Merge branch 'dev' into dynamic-group

Author: LeoOMaia

.github/workflows/build-docker-images-for-testing.yml

@@ -24,6 +24,8 @@ jobs:
         os: [alpine, debian]
         platform: ["${{ inputs.platform }}"]
         exclude:
+            - docker-image: nginx
+              os: debian
             - docker-image: integration-tests
               os: alpine
             - docker-image: integration-tests

.github/workflows/close-stale.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Close stale issues and PRs
-        uses: actions/stale@v9
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with:
           # Disable automatic stale marking - only close manually labeled items
           days-before-stale: -1

.github/workflows/integration-tests.yml

@@ -61,7 +61,7 @@ jobs:
       - name: Load docker images
         timeout-minutes: 10
         run: |-
-             docker load -i built-docker-image/nginx-${{ matrix.os }}-linux-amd64_img
+             docker load -i built-docker-image/nginx-alpine-linux-amd64_img
              docker load -i built-docker-image/django-${{ matrix.os }}-linux-amd64_img
              docker load -i built-docker-image/integration-tests-debian-linux-amd64_img
              docker images
@@ -73,14 +73,14 @@ jobs:
         run: docker compose up --no-deps -d postgres nginx celerybeat celeryworker mailhog uwsgi redis
         env:
           DJANGO_VERSION: ${{ matrix.os }}
-          NGINX_VERSION: ${{ matrix.os }}
+          NGINX_VERSION: alpine
 
       - name: Initialize
         timeout-minutes: 10
         run: docker compose up --no-deps --exit-code-from initializer initializer
         env:
           DJANGO_VERSION: ${{ matrix.os }}
-          NGINX_VERSION: ${{ matrix.os }}
+          NGINX_VERSION: alpine
 
       - name: Integration tests
         timeout-minutes: 10

.github/workflows/k8s-tests.yml

@@ -27,7 +27,7 @@ jobs:
           # are tested (https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#available-versions)
           - databases: pgsql
             brokers: redis
-            k8s: 'v1.30.3'
+            k8s: 'v1.33.4'
             os: debian
     steps:
       - name: Checkout
@@ -57,8 +57,10 @@ jobs:
         timeout-minutes: 15
         run: |-
              eval $(minikube docker-env)
-             docker load -i built-docker-image/nginx-${{ matrix.os }}-linux-amd64_img
+             docker load -i built-docker-image/nginx-alpine-linux-amd64_img
              docker load -i built-docker-image/django-${{ matrix.os }}-linux-amd64_img
+             docker tag defectdojo/defectdojo-nginx:alpine defectdojo/defectdojo-nginx:latest
+             docker tag defectdojo/defectdojo-django:${{ matrix.os }} defectdojo/defectdojo-django:latest
              docker images
 
       - name: Configure HELM repos
@@ -87,8 +89,7 @@ jobs:
                --set initializer.keepSeconds="-1" \
                ${{ env[matrix.databases] }} \
                ${{ env[matrix.brokers] }} \
-               --set createSecret=true \
-               --set tag=${{ matrix.os }}
+               --set createSecret=true
 
       - name: Check deployment status
         if: always()
@@ -125,7 +126,7 @@ jobs:
              while :
                do
                DJANGO_IP=$(kubectl get svc defectdojo-django -o jsonpath='{.spec.clusterIP}')
-               OUT=$(kubectl run  curl --quiet=true --image=curlimages/curl:7.73.0 \
+               OUT=$(kubectl run  curl --quiet=true --image=curlimages/curl:8.15.0 \
                   --overrides='{ "apiVersion": "v1" }' \
                   --restart=Never -i --rm -- \
                     --silent \
@@ -156,7 +157,7 @@ jobs:
              ADMIN_PASS=$(kubectl get secret/defectdojo -o jsonpath='{.data.DD_ADMIN_PASSWORD}' | base64 -d)
              echo "Simple API check"
              DJANGO_IP=$(kubectl get svc defectdojo-django -o jsonpath='{.spec.clusterIP}')
-             CR=$(kubectl run  curl --quiet=true --image=curlimages/curl:7.73.0 \
+             CR=$(kubectl run  curl --quiet=true --image=curlimages/curl:8.15.0 \
                --overrides='{ "apiVersion": "v1" }' \
                --restart=Never -i --rm -- \
                  --silent \

