super-linterアップデート

.dockle-version

@@ -1 +1 @@
-0.4.13
+0.4.14

.github/workflows/add-to-task-list.yml

@@ -7,6 +7,7 @@ on:
   issues:
     types:
       - opened
+permissions: read-all
 jobs:
   add-to-task-list:
     runs-on: ubuntu-latest

.github/workflows/codeql-analysis.yml

@@ -18,6 +18,10 @@ on:
   merge_group:
   schedule:
     - cron: '38 8 * * 4'
+permissions:
+  actions: read
+  contents: read
+  security-events: write
 jobs:
   analyze:
     name: Analyze
@@ -28,10 +32,6 @@ jobs:
     # Consider using larger runners for possible analysis time improvements.
     runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
     timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
     strategy:
       fail-fast: false
       matrix:

.github/workflows/dependency_review.yml

@@ -2,6 +2,7 @@ name: 'Dependency Review'
 on:
   pull_request:
   merge_group:
+permissions: read-all
 jobs:
   dependency-review:
     runs-on: ubuntu-latest

.github/workflows/fail-notify.yml

@@ -17,6 +17,7 @@ on:
       - update-gitleaks
     types:
       - completed
+permissions: read-all
 jobs:
   fail-notify:
     runs-on: ubuntu-latest

.github/workflows/fix-fail-notify.yml

@@ -3,6 +3,7 @@ name: fix-fail-notify
 on:
   pull_request:
   merge_group:
+permissions: read-all
 jobs:
   fix-fail-notify:
     runs-on: ubuntu-latest

.github/workflows/gcr-cleaner.yml

@@ -7,12 +7,12 @@ on:
 env:
   GCP_WORKLOAD_IDENTITY_PROVIDER: 'projects/765091727073/locations/global/workloadIdentityPools/hato-atama-workload-identity/providers/github'
   GCP_SERVICE_ACCOUNT: '[email protected]'
+permissions:
+  id-token: write
+  contents: read
 jobs:
   gcr-cleaner:
     runs-on: 'ubuntu-latest'
-    permissions:
-      id-token: write
-      contents: read
     steps:
       - uses: actions/[email protected]
       - id: 'auth'

.github/workflows/github-actions-cache-cleaner.yml

@@ -7,6 +7,7 @@ on:
   schedule:
     - cron: '0 21 * * *' # 06:00 JST
   workflow_dispatch:
+permissions: read-all
 jobs:
   github-actions-cache-cleaner:
     runs-on: ubuntu-latest

.github/workflows/remove_app_engine_versions.yml

@@ -4,12 +4,12 @@ on:
   pull_request:
     types:
       - closed
+permissions:
+  id-token: write
+  contents: read
 jobs:
   remove-app-engine-versions:
     runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read
     if: github.repository == github.event.pull_request.head.repo.full_name && github.repository == 'dev-hato/hato-atama'
     steps:
       - uses: actions/[email protected]

.github/workflows/resource-update.yml

@@ -2,11 +2,7 @@
 name: resource-update
 on:
   workflow_dispatch:
-    inputs:
-      base-branch-name:
-        description: "base branch name"
-        required: false
-        default: "master"
+permissions: read-all
 jobs:
   update-frontend:
     runs-on: ubuntu-latest
@@ -31,7 +27,7 @@ jobs:
       - uses: dev-hato/[email protected]
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
-          branch-name-prefix: ${{ github.event.inputs.base-branch-name }}-update-frontend
+          branch-name-prefix: update-frontend
           pr-title-prefix: Update frontend
   update-test-e2e:
     runs-on: ubuntu-latest
@@ -56,7 +52,7 @@ jobs:
       - uses: dev-hato/[email protected]
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
-          branch-name-prefix: ${{ github.event.inputs.base-branch-name }}-update-test-e2e
+          branch-name-prefix: update-test-e2e
           pr-title-prefix: Update test/e2e
   update-go:
     runs-on: ubuntu-latest
@@ -83,5 +79,5 @@ jobs:
       - uses: dev-hato/[email protected]
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
-          branch-name-prefix: ${{ github.event.inputs.base-branch-name }}-update-go
+          branch-name-prefix: update-go
           pr-title-prefix: Update go

