Merge branch 'master' into dependabot/docker/docker/cassandra/bitnami…

…/cassandra-5.0.0

.github/dependabot.yml

@@ -2,7 +2,7 @@ version: 2
 updates:
   - package-ecosystem: gomod
     directory: "/"
-    open-pull-requests-limit: 4
+    open-pull-requests-limit: 10
     schedule:
       interval: weekly
     commit-message:
@@ -38,9 +38,9 @@ updates:
         - "sigs.k8s.io/*"
   - package-ecosystem: github-actions
     directory: "/"
-    open-pull-requests-limit: 3
+    open-pull-requests-limit: 5
     schedule:
-      interval: daily
+      interval: monthly
     commit-message:
       prefix: "deps(github):"
     groups:
@@ -54,13 +54,21 @@ updates:
 
   # Update pinned pip packages via requiements.txt
   - package-ecosystem: "pip"
-    schedule: weekly
+    schedule:
+      interval: weekly
     commit-message:
       prefix: "deps(docker,pip):"
     directories:
       - "/docker/build"
       - "/docker/postgres-kanister-tools"
       - "/docker/postgresql"
+    groups:
+      common-pip:
+        patterns:
+        - "pip"
+        - "setuptools"
+        - "wheel"
+        - "awscli"
 
   - package-ecosystem: "docker"
     schedule:
@@ -96,5 +104,3 @@ updates:
       - "/docker/mssql-tools"
       - "/docker/postgresql"
       - "/docker/redis-tools"
-
-

.github/workflows/atlas-image-build.yaml

@@ -24,7 +24,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
-      - uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275 # v45.0.1
+      - uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45.0.2
         name: Get changed files
         id: changed-files
         with:
@@ -39,7 +39,7 @@ jobs:
     if: needs.check-files.outputs.changed == 'true'
     steps:
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+      uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
     - name: Image metadata
       id: meta
       uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
@@ -57,7 +57,7 @@ jobs:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
     - name: Build and push
-      uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
+      uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
       with:
         context: "{{defaultContext}}:docker/mongodb-atlas"
         push: true

.github/workflows/build_docker.yaml

@@ -47,7 +47,7 @@ jobs:
     - name: Set up QEMU
       uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
     - name: Login to GHCR
       uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
       with:
@@ -66,7 +66,7 @@ jobs:
           ${{ inputs.extra_tags }}
         labels: ${{ inputs.labels }}
     - name: Build and push
-      uses: docker/build-push-action@v6
+      uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
       with:
         context: .
         file: ${{ inputs.image_file }}

.github/workflows/dependendy-review.yml

@@ -18,4 +18,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4

.github/workflows/govulncheck.yaml

@@ -24,7 +24,7 @@ jobs:
           echo "go_version=$version" >> "$GITHUB_OUTPUT"
       - id: govulncheck
         name: 'Govulncheck'
-        uses: golang/govulncheck-action@dd0578b371c987f96d1185abb54344b44352bd58 # v1.0.3
+        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
         continue-on-error: ${{ github.event_name == 'pull_request' }}
         with:
           repo-checkout: false

.github/workflows/kanister-image-build.yaml

@@ -54,7 +54,7 @@ jobs:
     - name: Set up QEMU
       uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+      uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
     - name: Image metadata
       id: meta
       uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
@@ -73,7 +73,7 @@ jobs:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
     - name: Build and push
-      uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
+      uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
       with:
         context: "{{defaultContext}}:docker/build"
         platforms: linux/amd64,linux/arm64

.github/workflows/main.yaml

@@ -75,7 +75,7 @@ jobs:
       run: echo "${{needs.gomod.outputs.gomod}}" > go.mod
     - name: restore_gosum
       run: echo "${{needs.gomod.outputs.gosum}}" > go.sum
-    - uses: helm/[email protected]
+    - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
     - run: |
         make install-csi-hostpath-driver
         make install-minio

.github/workflows/ossf-scorecard.yml

@@ -39,12 +39,12 @@ jobs:
       -
         # Upload the results to GitHub's code scanning dashboard.
         name: "Upload to results to dashboard"
-        uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
+        uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
         with:
           sarif_file: results.sarif
       -
         name: "Upload analysis results as 'Job Artifact'"
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: SARIF file
           path: results.sarif

