Merge branch 'main' into georgewallace-patch-1

Author: szabosteve

.github/actions/aws-auth/action.yml

@@ -37,7 +37,7 @@ runs:
           with open(os.environ["GITHUB_OUTPUT"], "a") as f:
             f.write(f"result=arn:aws:iam::{os.environ["AWS_ACCOUNT_ID"]}:role/{prefix}{hash}")
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+      uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
       with:
         role-to-assume: ${{ steps.role_arn.outputs.result }}
         aws-region: ${{ inputs.aws_region }}

.github/actions/bootstrap/action.yml

@@ -24,7 +24,7 @@ runs:
       run: |
         git config --global init.defaultBranch main
 
-    - uses: actions/setup-dotnet@v4
+    - uses: actions/setup-dotnet@v5
       with:
         global-json-file: global.json
 
@@ -38,7 +38,7 @@ runs:
         echo "full-version=${REPO_VERSION}" >> $GITHUB_OUTPUT
         echo "major-version=$(echo ${REPO_VERSION} | cut -d"." -f1)" >> $GITHUB_OUTPUT
         
-    - uses: actions/setup-node@v4
+    - uses: actions/setup-node@v5
       with:
         cache: npm
         cache-dependency-path: src/Elastic.Documentation.Site/package-lock.json

.github/dependabot.yml

@@ -12,6 +12,8 @@ updates:
   - package-ecosystem: npm
     directories:
       - '**/*'
+    cooldown:
+      default-days: 14
     schedule:
       interval: 'weekly'
       day: 'monday'

updatecli/updatecli.d/versions.yml …ithub/updatecli/updatecli.d/versions.ymlupdatecli/updatecli.d/versions.yml renamed to .github/updatecli/updatecli.d/versions.yml updatecli/updatecli.d/versions.yml renamed to .github/updatecli/updatecli.d/versions.yml

@@ -25,20 +25,14 @@ actions:
       title: '[Automation] Bump product version numbers'
 
 sources:
-  # TODO Automate only for patch releases
-  # latest-stack-version:
-  #   name: Get latest stack version
-  #   kind: githubrelease
-  #   transformers:
-  #     - trimprefix: v
-  #   spec:
-  #     owner: elastic
-  #     repository: elasticsearch
-  #     token: '{{ requiredEnv "GITHUB_TOKEN" }}'
-  #     username: '{{ requiredEnv "GITHUB_ACTOR" }}'
-  #     versionfilter:
-  #       kind: regex
-  #       pattern: "v9.(\\d*).(\\d*)$"
+  latest-stack-version:
+    name: Get latest stack version
+    kind: json
+    spec:
+      files:
+        - https://artifacts.elastic.co/releases/stack.json
+      engine: dasel/v2
+      key: "releases.last().version"
 
   latest-edot-android-version:
     name: Get latest release version for the apm-agent-android
@@ -64,8 +58,8 @@ sources:
       token: '{{ requiredEnv "GITHUB_TOKEN" }}'
       username: '{{ requiredEnv "GITHUB_ACTOR" }}'
       versionfilter:
-        kind: regex
-        pattern: "v9.(\\d*).(\\d*)$"
+        kind: semver
+        pattern: "^9.0.0"
 
   latest-edot-dotnet-version:
     name: Get latest release version for the elastic-otel-dotnet
@@ -292,15 +286,15 @@ sources:
         pattern: "^@elastic/apm-rum@(\\d*).(\\d*).(\\d*)$"
 
 targets:
-  # update-docs-docset-stack:
-  #   name: 'Update config/versions.yml stack {{ source "latest-stack-version" }}'
-  #   scmid: githubConfig
-  #   sourceid: latest-stack-version
-  #   kind: file
-  #   spec:
-  #     file: config/versions.yml
-  #     matchpattern: '(stack: &stack\s+base: [\d\.]+\s+current:)\s+(.+)'
-  #     replacepattern: '$1 {{ source "latest-stack-version" }}'
+  update-docs-docset-stack:
+    name: 'Update config/versions.yml stack {{ source "latest-stack-version" }}'
+    scmid: githubConfig
+    sourceid: latest-stack-version
+    kind: file
+    spec:
+      file: config/versions.yml
+      matchpattern: '(stack: &stack\s+base: [\d\.]+\s+current:)\s+(.+)'
+      replacepattern: '$1 {{ source "latest-stack-version" }}'
 
