Merge pull request #12386 from DefectDojo/release/2.46.0

Release: Merge release into master from: release/2.46.0

Author: rossops

.github/workflows/build-docker-images-for-testing.yml

@@ -51,7 +51,7 @@ jobs:
 
       - name: Build
         id: docker_build
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
         timeout-minutes: 15
         env:
           DOCKER_BUILD_CHECKS_ANNOTATIONS: false

.github/workflows/gh-pages.yml

@@ -19,9 +19,9 @@ jobs:
           extended: true
 
       - name: Setup Node
-        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
-          node-version: '22.14.0'
+          node-version: '22.15.0'
 
       - name: Cache dependencies
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
@@ -52,6 +52,7 @@ jobs:
 
       - name: Deploy
         uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
+        if: github.repository == 'DefectDojo/django-DefectDojo' # Deploy docs only in core repo, not in forks - it would just fail in fork
         with: # publishes to the `gh-pages` branch by default
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./docs/public

.github/workflows/integration-tests.yml

@@ -45,7 +45,7 @@ jobs:
 
       # load docker images from build jobs
       - name: Load images from artifacts
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           path: built-docker-image
           pattern: built-docker-image-*

.github/workflows/k8s-tests.yml

@@ -35,7 +35,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup Minikube
-        uses: manusa/actions-setup-minikube@5d9440a1b535e8b4f541eaac559681a9022df29d # v2.13.1
+        uses: manusa/actions-setup-minikube@b589f2d61bf96695c546929c72b38563e856059d # v2.14.0
         with:
           minikube version: 'v1.33.1'
           kubernetes version: ${{ matrix.k8s }}
@@ -48,7 +48,7 @@ jobs:
           minikube status
 
       - name: Load images from artifacts
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           path: built-docker-image
           pattern: built-docker-image-*

.github/workflows/plantuml.yml

@@ -33,7 +33,7 @@ jobs:
         with:
           args: -v -tpng ${{ steps.getfile.outputs.files }}
       - name: Push Local Changes
-        uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
+        uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
         with:
           commit_user_name: "PlantUML_bot"
           commit_user_email: "[email protected]"

.github/workflows/release-1-create-pr.yml

@@ -9,8 +9,13 @@ on:
       # the actual branch that can be chosen on the UI is made irrelevant by further steps
       # because someone will forget one day to change it.
       from_branch:
-        description: "Select branch to release from ('release/x.y.z'. If `dev` is entered, a new release branch will be created from `dev`)"
+        description: "Select branch to release from. Dev branch releases happen the first monday of the month. Otherwise, use bugfix."
         required: true
+        type: choice
+        default: 'bugfix'
+        options:
+          - bugfix
+          - dev
       release_number:
         description: "Release version (x.y.z format)"
         required: true
@@ -19,31 +24,37 @@ jobs:
   create_pr:
     runs-on: ubuntu-latest
     steps:
+      - name: Validate proper bugfix branch release_number format is being used
+        if: ${{ inputs.from_branch == 'bugfix' }}
+        run: |
+          # Expect the last octet in release_number to not be 0
+          echo "${{ inputs.release_number }}" | grep "^[0-9]*\.[0-9]*\.[1-9]$"
+
+      - name: Validate proper dev branch release_number format is being used
+        if: ${{ inputs.from_branch == 'dev' }}
+        run: |
+          # Expect the last octet in release_number to not be 1-9
+          echo "${{ inputs.release_number }}" | grep "^[0-9]*\.[0-9]*\.0$"
+
       - id: Set-GitHub-org
         run: echo "GITHUB_ORG=${GITHUB_REPOSITORY%%/*}" >> $GITHUB_ENV
 
       - name: Checkout from_branch branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: ${{ github.event.inputs.from_branch }}
+          ref: ${{ inputs.from_branch }}
 
       - name: Create release branch
-        if: ${{ !startsWith(github.event.inputs.from_branch, 'release/') }}
-        run: |
-          echo "NEW_BRANCH=release/${{ github.event.inputs.release_number }}" >> $GITHUB_ENV
-
-      - name: Use existing release branch
-        if: startsWith(github.event.inputs.from_branch, 'release/')
         run: |
-          echo "NEW_BRANCH=${{ github.event.inputs.from_branch }}" >> $GITHUB_ENV
+          echo "NEW_BRANCH=release/${{ inputs.release_number }}" >> $GITHUB_ENV
 
