chore(deps): Bump github/codeql-action from 4.35.1 to 4.35.3

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.1 to 4.35.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/c10b8064de6f491fea524254123dbe5e09572f13...e46ed2cbd01164d986452f91f178727624ae40d7) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
2026-05-04 14:44:12 +00:00
10 changed files with 2151 additions and 0 deletions
@@ -0,0 +1,146 @@
+# reusable workflow
+name: .e2e-run
+
+permissions:
+  contents: read
+
+on:
+  workflow_call:
+    inputs:
+      id:
+        required: false
+        type: string
+      type:
+        required: true
+        type: string
+      name:
+        required: true
+        type: string
+      registry:
+        required: false
+        type: string
+      slug:
+        required: false
+        type: string
+    secrets:
+      registry_username:
+        required: false
+      registry_password:
+        required: false
+
+env:
+  HARBOR_VERSION: v2.13.2
+  NEXUS_VERSION: 3.47.1
+  DISTRIBUTION_VERSION: 3.0.0
+
+jobs:
+  run:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          -
+            buildx_version: edge
+            buildkit_image: moby/buildkit:latest
+          -
+            buildx_version: latest
+            buildkit_image: moby/buildkit:buildx-stable-1
+          -
+            buildx_version: https://github.com/docker/buildx.git#master
+            buildkit_image: moby/buildkit:master
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Set up env
+        if: inputs.type == 'local'
+        env:
+          ID: ${{ inputs.id }}
+        run: |
+          cat ./.github/e2e/${ID}/env >> $GITHUB_ENV
+      -
+        name: Set up BuildKit config
+        env:
+          TYPE: ${{ inputs.type }}
+        run: |
+          touch /tmp/buildkitd.toml
+          if [ "${TYPE}" = "local" ]; then
+            echo -e "[registry.\"${{ env.REGISTRY_FQDN }}\"]\nhttp = true\ninsecure = true" > /tmp/buildkitd.toml
+          fi
+      -
+        name: Set up Docker daemon
+        if: inputs.type == 'local'
+        run: |
+          if [ ! -e /etc/docker/daemon.json ]; then
+            echo '{}' | sudo tee /etc/docker/daemon.json >/dev/null
+          fi
+          DOCKERD_CONFIG=$(jq '.+{"insecure-registries":["http://${{ env.REGISTRY_FQDN }}"]}' /etc/docker/daemon.json)
+          sudo tee /etc/docker/daemon.json <<<"$DOCKERD_CONFIG" >/dev/null
+          cat /etc/docker/daemon.json
+          sudo service docker restart
+      -
+        name: Install ${{ inputs.name }}
+        if: inputs.type == 'local'
+        env:
+          ID: ${{ inputs.id }}
+        run: |
+          sudo -E bash ./.github/e2e/${ID}/install.sh
+          sudo chown $(id -u):$(id -g) -R ~/.docker
+      -
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        with:
+          images: ${{ env.REGISTRY_SLUG || inputs.slug }}
+          tags: |
+            type=ref,event=branch,enable=${{ matrix.buildx_version == 'latest' && matrix.buildkit_image == 'moby/buildkit:buildx-stable-1' }}
+            type=ref,event=tag,enable=${{ matrix.buildx_version == 'latest' && matrix.buildkit_image == 'moby/buildkit:buildx-stable-1' }}
+            type=raw,gh-runid-${{ github.run_id }}
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        with:
+          version: ${{ matrix.buildx_version }}
+          buildkitd-config: /tmp/buildkitd.toml
+          buildkitd-flags: --debug --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host
+          driver-opts: |
+            image=${{ matrix.buildkit_image }}
+            network=host
+      -
+        name: Login to Registry
+        if: github.event_name != 'pull_request' && (inputs.type == 'remote' || env.REGISTRY_USER != '')
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        with:
+          registry: ${{ env.REGISTRY_FQDN || inputs.registry }}
+          username: ${{ env.REGISTRY_USER || secrets.registry_username }}
+          password: ${{ env.REGISTRY_PASSWORD || secrets.registry_password }}
+      -
+        name: Build and push
+        uses: ./
+        with:
+          context: ./test
