From 42766a1e57da9c4616f818249f06cf6d356d3fee Mon Sep 17 00:00:00 2001 From: Techassi Date: Thu, 24 Apr 2025 10:04:19 +0200 Subject: [PATCH 01/10] chore: Bump cachix/install-nix-action to 31.2.0 --- .github/workflows/generate_prs.yml | 2 +- template/.github/workflows/build.yml.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/generate_prs.yml b/.github/workflows/generate_prs.yml index 325cbcd6..7628aa44 100644 --- a/.github/workflows/generate_prs.yml +++ b/.github/workflows/generate_prs.yml @@ -108,7 +108,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - uses: cachix/install-nix-action@754537aaedb35f72ab11a60cc162c49ef3016495 # v31.2.0 - name: Install Ansible env: DEBIAN_FRONTEND: noninteractive diff --git a/template/.github/workflows/build.yml.j2 b/template/.github/workflows/build.yml.j2 index a5e2a90b..f0963616 100644 --- a/template/.github/workflows/build.yml.j2 +++ b/template/.github/workflows/build.yml.j2 @@ -334,7 +334,7 @@ jobs: with: persist-credentials: false submodules: recursive - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - uses: cachix/install-nix-action@754537aaedb35f72ab11a60cc162c49ef3016495 # v31.2.0 - uses: dtolnay/rust-toolchain@c5a29ddb4d9d194e7c84ec8c3fba61b1c31fee8c with: toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} From 8fcf7a30e86466433cc6b3fc3030abf5d579c13d Mon Sep 17 00:00:00 2001 From: Techassi Date: Thu, 24 Apr 2025 10:05:28 +0200 Subject: [PATCH 02/10] chore: Bump stackabletech/actions/run-pre-commit to 0.8.0 --- .github/workflows/pr_pre-commit.yml | 2 +- template/.github/workflows/pr_pre-commit.yaml.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr_pre-commit.yml b/.github/workflows/pr_pre-commit.yml index 77cf8bfd..9a48f328 100644 --- a/.github/workflows/pr_pre-commit.yml +++ b/.github/workflows/pr_pre-commit.yml @@ -18,7 +18,7 @@ jobs: with: persist-credentials: false fetch-depth: 0 - - uses: stackabletech/actions/run-pre-commit@2d3d7ddad981ae09901d45a0f6bf30c2658b1b78 # v0.7.0 + - uses: stackabletech/actions/run-pre-commit@4bfd3b65f22af597fe784599c077dc34bf5894a7 # v0.8.0 with: python-version: ${{ env.PYTHON_VERSION }} hadolint: ${{ env.HADOLINT_VERSION }} diff --git a/template/.github/workflows/pr_pre-commit.yaml.j2 b/template/.github/workflows/pr_pre-commit.yaml.j2 index 141578bc..2ce38c74 100644 --- a/template/.github/workflows/pr_pre-commit.yaml.j2 +++ b/template/.github/workflows/pr_pre-commit.yaml.j2 @@ -24,7 +24,7 @@ jobs: persist-credentials: false submodules: recursive fetch-depth: 0 - - uses: stackabletech/actions/run-pre-commit@2d3d7ddad981ae09901d45a0f6bf30c2658b1b78 # v0.7.0 + - uses: stackabletech/actions/run-pre-commit@4bfd3b65f22af597fe784599c077dc34bf5894a7 # v0.8.0 with: python-version: ${{ env.PYTHON_VERSION }} rust: ${{ env.RUST_TOOLCHAIN_VERSION }} From 4325b999a34ffc7b58ae2d851e47d127df19a5e1 Mon Sep 17 00:00:00 2001 From: Techassi Date: Thu, 24 Apr 2025 10:06:48 +0200 Subject: [PATCH 03/10] chore(template): Bump dtolnay/rust-toolchain --- template/.github/workflows/build.yml.j2 | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/template/.github/workflows/build.yml.j2 b/template/.github/workflows/build.yml.j2 index f0963616..0303c38a 100644 --- a/template/.github/workflows/build.yml.j2 +++ b/template/.github/workflows/build.yml.j2 @@ -50,7 +50,7 @@ jobs: with: persist-credentials: false submodules: recursive - - uses: dtolnay/rust-toolchain@c5a29ddb4d9d194e7c84ec8c3fba61b1c31fee8c + - uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 with: toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7 @@ -126,7 +126,7 @@ jobs: with: persist-credentials: false submodules: recursive - - uses: dtolnay/rust-toolchain@c5a29ddb4d9d194e7c84ec8c3fba61b1c31fee8c + - uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 with: toolchain: ${{ env.RUST_NIGHTLY_TOOLCHAIN_VERSION }} components: rustfmt @@ -147,7 +147,7 @@ jobs: with: persist-credentials: false submodules: recursive - - uses: dtolnay/rust-toolchain@c5a29ddb4d9d194e7c84ec8c3fba61b1c31fee8c + - uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 with: toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} components: clippy @@ -182,7 +182,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: recursive - - uses: dtolnay/rust-toolchain@c5a29ddb4d9d194e7c84ec8c3fba61b1c31fee8c + - uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 