diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml index 00949d4..d7d7e38 100644 --- a/.github/workflows/build-and-publish.yml +++ b/.github/workflows/build-and-publish.yml @@ -8,6 +8,9 @@ on: release: types: [published] +permissions: + contents: read + packages: write env: dockerhub: ${{ secrets.DOCKERHUB_NAMESPACE }}/pihole @@ -43,19 +46,19 @@ jobs: - &checkout-repo name: Checkout Repo if: github.event_name != 'schedule' - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - &checkout-dev name: Checkout dev branch if scheduled if: github.event_name == 'schedule' - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 with: ref: development - &docker-meta name: Docker meta id: meta - uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 #v5.9.0 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 #v5.10.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} images: | @@ -70,7 +73,7 @@ jobs: - &login-dockerhub name: Login to Docker Hub - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef #v3.6.0 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 #v3.7.0 with: registry: docker.io username: ${{ secrets.DOCKERHUB_USER }} @@ -78,7 +81,7 @@ jobs: - &login-ghcr name: Login to GitHub Container Registry - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef #v3.6.0 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 #v3.7.0 with: registry: ghcr.io username: ${{ github.repository_owner }} 
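Review bot: The new workflow-level `packages: write` in build-and-publish.yml is inherited by every job in the file, which is broader than the least-privilege intent of this change; only the jobs that actually push to ghcr.io (the build matrix job with the `id: build` step and the job that downloads the digests) need it. Keep `contents: read` at the top and move `packages: write` into a job-level `permissions:` block of those jobs, e.g. `permissions:` / `contents: read` / `packages: write` under each pushing job. If every job in this workflow pushes — the full job list is outside these hunks — the current block is already minimal and this is only a consistency remark.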
@@ -91,11 +94,15 @@ jobs: - &setup-buildx name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f #v3.12.0 + with: + # Buildx version 0.31.1 broke our publish workflow, this need to be revised when 0.32.0 is released + # https://github.com/docker/buildx/releases/tag/v0.31.1 + version: v0.31.0 - name: Build container and push by digest id: build - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 #v6.19.2 with: context: ./src/ platforms: ${{ matrix.platform }} @@ -116,7 +123,7 @@ jobs: touch "/tmp/digests/${digest_docker#sha256:}" - name: Upload digest - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 #v5.0.0 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f #v6.0.0 with: name: digests-${{ env.PLATFORM_PAIR }} path: /tmp/digests/* @@ -135,7 +142,7 @@ jobs: - *checkout-dev - name: Download digests - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0 with: path: /tmp/digests pattern: digests-* diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml index c3e54a7..0521dc9 100644 --- a/.github/workflows/build-and-test.yml +++ b/.github/workflows/build-and-test.yml @@ -2,6 +2,9 @@ name: Build Image and Test on: pull_request: +permissions: + contents: read + jobs: build-and-test: runs-on: ${{ matrix.runner }} 
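Review bot: The buildx pin `version: v0.31.0` added to the setup-buildx step is the only dependency in this workflow selected by tag rather than by commit SHA or digest, so it does not get the reproducibility the SHA-pinned `uses:` lines give; whether setup-buildx-action verifies the downloaded release is not visible here, so treat the tag as mutable. The accompanying comment has no owner or tracking reference, which is how temporary pins become permanent; I would write it as `# TODO(<tracking-issue>): pinned to v0.31.0 because v0.31.1 broke the publish workflow; remove once v0.32.0 is released and verified`, keeping the `https://github.com/docker/buildx/releases/tag/v0.31.1` link as the reference. Until the pin is removed, buildx also stops advancing with the action bumps made elsewhere in this diff.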
@@ -25,13 +28,13 @@ jobs: CI_ARCH: ${{ matrix.platform }} steps: - name: Checkout Repo - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - name: Set up QEMU uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 #v3.7.0 - name: Set up Python - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c #v6.0.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0 with: python-version: "3.13" diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 7a9c781..0858ba8 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml @@ -3,6 +3,9 @@ on: pull_request: types: [opened, synchronize, reopened, ready_for_review] +permissions: + contents: read + jobs: spell-check: if: github.event.pull_request.draft == false @@ -10,7 +13,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - name: Spell-Checking uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 #v2.2 diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml index d434fc4..6865fe5 100644 --- a/.github/workflows/dockerhub-description.yml +++ b/.github/workflows/dockerhub-description.yml @@ -12,7 +12,7 @@ jobs: dockerHubDescription: runs-on: ubuntu-latest steps: - - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - name: Docker Hub Description uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa #v5 diff --git a/.github/workflows/editorconfig.yml b/.github/workflows/editorconfig.yml index 30736e5..a84e902 100644 --- a/.github/workflows/editorconfig.yml 
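Review bot: dockerhub-description.yml is the one workflow in this diff that receives only the checkout bump and no `permissions:` block, while every other workflow here gets one. Its hunk starts at line 12, so a block in lines 1–11 is not visible; if none exists, the job keeps running with the repository's default token permissions. The visible steps are `actions/checkout` and the `peter-evans/dockerhub-description` action, so a workflow-level `permissions:` / `contents: read` would match the least-privilege setting applied to the other workflows.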
+++ b/.github/workflows/editorconfig.yml @@ -3,13 +3,16 @@ on: pull_request: types: [opened, synchronize, reopened, ready_for_review] +permissions: + contents: read + jobs: editorconfig-checker: if: github.event.pull_request.draft == false runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - name: Get editorconfig-checker uses: editorconfig-checker/action-editorconfig-checker@4b6cd6190d435e7e084fb35e36a096e98506f7b9 #v2.1.0 diff --git a/.github/workflows/housekeeping.yml b/.github/workflows/housekeeping.yml index c2acdf7..2dc4933 100644 --- a/.github/workflows/housekeeping.yml +++ b/.github/workflows/housekeeping.yml @@ -4,6 +4,9 @@ on: schedule: - cron: "0 0 * * *" +permissions: + packages: write + jobs: housekeeping: runs-on: ubuntu-latest diff --git a/.github/workflows/merge-conflict.yml b/.github/workflows/merge-conflict.yml index c7ceb93..760e2fe 100644 --- a/.github/workflows/merge-conflict.yml +++ b/.github/workflows/merge-conflict.yml @@ -8,6 +8,10 @@ on: pull_request_target: types: [synchronize] +permissions: + contents: read + pull-requests: write + jobs: main: runs-on: ubuntu-latest diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 3505cb7..83a8d0f 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -6,6 +6,10 @@ on: workflow_dispatch: issue_comment: +permissions: + issues: write + pull-requests: write + env: stale_label: stale @@ -17,7 +21,7 @@ jobs: issues: write steps: - - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 #v10.1.0 + - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d #v10.1.1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} days-before-stale: 30 
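Review bot: The new `permissions:` block in housekeeping.yml grants only `packages: write`, which sets every other scope, including `contents`, to none for the whole workflow. If the housekeeping job (its steps are outside this hunk) checks out the repository or reads anything else through `GITHUB_TOKEN`, add `contents: read` next to `packages: write`; if the job only manipulates packages, the block is correct as written. Since this is the first explicit restriction of that workflow's token, one run of the scheduled job should confirm the package cleanup still succeeds.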
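Review bot: merge-conflict.yml runs on `pull_request_target`, so its job executes in the base repository with secrets and, after this change, an explicit `pull-requests: write` token; that is the right minimum for labelling or commenting on the PR, but it makes the job body (outside this hunk) the thing to verify. Confirm the job does not check out or execute the pull request head (a `ref:` pointing at `github.event.pull_request.head.sha` or at the fork), because under `pull_request_target` that would run contributor-controlled code with this write token. `contents: read` is only needed if the job checks out the base branch; if it does not, it can be dropped from the block.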
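Review bot: The workflow-level `issues: write` / `pull-requests: write` added to stale.yml overlaps the job-level `issues: write` visible in the next hunk, and a job-level `permissions:` block replaces the workflow-level one for that job rather than combining with it. The workflow-level block also omits `contents: read`, while the second job (hunk `@@ -41,7 +45,7` on the following line) runs `actions/checkout` before `gh issue edit`; if that job has no `permissions:` of its own it inherits this block and checkout would run with `contents: none`, which may fail depending on repository visibility — confirm in a run. Either give each job its own minimal block (`issues: write` for the stale job; `contents: read` plus `issues: write` for the label-removal job) and drop the workflow-level block, or add `contents: read` here.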
@@ -41,7 +45,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - name: Remove 'stale' label run: gh issue edit ${{ github.event.issue.number }} --remove-label ${{ env.stale_label }} env: diff --git a/.github/workflows/stale_pr.yml b/.github/workflows/stale_pr.yml index bb13d67..e15e3c9 100644 --- a/.github/workflows/stale_pr.yml +++ b/.github/workflows/stale_pr.yml @@ -17,7 +17,7 @@ jobs: pull-requests: write steps: - - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 #v10.1.0 + - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d #v10.1.1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} # Do not automatically mark PR/issue as stale diff --git a/.github/workflows/sync-back-to-dev.yml b/.github/workflows/sync-back-to-dev.yml index bacf3ef..9c7ba41 100644 --- a/.github/workflows/sync-back-to-dev.yml +++ b/.github/workflows/sync-back-to-dev.yml @@ -5,13 +5,17 @@ on: branches: - master +permissions: + contents: write + pull-requests: write + jobs: sync-branches: runs-on: ubuntu-latest name: Syncing branches steps: - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - name: Opening pull request run: gh pr create -B development -H master --title 'Sync master back into development' --body 'Created by Github action' --label 'internal' env: diff --git a/src/Dockerfile b/src/Dockerfile index cb7a061..cf6a6ac 100644 --- a/src/Dockerfile +++ b/src/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG FTL_SOURCE=remote # Pull Stable images -FROM alpine:3.22 AS base +FROM alpine:3.23.3@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659 AS base ARG TARGETPLATFORM ARG WEB_BRANCH="development" 
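Review bot: `contents: write` in the new sync-back-to-dev.yml block looks over-provisioned for the visible steps: `actions/checkout` needs `contents: read`, and `gh pr create -B development -H master` opens a pull request between two existing branches, which is covered by `pull-requests: write` and pushes no commits. Unless a step after the `env:` line (outside this hunk) pushes to the repository, change it to `contents: read`. If a later step does push, a comment naming that step next to `contents: write` would keep the grant justified.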
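Review bot: Pinning the base image by digest (`alpine:3.23.3@sha256:…`) makes the build reproducible, but it also freezes it: the `3.23.3` tag will be rebuilt with patched packages and this Dockerfile will not pick those up until the digest is changed by hand or by a bot. Confirm that a Renovate/Dependabot docker update rule covers `src/Dockerfile`, since nothing in this diff shows one. The `# Pull Stable images` comment above the FROM is a good place to record that, e.g. `# Base pinned by digest; refreshed by dependency automation` — only once such automation is in place.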
diff --git a/test/requirements.txt b/test/requirements.txt index cf6a1aa..eae6ccc 100644 --- a/test/requirements.txt +++ b/test/requirements.txt @@ -1,6 +1,6 @@ -pytest == 9.0.1 +pytest == 9.0.2 pytest-testinfra == 10.2.2 pytest-clarity == 1.0.1 -tox == 4.32.0 +tox == 4.35.0 # Not adding pytest-xdist as using pytest with n > 1 cores # causes random issues with the emulated architectures diff --git a/test/tests/test_bash_functions.py b/test/tests/test_bash_functions.py index 596c362..9c86b7f 100644 --- a/test/tests/test_bash_functions.py +++ b/test/tests/test_bash_functions.py @@ -6,12 +6,10 @@ import pytest def test_ftlconf_webserver_port(docker): func = docker.run("echo ${FTLCONF_webserver_port}") assert "999" in func.stdout - func = docker.run( - """ + func = docker.run(""" sleep 5 pihole-FTL --config webserver.port - """ - ) + """) assert "999" in func.stdout @@ -22,12 +20,10 @@ def test_ftlconf_webserver_port(docker): def test_ftlconf_dns_upstreams(docker): func = docker.run("echo ${FTLCONF_dns_upstreams}") assert "1.2.3.4;5.6.7.8#1234" in func.stdout - func = docker.run( - """ + func = docker.run(""" sleep 5 pihole-FTL --config dns.upstreams - """ - ) + """) assert "[ 1.2.3.4, 5.6.7.8#1234 ]" in func.stdout diff --git a/test/tests/test_general.py b/test/tests/test_general.py index c08c3ae..e29bf45 100644 --- a/test/tests/test_general.py +++ b/test/tests/test_general.py @@ -7,12 +7,10 @@ import os def test_pihole_uid_env_var(docker): func = docker.run("echo ${PIHOLE_UID}") assert "456" in func.stdout - func = docker.run( - """ + func = docker.run(""" sleep 5 id -u pihole - """ - ) + """) assert "456" in func.stdout @@ -21,12 +19,10 @@ def test_pihole_uid_env_var(docker): def test_pihole_gid_env_var(docker): func = docker.run("echo ${PIHOLE_GID}") assert "456" in func.stdout - func = docker.run( - """ + func = docker.run(""" sleep 5 id -g pihole - """ - ) + """) assert "456" in func.stdout 
@@ -90,11 +86,9 @@ def test_pihole_ftl_starts_and_shuts_down_cleanly(docker): def test_cronfile_valid(docker): - func = docker.run( - """ + func = docker.run(""" /usr/bin/crontab /crontab.txt crond -d 8 -L /cron.log grep 'parse error' /cron.log - """ - ) + """) assert "parse error" not in func.stdout