.github/workflows/publish_docs.yaml

@@ -0,0 +1,77 @@
+name: Publish docs
+permissions:
+  contents: read
+
+on:
+  workflow_call:
+    inputs:
+      release_tag:
+        description: 'Existing git tag in the format x.x.x'
+        required: true
+        type: string
+  workflow_dispatch:
+     inputs:
+      release_tag:
+        description: 'Existing git tag in the format x.x.x'
+        required: true
+        type: string
+
+jobs:
+  build_docs:
+    runs-on: ubuntu-latest
+    env:
+      RELEASE_TAG: ${{ inputs.release_tag }}
+    steps:
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          ref: ${{ env.RELEASE_TAG }}
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          run_install: false
+          package_json_file: docs_new/package.json
+          version: 8
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+      - name: Setup Pages
+        uses: actions/configure-pages@v5
+      - name: Install dependencies
+        run: pnpm install
+        working-directory: ./docs_new
+      - name: Build with VitePress
+        run: |
+          echo "{\"version\":\"${RELEASE_TAG}\"}" > ./.vitepress/version.json
+          pnpm docs:build
+        working-directory: ./docs_new
+      - name: Download the helm index
+        run: |
+          curl https://github.com/kanisterio/kanister/releases/download/${RELEASE_TAG}/helm_index.yaml -f -L -o docs_new/.vitepress/dist/index.yaml
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: docs_new/.vitepress/dist
+          name: docs
+
+  publish_docs:
+    needs: build_docs
+
+    # Grant GITHUB_TOKEN the permissions required to make a Pages deployment
+    permissions:
+      pages: write      # to deploy to Pages
+      id-token: write   # to verify the deployment originates from an appropriate source
+
+    # Deploy to the github-pages environment
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+
+    # Specify runner + deployment step
+    runs-on: ubuntu-latest
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4 # or specific "vX.X.X" version tag for this action
+        with:
+          artifact_name: docs

.github/workflows/release.yaml

@@ -91,79 +91,50 @@ jobs:
         export HELM_RELEASE_REPO_INDEX=https://charts.kanister.io/
         make package-helm VERSION=${RELEASE_TAG}
     - name: Free Disk Space (Ubuntu)
-      uses: jlumbroso/free-disk-space@main
+      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
     - name: gorelease
       run: make gorelease
       env:
         GHCR_LOGIN_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         GHCR_LOGIN_USER: ${{ github.actor }}
         GORELEASE_PARAMS: ${{ env.DRAFT_RELEASE == 'true' && '--draft' || '' }}
-    ## Upload to use in docs publishing
-    - uses: actions/upload-artifact@v4
-      with:
-        name: helm-index
-        path: helm_package/index.yaml
     - id: output_release
       run: echo "release_url=https://github.com/kanisterio/kanister/releases/tag/${RELEASE_TAG}" >> "$GITHUB_OUTPUT"
 
   build_docs:
-    runs-on: ubuntu-latest
     needs: [run_if, release_packages]
-    env:
-      RELEASE_TAG: ${{ needs.run_if.outputs.release_tag }}
-    steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-        with:
-          ref: ${{ env.RELEASE_TAG }}
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          run_install: false
-          package_json_file: docs_new/package.json
-          version: 8
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-      - name: Setup Pages
-        uses: actions/configure-pages@v5
-      - name: Install dependencies
-        run: pnpm install
-        working-directory: ./docs_new
-      - name: Build with VitePress
-        run: |
-          echo "{\"version\":\"${RELEASE_TAG}\"}" > ./.vitepress/version.json
-          pnpm docs:build
-        working-directory: ./docs_new
-      - name: download helm index
-        uses: actions/download-artifact@v4
-        with:
-          name: helm-index
-          path: docs_new/.vitepress/dist/helm_charts/
-      - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
-        with:
-          path: docs_new/.vitepress/dist
-
-  publish_docs_and_charts:
-    needs: build_docs
-
-    # Grant GITHUB_TOKEN the permissions required to make a Pages deployment
     permissions:
+      contents: read
       pages: write      # to deploy to Pages
       id-token: write   # to verify the deployment originates from an appropriate source
+    uses: ./.github/workflows/publish_docs.yaml
+    with:
+      release_tag: ${{ needs.run_if.outputs.release_tag }}
 
