Merge branch 'master' into introduce_ruff

Author: MaxymVlasov

.github/workflows/build-image-test.yaml

@@ -38,14 +38,14 @@ jobs:
 
     - name: Get changed Docker related files
       id: changed-files-specific
-      uses: tj-actions/changed-files@dcc7a0cba800f454d79fff4b993e8c3555bcc0a8  # v45.0.7
+      uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32  # v46.0.1
       with:
         files: |
-          Dockerfile
           .dockerignore
-          tools/entrypoint.sh
           .github/workflows/build-image-test.yaml
-          tools/*.sh
+          Dockerfile
+          tools/entrypoint.sh
+          tools/install/*.sh
 
     - name: Set IMAGE environment variable
       if: steps.changed-files-specific.outputs.any_changed == 'true'
@@ -56,12 +56,12 @@ jobs:
         >> $GITHUB_ENV
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca  # v3.9.0
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2  # v3.10.0
       if: steps.changed-files-specific.outputs.any_changed == 'true'
 
     - name: Build if Dockerfile changed
       if: steps.changed-files-specific.outputs.any_changed == 'true'
-      uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991  # v6.13.0
+      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4  # v6.15.0
       with:
         context: .
         build-args: |
@@ -100,7 +100,7 @@ jobs:
 
     - name: Dive - check image for waste files
       if: steps.changed-files-specific.outputs.any_changed == 'true'
-      uses: MaxymVlasov/dive-action@94506fd846be3ec26406118c3878ccd2ad2b0150  # v1.3.0
+      uses: MaxymVlasov/dive-action@43dafd0015826beaca5110157c9262c5dc10672a  # v1.4.0
       with:
         image: ${{ env.IMAGE }}
         config-file: ${{ github.workspace }}/.github/.dive-ci.yaml
@@ -112,7 +112,7 @@ jobs:
       if: >-
         steps.changed-files-specific.outputs.any_changed == 'true'
         && matrix.os == 'ubuntu-latest'
-      uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991  # v6.13.0
+      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4  # v6.15.0
       with:
         context: .
         build-args: |

.github/workflows/build-image.yaml

@@ -22,9 +22,9 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca  # v3.9.0
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2  # v3.10.0
     - name: Login to GitHub Container Registry
-      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567  # v3.3.0
+      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772  # v3.4.0
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
@@ -43,11 +43,11 @@ jobs:
       run: >-
         echo "IMAGE_REPO=ghcr.io/${GITHUB_REPOSITORY@L}" >> $GITHUB_ENV
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca  # v3.9.0
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2  # v3.10.0
 
     - name: Build and Push release
       if: github.event_name != 'schedule'
-      uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991  # v6.13.0
+      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4  # v6.15.0
       with:
         context: .
         build-args: |
@@ -64,7 +64,7 @@ jobs:
 
     - name: Build and Push nightly
       if: github.event_name == 'schedule'
-      uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991  # v6.13.0
+      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4  # v6.15.0
       with:
         context: .
         build-args: |

.github/workflows/ci-cd.yml

@@ -161,7 +161,7 @@ jobs:
         echo "dir=$(python -m pip cache dir)" >> "${GITHUB_OUTPUT}"
       shell: bash
     - name: Set up pip cache
-      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57  # v4.2.0
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf  # v4.2.2
       with:
         path: ${{ steps.pip-cache-dir.outputs.dir }}
         key: >-
@@ -307,7 +307,7 @@ jobs:
       run: >-
         echo "dir=$(python -m pip cache dir)" >> "${GITHUB_OUTPUT}"
     - name: Set up pip cache
-      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57  # v4.2.0
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf  # v4.2.2
       with:
         path: ${{ steps.pip-cache-dir.outputs.dir }}
         key: >-
@@ -372,7 +372,7 @@ jobs:
         >> "${GITHUB_OUTPUT}"
       working-directory: dist
     - name: Store the distribution packages
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08  # v4.6.0
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1  # v4.6.1
       with:
         name: >-
           ${{ needs.pre-setup.outputs.dists-artifact-name }}

.github/workflows/codeql.yml

@@ -46,7 +46,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0  # v3.28.9
+      uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5  # v3.28.11
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in
@@ -58,7 +58,7 @@ jobs:
     # If this step fails, then you should remove it and run the build
     # manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0  # v3.28.9
+      uses: github/codeql-action/autobuild@6bb031afdd8eb862ea3fc1848194185e076637e5  # v3.28.11
 
