Merge remote-tracking branch 'upstream/dev' into dedupe-batching

Author: valentijnscholten

.github/renovate.json

@@ -23,6 +23,15 @@
     "commitMessageSuffix": "({{packageFile}})",
     "labels": ["dependencies"]
   }],
+  "customDatasources": {
+    "endoflife-oldest-maintained": {
+      "defaultRegistryUrlTemplate": "https://endoflife.date/api/v1/products/{{packageName}}",
+      "format": "json",
+      "transformTemplates": [
+        "{ \"releases\": [$.result.releases[isMaintained = true]^(<eolFrom)[0].latest.{\"version\": name, \"releaseTimestamp\": date, \"changelogUrl\": link}], \"sourceUrl\": \"https://github.com/kubernetes/kubernetes\", \"homepage\": \"https://kubernetes.io/\" }"
+      ]
+    }
+  },
   "customManagers": [
     {
       "customType": "regex",

.github/workflows/helm-docs-updates.yml

@@ -18,7 +18,7 @@ jobs:
           # are tested (https://kubernetes.io/releases/)
           - k8s: 'v1.34.1' # renovate: datasource=github-releases depName=kubernetes/kubernetes versioning=loose
             os: debian
-          - k8s: 'v1.31.13' # Do not track with renovate as we likely want to rev this manually
+          - k8s: 'v1.31.13' # renovate: datasource=custom.endoflife-oldest-maintained depName=kubernetes
             os: debian
     steps:
       - name: Checkout

.github/workflows/k8s-tests.yml

@@ -21,4 +21,4 @@ jobs:
         uses: suzuki-shunsuke/github-action-renovate-config-validator@c22827f47f4f4a5364bdba19e1fe36907ef1318e # v1.1.1
         with:
           strict: "true"
-          validator_version: 41.168.0 # renovate: datasource=github-releases depName=renovatebot/renovate
+          validator_version: 41.173.0 # renovate: datasource=github-releases depName=renovatebot/renovate