with: toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} components: rustfmt @@ -205,7 +205,7 @@ jobs: with: persist-credentials: false submodules: recursive - - uses: dtolnay/rust-toolchain@c5a29ddb4d9d194e7c84ec8c3fba61b1c31fee8c + - uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 with: toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7 @@ -270,7 +270,7 @@ jobs: with: version: v3.16.1 - name: Set up cargo - uses: dtolnay/rust-toolchain@c5a29ddb4d9d194e7c84ec8c3fba61b1c31fee8c + uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 with: toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7 @@ -335,7 +335,7 @@ jobs: persist-credentials: false submodules: recursive - uses: cachix/install-nix-action@754537aaedb35f72ab11a60cc162c49ef3016495 # v31.2.0 - - uses: dtolnay/rust-toolchain@c5a29ddb4d9d194e7c84ec8c3fba61b1c31fee8c + - uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 with: toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} components: rustfmt From 275556be7022af8986a0434929c8522d8f53ebaf Mon Sep 17 00:00:00 2001 From: Techassi Date: Thu, 24 Apr 2025 10:07:58 +0200 Subject: [PATCH 04/10] chore(template): Bump Swatinem/rust-cache to 2.7.8 squash me --- template/.github/workflows/build.yml.j2 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/template/.github/workflows/build.yml.j2 b/template/.github/workflows/build.yml.j2 index 0303c38a..f977865f 100644 --- a/template/.github/workflows/build.yml.j2 +++ b/template/.github/workflows/build.yml.j2 @@ -53,7 +53,7 @@ jobs: - uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 with: toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7 + - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8 with: key: udeps cache-all-crates: "true" @@ -151,7 +151,7 @@ jobs: with: toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} components: clippy - - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7 + - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8 with: key: clippy cache-all-crates: "true" @@ -186,7 +186,7 @@ jobs: with: toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} components: rustfmt - - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7 + - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8 with: key: doc cache-all-crates: "true" @@ -208,7 +208,7 @@ jobs: - uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 with: toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7 + - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8 with: key: test cache-all-crates: "true" @@ -273,7 +273,7 @@ jobs: uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 with: toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7 + - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8 with: key: charts cache-all-crates: "true" From a1fbdcbcdc54115ea0d7e15e2b1b32341631c243 Mon Sep 17 00:00:00 2001 From: Techassi Date: Thu, 24 Apr 2025 10:09:14 +0200 Subject: [PATCH 05/10] chore(template): Bump EmbarkStudios/cargo-deny-action to 2.0.11 --- template/.github/workflows/build.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/.github/workflows/build.yml.j2 b/template/.github/workflows/build.yml.j2 index f977865f..8c08af44 100644 --- a/template/.github/workflows/build.yml.j2 +++ b/template/.github/workflows/build.yml.j2 @@ -114,7 +114,7 @@ jobs: with: persist-credentials: false submodules: recursive - - uses: EmbarkStudios/cargo-deny-action@8d73959fce1cdc8989f23fdf03bec6ae6a6576ef # v2.0.7 + - uses: EmbarkStudios/cargo-deny-action@34899fc7ba81ca6268d5947a7a16b4649013fea1 # v2.0.11 with: command: check ${{ matrix.checks }} From 252ba4a0ee46610c57b95c1ad7f2041b0e7735e9 Mon Sep 17 00:00:00 2001 From: Techassi Date: Thu, 24 Apr 2025 10:10:08 +0200 Subject: [PATCH 06/10] chore(template): Bump actions/setup-python to 5.6.0 --- template/.github/workflows/build.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/.github/workflows/build.yml.j2 b/template/.github/workflows/build.yml.j2 index 8c08af44..3b630a22 100644 --- a/template/.github/workflows/build.yml.j2 +++ b/template/.github/workflows/build.yml.j2 @@ -226,7 +226,7 @@ jobs: with: persist-credentials: false submodules: recursive - - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ env.PYTHON_VERSION }} - name: Install jinja2-cli From 4a363ce39ab2858cc3258bed6cba1ac6ab8a643d Mon Sep 17 00:00:00 2001 From: Techassi Date: Thu, 24 Apr 2025 10:11:05 +0200 Subject: [PATCH 07/10] chore(template): Bump azure/setup-helm to 4.3.0 --- template/.github/workflows/build.