Merge branch 'release/v5.3.0'

Author: bolshakov

.github/workflows/ci.yml

@@ -5,6 +5,9 @@ on:
   push:
     branches: [ master ]
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   rubocop:
     name: Standard 👮
@@ -13,10 +16,15 @@ jobs:
       checks: write
       contents: read
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Standard Ruby
-        uses: "standardrb/standard-ruby-action@v1"
+        uses: standardrb/standard-ruby-action@eecb3f730879f5b8830705348c2961e5aa26de78 # v1.5.0
         with:
           autofix: false
 
@@ -37,11 +45,16 @@ jobs:
         ports:
           - 6379:6379
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@bb6434c747fa7022e12fa1cae2a0951fcffcff26 # v1.253.0
         with:
           ruby-version: 3.3.4
           bundler-cache: true
@@ -54,6 +67,9 @@ jobs:
           CUCUMBER_PUBLISH_ENABLED: true
 
   spec:
+    permissions:
+      checks: write  # for coverallsapp/github-action to create new checks
+      contents: read  # for actions/checkout to fetch code
     name: Specs on Ruby ${{ matrix.ruby }} with Redis ${{ matrix.redis }} 💚
     runs-on: ubuntu-latest
     strategy:
@@ -71,11 +87,16 @@ jobs:
         ports:
           - 6379:6379
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@bb6434c747fa7022e12fa1cae2a0951fcffcff26 # v1.253.0
         with:
           ruby-version: ${{ matrix.ruby }}
           bundler-cache: true
@@ -85,17 +106,24 @@ jobs:
         env:
           STOPLIGHT_REDIS_URL: "redis://127.0.0.1:6379/0"
       - name: Coveralls
-        uses: coverallsapp/github-action@v1.1.2
+        uses: coverallsapp/github-action@8cbef1dea373ebce56de0a14c68d6267baa10b44 # v1.1.2
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           flag-name: ruby-${{ matrix.ruby }}
           parallel: true
   finish:
+    permissions:
+      checks: write  # for coverallsapp/github-action to create new checks
     needs: spec
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
       - name: Coveralls Finished
-        uses: coverallsapp/github-action@master
+        uses: coverallsapp/github-action@09b709cf6a16e30b0808ba050c7a6e8a5ef13f8d # master
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           parallel-finished: true

.github/workflows/docker-build.yml

@@ -0,0 +1,69 @@
+name: Release 🚀
+on:
+  release:
+    types: [published]
+
+env:
+  version: ${{ github.event.release.tag_name }}
+  docker_username: ${{ secrets.DOCKER_HUB_USERNAME }}
+  docker_password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
+jobs:
+  gem:
+    name: Ruby Gem 📦
+    runs-on: ubuntu-latest
+    environment: releases
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@bb6434c747fa7022e12fa1cae2a0951fcffcff26 # v1.253.0
+        with:
+          bundler-cache: true
+          ruby-version: ruby
+
+      - name: Release Gem
+        uses: rubygems/release-gem@ebe1ec66bd8d2c709ac29aa2b43438d450e7a0a6 # v1
+
+  docker:
+    name: Docker Image 🐳
+    depends-on: gem
+    runs-on: ubuntu-latest
+    environment: releases
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout Repository
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
+      - name: Checkout release
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        with:
+          ref: refs/tags/${{ env.version }}
+      - name: Login to Docker Hub
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+        with:
+          username: ${{ env.docker_username }}
+          password: ${{ env.docker_password }}
+      - name: Build and push
+        uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
+        with:
+          push: true
+          tags: |
+            bolshakov/stoplight-admin:${{ env.version }}
+            bolshakov/stoplight-admin:latest
+          platforms: linux/amd64, linux/arm64
+          context: .
+          file: Dockerfile

.github/workflows/release.yml

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    stoplight (5.2.0)
+    stoplight (5.3.0)
       zeitwerk
 
 GEM
@@ -112,7 +112,7 @@ GEM
     mustermann (3.0.3)
       ruby2_keywords (~> 0.0.1)
     nio4r (2.7.4)
-    nokogiri (1.18.8)
+    nokogiri (1.18.9)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     parallel (1.27.0)
@@ -162,9 +162,9 @@ GEM
     rdoc (6.14.1)
       erb
       psych (>= 4.0.0)
-    redis (5.4.0)
+    redis (5.4.1)
       redis-client (>= 0.22.0)
-    redis-client (0.24.0)
+    redis-client (0.25.1)
       connection_pool
     regexp_parser (2.10.0)
     reline (0.6.1)
@@ -248,7 +248,7 @@ GEM
     stringio (3.1.7)
     sys-uname (1.3.1)
       ffi (~> 1.1)
-    thor (1.3.2)
+    thor (1.4.0)
     tilt (2.6.0)
     timecop (0.9.10)
     tzinfo (2.0.6)

Gemfile.lock

@@ -6,8 +6,8 @@ You can expect to receive security fixes for the latest minor version only.
 
 | Version | Supported          |
 |---------| ------------------ |
-| 5.2.x   | :white_check_mark: |
-| < 5.2   | :x:                |
+| 5.3.x   | :white_check_mark: |
+| < 5.3   | :x:                |
 
 ## Reporting a Vulnerability
 

SECURITY.md

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Stoplight
-  VERSION = Gem::Version.new("5.2.0")
+  VERSION = Gem::Version.new("5.3.0")
 end