From 5bcb756502d3046aeeabbe7479f8d07168681dc5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 26 Sep 2025 01:04:31 +0000 Subject: [PATCH 1/8] Bump senzing-factory/build-resources from 2 to 3 Bumps [senzing-factory/build-resources](https://github.com/senzing-factory/build-resources) from 2 to 3. - [Release notes](https://github.com/senzing-factory/build-resources/releases) - [Changelog](https://github.com/senzing-factory/build-resources/blob/main/CHANGELOG.md) - [Commits](https://github.com/senzing-factory/build-resources/compare/v2...v3) --- updated-dependencies: - dependency-name: senzing-factory/build-resources dependency-version: '3' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/add-labels-standardized.yaml | 4 ++-- .github/workflows/add-to-project-garage-dependabot.yaml | 4 ++-- .github/workflows/add-to-project-garage.yaml | 4 ++-- .github/workflows/dependabot-approve-and-merge.yaml | 2 +- .github/workflows/lint-workflows.yaml | 2 +- .github/workflows/move-pr-to-done-dependabot.yaml | 2 +- .github/workflows/pylint.yaml | 2 +- 7 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/add-labels-standardized.yaml b/.github/workflows/add-labels-standardized.yaml index 2802969..1629140 100644 --- a/.github/workflows/add-labels-standardized.yaml +++ b/.github/workflows/add-labels-standardized.yaml 
@@ -14,13 +14,13 @@ jobs: secrets: ORG_MEMBERSHIP_TOKEN: ${{ secrets.ORG_MEMBERSHIP_TOKEN }} SENZING_MEMBERS: ${{ secrets.SENZING_MEMBERS }} - uses: senzing-factory/build-resources/.github/workflows/add-labels-to-issue.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/add-labels-to-issue.yaml@v3 slack-notification: needs: [add-issue-labels] if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.add-issue-labels.outputs.job-status) }} secrets: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3 with: job-status: ${{ needs.add-issue-labels.outputs.job-status }} diff --git a/.github/workflows/add-to-project-garage-dependabot.yaml b/.github/workflows/add-to-project-garage-dependabot.yaml index fdb30e4..677116a 100644 --- a/.github/workflows/add-to-project-garage-dependabot.yaml +++ b/.github/workflows/add-to-project-garage-dependabot.yaml @@ -11,7 +11,7 @@ jobs: add-to-project-dependabot: secrets: SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/add-to-project-dependabot.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/add-to-project-dependabot.yaml@v3 with: project: ${{ vars.SENZING_PROJECT_GARAGE }} @@ -20,6 +20,6 @@ jobs: if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.add-to-project-dependabot.outputs.job-status) }} secrets: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3 with: job-status: ${{ needs.add-to-project-dependabot.outputs.job-status }} 
diff --git a/.github/workflows/add-to-project-garage.yaml b/.github/workflows/add-to-project-garage.yaml index 5040ae3..82cc8c6 100644 --- a/.github/workflows/add-to-project-garage.yaml +++ b/.github/workflows/add-to-project-garage.yaml @@ -13,7 +13,7 @@ jobs: add-to-project: secrets: SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/add-to-project.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/add-to-project.yaml@v3 with: classic: false project-number: ${{ vars.SENZING_PROJECT_GARAGE }} @@ -24,6 +24,6 @@ jobs: if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.add-to-project.outputs.job-status) }} secrets: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3 with: job-status: ${{ needs.add-to-project.outputs.job-status }} diff --git a/.github/workflows/dependabot-approve-and-merge.yaml b/.github/workflows/dependabot-approve-and-merge.yaml index 0aad27e..47d8e5d 100644 --- a/.github/workflows/dependabot-approve-and-merge.yaml +++ b/.github/workflows/dependabot-approve-and-merge.yaml @@ -12,4 +12,4 @@ jobs: dependabot-approve-and-merge: secrets: SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN: ${{ secrets.SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/dependabot-approve-and-merge.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/dependabot-approve-and-merge.yaml@v3 diff --git a/.github/workflows/lint-workflows.yaml b/.github/workflows/lint-workflows.yaml index c471330..d2384c6 100644 --- a/.github/workflows/lint-workflows.yaml +++ b/.github/workflows/lint-workflows.yaml 
@@ -14,4 +14,4 @@ permissions: jobs: lint-workflows: - uses: senzing-factory/build-resources/.github/workflows/lint-workflows.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/lint-workflows.yaml@v3 diff --git a/.github/workflows/move-pr-to-done-dependabot.yaml b/.github/workflows/move-pr-to-done-dependabot.yaml index b59571b..fd498c4 100644 --- a/.github/workflows/move-pr-to-done-dependabot.yaml +++ b/.github/workflows/move-pr-to-done-dependabot.yaml @@ -12,6 +12,6 @@ jobs: move-pr-to-done-dependabot: secrets: SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/move-pr-to-done-dependabot.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/move-pr-to-done-dependabot.yaml@v3 with: project: ${{ vars.SENZING_PROJECT_GARAGE }} diff --git a/.github/workflows/pylint.yaml b/.github/workflows/pylint.yaml index accd4be..3148d85 100644 --- a/.github/workflows/pylint.yaml +++ b/.github/workflows/pylint.yaml @@ -37,6 +37,6 @@ jobs: if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.pylint.outputs.status ) && github.ref_name == github.event.repository.default_branch }} secrets: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3 with: job-status: ${{ needs.pylint.outputs.status }} From 7c7daf13b5ba9451fdc80e9b55c2786b228818d8 Mon Sep 17 00:00:00 2001 
From: Sam <109683132+kernelsam@users.noreply.github.com> Date: Wed, 1 Oct 2025 07:57:58 -0700 Subject: [PATCH 2/8] linting updates --- .github/linters/zizmor.yaml | 5 +++++ .github/workflows/add-labels-standardized.yaml | 5 +++-- .../workflows/add-to-project-garage-dependabot.yaml | 5 +++-- .github/workflows/add-to-project-garage.yaml | 6 +++--- .github/workflows/dependabot-approve-and-merge.yaml | 7 ++++--- .github/workflows/docker-build-container.yaml | 5 +++-- .github/workflows/lint-workflows.yaml | 11 ++++++----- .github/workflows/move-pr-to-done-dependabot.yaml | 5 +++-- .github/workflows/pylint.yaml | 7 +++++-- .github/workflows/spellcheck.yaml | 7 +++++-- 10 files changed, 40 insertions(+), 23 deletions(-) create mode 100644 .github/linters/zizmor.yaml diff --git a/.github/linters/zizmor.yaml b/.github/linters/zizmor.yaml new file mode 100644 index 0000000..00ea2bb --- /dev/null +++ b/.github/linters/zizmor.yaml @@ -0,0 +1,5 @@ +rules: + unpinned-uses: + config: + policies: + "*": ref-pin diff --git a/.github/workflows/add-labels-standardized.yaml b/.github/workflows/add-labels-standardized.yaml index 1629140..38b4e6f 100644 --- a/.github/workflows/add-labels-standardized.yaml +++ b/.github/workflows/add-labels-standardized.yaml @@ -6,11 +6,12 @@ on: - opened - reopened -permissions: - issues: write +permissions: {} jobs: add-issue-labels: + permissions: + issues: write secrets: ORG_MEMBERSHIP_TOKEN: ${{ secrets.ORG_MEMBERSHIP_TOKEN }} SENZING_MEMBERS: ${{ secrets.SENZING_MEMBERS }} diff --git a/.github/workflows/add-to-project-garage-dependabot.yaml b/.github/workflows/add-to-project-garage-dependabot.yaml index 677116a..d1914fb 100644 --- a/.github/workflows/add-to-project-garage-dependabot.yaml +++ b/.github/workflows/add-to-project-garage-dependabot.yaml 
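Review bot: The `"*": ref-pin` policy in the new .github/linters/zizmor.yaml lets every `uses:` reference, third-party actions included, pass the unpinned-uses audit with a mutable tag. In this series that covers `streetsidesoftware/cspell-action@v7` in spellcheck.yaml and the `senzing-factory/build-resources/...@v3` reusable workflows, which receive secrets such as SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN. A re-pointed tag would change what runs with those secrets without any diff in this repository. Consider narrowing the relaxation to the namespaces you control, for example `"senzing-factory/*": ref-pin` and `"actions/*": ref-pin` with `"*": hash-pin`, and pinning the third-party action to a full commit SHA.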
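Review bot: Moving `issues: write` onto `add-issue-labels` leaves the `slack-notification` job in this file (outside this hunk, visible in PATCH 1/8) without a `permissions:` key, so it now inherits the empty top-level set implicitly. That is probably intended, but a called reusable workflow cannot hold more token scope than the calling job grants. If build-failure-slack-notification.yaml at `@v3` requests any scope, the call is likely to be rejected; that file is not visible here. Stating the intent on the job, `permissions: {}` with a comment such as `# uses only SLACK_BOT_TOKEN; no GITHUB_TOKEN scopes needed`, makes it reviewable. The same applies to the slack-notification jobs in add-to-project-garage-dependabot.yaml, add-to-project-garage.yaml and pylint.yaml.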
@@ -4,11 +4,12 @@ on: pull_request: branches: [main] -permissions: - repository-projects: write +permissions: {} jobs: add-to-project-dependabot: + permissions: + repository-projects: write secrets: SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }} uses: senzing-factory/build-resources/.github/workflows/add-to-project-dependabot.yaml@v3 diff --git a/.github/workflows/add-to-project-garage.yaml b/.github/workflows/add-to-project-garage.yaml index 82cc8c6..2ccc1e7 100644 --- a/.github/workflows/add-to-project-garage.yaml +++ b/.github/workflows/add-to-project-garage.yaml @@ -6,16 +6,16 @@ on: - opened - reopened -permissions: - repository-projects: write +permissions: {} jobs: add-to-project: + permissions: + repository-projects: write secrets: SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }} uses: senzing-factory/build-resources/.github/workflows/add-to-project.yaml@v3 with: - classic: false project-number: ${{ vars.SENZING_PROJECT_GARAGE }} org: ${{ vars.SENZING_GITHUB_ACCOUNT_NAME }} diff --git a/.github/workflows/dependabot-approve-and-merge.yaml b/.github/workflows/dependabot-approve-and-merge.yaml index 47d8e5d..d5e12aa 100644 --- a/.github/workflows/dependabot-approve-and-merge.yaml +++ b/.github/workflows/dependabot-approve-and-merge.yaml @@ -4,12 +4,13 @@ on: pull_request: branches: [main] -permissions: - contents: write - pull-requests: write +permissions: {} jobs: dependabot-approve-and-merge: + permissions: + contents: write + pull-requests: write secrets: SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN: ${{ secrets.SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN }} uses: senzing-factory/build-resources/.github/workflows/dependabot-approve-and-merge.yaml@v3 diff --git a/.github/workflows/docker-build-container.yaml b/.github/workflows/docker-build-container.yaml index 40fc2cf..c7c9570 100644 --- a/.github/workflows/docker-build-container.yaml +++ b/.github/workflows/docker-build-container.yaml 
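Review bot: The `dependabot-approve-and-merge` job in dependabot-approve-and-merge.yaml has no `if:` guard, so every pull request to main from a branch in this repository calls the reusable workflow with `contents: write`, `pull-requests: write` and SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN. Any check that the author is Dependabot presumably lives inside build-resources at `@v3`, which is not visible here. A caller-side guard on the job, `if: github.event.pull_request.user.login == 'dependabot[bot]'`, keeps the write-scoped token and the secret from being handed over for other pull requests even if the called workflow changes.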
@@ -6,11 +6,12 @@ on: - main workflow_dispatch: -permissions: - contents: read +permissions: {} jobs: docker-build-container: + permissions: + contents: read runs-on: ubuntu-latest steps: diff --git a/.github/workflows/lint-workflows.yaml b/.github/workflows/lint-workflows.yaml index d2384c6..a119dda 100644 --- a/.github/workflows/lint-workflows.yaml +++ b/.github/workflows/lint-workflows.yaml @@ -6,12 +6,13 @@ on: pull_request: branches: [main] -permissions: - contents: read - packages: read - pull-requests: read - statuses: write +permissions: {} jobs: lint-workflows: + permissions: + contents: read + packages: read + pull-requests: read + statuses: write uses: senzing-factory/build-resources/.github/workflows/lint-workflows.yaml@v3 diff --git a/.github/workflows/move-pr-to-done-dependabot.yaml b/.github/workflows/move-pr-to-done-dependabot.yaml index fd498c4..205f333 100644 --- a/.github/workflows/move-pr-to-done-dependabot.yaml +++ b/.github/workflows/move-pr-to-done-dependabot.yaml @@ -5,11 +5,12 @@ on: branches: [main] types: [closed] -permissions: - repository-projects: write +permissions: {} jobs: move-pr-to-done-dependabot: + permissions: + repository-projects: write secrets: SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }} uses: senzing-factory/build-resources/.github/workflows/move-pr-to-done-dependabot.yaml@v3 diff --git a/.github/workflows/pylint.yaml b/.github/workflows/pylint.yaml index 3148d85..1174f4b 100644 --- a/.github/workflows/pylint.yaml +++ b/.github/workflows/pylint.yaml @@ -2,13 +2,14 @@ name: pylint on: [push] -permissions: - contents: read +permissions: {} jobs: pylint: outputs: status: ${{ job.status }} + permissions: + contents: read runs-on: ubuntu-latest strategy: matrix: @@ -16,6 +17,8 @@ jobs: steps: - uses: actions/checkout@v5 + with: + persist-credentials: false - name: set up Python ${{ matrix.python-version }} uses: actions/setup-python@v6 
diff --git a/.github/workflows/spellcheck.yaml b/.github/workflows/spellcheck.yaml index bdd3f9d..8e8f35b 100644 --- a/.github/workflows/spellcheck.yaml +++ b/.github/workflows/spellcheck.yaml @@ -4,15 +4,18 @@ on: pull_request: branches: [main] -permissions: - contents: read +permissions: {} jobs: spellcheck: + permissions: + contents: read runs-on: ubuntu-latest steps: - uses: actions/checkout@v5 + with: + persist-credentials: false - uses: streetsidesoftware/cspell-action@v7 with: From be5ee439472daf84ee8bc76865d2e3d214887ae0 Mon Sep 17 00:00:00 2001 From: Sam <109683132+kernelsam@users.noreply.github.com> Date: Wed, 1 Oct 2025 08:21:30 -0700 Subject: [PATCH 3/8] linting updates --- Dockerfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 105c65c..303d6c7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -21,7 +21,7 @@ USER root # Install packages via apt-get. RUN apt-get update \ - && apt-get -y install \ + && apt-get -y --no-install-recommends install \ git \ python3 \ python3-dev \ @@ -44,7 +44,7 @@ RUN python3 -m pip install --upgrade pip \ && python3 -m pip install --requirement requirements.txt \ && python3 -m pip install build - # ----------------------------------------------------------------------------- +# ----------------------------------------------------------------------------- # Stage: final # ----------------------------------------------------------------------------- @@ -67,7 +67,7 @@ USER root # Install packages via apt-get. RUN apt-get update \ - && apt-get -y install \ + && apt-get -y --no-install-recommends install \ gnupg2 \ python3 \ wget \ 
@@ -81,7 +81,7 @@ RUN mkdir -p /etc/apt/keyrings \ RUN echo "deb [signed-by=/etc/apt/keyrings/adoptium.asc] https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" >> /etc/apt/sources.list RUN apt-get update \ - && apt-get install -y temurin-11-jdk \ + && apt-get install -y --no-install-recommends temurin-11-jdk \ && rm -rf /var/lib/apt/lists/* # Copy files from repository. From 03551954a36a03b26435004840e4d54efe4c9839 Mon Sep 17 00:00:00 2001 From: Sam <109683132+kernelsam@users.noreply.github.com> Date: Wed, 1 Oct 2025 08:40:28 -0700 Subject: [PATCH 4/8] update java install --- .vscode/cspell.json | 3 ++- Dockerfile | 7 ++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.vscode/cspell.json b/.vscode/cspell.json index 2625b3b..c3121a1 100644 --- a/.vscode/cspell.json +++ b/.vscode/cspell.json @@ -12,6 +12,7 @@ "buildx", "CCLA", "CODEOWNER", + "dearmor", "Dockerfiles", "DOCKERHUB", "genkey", @@ -42,4 +43,4 @@ ".git/**", ".gitignore" ] -} \ No newline at end of file +} diff --git a/Dockerfile b/Dockerfile index 303d6c7..45e75bc 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -68,17 +68,18 @@ USER root RUN apt-get update \ && apt-get -y --no-install-recommends install \ + apt-transport-https \ gnupg2 \ + gpg \ python3 \ wget \ && rm -rf /var/lib/apt/lists/* # Install Java-11. -RUN mkdir -p /etc/apt/keyrings \ - && wget -O - https://packages.adoptium.net/artifactory/api/gpg/key/public > /etc/apt/keyrings/adoptium.asc +RUN wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor | tee /etc/apt/trusted.gpg.d/adoptium.gpg > /dev/null -RUN echo "deb [signed-by=/etc/apt/keyrings/adoptium.asc] https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" >> /etc/apt/sources.list +RUN echo "deb https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" | tee /etc/apt/sources.list.d/adoptium.list RUN apt-get update \ && apt-get install -y --no-install-recommends temurin-11-jdk \ From 1f93c97be467e1b9a74664483375d24205f0e6de Mon Sep 17 00:00:00 2001 From: Sam <109683132+kernelsam@users.noreply.github.com> Date: Wed, 1 Oct 2025 08:48:46 -0700 Subject: [PATCH 5/8] bump java version --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 7855160..1c70aeb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -82,7 +82,7 @@ RUN wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gp RUN echo "deb https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" | tee /etc/apt/sources.list.d/adoptium.list RUN apt-get update \ - && apt-get install -y --no-install-recommends temurin-11-jdk \ + && apt-get install -y --no-install-recommends temurin-25-jdk \ && rm -rf /var/lib/apt/lists/* # Copy files from repository. From 9320710abd7d238b0b28bce5326f78ec1c0ae89d Mon Sep 17 00:00:00 2001 
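Review bot: Writing the Adoptium key to `/etc/apt/trusted.gpg.d/adoptium.gpg` and dropping `[signed-by=...]` from the source line makes that key trusted for every repository configured in the image, not only packages.adoptium.net; the removed lines scoped it. Keep the dearmored key outside trusted.gpg.d and reference it explicitly: `gpg --dearmor -o /etc/apt/keyrings/adoptium.gpg` after `mkdir -p /etc/apt/keyrings`, and a source line starting `deb [signed-by=/etc/apt/keyrings/adoptium.gpg] https://packages.adoptium.net/artifactory/deb` with the codename substitution unchanged. Unless a SHELL instruction outside the hunk enables pipefail, the `wget | gpg | tee` pipeline reports only the exit status of `tee`, so a failed download does not fail this RUN step. The key is also accepted on first download; comparing its fingerprint with a value recorded in the repository would close that gap. The same key-import line remains as context in PATCH 5/8 through 7/8.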
From: Sam <109683132+kernelsam@users.noreply.github.com> Date: Wed, 1 Oct 2025 08:51:47 -0700 Subject: [PATCH 6/8] bump java version --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 1c70aeb..4e1f1d0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -82,7 +82,7 @@ RUN wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gp RUN echo "deb https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" | tee /etc/apt/sources.list.d/adoptium.list RUN apt-get update \ - && apt-get install -y --no-install-recommends temurin-25-jdk \ + && apt-get install -y --no-install-recommends temurin-21-jdk \ && rm -rf /var/lib/apt/lists/* # Copy files from repository. From dfc5c2d2394c3df1bad5a571a55d450f1226378f Mon Sep 17 00:00:00 2001 From: Sam <109683132+kernelsam@users.noreply.github.com> Date: Thu, 9 Oct 2025 12:03:15 -0700 Subject: [PATCH 7/8] fix java install --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 4e1f1d0..9919869 100644 --- a/Dockerfile +++ b/Dockerfile @@ -69,13 +69,14 @@ USER root RUN apt-get update \ && apt-get -y --no-install-recommends install \ apt-transport-https \ + ca-certificates \ gnupg2 \ gpg \ python3 \ wget \ && rm -rf /var/lib/apt/lists/* -# Install Java-11. +# Install Java 21. RUN wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor | tee /etc/apt/trusted.gpg.d/adoptium.gpg > /dev/null From a4012b1a0b83549c5db04e26647a9eae58cd5990 Mon Sep 17 00:00:00 2001 From: Sam <109683132+kernelsam@users.noreply.github.com> Date: Thu, 9 Oct 2025 12:08:12 -0700 Subject: [PATCH 8/8] update linting --- .vscode/cspell.json | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/.vscode/cspell.json b/.vscode/cspell.json index c3121a1..5ebf4bf 100644 --- a/.vscode/cspell.json +++ b/.vscode/cspell.json 
@@ -1,9 +1,6 @@ { - // Version of the setting file. Always 0.2 "version": "0.2", - // language - current active spelling language "language": "en", - // words - list of words to be always considered correct "words": [ "adoptium", "alnum", @@ -39,8 +36,5 @@ "truststore", "venv" ], - "ignorePaths": [ - ".git/**", - ".gitignore" - ] + "ignorePaths": [".git/**", ".gitignore"] }