copilot-swe-agent[bot]
40f722ec18
fix: harden workflow permissions - set top-level permissions: {} and scope perms to jobs
...
Set `permissions: {}` at the top level of all workflow files to deny all
permissions by default, then grant only the minimum required permissions at
the job level. This fixes the Docker push failure caused by missing
`packages: write` permission being scoped incorrectly.
Changes per workflow:
- build-testing-image.yml: add contents: read + packages: write to job
- action-security.yml: consolidate contents: read, actions: read,
  pull-requests: read into the analyze job
- codeql-new.yml: add actions: read to the analyze job
- dependency-review.yml: add contents: read to the dependency-review job
- issue-stats.yml: top-level only (no checkout, existing job perms sufficient)
- new-release.yml: was read-all; job already has contents: write
- pr-lint.yml: was contents: read + packages: read; job already has full perms
- release.yml: job already has contents: write
- security-suite.yml: move all perms to job level
- stale.yml: top-level only (no checkout, existing job perms sufficient)
- sync-labels.yml: was read-all; add contents: read to job for checkout
- version-maintenance.yml: move all perms to job level
Co-authored-by: ivuorinen <11024+ivuorinen@users.noreply.github.com>
2026-03-05 21:22:44 +00:00
copilot-swe-agent[bot]
763cbbb0be
Initial plan
2026-03-05 21:18:15 +00:00
renovate[bot]
d1af04260d
chore(deps)!: update docker/login-action (v3.7.0 → v4.0.0) ( #477 )
v2026.03.05
2026-03-05 22:41:05 +02:00
renovate[bot]
0921e373ce
chore(deps)!: update docker/setup-buildx-action (v3.12.0 → v4.0.0) ( #478 )
2026-03-05 22:26:51 +02:00
renovate[bot]
6bbe5089d2
chore(deps)!: update docker/setup-qemu-action (v3.7.0 → v4.0.0) ( #479 )
2026-03-05 22:15:39 +02:00
renovate[bot]
7cf51e5364
chore(deps): lock file maintenance ( #481 )
2026-03-05 22:14:11 +02:00
renovate[bot]
72c6155089
chore(deps)!: update github/issue-metrics (v3.25.5 → v4.1.0) ( #480 )
2026-03-05 22:07:00 +02:00
renovate[bot]
6e8f2aae9d
chore(deps): update pre-commit hook astral-sh/uv-pre-commit (0.10.5 → 0.10.7) ( #475 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
v2026.03.02
2026-03-02 17:22:01 +02:00
renovate[bot]
f15daec6dc
chore(deps): update pre-commit hook astral-sh/ruff-pre-commit (v0.15.2 → v0.15.4) ( #474 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-02 17:21:37 +02:00
renovate[bot]
66870c6d0c
chore(deps): update oxsecurity/megalinter action (v9.3.0 → v9.4.0) ( #476 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-02 17:20:54 +02:00
renovate[bot]
03eeb4c39f
chore(deps): update astral-sh/setup-uv action (v7.3.0 → v7.3.1) ( #473 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-02 03:04:57 +02:00
renovate[bot]
992b64a580
chore(deps)!: update hashicorp/setup-terraform (v3.1.2 → v4.0.0) ( #471 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-02 02:35:56 +02:00
renovate[bot]
f114b11df1
chore(deps): lock file maintenance ( #472 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-02 02:35:20 +02:00
bd59245cd7
fix(deps): replace step-security/retry and update action pins ( #468 )
...
* fix(deps): replace step-security/retry with nick-fields/retry
* chore(deps): update github action sha pins via pinact
* refactor: remove common-retry references from tests and validators
* chore: simplify description fallback and update action count
* docs: remove hardcoded test counts from memory and docs
Replace exact "769 tests" references with qualitative language
so these files don't go stale as test count grows.
2026-03-02 02:31:26 +02:00
dependabot[bot]
d919327c7e
chore(deps): bump minimatch ( #466 )
v2026.02.28
2026-02-28 16:20:54 +02:00
renovate[bot]
8faacf8a1c
chore(deps): update actions/dependency-review-action action (v4.8.2 → v4.8.3) ( #461 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
v2026.02.24
2026-02-24 20:09:57 +02:00
renovate[bot]
bbca76975e
chore(deps): update pre-commit hook astral-sh/ruff-pre-commit (v0.15.1 → v0.15.2) ( #462 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-24 20:06:53 +02:00
renovate[bot]
b75d237069
chore(deps): update pre-commit hook bridgecrewio/checkov (3.2.502 → 3.2.506) ( #464 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-24 20:06:32 +02:00
renovate[bot]
7973e4945b
chore(deps): update markdownlint-cli2 (0.20.0 → 0.21.0) ( #465 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-24 20:06:10 +02:00
renovate[bot]
2ce9325ff9
chore(deps): update pre-commit hook astral-sh/uv-pre-commit (0.10.3 → 0.10.5) ( #463 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-24 20:05:35 +02:00
renovate[bot]
37e80e5224
chore(deps): lock file maintenance ( #457 )
v2026.02.23
2026-02-23 21:43:14 +02:00
renovate[bot]
2555420036
chore(deps): update aquasecurity/trivy-action action (0.34.0 → 0.34.1) ( #458 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-23 21:30:15 +02:00
renovate[bot]
2e4525cb96
chore(deps): update github/codeql-action action (v4.32.3 → v4.32.4) ( #459 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-23 21:29:42 +02:00
renovate[bot]
a75db3a84a
chore(deps): update actions/stale action (v10.1.1 → v10.2.0) ( #460 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-23 21:29:07 +02:00
renovate[bot]
309f4460ec
chore(deps): update pre-commit hook davidanson/markdownlint-cli2 (v0.20.0 → v0.21.0) ( #456 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
v2026.02.18
2026-02-17 23:20:07 +02:00
renovate[bot]
55897dfdeb
chore(deps): update pre-commit hook rhysd/actionlint (v1.7.10 → v1.7.11) ( #455 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
v2026.02.17
2026-02-17 19:15:21 +02:00
renovate[bot]
88a0b89d8d
chore(deps): update pre-commit hook astral-sh/ruff-pre-commit (v0.15.0 → v0.15.1) ( #452 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-17 19:13:47 +02:00
renovate[bot]
0131cbfcf6
chore(deps): update docker/build-push-action action (v6.18.0 → v6.19.2) ( #451 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-17 19:13:25 +02:00
renovate[bot]
f36f50e375
chore(deps): update aquasecurity/trivy-action action (0.33.1 → 0.34.0) ( #450 )
...
