Align files (#131)

Co-authored-by: github-actions <[email protected]>

Author: architectbot

.github/workflows/zz_generated.check_values_schema.yaml

@@ -2,7 +2,7 @@
 #
 #    devctl
 #
-#    https://github.com/giantswarm/devctl/blob/8960b8810d2fdb97543d84baa8b50ffa40da26a9/pkg/gen/input/workflows/internal/file/check_values_schema.yaml.template
+#    https://github.com/giantswarm/devctl/blob/f2b5cf71dfa175afa70f721eca503072d0e7d4c4/pkg/gen/input/workflows/internal/file/check_values_schema.yaml.template
 #
 name: 'Values and schema'
 on:
@@ -20,7 +20,7 @@ on:
 jobs:
   check:
     name: 'validate values.yaml against values.schema.json'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/zz_generated.create_release.yaml

@@ -2,7 +2,7 @@
 #
 #    devctl
 #
-#    https://github.com/giantswarm/devctl/blob/8960b8810d2fdb97543d84baa8b50ffa40da26a9/pkg/gen/input/workflows/internal/file/create_release.yaml.template
+#    https://github.com/giantswarm/devctl/blob/9fedf13cca653e8c1828fdc57294c06273e427d6/pkg/gen/input/workflows/internal/file/create_release.yaml.template
 #
 name: Create Release
 on:
@@ -193,7 +193,7 @@ jobs:
           git push "${REMOTE_REPO}" --tags
       - name: Create release
         id: create_gh_release
-        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5  # v1.14.0
+        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174  # v1.16.0
         env:
           GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}"
         with:

.github/workflows/zz_generated.create_release_pr.yaml

@@ -2,7 +2,7 @@
 #
 #    devctl
 #
-#    https://github.com/giantswarm/devctl/blob/43bd088e6bf64525a8e566fc1b0f4761a293afc4/pkg/gen/input/workflows/internal/file/create_release_pr.yaml.template
+#    https://github.com/giantswarm/devctl/blob/771e68c7deeda0e8cbd4af23d718a34e708822e4/pkg/gen/input/workflows/internal/file/create_release_pr.yaml.template
 #
 name: Create Release PR
 on:
@@ -146,7 +146,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ needs.gather_facts.outputs.branch }}
-      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: '20'
       - uses: borales/actions-yarn@3766bb1335b98fb13c60eaf358fe20811b730a88 # v5.0.0

.github/workflows/zz_generated.fix_vulnerabilities.yaml

@@ -0,0 +1,112 @@
+# DO NOT EDIT. Generated with:
+#
+#    devctl
+#
+#    https://github.com/giantswarm/devctl/blob/4460c761238f42b86238478267338d8e2a74d901/pkg/gen/input/workflows/internal/file/fix_vulnerabilities.yaml.template
+#
+name: Fix Vulnerabilities
+on:
+  schedule:
+    - cron: '0 9 * * 1-5'
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: "Branch on which to fix vulnerabilities"
+        required: true
+        type: string
+  workflow_call:
+    inputs:
+      branch:
+        required: true
+        type: string
+jobs:
+  gather_facts:
+    name: Gather facts
+    runs-on: ubuntu-22.04
+    outputs:
+      branch: ${{ steps.gather_facts.outputs.branch }}
+      skip : ${{ steps.gather_facts.outputs.skip }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ inputs.branch || github.ref }}
+      - name: Gather facts
+        id: gather_facts
+        run: |
+          head="${{ inputs.branch || github.ref }}"
+          branch="${{ github.ref_name }}"
+
+          echo "branch=${branch}" >> $GITHUB_OUTPUT
+
+          head="${head#refs/heads/}" # Strip "refs/heads/" prefix.
+          echo "head=${head}" >> $GITHUB_OUTPUT
+
+          # Skip if there are no go mod files
+          if [[ ! -e go.mod ]] && [[ ! -e go.sum ]]; then
+            skip=true
+            echo "There are no go mod files in the repo, skipping"
+          else
+            skip=false
+          fi
+
+          echo "skip=${skip}" >> $GITHUB_OUTPUT
+          echo "head=\"$head\" branch=\"$branch\" skip=\"$skip\""
+  run_nancy_fixer:
+    name: Fix vulnerabilities with nancy-fixer
+    runs-on: ubuntu-22.04
+    needs:
+      - gather_facts
+    if: ${{ needs.gather_facts.outputs.skip != 'true' }}
+    steps:
+      - name: Generate a token
+        id: generate_token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        with:
+          app-id: ${{ secrets.HERALD_APP_ID }}
+          private-key: ${{ secrets.HERALD_APP_KEY }}
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          persist-credentials: false
+          ref: ${{ needs.gather_facts.outputs.branch }}
+      - name: Create new branch
+        id: create_branch
+        run: |
+          branch="remediate-vulnerabilities-${{ needs.gather_facts.outputs.branch }}"
+          echo "branch=${branch}" >> $GITHUB_OUTPUT
+          git checkout -b "${branch}"
+          git pull origin "${branch}" || true
+      - name: Run nancy-fixer fix
+        uses: docker://gsoci.azurecr.io/giantswarm/nancy-fixer:0.4.4
+        timeout-minutes: 20
+      - name: Set up git identity
+        run: |
+          git config --local user.email "149080493+heraldbot[bot]@users.noreply.github.com"
+          git config --local user.name "HeraldBot[bot]"
+      - name: Commit new files
+        id: commit_changes
+        run: |
+          git add -A
+          if git diff-index --quiet HEAD; then
+            echo "No changes found"
+            skip=true
+          else
+            git commit -m "Remediate Nancy findings"
+            skip=false
+          fi
+          echo "skip=${skip}" >> $GITHUB_OUTPUT
+      - name: Push changes
+        if: "${{ steps.commit_changes.outputs.skip != 'true' }}"
+        env:
+          remote_repo: "https://${{ github.actor }}:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git"
+        run: |
+          git push "${remote_repo}" HEAD:"${{ steps.create_branch.outputs.branch }}"
+      - name: Create PR
+        env:
+          GITHUB_TOKEN: "${{ steps.generate_token.outputs.token }}"
+        if: "${{ steps.commit_changes.outputs.skip != 'true' }}"
+        run: |
+          gh pr create --title "Remediate Nancy findings on ${{ needs.gather_facts.outputs.branch }}" --body "Fix Nancy findings on branch ${{ needs.gather_facts.outputs.branch }}" --head ${{ steps.create_branch.outputs.branch }} --base "${{ needs.gather_facts.outputs.branch }}"
+          gh pr merge --auto --squash