     # ℹ️ Command-line programs to run using the OS shell.
     # yamllint disable-line rule:line-length
@@ -73,6 +73,6 @@ jobs:
     #   ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0  # v3.28.9
+      uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5  # v3.28.11
       with:
         category: /language:${{matrix.language}}

.github/workflows/pre-commit.yaml

@@ -55,7 +55,7 @@ jobs:
     # Skip terraform_tflint which interferes to commit pre-commit auto-fixes
     - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38  # v5.4.0
       with:
-        python-version: '3.9'
+        python-version: '3.13'
     - name: Execute pre-commit
       uses: pre-commit/action@9b88afc9cd57fd75b655d5c71bd38146d07135fe  # v2.0.3
       env:

.github/workflows/release.yml

@@ -36,7 +36,7 @@ jobs:
         fetch-depth: 0
 
     - name: Release
-      uses: cycjimmy/semantic-release-action@b1b432f13acb7768e0c8efdec416d363a57546f2  # v4.1.1
+      uses: cycjimmy/semantic-release-action@0a51e81a6baff2acad3ee88f4121c589c73d0f0e  # v4.2.0
       with:
         semantic_version: 18.0.0
         extra_plugins: |

.github/workflows/reusable-tox.yml

@@ -181,7 +181,7 @@ jobs:
 
     - name: Cache pre-commit.com virtualenvs
       if: inputs.toxenv == 'pre-commit'
-      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57  # v4.2.0
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf  # v4.2.2
       with:
         path: ~/.cache/pre-commit
         key: >-
@@ -239,7 +239,7 @@ jobs:
       shell: bash
     - name: Set up pip cache
       if: fromJSON(steps.py-abi.outputs.is-stable-abi)
-      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57  # v4.2.0
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf  # v4.2.2
       with:
         path: ${{ steps.pip-cache-dir.outputs.dir }}
         key: >-
@@ -266,7 +266,7 @@ jobs:
     - name: Download all the dists
       if: >-
         contains(fromJSON('["metadata-validation", "pytest"]'), inputs.toxenv)
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16  # v4.1.8
+      uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765  # v4.2.0
       with:
         name: ${{ inputs.dists-artifact-name }}
         path: dist/
@@ -375,7 +375,7 @@ jobs:
       if: >-
         !cancelled()
         && steps.tox-run.outputs.cov-report-files != ''
-      uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3  # v5.3.1
+      uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574  # v5.4.0
       with:
         disable_search: true
         fail_ci_if_error: >-
@@ -399,7 +399,10 @@ jobs:
       if: >-
         !cancelled()
         && steps.tox-run.outputs.test-result-files != ''
-      uses: codecov/test-results-action@44ecb3a270cd942bdf0fa8f2ce14cb32493e810a  # v1.0.3
+      uses: codecov/test-results-action@f2dba722c67b86c6caa034178c6e4d35335f6706  # v1.1.0
+      # FIXME There is a bug in action which provokes it to fail during upload
+      # Related issue: https://github.com/codecov/codecov-action/issues/1794
+      continue-on-error: true
       with:
         disable_search: true
         fail_ci_if_error: >-

.github/workflows/scorecards.yml

@@ -42,7 +42,7 @@ jobs:
         persist-credentials: false
 
     - name: Run analysis
-      uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46  # v2.4.0
+      uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186  # v2.4.1
       with:
         results_file: results.sarif
         results_format: sarif
@@ -66,14 +66,14 @@ jobs:
     # Upload the results as artifacts (optional). Commenting out will disable
     # uploads of run results in SARIF format to the repository Actions tab.
     - name: Upload artifact
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08  # v4.6.0
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1  # v4.6.1
       with:
         name: SARIF file
         path: results.sarif
         retention-days: 5
 
     # Upload the results to GitHub's code scanning dashboard.
     - name: Upload to code-scanning
-      uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0  # v3.28.9
+      uses: github/codeql-action/upload-sarif@6bb031afdd8eb862ea3fc1848194185e076637e5  # v3.28.11
       with:
         sarif_file: results.sarif

.pre-commit-config.yaml

@@ -43,28 +43,17 @@ repos:
 
   # Detect hardcoded secrets
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.23.3
+  rev: v8.24.0
   hooks:
   - id: gitleaks
 
