Merge branch 'main' into copilot/automate-clean-up-attestations

Author: rjaegers

.devcontainer/base/apt-requirements.json

@@ -4,7 +4,7 @@
   "g++-14": "14.2.0-4ubuntu2~24.04.1",
   "git": "1:2.43.0-1ubuntu7.3",
   "gnupg2": "2.4.4-2ubuntu17.4",
-  "udev": "255.4-1ubuntu8.12",
+  "udev": "255.4-1ubuntu8.14",
   "wget": "1.21.4-1ubuntu4.1",
   "xz-utils": "5.6.1+really5.4.5-1ubuntu0.2"
 }

.devcontainer/cpp/Dockerfile

@@ -2,18 +2,23 @@
 # hadolint global ignore=DL3006
 
 ARG BASE_IMAGE=ghcr.io/philips-software/amp-devcontainer-base:edge
-ARG CCACHE_VERSION=4.12.2
-ARG XWIN_VERSION=0.7.0
+# Public minisign key for verifying ccache releases,
+# taken from https://ccache.dev/minisign.pub
+ARG CCACHE_MINISIGN_PUBKEY=RWQX7yXbBedVfI4PNx6FLdFXu9GHUFsr28s4BVGxm4BeybtnX3P06saF
+ARG CCACHE_VERSION=4.13.1
+ARG XWIN_VERSION=0.8.0
 
 # Downloader stage for AMD64 architecture
 FROM scratch AS downloader-amd64
 
 ARG CCACHE_VERSION
 ARG XWIN_VERSION
 
-ADD --checksum=sha256:630c34ec94d451b200f5b14a6a25580d6a45bc80c394b7e0b93e33556eee5d32 \
- https://github.com/ccache/ccache/releases/download/v${CCACHE_VERSION}/ccache-${CCACHE_VERSION}-linux-x86_64.tar.xz /ccache.tar.xz
-ADD --checksum=sha256:f1bffe5319728fca9cde5bb03fcb6c88cdf44922bd003fca8b4b9ce5b6f259d2 \
+ADD --checksum=sha256:dd9fc188e738add3c12509063bb082b05e77a9a71fa85a20e01230044aa410f1 \
+ https://github.com/ccache/ccache/releases/download/v${CCACHE_VERSION}/ccache-${CCACHE_VERSION}-linux-x86_64-glibc.tar.xz /ccache.tar.xz
+ADD --checksum=sha256:fdf00b1eadebf437e898ca3c0c94fd3e8d03b9e2bbe4f3d74ac6df2fecbf0a74 \
+ https://github.com/ccache/ccache/releases/download/v${CCACHE_VERSION}/ccache-${CCACHE_VERSION}-linux-x86_64-glibc.tar.xz.minisig /ccache.tar.xz.minisig
+ADD --checksum=sha256:8a354e12475dd154d0a2d3084eefd2c105f872ec8062965baaa7e9f2f76fe611 \
  https://github.com/Jake-Shadle/xwin/releases/download/${XWIN_VERSION}/xwin-${XWIN_VERSION}-x86_64-unknown-linux-musl.tar.gz /xwin.tar.gz
 
 # Downloader stage for ARM64 architecture
@@ -22,9 +27,11 @@ FROM scratch AS downloader-arm64
 ARG CCACHE_VERSION
 ARG XWIN_VERSION
 
-ADD --checksum=sha256:b01c270c245e41998ab777164aba085dbeb23ce515f4e2134a1fdddabf0bf6ad \
- https://github.com/ccache/ccache/releases/download/v${CCACHE_VERSION}/ccache-${CCACHE_VERSION}-linux-aarch64.tar.xz /ccache.tar.xz
-ADD --checksum=sha256:b85cd1e0c94f249338b02a6e54b380154a5af6b5dd754121b15722125a67cf9f \
+ADD --checksum=sha256:4cf4b05d9c381b3a60f1f10189f45ad9402bbc58979dbdc4901659c7f5e42dc8 \
+ https://github.com/ccache/ccache/releases/download/v${CCACHE_VERSION}/ccache-${CCACHE_VERSION}-linux-aarch64-glibc.tar.xz /ccache.tar.xz
+ADD --checksum=sha256:24b50ebf8ce5ec9e5e56af298ddb17699a46f0d9bb035d7c824500270a5cde74 \
+ https://github.com/ccache/ccache/releases/download/v${CCACHE_VERSION}/ccache-${CCACHE_VERSION}-linux-aarch64-glibc.tar.xz.minisig /ccache.tar.xz.minisig
+ADD --checksum=sha256:fe106caefbb316664d73fd03166c28c09e580bb2a3ad65b4d50c51c67368aeab \
  https://github.com/Jake-Shadle/xwin/releases/download/${XWIN_VERSION}/xwin-${XWIN_VERSION}-aarch64-unknown-linux-musl.tar.gz /xwin.tar.gz
 
 # Select downloader stage based on target architecture.
@@ -40,14 +47,20 @@ ADD --checksum=sha256:db2938ce5fd422f2db7a07508452772c945135d99274004c462190c323
 # Extractor stage using target architecture specific downloader
 FROM ${BASE_IMAGE} AS extractor
 
+ARG CCACHE_MINISIGN_PUBKEY
 ARG CCACHE_VERSION
 ARG XWIN_VERSION
 
 SHELL ["/bin/bash", "-Eeuo", "pipefail", "-c"]
 
 WORKDIR /
 
-RUN --mount=from=downloader,target=/dl <<EOF
+# hadolint ignore=DL3008
+RUN --mount=from=downloader,target=/dl \
+    --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked <<EOF
+    apt-get update && apt-get install --no-install-recommends -y minisign
+
     ARM_GNU_TOOLCHAIN_URL="https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-$(uname -m)-arm-none-eabi.tar.xz"
     ARM_GNU_TOOLCHAIN_TAR="/tmp/arm-gnu-toolchain.tar.xz"
 
@@ -60,8 +73,10 @@ RUN --mount=from=downloader,target=/dl <<EOF
     wget --no-hsts -qO "${ARM_GNU_TOOLCHAIN_TAR}" "${ARM_GNU_TOOLCHAIN_URL}"
     echo "${ARM_GNU_TOOLCHAIN_SHA256}  ${ARM_GNU_TOOLCHAIN_TAR}" | sha256sum -c -
 
+    minisign -P "${CCACHE_MINISIGN_PUBKEY}" -Vm /dl/ccache.tar.xz
+
     tar xJf "${ARM_GNU_TOOLCHAIN_TAR}" --exclude="*arm-none-eabi-gdb*" --exclude="share"
-    tar xJf /dl/ccache.tar.xz --strip-components=1 "ccache-${CCACHE_VERSION}-linux-$(uname -m)/ccache"
+    tar xJf /dl/ccache.tar.xz --strip-components=1 "ccache-${CCACHE_VERSION}-linux-$(uname -m)-glibc/ccache"
     tar xzf /dl/xwin.tar.gz --strip-components=1 "xwin-${XWIN_VERSION}-$(uname -m)-unknown-linux-musl/xwin"
     cp /dl/llvm.gpg.key /llvm.gpg.key
     cp /dl/mull.gpg.key /mull.gpg.key
@@ -90,7 +105,6 @@ ENV CCACHE_DIR=/cache/.ccache \
     PYTHONPYCACHEPREFIX=/cache/.python
 
 # Install the base system with all tool dependencies
-# hadolint ignore=DL3008
 RUN --mount=type=bind,source=.devcontainer/cpp/apt-requirements-base.json,target=/tmp/apt-requirements-base.json \
     --mount=type=bind,source=.devcontainer/cpp/apt-requirements-clang.json,target=/tmp/apt-requirements-clang.json \
     --mount=type=bind,source=.devcontainer/cpp/requirements.txt,target=/tmp/requirements.txt \

.devcontainer/cpp/apt-requirements-base.json

@@ -1,5 +1,5 @@
 {
-  "gdb-multiarch": "15.0.50.20240403-0ubuntu1",
+  "gdb-multiarch": "15.1-1ubuntu1~24.04.1",
   "ninja-build": "1.11.1-2",
   "python3-pip": "24.0+dfsg-1ubuntu1.3",
   "unzip": "6.0-28ubuntu4.1",

.devcontainer/cpp/apt-requirements-clang.json

@@ -7,5 +7,5 @@
   "libclang-rt-20-dev": "1:20.1.8~++20250804090239+87f0227cb601-1~exp1~20250804210352.139",
   "lld-20": "1:20.1.8~++20250804090239+87f0227cb601-1~exp1~20250804210352.139",
   "llvm-20": "1:20.1.8~++20250804090239+87f0227cb601-1~exp1~20250804210352.139",
-  "mull-20": "0.29.0"
+  "mull-20": "0.31.1"
 }

.devcontainer/cpp/devcontainer-metadata.json

@@ -9,9 +9,9 @@
         "marus25.cortex-debug@1.12.1",
         "mhutchie.git-graph@1.30.0",
         "ms-vscode.cmake-tools@1.22.28",
-        "ms-vscode.cpptools@1.30.5",
+        "ms-vscode.cpptools@1.31.3",
         "ms-vsliveshare.vsliveshare@1.0.5959",
-        "sonarsource.sonarlint-vscode@4.44.0"
+        "sonarsource.sonarlint-vscode@4.45.0"
       ],
       "settings": {
         "C_Cpp.intelliSenseEngine": "disabled",

.devcontainer/cpp/devcontainer.json

@@ -36,16 +36,16 @@
       "extensions": [
         "alexkrechik.cucumberautocomplete@3.1.0",
         "github.copilot@1.388.0",
-        "github.vscode-github-actions@0.31.0",
-        "github.vscode-pull-request-github@0.132.0",
+        "github.vscode-github-actions@0.31.2",
+        "github.vscode-pull-request-github@0.132.2",
         "jetmartin.bats@0.1.10",
         "kherring.bats-test-runner@0.1.3",
         "mhutchie.git-graph@1.30.0",
         "ms-azuretools.vscode-docker@2.0.0",
         "ms-playwright.playwright@1.1.17",
         "ms-vscode.cmake-tools@1.22.28",
-        "ms-vscode.cpptools@1.30.5",
-        "sonarsource.sonarlint-vscode@4.44.0",
+        "ms-vscode.cpptools@1.31.3",
+        "sonarsource.sonarlint-vscode@4.45.0",
         "usernamehw.errorlens@3.28.0"
       ]
     }

.devcontainer/cpp/requirements.txt

@@ -135,7 +135,7 @@ cmake==4.2.3 \
     --hash=sha256:e3dfbaeffac5848dce60b62a93eecd96b7a3eb0af6d874efc4ec0edb72ec7a24 \
     --hash=sha256:e9d3761edc558b89321283c258f3bc036d2cda4c22ecfa181a25bb84e96afd4a \
     --hash=sha256:f3693c97daaeedc931c6c2ef67b7213e60ef8e51c11050b6a7f4628f5f2a7883
-    # via -r cpp/requirements.in
+    # via -r requirements.in
 colorama==0.4.6 \
     --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \
     --hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6
@@ -146,7 +146,7 @@ colorlog==6.8.2 \
     # via gcovr
 conan==2.26.2 \
     --hash=sha256:28bfbbd276935623f1b304811335acb9d2b8ce3a57aa649e432d10d4f51ce055
-    # via -r cpp/requirements.in
+    # via -r requirements.in
 distro==1.8.0 \
     --hash=sha256:02e111d1dc6a50abb8eed6bf31c3e48ed8b0830d1ea2a1b78c61765c2513fdd8 \
     --hash=sha256:99522ca3e365cac527b44bde033f64c6945d90eb9f769703caaec52b09bbd3ff
@@ -158,7 +158,7 @@ fasteners==0.19 \
 gcovr==8.6 \
     --hash=sha256:b2e7042abca9321cadbab8a06eb34d19f801b831557b28cdc30a029313de8b9e \
     --hash=sha256:dbf9d87c38042752ad6f530aa8210427e22b526611bb7b7bfed0e81977d1f1ef
-    # via -r cpp/requirements.in
+    # via -r requirements.in
 idna==3.10 \
     --hash=sha256:12f65c9b470abda6dc35cf8e63cc574b1c52b11df2c86030af0ac09b01b13ea9 \
     --hash=sha256:946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3
@@ -328,9 +328,9 @@ markupsafe==2.1.3 \
 patch-ng==1.18.0 \
     --hash=sha256:da067628d6d5fd9dc5a55eab37951d46bd95661b7219fab364b711366abcc690
     # via conan
-pygments==2.17.2 \
-    --hash=sha256:b27c2826c47d0f3219f29554824c30c5e8945175d888647acd804ddd04af846c \
-    --hash=sha256:da46cec9fd2de5be3a8a784f434e4c4ab670b4ff54d605c4c2717e9d49c4c367
+pygments==2.20.0 \
+    --hash=sha256:6757cd03768053ff99f3039c1a36d6c0aa0b263438fcab17520b30a303a82b5f \
+    --hash=sha256:81a9e26dd42fd28a23a2d169d86d7ac03b46e2f8b59ed4698fb4785f946d0176
     # via gcovr
 python-dateutil==2.9.0.post0 \
     --hash=sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3 \
@@ -391,9 +391,9 @@ pyyaml==6.0.2 \
     --hash=sha256:f753120cb8181e736c57ef7636e83f31b9c0d1722c516f7e86cf15b7aa57ff12 \
     --hash=sha256:ff3824dc5261f50c9b0dfb3be22b4567a6f938ccce4587b38952d85fd9e9afe4
     # via conan
-requests==2.32.4 \
-    --hash=sha256:27babd3cda2a6d50b30443204ee89830707d396671944c998b5975b031ac2b2c \
-    --hash=sha256:27d0316682c8a29834d3264820024b62a36942083d52caf2f14c0591336d3422
+requests==2.33.0 \
+    --hash=sha256:3324635456fa185245e24865e810cecec7b4caf933d7eb133dcde67d48cee69b \
+    --hash=sha256:c7ebc5e8b0f21837386ad0e1c8fe8b829fa5f544d8df3b2253bff14ef29d7652
     # via conan
 six==1.16.0 \
     --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \

.devcontainer/rust/devcontainer-metadata.json

@@ -7,7 +7,7 @@
       "extensions": [
         "mhutchie.git-graph@1.30.0",
         "ms-vsliveshare.vsliveshare@1.0.5959",
-        "rust-lang.rust-analyzer@0.3.2819",
+        "rust-lang.rust-analyzer@0.3.2836",
         "tamasfe.even-better-toml@0.21.2",
         "usernamehw.errorlens@3.28.0"
       ]

.devcontainer/rust/devcontainer.json

@@ -19,14 +19,14 @@
       },
       "extensions": [
         "github.copilot@1.388.0",
-        "github.vscode-github-actions@0.31.0",
-        "github.vscode-pull-request-github@0.132.0",
+        "github.vscode-github-actions@0.31.2",
+        "github.vscode-pull-request-github@0.132.2",
         "jetmartin.bats@0.1.10",
         "kherring.bats-test-runner@0.1.3",
         "mhutchie.git-graph@1.30.0",
         "ms-azuretools.vscode-docker@2.0.0",
-        "rust-lang.rust-analyzer@0.3.2819",
-        "sonarsource.sonarlint-vscode@4.44.0",
+        "rust-lang.rust-analyzer@0.3.2836",
+        "sonarsource.sonarlint-vscode@4.45.0",
         "tamasfe.even-better-toml@0.21.2",
         "usernamehw.errorlens@3.28.0"
       ]

.github/workflows/continuous-integration.yml

@@ -47,11 +47,11 @@ jobs:
     needs: build-push-test
     if: ${{ !cancelled() }}
     steps:
-      - uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           disable-sudo: true
           egress-policy: audit
-      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           merge-multiple: true
           pattern: test-results-*