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/.github/workflows/build.yml.j2 b/template/.github/workflows/build.yml.j2 index 3b630a22..3dee2b00 100644 --- a/template/.github/workflows/build.yml.j2 +++ b/template/.github/workflows/build.yml.j2 @@ -266,7 +266,7 @@ jobs: persist-credentials: false submodules: recursive - name: Set up Helm - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0 with: version: v3.16.1 - name: Set up cargo From b8093da8e3cceec8295052745bab65f4216ff744 Mon Sep 17 00:00:00 2001 From: Techassi Date: Thu, 24 Apr 2025 10:12:03 +0200 Subject: [PATCH 08/10] chore(template): Bump sigstore/cosign-installer to 3.8.2 --- template/.github/workflows/build.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/template/.github/workflows/build.yml.j2 b/template/.github/workflows/build.yml.j2 index 3dee2b00..23c026f3 100644 --- a/template/.github/workflows/build.yml.j2 +++ b/template/.github/workflows/build.yml.j2 @@ -370,7 +370,7 @@ jobs: # Recreate charts and publish charts and docker image. - name: Install cosign - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1 + uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2 - name: Install syft uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0 - name: Build Docker image and Helm chart @@ -415,7 +415,7 @@ jobs: OCI_REGISTRY_SDP_CHARTS_USERNAME: "robot$sdp-charts+github-action-build" steps: - name: Install cosign - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1 + uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2 - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: From cab6673ffa31b1a7dc018e413ee8c463fed2ebc7 Mon Sep 17 00:00:00 2001 From: Techassi Date: Thu, 24 Apr 2025 10:12:34 +0200 Subject: [PATCH 09/10] chore(template): Bump rustsec/audit-check to 2.0.0 --- template/.github/workflows/general_daily_security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/.github/workflows/general_daily_security.yml b/template/.github/workflows/general_daily_security.yml index f6b90496..46a1862d 100644 --- a/template/.github/workflows/general_daily_security.yml +++ b/template/.github/workflows/general_daily_security.yml @@ -19,6 +19,6 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - - uses: rustsec/audit-check@dd51754d4e59da7395a4cd9b593f0ff2d61a9b95 # v1.4.1 + - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0 with: token: ${{ secrets.GITHUB_TOKEN }} From 36054fbcbe14a40e30b362d966ebc5871d1d3b93 Mon Sep 17 00:00:00 2001 From: Techassi Date: Thu, 24 Apr 2025 10:13:20 +0200 Subject: [PATCH 10/10] chore(template): Add TODO comments to build workflow --- template/.github/workflows/build.yml.j2 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/template/.github/workflows/build.yml.j2 b/template/.github/workflows/build.yml.j2 index 23c026f3..d5e87ba4 100644 --- a/template/.github/workflows/build.yml.j2 +++ b/template/.github/workflows/build.yml.j2 @@ -155,6 +155,7 @@ jobs: with: key: clippy cache-all-crates: "true" + # TODO (@Techassi): Remove this step (unmaintained action, kinda useless step anyway) - name: Run clippy action to produce annotations uses: giraffate/clippy-action@13b9d32482f25d29ead141b79e7e04e7900281e0 # v1.0.1 env: @@ -164,12 +165,14 @@ jobs: clippy_flags: --all-targets -- -D warnings reporter: 'github-pr-review' github_token: ${{ secrets.GITHUB_TOKEN }} + # TODO (@Techassi): Remove, done by pre-commit - name: Run clippy manually without annotations env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} if: env.GITHUB_TOKEN == null run: cargo clippy --color never -q --all-targets -- -D warnings + # TODO (@Techassi): Can be done by pre-commit run_rustdoc: name: Run RustDoc runs-on: ubuntu-latest @@ -192,6 +195,7 @@ jobs: cache-all-crates: "true" - run: cargo doc --document-private-items + # TODO (@Techassi): Remove, done by pre-commit run_tests: name: Run Cargo Tests runs-on: ubuntu-latest @@ -304,6 +308,8 @@ jobs: - name: log run: echo All tests have passed! + # TODO (@Techassi): Most of these publishing and signing tasks can be done by our own actions. + # Make use of them just like we do in docker-images. package_and_publish: name: Package Charts, Build Docker Image and publish them - ${{ matrix.runner }} needs: