Merge branch 'master' into MaxymVlasov-patch-2

Author: MaxymVlasov

.codecov.yml

@@ -4,8 +4,8 @@ codecov:
     wait_for_ci: false
 
   require_ci_to_pass: false
-
-  token: >-  # notsecret  # repo-scoped, upload-only, stability in fork PRs
+  # notsecret  # repo-scoped, upload-only, stability in fork PRs
+  token: >-
     7316089b-55fe-4646-b640-78d84b79d109
 
 comment:

.git-blame-ignore-revs

@@ -0,0 +1,70 @@
+# `git blame` master ignore list.
+#
+# This file contains a list of git hashes of revisions to be ignored
+# by `git blame`. These revisions are considered "unimportant" in
+# that they are unlikely to be what you are interested in when blaming.
+# They are typically expected to be formatting-only changes.
+#
+# It can be used for `git blame` using `--ignore-revs-file` or by
+# setting `blame.ignoreRevsFile` in the `git config`[1].
+#
+# Ignore these commits when reporting with blame. Calling
+#
+#   git blame --ignore-revs-file .git-blame-ignore-revs
+#
+# will tell `git blame` to ignore changes made by these revisions when
+# assigning blame, as if the change never happened.
+#
+# You can enable this as a default for your local repository by
+# running
+#
+#   git config blame.ignoreRevsFile .git-blame-ignore-revs
+#
+# This will probably be automatically picked by your IDE
+# (VSCode+GitLens and JetBrains products are confirmed to do this).
+#
+# Important: if you are switching to a branch without this file,
+# `git blame` will fail with an error.
+#
+# GitHub also excludes the commits listed below from its "Blame"
+# views[2][3].
+#
+# [1]: https://git-scm.com/docs/git-blame#Documentation/git-blame.txt-blameignoreRevsFile
+# [2]: https://github.blog/changelog/2022-03-24-ignore-commits-in-the-blame-view-beta/
+# [3]: https://docs.github.com/en/repositories/working-with-files/using-files/viewing-a-file#ignore-commits-in-the-blame-view
+#
+# Guidelines:
+# - Only large (generally automated) reformatting or renaming PRs
+#   should be added to this list. Do not put things here just because
+#   you feel they are trivial or unimportant. If in doubt, do not put
+#   it on this list.
+# - When adding a single revision, use inline comment to link relevant
+#   issue/PR. Alternatively, paste the commit title instead.
+#   Example:
+#     d4a8b7307acc2dc8a8833ccfa65426ad28b3ffc9  # https://github.com/sanitizers/octomachinery/issues/1
+# - When adding multiple revisions (like a bulk of work over many
+#   commits), organize them in blocks. Precede each such block with a
+#   comment starting with the word "START", followed by a link to the
+#   relevant issue or PR. Add a similar comment after the last block
+#   line but use the word "END", followed by the same link.
+#   Alternatively, add or augment the link with a text motivation and
+#   description of work performed in each commit.
+#   After each individual commit in the block, add an inline comment
+#   with the commit title line.
+#   Example:
+#     # START https://github.com/sanitizers/octomachinery/issues/1
+#     6f0bd2d8a1e6cd2e794cd39976e9756e0c85ac66  # Bulk-replace smile emojis with unicorns
+#     d53974df11dbc22cbea9dc7dcbc9896c25979a27  # Replace double with single quotes
+#     ... <rest of the list>
+#     # END https://github.com/sanitizers/octomachinery/issues/1
+# - Only put full 40-character hashes on this list (not short hashes
+#   or any other revision reference).
+# - Append to the bottom of the file, regardless of the chronological
+#   order of the revisions. Revisions within blocks should be in
+#   chronological order from oldest to newest.
+# - Because you must use a hash, you need to append to this list in a
+#   follow-up PR to the actual reformatting PR that you are trying to
+#   ignore. This approach helps avoid issues with arbitrary rebases
+#   and squashes while the pull request is in progress.
+
+23928fbf8511697c915c3231977ee254bd3fa0c2  # chore(linters): Apply ruff-format

.github/CODEOWNERS

@@ -1 +1 @@
-* @maxymvlasov @yermulnik
+* @maxymvlasov @yermulnik @antonbabenko

.github/CONTRIBUTING.md

@@ -1,5 +1,6 @@
 # Notes for contributors
 
+* [Configure `git blame` to ignore formatting commits](#configure-git-blame-to-ignore-formatting-commits)
 * [Run and debug hooks locally](#run-and-debug-hooks-locally)
 * [Run hook performance test](#run-hook-performance-test)
   * [Run via BASH](#run-via-bash)
@@ -13,6 +14,11 @@
   * [Add code](#add-code)
   * [Finish with the documentation](#finish-with-the-documentation)
 * [Contributing to Python code](#contributing-to-python-code)
+* [Run tests in your fork](#run-tests-in-your-fork)
+
+## Configure `git blame` to ignore formatting commits
+
+This project uses `.git-blame-ignore-revs` to exclude formatting-related commits from `git blame` history. To configure your local `git blame` to ignore these commits, refer to the [.git-blame-ignore-revs](/.git-blame-ignore-revs) file for details.
 
 ## Run and debug hooks locally
 
@@ -182,3 +188,11 @@ You can use [this PR](https://github.com/antonbabenko/pre-commit-terraform/pull/
     ```bash
     tox list
     ```
+
+## Run tests in your fork
+
+Go to your fork's `Actions` tab and click the big green button.
+
+![Enable workflows](/assets/contributing/enable_actions_in_fork.png)
+
+Now you can verify that the tests pass before submitting your PR.

