions --> /Users/alexw/dev/ruff/.github/workflows/release.yml:17:1 | 17 | / permissions: 18 | | "contents": "write" ... | 39 | | # If there's a prerelease-style suffix to the version, then the release(s) 40 | | # will be marked as a prerelease. | |_________________________________^ contents: write is overly broad at the workflow level | = note: audit confidence → High error[template-injection]: code injection via template expansion --> /Users/alexw/dev/ruff/.github/workflows/release.yml:80:9 | 80 | - id: plan | _________^ 81 | | run: | | |_________^ 82 | || dist ${{ (inputs.tag && inputs.tag != 'dry-run' && format('host --steps=create --tag={0}', inputs.tag)) || 'plan' }} --out... 83 | || echo "dist ran successfully" 84 | || cat plan-dist-manifest.json 85 | || echo "manifest=$(jq -c "." plan-dist-manifest.json)" >> "$GITHUB_OUTPUT" | ||__________________________________________________________________________________^ this step | ||__________________________________________________________________________________^ inputs.tag may expand into attacker-controllable code | = note: audit confidence → Low error[template-injection]: code injection via template expansion --> /Users/alexw/dev/ruff/.github/workflows/release.yml:80:9 | 80 | - id: plan | _________^ 81 | | run: | | |_________^ 82 | || dist ${{ (inputs.tag && inputs.tag != 'dry-run' && format('host --steps=create --tag={0}', inputs.tag)) || 'plan' }} --out... 83 | || echo "dist ran successfully" 84 | || cat plan-dist-manifest.json 85 | || echo "manifest=$(jq -c "." plan-dist-manifest.json)" >> "$GITHUB_OUTPUT" | ||__________________________________________________________________________________^ this step | ||__________________________________________________________________________________^ inputs.tag may expand into attacker-controllable code | = note: audit confidence → Low error[template-injection]: code injection via template expansion --> /Users/alexw/dev/ruff/.github/workflows/release.yml:80:9 | 80 | - id: plan | _________^ 81 | | run: | | |_________^ 82 | || dist ${{ (inputs.tag && inputs.tag != 'dry-run' && format('host --steps=create --tag={0}', inputs.tag)) || 'plan' }} --out... 83 | || echo "dist ran successfully" 84 | || cat plan-dist-manifest.json 85 | || echo "manifest=$(jq -c "." plan-dist-manifest.json)" >> "$GITHUB_OUTPUT" | ||__________________________________________________________________________________^ this step | ||__________________________________________________________________________________^ inputs.tag may expand into attacker-controllable code | = note: audit confidence → Low ``` </details> ## Test Plan `uvx pre-commit run -a` |
||
|
samypr100
|
7dbd8f0f8e |
ci(docker): incorporate docker release enhancements from uv (#13274)
## Summary This PR updates `ruff` to match `uv` updated [docker releases approach](https://github.com/astral-sh/uv/blob/main/.github/workflows/build-docker.yml). It's a combined PR with changes from these PR's * https://github.com/astral-sh/uv/pull/6053 * https://github.com/astral-sh/uv/pull/6556 * https://github.com/astral-sh/uv/pull/6734 * https://github.com/astral-sh/uv/pull/7568 Summary of changes / features 1. This change would publish an additional tags that includes only `major.minor`. For a release with `x.y.z`, this would publish the tags: * ghcr.io/astral-sh/ruff:latest * ghcr.io/astral-sh/ruff:x.y.z * ghcr.io/astral-sh/ruff:x.y 2. Parallelizes multi-platform builds using multiple workers (hence the new docker-build / docker-publish jobs), which cuts docker releases time in half. 3. This PR introduces additional images with the ruff binaries from scratch for both amd64/arm64 and makes the mapping easy to configure by generating the Dockerfile on the fly. This approach focuses on minimizing CI time by taking advantage of dedicating a worker per mapping (20-30s~ per job). For example, on release `x.y.z`, this will publish the following image tags with format `ghcr.io/astral-sh/ruff:{tag}` with manifests for both amd64/arm64. This also include `x.y` tags for each respective additional tag. Note, this version does not include the python based images, unlike `uv`. * From **scratch**: `latest`, `x.y.z`, `x.y` (currently being published) * From **alpine:3.20**: `alpine`, `alpine3.20`, `x.y.z-alpine`, `x.y.z-alpine3.20` * From **debian:bookworm-slim**: `debian-slim`, `bookworm-slim`, `x.y.z-debian-slim`, `x.y.z-bookworm-slim` * From **buildpack-deps:bookworm**: `debian`, `bookworm`, `x.y.z-debian`, `x.y.z-bookworm` 4. This PR also fixes `org.opencontainers.image.version` for all tags (including the one from `scratch`) to contain the right release version instead of branch name `main` (current behavior). ``` > docker inspect ghcr.io/astral-sh/ruff:0.6.4 | jq -r '.