.github/workflows/renovate.yaml

@@ -2,124 +2,17 @@
 name: Shellcheck
 on:
   pull_request:
-env:
-  SHELLCHECK_REPO: 'koalaman/shellcheck'
-  SHELLCHECK_VERSION: 'v0.9.0' # renovate: datasource=github-releases depName=koalaman/shellcheck
-  SHELLCHECK_SHA: '038fd81de6b7e20cc651571362683853670cdc71' # Renovate config is not currently adjusted to update hash - it needs to be done manually for now
+
 jobs:
   shellcheck:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
-      - name: Grab shellcheck
-        run: |
-          set -e
-
-          SHELLCHECK_TARBALL_URL="https://github.com/${SHELLCHECK_REPO}/releases/download/${SHELLCHECK_VERSION}/shellcheck-${SHELLCHECK_VERSION}.linux.x86_64.tar.xz"
-          SHELLCHECK_TARBALL_LOC="shellcheck.tar.xz"
-          curl -L "${SHELLCHECK_TARBALL_URL}" -o "${SHELLCHECK_TARBALL_LOC}"
-          tarball_sha=$(shasum ${SHELLCHECK_TARBALL_LOC} | awk '{print $1}')
-          if [ "${tarball_sha}" != "${SHELLCHECK_SHA}" ]; then
-            echo "Got invalid SHA for shellcheck: ${tarball_sha}"
-            exit 1
-          fi
-          tar -xvf "${SHELLCHECK_TARBALL_LOC}"
-          cd "shellcheck-${SHELLCHECK_VERSION}" || exit 1
-          mv shellcheck "${GITHUB_WORKSPACE}/shellcheck"
-
-      - name: Run shellcheck
-        shell: bash
-        run: |
-          set -o pipefail
-
-          # Make sure we already put the proper shellcheck binary in place
-          if [ ! -f "./shellcheck" ]; then
-              echo "shellcheck not found"
-              exit 1
-          fi
-
-          # Make sure we know what to compare the PR's changes against
-          if [ -z "${GITHUB_BASE_REF}" ]; then
-              echo "No base reference supplied"
-              exit 1
-          fi
-
-          num_findings=0
-
-          # Execute shellcheck and add errors based on the output
-          run_shellcheck() {
-              local modified_shell_script="${1}"
-              local findings_file="findings.txt"
-
-              # Remove leftover findings file from previous iterations
-              if [ -f "${findings_file}" ]; then
-                  rm "${findings_file}"
-              fi
-
-              echo "Running shellcheck against ${modified_shell_script}..."
-
-              # If shellcheck reported no errors (exited with 0 status code), return
-              if ./shellcheck -f json -S warning "${modified_shell_script}" | jq -c '.[]' > "${findings_file}"; then
-                  return 0
-              fi
-
-              # Walk each of the individual findings
-              while IFS= read -r finding; do
-                  num_findings=$((num_findings+1))
-
-                  line=$(echo "${finding}" | jq '.line')
-                  end_line=$(echo "${finding}" | jq '.endLine')
-                  column=$(echo "${finding}" | jq '.column')
-                  end_column=$(echo "${finding}" | jq '.endColumn')
-                  code=$(echo "${finding}" | jq '.code')
-                  title="SC${code}"
-                  message="$(echo "${finding}" | jq -r '.message') See https://github.com/koalaman/shellcheck/wiki/${title}"
-
-                  echo "Line: ${line}"
-                  echo "End line: ${end_line}"
-                  echo "Column: ${column}"
-                  echo "End column: ${end_column}"
-                  echo "Title: ${title}"
-                  echo "Message: ${message}"
-
-                  # Raise an error with the file/line/etc
-                  echo "::error file=${modified_shell_script},line=${line},endLine=${end_line},column=${column},endColumn=${end_column},title=${title}::${message}"
-              done < ${findings_file}
-          }
-
-          # Find the shell scripts that were created or modified by this PR
-          find_modified_shell_scripts() {
-              shell_scripts="shell_scripts.txt"
-              modified_files="modified_files.txt"
-              modified_shell_scripts="modified_shell_scripts.txt"
-
-              find . -name "*.sh" -or -name "*.bash" | sed 's#^\./##' > "${shell_scripts}"
-              git diff --name-only "origin/${GITHUB_BASE_REF}" HEAD > "${modified_files}"
-
-              if [ ! -s "${shell_scripts}" ] || [ ! -s "${modified_files}" ]; then
-                  echo "No modified shell scripts detected"
-                  exit 0
-              fi
-
-              if ! grep -Fxf "${shell_scripts}" "${modified_files}" > "${modified_shell_scripts}"; then
-                echo "No modified shell scripts detected"
-                exit 0
-              fi
-          }
-
-          git fetch origin "${GITHUB_BASE_REF}" || exit 1
-
-          find_modified_shell_scripts
-
-          # Loop through the modified shell scripts
-          while IFS= read -r modified_shell_script; do
-              run_shellcheck "${modified_shell_script}"
-          done < ${modified_shell_scripts}
-
-          # If shellcheck reported any findings, fail the workflow
-          if [ ${num_findings} -gt 0 ]; then
-              echo "shellcheck reported ${num_findings} findings."
-              exit 1
-          fi
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
+        with:
+          version: 'v0.11.0' # renovate: datasource=github-releases depName=koalaman/shellcheck versioning=loose
+        env:
+          SHELLCHECK_OPTS: -e SC1091 -e SC2086  # TODO: fix following findings

.github/workflows/shellcheck.yml

@@ -11,7 +11,7 @@ jobs:
     if: github.repository == 'DefectDojo/django-DefectDojo' # Notify only in core repo, not in forks - it would just fail in fork
     steps:
       - name: Notify reviewers in Slack
-        uses: DefectDojo-Inc/notify-pr-reviewers-action@be26734e06338b41be6e70ce96027a51aa9ba9c6 # master
+        uses: DefectDojo-Inc/notify-pr-reviewers-action@master # Do not use a specific version to always get the latest updates
         with:
           owner: "DefectDojo"
           repository: "django-DefectDojo"