* chore(deps): update pre-commit hook rhysd/actionlint (v1.7.10 → v1.7.11)
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* chore(deps): update aquasecurity/trivy-action action (0.33.1 → 0.34.0)
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---------
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-17 19:11:17 +02:00
renovate[bot]
f0c398f47d
chore(deps): update pre-commit hook bridgecrewio/checkov (3.2.500 → 3.2.502) ( #454 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-17 19:00:40 +02:00
renovate[bot]
1eb60955d1
chore(deps): update pre-commit hook astral-sh/uv-pre-commit (0.10.0 → 0.10.3) ( #453 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-17 18:59:38 +02:00
renovate[bot]
291bb2fdc4
chore(deps): update github/codeql-action action (v4.32.2 → v4.32.3) ( #449 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
v2026.02.16
2026-02-16 09:31:18 +02:00
renovate[bot]
8fa4dc84f2
chore(deps): lock file maintenance ( #448 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-16 09:30:59 +02:00
renovate[bot]
c40f80e9c5
chore(deps): update actions/setup-python action (v6.1.0 → v6.2.0) ( #439 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
v2026.02.10
2026-02-10 13:34:34 +02:00
renovate[bot]
20fb4bc79c
chore(deps): update astral-sh/setup-uv action (v7.2.1 → v7.3.0) ( #440 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-10 13:33:59 +02:00
renovate[bot]
9277758f30
chore(deps): update docker/login-action action (v3.6.0 → v3.7.0) ( #441 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-10 13:33:40 +02:00
renovate[bot]
a9605c642f
chore(deps): update github/codeql-action action (v4.31.9 → v4.32.2) ( #442 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-10 13:32:33 +02:00
renovate[bot]
6d25c0f8b6
chore(deps): update peter-evans/create-pull-request action (v8.0.0 → v8.1.0) ( #443 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-10 13:31:35 +02:00
renovate[bot]
6c04d8b197
chore(deps): update image python to v3.14.3 ( #444 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-10 13:31:12 +02:00
renovate[bot]
e6c7e60e25
chore(deps): update pre-commit hook adrienverge/yamllint (v1.37.1 → v1.38.0) ( #445 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-10 13:30:49 +02:00
renovate[bot]
01292232b4
chore(deps): update pre-commit hook astral-sh/ruff-pre-commit (v0.14.14 → v0.15.0) ( #446 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-10 13:30:28 +02:00
renovate[bot]
052b78f9f7
chore(deps): update pre-commit hook astral-sh/uv-pre-commit (0.9.28 → 0.10.0) ( #447 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-10 13:30:12 +02:00
renovate[bot]
f371da218e
chore(deps): update pre-commit hook astral-sh/ruff-pre-commit (v0.14.11 → v0.14.14) ( #434 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
v2026.02.03
2026-02-03 10:11:35 +02:00
renovate[bot]
175a9f5356
chore(deps): update pre-commit hook astral-sh/uv-pre-commit (0.9.24 → 0.9.28) ( #435 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-03 10:11:20 +02:00
renovate[bot]
b3299e0670
chore(deps): update pre-commit hook bridgecrewio/checkov (3.2.497 → 3.2.500) ( #436 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-03 10:11:00 +02:00
renovate[bot]
fb37d38f17
chore(deps): update actions/setup-go action (v6.1.0 → v6.2.0) ( #437 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-03 10:10:43 +02:00
renovate[bot]
80621c08b4
chore(deps): update actions/setup-node action (v6.1.0 → v6.2.0) ( #438 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-03 10:09:53 +02:00
renovate[bot]
77429988fd
chore(deps): update raven-actions/actionlint action (v2.1.0 → v2.1.1) ( #432 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-02 07:53:24 +02:00
renovate[bot]
f5cedd5870
chore(deps): update oven-sh/setup-bun action (v2.1.0 → v2.1.2) ( #431 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-02 07:52:59 +02:00
renovate[bot]
0b0e96a2ed
chore(deps): update actions/setup-dotnet action (v5.0.1 → v5.1.0) ( #433 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-02 07:52:16 +02:00