From 02e1cf4bef4adfdcc260ddd5eb9e1c6823b9e938 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Dec 2025 19:17:03 +0000 Subject: [PATCH 01/15] chore(deps): bump js-yaml in the npm_and_yarn group across 1 directory Bumps the npm_and_yarn group with 1 update in the / directory: [js-yaml](https://github.com/nodeca/js-yaml). Updates `js-yaml` from 4.1.0 to 4.1.1 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](https://github.com/nodeca/js-yaml/compare/4.1.0...4.1.1) --- updated-dependencies: - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] --- yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yarn.lock b/yarn.lock index fa96151173..6568a76631 100644 --- a/yarn.lock +++ b/yarn.lock @@ -4344,9 +4344,9 @@ jquery@3.7.1: integrity sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ== js-yaml@^4.1.0: - version "4.1.0" - resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-4.1.0.tgz#c1fb65f8f5017901cdd2c951864ba18458a10602" - integrity sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA== + version "4.1.1" + resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-4.1.1.tgz#854c292467705b699476e1a2decc0c8a3458806b" + integrity sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA== dependencies: argparse "^2.0.1" From a25f012e8aa793f7bf69a50b8108c245660d9991 Mon Sep 17 00:00:00 2001 
From: Cody Kickertz Date: Thu, 18 Dec 2025 13:27:53 -0600 Subject: [PATCH 02/15] Add SonarCloud analysis workflow This workflow triggers a SonarCloud analysis of the code and populates GitHub Code Scanning alerts with vulnerabilities found. --- .github/workflows/sonarcloud.yml | 67 ++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 .github/workflows/sonarcloud.yml diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml new file mode 100644 index 0000000000..0f2ef9e2ca --- /dev/null +++ b/.github/workflows/sonarcloud.yml 
@@ -0,0 +1,67 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow helps you trigger a SonarCloud analysis of your code and populates +# GitHub Code Scanning alerts with the vulnerabilities found. +# Free for open source project. + +# 1. Login to SonarCloud.io using your GitHub account + +# 2. Import your project on SonarCloud +# * Add your GitHub organization first, then add your repository as a new project. +# * Please note that many languages are eligible for automatic analysis, +# which means that the analysis will start automatically without the need to set up GitHub Actions. +# * This behavior can be changed in Administration > Analysis Method. +# +# 3. Follow the SonarCloud in-product tutorial +# * a. Copy/paste the Project Key and the Organization Key into the args parameter below +# (You'll find this information in SonarCloud. Click on "Information" at the bottom left) +# +# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# (On SonarCloud, click on your avatar on top-right > My account > Security +# or go directly to https://sonarcloud.io/account/security/) + +# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) +# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) + +name: SonarCloud analysis + +on: + push: + branches: [ "develop", "Core" ] + pull_request: + branches: [ "develop" ] + workflow_dispatch: + +permissions: + pull-requests: read # allows SonarCloud to decorate PRs with analysis results + +jobs: + Analysis: + runs-on: ubuntu-latest + + steps: + - name: Analyze with SonarCloud + + # You can pin the exact commit or the version. 
+ # uses: SonarSource/sonarcloud-github-action@v2.2.0 + uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216 + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + with: + # Additional arguments for the SonarScanner CLI + args: + # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) + # mandatory + -Dsonar.projectKey= + -Dsonar.organization= + # Comma-separated paths to directories containing main source files. + #-Dsonar.sources= # optional, default is project base directory + # Comma-separated paths to directories containing test source files. + #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + #-Dsonar.verbose= # optional, default is false + # When you need the analysis to take place in a directory other than the one from which it was launched, default is . + projectBaseDir: . From 97bf43626960f68ae3c5911ec4dcb63d534501de Mon Sep 17 00:00:00 2001 From: Cody Kickertz Date: Thu, 18 Dec 2025 13:29:57 -0600 Subject: [PATCH 03/15] Add GitHub Super Linter workflow This workflow runs multiple linters on code changes in the 'develop' branch for both pushes and pull requests. --- .github/workflows/super-linter.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/workflows/super-linter.yml diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml new file mode 100644 index 0000000000..ac124ceead --- /dev/null +++ b/.github/workflows/super-linter.yml 
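Review bot: The `Analysis` job has no `actions/checkout` step before `Analyze with SonarCloud`, and `-Dsonar.projectKey=` / `-Dsonar.organization=` are left empty, so as committed the scanner appears to have no sources and no project to report to. Add a checkout step (`uses: actions/checkout@v4` with `fetch-depth: 0`) and fill in both keys. Because `permissions:` lists only `pull-requests: read`, every other scope including `contents` is set to none, so a private repository would also need `contents: read` for the checkout. Pull requests from forks do not receive `secrets.SONAR_TOKEN`, so the `pull_request` trigger will fail for them unless the scan step is guarded.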
@@ -0,0 +1,29 @@ +# This workflow executes several linters on changed files based on languages used in your code base whenever +# you push a code or open a pull request. +# +# You can adjust the behavior by modifying this file. +# For more information, see: +# https://github.com/github/super-linter +name: Lint Code Base + +on: + push: + branches: [ "develop" ] + pull_request: + branches: [ "develop" ] +jobs: + run-lint: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + # Full git history is needed to get a proper list of changed files within `super-linter` + fetch-depth: 0 + + - name: Lint Code Base + uses: github/super-linter@v4 + env: + VALIDATE_ALL_CODEBASE: false + DEFAULT_BRANCH: "develop" + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 6a76b0b89d13ea493e79ad672996747bb95f7ec3 Mon Sep 17 00:00:00 2001 From: Cody Kickertz Date: Thu, 18 Dec 2025 13:30:49 -0600 Subject: [PATCH 04/15] Add Trivy vulnerability scanning workflow --- .github/workflows/trivy.yml | 48 +++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 .github/workflows/trivy.yml diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644 index 0000000000..1ebbef4531 --- /dev/null +++ b/.github/workflows/trivy.yml 
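Review bot: The workflow declares no `permissions:` block, so the `secrets.GITHUB_TOKEN` handed to the `Lint Code Base` step carries whatever default scope the repository or organization grants, which may include write access to contents. Add a top-level `permissions:` with `contents: read` and `statuses: write`, which should be enough for the linter to read the tree and post commit statuses. Stating the scope in the file also keeps the grant stable if the repository default changes later.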
@@ -0,0 +1,48 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: trivy + +on: + push: + branches: [ "develop", "Core" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "develop" ] + schedule: + - cron: '19 12 * * 3' + +permissions: + contents: read + +jobs: + build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Build + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build an image from Dockerfile + run: | + docker build -t docker.io/my-organization/my-app:${{ github.sha }} . + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + with: + image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' From 81b3814c1aa1a1035e17a2a50c4ef547a2837ebb Mon Sep 17 00:00:00 2001 
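Review bot: On the `pull_request` trigger the `Upload Trivy scan results to GitHub Security tab` step will likely fail for pull requests from forks, because the token for those runs is read-only by default and the job-level `security-events: write` is not granted. Guard the upload, for example `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. The image name `docker.io/my-organization/my-app` in the build command and in `image-ref` is still the template placeholder and should be replaced with the project's own tag.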
From: admin Date: Thu, 18 Dec 2025 13:34:45 -0600 Subject: [PATCH 05/15] ci: fix workflow configs and add dependabot - SonarCloud: add proper projectKey and organization - Trivy: fix image reference, add schedule comment - Super Linter: upgrade to v6, configure linter selection - Add Dependabot for NuGet, npm, Docker, GitHub Actions --- .github/dependabot.yml | 60 +++++++++++++++++++---- .github/workflows/sonarcloud.yml | 77 ++++++++++-------------------- .github/workflows/super-linter.yml | 41 ++++++++++------ .github/workflows/trivy.yml | 42 +++++++--------- 4 files changed, 120 insertions(+), 100 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index f33a02cd16..1eaf7a5cfa 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -1,12 +1,54 @@ -# To get started with Dependabot version updates, you'll need to specify which -# package ecosystems to update and where the package manifests are located. -# Please see the documentation for more information: -# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates -# https://containers.dev/guide/dependabot +# Dependabot configuration for automated dependency updates +# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates version: 2 updates: - - package-ecosystem: "devcontainers" - directory: "/" - schedule: - interval: weekly + # NuGet (.NET packages) + - package-ecosystem: nuget + directory: / + schedule: + interval: weekly + day: monday + open-pull-requests-limit: 5 + labels: + - dependencies + - .net + commit-message: + prefix: "chore(deps)" + + # npm (frontend) + - package-ecosystem: npm + directory: /frontend + schedule: + interval: weekly + day: monday + open-pull-requests-limit: 5 + labels: + - dependencies + - frontend + commit-message: + prefix: "chore(deps)" + + # Docker (base images) + - package-ecosystem: docker + directory: / + schedule: + interval: weekly + day: monday + labels: + - dependencies + - docker + commit-message: + prefix: "chore(deps)" + + # GitHub Actions + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + day: monday + labels: + - dependencies + - ci + commit-message: + prefix: "ci(deps)" diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml index 0f2ef9e2ca..4c66a52a53 100644 --- a/.github/workflows/sonarcloud.yml +++ b/.github/workflows/sonarcloud.yml 
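Review bot: The `npm` entry points at `directory: /frontend`, but the lockfile patched earlier in this series is `yarn.lock` at the repository root and that Dependabot commit message says the update was in the `/` directory, so this entry may not find a manifest to update. If `package.json` lives at the root, use `directory: /` for the npm ecosystem. The hunk also drops the existing `devcontainers` entry; if the repository still ships a dev container definition, keep that block alongside the new ones.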
@@ -1,67 +1,38 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow helps you trigger a SonarCloud analysis of your code and populates -# GitHub Code Scanning alerts with the vulnerabilities found. -# Free for open source project. - -# 1. Login to SonarCloud.io using your GitHub account - -# 2. Import your project on SonarCloud -# * Add your GitHub organization first, then add your repository as a new project. -# * Please note that many languages are eligible for automatic analysis, -# which means that the analysis will start automatically without the need to set up GitHub Actions. -# * This behavior can be changed in Administration > Analysis Method. +# SonarCloud analysis for code quality and security # -# 3. Follow the SonarCloud in-product tutorial -# * a. Copy/paste the Project Key and the Organization Key into the args parameter below -# (You'll find this information in SonarCloud. Click on "Information" at the bottom left) -# -# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN -# (On SonarCloud, click on your avatar on top-right > My account > Security -# or go directly to https://sonarcloud.io/account/security/) +# Setup required: +# 1. Create project at sonarcloud.io using your GitHub account +# 2. Add SONAR_TOKEN secret to repository (Settings > Secrets > Actions) +# 3. 
Update projectKey and organization below -# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) -# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) - -name: SonarCloud analysis +name: SonarCloud on: push: - branches: [ "develop", "Core" ] + branches: [develop, main] pull_request: - branches: [ "develop" ] + branches: [develop] workflow_dispatch: permissions: - pull-requests: read # allows SonarCloud to decorate PRs with analysis results + pull-requests: read jobs: - Analysis: + analyze: runs-on: ubuntu-latest - steps: - - name: Analyze with SonarCloud - - # You can pin the exact commit or the version. - # uses: SonarSource/sonarcloud-github-action@v2.2.0 - uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216 - env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + - name: Checkout + uses: actions/checkout@v4 with: - # Additional arguments for the SonarScanner CLI - args: - # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) - # mandatory - -Dsonar.projectKey= - -Dsonar.organization= - # Comma-separated paths to directories containing main source files. - #-Dsonar.sources= # optional, default is project base directory - # Comma-separated paths to directories containing test source files. - #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ - # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. 
- #-Dsonar.verbose= # optional, default is false - # When you need the analysis to take place in a directory other than the one from which it was launched, default is . - projectBaseDir: . + fetch-depth: 0 + + - name: SonarCloud Scan + uses: SonarSource/sonarcloud-github-action@v2 + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + with: + args: > + -Dsonar.projectKey=cheir-mneme_aletheia + -Dsonar.organization=cheir-mneme + -Dsonar.sources=src + -Dsonar.exclusions=**/node_modules/**,**/bin/**,**/obj/**,**/*.min.js diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml index ac124ceead..7c42b95935 100644 --- a/.github/workflows/super-linter.yml +++ b/.github/workflows/super-linter.yml 
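Review bot: `uses: SonarSource/sonarcloud-github-action@v2` replaces the full commit SHA pin (`@4006f663ecaf1f8093e8e4abb9227f6041f52216`) with a movable tag, and this is the step that receives `secrets.SONAR_TOKEN`. Keep the SHA and record the version it corresponds to in a trailing comment (the removed comment suggests v2.2.0); the `github-actions` Dependabot entry added in this same commit can keep SHA pins current. The same regression appears in the trivy.yml hunk of this commit, where the SHA pin becomes `aquasecurity/trivy-action@master`, a branch, so every run executes whatever is at its tip in a job that holds `security-events: write`. `super-linter/super-linter/slim@v6` in the super-linter.yml hunk is likewise a tag and receives `GITHUB_TOKEN`.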
@@ -1,29 +1,42 @@ -# This workflow executes several linters on changed files based on languages used in your code base whenever -# you push a code or open a pull request. -# -# You can adjust the behavior by modifying this file. -# For more information, see: -# https://github.com/github/super-linter +# Super Linter for code quality checks on changed files +# https://github.com/super-linter/super-linter + name: Lint Code Base on: push: - branches: [ "develop" ] + branches: [develop, main] pull_request: - branches: [ "develop" ] + branches: [develop] + +permissions: + contents: read + statuses: write + jobs: - run-lint: + lint: runs-on: ubuntu-latest steps: - - name: Checkout code + - name: Checkout uses: actions/checkout@v4 with: - # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 - name: Lint Code Base - uses: github/super-linter@v4 + uses: super-linter/super-linter/slim@v6 env: - VALIDATE_ALL_CODEBASE: false - DEFAULT_BRANCH: "develop" GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + DEFAULT_BRANCH: develop + VALIDATE_ALL_CODEBASE: false + # C# linting handled by dotnet build + VALIDATE_CSHARP: false + # TypeScript/JavaScript + VALIDATE_TYPESCRIPT_ES: true + VALIDATE_JAVASCRIPT_ES: true + # Config files + VALIDATE_YAML: true + VALIDATE_JSON: true + VALIDATE_DOCKERFILE_HADOLINT: true + # Disable noisy linters + VALIDATE_JSCPD: false + VALIDATE_NATURAL_LANGUAGE: false diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 1ebbef4531..c2bf576694 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml 
@@ -1,48 +1,42 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. +# Trivy vulnerability scanner for container images +# Scans Docker images for CVEs and uploads results to GitHub Security tab -name: trivy +name: Trivy Security Scan on: push: - branches: [ "develop", "Core" ] + branches: [develop, main] pull_request: - # The branches below must be a subset of the branches above - branches: [ "develop" ] + branches: [develop] schedule: - - cron: '19 12 * * 3' + - cron: '0 6 * * 1' # Weekly on Monday at 6am UTC permissions: contents: read + security-events: write + actions: read jobs: - build: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - name: Build + scan: runs-on: ubuntu-latest steps: - - name: Checkout code + - name: Checkout uses: actions/checkout@v4 - - name: Build an image from Dockerfile - run: | - docker build -t docker.io/my-organization/my-app:${{ github.sha }} . + - name: Build Docker image + run: docker build -t ghcr.io/cheir-mneme/aletheia:${{ github.sha }} . 
- name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + uses: aquasecurity/trivy-action@master with: - image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' - format: 'template' - template: '@/contrib/sarif.tpl' + image-ref: 'ghcr.io/cheir-mneme/aletheia:${{ github.sha }}' + format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' + ignore-unfixed: true - - name: Upload Trivy scan results to GitHub Security tab + - name: Upload Trivy results to GitHub Security uses: github/codeql-action/upload-sarif@v3 + if: always() with: sarif_file: 'trivy-results.sarif' From 4fe3c5f48314fa22ffbecfe9a44ef30f7bbf1a2d Mon Sep 17 00:00:00 2001 From: admin Date: Thu, 18 Dec 2025 13:37:45 -0600 Subject: [PATCH 06/15] fix(ci): correct Dockerfile path and skip SonarCloud when token missing --- .github/workflows/sonarcloud.yml | 12 ++++++++++++ .github/workflows/trivy.yml | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml index 4c66a52a53..8cb2ce9f52 100644 --- a/.github/workflows/sonarcloud.yml +++ b/.github/workflows/sonarcloud.yml @@ -21,12 +21,24 @@ jobs: analyze: runs-on: ubuntu-latest steps: + - name: Check for SONAR_TOKEN + id: check-secret + run: | + if [ -n "${{ secrets.SONAR_TOKEN }}" ]; then + echo "available=true" >> $GITHUB_OUTPUT + else + echo "available=false" >> $GITHUB_OUTPUT + echo "::warning::SONAR_TOKEN not configured - skipping SonarCloud scan" + fi + - name: Checkout + if: steps.check-secret.outputs.available == 'true' uses: actions/checkout@v4 with: fetch-depth: 0 - name: SonarCloud Scan + if: steps.check-secret.outputs.available == 'true' uses: SonarSource/sonarcloud-github-action@v2 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index c2bf576694..9f0dcdc71e 100644 --- a/.github/workflows/trivy.yml 
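Review bot: `ignore-unfixed: true` together with `severity: 'CRITICAL,HIGH'` means a critical vulnerability with no patched release never reaches the Security tab, and nothing in the file records that this is intentional. If the filter is wanted to keep alerts actionable, say so next to it, e.g. `# unfixed findings are suppressed here; review them separately`, or leave it off for the scheduled run. The `permissions:` block also moves from the job to the workflow level, so any job added later inherits `security-events: write`; keeping it on the `scan` job preserves the narrower grant.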
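Review bot: The `Check for SONAR_TOKEN` step expands `${{ secrets.SONAR_TOKEN }}` directly into the script text, so the secret value becomes part of the shell source before it runs and any quote or `$` in it changes what the shell parses. Pass it through the environment instead: add `env:` with `SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}` to the step and test `if [ -n "$SONAR_TOKEN" ]; then`. Quote the redirect target as well, `>> "$GITHUB_OUTPUT"`, as build.yml already does for `"$GITHUB_ENV"`.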
+++ b/.github/workflows/trivy.yml @@ -24,7 +24,7 @@ jobs: uses: actions/checkout@v4 - name: Build Docker image - run: docker build -t ghcr.io/cheir-mneme/aletheia:${{ github.sha }} . + run: docker build -t ghcr.io/cheir-mneme/aletheia:${{ github.sha }} -f docker/Dockerfile . - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master From f7098a3a496790412fe1d3d3a7b9d1bde90e2ee4 Mon Sep 17 00:00:00 2001 From: admin Date: Thu, 18 Dec 2025 13:39:07 -0600 Subject: [PATCH 07/15] fix(ci): use filesystem scan instead of image scan for Trivy --- .github/workflows/trivy.yml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 9f0dcdc71e..449e322476 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -1,5 +1,6 @@ -# Trivy vulnerability scanner for container images -# Scans Docker images for CVEs and uploads results to GitHub Security tab +# Trivy vulnerability scanner +# Scans for CVEs in filesystem/dependencies and uploads to GitHub Security tab +# Note: Image scanning requires built artifacts, use release workflow for that name: Trivy Security Scan @@ -23,13 +24,11 @@ jobs: - name: Checkout uses: actions/checkout@v4 - - name: Build Docker image - run: docker build -t ghcr.io/cheir-mneme/aletheia:${{ github.sha }} -f docker/Dockerfile . - - - name: Run Trivy vulnerability scanner + - name: Run Trivy filesystem scanner uses: aquasecurity/trivy-action@master with: - image-ref: 'ghcr.io/cheir-mneme/aletheia:${{ github.sha }}' + scan-type: 'fs' + scan-ref: '.' format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' From 1119dfaf56ae342d4892522c69cedad5f9d632f0 Mon Sep 17 00:00:00 2001 From: admin Date: Thu, 18 Dec 2025 13:42:17 -0600 Subject: [PATCH 08/15] fix(ci): use exclusion-only config for super-linter --- .github/workflows/super-linter.yml | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) 
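Review bot: Switching to `scan-type: 'fs'` removes the only check of the container image, so OS packages pulled in by the base image of `docker/Dockerfile` are no longer scanned by this workflow. The new header comment defers image scanning to a release workflow that is not part of this patch; name that workflow file in the comment, or keep an image scan on the weekly `schedule` trigger so the gap is covered.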
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml index 7c42b95935..29a45f3aa1 100644 --- a/.github/workflows/super-linter.yml +++ b/.github/workflows/super-linter.yml @@ -28,15 +28,9 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} DEFAULT_BRANCH: develop VALIDATE_ALL_CODEBASE: false - # C# linting handled by dotnet build + # Disable linters not needed for this project VALIDATE_CSHARP: false - # TypeScript/JavaScript - VALIDATE_TYPESCRIPT_ES: true - VALIDATE_JAVASCRIPT_ES: true - # Config files - VALIDATE_YAML: true - VALIDATE_JSON: true - VALIDATE_DOCKERFILE_HADOLINT: true - # Disable noisy linters VALIDATE_JSCPD: false VALIDATE_NATURAL_LANGUAGE: false + VALIDATE_MARKDOWN: false + VALIDATE_GITLEAKS: false From d2da953d27269af38d377acc17a65e16b12edca1 Mon Sep 17 00:00:00 2001 From: admin Date: Thu, 18 Dec 2025 13:46:50 -0600 Subject: [PATCH 09/15] fix(ci): disable checkov and github_actions linters in super-linter --- .github/workflows/super-linter.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml index 29a45f3aa1..24dcbfe7b7 100644 --- a/.github/workflows/super-linter.yml +++ b/.github/workflows/super-linter.yml @@ -28,9 +28,11 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} DEFAULT_BRANCH: develop VALIDATE_ALL_CODEBASE: false - # Disable linters not needed for this project + # Disable linters not needed or handled elsewhere VALIDATE_CSHARP: false VALIDATE_JSCPD: false VALIDATE_NATURAL_LANGUAGE: false VALIDATE_MARKDOWN: false VALIDATE_GITLEAKS: false + VALIDATE_CHECKOV: false + VALIDATE_GITHUB_ACTIONS: false From ff176f6c2e1e9b936a0838fe788ad85e1a940016 Mon Sep 17 00:00:00 2001 
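Review bot: `VALIDATE_GITLEAKS: false` turns off secret detection under the comment "Disable linters not needed for this project", and the following commit's hunk in the same file adds `VALIDATE_CHECKOV: false` and `VALIDATE_GITHUB_ACTIONS: false`, which removes the infrastructure-as-code and workflow linting as well. Moving to an exclusion-only list does not by itself require disabling these three, and nothing in this series shows a replacement for them. If they fail on existing findings, prefer a baseline or per-tool config file, and otherwise state on each line where the check now runs, e.g. `# secrets scanning: handled by <other workflow>`.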
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Dec 2025 19:56:59 +0000 Subject: [PATCH 10/15] ci(deps): bump actions/checkout from 4 to 6 Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- .github/workflows/sonarcloud.yml | 2 +- .github/workflows/super-linter.yml | 2 +- .github/workflows/trivy.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 480b768aa4..6a177affcf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -28,7 +28,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: fetch-depth: 1 diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml index 8cb2ce9f52..d20e22a6fa 100644 --- a/.github/workflows/sonarcloud.yml +++ b/.github/workflows/sonarcloud.yml @@ -33,7 +33,7 @@ jobs: - name: Checkout if: steps.check-secret.outputs.available == 'true' - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml index 24dcbfe7b7..e02b0ed0e0 100644 --- a/.github/workflows/super-linter.yml +++ b/.github/workflows/super-linter.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 449e322476..774d5f135b 100644 
--- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Run Trivy filesystem scanner uses: aquasecurity/trivy-action@master From f483306517a04d7cf1e37de2879e500a20fd31a9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Dec 2025 19:57:03 +0000 Subject: [PATCH 11/15] ci(deps): bump actions/cache from 4 to 5 Bumps [actions/cache](https://github.com/actions/cache) from 4 to 5. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/cache dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 480b768aa4..c77587f8f6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -42,7 +42,7 @@ jobs: echo "DATE=$(date --rfc-3339=date)" >> "$GITHUB_ENV" - name: Cache NuGet packages - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: _cache/nuget key: nuget-${{ runner.os }}-${{ hashFiles('src/Directory.Packages.props', 'src/**/*.csproj', 'global.json') }} @@ -50,7 +50,7 @@ jobs: nuget-${{ runner.os }}- - name: Cache Node modules - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: | _cache/node @@ -60,7 +60,7 @@ jobs: node-${{ runner.os }}- - name: Cache MSBuild outputs - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: _cache/msbuild key: msbuild-${{ runner.os }}-${{ hashFiles('src/**/*.cs', 'src/**/*.csproj', 'src/**/*.targets', 'src/**/*.props') }} 
@@ -69,7 +69,7 @@ jobs: msbuild-${{ runner.os }}- - name: Cache Webpack - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: _cache/webpack key: webpack-${{ runner.os }}-${{ hashFiles('frontend/src/**/*', 'yarn.lock') }} From 16aef7e9006e4cf8055cfa00da20c5f3c7c26681 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Dec 2025 19:57:07 +0000 Subject: [PATCH 12/15] ci(deps): bump codecov/codecov-action from 4 to 5 Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4 to 5. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/v4...v5) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 480b768aa4..c80a0fcdb0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -118,7 +118,7 @@ jobs: reporttypes: "HtmlInline;Cobertura;TextSummary" - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@v5 if: always() continue-on-error: true with: From 59c18967cc088b657afdf43e98b260b42e297fb5 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Dec 2025 19:57:10 +0000 Subject: [PATCH 13/15] ci(deps): bump dessant/label-actions from 3 to 5 Bumps [dessant/label-actions](https://github.com/dessant/label-actions) from 3 to 5. - [Release notes](https://github.com/dessant/label-actions/releases) - [Changelog](https://github.com/dessant/label-actions/blob/main/CHANGELOG.md) - [Commits](https://github.com/dessant/label-actions/compare/v3...v5) --- updated-dependencies: - dependency-name: dessant/label-actions dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/label-actions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/label-actions.yml b/.github/workflows/label-actions.yml index a7fc89446a..1ae680fc8d 100644 --- a/.github/workflows/label-actions.yml +++ b/.github/workflows/label-actions.yml @@ -12,6 +12,6 @@ jobs: action: runs-on: ubuntu-latest steps: - - uses: dessant/label-actions@v3 + - uses: dessant/label-actions@v5 with: process-only: 'issues' From f5bee00f7cdd0a29dc9b6057a15faf44625fcd70 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Dec 2025 20:00:46 +0000 Subject: [PATCH 14/15] Bump the nuget group with 1 update Bumps System.Private.Uri from 4.3.0 to 4.3.2 --- updated-dependencies: - dependency-name: System.Private.Uri dependency-version: 4.3.2 dependency-type: direct:production dependency-group: nuget - dependency-name: System.Private.Uri dependency-version: 4.3.2 dependency-type: direct:production dependency-group: nuget ... Signed-off-by: dependabot[bot] --- src/NzbDrone.Common/Radarr.Common.csproj | 1 + 1 file changed, 1 insertion(+) diff --git a/src/NzbDrone.Common/Radarr.Common.csproj b/src/NzbDrone.Common/Radarr.Common.csproj index 8a25ce5619..27ea960f82 100644 
--- a/src/NzbDrone.Common/Radarr.Common.csproj +++ b/src/NzbDrone.Common/Radarr.Common.csproj @@ -27,6 +27,7 @@ + True True From 1f754424361df0e357a60d82cf1c4bc9383c7de7 Mon Sep 17 00:00:00 2001 From: admin Date: Thu, 18 Dec 2025 14:10:59 -0600 Subject: [PATCH 15/15] docs: update CLA to reference Aletheia --- CLA.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CLA.md b/CLA.md index 05ce7890dd..5a1b566bf3 100644 --- a/CLA.md +++ b/CLA.md @@ -1,6 +1,6 @@ -# Radarr Individual Contributor License Agreement # +# Aletheia Individual Contributor License Agreement # -Thank you for your interest in contributing to Radarr ("We" or "Us"). +Thank you for your interest in contributing to Aletheia ("We" or "Us"). This contributor agreement ("Agreement") documents the rights granted by contributors to Us. To make this document effective, please complete the form below. This is a legally binding document, so please read it carefully before agreeing to it. The Agreement may cover more than one software project managed by Us. ## 1. Definitions ##