+          file: ./test/multi.Dockerfile
+          platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=registry,ref=${{ env.REGISTRY_SLUG || inputs.slug }}:master
+          cache-to: type=inline
+      -
+        name: Inspect image
+        env:
+          SLUG: ${{ env.REGISTRY_SLUG || inputs.slug }}
+        run: |
+          docker pull ${SLUG}:${{ steps.meta.outputs.version }}
+          docker image inspect ${SLUG}:${{ steps.meta.outputs.version }}
+      -
+        name: Check manifest
+        env:
+          SLUG: ${{ env.REGISTRY_SLUG || inputs.slug }}
+        run: |
+          docker buildx imagetools inspect ${SLUG}:${{ steps.meta.outputs.version }} --format '{{json .}}'
@@ -0,0 +1,46 @@
+name: codeql
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'releases/v*'
+  pull_request:
+
+env:
+  NODE_VERSION: "24"
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Enable corepack
+        run: |
+          corepack enable
+          yarn --version
+      -
+        name: Set up Node
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+      -
+        name: Initialize CodeQL
+        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        with:
+          languages: javascript-typescript
+          build-mode: none
+      -
+        name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        with:
+          category: "/language:javascript-typescript"
@@ -0,0 +1,127 @@
+name: e2e
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 10 * * *'
+  push:
+    branches:
+      - 'master'
+    tags:
+      - 'v*'
+
+jobs:
+  build:
+    uses: ./.github/workflows/.e2e-run.yml
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          -
+            name: Distribution
+            id: distribution
+            auth: none
+            type: local
+          -
+            name: Docker Hub
+            registry: ''
+            slug: ghactionstest/ghactionstest
+            auth: dockerhub
+            type: remote
+          -
+            name: GitHub
+            registry: ghcr.io
+            slug: ghcr.io/docker-ghactiontest/test
+            auth: ghcr
+            type: remote
+          -
+            name: GitLab
+            registry: registry.gitlab.com
+            slug: registry.gitlab.com/test1716/test
+            auth: gitlab
+            type: remote
+          -
+            name: AWS ECR
+            registry: 175142243308.dkr.ecr.us-east-2.amazonaws.com
+            slug: 175142243308.dkr.ecr.us-east-2.amazonaws.com/sandbox/test-docker-action
+            auth: aws
+            type: remote
+          -
+            name: AWS ECR Public
+            registry: public.ecr.aws
+            slug: public.ecr.aws/q3b5f1u4/test-docker-action
+            auth: aws
+            type: remote
+          -
+            name: Google Artifact Registry
+            registry: us-east4-docker.pkg.dev
+            slug: us-east4-docker.pkg.dev/sandbox-298914/docker-official-github-actions/test-docker-action
+            auth: gar
+            type: remote
+          -
+            name: Azure Container Registry
+            registry: officialgithubactions.azurecr.io
+            slug: officialgithubactions.azurecr.io/test-docker-action
+            auth: acr
+            type: remote
+          -
+            name: Quay
+            registry: quay.io
+            slug: quay.io/docker_build_team/ghactiontest
+            auth: quay
+            type: remote
+          -
+            name: Artifactory
+            registry: infradock.jfrog.io
+            slug: infradock.jfrog.io/test-ghaction/build-push-action
+            auth: artifactory
+            type: remote
+          -
+            name: Harbor
+            id: harbor
+            auth: none
+            type: local
+          -
+            name: Nexus
+            id: nexus
+            auth: none
+            type: local
+    with:
+      id: ${{ matrix.id }}
+      type: ${{ matrix.type }}
+      name: ${{ matrix.name }}
+      registry: ${{ matrix.registry }}
+      slug: ${{ matrix.slug }}
+    secrets:
+      # Pass only the two secrets needed by each matrix entry.