       - name: Configure git
         run: |
           git config --global user.name "${{ env.GIT_USERNAME }}"
           git config --global user.email "${{ env.GIT_EMAIL }}"
 
       - name: Push branch
-        if: "!startsWith('${{ github.event.inputs.from_branch }}', 'release/')"
+        if: "!startsWith('${{ inputs.from_branch }}', 'release/')"
         run: git push origin HEAD:${NEW_BRANCH}
 
       - name: Checkout release branch
@@ -53,9 +64,9 @@ jobs:
 
       - name: Update version numbers in key files
         run: |
-          sed -ri 's/__version__ = ".*"/__version__ = "${{ github.event.inputs.release_number }}"/' dojo/__init__.py
-          sed -ri 's/"version": ".*"/"version": "${{ github.event.inputs.release_number }}"/' components/package.json
-          sed -ri 's/appVersion: ".*"/appVersion: "${{ github.event.inputs.release_number }}"/' helm/defectdojo/Chart.yaml
+          sed -ri 's/__version__ = ".*"/__version__ = "${{ inputs.release_number }}"/' dojo/__init__.py
+          sed -ri 's/"version": ".*"/"version": "${{ inputs.release_number }}"/' components/package.json
+          sed -ri 's/appVersion: ".*"/appVersion: "${{ inputs.release_number }}"/' helm/defectdojo/Chart.yaml
 
           if grep "\-dev" helm/defectdojo/Chart.yaml; then
               echo "x.y.z-dev found in Chart.yaml, probably releasing a new minor version"
@@ -77,7 +88,7 @@ jobs:
           grep -H version helm/defectdojo/Chart.yaml
 
       - name: Push version changes
-        uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
+        uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
         with:
           commit_user_name: "${{ env.GIT_USERNAME }}"
           commit_user_email: "${{ env.GIT_EMAIL }}"

.github/workflows/release-2-tag-docker-push.yml

@@ -10,6 +10,7 @@ on:
       # the actual branch that can be chosen on the UI is made irrelevant by further steps
       # because someone will forget one day to change it.
       release_number:
+        type: string
         description: 'Release version (x.y.z format)'
         required: true
 
@@ -27,41 +28,51 @@ jobs:
           git config --global user.name "${{ env.GIT_USERNAME }}"
           git config --global user.email "${{ env.GIT_EMAIL }}"
 
-      - name: Create new tag ${{ github.event.inputs.release_number }}
+      - name: Create new tag ${{ inputs.release_number }}
         # at this point, the PR from the 1st workflow is merged into master.
         run: |
-          git tag -a ${{ github.event.inputs.release_number }} -m "[bot] release ${{ github.event.inputs.release_number }}"
-          git push origin ${{ github.event.inputs.release_number }}
-
-  release-helm-chart:
-    needs: tag
-    uses: ./.github/workflows/release-x-manual-helm-chart.yml
-    with:
-      release_number: ${{ github.event.inputs.release_number }}
-    secrets: inherit
+          git tag -a ${{ inputs.release_number }} -m "[bot] release ${{ inputs.release_number }}"
+          git push origin ${{ inputs.release_number }}
 
   publish-docker-containers:
+    needs: tag
     strategy:
-        matrix:
+      matrix:
           platform: ['linux/amd64', 'linux/arm64']
-        fail-fast: false
-    needs: tag
+      fail-fast: false
     uses: ./.github/workflows/release-x-manual-docker-containers.yml
     with:
-      release_number: ${{ github.event.inputs.release_number }}
+      release_number: ${{ inputs.release_number }}
       platform: ${{ matrix.platform }}
     secrets: inherit
 
   publish-container-digests:
     needs: publish-docker-containers
     uses: ./.github/workflows/release-x-manual-merge-container-digests.yml
     with:
-        release_number: ${{ github.event.inputs.release_number }}
+      release_number: ${{ inputs.release_number }}
+    secrets: inherit
+
+  # for releases we need to tag the images with the latest tag
+  # this could be parametrized in the merge-container-digests workflow
+  # but it's simpler to just add a explicit workflow for this here
+  tag-as-latest:
+    needs: publish-container-digests
+    uses: ./.github/workflows/release-x-manual-tag-as-latest.yml
+    with:
+      release_number: ${{ inputs.release_number }}
+    secrets: inherit
+
+  release-helm-chart:
+    needs: publish-container-digests
+    uses: ./.github/workflows/release-x-manual-helm-chart.yml
+    with:
+      release_number: ${{ inputs.release_number }}
     secrets: inherit
 
   release-drafter:
     needs: publish-container-digests
     uses: ./.github/workflows/release-drafter.yml
     with:
-      version: ${{ github.event.inputs.release_number }}
+      version: ${{ inputs.release_number }}
     secrets: inherit

