Merge branch 'master' into MaxymVlasov-patch-1

Author: MaxymVlasov

.codecov.yml

@@ -1,13 +1,11 @@
----
-
 codecov:
   notify:
     after_n_builds: 21  # Number of test matrix+lint jobs uploading coverage
     wait_for_ci: false
 
   require_ci_to_pass: false
-
-  token: >-  # notsecret  # repo-scoped, upload-only, stability in fork PRs
+  # notsecret  # repo-scoped, upload-only, stability in fork PRs
+  token: >-
     7316089b-55fe-4646-b640-78d84b79d109
 
 comment:
@@ -50,5 +48,3 @@ github_checks:
   # Annotations are deprecated in Codecov because they are misleading.
   # Ref: https://github.com/codecov/codecov-action/issues/1710
   annotations: false
-
-...

.coderabbit.yaml

@@ -0,0 +1,19 @@
+# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
+reviews:
+  # Collapse main AI comment by default, as it takes too much space when
+  # expanded. It also is needless for subsequent rounds of PR review, mostly
+  # only for the first one
+  collapse_walkthrough: true
+  # Move AI-generated summary from PR description to main AI comment. It
+  # hallucinates sometimes, especially with PRs that change code linting rules
+  high_level_summary_in_walkthrough: true
+  # Disable false-positive cross links to issues
+  related_issues: false
+  # Disable false-positive cross links to PRs
+  related_prs: false
+  # Disable useless Poem generation
+  poem: false
+
+  auto_review:
+    # Enable AI review for Draft PRs
+    drafts: true

.github/.container-structure-test-config.yaml

@@ -1,5 +1,3 @@
----
-
 schemaVersion: 2.0.0
 
 commandTests:
@@ -137,7 +135,6 @@ commandTests:
 
 fileExistenceTests:
 - name: terrascan init
-  # yamllint disable-line rule:line-length
   path: >-
     /root/.terrascan/pkg/policies/opa/rego/github/github_repository/privateRepoEnabled.rego
   shouldExist: true

.github/.dive-ci.yaml

@@ -1,5 +1,3 @@
----
-
 rules:
   # If the efficiency is measured below X%, mark as failed.
   # Expressed as a ratio between 0-1.

.github/CODEOWNERS

@@ -1 +1 @@
-* @maxymvlasov @yermulnik
+* @maxymvlasov @yermulnik @antonbabenko

.github/CONTRIBUTING.md

@@ -13,6 +13,7 @@
   * [Add code](#add-code)
   * [Finish with the documentation](#finish-with-the-documentation)
 * [Contributing to Python code](#contributing-to-python-code)
+* [Run tests in your fork](#run-tests-in-your-fork)
 
 ## Run and debug hooks locally
 
@@ -182,3 +183,11 @@ You can use [this PR](https://github.com/antonbabenko/pre-commit-terraform/pull/
     ```bash
     tox list
     ```
+
+## Run tests in your fork
+
+Go to your fork's `Actions` tab and click the big green button.
+
+![Enable workflows](/assets/contributing/enable_actions_in_fork.png)
+
+Now you can verify that the tests pass before submitting your PR.

.github/FUNDING.yml

@@ -1,4 +1,2 @@
----
-
 github: [antonbabenko]
 custom: https://www.paypal.me/antonbabenko

.github/SECURITY.md

@@ -0,0 +1,22 @@
+# Reporting a Vulnerability
+
+If you believe you have discovered a potential security vulnerability in this project, please report it securely. **Do not create a public GitHub issue for any security concerns.**
+
+## How to Report
+
+Send an email with a detailed description of the vulnerability, including any evidence of the disclosure, the impact, and any timelines related to the issue to: [[email protected]](mailto:[email protected])
+
+## Vulnerability Disclosure Process
+
+- **Confidential Disclosure:** All vulnerability reports will be kept confidential until a fix is developed and verified.
+- **Assessment and Response:** We aim to acknowledge any valid report within 15 business days.
+- **Timelines:** After verification, we plan to have a coordinated disclosure within 60 days, though this may vary depending on the complexity of the fix.
+- **Communication:** We will work directly with the vulnerability reporter to clarify details, answer questions, and discuss potential mitigations.
+- **Updates:** We may provide periodic updates on the progress of the remediation of the reported vulnerability.
+
+## Guidelines
+
+- **Vulnerability Definition:** A vulnerability is any flaw or weakness in this project that can be exploited to compromise system security.
+- **Disclosure Expectations:** When you report a vulnerability, please include as much detail as possible to allow us to assess its validity and scope without exposing sensitive information publicly.
+
+By following this process, you help us improve the security of our project while protecting users and maintainers. We appreciate your efforts to responsibly disclose vulnerabilities.