+      registry_username: >-
+        ${{
+          matrix.auth == 'dockerhub' && secrets.DOCKERHUB_USERNAME ||
+          matrix.auth == 'ghcr' && secrets.GHCR_USERNAME ||
+          matrix.auth == 'gitlab' && secrets.GITLAB_USERNAME ||
+          matrix.auth == 'aws' && secrets.AWS_ACCESS_KEY_ID ||
+          matrix.auth == 'gar' && secrets.GAR_USERNAME ||
+          matrix.auth == 'acr' && secrets.AZURE_CLIENT_ID ||
+          matrix.auth == 'quay' && secrets.QUAY_USERNAME ||
+          matrix.auth == 'artifactory' && secrets.ARTIFACTORY_USERNAME ||
+          ''
+        }}
+      registry_password: >-
+        ${{
+          matrix.auth == 'dockerhub' && secrets.DOCKERHUB_TOKEN ||
+          matrix.auth == 'ghcr' && secrets.GHCR_PAT ||
+          matrix.auth == 'gitlab' && secrets.GITLAB_TOKEN ||
+          matrix.auth == 'aws' && secrets.AWS_SECRET_ACCESS_KEY ||
+          matrix.auth == 'gar' && secrets.GAR_JSON_KEY ||
+          matrix.auth == 'acr' && secrets.AZURE_CLIENT_SECRET ||
+          matrix.auth == 'quay' && secrets.QUAY_TOKEN ||
+          matrix.auth == 'artifactory' && secrets.ARTIFACTORY_TOKEN ||
+          ''
+        }}
@@ -0,0 +1,17 @@
+name: pr-assign-author
+
+permissions:
+  contents: read
+
+on:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] safe to use without checkout
+    types:
+      - opened
+      - reopened
+
+jobs:
+  run:
+    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@64a0bfaf6e6bb1c448d6e4c42b11034ee7094f16 # v1.7.1
+    permissions:
+      contents: read
+      pull-requests: write
@@ -0,0 +1,28 @@
+name: publish
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  release:
+    types:
+      - published
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Publish
+        uses: actions/publish-immutable-action@4bc8754ffc40f27910afb20287dbbbb675a4e978 # v0.0.4
@@ -0,0 +1,35 @@
+name: test
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'releases/v*'
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Test
+        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
+        with:
+          source: .
+          targets: test
+      -
+        name: Upload coverage
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
+        with:
+          files: ./coverage/clover.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
@@ -0,0 +1,56 @@
+name: update-dist
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+
+jobs:
+  update-dist:
+    if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: GitHub auth token from GitHub App
+        id: docker-read-app
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        with:
+          app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}
+          private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}
+          owner: docker
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          fetch-depth: 0
+          token: ${{ steps.docker-read-app.outputs.token }}
+      -
+        name: Build
+        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
+        with:
+          source: .
+          targets: build
+      -
+        name: Commit and push dist
+        run: |
+          if [ -n "$(git status --porcelain -- dist)" ]; then
+            (
+              set -x
+              git config user.name "github-actions[bot]"
+              git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+              git add dist
+              git commit -m "chore: update generated content"
+              git push
+            )
+          else
+            echo "No changes in dist"
+          fi
@@ -0,0 +1,46 @@
+name: validate
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'releases/v*'
+  pull_request:
+
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.generate.outputs.matrix }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Generate matrix
+        id: generate
+        uses: docker/bake-action/subaction/matrix@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
+        with:
+          target: validate
+
+  validate:
+    runs-on: ubuntu-latest
+    needs:
+      - prepare
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJson(needs.prepare.outputs.matrix) }}
+    steps:
+      -
+        name: Validate
+        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
+        with:
+          targets: ${{ matrix.target }}
@@ -0,0 +1,29 @@
+name: zizmor
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+      - 'releases/v*'
+    tags:
+      - 'v*'
+  pull_request:
+
+jobs:
+  zizmor:
+    uses: crazy-max/.github/.github/workflows/zizmor.yml@64a0bfaf6e6bb1c448d6e4c42b11034ee7094f16 # v1.7.1
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      min-severity: medium
+      min-confidence: medium
+      persona: pedantic