.github/workflows/zz_generated.gitleaks.yaml

@@ -2,15 +2,15 @@
 #
 #    devctl
 #
-#    https://github.com/giantswarm/devctl/blob/8960b8810d2fdb97543d84baa8b50ffa40da26a9/pkg/gen/input/workflows/internal/file/gitleaks.yaml.template
+#    https://github.com/giantswarm/devctl/blob/f2b5cf71dfa175afa70f721eca503072d0e7d4c4/pkg/gen/input/workflows/internal/file/gitleaks.yaml.template
 #
 name: gitleaks
 
 on: [pull_request]
 
 jobs:
   gitleaks:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:

.github/workflows/zz_generated.run_ossf_scorecard.yaml

@@ -2,7 +2,7 @@
 #
 #    devctl
 #
-#    https://github.com/giantswarm/devctl/blob/0a98d52f349ee9221b336515b877cd4a728ea9ca/pkg/gen/input/workflows/internal/file/run_ossf_scorecard.yaml.template
+#    https://github.com/giantswarm/devctl/blob/f2b5cf71dfa175afa70f721eca503072d0e7d4c4/pkg/gen/input/workflows/internal/file/run_ossf_scorecard.yaml.template
 #
 
 # This workflow uses actions that are not certified by GitHub. They are provided
@@ -28,7 +28,7 @@ permissions: read-all
 jobs:
   analysis:
     name: Scorecard analysis
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       # Needed to upload the results to code-scanning dashboard.
       security-events: write
@@ -45,7 +45,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -67,14 +67,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
         with:
           sarif_file: results.sarif

.pre-commit-config.yaml

@@ -1,3 +1,6 @@
+# This file is maintained centrally at
+# https://github.com/giantswarm/github/blob/main/languages/go/.pre-commit-config.yaml
+
 minimum_pre_commit_version: '2.17'
 repos:
   # shell scripts
@@ -6,26 +9,35 @@ repos:
     hooks:
       - id: shell-lint
         args: [ --format=json ]
+        exclude: ".*\\.template"
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v5.0.0
     hooks:
       - id: check-added-large-files
-      # check for unresolved merge conflicts
       - id: check-merge-conflict
       - id: check-shebang-scripts-are-executable
       - id: detect-private-key
       - id: end-of-file-fixer
+        exclude: ".*testdata/.*"
       - id: mixed-line-ending
       - id: trailing-whitespace
+        exclude: ".*testdata/.*"
 
   - repo: https://github.com/dnephin/pre-commit-golang
     rev: v0.5.1
     hooks:
       - id: go-fmt
       - id: go-mod-tidy
       - id: golangci-lint
-        # timeout is needed for CI
-        args: [ -E, gosec, -E, goconst, -E, govet, --timeout, 300s ]
+        args:
+          - -E=gosec
+          - -E=goconst
+          - -E=govet
+          # timeout is needed for CI
+          - --timeout=300s
+          # List all issues found
+          - --max-same-issues=0
+          - --max-issues-per-linter=0
       - id: go-imports
         args: [ -local, github.com/giantswarm/encryption-provider-operator ]