ci: fix linter warnings

Author: fredleger

.github/actions/should-build-image/action.yml

@@ -20,19 +20,23 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - name: Checkout
+    - if: ${{ github.event_name == 'push' }}
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 2
+    - if: ${{ github.event_name != 'push' }}
       uses: actions/checkout@v4
       with:
         fetch-depth: 0
 
     - id: changed-files
-      uses: tj-actions/changed-files@v44.5.2
+      uses: tj-actions/changed-files@v45.0.5
       with:
         base_sha: ${{ inputs.base-sha }}
         since_last_remote_commit: ${{ github.event_name == 'push' }}
         files: |
-          ./${{ inputs.build-context }}/*
-          .github/actions/should-build-image/*
+          ${{ inputs.build-context }}/
+          .github/actions/should-build-image/
           .github/workflows/__shared-ci.yml
           .github/workflows/__shared-get-available-images-matrix.yml
 

.github/dependabot.template.yml

@@ -6,6 +6,8 @@ on:
       images-matrix:
         description: 'Available images matrix. Example: ["composer","drupal-10"]'
         value: ${{ jobs.get-available-images-matrix.outputs.images-matrix }}
+permissions:
+  contents: read
 
 jobs:
   get-available-images-matrix:

.github/workflows/__shared-get-available-images-matrix.yml

@@ -4,6 +4,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   get-available-images-matrix:
     uses: ./.github/workflows/__shared-get-available-images-matrix.yml
@@ -58,7 +61,7 @@ jobs:
           app_id: ${{ vars.CI_BOT_APP_ID }}
           private_key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
 
-      - uses: hoverkraft-tech/ci-github-common/actions/create-and-merge-pull-request@0.4.3
+      - uses: hoverkraft-tech/ci-github-common/actions/create-and-merge-pull-request@0.16.0
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           branch: chore/release-config

.github/workflows/generate-release-config.yml

@@ -4,6 +4,15 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+  issues: read
+  packages: write
+  pull-requests: read
+  statuses: write
+  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
+  id-token: write
+
 jobs:
   ci:
     name: Continuous Integration
@@ -15,6 +24,12 @@ jobs:
     uses: ./.github/workflows/__shared-get-available-images-matrix.yml
 
   clean:
+  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: read
+      packages: write
     needs: get-available-images-matrix
     uses: hoverkraft-tech/ci-github-container/.github/workflows/[email protected]
     with:

.github/workflows/main-ci.yml

@@ -0,0 +1,26 @@
+name: Need fix to Issue
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      #checkov:skip=CKV_GHA_7: required
+      manual-commit-ref:
+        description: "The SHA of the commit to get the diff for"
+        required: true
+      manual-base-ref:
+        description: "By default, the commit entered above is compared to the one directly before it; to go back further, enter an earlier SHA here"
+        required: false
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  main:
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/[email protected]
+    with:
+      manual-commit-ref: ${{ inputs.manual-commit-ref }}
+      manual-base-ref: ${{ inputs.manual-base-ref }}

.github/workflows/need-fix-to-issue.yml

@@ -62,7 +62,7 @@ jobs:
               core.setOutput('comment-body','No images have been built.');
             }
 
-      - uses: hoverkraft-tech/ci-github-common/actions/create-or-update-comment@0.15.0
+      - uses: hoverkraft-tech/ci-github-common/actions/create-or-update-comment@0.16.0
         with:
           title: "Images have been built :sparkles: !"
           body: |

.github/workflows/pull-request-ci.yml

@@ -3,6 +3,14 @@ name: • 🛫 Release
 on:
   workflow_dispatch:
 
+permissions:
+  contents: write
+  issues: read
+  packages: write
+  pull-requests: read
+  # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
+  id-token: write
+
 jobs:
   get-available-images-matrix:
     uses: ./.github/workflows/__shared-get-available-images-matrix.yml
@@ -48,7 +56,7 @@ jobs:
 
