Commit Graph

51 Commits

Author SHA1 Message Date
dependabot[bot] 66c22f4636 Bump the github-actions group with 4 updates
Bumps the github-actions group with 4 updates: [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action), [docker/login-action](https://github.com/docker/login-action), [docker/metadata-action](https://github.com/docker/metadata-action) and [docker/build-push-action](https://github.com/docker/build-push-action).


Updates `docker/setup-buildx-action` from 3.12.0 to 4.0.0
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/8d2750c68a42422c14e847fe6c8ac0403b4cbd6f...4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd)

Updates `docker/login-action` from 3.7.0 to 4.0.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/c94ce9fb468520275223c153574b00df6fe4bcc9...b45d80f862d83dbcd57f89517bcf500b2ab88fb2)

Updates `docker/metadata-action` from 5.10.0 to 6.0.0
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Commits](https://github.com/docker/metadata-action/compare/c299e40c65443455700f0fdfc63efafe5b349051...030e881283bb7a6894de51c315a6bfe6a94e05cf)

Updates `docker/build-push-action` from 6.19.2 to 7.0.0
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/10e90e3645eae34f1e60eeb005ba3a3d33f178e8...d08e5c354a6adb9ed34480a06d141179aa583294)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: docker/login-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: docker/metadata-action
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: docker/build-push-action
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-18 01:45:09 +00:00
Mike Dalessio e518d638f2 ci: suppress dependabot-execution warning in dependabot config 2026-03-17 18:27:45 -04:00
Mike Dalessio fa12aca387 ci: update pinned github versions (minor bump) 2026-03-17 18:08:11 -04:00
Mike Dalessio 58f94b0cc1 ci: add job to lint github actions
using zizmor
2026-03-17 18:08:09 -04:00
Mike Dalessio dd7f7005b2 ci: fix template injection by passing tags through env vars 2026-03-17 17:57:34 -04:00
Mike Dalessio bc6703b0df ci: disable credential persistence after checkout
suppress artipacked warning in dependabot lockfile sync workflow
2026-03-17 17:57:34 -04:00
Mike Dalessio 310e271908 ci: suppress zizmor secrets-outside-env in test workflow 2026-03-17 17:57:34 -04:00
Mike Dalessio b6e00b77e3 ci: scope permissions to jobs in publish-image workflow 2026-03-17 17:57:32 -04:00
Mike Dalessio 99e683125b ci: batch github actions dependabot updates into a single PR 2026-03-17 17:39:54 -04:00
Mike Dalessio 463f289072 ci: pin github actions
using `pinact`
2026-03-17 17:19:37 -04:00
dependabot[bot] 9585d13f5f Bump actions/attest-build-provenance from 3.2.0 to 4.1.0 (#2668)
Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 3.2.0 to 4.1.0.
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](https://github.com/actions/attest-build-provenance/compare/v3.2.0...v4.1.0)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-09 08:58:45 -07:00
dependabot[bot] 31713aa396 Bump docker/build-push-action from 6.18.0 to 6.19.2 (#2587)
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.18.0 to 6.19.2.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6.18.0...v6.19.2)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: 6.19.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 23:27:38 -08:00
dependabot[bot] 0ead67f85b Bump the development-dependencies group across 1 directory with 3 updates (#2546)
* Bump the development-dependencies group across 1 directory with 3 updates

Bumps the development-dependencies group with 3 updates in the / directory: [brakeman](https://github.com/presidentbeef/brakeman), [faker](https://github.com/faker-ruby/faker) and [selenium-webdriver](https://github.com/SeleniumHQ/selenium).


