chore(deps): Bump github/codeql-action from 4.35.1 to 4.35.3

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.1 to 4.35.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/c10b8064de6f491fea524254123dbe5e09572f13...e46ed2cbd01164d986452f91f178727624ae40d7) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
2026-05-04 14:44:12 +00:00
10 changed files with 2151 additions and 0 deletions
@@ -0,0 +1,146 @@
 # reusable workflow
 name: .e2e-run
 permissions:
  contents: read
 on:
  workflow_call:
    inputs:
      id:
        required: false
        type: string
      type:
        required: true
        type: string
      name:
        required: true
        type: string
      registry:
        required: false
        type: string
      slug:
        required: false
        type: string
    secrets:
      registry_username:
        required: false
      registry_password:
        required: false
 env:
  HARBOR_VERSION: v2.13.2
  NEXUS_VERSION: 3.47.1
  DISTRIBUTION_VERSION: 3.0.0
 jobs:
  run:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          -
            buildx_version: edge
            buildkit_image: moby/buildkit:latest
          -
            buildx_version: latest
            buildkit_image: moby/buildkit:buildx-stable-1
          -
            buildx_version: https://github.com/docker/buildx.git#master
            buildkit_image: moby/buildkit:master
    steps:
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up env
        if: inputs.type == 'local'
        env:
          ID: ${{ inputs.id }}
        run: |
          cat ./.github/e2e/${ID}/env >> $GITHUB_ENV
      -
        name: Set up BuildKit config
        env:
          TYPE: ${{ inputs.type }}
        run: |
          touch /tmp/buildkitd.toml
          if [ "${TYPE}" = "local" ]; then
            echo -e "[registry.\"${{ env.REGISTRY_FQDN }}\"]\nhttp = true\ninsecure = true" > /tmp/buildkitd.toml
          fi
      -
        name: Set up Docker daemon
        if: inputs.type == 'local'
        run: |
          if [ ! -e /etc/docker/daemon.json ]; then
            echo '{}' | sudo tee /etc/docker/daemon.json >/dev/null
          fi
          DOCKERD_CONFIG=$(jq '.+{"insecure-registries":["http://${{ env.REGISTRY_FQDN }}"]}' /etc/docker/daemon.json)
          sudo tee /etc/docker/daemon.json <<<"$DOCKERD_CONFIG" >/dev/null
          cat /etc/docker/daemon.json
          sudo service docker restart
      -
        name: Install ${{ inputs.name }}
        if: inputs.type == 'local'
        env:
          ID: ${{ inputs.id }}
        run: |
          sudo -E bash ./.github/e2e/${ID}/install.sh
          sudo chown $(id -u):$(id -g) -R ~/.docker
      -
        name: Docker meta
        id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: ${{ env.REGISTRY_SLUG || inputs.slug }}
          tags: |
            type=ref,event=branch,enable=${{ matrix.buildx_version == 'latest' && matrix.buildkit_image == 'moby/buildkit:buildx-stable-1' }}
            type=ref,event=tag,enable=${{ matrix.buildx_version == 'latest' && matrix.buildkit_image == 'moby/buildkit:buildx-stable-1' }}
            type=raw,gh-runid-${{ github.run_id }}
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        with:
          version: ${{ matrix.buildx_version }}
          buildkitd-config: /tmp/buildkitd.toml
          buildkitd-flags: --debug --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host
          driver-opts: |
            image=${{ matrix.buildkit_image }}
            network=host
      -
        name: Login to Registry
        if: github.event_name != 'pull_request' && (inputs.type == 'remote' || env.REGISTRY_USER != '')
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ${{ env.REGISTRY_FQDN || inputs.registry }}
          username: ${{ env.REGISTRY_USER || secrets.registry_username }}
          password: ${{ env.REGISTRY_PASSWORD || secrets.registry_password }}
      -
        name: Build and push
        uses: ./
        with:
          context: ./test
          file: ./test/multi.Dockerfile
          platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=registry,ref=${{ env.REGISTRY_SLUG || inputs.slug }}:master
          cache-to: type=inline
      -
        name: Inspect image
        env:
          SLUG: ${{ env.REGISTRY_SLUG || inputs.slug }}
        run: |
          docker pull ${SLUG}:${{ steps.meta.outputs.version }}
          docker image inspect ${SLUG}:${{ steps.meta.outputs.version }}
      -
        name: Check manifest
        env:
          SLUG: ${{ env.REGISTRY_SLUG || inputs.slug }}
        run: |
          docker buildx imagetools inspect ${SLUG}:${{ steps.meta.outputs.version }} --format '{{json .}}'
@@ -0,0 +1,46 @@
 name: codeql
 permissions:
  contents: read
 on:
  push:
    branches:
      - 'master'
      - 'releases/v*'
  pull_request:
 env:
  NODE_VERSION: "24"
 jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Enable corepack
        run: |
          corepack enable
          yarn --version
      -
        name: Set up Node
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: ${{ env.NODE_VERSION }}
      -
        name: Initialize CodeQL
        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
        with:
          languages: javascript-typescript
          build-mode: none
      -
        name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
        with:
          category: "/language:javascript-typescript"
@@ -0,0 +1,127 @@
 name: e2e
 permissions:
  contents: read
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 on:
  workflow_dispatch:
  schedule:
    - cron: '0 10 * * *'
  push:
    branches:
      - 'master'
    tags:
      - 'v*'
 jobs:
  build:
    uses: ./.github/workflows/.e2e-run.yml
    strategy:
      fail-fast: false
      matrix:
        include:
          -
            name: Distribution
            id: distribution
            auth: none
            type: local
          -
            name: Docker Hub
            registry: ''
            slug: ghactionstest/ghactionstest
            auth: dockerhub
            type: remote
          -
            name: GitHub
            registry: ghcr.io
            slug: ghcr.io/docker-ghactiontest/test
            auth: ghcr
            type: remote
          -
            name: GitLab
            registry: registry.gitlab.com
            slug: registry.gitlab.com/test1716/test
            auth: gitlab
            type: remote
          -
            name: AWS ECR
            registry: 175142243308.dkr.ecr.us-east-2.amazonaws.com
            slug: 175142243308.dkr.ecr.us-east-2.amazonaws.com/sandbox/test-docker-action
            auth: aws
            type: remote
          -
            name: AWS ECR Public
            registry: public.ecr.aws
            slug: public.ecr.aws/q3b5f1u4/test-docker-action
            auth: aws
            type: remote
          -
            name: Google Artifact Registry
            registry: us-east4-docker.pkg.dev
            slug: us-east4-docker.pkg.dev/sandbox-298914/docker-official-github-actions/test-docker-action
            auth: gar
            type: remote
          -
            name: Azure Container Registry
            registry: officialgithubactions.azurecr.io
            slug: officialgithubactions.azurecr.io/test-docker-action
            auth: acr
            type: remote
          -
            name: Quay
            registry: quay.io
            slug: quay.io/docker_build_team/ghactiontest
            auth: quay
            type: remote
          -
            name: Artifactory
            registry: infradock.jfrog.io
            slug: infradock.jfrog.io/test-ghaction/build-push-action
            auth: artifactory
            type: remote
          -
            name: Harbor
            id: harbor
            auth: none
            type: local
          -
            name: Nexus
            id: nexus
            auth: none
            type: local
    with:
      id: ${{ matrix.id }}
      type: ${{ matrix.type }}
      name: ${{ matrix.name }}
      registry: ${{ matrix.registry }}
      slug: ${{ matrix.slug }}
    secrets:
