From bb84de4775481121b4a321e409fd00414c17a2e9 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Fri, 12 Sep 2025 10:37:41 +0200
Subject: [PATCH 1/5] Enforce npm strict engine
---
 Dockerfile | 2 +-
 frontend/.npmrc | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 frontend/.npmrc
diff --git a/Dockerfile b/Dockerfile
index 14eda1924..b54509e8e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,7 +24,7 @@ FROM --platform=${BUILDPLATFORM} docker.io/library/node:${NODEJS_VERSION}-${DEBI
 WORKDIR /app/frontend
-COPY ./frontend/package.json ./frontend/package-lock.json /app/frontend/
+COPY ./frontend/.npmrc ./frontend/package.json ./frontend/package-lock.json /app/frontend/
 # Network access: to fetch dependencies
 RUN --network=default \
 npm ci
diff --git a/frontend/.npmrc b/frontend/.npmrc
new file mode 100644
index 000000000..b6f27f135
--- /dev/null
+++ b/frontend/.npmrc
@@ -0,0 +1 @@
+engine-strict=true
From 6feaed5f904b61bd004abc8eccee23607ce12af0 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Fri, 12 Sep 2025 10:45:12 +0200
Subject: [PATCH 2/5] Upgrade Node in the Dockerfile to 22.19.0
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index b54509e8e..e8b991937 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@ ARG DEBIAN_VERSION=12
 ARG DEBIAN_VERSION_NAME=bookworm
 ARG RUSTC_VERSION=1.89.0
-ARG NODEJS_VERSION=20.15.0
+ARG NODEJS_VERSION=22.19.0
 ARG OPA_VERSION=1.1.0
 ARG CARGO_AUDITABLE_VERSION=0.6.6
From 6fa132c0d31e8e8c0c865d9612f5379d42f631e8 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Fri, 12 Sep 2025 10:45:39 +0200
Subject: [PATCH 3/5] Upgrade cargo-auditable to 0.7.0
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index e8b991937..ed4f54ae7 100644
--- a/Dockerfile
+++ b/Dockerfile
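Review bot: In PATCH 1/5 the `COPY` line in the frontend stage now brings `./frontend/.npmrc` into an image layer, and nothing near it says that this file must stay free of credentials. The committed file holds only `engine-strict=true`, but `.npmrc` is also where registry tokens are usually kept, so a later edit could bake one into the layer and the build cache. I would add a comment above the `COPY`, such as `# .npmrc is tracked and copied into this layer: settings only, never auth tokens (use RUN --mount=type=secret for those)`. The stage starts and ends outside the hunk, so whether this layer reaches the final image cannot be seen here.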
@@ -15,7 +15,7 @@ ARG DEBIAN_VERSION_NAME=bookworm
 ARG RUSTC_VERSION=1.89.0
 ARG NODEJS_VERSION=22.19.0
 ARG OPA_VERSION=1.1.0
-ARG CARGO_AUDITABLE_VERSION=0.6.6
+ARG CARGO_AUDITABLE_VERSION=0.7.0
 ##########################################
 ## Build stage that builds the frontend ##
From a5e75541efb199c01a7027a5bf66eb9376b2948b Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Fri, 12 Sep 2025 10:52:39 +0200
Subject: [PATCH 4/5] Upgrade OPA and regal to latest versions
---
 .github/actions/build-policies/action.yml | 3 ++-
 .github/workflows/ci.yaml | 3 ++-
 Dockerfile | 3 ++-
 policies/.regal/config.yaml | 3 +++
 policies/Makefile | 6 ++++--
 5 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/.github/actions/build-policies/action.yml b/.github/actions/build-policies/action.yml
index 0eba08e6e..e1dc28547 100644
--- a/.github/actions/build-policies/action.yml
+++ b/.github/actions/build-policies/action.yml
@@ -12,7 +12,8 @@ runs:
 - name: Install Open Policy Agent
 uses: open-policy-agent/setup-opa@v2.2.0
 with:
- version: 1.1.0
+ # Keep in sync with the Dockerfile and policies/Makefile
+ version: 1.8.0
 - name: Build the policies
 run: make
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 93c3b1b5f..080fae3df 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -41,7 +41,8 @@ jobs:
 - name: Setup Regal
 uses: StyraInc/setup-regal@v1
 with:
- version: 0.29.2
+ # Keep in sync with policies/Makefile
+ version: 0.36.1
 - name: Lint policies
 working-directory: ./policies
diff --git a/Dockerfile b/Dockerfile
index ed4f54ae7..0a6ff4322 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,7 +14,8 @@ ARG DEBIAN_VERSION=12
 ARG DEBIAN_VERSION_NAME=bookworm
 ARG RUSTC_VERSION=1.89.0
 ARG NODEJS_VERSION=22.19.0
-ARG OPA_VERSION=1.1.0
+# Keep in sync with .github/actions/build-policies/action.yml and policies/Makefile
+ARG OPA_VERSION=1.8.0
 ARG CARGO_AUDITABLE_VERSION=0.7.0
 ##########################################
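Review bot: In the `.github/workflows/ci.yaml` hunk of PATCH 4/5 the Regal version is now pinned to `0.36.1`, yet the step that installs it is still `uses: StyraInc/setup-regal@v1`, a movable major tag on a third-party action. The tag can be repointed without any change in this repository, so the pinned tool version is only as trustworthy as whatever `@v1` resolves to at run time; `open-policy-agent/setup-opa@v2.2.0` in the `action.yml` hunk has the same property. Pinning both to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: StyraInc/setup-regal@<full-commit-sha> # v1`, closes that gap. Since PATCH 5/5 moves the Regal image to the `open-policy-agent` namespace, it is also worth checking whether the action's canonical location changed. The job definition starts and ends outside the hunk.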
diff --git a/policies/.regal/config.yaml b/policies/.regal/config.yaml
index 0620e6872..2c99d0efa 100644
--- a/policies/.regal/config.yaml
+++ b/policies/.regal/config.yaml
@@ -4,6 +4,9 @@
 # Please see LICENSE files in the repository root for full details.
 rules:
+ imports:
+ unresolved-reference:
+ level: ignore
 style:
 external-reference:
 level: ignore
diff --git a/policies/Makefile b/policies/Makefile
index 0e4d8ebdd..2d4b7f2cb 100644
--- a/policies/Makefile
+++ b/policies/Makefile
@@ -6,8 +6,10 @@
 # Set to 1 to run OPA through Docker
 DOCKER := 0
 PODMAN := 0
-OPA_DOCKER_IMAGE := docker.io/openpolicyagent/opa:1.1.0-debug
-REGAL_DOCKER_IMAGE := ghcr.io/styrainc/regal:0.31.0
+# Keep in sync with Dockerfile and .github/actions/build-policies/action.yml
+OPA_DOCKER_IMAGE := docker.io/openpolicyagent/opa:1.8.0-debug
+# Keep in sync with .github/workflows/ci.yaml
+REGAL_DOCKER_IMAGE := ghcr.io/styrainc/regal:0.36.1
 INPUTS := \
 common/common.rego \
From 80825d28ce3945e2e1a06fa1e63f2a30f835b6bc Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Fri, 12 Sep 2025 10:58:55 +0200
Subject: [PATCH 5/5] Fix reference to the regal image
---
 policies/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policies/Makefile b/policies/Makefile
index 2d4b7f2cb..421990d07 100644
--- a/policies/Makefile
+++ b/policies/Makefile
@@ -9,7 +9,7 @@ PODMAN := 0
 # Keep in sync with Dockerfile and .github/actions/build-policies/action.yml
 OPA_DOCKER_IMAGE := docker.io/openpolicyagent/opa:1.8.0-debug
 # Keep in sync with .github/workflows/ci.yaml
-REGAL_DOCKER_IMAGE := ghcr.io/styrainc/regal:0.36.1
+REGAL_DOCKER_IMAGE := ghcr.io/open-policy-agent/regal:0.36.1
 INPUTS := \
 common/common.rego \
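Review bot: The new `imports: unresolved-reference: level: ignore` entry in the `policies/.regal/config.yaml` hunk of PATCH 4/5 switches the rule off for every policy file, and no comment says why. In Rego a reference that does not resolve evaluates to undefined rather than failing, so this rule looks like one of the few checks that would catch a misspelled rule or package name before it silently changes a policy decision. If the upgrade to 0.36.1 surfaced false positives, a comment naming them would help, e.g. `# ignored: false positives on <describe case>; re-enable once resolved`. Scoping the exception with the rule's `ignore: files:` list instead of a global `level: ignore` would keep the check active on the remaining policies.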