   update-docs-docset-android:
     name: 'Update config/versions.yml edot-android {{ source "latest-edot-android-version" }}'
@@ -318,7 +312,7 @@ targets:
     kind: yaml
     spec:
       file: config/versions.yml
-      key: versioning_systems.edot_collector.current
+      key: $.versioning_systems.edot_collector.current
 
   update-docs-docset-dotnet:
     name: 'Update config/versions.yml edot-dotnet {{ source "latest-edot-dotnet-version" }}'

updatecli/values.d/scm.yml .github/updatecli/values.d/scm.ymlupdatecli/values.d/scm.yml renamed to .github/updatecli/values.d/scm.yml

@@ -0,0 +1,26 @@
+---
+name: Auto-add triage label
+
+on:
+  issues:
+    types:
+      - opened
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  add-triage-label:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Add needs triage label
+        uses: actions/github-script@v7
+        with:
+          script: |
+            github.rest.issues.addLabels({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              labels: ['needs triage']
+            })

.github/workflows/auto-add-needs-triage-label.yml

@@ -21,7 +21,7 @@ jobs:
     env:
       BINARY_PATH: .artifacts/Elastic.Documentation.Api.Lambda/release_linux-x64/bootstrap
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with: 
           ref: ${{ inputs.ref }}
       - name: Amazon Linux 2023 build

.github/workflows/build-api-lambda.yml

@@ -18,7 +18,7 @@ jobs:
     env:
       BINARY_PATH: .artifacts/docs-lambda-index-publisher/release_linux-x64/bootstrap
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with: 
           ref: ${{ inputs.ref }}
       - name: Amazon Linux 2023 build

.github/workflows/build-link-index-updater-lambda.yml

@@ -20,7 +20,7 @@ jobs:
   validate-assembler:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Bootstrap Action Workspace
         id: bootstrap
@@ -44,9 +44,9 @@ jobs:
       run: 
         working-directory: src/Elastic.Documentation.Site
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v5
         with:
           cache: npm
           cache-dependency-path: src/Elastic.Documentation.Site/package-lock.json
@@ -55,6 +55,14 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
+        ## https://semgrep.dev/blog/2025/security-advisory-npm-packages-using-secret-scanning-tools-to-steal-credentials/
+      - name: Check shai-hulud attack
+        run: |
+          if find . -type f -name "*.js" -exec sha256sum {} \; | grep -q "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09"; then
+            echo "Vulnerable version of serialize-javascript found in:"
+            find . -type f -name "*.js" -exec sha256sum {} \; | grep "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09" | awk '{print $2}'
+            exit 1
+          fi
       - name: Lint
         run: npm run lint
 
@@ -78,7 +86,7 @@ jobs:
          - macos-latest
          - windows-latest
     steps:          
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Bootstrap Action Workspace
         id: bootstrap
@@ -94,19 +102,24 @@ jobs:
         run: dotnet run --project build -c release -- unit-test
 
       - name: Publish AOT
+        if: ${{ matrix.os != 'ubuntu-latest' }} # publish containers already validates AOT build
         run: dotnet run --project build -c release -- publishbinaries
+        
+      - name: Publish Containers
+        if: ${{ matrix.os == 'ubuntu-latest' }} 
+        env:
+          DOCKER_NO_PUBLISH: true
+        run: dotnet run --project build -c release -- publishcontainers
+        
+      - name: Run Container
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        run: dotnet run --project build -c release -- runlocalcontainer
+        
 
   integration:
-    if: false
-    runs-on: ubuntu-latest
+    runs-on: docs-builder-latest-16
     steps:
-      - uses: actions/checkout@v4
-
-      - name: Free Disk Space
-        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
-        with:
-          tool-cache: false
-          dotnet: true
+      - uses: actions/checkout@v5
 
       - name: Bootstrap Action Workspace
         id: bootstrap

.github/workflows/ci.yml

@@ -15,7 +15,7 @@ jobs:
   create-major-tag:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Get major version
         run: |
           MAJOR_VERSION=$(echo "${GITHUB_REF#refs/tags/}" | awk -F. '{print $1}')