       - id: release
         if: steps.should-build-image.outputs.should-build-image == 'true'
-        uses: release-drafter/release-drafter@v5
+        uses: release-drafter/release-drafter@v6.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -59,36 +67,46 @@ jobs:
         if: steps.should-build-image.outputs.should-build-image == 'true' && steps.release.outputs.tag_name != ''
         run: |
           BUILD_TAG=$(echo "${{ steps.release.outputs.tag_name }}" | sed -E "s/^${{ matrix.image }}-//")
-          BUILD_IMAGES='{"name":"${{ matrix.image }}","context":"images/${{ matrix.image }}", "dockerfile":"Dockerfile", "tag":"'$BUILD_TAG'", "platforms": ["linux/amd64","linux/arm64","linux/arm/v7"]}'
+          BUILD_IMAGES='{"name":"${{ matrix.image }}","context":"images/${{ matrix.image }}", "dockerfile":"Dockerfile", "tag":"'$BUILD_TAG'", "platforms": ["linux/amd64","linux/arm64"]}'
+          echo "BUILD_IMAGES=$BUILD_IMAGES"
           echo "images<<EOF" >> "$GITHUB_OUTPUT" && echo "$BUILD_IMAGES" >> "$GITHUB_OUTPUT" && echo "EOF" >> "$GITHUB_OUTPUT"
 
       # FIXME: Set built images infos in file to be uploaded as artifacts, because github action does not handle job outputs for matrix
       # https://github.com/orgs/community/discussions/26639
       - if: steps.should-build-image.outputs.should-build-image == 'true'
-        uses: hoverkraft-tech/ci-github-common/actions/set-matrix-output@0.4.3
+        uses: hoverkraft-tech/ci-github-common/actions/set-matrix-output@0.16.0
         with:
           value: ${{ steps.set-images-to-build.outputs.images }}
           artifact-name: images-to-build
 
   # FIXME: Download matrix ouputs from artifacts, because github action does not handle job outputs for matrix
   # https://github.com/orgs/community/discussions/26639
+  # jscpd:ignore-start
   get-images-to-build:
     needs: prepare-images-to-build
     runs-on: "ubuntu-latest"
     outputs:
       images: ${{ steps.get-matrix-outputs.outputs.result }}
     steps:
       - id: get-matrix-outputs
-        uses: hoverkraft-tech/ci-github-common/actions/get-matrix-outputs@0.4.3
+        uses: hoverkraft-tech/ci-github-common/actions/get-matrix-outputs@0.16.0
         with:
           artifact-name: "images-to-build"
 
   build-images:
     needs: get-images-to-build
     if: needs.get-images-to-build.outputs.images != '[]'
+    # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659
+    permissions:
+      id-token: write
+      contents: read
+      packages: write
+      issues: read
+      pull-requests: read
     uses: hoverkraft-tech/ci-github-container/.github/workflows/[email protected]
     with:
       oci-registry: ${{ vars.OCI_REGISTRY }}
       images: ${{ needs.get-images-to-build.outputs.images }}
     secrets:
       oci-registry-password: ${{ secrets.GITHUB_TOKEN }}
+# jscpd:ignore-end

.github/workflows/release.yml

@@ -2,18 +2,25 @@
 
 Opinionated Docker base images
 
-## Builded Images
+## Our images
 
 ### [ci-helm](images/ci-helm/README.md)
 
+A docker image with all the tools needed to validate an helm chart
+
+- helm chart-testing (aka ct)
+- helm kubeconform plugin
+
 ### [mydumper](images/mydumper/README.md)
 
-### Prerequisites
+An image with an opiniated mydumper command as entrypoint
+
+## Prerequisites
 
 - [Docker](https://docs.docker.com/get-docker/)
 - Make
 
-### Linting
+## Linting
 
 - Lint all files: `make lint`
 - Lint a specific file: `make lint images/ci-helm/Dockerfile`