.github/workflows/release-3-master-into-dev.yml

@@ -29,7 +29,7 @@ jobs:
 
       - name: Create merge back branch
         run: |
-          echo "NEW_BRANCH=master-into-dev/${{ github.event.inputs.release_number_new }}-${{ github.event.inputs.release_number_dev }}" >> $GITHUB_ENV
+          echo "NEW_BRANCH=master-into-dev/${{ inputs.release_number_new }}-${{ inputs.release_number_dev }}" >> $GITHUB_ENV
 
       - name: Configure git
         run: |
@@ -46,9 +46,9 @@ jobs:
 
       - name: Update version numbers in key files
         run: |
-          sed -ri 's/__version__ = ".*"/__version__ = "${{ github.event.inputs.release_number_dev }}"/' dojo/__init__.py
-          sed -ri 's/"version": ".*"/"version": "${{ github.event.inputs.release_number_dev }}"/' components/package.json
-          sed -ri 's/appVersion: ".*"/appVersion: "${{ github.event.inputs.release_number_dev }}"/' helm/defectdojo/Chart.yaml
+          sed -ri 's/__version__ = ".*"/__version__ = "${{ inputs.release_number_dev }}"/' dojo/__init__.py
+          sed -ri 's/"version": ".*"/"version": "${{ inputs.release_number_dev }}"/' components/package.json
+          sed -ri 's/appVersion: ".*"/appVersion: "${{ inputs.release_number_dev }}"/' helm/defectdojo/Chart.yaml
           CURRENT_CHART_VERSION=$(grep -oP 'version: (\K\S*)?' helm/defectdojo/Chart.yaml | head -1)
           sed -ri "0,/version/s/version: \S+/$(echo "version: $CURRENT_CHART_VERSION" | awk -F. -v OFS=. 'NF==1{print ++$NF}; NF>1{$NF=sprintf("%0*d", length($NF), ($NF+1)); print}')-dev/" helm/defectdojo/Chart.yaml
 
@@ -60,8 +60,8 @@ jobs:
 
       - name: Create upgrade notes to documentation
         run: |
-          minorv=$(echo ${{ github.event.inputs.release_number_dev }} | cut -d '.' -f -2)
-          patchv=$(echo ${{ github.event.inputs.release_number_dev }} | cut -d '-' -f -1)
+          minorv=$(echo ${{ inputs.release_number_dev }} | cut -d '.' -f -2)
+          patchv=$(echo ${{ inputs.release_number_dev }} | cut -d '-' -f -1)
           weight=$(date +%Y%m%d)
           echo -n "---
           title: 'Upgrading to DefectDojo Version $minorv.x'
@@ -72,10 +72,10 @@ jobs:
           There are no special instructions for upgrading to $minorv.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/$patchv) for the contents of the release.
           " > docs/content/en/open_source/upgrading/$minorv.md
           git add docs/content/en/open_source/upgrading/$minorv.md
-        if: endsWith(github.event.inputs.release_number_new, '.0') && endsWith(github.event.inputs.release_number_dev, '.0-dev')
+        if: endsWith(inputs.release_number_new, '.0') && endsWith(inputs.release_number_dev, '.0-dev')
 
       - name: Push version changes
-        uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
+        uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
         with:
           commit_user_name: "${{ env.GIT_USERNAME }}"
           commit_user_email: "${{ env.GIT_EMAIL }}"
@@ -91,7 +91,7 @@ jobs:
             github.rest.pulls.create({
               owner: '${{ env.GITHUB_ORG }}',
               repo: 'django-DefectDojo',
-              title: 'Release: Merge back ${{ github.event.inputs.release_number_new }} into dev from: ${{ env.NEW_BRANCH }}',
+              title: 'Release: Merge back ${{ inputs.release_number_new }} into dev from: ${{ env.NEW_BRANCH }}',
               body: `Release triggered by \`${ process.env.GITHUB_ACTOR }\``,
               head: '${{ env.NEW_BRANCH }}',
               base: 'dev'
@@ -110,7 +110,7 @@ jobs:
 
