10 changes: 5 additions & 5 deletions .github/workflows/build-push-chart.yml
Expand Up @@ -15,7 +15,7 @@ name: Build/Push Image and Release Charts
permissions: read-all
jobs:
setenv:
uses: ortelius/workflow-toolkit/.github/workflows/env-config-workflow.yml@f4838576b2f6cc71062002313e23e7be5c636158
uses: ortelius/workflow-toolkit/.github/workflows/env-config-workflow.yml@9d6701c2bf14c91cacc3718682e6c11eb41ecbf9
with:
gh_head_ref: ${{ github.head_ref }}
gh_ref_name: ${{ github.ref_name }}
Expand All @@ -27,7 +27,7 @@ jobs:
permissions:
id-token: write
contents: write
uses: ortelius/workflow-toolkit/.github/workflows/container-release-workflow.yml@f4838576b2f6cc71062002313e23e7be5c636158
uses: ortelius/workflow-toolkit/.github/workflows/container-release-workflow.yml@9d6701c2bf14c91cacc3718682e6c11eb41ecbf9
needs: setenv
with:
gh_repository_owner: ${{ github.repository_owner }}
Expand All @@ -44,7 +44,7 @@ jobs:
permissions:
security-events: write
statuses: write
uses: ortelius/workflow-toolkit/.github/workflows/trivy-scan-workflow.yml@f4838576b2f6cc71062002313e23e7be5c636158
uses: ortelius/workflow-toolkit/.github/workflows/trivy-scan-workflow.yml@9d6701c2bf14c91cacc3718682e6c11eb41ecbf9
needs:
- setenv
- release
Expand All @@ -56,7 +56,7 @@ jobs:
helm:
permissions:
contents: write
uses: ortelius/workflow-toolkit/.github/workflows/helm-release-workflow.yml@f4838576b2f6cc71062002313e23e7be5c636158
uses: ortelius/workflow-toolkit/.github/workflows/helm-release-workflow.yml@9d6701c2bf14c91cacc3718682e6c11eb41ecbf9
needs:
- setenv
- release
Expand All @@ -76,7 +76,7 @@ jobs:
GPG_KEY: ${{ secrets.GPG_KEY }}
gh_token: ${{ secrets.HELM_INDEXER_TOKEN }}
sbom:
uses: ortelius/workflow-toolkit/.github/workflows/sbom-generation-workflow.yml@f4838576b2f6cc71062002313e23e7be5c636158
uses: ortelius/workflow-toolkit/.github/workflows/sbom-generation-workflow.yml@9d6701c2bf14c91cacc3718682e6c11eb41ecbf9
needs:
- setenv
- release
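Review bot: The reusable-workflow pins in this file (`env-config-workflow.yml`, `container-release-workflow.yml`, `trivy-scan-workflow.yml`, `helm-release-workflow.yml`, `sbom-generation-workflow.yml`) carry a bare commit SHA with no trailing version comment, unlike the `# v2.13.0`-style annotations on the pins in the other workflow files of this change, so nothing in the diff says which workflow-toolkit release the new SHA corresponds to. These callees are granted `id-token: write` and `contents: write`, and the job just above `sbom` passes `secrets.GPG_KEY` and `secrets.HELM_INDEXER_TOKEN`, so the pin should be checkable by a reader: append a comment to each `uses:` line, e.g. `# <workflow-toolkit tag or release for this SHA>`. If the toolkit publishes no tags, a comment naming the branch the SHA was taken from serves the same purpose. The job bodies continue outside the visible hunks.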
8 changes: 4 additions & 4 deletions .github/workflows/codeql.yml
Expand Up @@ -21,19 +21,19 @@ jobs:

steps:
- name: Harden Runner
uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

- name: Initialize CodeQL
uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
uses: github/codeql-action/init@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
with:
languages: "python"

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
uses: github/codeql-action/analyze@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
with:
category: "/language:python"
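Review bot: The `Checkout repository` step has no `with:` block, so `actions/checkout` keeps its default of persisting the job token in the local git configuration for the rest of the job, whereas `scorecard.yml` in this same change already sets `persist-credentials: false`. The CodeQL init and analyze steps shown here do not appear to need git credentials, so the step can match: add `with:` and `persist-credentials: false` under the `uses: actions/checkout@…` line. The job's `permissions:` block sits above the hunk and is not visible, so what that token is allowed to do cannot be checked from here.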
12 changes: 6 additions & 6 deletions .github/workflows/mega-linter.yml
Expand Up @@ -25,12 +25,12 @@ jobs:
steps:
# Git Checkout
- name: Harden Runner
uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
with:
egress-policy: audit

- name: Checkout Code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
fetch-depth: 0 # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances
Expand All @@ -40,7 +40,7 @@ jobs:
id: ml
# You can override MegaLinter flavor used to have faster performances
# More info at https://megalinter.io/flavors/
uses: oxsecurity/megalinter/flavors/python@ec124f7998718d79379a3c5b39f5359952baf21d # v8.4.2
uses: oxsecurity/megalinter/flavors/python@e08c2b05e3dbc40af4c23f41172ef1e068a7d651 # v8.8.0
env:
# All available variables are described in documentation
# https://megalinter.io/configuration/
Expand All @@ -51,7 +51,7 @@ jobs:
# Upload MegaLinter artifacts
- name: Archive production artifacts
if: ${{ success() || failure() }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: MegaLinter reports
path: |
Expand All @@ -62,7 +62,7 @@ jobs:
- name: Create Pull Request with applied fixes
id: cpr
if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
with:
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
commit-message: "[MegaLinter] Apply linters automatic fixes"
Expand All @@ -80,7 +80,7 @@ jobs:
run: sudo chown -Rc $UID .git/
- name: Commit and push applied linter fixes
if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
with:
branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
commit_message: "[MegaLinter] Apply linters fixes"
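Review bot: `Harden Runner` stays at `egress-policy: audit` in this job, and unlike `codeql.yml` and `scorecard.yml` there is no TODO to tighten it, although this is the job that passes `secrets.PAT || secrets.GITHUB_TOKEN` to checkout and create-pull-request and runs the third-party MegaLinter and auto-commit actions bumped here. In audit mode outbound connections are only logged, so a bad release of any of these actions would not be prevented from reaching an unexpected host while the token is present. Once the audit runs have shown which endpoints the job needs, switch to `egress-policy: block` with an `allowed-endpoints:` list taken from those runs. The trailing comments also show two major-version jumps (`actions/checkout` v4.2.2 to v5.0.0, `git-auto-commit-action` v5.1.0 to v6.0.1); the `with:` inputs of the auto-commit step continue past the hunk, so they should be checked against the v6 release notes.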
8 changes: 4 additions & 4 deletions .github/workflows/scorecard.yml
Expand Up @@ -26,24 +26,24 @@ jobs:

steps:
- name: Harden Runner
uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: "Checkout code"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
with:
results_file: results.sarif
results_format: sarif
publish_results: true

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
uses: github/codeql-action/upload-sarif@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
with:
sarif_file: results.sarif
4 changes: 2 additions & 2 deletions Dockerfile
@@ -1,4 +1,4 @@
FROM cgr.dev/chainguard/python:latest-dev@sha256:9e7d10b641a219baa71afd8fec83ab8622a0486f7d8bdab4ed5536c361b1add1 AS builder
FROM cgr.dev/chainguard/python:latest-dev@sha256:0aa32d755c1c870b5a7f4da25fa86cd9c30eba6517f02abaf55a18fbec47f5fe AS builder

COPY . /app

Expand All @@ -9,7 +9,7 @@ ENV PATH=/home/nonroot/.local/bin:$PATH
RUN wget -q -O - https://install.python-poetry.org | python -
RUN poetry install --no-root;

FROM cgr.dev/chainguard/python:latest@sha256:b9328fd1f02d7836c7a75b0423ea9b0098e1cc10f6d3b9398bac5ebb4410f316
FROM cgr.dev/chainguard/python:latest@sha256:17cd737bfcfd3fd8b7a32036dcbbf80ae9e85c503f0b46d755e31208a46a392f
USER nonroot
ENV DB_HOST=localhost
ENV DB_NAME=postgres
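Review bot: Both `FROM` lines are digest-pinned, but the builder stage still pipes `https://install.python-poetry.org` straight into `python -` with no version or checksum, so the Poetry that resolves and installs the dependencies can change between two builds of the same commit. Pin at least the Poetry release, e.g. `RUN wget -q -O - https://install.python-poetry.org | POETRY_VERSION=<pinned version> python -`, or install a pinned, hash-checked Poetry with pip in the builder stage. The digests also sit on the floating `latest` and `latest-dev` tags, so the tag text does not say which Python version was reviewed; a short comment naming it next to each digest would help the next bump. The rest of the Dockerfile lies outside the visible hunks.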