Merge branch 'main' into feature/remove-docker-cli

Author: rjaegers

.devcontainer/rust/devcontainer-metadata-vscode.json

@@ -7,7 +7,7 @@
       "extensions": [
         "[email protected]",
         "[email protected]",
-        "[email protected].2490",
+        "[email protected].2500",
         "[email protected]",
         "[email protected]"
       ]

.github/workflows/continuous-integration.yml

@@ -16,7 +16,11 @@ permissions: {}
 jobs:
   build-push-test:
     uses: ./.github/workflows/wc-build-push-test.yml
-    secrets: inherit
+    secrets:
+      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
+      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
+      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
+      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
     permissions:
       actions: read
       attestations: write

.github/workflows/pr-conventional-title.yml

@@ -29,7 +29,7 @@ jobs:
             doesn't start with an uppercase character.
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
+      - uses: marocchino/sticky-pull-request-comment@d2ad0de260ae8b0235ce059e63f2949ba9e05943 # v2.9.3
         if: always() && steps.pr-title.outputs.error_message != null
         with:
           header: pr-title-lint-error
@@ -43,7 +43,7 @@ jobs:
             ${{ steps.pr-title.outputs.error_message }}
 
       - if: steps.pr-title.outputs.error_message == null
-        uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
+        uses: marocchino/sticky-pull-request-comment@d2ad0de260ae8b0235ce059e63f2949ba9e05943 # v2.9.3
         with:
           header: pr-title-lint-error
           delete: true

.github/workflows/release-build.yml

@@ -17,7 +17,11 @@ permissions: {}
 jobs:
   build-push-test:
     uses: ./.github/workflows/wc-build-push-test.yml
-    secrets: inherit
+    secrets:
+      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
+      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
+      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
+      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
     permissions:
       actions: read
       attestations: write
@@ -31,6 +35,8 @@ jobs:
       enable-cache: false
   apply-release-notes-template:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
         with:
@@ -54,6 +60,8 @@ jobs:
       matrix:
         flavor: [cpp, rust]
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     needs: [build-push-test, apply-release-notes-template]
     env:
       CONTAINER_FLAVOR: ${{ matrix.flavor }}

.github/workflows/update-dependencies.yml

@@ -21,7 +21,7 @@ jobs:
       contents: write
       pull-requests: write
     steps:
-      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+      - uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
         with:
           egress-policy: audit
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/vulnerability-scan.yml

@@ -20,7 +20,7 @@ jobs:
       - uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
         with:
           egress-policy: audit
-      - uses: crazy-max/ghaction-container-scan@74ce8ef8146e9632a852a8f79744bbcab1a527ee # v3.1.0
+      - uses: crazy-max/ghaction-container-scan@4d8e0acba576e46016cbd65b9ecfc604e85e3990 # v3.2.0
         id: scan
         with:
           image: ghcr.io/${{ github.repository }}-${{ matrix.flavor }}:latest

.github/workflows/wc-acceptance-test.yml

@@ -7,6 +7,15 @@ on:
       flavor:
         required: true
         type: string
+    secrets:
+      TEST_GITHUB_TOKEN:
+        required: true
+      TEST_GITHUB_USER:
+        required: true
+      TEST_GITHUB_PASSWORD:
+        required: true
+      TEST_GITHUB_TOTP_SECRET:
+        required: true
 
 concurrency:
   group: ${{ github.workflow }}

.github/workflows/wc-build-push-test.yml

@@ -8,6 +8,15 @@ on:
         required: false
         type: boolean
         default: true
+    secrets:
+      TEST_GITHUB_TOKEN:
+        required: true
+      TEST_GITHUB_USER:
+        required: true
+      TEST_GITHUB_PASSWORD:
+        required: true
+      TEST_GITHUB_TOTP_SECRET:
+        required: true
 
 permissions:
   contents: read
@@ -37,7 +46,7 @@ jobs:
     needs: build-push
     if: github.event_name == 'pull_request'
     steps:
-      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+      - uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
         with:
           egress-policy: audit
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -55,7 +64,6 @@ jobs:
         runner: ["ubuntu-latest", "ubuntu-24.04-arm"]
     needs: build-push
     uses: ./.github/workflows/wc-integration-test.yml
-    secrets: inherit
     with:
       flavor: ${{ matrix.flavor }}
       runner: ${{ matrix.runner }}
@@ -66,7 +74,11 @@ jobs:
         flavor: [cpp]
     needs: build-push
     uses: ./.github/workflows/wc-acceptance-test.yml
-    secrets: inherit
+    secrets:
+      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
+      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
+      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
+      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
     with:
       flavor: ${{ matrix.flavor }}
 

.github/workflows/wc-build-push.yml

@@ -34,7 +34,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
-      - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
       - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ${{ env.REGISTRY }}
@@ -108,7 +108,7 @@ jobs:
           path: ${{ runner.temp }}/digests
           pattern: digests-${{ inputs.flavor }}-*
           merge-multiple: true
-      - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
       - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ${{ env.REGISTRY }}
@@ -165,7 +165,7 @@ jobs:
         with:
           from-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}:edge
           to-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}:${{ steps.metadata.outputs.version }}
-      - uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
+      - uses: marocchino/sticky-pull-request-comment@d2ad0de260ae8b0235ce059e63f2949ba9e05943 # v2.9.3
         with:
           header: container-size-diff-${{ inputs.flavor }}
           message: |