.github/workflows/plantuml.yml

@@ -36,6 +36,9 @@ jobs:
       matrix:
           docker-image: [django, nginx]
           os: [alpine, debian]
+          exclude:
+              - docker-image: nginx
+                os: debian
     steps:
       # Replace slashes so we can use this in filenames
       - name: Set-platform
@@ -86,7 +89,7 @@ jobs:
 
         # upload the digest file as artifact
       - name: Upload digest
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: digests-${{ matrix.docker-image}}-${{ matrix.os }}-${{ env.PLATFORM }}
           path: ${{ runner.temp }}/digests/*

.github/workflows/release-x-manual-docker-containers.yml

@@ -62,7 +62,7 @@ jobs:
           git config --global user.email "${{ env.GIT_EMAIL }}"
 
       - name: Set up Helm
-        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
 
       - name: Configure HELM repos
         run: |-

.github/workflows/release-x-manual-helm-chart.yml

@@ -31,15 +31,17 @@ jobs:
         matrix:
             docker-image: [django, nginx]
             os: [alpine, debian]
-
+            exclude:
+                - docker-image: nginx
+                  os: debian
     steps:
       # deduce docker org name from git repo to make the build also work in forks
     - id: Set-docker-org
       run: echo "DOCKER_ORG=$(echo ${GITHUB_REPOSITORY%%/*} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
 
       # only download digests for this image and this os
     - name: Download digests
-      uses: actions/download-artifact@v5
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         path: ${{ runner.temp }}/digests
         pattern: digests-${{ matrix.docker-image}}-${{ matrix.os }}-*
@@ -52,7 +54,7 @@ jobs:
         password: ${{ secrets.DOCKERHUB_TOKEN }}
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       # the alpine and debian images are tagged with the os name
     - name: Create OS specific manifest list and push
@@ -69,14 +71,14 @@ jobs:
 
       # debian images are the default / official ones, so these get the os-less tag
     - name: Tag Debian with os-less tags
-      if: ${{ matrix.os  == 'debian' }}
+      if: ${{ (matrix.docker-image == 'django' && matrix.os == 'debian') || (matrix.docker-image == 'nginx' && matrix.os == 'alpine') }}
       working-directory: ${{ runner.temp }}/digests
       run: |
         set -x
         docker buildx imagetools create -t "${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}:${{ inputs.release_number }}" ${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}:${{ inputs.release_number }}-${{ matrix.os }}
 
       # just for logging
     - name: Inspect default images
-      if: ${{ matrix.os  == 'debian' }}
+      if: ${{ (matrix.docker-image == 'django' && matrix.os == 'debian') || (matrix.docker-image == 'nginx' && matrix.os == 'alpine') }}
       run: |
           docker buildx imagetools inspect ${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}:${{ inputs.release_number }}

.github/workflows/release-x-manual-merge-container-digests.yml

@@ -43,10 +43,9 @@ jobs:
         password: ${{ secrets.DOCKERHUB_TOKEN }}
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
-      # debian images are the default / official ones, and these were already tagged, so these get the latest tag
-    - name: Tag Debian with latest tags
+    - name: Tag with latest tags
       run: |
         set -x
         docker buildx imagetools create -t "${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}:latest" ${{ env.DOCKER_ORG }}/defectdojo-${{ matrix.docker-image}}:${{ inputs.release_number }}

.github/workflows/release-x-manual-tag-as-latest.yml

@@ -20,7 +20,7 @@ jobs:
   update_release_draft:
     runs-on: ubuntu-latest
     steps:
-      - uses: valentijnscholten/release-drafter@master  # TODO: not maintained anymore - missing part is maybe already solved in the upstream
+      - uses: valentijnscholten/release-drafter@f587de96a420b4b7f767d7eb12817926f18cad69 # master  # TODO: not maintained anymore - missing part is maybe already solved in the upstream
         with:
           version: ${{github.event.inputs.version}}  
           previous-version: ${{github.event.inputs.previous-version}}