Merge remote-tracking branch 'origin/main' into docker-rename

.github/CODEOWNERS

@@ -1,2 +1,2 @@
 # All PRs to V1 must be approved by Frooodle
-* @Frooodle
+* @Frooodle @reecebrowne @Ludy87 @DarioGii

.github/dependabot.yml

@@ -11,7 +11,13 @@ updates:
       interval: "weekly"
     open-pull-requests-limit: 10
     rebase-strategy: "auto"
+
   - package-ecosystem: "docker"
     directory: "/" # Location of Dockerfile
     schedule:
       interval: "weekly"
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly

.github/release.yml

@@ -9,7 +9,7 @@ changelog:
     - title: Bug Fixes
       labels:
         - Bug
-    
+
     - title: Enhancements
       labels:
         - enhancement
@@ -26,7 +26,7 @@ changelog:
     - title: Translation Changes
       labels:
         - Translation
-    
+
     - title: Other Changes
       labels:
         - "*"

.github/workflows/PR-Demo-Comment.yml

@@ -8,14 +8,14 @@ jobs:
   check-comment:
     runs-on: ubuntu-latest
     if: |
-      github.event.issue.pull_request && 
+      github.event.issue.pull_request &&
       (
       contains(github.event.comment.body, 'prdeploy') ||
       contains(github.event.comment.body, 'deploypr')
       )
-      && 
+      &&
       (
-        github.event.comment.user.login == 'frooodle' || 
+        github.event.comment.user.login == 'frooodle' ||
         github.event.comment.user.login == 'sf298' ||
         github.event.comment.user.login == 'Ludy87' ||
         github.event.comment.user.login == 'LaserKaspar' ||
@@ -28,9 +28,14 @@ jobs:
       pr_ref: ${{ steps.get-pr-info.outputs.ref }}
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - name: Get PR data
         id: get-pr
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const prNumber = context.payload.issue.number;
@@ -39,41 +44,46 @@ jobs:
 
       - name: Get PR repository and ref
         id: get-pr-info
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const { owner, repo } = context.repo;
             const prNumber = context.payload.issue.number;
-            
+
             const { data: pr } = await github.rest.pulls.get({
               owner,
               repo,
               pull_number: prNumber,
             });
-            
+
             // For forks, use the full repository name, for internal PRs use the current repo
             const repository = pr.head.repo.fork ? pr.head.repo.full_name : `${owner}/${repo}`;
-            
+
             console.log(`PR Repository: ${repository}`);
             console.log(`PR Branch: ${pr.head.ref}`);
-            
+
             core.setOutput('repository', repository);
             core.setOutput('ref', pr.head.ref);
 
   deploy-pr:
     needs: check-comment
     runs-on: ubuntu-latest
-    
+
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - name: Checkout PR
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: ${{ needs.check-comment.outputs.pr_repository }}
           ref: ${{ needs.check-comment.outputs.pr_ref }}
           token: ${{ secrets.GITHUB_TOKEN }}
-      
+
       - name: Set up JDK
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
         with:
           java-version: '17'
           distribution: 'temurin'
@@ -84,20 +94,20 @@ jobs:
           DOCKER_ENABLE_SECURITY: false
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
 
       - name: Get version number
         id: versionNumber
         run: echo "versionNumber=$(./gradlew printVersion --quiet | tail -1)" >> $GITHUB_OUTPUT
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_API }}
 
       - name: Build and push PR-specific image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
           context: .
           file: ./Dockerfile
@@ -146,10 +156,10 @@ jobs:
           ssh -i ../private.key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -T ${{ secrets.VPS_USERNAME }}@${{ secrets.VPS_HOST }} << 'ENDSSH'
             # Create PR-specific directories
             mkdir -p /stirling/PR-${{ needs.check-comment.outputs.pr_number }}/{data,config,logs}
-            
+
             # Move docker-compose file to correct location
             mv /tmp/docker-compose.yml /stirling/PR-${{ needs.check-comment.outputs.pr_number }}/docker-compose.yml
-            
+
             # Start or restart the container
             cd /stirling/PR-${{ needs.check-comment.outputs.pr_number }}
             docker-compose pull
@@ -158,7 +168,7 @@ jobs:
 
       - name: Post deployment URL to PR
         if: success()
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const { GITHUB_REPOSITORY } = process.env;

.github/workflows/PR-Demo-cleanup.yml

@@ -4,9 +4,7 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, closed]
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: read-all
 
 env:
   SERVER_IP: ${{ secrets.VPS_IP }}  # Add this to your GitHub secrets
@@ -15,9 +13,17 @@ env:
 jobs:
   cleanup:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     if: github.event.action == 'closed'
-    
+
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - name: Set up SSH
         run: |
           mkdir -p ~/.ssh/
@@ -30,28 +36,28 @@ jobs:
           CLEANUP_STATUS=$(ssh -i ../private.key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -T ${{ secrets.VPS_USERNAME }}@${{ secrets.VPS_HOST }} << 'ENDSSH'
             if [ -d "/stirling/PR-${{ github.event.pull_request.number }}" ]; then
               echo "Found PR directory, proceeding with cleanup..."
-              
+
               # Stop and remove containers
               cd /stirling/PR-${{ github.event.pull_request.number }}
               docker-compose down || true
-              
+
               # Go back to root before removal
               cd /
-              
+
               # Remove PR-specific directories
               rm -rf /stirling/PR-${{ github.event.pull_request.number }}
-              
+
               # Remove the Docker image
               docker rmi --no-prune ${{ secrets.DOCKER_HUB_USERNAME }}/test:pr-${{ github.event.pull_request.number }} || true
-              
+
               echo "PERFORMED_CLEANUP"
             else
               echo "PR directory not found, nothing to clean up"
               echo "NO_CLEANUP_NEEDED"
             fi
           ENDSSH
           )
-          
+
           if [[ $CLEANUP_STATUS == *"PERFORMED_CLEANUP"* ]]; then
             echo "cleanup_performed=true" >> $GITHUB_OUTPUT
           else
@@ -60,7 +66,7 @@ jobs:
 
       - name: Post cleanup notice to PR
         if: steps.cleanup.outputs.cleanup_performed == 'true'
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const { GITHUB_REPOSITORY } = process.env;

.github/workflows/auto-labeler.yml

@@ -3,17 +3,23 @@ on:
   pull_request_target:
     types: [opened, synchronize]
 
+permissions: read-all
+
 jobs:
   labeler:
+    runs-on: ubuntu-latest
     permissions:
-      contents: read
       pull-requests: write
-    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
       - name: Apply Labels
-        uses: actions/labeler@v5
+        uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           configuration-path: .github/labeler-config.yml

.github/workflows/build.yml

@@ -6,13 +6,13 @@ on:
   pull_request:
     branches: ["main"]
 
+permissions: read-all
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
     permissions:
-      actions: read
-      contents: read
       security-events: write
 
     strategy:
@@ -21,17 +21,22 @@ jobs:
         jdk-version: [17, 21]
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up JDK ${{ matrix.jdk-version }}
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
         with:
           java-version: ${{ matrix.jdk-version }}
           distribution: "temurin"
 
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v4
+        uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
         with:
           gradle-version: 8.7
 
@@ -56,25 +61,30 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Java 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
         with:
           java-version: "17"
           distribution: "adopt"
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
 
       - name: Install Docker Compose
         run: |
           sudo curl -SL "https://github.com/docker/compose/releases/download/v2.29.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
           sudo chmod +x /usr/local/bin/docker-compose
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: "3.12"