.github/renovate.json5

@@ -1,6 +1,16 @@
 {
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
-  extends: ["local>SpotOnInc/renovate-config"],
+  extends: [
+    "local>SpotOnInc/renovate-config",
+    // Automerge patch and minor upgrades if they pass tests. | https://docs.renovatebot.com/presets-default/#automergeminor
+    ":automergeMinor",
+    // Require all status checks to pass before any automerging. | https://docs.renovatebot.com/presets-default/#automergerequireallstatuschecks
+    ":automergeRequireAllStatusChecks",
+    // Automerge digest upgrades if they pass tests. | https://docs.renovatebot.com/presets-default/#automergedigest
+    ":automergeDigest",
+    // Raise a PR first before any automerging. | https://docs.renovatebot.com/presets-default/#automergepr
+    ":automergePr",
+  ],
   // To make happy 'Validate PR title' GHA
   commitMessageLowerCase: "never",
   // Disable auto-rebase on every commit to avoid reaching Github limits on macos runners

.github/workflows/build-image-test.yaml

@@ -1,5 +1,3 @@
----
-
 name: Build Dockerfile if changed and run smoke tests
 
 on:
@@ -40,15 +38,14 @@ jobs:
 
     - name: Get changed Docker related files
       id: changed-files-specific
-      # yamllint disable-line rule:line-length
-      uses: tj-actions/changed-files@d6e91a2266cdb9d62096cebf1e8546899c6aa18f  # v45.0.6
+      uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32  # v46.0.1
       with:
         files: |
-          Dockerfile
           .dockerignore
-          tools/entrypoint.sh
           .github/workflows/build-image-test.yaml
-          tools/*.sh
+          Dockerfile
+          tools/entrypoint.sh
+          tools/install/*.sh
 
     - name: Set IMAGE environment variable
       if: steps.changed-files-specific.outputs.any_changed == 'true'
@@ -59,14 +56,12 @@ jobs:
         >> $GITHUB_ENV
 
     - name: Set up Docker Buildx
-      # yamllint disable-line rule:line-length
-      uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5  # v3.8.0
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2  # v3.10.0
       if: steps.changed-files-specific.outputs.any_changed == 'true'
 
     - name: Build if Dockerfile changed
       if: steps.changed-files-specific.outputs.any_changed == 'true'
-      # yamllint disable-line rule:line-length
-      uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d  # v6.12.0
+      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4  # v6.15.0
       with:
         context: .
         build-args: |
@@ -105,8 +100,7 @@ jobs:
 
     - name: Dive - check image for waste files
       if: steps.changed-files-specific.outputs.any_changed == 'true'
-      # yamllint disable-line rule:line-length
-      uses: MaxymVlasov/dive-action@b6a02b38f0f309e8817199658eab090d4f0f93ce  # v1.1.0
+      uses: MaxymVlasov/dive-action@43dafd0015826beaca5110157c9262c5dc10672a  # v1.4.0
       with:
         image: ${{ env.IMAGE }}
         config-file: ${{ github.workspace }}/.github/.dive-ci.yaml
@@ -118,8 +112,7 @@ jobs:
       if: >-
         steps.changed-files-specific.outputs.any_changed == 'true'
         && matrix.os == 'ubuntu-latest'
-      # yamllint disable-line rule:line-length
-      uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d  # v6.12.0
+      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4  # v6.15.0
       with:
         context: .
         build-args: |