-    # Deploy to the github-pages environment
-    environment:
-      name: github-pages
-      url: ${{ steps.deployment.outputs.page_url }}
-
-    # Specify runner + deployment step
-    runs-on: ubuntu-latest
+  publish_charts:
+    needs: [run_if, release_packages]
+    env:
+      GH_TOKEN: ${{ secrets.GH_TOKEN }}
+      RELEASE_TAG: ${{ needs.run_if.outputs.release_tag }}
     steps:
-      - name: Deploy to GitHub Pages
-        id: deployment
-        uses: actions/deploy-pages@v4 # or specific "vX.X.X" version tag for this action
+      - name: clone helm pages
+        run: |
+          git clone https://infraq:${GH_TOKEN}@github.com/kanisterio/kanister-charts
+      - name: Download the helm index
+        working-directory: ./kanister-charts
+        run: |
+          curl https://github.com/kanisterio/kanister/releases/download/${RELEASE_TAG}/helm_index.yaml -f -L -o index.yaml
+      - name: Commit changes
+        working-directory: ./kanister-charts
+        run: |
+          git config --global user.name 'Kasten Production'
+          git config --global user.email '[email protected]'
+          git add -A
+          git commit -s -m "Update chart index to ${RELEASE_TAG}"
+      - name: Push changes
+        working-directory: ./kanister-charts
+        run: |
+          git push
 
   ## TODO: using https://github.com/slackapi/slack-github-action/blob/main/README.md#technique-3-slack-incoming-webhook
   ## we need to set up incoming webhook

.github/workflows/stale.yaml

@@ -22,9 +22,7 @@ jobs:
         close-pr-label: rotten
         stale-issue-label: stale
         stale-pr-label: stale
-        exempt-issue-labels:
-          - frozen
-          - accepted
+        exempt-issue-labels: frozen,accepted
         exempt-pr-labels: frozen
         close-issue-message: This issue is closed due to inactivity. Feel free to reopen it, if it's still relevant. CC @kanisterio/maintainers
         close-pr-message: This PR is closed due to inactivity. Feel free to reopen it, if it's still relevant. CC @kanisterio/maintainers

.github/workflows/triage-issues.yaml

@@ -19,13 +19,13 @@ jobs:
     steps:
     -
       name: Add label
-      uses: actions-ecosystem/[email protected]
+      uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3
       with:
         labels: "triage"
         github_token: ${{ secrets.GITHUB_TOKEN }}
     -
       name: Add comment
-      uses: actions-ecosystem/[email protected]
+      uses: actions-ecosystem/action-create-comment@e23bc59fbff7aac7f9044bd66c2dc0fe1286f80b # v1.0.2
       if: github.event.action == 'opened'
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -37,7 +37,7 @@ jobs:
           If you haven't already, please take a moment to review our project's [Code of Conduct](https://github.com/kanisterio/kanister/blob/master/CODE_OF_CONDUCT.md) document.
     -
       name: Update project
-      uses: alex-page/[email protected]
+      uses: alex-page/github-project-automation-plus@303f24a24c67ce7adf565a07e96720faf126fe36 # v0.9.0
       with:
         repo-token: ${{ secrets.GH_TOKEN }} # must use a PAT here
         project: Kanister

.github/workflows/triage-prs.yaml

@@ -20,7 +20,7 @@ jobs:
     steps:
     -
       name: Comment
-      uses: actions-ecosystem/[email protected]
+      uses: actions-ecosystem/action-create-comment@e23bc59fbff7aac7f9044bd66c2dc0fe1286f80b # v1.0.2
       # Avoid adding a comment when the PR is on the same repo.
       if: github.event.action == 'opened' && github.event.pull_request.head.repo.fork
       with:
@@ -31,7 +31,7 @@ jobs:
           If you haven't already, please take a moment to review our project [contributing guideline](https://github.com/kanisterio/kanister/blob/master/CONTRIBUTING.md) and [Code of Conduct](https://github.com/kanisterio/kanister/blob/master/CODE_OF_CONDUCT.md) document.
     -
       name: Update status in project
-      uses: alex-page/[email protected]
+      uses: alex-page/github-project-automation-plus@303f24a24c67ce7adf565a07e96720faf126fe36 # v0.9.0
       # This only works for PRs opened in the same repo and not by dependabot.
       # Other PRs don't get the necessary credentials.
       if: github.repository == 'kanisterio/kanister' && !github.event.pull_request.head.repo.fork