Merge branch 'dev' into master-into-dev/2.51.2-2.52.0-dev

Author: Maffooch

.github/pull_request_template.md

@@ -26,7 +26,7 @@ This checklist is for your information.
 - [ ] Bugfixes should be submitted against the `bugfix` branch.
 - [ ] Give a meaningful name to your PR, as it may end up being used in the release notes.
 - [ ] Your code is flake8 compliant.
-- [ ] Your code is python 3.12 compliant.
+- [ ] Your code is python 3.13 compliant.
 - [ ] If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
 - [ ] Model changes must include the necessary migrations in the dojo/db_migrations folder.
 - [ ] Add applicable tests to the unit tests.

.github/workflows/close-stale.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Close issues and PRs that are pending closure
-        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+        uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
         with:
           # Disable automatic stale marking - only close manually labeled items
           days-before-stale: -1

.github/workflows/gh-pages.yml

@@ -19,7 +19,7 @@ jobs:
           extended: true
 
       - name: Setup Node
-        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version: '22.20.0' # TODO: Renovate helper might not be needed here - needs to be fully tested
 

.github/workflows/k8s-tests.yml

@@ -5,15 +5,6 @@ on:
 
 env:
   DD_HOSTNAME: defectdojo.default.minikube.local
-  HELM_REDIS_BROKER_SETTINGS: " \
-    --set redis.enabled=true \
-    --set celery.broker=redis \
-    --set createRedisSecret=true \
-    "
-  HELM_PG_DATABASE_SETTINGS: " \
-    --set postgresql.enabled=true \
-    --set createPostgresqlSecret=true \
-   "
 jobs:
   setting_minikube_cluster:
     name: Kubernetes Deployment
@@ -23,11 +14,11 @@ jobs:
       matrix:
         include:
           # databases, broker and k8s are independent, so we don't need to test each combination
-          # lastest k8s version (https://kubernetes.io/releases/) and oldest supported version from aws
-          # are tested (https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#available-versions)
-          - databases: pgsql
-            brokers: redis
-            k8s: 'v1.34.0' # renovate: datasource=github-releases depName=kubernetes/kubernetes versioning=loose
+          # lastest k8s version (https://kubernetes.io/releases/) and the oldest officially supported version
+          # are tested (https://kubernetes.io/releases/)
+          - k8s: 'v1.34.1' # renovate: datasource=github-releases depName=kubernetes/kubernetes versioning=loose
+            os: debian
+          - k8s: 'v1.31.13' # Do not track with renovate as we likely want to rev this manually
             os: debian
     steps:
       - name: Checkout
@@ -68,12 +59,6 @@ jobs:
              helm dependency list ./helm/defectdojo
              helm dependency update ./helm/defectdojo
 
-      - name: Set confings into Outputs
-        id: set
-        run: |-
-              echo "pgsql=${{ env.HELM_PG_DATABASE_SETTINGS }}" >> $GITHUB_ENV
-              echo "redis=${{ env.HELM_REDIS_BROKER_SETTINGS }}" >> $GITHUB_ENV
-
       - name: Deploying Django application with ${{ matrix.databases }} ${{ matrix.brokers }}
         timeout-minutes: 15
         run: |-
@@ -84,10 +69,14 @@ jobs:
                defectdojo \
                ./helm/defectdojo \
                --set django.ingress.enabled=true \
+               --set images.django.image.tag=latest \
+               --set images.nginx.image.tag=latest \
                --set imagePullPolicy=Never \
                --set initializer.keepSeconds="-1" \
-               ${{ env[matrix.databases] }} \
-               ${{ env[matrix.brokers] }} \
+               --set redis.enabled=true \
+               --set createRedisSecret=true \
+               --set postgresql.enabled=true \
+               --set createPostgresqlSecret=true \
                --set createSecret=true
 
       - name: Check deployment status

.github/workflows/release-1-create-pr.yml

@@ -98,7 +98,7 @@ jobs:
           chart-search-root: "helm/defectdojo"
 
       - name: Push version changes
-        uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
+        uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
         with:
           commit_user_name: "${{ env.GIT_USERNAME }}"
           commit_user_email: "${{ env.GIT_EMAIL }}"

.github/workflows/release-3-master-into-dev.yml

@@ -86,7 +86,7 @@ jobs:
           chart-search-root: "helm/defectdojo"
 
       - name: Push version changes
-        uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
+        uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
         with:
           commit_user_name: "${{ env.GIT_USERNAME }}"
           commit_user_email: "${{ env.GIT_EMAIL }}"
@@ -162,7 +162,7 @@ jobs:
           chart-search-root: "helm/defectdojo"
 
       - name: Push version changes
-        uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
+        uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
         with:
           commit_user_name: "${{ env.GIT_USERNAME }}"
           commit_user_email: "${{ env.GIT_EMAIL }}"