Updates `brakeman` from 7.1.2 to 8.0.1
- [Release notes](https://github.com/presidentbeef/brakeman/releases)
- [Changelog](https://github.com/presidentbeef/brakeman/blob/main/CHANGES.md)
- [Commits](https://github.com/presidentbeef/brakeman/compare/v7.1.2...v8.0.1)

Updates `faker` from 3.5.3 to 3.6.0
- [Release notes](https://github.com/faker-ruby/faker/releases)
- [Changelog](https://github.com/faker-ruby/faker/blob/main/CHANGELOG.md)
- [Commits](https://github.com/faker-ruby/faker/compare/v3.5.3...v3.6.0)

Updates `selenium-webdriver` from 4.39.0 to 4.40.0
- [Release notes](https://github.com/SeleniumHQ/selenium/releases)
- [Changelog](https://github.com/SeleniumHQ/selenium/blob/trunk/rb/CHANGES)
- [Commits](https://github.com/SeleniumHQ/selenium/compare/selenium-4.39.0...selenium-4.40.0)

---
updated-dependencies:
- dependency-name: brakeman
  dependency-version: 8.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: development-dependencies
- dependency-name: faker
  dependency-version: 3.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development-dependencies
- dependency-name: selenium-webdriver
  dependency-version: 4.40.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

* Auto-sync Gemfile.saas.lock on Dependabot PRs

Dependabot can't update custom-named Gemfiles, so Gemfile.saas.lock
drifts whenever it bumps shared gems in Gemfile.lock.

Add `bin/bundle-drift forward` to push oss lockfile changes into the
saas lockfile (the reverse of `correct`), and a GitHub Actions workflow
that runs it automatically on Dependabot bundler branches.

* Update brakeman ignore fingerprint for 8.0.1

Brakeman 8.0.1 changed how it computes warning fingerprints, so the
existing ignore entry for the safe_constantize warning in Notifier
became obsolete. Update to the new fingerprint.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jeremy Daer <jeremy@37signals.com>
2026-02-16 15:29:51 -08:00
dependabot[bot] 9622e5dad4 Bump actions/attest-build-provenance from 3.1.0 to 3.2.0 (#2499)
Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 3.1.0 to 3.2.0.
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](https://github.com/actions/attest-build-provenance/compare/v3.1.0...v3.2.0)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-version: 3.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-08 10:35:19 -08:00
dependabot[bot] 52ec23ff21 Bump docker/login-action from 3.6.0 to 3.7.0 (#2500)
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.6.0 to 3.7.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v3.6.0...v3.7.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 3.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-08 10:35:11 -08:00
Kevin McConnell e27456b8f8 Include arm64 build in Docker workflow 2026-01-23 14:33:31 +00:00
dependabot[bot] 6ec61df7d7 Bump actions/attest-build-provenance from 3.0.0 to 3.1.0 (#2257)
Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](https://github.com/actions/attest-build-provenance/compare/v3.0.0...v3.1.0)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-version: 3.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-26 21:10:05 -08:00
dependabot[bot] e221833571 Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 (#2256)
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.11.1 to 3.12.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v3.11.1...v3.12.0)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 3.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-26 21:09:38 -08:00
Mike Dalessio 6a244b17e6 Use new FIZZY_GH_TOKEN with limited access
because this is a public repo and so doesn't have access to the
private org secret GH_TOKEN anymore.
2025-12-12 13:04:26 -05:00
Jeremy Daer 586015c3f9 Bundle drift detection and correction (#2101)
Gemfile.saas evals Gemfile, so shared gems should have identical versions
in both lockfiles. This adds bin/bundle-drift to detect and fix drift:

* `bin/bundle-drift check` compares shared gem versions
* `bin/bundle-drift correct` seeds Gemfile.lock from Gemfile.saas.lock
  and re-locks, letting Bundler prune SaaS-only gems while preserving
  shared versions

Adds drift check to bin/ci and GitHub CI. Corrects existing drift.
2025-12-11 21:32:34 -08:00
dependabot[bot] ef538abb4f Bump actions/checkout from 4 to 6 (#2047)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-10 13:25:42 -08:00
dependabot[bot] 19cd7bfeec Bump docker/login-action from 3.5.0 to 3.6.0 (#2046)
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.5.0 to 3.6.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v3.5.0...v3.6.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 3.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-10 13:25:17 -08:00
dependabot[bot] 9ee8b131c5 Bump docker/metadata-action from 5.8.0 to 5.10.0 (#2045)
Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5.8.0 to 5.10.0.
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Commits](https://github.com/docker/metadata-action/compare/v5.8.0...v5.10.0)