-# Dockerfile linter
+# Dockerfile
 - repo: https://github.com/hadolint/hadolint
   rev: v2.12.1-beta
   hooks:
   - id: hadolint
-    args:
-    - --ignore=DL3007  # Using latest
-    - --ignore=DL3013  # Pin versions in pip
-    - --ignore=DL3027  # Do not use apt
-    - --ignore=DL3059  # Docker `RUN`s shouldn't be consolidated here
-    - --ignore=DL4006  # Not related to alpine
-    - --ignore=SC1091  # Useless check
-    - --ignore=SC2015  # Useless check
-    - --ignore=SC3037  # Not related to alpine
 
-#
-# YAML Linters
-#
+# YAML
 - repo: https://github.com/jumanjihouse/pre-commit-hook-yamlfmt
   rev: 0.2.3
   hooks:
@@ -77,7 +66,7 @@ repos:
     - --implicit_start
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.35.1
+  rev: v1.36.2
   hooks:
   - id: yamllint
     types:
@@ -86,16 +75,15 @@ repos:
     args:
     - --strict
 
-# JSON5 Linter
+# JSON5
 - repo: https://github.com/pre-commit/mirrors-prettier
   rev: v3.1.0
   hooks:
   - id: prettier
     # https://prettier.io/docs/en/options.html#parser
     files: .json5$
 
-
-# Bash Linter
+# Bash
 - repo: https://github.com/jumanjihouse/pre-commit-hooks
   rev: 3.0.0
   hooks:
@@ -109,9 +97,7 @@ repos:
     - -w
   - id: shellcheck
 
-#
-# Python Linters
-#
+# Python
 - repo: https://github.com/astral-sh/ruff-pre-commit
   rev: v0.8.4
   hooks:

Dockerfile

@@ -65,6 +65,8 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \
         echo "TRIVY_VERSION=latest"          >> /.env \
     ; fi
 
+# Docker `RUN`s shouldn't be consolidated here
+# hadolint global ignore=DL3059
 RUN /install/opentofu.sh
 RUN /install/terraform.sh
 
@@ -81,11 +83,15 @@ RUN /install/trivy.sh
 
 
 # Checking binaries versions and write it to debug file
+
+# SC2086 - We do not need to quote "$F" variable, because it's not contain spaces
+# DL4006 - Not Applicable for /bin/sh in alpine images. Disable, as recommended by check itself
+# hadolint ignore=SC2086,DL4006
 RUN . /.env && \
     F=tools_versions_info && \
     pre-commit --version >> $F && \
-    (if [ "$OPENTOFU_VERSION"       != "false" ]; then echo "./tofu --version | head -n 1" >> $F;      else echo "opentofu SKIPPED" >> $F      ; fi) && \
-    (if [ "$TERRAFORM_VERSION"      != "false" ]; then echo "./terraform --version | head -n 1" >> $F; else echo "terraform SKIPPED" >> $F     ; fi) && \
+    (if [ "$OPENTOFU_VERSION"       != "false" ]; then ./tofu --version | head -n 1 >> $F;            else echo "opentofu SKIPPED" >> $F       ; fi) && \
+    (if [ "$TERRAFORM_VERSION"      != "false" ]; then ./terraform --version | head -n 1 >> $F;       else echo "terraform SKIPPED" >> $F      ; fi) && \
     \
     (if [ "$CHECKOV_VERSION"        != "false" ]; then echo "checkov $(checkov --version)" >> $F;     else echo "checkov SKIPPED" >> $F        ; fi) && \
     (if [ "$HCLEDIT_VERSION"        != "false" ]; then echo "hcledit $(./hcledit version)" >> $F;     else echo "hcledit SKIPPED" >> $F        ; fi) && \
@@ -97,7 +103,7 @@ RUN . /.env && \
     (if [ "$TFSEC_VERSION"          != "false" ]; then echo "tfsec $(./tfsec --version)" >> $F;       else echo "tfsec SKIPPED" >> $F          ; fi) && \
     (if [ "$TFUPDATE_VERSION"       != "false" ]; then echo "tfupdate $(./tfupdate --version)" >> $F; else echo "tfupdate SKIPPED" >> $F       ; fi) && \
     (if [ "$TRIVY_VERSION"          != "false" ]; then echo "trivy $(./trivy --version)" >> $F;       else echo "trivy SKIPPED" >> $F          ; fi) && \
-    echo -e "\n\n" && cat $F && echo -e "\n\n"
+    printf "\n\n\n" && cat $F && printf "\n\n\n"