.github/SECURITY.md

@@ -0,0 +1,22 @@
+# Reporting a Vulnerability
+
+If you believe you have discovered a potential security vulnerability in this project, please report it securely. **Do not create a public GitHub issue for any security concerns.**
+
+## How to Report
+
+Send an email with a detailed description of the vulnerability, including any evidence of the disclosure, the impact, and any timelines related to the issue to: [[email protected]](mailto:[email protected])
+
+## Vulnerability Disclosure Process
+
+- **Confidential Disclosure:** All vulnerability reports will be kept confidential until a fix is developed and verified.
+- **Assessment and Response:** We aim to acknowledge any valid report within 15 business days.
+- **Timelines:** After verification, we plan to have a coordinated disclosure within 60 days, though this may vary depending on the complexity of the fix.
+- **Communication:** We will work directly with the vulnerability reporter to clarify details, answer questions, and discuss potential mitigations.
+- **Updates:** We may provide periodic updates on the progress of the remediation of the reported vulnerability.
+
+## Guidelines
+
+- **Vulnerability Definition:** A vulnerability is any flaw or weakness in this project that can be exploited to compromise system security.
+- **Disclosure Expectations:** When you report a vulnerability, please include as much detail as possible to allow us to assess its validity and scope without exposing sensitive information publicly.
+
+By following this process, you help us improve the security of our project while protecting users and maintainers. We appreciate your efforts to responsibly disclose vulnerabilities.

.github/renovate.json5

@@ -1,6 +1,16 @@
 {
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
-  extends: ["local>SpotOnInc/renovate-config"],
+  extends: [
+    "local>SpotOnInc/renovate-config",
+    // Automerge patch and minor upgrades if they pass tests. | https://docs.renovatebot.com/presets-default/#automergeminor
+    ":automergeMinor",
+    // Require all status checks to pass before any automerging. | https://docs.renovatebot.com/presets-default/#automergerequireallstatuschecks
+    ":automergeRequireAllStatusChecks",
+    // Automerge digest upgrades if they pass tests. | https://docs.renovatebot.com/presets-default/#automergedigest
+    ":automergeDigest",
+    // Raise a PR first before any automerging. | https://docs.renovatebot.com/presets-default/#automergepr
+    ":automergePr",
+  ],
   // To make happy 'Validate PR title' GHA
   commitMessageLowerCase: "never",
   // Disable auto-rebase on every commit to avoid reaching Github limits on macos runners

.github/workflows/build-image-test.yaml

@@ -1,6 +1,7 @@
 name: Build Dockerfile if changed and run smoke tests
 
 on:
+  merge_group:
   pull_request:
 
 permissions:
@@ -38,14 +39,14 @@ jobs:
 
     - name: Get changed Docker related files
       id: changed-files-specific
-      uses: tj-actions/changed-files@dcc7a0cba800f454d79fff4b993e8c3555bcc0a8  # v45.0.7
+      uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c  # v46.0.5
       with:
         files: |
-          Dockerfile
           .dockerignore
-          tools/entrypoint.sh
           .github/workflows/build-image-test.yaml
-          tools/*.sh
+          Dockerfile
+          tools/entrypoint.sh
+          tools/install/*.sh
 
     - name: Set IMAGE environment variable
       if: steps.changed-files-specific.outputs.any_changed == 'true'
@@ -56,12 +57,12 @@ jobs:
         >> $GITHUB_ENV
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca  # v3.9.0
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2  # v3.10.0
       if: steps.changed-files-specific.outputs.any_changed == 'true'
 
     - name: Build if Dockerfile changed
       if: steps.changed-files-specific.outputs.any_changed == 'true'
-      uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991  # v6.13.0
+      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83  # v6.18.0
       with:
         context: .
         build-args: |
@@ -100,7 +101,7 @@ jobs:
 
     - name: Dive - check image for waste files
       if: steps.changed-files-specific.outputs.any_changed == 'true'
-      uses: MaxymVlasov/dive-action@b6a02b38f0f309e8817199658eab090d4f0f93ce  # v1.1.0
+      uses: MaxymVlasov/dive-action@43dafd0015826beaca5110157c9262c5dc10672a  # v1.4.0
       with:
         image: ${{ env.IMAGE }}
         config-file: ${{ github.workspace }}/.github/.dive-ci.yaml
@@ -112,7 +113,7 @@ jobs:
       if: >-
         steps.changed-files-specific.outputs.any_changed == 'true'
         && matrix.os == 'ubuntu-latest'
-      uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991  # v6.13.0
+      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83  # v6.18.0
       with:
         context: .
         build-args: |

.github/workflows/build-image.yaml

@@ -22,9 +22,9 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca  # v3.9.0
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2  # v3.10.0
     - name: Login to GitHub Container Registry
-      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567  # v3.3.0
+      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772  # v3.4.0
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
@@ -43,11 +43,11 @@ jobs:
       run: >-
         echo "IMAGE_REPO=ghcr.io/${GITHUB_REPOSITORY@L}" >> $GITHUB_ENV
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca  # v3.9.0
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2  # v3.10.0
 
     - name: Build and Push release
       if: github.event_name != 'schedule'
-      uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991  # v6.13.0
+      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83  # v6.18.0
       with:
         context: .
         build-args: |
@@ -64,7 +64,7 @@ jobs:
 
     - name: Build and Push nightly
       if: github.event_name == 'schedule'
-      uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991  # v6.13.0
+      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83  # v6.18.0
       with:
         context: .
         build-args: |