---
updated-dependencies:
- dependency-name: docker/metadata-action
  dependency-version: 5.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-10 13:25:02 -08:00
dependabot[bot] a90ad88bab Bump sigstore/cosign-installer from 3.9.2 to 4.0.0 (#2044)
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.9.2 to 4.0.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/v3.9.2...v4.0.0)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-10 13:24:47 -08:00
Stanko K.R. 9d5ddfccec Remove semver-major-days from Dependabot on GH actions 2025-12-10 09:18:20 +01:00
Rosa Gutierrez 2352f30b61 Adopt a cooldown period for dependency updates
As suggested by @flavorjones, and explained in:
https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns

This applies:
- 7 days as default: from the article, a 7-day
cooldown would have prevented 8 out of 10 recent
supply chain attacks. It seems reasonably long
but not crazy long.
- 14 days for major versions, to give some time
to the community to find problems.
2025-12-08 20:05:03 +01:00
Jeremy Daer bc1075f194 GitHub actions: limit GITHUB_TOKEN permissions (#1933) 2025-12-04 11:05:50 -08:00
Stanko K.R. 8bc2b7c8c8 Add contributing guide 2025-12-02 20:37:58 +01:00
Stanko K.R. fc8ca04c05 Disable ARM image builds 2025-12-02 18:59:40 +01:00
Stanko K.R. 94d1a1e10a Disable image builds for PRs 2025-12-02 18:51:07 +01:00
Stanko K.R. 2d0110963a Add automated Docker image builds 2025-12-02 18:42:51 +01:00
Mike Dalessio 04ed381742 update pipelines 2025-11-28 15:40:24 -05:00
Jorge Manrubia e15c4987c1 Remove saas from matrix or it will always run 2025-11-28 15:53:58 +01:00
Jorge Manrubia 15e654b526 Checks only in PRs 2025-11-28 15:53:58 +01:00
Jorge Manrubia f174058f43 Extract common checks to its own workflow to only run once 2025-11-28 15:53:58 +01:00
Jorge Manrubia 25cfa42872 Rename workflows 2025-11-28 15:53:58 +01:00
Jorge Manrubia 68bb4a84e2 Rename 2025-11-28 15:53:58 +01:00
Jorge Manrubia dd0f9f174e Split CI files to prevent PR workflows from accessing secrets 2025-11-28 15:53:58 +01:00
Jorge Manrubia 624b6680c7 Fix condition 2025-11-28 15:53:58 +01:00
Jorge Manrubia d81cf9161e Fix hostname 2025-11-28 15:53:58 +01:00
Jorge Manrubia 00cb9a3638 Set proper SaaS vars for mysql 2025-11-28 15:53:58 +01:00
Jorge Manrubia ac649f1af0 Try to pin the host 2025-11-28 15:53:58 +01:00
Jorge Manrubia 127a4ebdc9 LOL if does not exist 2025-11-28 15:53:58 +01:00
Jorge Manrubia 93c60d09a8 Omit MySQL service with if condition 2025-11-28 15:53:58 +01:00
Jorge Manrubia 5a1d40ae65 Omit empty image 2025-11-28 15:53:58 +01:00
Jorge Manrubia 0328149ba2 Initial github action setup 2025-11-28 15:53:58 +01:00
Mike Dalessio 3a8ea5ea85 dependabot: make the schedule weekly
Daily is very noisy when we're using so many git branches.
2025-10-03 22:17:21 -04:00
David Heinemeier Hansson 5316a6b821 It is Local CI now 2025-04-05 17:18:54 +02:00
Mike Dalessio 2756a0ebc1 ci: Set access token to pull from the private repo 2025-03-10 12:12:56 -04:00
Jeremy Daer 42130f71ab Dependabot: group dev deps 2025-02-04 10:32:17 -08:00