Merge branch 'main' into feature/api-key-authorization-tests

Author: dbasunag

.pre-commit-config.yaml

@@ -41,14 +41,6 @@ repos:
       - id: ruff
       - id: ruff-format
 
-  # https://github.com/renovatebot/pre-commit-hooks/issues/2621
-  # This hook goes over the 250MiB limit that pre-commit.ci imposes
-  # Disable unless a solution is found.
-  # - repo: https://github.com/renovatebot/pre-commit-hooks
-  #   rev: 39.45.0
-  #   hooks:
-  #     - id: renovate-config-validator
-
   - repo: https://github.com/gitleaks/gitleaks
     rev: v8.30.1
     hooks:
@@ -62,6 +54,18 @@ repos:
         exclude: ^(docs/|.*test.*\.py$|utilities/manifests/.*|utilities/plugins/tgis_grpc/.*)
 
 
+  - repo: local
+    hooks:
+      - id: check-signoff
+        name: Check Signed-off-by
+        stages: [commit-msg]
+        language: system
+        entry: >
+          bash -c 'grep -q "^Signed-off-by: .* <.*@.*>" "$1" ||
+          { echo "ERROR: Commit message must include a valid Signed-off-by trailer.";
+          echo "  Use: git commit -s";
+          echo "  Or add manually: Signed-off-by: Your Name <your@email.com>"; exit 1; }' --
+
   - repo: https://github.com/espressif/conventional-precommit-linter
     rev: v1.11.0
     hooks:

Dockerfile

@@ -23,8 +23,7 @@ RUN curl -sSL "https://github.com/fullstorydev/grpcurl/releases/download/v1.9.2/
     && mv grpcurl /usr/bin/grpcurl
 
 # Install cosign
-RUN curl -sSL "https://github.com/sigstore/cosign/releases/download/v2.4.2/cosign-linux-amd64" --output /usr/bin/cosign \
-    && chmod +x /usr/bin/cosign
+COPY --from=quay.io/securesign/cli-cosign@sha256:a8289d488491991d454a32784de19476f2c984917eb7a33b4544e55512f2747c /usr/local/bin/cosign /usr/bin/cosign
 
 RUN useradd -ms /bin/bash $USER
 USER $USER

docs/GETTING_STARTED.md

@@ -138,7 +138,7 @@ To run tests with admin client only, pass `--tc=use_unprivileged_client:False` t
 ### jira integration
 
 To skip running tests which have open bugs, [pytest_jira](https://github.com/rhevm-qe-automation/pytest_jira) plugin is used.
-To run tests with jira integration, you need to set `PYTEST_JIRA_URL`, `PYTEST_JIRA_USERNAME` and `PYTEST_JIRA_PASSWORD` environment variables.
+To run tests with jira integration, you need to set `PYTEST_JIRA_URL` and `PYTEST_JIRA_TOKEN` environment variables.
 To make a test with jira marker, add: `@pytest.mark.jira(jira_id="RHOAIENG-0000", run=False)` to the test.
 
 ### Running containerized tests

semgrep.yaml

@@ -810,7 +810,7 @@ rules:
           env:
             TITLE: ${{ github.event.pull_request.title }}
     patterns:
-      - pattern-regex: 'run:\s*(?:[|>][-+]?)?[\s\S]*?\$\{\{\s*github\.(head_ref|event\.(issue|pull_request|discussion|review|review_comment|comment)\.(title|body|head\.ref|head\.label)|event\.head_commit\.message|event\.commits\[\d+\]\.message)\s*\}\}'
+      - pattern-regex: 'run:\s*(?:[|>][-+]?\n(?:[ \t]+[^\n]*\n)*|[^\n]*)\$\{\{\s*github\.(head_ref|event\.(issue|pull_request|discussion|review|review_comment|comment)\.(title|body|head\.ref|head\.label)|event\.head_commit\.message|event\.commits\[\d+\]\.message)\s*\}\}'
     paths:
       include:
         - "**/.github/workflows/*.yml"
@@ -848,7 +848,7 @@ rules:
         - If checkout is needed, use merge commit: refs/pull/${{ github.event.number }}/merge
         - Add persist-credentials: false to limit token scope
     patterns:
-      - pattern-regex: 'pull_request_target[\s\S]*?uses:\s*actions/checkout@[^\n]*\n(\s+\w+:.*\n)*\s+ref:\s*\$\{\{[^\}]*pull_request\.head\.(sha|ref)\s*\}\}'
+      - pattern-regex: 'pull_request_target[\s\S]*?uses:\s*actions/checkout@[^\n]*\n(\s+[\w-]+:.*\n)*\s+ref:\s*\$\{\{[^\}]*pull_request\.head\.(sha|ref)\s*\}\}'
     paths:
       include:
         - "**/.github/workflows/*.yml"
@@ -1066,8 +1066,6 @@ rules:
           $VAR := os.Getenv("...")
       - pattern-not: |
           var $VAR = os.Getenv("...")
-      - pattern-not: |
-          const $VAR = os.Getenv("...")
       - pattern-not: |
           $VAR, $_ := os.LookupEnv("...")
     metadata:
@@ -1869,7 +1867,7 @@ rules:
       Remediation: Always quote variables in file operations:
         rm "$FILE"         # correct
         rm $FILE           # dangerous
-    pattern-regex: '(rm|cp|mv|eval|chmod|chown|kill|pkill)\s+[^|;]*(?<!["''\\])\$[A-Za-z_][A-Za-z0-9_]*'
+    pattern-regex: '(rm|cp|mv|eval|chmod|chown|kill|pkill)\s+[^|;]*(?<!["''\\])\$(?:\{[A-Za-z_][A-Za-z0-9_]*(?:[:\-\+\?=][^}]*)?\}|[A-Za-z_][A-Za-z0-9_]*)'
     metadata:
       cwe: "CWE-78"
       category: "security"

utilities/jira.py

@@ -23,8 +23,8 @@ def get_jira_connection() -> JIRA:
 
     """
     return JIRA(
-        basic_auth=(os.getenv("PYTEST_JIRA_USERNAME"), os.getenv("PYTEST_JIRA_PASSWORD")),
-        options={"server": os.getenv("PYTEST_JIRA_URL")},
+        server=os.getenv("PYTEST_JIRA_URL"),
+        basic_auth=(os.getenv("PYTEST_JIRA_USERNAME"), os.getenv("PYTEST_JIRA_TOKEN")),
     )