Merge branch 'main' into feature/reduce-unnecessary-copy-and-wget

Author: rjaegers

.devcontainer/cpp/devcontainer-lock.json

@@ -11,9 +11,9 @@
       "integrity": "sha256:ca677566507c4118e4368cd76a4800807e911e5e350cc3525fb67ebc9132dfa1"
     },
     "ghcr.io/devcontainers/features/node:1": {
-      "version": "1.6.2",
-      "resolved": "ghcr.io/devcontainers/features/node@sha256:36c03732c3421f11de7a3eefc7e9a7fb3df123cb2e48b115d61fdfe8994911d9",
-      "integrity": "sha256:36c03732c3421f11de7a3eefc7e9a7fb3df123cb2e48b115d61fdfe8994911d9"
+      "version": "1.6.3",
+      "resolved": "ghcr.io/devcontainers/features/node@sha256:3c35dff2aedeaeb86f03e10c265c29b56a1b3609324d83d6e901dbb6032543a4",
+      "integrity": "sha256:3c35dff2aedeaeb86f03e10c265c29b56a1b3609324d83d6e901dbb6032543a4"
     }
   }
 }

.devcontainer/cpp/requirements.in

@@ -1,3 +1,3 @@
-cmake==4.0.2
+cmake==4.0.3
 conan==2.17.0
 gcovr==8.3

.devcontainer/cpp/requirements.txt

@@ -115,26 +115,26 @@ charset-normalizer==3.4.0 \
     --hash=sha256:fe9f97feb71aa9896b81973a7bbada8c49501dc73e58a10fcef6663af95e5079 \
     --hash=sha256:ffc519621dce0c767e96b9c53f09c5d215578e10b02c285809f76509a3931482
     # via requests
-cmake==4.0.2 \
-    --hash=sha256:0e1ade8fc1527c678ff5b2ef732a9a52dad60481097438eb19e43eec8eb2fc9c \
-    --hash=sha256:166a0515a61183149be70df0def8097c6dc638484bcbb785340ae81cb5a94f50 \
-    --hash=sha256:2e62d1518e7983b4df9b793fe47897d5f2eaee3781addd8e1663264090eb4bf6 \
-    --hash=sha256:47806759aa5748c2b5f1e2a035ef887bbd293b12a2a9603e42673f698c0e1a63 \
-    --hash=sha256:4a469718c87253e67c81e5518ba19dc789f87a0e9f73ecd5af0ca139933b671f \
-    --hash=sha256:60c7ff7b5fa725bbc4067f3256e68b21454e97f6e646bae123c756553245c7f3 \
-    --hash=sha256:61cddbaa7586b8e9a2718619fd8935811a8af45e102ed3acc506b575e3766266 \
-    --hash=sha256:86ade184b259b18ba53ff343d4d5f263ec59dfb7304633523ba0efacfd98f41a \
-    --hash=sha256:9d123ea46c0dffe057fcfeaf448f623d6f79211cdd2b32fe779a86833fd3f4d9 \
-    --hash=sha256:a0415add60972fb3650a73bcc742bae9e19e03dd29219d9d89e18e0a3c0cd1d1 \
-    --hash=sha256:bb666564334530a9305ce0e5d7137d558e53c2f1a8175b798047550fefe7bb87 \
-    --hash=sha256:d6ce25b2cbebc073344d38b603ba223f8e633a07335f8056375f397a0f0027e5 \
-    --hash=sha256:dc4ff87bbdf6ccf6cdce1f98089f5669f70e4a6c4d30d315df8e79a8cdc1c581 \
-    --hash=sha256:deee8aae77599c17e32e4c80288e463ed3f1ebed04e1a819118f510854a82d8e \
-    --hash=sha256:e77546cd96e6edd514ac675a6c1512314519dac6dd4c5b975e564a6f09b4ccbc \
-    --hash=sha256:e96921b6abfb627913d02cec9f4736a760741804044ac0740d8eefdcb7c47b4b \
-    --hash=sha256:eea2c303cf3f009ffc71135e4e0cf03c3ad6cd409543270dc0601de32b50d0c1 \
-    --hash=sha256:f8ea86bfd9925575d4a49b3d98ce352f07bbae4fdbb6d703bd26314ca7a3db0c \
-    --hash=sha256:fc483ed8a31c22cb1b46c81017b0703b469360584d004ac0f5e346f04b75e3c8
+cmake==4.0.3 \
+    --hash=sha256:004e58b1a1a384c2ca799c9c41ac4ed86ac3b80129462992c43c1121f8729ffd \
+    --hash=sha256:04c40c92fdcaa96c66a5731b5b3fbbdf87da99cc68fdd30ff30b90c34d222986 \
+    --hash=sha256:133dbc33f995cb97a4456d83d67fa0a7a798f53f979454359140588baa928f43 \
+    --hash=sha256:215732f09ea8a7088fe1ab46bbd61669437217278d709fd3851bf8211e8c59e3 \
+    --hash=sha256:2a66ecdd4c3238484cb0c377d689c086a9b8b533e25329f73d21bd1c38f1ae86 \
+    --hash=sha256:3e07bdd14e69ea67d1e67a4f5225ac2fd91ee9e349c440143cdddd7368be1f46 \
+    --hash=sha256:434f84fdf1e21578974876b8414dc47afeaea62027d9adc37a943a6bb08eb053 \
+    --hash=sha256:47dc28bee6cfb4de00c7cf7e87d565b5c86eb4088da81b60a49e214fcdd4ffda \
+    --hash=sha256:67103f2bcce8f57b8705ba8e353f18fdc3684a346eee97dc5f94d11575a424c6 \
+    --hash=sha256:6ef63bbabcbe3b89c1d80547913b6caceaad57987a27e7afc79ebc88ecd829e4 \
+    --hash=sha256:880a1e1ae26d440d7e4f604fecbf839728ca7b096c870f2e7359855cc4828532 \
+    --hash=sha256:94a52e67b264a51089907c9e74ca5a9e2f3e65c57c457e0f40f02629a0de74d8 \
+    --hash=sha256:9a349ff2b4a7c63c896061676bc0f4e6994f373d54314d79ba3608ee7fa75442 \
+    --hash=sha256:beec48371a4b906fe398758ded5df57fc16e9bb14fd34244d9d66ee35862fb9f \
+    --hash=sha256:c403b660bbff1fd4d7f1c5d9e015ea27566e49ca9461e260c9758f2fd4e5e813 \
+    --hash=sha256:d41b83d061bcc375a7a5f2942ba523a7563368d296d91260f9d8a53a10f5e5e5 \
+    --hash=sha256:d840e780c48c5df1330879d50615176896e8e6eee554507d21ce8e2f1a5f0ff8 \
+    --hash=sha256:e10fdc972b3211915b65cc89e8cd24e1a26c9bd684ee71c3f369fb488f2c4388 \
+    --hash=sha256:f2adfb459747025f40f9d3bdd1f3a485d43e866c0c4eb66373d1fcd666b13e4a
     # via -r cpp/requirements.in
 colorama==0.4.6 \
     --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \

.github/actions/container-size-diff/action.yml

@@ -18,14 +18,10 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - run: echo "$GITHUB_ACTION_PATH" >> "$GITHUB_PATH"
-      shell: bash
-      env:
-        GITHUB_ACTION_PATH: ${{ github.action_path }}
     - run: |
         EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
         echo "markdown<<${EOF}" >> "${GITHUB_OUTPUT}"
-        echo "$(container-size-diff.sh ${INPUT_FROM_CONTAINER} ${INPUT_TO_CONTAINER})" >> "${GITHUB_OUTPUT}"
+        echo "$(${GITHUB_ACTION_PATH}/container-size-diff.sh ${INPUT_FROM_CONTAINER} ${INPUT_TO_CONTAINER})" >> "${GITHUB_OUTPUT}"
         echo "${EOF}" >> "${GITHUB_OUTPUT}"
       id: size-diff
       shell: bash

.github/actions/container-size-diff/container-size-diff.sh

@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
 
+set -Eeuo pipefail
+
 FROM_CONTAINER=${1:?}
 TO_CONTAINER=${2:?}
 
@@ -23,11 +25,9 @@ get_sizes_from_manifest() {
 get_sizes_from_manifest ${FROM_CONTAINER} FROM_CONTAINER_SIZES
 get_sizes_from_manifest ${TO_CONTAINER} TO_CONTAINER_SIZES
 
-echo "## 📊 Container Size Analysis"
+echo "## 📦 Container Size Analysis"
 echo
-echo "Comparing compressed layer sizes of:"
-echo "📦 Base: \`${FROM_CONTAINER}\`"
-echo "📦 Current: \`${TO_CONTAINER}\`"
+echo "Comparing \`${FROM_CONTAINER}\` to \`${TO_CONTAINER}\`"
 echo
 
 echo "### 📈 Size Comparison Table"
@@ -37,24 +37,28 @@ echo "|-------------|:-------------:|:------------:|:------:|:-----:|"
 
 for PLATFORM in "${!FROM_CONTAINER_SIZES[@]}";
 do
-    BASE_SIZE=${FROM_CONTAINER_SIZES[${PLATFORM}]}
-    HEAD_SIZE=${TO_CONTAINER_SIZES[${PLATFORM}]}
-    DELTA=$((${HEAD_SIZE} - ${BASE_SIZE}))
-    PERCENT_CHANGE=$(python -c "print('{:+0.2f}'.format(((${HEAD_SIZE} - ${BASE_SIZE}) / ${BASE_SIZE}) * 100))")
+    FROM_SIZE=${FROM_CONTAINER_SIZES[${PLATFORM}]:0}
+    TO_SIZE=${TO_CONTAINER_SIZES[${PLATFORM}]:0}
+    DELTA=$((${TO_SIZE} - ${FROM_SIZE}))
+
+    if [[ ${FROM_SIZE} -eq 0 ]]; then
+        # If from size was 0, and there's a change, that's infinite percentage change
+        if [[ ${TO_SIZE} -gt 0 ]]; then
+            PERCENT_CHANGE="+∞"
+        else
+            PERCENT_CHANGE="+0.00"
+        fi
+    else
+        PERCENT_CHANGE=$(awk -v to="${TO_SIZE}" -v from="${FROM_SIZE}" 'BEGIN { printf "%+0.2f", ((to - from) / from) * 100 }')
+    fi
 
     if (( DELTA < 0 )); then
         ICON="🔽"
-        MD_COLOR_START="<span style=\"color:green\">"
-        MD_COLOR_END="</span>"
     elif (( DELTA > 0 )); then
         ICON="🔼"
-        MD_COLOR_START="<span style=\"color:red\">"
-        MD_COLOR_END="</span>"
     else
         ICON="🔄"
-        MD_COLOR_START=""
-        MD_COLOR_END=""
     fi
 
-    echo "| ${PLATFORM} | $(numfmt --to iec --format '%.2f' ${BASE_SIZE}) | $(numfmt --to iec --format '%.2f' ${HEAD_SIZE}) | ${MD_COLOR_START}$(numfmt --to iec --format '%.2f' ${DELTA}) (${PERCENT_CHANGE}%)${MD_COLOR_END} | ${ICON} |"
+    echo "| ${PLATFORM} | $(numfmt --to iec --format '%.2f' ${FROM_SIZE}) | $(numfmt --to iec --format '%.2f' ${TO_SIZE}) | $(numfmt --to iec --format '%.2f' ${DELTA}) (${PERCENT_CHANGE}%) | ${ICON} |"
 done

.github/actions/update-apt-packages/action.yml

@@ -15,16 +15,12 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - run: echo "$GITHUB_ACTION_PATH" >> "$GITHUB_PATH"
-      shell: bash
-      env:
-        GITHUB_ACTION_PATH: ${{ github.action_path }}
     - run: |
         apt-get update
         apt-get install --no-install-recommends -y jq
       shell: bash
     - run: |
-        update-apt-packages.sh ${INPUT_FILE}
+        ${GITHUB_ACTION_PATH}/update-apt-packages.sh ${INPUT_FILE}
         echo "updated-dependencies=$(cat updated-packages.json)" >> "${GITHUB_OUTPUT}"
         rm updated-packages.json
       id: update-extensions

.github/actions/update-vscode-extensions/action.yml

@@ -18,10 +18,6 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - run: echo "$GITHUB_ACTION_PATH" >> "$GITHUB_PATH"
-      shell: bash
-      env:
-        GITHUB_ACTION_PATH: ${{ github.action_path }}
     - run: |
         sudo apt-get update
         sudo apt-get install --no-install-recommends -y jq
@@ -30,7 +26,7 @@ runs:
     - run: |
         EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
         echo "markdown-summary<<${EOF}" >> "${GITHUB_OUTPUT}"
-        echo "$(update-vscode-extensions.sh ${INPUT_FILE})" >> "${GITHUB_OUTPUT}"
+        echo "$(${GITHUB_ACTION_PATH}/update-vscode-extensions.sh ${INPUT_FILE})" >> "${GITHUB_OUTPUT}"
         echo "${EOF}" >> "${GITHUB_OUTPUT}"
 
         echo "updated-dependencies=$(cat updated-extensions.json)" >> "${GITHUB_OUTPUT}"

.github/linters/.trivyignore.yml

@@ -0,0 +1,15 @@
+---
+misconfigurations:
+  - id: AVD-DS-0002
+    statement: We allow root access in our container that we use for development purposes (https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0002/)
+vulnerabilities:
+  - id: CVE-2025-50181
+    paths:
+      - ".devcontainer/cpp/requirements.txt"
+    expired_at: 2025-10-01
+    statement: This vulnerable dependency comes in via the Conan package, work is in-progress on supporting a non-vulnerable version (https://github.com/conan-io/conan/issues/13948)
+  - id: CVE-2025-50182
+    paths:
+      - ".devcontainer/cpp/requirements.txt"
+    expired_at: 2025-10-01
+    statement: This vulnerable dependency comes in via the Conan package, work is in-progress on supporting a non-vulnerable version (https://github.com/conan-io/conan/issues/13948)