diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml index 7c8e15cca..c75ebaefd 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -4,7 +4,7 @@ # This file is maintained in https://github.com/WeblateOrg/meta/ # and generated from .github/ISSUE_TEMPLATE/snippets there. -name: Bug report +name: Reproducible bug report description: Create a report to help us improve body: - type: markdown diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml index 572680fcb..6ab950156 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.yml +++ b/.github/ISSUE_TEMPLATE/feature_request.yml @@ -27,8 +27,8 @@ body: - type: textarea id: solution attributes: - label: Describe the solution you would like - description: A clear and concise description of what the new feature should do. + label: Solution brainstorm + description: We know you have ideas how to address this, please share it. placeholder: I'd like to get… validations: required: true diff --git a/.github/renovate.json b/.github/renovate.json index cddf14889..21a0a85f8 100644 --- a/.github/renovate.json +++ b/.github/renovate.json 
@@ -1,161 +1,6 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ - "config:recommended", - ":dependencyDashboard", - "helpers:pinGitHubActionDigests", - "replacements:all", - "customManagers:biomeVersions" - ], - "labels": [ - "dependencies" - ], - "rangeStrategy": "widen", - "automerge": true, - "automergeType": "pr", - "automergeStrategy": "rebase", - "platformAutomerge": true, - "git-submodules": { - "enabled": true - }, - "pre-commit": { - "enabled": true - }, - "pip_requirements": { - "fileMatch": [ - "^requirements-.*\\.txt$" - ] - }, - "pep723": { - "fileMatch": [ - "^scripts/.*\\.py$" - ] - }, - "packageRules": [ - { - "matchDatasources": [ - "git-refs" - ], - "automerge": false, - "schedule": "on the first day of the month" - }, - { - "matchDatasources": [ - "helm" - ], - "automerge": false, - "schedule": "on the first day of the month" - }, - { - "matchFileNames": [ - "**/package.json" - ], - "automerge": false - }, - { - "matchPackageNames": [ - "shellcheck-py/shellcheck-py", - "scop/pre-commit-shfmt" - ], - "versioning": "loose" - }, - { - "matchPackageNames": [ - "Django" - ], - "matchDatasources": [ - "pypi" - ], - "separateMinorPatch": true - }, - { - "matchPackageNames": [ - "python" - ], - "matchDatasources": [ - "docker" - ], - "separateMinorPatch": true, - "minor": { - "dependencyDashboardApproval": true - } - } - ], - "customManagers": [ - { - "customType": "regex", - "fileMatch": [ - "\\.pre-commit-config\\.yaml" - ], - "matchStrings": [ - "(?[^'\" ]+)==(?[^'\" ,\\s]+)" - ], - "datasourceTemplate": "pypi", - "versioningTemplate": "pep440" - }, - { - "customType": "regex", - "fileMatch": [ - "\\.pre-commit-config\\.yaml" - ], - "matchStrings": [ - "(?[^'\" ]+)@(?[^'\" ,\\s]+)" - ], - "datasourceTemplate": "npm", - "versioningTemplate": "npm" - }, - { - "customType": "regex", - "fileMatch": [ - "^.*Dockerfile$" - ], - "matchStrings": [ - "ENV WEBLATE_VERSION=(?.*?)\\n" - ], - "depNameTemplate": "Weblate", - 
"datasourceTemplate": "pypi", - "versioningTemplate": "pep440" - }, - { - "customType": "regex", - "fileMatch": [ - "^.*Dockerfile$" - ], - "matchStrings": [ - "ENV UV_VERSION=(?.*?)\\n" - ], - "depNameTemplate": "uv", - "datasourceTemplate": "pypi", - "versioningTemplate": "pep440" - }, - { - "customType": "regex", - "fileMatch": [ - "(^|/)Chart\\.yaml$" - ], - "matchStrings": [ - "renovate: datasource=(?.*?) depName=(?.*?)( versioning=(?.*?))?\\s+appVersion: (?.*)\\s" - ] - }, - { - "customType": "regex", - "fileMatch": [ - "^\\.github/workflows/[^/]+\\.ya?ml$" - ], - "matchStrings": [ - "renovate: datasource=(?.*?) depName=(?.*?)( versioning=(?.*?))?\\s+version: (?.*)\\s" - ] - }, - { - "customType": "regex", - "fileMatch": [ - "^Dockerfile$" - ], - "matchStrings": [ - "#\\s*renovate:\\s*?(repo=(?.*?))?\\s*?(release=(?.*?))?\\s*depName=(?.*?)?\\sENV .*?_VERSION=\"(?.*)\"" - ], - "registryUrlTemplate": "{{#if repo }}{{repo}}{{else}}https://deb.debian.org/debian{{/if}}?{{#if release }}release={{release}}{{else}}suite=stable{{/if}}&components=main&binaryArch=amd64", - "datasourceTemplate": "deb" - } + "github>WeblateOrg/meta:renovate" ] } diff --git a/.github/workflows/bleeding.yml b/.github/workflows/bleeding.yml index 8f3bf035e..53c483f44 100644 --- a/.github/workflows/bleeding.yml +++ b/.github/workflows/bleeding.yml @@ -18,7 +18,9 @@ permissions: jobs: ci: uses: ./.github/workflows/container-ci.yml - secrets: inherit + secrets: + DOCKERHUB_ACCESS_TOKEN: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }} + DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} permissions: security-events: write packages: write diff --git a/.github/workflows/closing.yml b/.github/workflows/closing.yml index 8cbd6dcd9..047bda4f6 100644 --- a/.github/workflows/closing.yml +++ b/.github/workflows/closing.yml 
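Review bot: The replacement preset reference `"github>WeblateOrg/meta:renovate"` carries no ref, so whatever the meta repository's default branch serves is applied on the next Renovate run, which moves the automerge and digest-pinning policy deleted from this file under another repository's write access with no review step here. Renovate accepts a pinned form, `"github>WeblateOrg/meta:renovate#<tag-or-sha>"`, which keeps this repository in control of when policy changes take effect at the cost of bumping the ref; worth adopting if the meta repository has looser write access than this one. The removed rules also included `helpers:pinGitHubActionDigests` and `automerge: false` for `package.json`, helm and git-refs updates; strict JSON allows no comment, so the PR description should state that the shared preset reproduces them.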
@@ -28,11 +28,11 @@ jobs: if: | github.actor != 'renovate[bot]' && github.event.issue.state_reason == 'completed' && - ( + (( contains(github.event.issue.labels.*.name, 'question') && ! contains(github.event.issue.labels.*.name, 'duplicate') && ! contains(github.event.issue.labels.*.name, 'wontfix') - ) || join(github.event.issue.labels.*.name) == '' + ) || join(github.event.issue.labels.*.name) == '') with: token: ${{ secrets.GITHUB_TOKEN }} issue-number: ${{ github.event.issue.number }} diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml index 8458fa075..d5bc04f45 100644 --- a/.github/workflows/container-build.yml +++ b/.github/workflows/container-build.yml @@ -1,4 +1,4 @@ -name: Docker container test +name: Docker container build on: workflow_call: @@ -24,6 +24,8 @@ jobs: MATRIX_ARCHITECTURE: linux/${{ inputs.architecture }} steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: uv cache uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 id: cache @@ -41,10 +43,13 @@ jobs: uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 with: # renovate: datasource=github-releases depName=docker/buildx - version: v0.22.0 + version: v0.23.0 - name: Adjust bleeding edge image if: inputs.variant == 'bleeding' - run: .github/bin/bleeding ${{ inputs.weblate_sha }} ${{ inputs.weblate_date }} + run: .github/bin/bleeding "$WEBLATE_SHA" "$WEBLATE_DATE" + env: + WEBLATE_SHA: ${{ inputs.weblate_sha }} + WEBLATE_DATE: ${{ inputs.weblate_date }} - name: Configure Docker build run: .github/bin/get-buildx-args - name: inject cache into docker diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index f4fe652ba..1a4c2fcda 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml 
@@ -6,6 +6,11 @@ on: variant: required: true type: string + secrets: + DOCKERHUB_ACCESS_TOKEN: + description: Docker Hub access token + DOCKERHUB_USERNAME: + description: Docker Hub username permissions: contents: read @@ -132,26 +137,33 @@ jobs: MATRIX_ARCHITECTURE: linux/amd64 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Expose GitHub Runtime uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0 - name: Set up Docker Buildx uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 with: # renovate: datasource=github-releases depName=docker/buildx - version: v0.22.0 - - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + version: v0.23.0 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: Docker cache amd64 path: /tmp/.buildx-cache/linux/amd64 - name: Adjust bleeding edge image if: inputs.variant == 'bleeding' - run: .github/bin/bleeding ${{needs.revisions.outputs.weblate_sha}} ${{needs.revisions.outputs.weblate_date}} + run: .github/bin/bleeding "$WEBLATE_SHA" "$WEBLATE_DATE" + env: + WEBLATE_SHA: ${{ needs.revisions.outputs.weblate_sha }} + WEBLATE_DATE: ${{ needs.revisions.outputs.weblate_date }} - name: Build the Docker image run: .github/bin/docker-build load - name: List Docker images run: docker image ls --all - name: Checkout the code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Anchore scan action uses: anchore/scan-action@7c05671ae9be166aeb155bad2d7df9121823df32 # v6.1.0 id: scan 
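Review bot: The two new `workflow_call` secrets are declared without `required: true`, so a caller that omits them gets empty strings and the failure only surfaces when the push job runs `docker login` late in the pipeline instead of at dispatch time. Both callers in this commit pass them, so adding `required: true` under each entry (e.g. `DOCKERHUB_ACCESS_TOKEN:` / `  description: Docker Hub access token` / `  required: true`) costs nothing and turns a misconfigured caller into an immediate validation error. If some caller is meant to run only the build and scan jobs without Docker Hub credentials, keep them optional but note in the description that the publish job is the sole consumer.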
@@ -159,7 +171,7 @@ jobs: image: weblate/weblate:test fail-build: false - name: Upload Anchore Scan Report - uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 + uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16 with: sarif_file: ${{ steps.scan.outputs.sarif }} @@ -175,26 +187,33 @@ jobs: MATRIX_ARCHITECTURE: linux/amd64 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Expose GitHub Runtime uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0 - name: Set up Docker Buildx uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 with: # renovate: datasource=github-releases depName=docker/buildx - version: v0.22.0 - - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + version: v0.23.0 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: Docker cache amd64 path: /tmp/.buildx-cache/linux/amd64 - name: Adjust bleeding edge image if: inputs.variant == 'bleeding' - run: .github/bin/bleeding ${{needs.revisions.outputs.weblate_sha}} ${{needs.revisions.outputs.weblate_date}} + run: .github/bin/bleeding "$WEBLATE_SHA" "$WEBLATE_DATE" + env: + WEBLATE_SHA: ${{ needs.revisions.outputs.weblate_sha }} + WEBLATE_DATE: ${{ needs.revisions.outputs.weblate_date }} - name: Build the Docker image run: .github/bin/docker-build load - name: List Docker images run: docker image ls --all - name: Checkout the code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0 with: 
@@ -204,7 +223,7 @@ jobs: severity: CRITICAL,HIGH - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 + uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16 with: sarif_file: trivy-results.sarif - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 @@ -222,6 +241,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 with: @@ -232,18 +253,21 @@ jobs: uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 with: # renovate: datasource=github-releases depName=docker/buildx - version: v0.22.0 - - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + version: v0.23.0 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: Docker cache amd64 path: /tmp/.buildx-cache/linux/amd64 - - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: Docker cache arm64 path: /tmp/.buildx-cache/linux/arm64 - name: Adjust bleeding edge image if: inputs.variant == 'bleeding' - run: .github/bin/bleeding ${{needs.revisions.outputs.weblate_sha}} ${{needs.revisions.outputs.weblate_date}} + run: .github/bin/bleeding "$WEBLATE_SHA" "$WEBLATE_DATE" + env: + WEBLATE_SHA: ${{ needs.revisions.outputs.weblate_sha }} + WEBLATE_DATE: ${{ needs.revisions.outputs.weblate_date }} - name: Configure Docker build run: .github/bin/get-buildx-args - name: Merge the Docker images 
@@ -286,6 +310,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 with: @@ -296,12 +322,12 @@ jobs: uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 with: # renovate: datasource=github-releases depName=docker/buildx - version: v0.22.0 - - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + version: v0.23.0 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: Docker cache amd64 path: /tmp/.buildx-cache/linux/amd64 - - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: Docker cache arm64 path: /tmp/.buildx-cache/linux/arm64 @@ -309,11 +335,18 @@ jobs: run: echo "${{ secrets.DOCKERHUB_ACCESS_TOKEN }}" | docker login --username "${{ secrets.DOCKERHUB_USERNAME }}" --password-stdin - name: Adjust bleeding edge image if: inputs.variant == 'bleeding' - run: .github/bin/bleeding ${{needs.revisions.outputs.weblate_sha}} ${{needs.revisions.outputs.weblate_date}} + run: .github/bin/bleeding "$WEBLATE_SHA" "$WEBLATE_DATE" + env: + WEBLATE_SHA: ${{ needs.revisions.outputs.weblate_sha }} + WEBLATE_DATE: ${{ needs.revisions.outputs.weblate_date }} - name: Configure Docker build - run: .github/bin/get-buildx-args publish-${{ inputs.variant }} + run: .github/bin/get-buildx-args "publish-$WEBLATE_VARIANT" + env: + WEBLATE_VARIANT: ${{ inputs.variant }} - name: Publish the Docker images - run: .github/bin/docker-build publish-${{ inputs.variant }} + run: .github/bin/docker-build "publish-$WEBLATE_VARIANT" + env: + WEBLATE_VARIANT: ${{ inputs.variant }} push_github: runs-on: ubuntu-24.04 
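Review bot: The unchanged `docker login` step in this hunk still expands `${{ secrets.DOCKERHUB_ACCESS_TOKEN }}` and `${{ secrets.DOCKERHUB_USERNAME }}` directly into the shell command, the pattern the rest of this commit replaces with `env:` variables for the bleeding and variant arguments. Secrets are not attacker-controlled and are masked in logs, so this is a consistency gap rather than an injection, but a username containing shell metacharacters would still be re-parsed, and one convention for the whole file is easier to lint. Alternatively use the same login action the `push_github` job appears to use for ghcr.io (its `password: ${{ secrets.GITHUB_TOKEN }}` input is visible in the next hunk); the env-based form is shown below.
```yaml
        # … unchanged: step name above …
        run: echo "$DOCKERHUB_ACCESS_TOKEN" | docker login --username "$DOCKERHUB_USERNAME" --password-stdin
        env:
          DOCKERHUB_ACCESS_TOKEN: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
        # … unchanged: "Adjust bleeding edge image", "Configure Docker build" and publish steps …
```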
@@ -331,6 +364,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 with: @@ -341,12 +376,12 @@ jobs: uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 with: # renovate: datasource=github-releases depName=docker/buildx - version: v0.22.0 - - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + version: v0.23.0 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: Docker cache amd64 path: /tmp/.buildx-cache/linux/amd64 - - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: Docker cache arm64 path: /tmp/.buildx-cache/linux/arm64 @@ -359,8 +394,15 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Adjust bleeding edge image if: inputs.variant == 'bleeding' - run: .github/bin/bleeding ${{needs.revisions.outputs.weblate_sha}} ${{needs.revisions.outputs.weblate_date}} + run: .github/bin/bleeding "$WEBLATE_SHA" "$WEBLATE_DATE" + env: + WEBLATE_SHA: ${{ needs.revisions.outputs.weblate_sha }} + WEBLATE_DATE: ${{ needs.revisions.outputs.weblate_date }} - name: Configure Docker build - run: .github/bin/get-buildx-args publish-${{ inputs.variant }} + run: .github/bin/get-buildx-args "publish-$WEBLATE_VARIANT" + env: + WEBLATE_VARIANT: ${{ inputs.variant }} - name: Publish the Docker images - run: .github/bin/docker-build publish-${{ inputs.variant }} + run: .github/bin/docker-build "publish-$WEBLATE_VARIANT" + env: + WEBLATE_VARIANT: ${{ inputs.variant }} diff --git a/.github/workflows/container-test.yml b/.github/workflows/container-test.yml index 4807037a1..aec07124f 100644 --- a/.github/workflows/container-test.yml 
+++ b/.github/workflows/container-test.yml @@ -35,20 +35,24 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: recursive + persist-credentials: false - name: Expose GitHub Runtime uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0 - name: Set up Docker Buildx uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 with: # renovate: datasource=github-releases depName=docker/buildx - version: v0.22.0 - - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + version: v0.23.0 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: Docker cache amd64 path: /tmp/.buildx-cache/linux/amd64 - name: Adjust bleeding edge image if: inputs.variant == 'bleeding' - run: .github/bin/bleeding ${{inputs.weblate_sha}} ${{inputs.weblate_date}} + run: .github/bin/bleeding "$WEBLATE_SHA" "$WEBLATE_DATE" + env: + WEBLATE_SHA: ${{ inputs.weblate_sha }} + WEBLATE_DATE: ${{ inputs.weblate_date }} - name: Build the Docker image run: .github/bin/docker-build load - name: List Docker images @@ -57,7 +61,11 @@ jobs: run: ./docker-compose/test-content - name: Generate configuration working-directory: docker-compose - run: ./test-generate ${{ inputs.port || 8080 }} ${{ inputs.protocol || 'http' }} ${{ inputs.test }} + run: ./test-generate "$WEBLATE_PORT" "$WEBLATE_PROTOCOL" "$WEBLATE_TEST" + env: + WEBLATE_PORT: ${{ inputs.port || 8080 }} + WEBLATE_PROTOCOL: ${{ inputs.protocol || 'http' }} + WEBLATE_TEST: ${{ inputs.test }} - name: Generate SSL certificate if: inputs.protocol == 'https' working-directory: docker-compose 
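Review bot: Moving `inputs.test` into `"$WEBLATE_TEST"` changes the argument count when the input is empty: the old `${{ inputs.test }}` expansion contributed no argument at all, while the quoted variable now passes an empty third positional to `./test-generate`. If `test-generate` (or `test-saml` in the later hunk) distinguishes unset from empty via `$#` or `${3-default}`, behaviour changes; if it tests `-n "$3"` it does not, and the hunk does not show which. Either confirm the script's handling or preserve the old arity with `run: ./test-generate "$WEBLATE_PORT" "$WEBLATE_PROTOCOL" ${WEBLATE_TEST:+"$WEBLATE_TEST"}`, where the unquoted `${var:+…}` expands to nothing when the variable is empty. A one-line comment on the step noting that `test` is optional would make the intent explicit.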
@@ -96,7 +104,9 @@ jobs: run: ./test-admin - name: Verify SAML certificate working-directory: docker-compose - run: ./test-saml ${{ inputs.test }} + run: ./test-saml "$WEBLATE_TEST" + env: + WEBLATE_TEST: ${{ inputs.test }} - name: Test commands working-directory: docker-compose run: ./test-commands diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml index 8c2387c00..eaf8f49cd 100644 --- a/.github/workflows/dockerimage.yml +++ b/.github/workflows/dockerimage.yml @@ -18,7 +18,9 @@ permissions: jobs: ci: uses: ./.github/workflows/container-ci.yml - secrets: inherit + secrets: + DOCKERHUB_ACCESS_TOKEN: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }} + DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} permissions: security-events: write packages: write diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml index 22131fb36..9ab1263fa 100644 --- a/.github/workflows/hadolint.yml +++ b/.github/workflows/hadolint.yml @@ -23,4 +23,6 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 diff --git a/.github/workflows/label-sync.yml b/.github/workflows/label-sync.yml index d81d755df..9ed6649a7 100644 --- a/.github/workflows/label-sync.yml +++ b/.github/workflows/label-sync.yml @@ -22,6 +22,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: srealmoreno/label-sync-action@850ba5cef2b25e56c6c420c4feed0319294682fd # v2.0.0 with: clean-labels: true diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 8f6fd9402..473cc8d09 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml 
@@ -21,15 +21,17 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 with: path: ~/.cache/pre-commit key: ${{ runner.os }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }} - name: Setup Python - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.13' - - uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1 + - uses: astral-sh/setup-uv@c7f87aa956e4c323abf06d5dec078e358f6b4d04 # v6.0.0 - name: detect method id: detect run: | diff --git a/.github/workflows/pull_requests.yaml b/.github/workflows/pull_requests.yaml index 313954c10..3cc569522 100644 --- a/.github/workflows/pull_requests.yaml +++ b/.github/workflows/pull_requests.yaml @@ -6,7 +6,7 @@ name: Pull request automation -on: +on: # zizmor: ignore[dangerous-triggers] pull_request_target: types: opened @@ -23,6 +23,8 @@ jobs: if: github.actor == 'weblate' steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Enable Pull Request Automerge run: gh pr merge --rebase --auto "${{ github.event.pull_request.number }}" env: diff --git a/.github/workflows/readme-sync.yml b/.github/workflows/readme-sync.yml index 887e60a32..7d0fd1b32 100644 --- a/.github/workflows/readme-sync.yml +++ b/.github/workflows/readme-sync.yml @@ -17,6 +17,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Docker Hub Description uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4.0.2 with: diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 8b9df5030..4c923e5c3 100644 --- a/.github/workflows/semgrep.yml 
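Review bot: The new `# zizmor: ignore[dangerous-triggers]` marker suppresses the finding without recording why `pull_request_target` is acceptable here, so whoever audits the suppression has to reconstruct it from the `if: github.actor == 'weblate'` gate further down. Extend the comment with the justification, e.g. `on: # zizmor: ignore[dangerous-triggers] -- only acts on PRs opened by the weblate account; checkout stays on the base ref and no PR-supplied code is run`, adjusting the wording if the job does more than the hunk shows. The `gh pr merge ... "${{ github.event.pull_request.number }}"` line interpolates a number and is not an injection vector, but for consistency with the `env:` pattern adopted across this commit it could become `run: gh pr merge --rebase --auto "$PR_NUMBER"` with `PR_NUMBER: ${{ github.event.pull_request.number }}` added under the existing `env:` key. If `gh pr merge` is all the job does, the `actions/checkout` step is not needed at all; the rest of the job is outside the hunk, so confirm before removing it.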
+++ b/.github/workflows/semgrep.yml
@@ -18,9 +18,11 @@ jobs:
 env:
 SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
 container:
- image: returntocorp/semgrep
+ image: returntocorp/semgrep@sha256:f552de9f1ad268552aaea0487a9c1694eb08071b01ff3e51fbdb02420ce828a6
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - run: semgrep ci
 permissions:
 contents: read
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 90cd483ca..26dc706f9 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -55,5 +55,9 @@ repos:
 rev: 1.19.1
 hooks:
 - id: blacken-docs
+- repo: https://github.com/woodruffw/zizmor-pre-commit
+ rev: v1.6.0
+ hooks:
+ - id: zizmor
 ci:
 autoupdate_schedule: quarterly
diff --git a/Dockerfile b/Dockerfile
index 5b516765b..77a2cab3e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,8 +1,8 @@
-FROM weblate/dev:2025.16.2 AS build
+FROM weblate/dev:2025.17.0@sha256:5ea9704f39e9e3551ec14818186b55983a440104a555eee276c942172bf52491 AS build
 ARG TARGETARCH
-ENV WEBLATE_VERSION=5.11
+ENV WEBLATE_VERSION=5.11.1
 ENV WEBLATE_EXTRAS=all,MySQL,zxcvbn
 SHELL ["/bin/bash", "-o", "pipefail", "-x", "-c"]
@@ -44,9 +44,9 @@ RUN --mount=type=cache,target=/.uv-cache,sharing=locked \
 && ln -s /app/venv/share/weblate/examples/ /app/
-FROM weblate/base:2025.16.1 AS final
+FROM weblate/base:2025.17.0@sha256:6be4634dccb3ca57d94997c4564c13313973c439902118930bf5a9ccf4a196ef AS final
-ENV WEBLATE_VERSION=5.11
+ENV WEBLATE_VERSION=5.11.1
 LABEL name="Weblate"
 LABEL version=$WEBLATE_VERSION
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
index c8b272871..d41aa1f49 100644
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@@ -36,7 +36,7 @@ http {
 # SSL Settings
 ##
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
 ##
diff --git a/health_check b/health_check
index 7639a4f06..25586fd76 100755
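Review bot: The new image reference `returntocorp/semgrep@sha256:…` pins by digest alone and drops the tag, so the version being run is no longer readable from the file and digest-update tooling has no tag to resolve newer builds against. Use the tag-plus-digest form the Dockerfile hunk in this same commit uses, i.e. `image: returntocorp/semgrep:<version>@sha256:f552de9f…`, which keeps the immutability of the digest while giving Renovate something to bump. If the image is now published under the `semgrep/semgrep` name rather than the legacy `returntocorp` namespace, check that at the same time, since a retired repository stops receiving the digest updates the pin is meant to track.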
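Review bot: With only `ssl_protocols TLSv1.2 TLSv1.3;` changed and `ssl_prefer_server_ciphers on;` kept, the TLS 1.2 suite list is whatever `ssl_ciphers` sets elsewhere in the file or, if nothing does, the OpenSSL default, which can still include non-forward-secret and CBC suites; `ssl_prefer_server_ciphers` only does useful work once a curated list exists. If no `ssl_ciphers` directive exists elsewhere in the file (the hunk does not show one), add an ECDHE-only AEAD list next to this line, and consider `ssl_prefer_server_ciphers off;`, which the widely used Mozilla "intermediate" profile chooses for modern suites. Removing TLS 1.0/1.1 is also a visible behaviour change for old clients hitting the container's 4443 listener and belongs in the release notes.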
--- a/health_check
+++ b/health_check
@@ -1,8 +1,17 @@
 #!/bin/sh
-set -e
-if [ -f /app/data/ssl/privkey.pem ]; then
- curl --max-time 30 --cacert /app/data/ssl/fullchain.pem https://localhost:4443/healthz/ || exit 1
-else
- curl --max-time 30 http://localhost:8080/healthz/ || exit 1
+# Web health check if web is started in this container
+if [ -f /run/supervisor.conf.d/web.conf ]; then
+ if [ -f /app/data/ssl/privkey.pem ]; then
+ curl --silent --max-time 30 --cacert /app/data/ssl/fullchain.pem https://localhost:4443/healthz/ > /dev/null || exit 1
+ else
+ curl --silent --max-time 30 http://localhost:8080/healthz/ > /dev/null || exit 1
+ fi
+fi
+
+# Supervisor based health check
+failing="$(supervisorctl status | grep -v '^check *EXITED' | grep -v RUNNING)"
+if [ -n "$failing" ]; then
+ echo "$failing"
+ exit 1
 fi
diff --git a/requirements.txt b/requirements.txt
index b729e67cb..23411621e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,17 +2,18 @@ aeidon==1.15
 ahocorasick-rs==0.22.2
 aliyun-python-sdk-alimt==3.2.0
 argon2-cffi==23.1.0
-borgbackup==1.4.0
-boto3==1.37.34
+borgbackup==1.4.1
+boto3==1.38.2
 celery==5.5.1
 certifi>=2023.7.22 # not directly required, pinned by Snyk to avoid a vulnerability
 # For Argon2 and misaka
 cffi==1.17.1
 # For Azure Tenant auth
 cryptography==44.0.2
-Django==5.1.8
+Django==5.2
 django-appconf==1.1.0
 django-auth-ldap==5.1.0
+django-celery-beat==2.8.0
 django-cors-headers==4.7.0
 django-crispy-forms==2.4
 django-otp==1.6.0
@@ -21,7 +22,7 @@ django-redis==5.4.0
 django_compressor==4.5.1
 djangorestframework==3.16.0
 # Alernative Celery pool implementation
-gevent==24.11.1
+gevent==25.4.2
 git-review==2.4.0
 google-cloud-translate==3.20.2
 gunicorn==23.0.0
@@ -29,11 +30,11 @@ hiredis==3.1.0
 html2text==2025.4.15
 httpretty==1.1.4
 iniparse==0.5
-lxml==5.3.2
+lxml==5.4.0
 mercurial==7.0.1
 mistletoe==1.4.0
 nh3==0.2.21
-openai==1.74.0
+openai==1.76.0
 openpyxl==3.1.5
 phply==1.2.6
 Pillow==11.2.1
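Review bot: Both rewritten `curl` lines still lack `--fail`, so an HTTP 5xx from `/healthz/` exits 0 and the container is reported healthy; change them to `curl --silent --fail --max-time 30 … > /dev/null || exit 1`. The supervisor check trusts grep output alone: with `set -e` gone, a `supervisorctl` invocation that fails before printing a status table (binary missing, or an error written to stderr) leaves `$failing` empty and the script exits 0, which `supervisorctl status 2>&1` in the pipeline would surface; the command's own exit status is not usable here because it is non-zero whenever any program is not RUNNING. `grep -v RUNNING` also counts STARTING and BACKOFF as failures, presumably intended, but worth a comment such as `# anything not RUNNING (except the one-shot check program) is unhealthy`.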
@@ -52,12 +53,12 @@ redis==5.2.1 requests>=2.31.0 # not directly required, pinned by Snyk to avoid a vulnerability rollbar==1.3.0 ruamel.yaml==0.18.10 -sentry-sdk==2.26.1 +sentry-sdk==2.27.0 siphashc==2.5 social-auth-app-django==5.4.3 -social-auth-core==4.5.6 +social-auth-core==4.6.0 tesserocr==2.8.0 -translate-toolkit==3.15.1 +translate-toolkit==3.15.2 translation-finder==2.19 urllib3==2.4.0 weblate-fedora-messaging==0.11