[0].Config.Labels' { ... "org.opencontainers.image.version": "main" } ``` Closes https://github.com/astral-sh/ruff/issues/13481 ## Test Plan Approach mimics `uv` with almost no changes so risk is low but I still tested the full workflow. * I have a working CI release pipeline on my fork run https://github.com/samypr100/ruff/actions/runs/10966657733 * The resulting images were published to https://github.com/samypr100/ruff/pkgs/container/ruff |
||
|
renovate[bot]
|
85ede4a88c | Update docker/build-push-action action to v6 (#12127) | ||
|
Charlie Marsh
|
b0b68a5601 |
Migrate release workflow to cargo-dist (#9559)
## Summary This PR migrates our release workflow to [`cargo-dist`](https://github.com/axodotdev/cargo-dist). The primary motivation here is that we want to ship dedicated installers for Ruff that work across platforms, and `cargo-dist` gives us those installers out-of-the-box. The secondary motivation is that `cargo-dist` formalizes some of the patterns that we've built up over time in our own release process. At a high level: - The `release.yml` file is generated by `cargo-dist` with `cargo dist generate`. It doesn't contain any modifications vis-a-vis the generated file. (If it's edited out of band from generation, the release fails.) - Our customizations are inserted as custom steps within the `cargo-dist` workflow. Specifically, `build-binaries` builds the wheels and packages them into binaries (as on `main`), while `build-docker.yml` builds the Docker image. `publish-pypi.yml` publishes the wheels to PyPI. This is effectively our `release.yaml` (on `main`), broken down into individual workflows rather than steps within a single workflow. ### Changes from `main` The workflow is _nearly_ unchanged. We kick off a release manually via the GitHub Action by providing a tag. If the tag doesn't match the `Cargo.toml`, the release fails. If the tag matches an already-existing release, the release fails. The release proceeds by (in order): 0. Doing some upfront validation via `cargo-dist`. 1. Creating the wheels and archives. 2. Building and pushing the Docker image. 3. Publishing to PyPI (if it's not a "dry run"). 4. Creating the GitHub Release (if it's not a "dry run"). 5. Notifying `ruff-pre-commit` (if it's not a "dry run"). There are a few changes in the workflow as compared to `main`: - **We no longer validate the SHA** (just the tag). It's not an input to the job. The Axo team is considering whether / how to support this. - **Releases are now published directly** (rather than as draft). Again, the Axo team is considering whether / how to support this. The downside of drafts is that the URLs aren't stable, so the installers don't work _as long as the release is in draft_. This is fine for our workflow. It seems like the Axo team will add it. - Releases already contain the latest entry from the changelog (we don't need to copy it over). This "Just Works", which is nice, though we'll still want to edit them to add contributors. There are also a few **breaking changes** for consumers of the binaries: - **We no longer include the version tag in the file name**. This enables users to install via `/latest` URLs on GitHub, and is part of the cargo-dist paradigm. - **Archives now include an extra level of nesting,** which you can remove with `--strip-components=1` when untarring. Here's an example release that I created -- I omitted all the artifacts since I was just testing a workflow, so none of the installers or links work, but it gives you a sense for what the release looks like: https://github.com/charliermarsh/cargodisttest/releases/tag/0.1.13. ### Test Plan I ran a successful release to completion last night, and installed Ruff via the installer:   The piece I'm least confident about is the Docker push. We build the image, but the push fails in my test repo since I haven't wired up the credentials. |