.github/workflows/release-x-manual-helm-chart.yml

@@ -69,16 +69,6 @@ jobs:
              helm dependency list ./helm/defectdojo
              helm dependency update ./helm/defectdojo
 
-      - name: Add yq
-        uses: mikefarah/yq@6251e95af8df3505def48c71f3119836701495d6 # v4.47.2
-
-      - name: Pin version docker version
-        id: pin_image
-        run: |-
-          yq --version
-          yq -i '.tag="${{ inputs.release_number }}"'  helm/defectdojo/values.yaml
-          echo "Current image tag:`yq -r '.tag' helm/defectdojo/values.yaml`"
-
       - name: Package Helm chart
         id: package-helm-chart
         run: |
@@ -87,7 +77,7 @@ jobs:
           echo "chart_version=$(ls build | cut -d '-' -f 2,3 | sed 's|\.tgz||')" >> $GITHUB_ENV
 
       - name: Create release ${{ inputs.release_number }}
-        uses: softprops/action-gh-release@62c96d0c4e8a889135c1f3a25910db8dbe0e85f7 # v2.3.4
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
         with:
           name: '${{ inputs.release_number }} 🌈'
           tag_name: ${{ inputs.release_number }}

.github/workflows/test-helm-chart.yml

@@ -24,7 +24,7 @@ jobs:
 
       - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
-          python-version: 3.13  # Renovate helper is not needed here
+          python-version: 3.14 # Renovate helper is not needed here
 
       - name: Configure Helm repos
         run: |-
@@ -34,8 +34,8 @@ jobs:
       - name: Set up chart-testing
         uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
         with:
-          yamale_version: 4.0.4 # renovate: datasource=pypi depName=yamale versioning=semver
-          yamllint_version: 1.35.1 # renovate: datasource=pypi depName=yamllint versioning=semver
+          yamale_version: 6.0.0 # renovate: datasource=pypi depName=yamale versioning=semver
+          yamllint_version: 1.37.1 # renovate: datasource=pypi depName=yamllint versioning=semver
 
       - name: Determine target branch
         id: ct-branch-target
@@ -68,15 +68,23 @@ jobs:
       - name: Check update of "artifacthub.io/changes" HELM annotation
         if: env.changed == 'true'
         run: |
+          # fast fail if `git show` fails
+          set -e
+          set -o pipefail
+
           target_branch=${{ env.ct-branch }}
 
           echo "Checking Chart.yaml annotation changes"
 
           # Get current branch annotation
           current_annotation=$(yq e '.annotations."artifacthub.io/changes"' "helm/defectdojo/Chart.yaml")
+          echo "Current annotation: "
+          echo $current_annotation
 
           # Get target branch version of Chart.yaml annotation
-          target_annotation=$(git show "${{ env.ct-branch }}:helm/defectdojo/Chart.yaml" | yq e '.annotations."artifacthub.io/changes"' -)
+          target_annotation=$(git show "origin/${{ env.ct-branch }}:helm/defectdojo/Chart.yaml" | yq e '.annotations."artifacthub.io/changes"' -)
+          echo "Target annotation: "
+          echo $target_annotation
 
           if [[ "$current_annotation" == "$target_annotation" ]]; then
             echo "::error file=helm/defectdojo/Chart.yaml::The 'artifacthub.io/changes' annotation has not been updated compared to ${{ env.ct-branch }}. For more, check the hint in 'helm/defectdojo/Chart.yaml'"
@@ -121,7 +129,7 @@ jobs:
       # If this step fails, install https://github.com/losisin/helm-values-schema-json and run locally `helm schema --use-helm-docs` in `helm/defectdojo` before committing your changes.
       # The helm schema will be generated for you.
       - name: Generate values schema json
-        uses: losisin/helm-values-schema-json-action@d5847286fa04322702c4f8d45031974798c83ac7 # v2.3.0
+        uses: losisin/helm-values-schema-json-action@660c441a4a507436a294fc55227e1df54aca5407 # v2.3.1
         with:
           fail-on-diff: true
           working-directory: "helm/defectdojo"

.github/workflows/validate_docs_build.yml

@@ -16,7 +16,7 @@ jobs:
           extended: true
 
       - name: Setup Node
-        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version: '22.20.0' # TODO: Renovate helper might not be needed here - needs to be fully tested
 

Dockerfile.django-alpine

@@ -5,7 +5,7 @@
 # Dockerfile.nginx to use the caching mechanism of Docker.
 
 # Ref: https://devguide.python.org/#branchstatus
-FROM python:3.12.11-alpine3.22@sha256:02a73ead8397e904cea6d17e18516f1df3590e05dc8823bd5b1c7f849227d272 AS base
+FROM python:3.13.7-alpine3.22@sha256:9ba6d8cbebf0fb6546ae71f2a1c14f6ffd2fdab83af7fa5669734ef30ad48844 AS base
 FROM base AS build
 WORKDIR /app
 RUN \