      # Pass only the two secrets needed by each matrix entry.
      registry_username: >-
        ${{
          matrix.auth == 'dockerhub' && secrets.DOCKERHUB_USERNAME ||
          matrix.auth == 'ghcr' && secrets.GHCR_USERNAME ||
          matrix.auth == 'gitlab' && secrets.GITLAB_USERNAME ||
          matrix.auth == 'aws' && secrets.AWS_ACCESS_KEY_ID ||
          matrix.auth == 'gar' && secrets.GAR_USERNAME ||
          matrix.auth == 'acr' && secrets.AZURE_CLIENT_ID ||
          matrix.auth == 'quay' && secrets.QUAY_USERNAME ||
          matrix.auth == 'artifactory' && secrets.ARTIFACTORY_USERNAME ||
          ''
        }}
      registry_password: >-
        ${{
          matrix.auth == 'dockerhub' && secrets.DOCKERHUB_TOKEN ||
          matrix.auth == 'ghcr' && secrets.GHCR_PAT ||
          matrix.auth == 'gitlab' && secrets.GITLAB_TOKEN ||
          matrix.auth == 'aws' && secrets.AWS_SECRET_ACCESS_KEY ||
          matrix.auth == 'gar' && secrets.GAR_JSON_KEY ||
          matrix.auth == 'acr' && secrets.AZURE_CLIENT_SECRET ||
          matrix.auth == 'quay' && secrets.QUAY_TOKEN ||
          matrix.auth == 'artifactory' && secrets.ARTIFACTORY_TOKEN ||
          ''
        }}
@@ -0,0 +1,17 @@
 name: pr-assign-author
 permissions:
  contents: read
 on:
  pull_request_target: # zizmor: ignore[dangerous-triggers] safe to use without checkout
    types:
      - opened
      - reopened
 jobs:
  run:
    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@64a0bfaf6e6bb1c448d6e4c42b11034ee7094f16 # v1.7.1
    permissions:
      contents: read
      pull-requests: write
@@ -0,0 +1,28 @@
 name: publish
 permissions:
  contents: read
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 on:
  release:
    types:
      - published
 jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      packages: write
    steps:
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Publish
        uses: actions/publish-immutable-action@4bc8754ffc40f27910afb20287dbbbb675a4e978 # v0.0.4
@@ -0,0 +1,35 @@
 name: test
 permissions:
  contents: read
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 on:
  push:
    branches:
      - 'master'
      - 'releases/v*'
  pull_request:
 jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Test
        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
        with:
          source: .
          targets: test
      -
        name: Upload coverage
        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          files: ./coverage/clover.xml
          token: ${{ secrets.CODECOV_TOKEN }}
@@ -0,0 +1,56 @@
 name: update-dist
 permissions:
  contents: read
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 on:
  pull_request:
    types:
      - opened
      - synchronize
 jobs:
  update-dist:
    if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
    runs-on: ubuntu-latest
    steps:
      -
        name: GitHub auth token from GitHub App
        id: docker-read-app
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
          app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}
          private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}
          owner: docker
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          fetch-depth: 0
          token: ${{ steps.docker-read-app.outputs.token }}
      -
        name: Build
        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
        with:
          source: .
          targets: build
      -
        name: Commit and push dist
        run: |
          if [ -n "$(git status --porcelain -- dist)" ]; then
            (
              set -x
              git config user.name "github-actions[bot]"
              git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
              git add dist
              git commit -m "chore: update generated content"
              git push
            )
          else
            echo "No changes in dist"
          fi
@@ -0,0 +1,46 @@
 name: validate
 permissions:
  contents: read
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 on:
  push:
    branches:
      - 'master'
      - 'releases/v*'
  pull_request:
 jobs:
  prepare:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.generate.outputs.matrix }}
    steps:
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Generate matrix
        id: generate
        uses: docker/bake-action/subaction/matrix@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
        with:
          target: validate
  validate:
    runs-on: ubuntu-latest
    needs:
      - prepare
    strategy:
      fail-fast: false
      matrix:
        include: ${{ fromJson(needs.prepare.outputs.matrix) }}
    steps:
      -
        name: Validate
        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
        with:
          targets: ${{ matrix.target }}
@@ -0,0 +1,29 @@
 name: zizmor
 permissions:
  contents: read
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 on:
  workflow_dispatch:
  push:
    branches:
      - 'master'
      - 'releases/v*'
    tags:
      - 'v*'
  pull_request:
 jobs:
  zizmor:
    uses: crazy-max/.github/.github/workflows/zizmor.yml@64a0bfaf6e6bb1c448d6e4c42b11034ee7094f16 # v1.7.1
    permissions:
      contents: read
      security-events: write
    with:
      min-severity: medium
      min-confidence: medium
      persona: pedantic