.github/workflows/slack-pr-reminder.yml

@@ -32,7 +32,7 @@ jobs:
              helm dependency update ./helm/defectdojo
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # v2.8.0
         with:
           yamale_version: 6.0.0 # renovate: datasource=pypi depName=yamale versioning=semver
           yamllint_version: 1.37.1 # renovate: datasource=pypi depName=yamllint versioning=semver
@@ -107,12 +107,25 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      
+  
+      - name: Update values in HELM chart
+        if: startsWith(github.head_ref, 'renovate/') || startsWith(github.head_ref, 'dependabot/')
+        run: |
+          yq -i '.annotations."artifacthub.io/changes" += "- kind: changed\n  description: ${{ github.event.pull_request.title }}\n"' helm/defectdojo/Chart.yaml
+
+      - name: Run helm-docs (update)
+        uses: losisin/helm-docs-github-action@a57fae5676e4c55a228ea654a1bcaec8dd3cf5b5 # v1.6.2
+        if: startsWith(github.head_ref, 'renovate/') || startsWith(github.head_ref, 'dependabot/')
+        with:
+          chart-search-root: "helm/defectdojo"
+          git-push: true
+
       # Documentation provided in the README file needs to contain the latest information from `values.yaml` and all other related assets.
       # If this step fails, install https://github.com/norwoodj/helm-docs and run locally `helm-docs --chart-search-root helm/defectdojo` before committing your changes.
       # The helm-docs documentation will be generated for you.
-      - name: Run helm-docs
+      - name: Run helm-docs (check)
         uses: losisin/helm-docs-github-action@a57fae5676e4c55a228ea654a1bcaec8dd3cf5b5 # v1.6.2
+        if: ! startsWith(github.head_ref, 'renovate/') || startsWith(github.head_ref, 'dependabot/')
         with:
           fail-on-diff: true
           chart-search-root: "helm/defectdojo"

.github/workflows/test-helm-chart.yml

@@ -1,7 +1,7 @@
 
 # code: language=Dockerfile
 
-FROM openapitools/openapi-generator-cli:v7.16.0@sha256:e56372add5e038753fb91aa1bbb470724ef58382fdfc35082bf1b3e079ce353c AS openapitools
+FROM openapitools/openapi-generator-cli:v7.17.0@sha256:868b97eb4e5080d2cdfd5b3eeaa4d52e4bbb7c56f14e234b08b0b0bc4f38a78f AS openapitools
 # currently only supports x64, no arm yet due to chrome and selenium dependencies
 FROM python:3.13.7-slim-trixie@sha256:5f55cdf0c5d9dc1a415637a5ccc4a9e18663ad203673173b8cda8f8dcacef689 AS build
 WORKDIR /app

Dockerfile.integration-tests-debian

@@ -63,7 +63,7 @@ COPY dojo/ ./dojo/
 # always collect static for debug toolbar as we can't make it dependant on env variables or build arguments without breaking docker layer caching
 RUN env DD_SECRET_KEY='.' DD_DJANGO_DEBUG_TOOLBAR_ENABLED=True python3 manage.py collectstatic --noinput --verbosity=2 && true
 
-FROM nginx:1.29.2-alpine3.22@sha256:61e01287e546aac28a3f56839c136b31f590273f3b41187a36f46f6a03bbfe22
+FROM nginx:1.29.3-alpine3.22@sha256:b3c656d55d7ad751196f21b7fd2e8d4da9cb430e32f646adcf92441b72f82b14
 ARG uid=1001
 ARG appuser=defectdojo
 COPY --from=collectstatic /app/static/ /usr/share/nginx/html/static/

Dockerfile.nginx-alpine

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.52.0-dev",
+  "version": "2.53.0-dev",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {