Merge branch 'main' into feature/update-rust

rjaegers · web-flow · commit f4eaca702a36 · 2025-06-25T11:31:36.000+02:00
diff --git a/.devcontainer/cpp/Dockerfile b/.devcontainer/cpp/Dockerfile
@@ -4,7 +4,6 @@ ARG BATS_VERSION=1.11.0
 ARG CCACHE_VERSION=4.11
 ARG CLANG_VERSION=18
 ARG CPM_VERSION=0.40.2
-ARG DOCKER_VERSION=27.3.1
 ARG INCLUDE_WHAT_YOU_USE_VERSION=0.22
 ARG XWIN_VERSION=0.6.5
 
@@ -32,11 +31,11 @@ RUN python3 -m pip install --break-system-packages --require-hashes --no-cache-d
  && rm -rf /tmp/requirements.txt
 
 # Set default environment options for CMake and ccache
-ENV CCACHE_DIR=/cache/.ccache
-ENV CMAKE_EXPORT_COMPILE_COMMANDS="On"
-ENV CMAKE_GENERATOR="Ninja"
-ENV CONAN_HOME=/opt/conan
-ENV CPM_SOURCE_CACHE=/cache/.cpm-cache
+ENV CCACHE_DIR=/cache/.ccache \
+    CMAKE_EXPORT_COMPILE_COMMANDS="On" \
+    CMAKE_GENERATOR="Ninja" \
+    CONAN_HOME=/opt/conan \
+    CPM_SOURCE_CACHE=/cache/.cpm-cache
 
 # Install clang toolchain and mull mutation testing framework
 COPY .devcontainer/cpp/apt-requirements-clang.json /tmp/apt-requirements-clang.json
@@ -58,11 +57,6 @@ RUN mkdir /opt/gcc-arm-none-eabi \
  && wget -qO - "https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-$(uname -m)-arm-none-eabi.tar.xz" | tar --exclude='*arm-none-eabi-gdb*' --exclude='share' --strip-components=1 -xJC /opt/gcc-arm-none-eabi
 ENV PATH="$PATH:/opt/gcc-arm-none-eabi/bin"
 
-# Install docker-cli for Docker-from-Docker tools
-RUN wget -qO - "https://download.docker.com/linux/static/stable/$(uname -m)/docker-${DOCKER_VERSION}.tgz" | tar xz -C /tmp \
- && mv /tmp/docker/docker /usr/local/bin/ \
- && rm -rf /tmp/docker
-
 # Install bats
 RUN batstmp="$(mktemp -d /tmp/bats-core-${BATS_VERSION}.XXXX)" \
  && wget -qO - https://github.com/bats-core/bats-core/archive/refs/tags/v${BATS_VERSION}.tar.gz | tar xz -C "${batstmp}" \
diff --git a/.devcontainer/cpp/devcontainer.json b/.devcontainer/cpp/devcontainer.json
@@ -8,9 +8,6 @@
     "CONTAINER_FLAVOR": "cpp",
     "NODE_EXTRA_CA_CERTS": "/usr/local/share/ca-certificates/Cisco_Umbrella_Root_CA.crt"
   },
-  "mounts": [
-    "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind"
-  ],
   "features": {
     "ghcr.io/devcontainers/features/desktop-lite:1": {},
     "ghcr.io/devcontainers/features/github-cli:1": {},
diff --git a/.devcontainer/rust/devcontainer-metadata-vscode.json b/.devcontainer/rust/devcontainer-metadata-vscode.json
@@ -7,7 +7,7 @@
       "extensions": [
         "mhutchie.git-graph@1.30.0",
         "ms-vsliveshare.vsliveshare@1.0.5948",
-        "rust-lang.rust-analyzer@0.3.2490",
+        "rust-lang.rust-analyzer@0.3.2500",
         "tamasfe.even-better-toml@0.21.2",
         "usernamehw.errorlens@3.26.0"
       ]
diff --git a/.devcontainer/rust/devcontainer.json b/.devcontainer/rust/devcontainer.json
@@ -7,9 +7,6 @@
   "remoteEnv": {
     "CONTAINER_FLAVOR": "rust"
   },
-  "mounts": [
-    "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind"
-  ],
   "customizations": {
     "vscode": {
       "settings": {
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
@@ -16,7 +16,11 @@ permissions: {}
 jobs:
   build-push-test:
     uses: ./.github/workflows/wc-build-push-test.yml
-    secrets: inherit
+    secrets:
+      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
+      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
+      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
+      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
     permissions:
       actions: read
       attestations: write
diff --git a/.github/workflows/pr-conventional-title.yml b/.github/workflows/pr-conventional-title.yml
@@ -29,7 +29,7 @@ jobs:
             doesn't start with an uppercase character.
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
+      - uses: marocchino/sticky-pull-request-comment@d2ad0de260ae8b0235ce059e63f2949ba9e05943 # v2.9.3
         if: always() && steps.pr-title.outputs.error_message != null
         with:
           header: pr-title-lint-error
@@ -43,7 +43,7 @@ jobs:
             ${{ steps.pr-title.outputs.error_message }}
 
       - if: steps.pr-title.outputs.error_message == null
-        uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
+        uses: marocchino/sticky-pull-request-comment@d2ad0de260ae8b0235ce059e63f2949ba9e05943 # v2.9.3
         with:
           header: pr-title-lint-error
           delete: true
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
@@ -17,7 +17,11 @@ permissions: {}
 jobs:
   build-push-test:
     uses: ./.github/workflows/wc-build-push-test.yml
-    secrets: inherit
+    secrets:
+      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
+      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
+      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
+      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
     permissions:
       actions: read
       attestations: write
@@ -31,6 +35,8 @@ jobs:
       enable-cache: false
   apply-release-notes-template:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
         with:
@@ -54,6 +60,8 @@ jobs:
       matrix:
         flavor: [cpp, rust]
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     needs: [build-push-test, apply-release-notes-template]
     env:
       CONTAINER_FLAVOR: ${{ matrix.flavor }}
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
@@ -21,7 +21,7 @@ jobs:
       contents: write
       pull-requests: write
     steps:
-      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+      - uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
         with:
           egress-policy: audit
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
@@ -20,7 +20,7 @@ jobs:
       - uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
         with:
           egress-policy: audit
-      - uses: crazy-max/ghaction-container-scan@74ce8ef8146e9632a852a8f79744bbcab1a527ee # v3.1.0
+      - uses: crazy-max/ghaction-container-scan@4d8e0acba576e46016cbd65b9ecfc604e85e3990 # v3.2.0
         id: scan
         with:
           image: ghcr.io/${{ github.repository }}-${{ matrix.flavor }}:latest
diff --git a/.github/workflows/wc-acceptance-test.yml b/.github/workflows/wc-acceptance-test.yml
@@ -7,6 +7,15 @@ on:
       flavor:
         required: true
         type: string
+    secrets:
+      TEST_GITHUB_TOKEN:
+        required: true
+      TEST_GITHUB_USER:
+        required: true
+      TEST_GITHUB_PASSWORD:
+        required: true
+      TEST_GITHUB_TOTP_SECRET:
+        required: true
 
 concurrency:
   group: ${{ github.workflow }}
diff --git a/.github/workflows/wc-build-push-test.yml b/.github/workflows/wc-build-push-test.yml
@@ -8,6 +8,15 @@ on:
         required: false
         type: boolean
         default: true
+    secrets:
+      TEST_GITHUB_TOKEN:
+        required: true
+      TEST_GITHUB_USER:
+        required: true
+      TEST_GITHUB_PASSWORD:
+        required: true
+      TEST_GITHUB_TOTP_SECRET:
+        required: true
 
 permissions:
   contents: read
@@ -37,7 +46,7 @@ jobs:
     needs: build-push
     if: github.event_name == 'pull_request'
     steps:
-      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+      - uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
         with:
           egress-policy: audit
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -55,7 +64,6 @@ jobs:
         runner: ["ubuntu-latest", "ubuntu-24.04-arm"]
     needs: build-push
     uses: ./.github/workflows/wc-integration-test.yml
-    secrets: inherit
     with:
       flavor: ${{ matrix.flavor }}
       runner: ${{ matrix.runner }}
@@ -66,7 +74,11 @@ jobs:
         flavor: [cpp]
     needs: build-push
     uses: ./.github/workflows/wc-acceptance-test.yml
-    secrets: inherit
+    secrets:
+      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
+      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
+      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
+      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
     with:
       flavor: ${{ matrix.flavor }}
 
diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml
@@ -34,7 +34,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
-      - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
       - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ${{ env.REGISTRY }}
@@ -108,7 +108,7 @@ jobs:
           path: ${{ runner.temp }}/digests
           pattern: digests-${{ inputs.flavor }}-*
           merge-multiple: true
-      - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
       - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ${{ env.REGISTRY }}
@@ -165,7 +165,7 @@ jobs:
         with:
           from-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}:edge
           to-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}:${{ steps.metadata.outputs.version }}
-      - uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
+      - uses: marocchino/sticky-pull-request-comment@d2ad0de260ae8b0235ce059e63f2949ba9e05943 # v2.9.3
         with:
           header: container-size-diff-${{ inputs.flavor }}
           message: |
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -2,12 +2,12 @@
   "name": "amp-devcontainer-tests",
   "version": "1.0.0",
   "devDependencies": {
-    "@playwright/test": "^1.53.0",
-    "@types/node": "^24.0.2",
+    "@playwright/test": "^1.53.1",
+    "@types/node": "^24.0.3",
     "dotenv": "^16.5.0",
     "nodemon": "^3.1.10",
     "otpauth": "^9.4.0",
-    "playwright-bdd": "^8.3.0"
+    "playwright-bdd": "^8.3.1"
   },
   "scripts": {
     "test": "cd $INIT_CWD && npx bddgen && npx playwright test",
diff --git a/test/cpp/integration-tests.bats b/test/cpp/integration-tests.bats
@@ -190,12 +190,6 @@ teardown() {
   assert_output "Hello World!"
 }
 
-@test "when the docker socket is mounted, using the docker cli should give access to the host docker daemon" {
-  run docker info
-  assert_success
-  assert_output --partial "Server Version:"
-}
-
 @test "sanitizers should detect undefined or suspicious behavior in code compiled with gcc" {
   build_and_run_with_sanitizers gcc
 }

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@`
`7`	`7`	`"extensions": [`
`8`	`8`	`"mhutchie.git-graph@1.30.0",`
`9`	`9`	`"ms-vsliveshare.vsliveshare@1.0.5948",`
`10`		`- "rust-lang.rust-analyzer@0.3.2490",`
	`10`	`+ "rust-lang.rust-analyzer@0.3.2500",`
`11`	`11`	`"tamasfe.even-better-toml@0.21.2",`
`12`	`12`	`"usernamehw.errorlens@3.26.0"`
`13`	`13`	`]`