       - name: Create merge back branch
         run: |
-          echo "NEW_BRANCH=master-into-bugfix/${{ github.event.inputs.release_number_new }}-${{ github.event.inputs.release_number_dev }}" >> $GITHUB_ENV
+          echo "NEW_BRANCH=master-into-bugfix/${{ inputs.release_number_new }}-${{ inputs.release_number_dev }}" >> $GITHUB_ENV
 
       - name: Configure git
         run: |
@@ -127,9 +127,9 @@ jobs:
 
       - name: Update version numbers in key files
         run: |
-          sed -ri "s/__version__ = '.*'/__version__ = '${{ github.event.inputs.release_number_dev }}'/" dojo/__init__.py
-          sed -ri "s/appVersion: \".*\"/appVersion: \"${{ github.event.inputs.release_number_dev }}\"/" helm/defectdojo/Chart.yaml
-          sed -ri "s/\"version\": \".*\"/\"version\": \"${{ github.event.inputs.release_number_dev }}\"/" components/package.json
+          sed -ri "s/__version__ = '.*'/__version__ = '${{ inputs.release_number_dev }}'/" dojo/__init__.py
+          sed -ri "s/appVersion: \".*\"/appVersion: \"${{ inputs.release_number_dev }}\"/" helm/defectdojo/Chart.yaml
+          sed -ri "s/\"version\": \".*\"/\"version\": \"${{ inputs.release_number_dev }}\"/" components/package.json
           CURRENT_CHART_VERSION=$(grep -oP 'version: (\K\S*)?' helm/defectdojo/Chart.yaml | head -1)
           sed -ri "0,/version/s/version: \S+/$(echo "version: $CURRENT_CHART_VERSION" | awk -F. -v OFS=. 'NF==1{print ++$NF}; NF>1{$NF=sprintf("%0*d", length($NF), ($NF+1)); print}')-dev/" helm/defectdojo/Chart.yaml
 
@@ -140,7 +140,7 @@ jobs:
           grep version components/package.json
 
       - name: Push version changes
-        uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
+        uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
         with:
           commit_user_name: "${{ env.GIT_USERNAME }}"
           commit_user_email: "${{ env.GIT_EMAIL }}"
@@ -156,7 +156,7 @@ jobs:
             github.rest.pulls.create({
               owner: '${{ env.GITHUB_ORG }}',
               repo: 'django-DefectDojo',
-              title: 'Release: Merge back ${{ github.event.inputs.release_number_new }} into bugfix from: ${{ env.NEW_BRANCH }}',
+              title: 'Release: Merge back ${{ inputs.release_number_new }} into bugfix from: ${{ env.NEW_BRANCH }}',
               body: `Release triggered by \`${ process.env.GITHUB_ACTOR }\``,
               head: '${{ env.NEW_BRANCH }}',
               base: 'bugfix'

.github/workflows/release-drafter.yml

@@ -29,25 +29,25 @@ jobs:
         id: create_release
         uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
         with:
-          version: ${{ github.event.inputs.version }}  
+          version: ${{ inputs.version }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   # Generate the OAS schemas in another workflow
   oas-fetch:
     needs: update_release_draft
     uses: ./.github/workflows/fetch-oas.yml
     with:
-      version: ${{ github.event.inputs.version }} 
+      version: ${{ inputs.version }}
     secrets: inherit
   # Upload the OAS schemas to the release object
   add-oas-to-release:
-    needs: 
+    needs:
       - update_release_draft
       - oas-fetch
     runs-on: ubuntu-latest
     steps:
       - name: Load OAS files from artifacts
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           pattern: oas-*
 
@@ -73,4 +73,4 @@ jobs:
           asset_name: oas.json
           asset_content_type: application/json
 
-    
+

.github/workflows/release-nightly-dev.yml

@@ -0,0 +1,20 @@
+name: "Release-Nightly: Build & Push DEV"
+
+env:
+  GIT_USERNAME: "DefectDojo release bot"
+  GIT_EMAIL: "[email protected]"
+
+on:
+  schedule:
+    # every day at 5:00 UTC
+    # in this case inputs are all null/empty, hence the default values are used below
+    - cron: "* 5 * * *"
+  workflow_dispatch:
+
+jobs:
+  nightly-build-dev:
+    uses: ./.github/workflows/release-x-nightly.yml
+    with:
+        branch-to-build: 'dev'
+        tag-to-apply: 'nightly-dev'
+    secrets: inherit