.github/workflows/super-linter.yml

@@ -5,22 +5,30 @@ on:
     branches: [master]
   merge_group:
   workflow_dispatch:
+permissions:
+  contents: read
+  packages: read
+  statuses: write
 jobs:
   super-linter:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
       - uses: actions/[email protected]
+        with:
+          fetch-depth: 0
       - uses: actions/[email protected]
         with:
           node-version-file: .node-version
           cache: npm
       - run: bash "${GITHUB_WORKSPACE}/scripts/super_linter/super_linter/set_path.sh"
       - name: Super-Linter
-        uses: super-linter/super-linter/slim@v5.7.2
+        uses: super-linter/super-linter/slim@v6.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           LINTER_RULES_PATH: .
+          # Go modulesを使っているため、こちらはfalseにする
+          VALIDATE_GO: false
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}
   cancel-in-progress: true

elm/Dockerfile

@@ -1,5 +1,6 @@
 # https://dev.to/csaltos/elm-for-linux-arm64-32bc
 # GitHub Actionsでビルドするとうまく行かないため、手元でビルドする前提
+#checkov:skip=CKV_DOCKER_2
 FROM debian:bullseye-slim
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
@@ -42,13 +43,18 @@ RUN apt-get update \
        && apt-get clean \
        && rm -rf /var/lib/apt/lists/*
 
-WORKDIR /
+RUN mkdir /app  \
+    && useradd -m appuser \
+    && chown appuser:appuser /app
+
+WORKDIR /app
+USER appuser
 
 COPY frontend/elm.json ./
 RUN elm_version="$(yq -oy '."elm-version"' elm.json)" \
     && git clone -b "${elm_version}" https://github.com/elm/compiler.git
 
-WORKDIR /compiler
+WORKDIR /app/compiler
 
 RUN rm worker/elm.cabal \
     && cabal new-update \

gcp/datastore/Dockerfile

@@ -1,3 +1,4 @@
+#checkov:skip=CKV_DOCKER_3
 FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:462.0.1-emulators
 
 RUN find / -type f -perm /u+s -ignore_readdir_race -exec chmod u-s {} \; \

gcp/datastore/start.sh

@@ -3,6 +3,6 @@
 gcloud config set project "${DATASTORE_PROJECT_ID}"
 
 gcloud beta emulators datastore start \
-  --data-dir=/opt/data \
-  --host-port="${DATASTORE_LISTEN_ADDRESS}" \
-  "${@}"
+	--data-dir=/opt/data \
+	--host-port="${DATASTORE_LISTEN_ADDRESS}" \
+	"${@}"

scripts/release/deploy_app_engine/wait_for_deployment.sh

@@ -2,18 +2,18 @@
 
 # 最大10分待つ
 for i in $(seq 600); do
-  serving_status=$(gcloud app versions describe \
-    "v${RUN_NUMBER}" \
-    --service "default" \
-    --format \
-    "value(servingStatus)")
-  echo "${i}: servingStatus: ${serving_status}"
+	serving_status=$(gcloud app versions describe \
+		"v${RUN_NUMBER}" \
+		--service "default" \
+		--format \
+		"value(servingStatus)")
+	echo "${i}: servingStatus: ${serving_status}"
 
-  if [ "${serving_status}" = "SERVING" ]; then
-    exit 0
-  fi
+	if [ "${serving_status}" = "SERVING" ]; then
+		exit 0
+	fi
 
-  sleep 1
+	sleep 1
 done
 
 exit 1

scripts/release/dockle/run_dockle.sh

@@ -8,33 +8,33 @@ docker compose -f compose.yml -f "${DOCKER_COMPOSE_FILE_NAME}" pull "${SERVICE_N
 docker compose -f compose.yml -f "${DOCKER_COMPOSE_FILE_NAME}" up -d "${SERVICE_NAME}"
 
 for image_name in $(docker compose -f compose.yml -f "${DOCKER_COMPOSE_FILE_NAME}" images "${SERVICE_NAME}" | awk 'OFS=":" {print $2,$3}' | tail -n +2); do
-  cmd="dockle --exit-code 1 "
+	cmd="dockle --exit-code 1 "
 
-  if [[ "${image_name}" =~ "gcloud_datastore" ]] || [[ "${image_name}" =~ "server-dev" ]] || [[ "${image_name}" =~ "server-base" ]]; then
-    cmd+="-i DKL-LI-0003 "
+	if [[ "${image_name}" =~ "gcloud_datastore" ]] || [[ "${image_name}" =~ "server-dev" ]] || [[ "${image_name}" =~ "server-base" ]]; then
+		cmd+="-i DKL-LI-0003 "
 
-    if [[ "${image_name}" =~ "gcloud_datastore" ]] || [[ "${image_name}" =~ "server-base" ]]; then
-      cmd+="-i CIS-DI-0001 "
-      if [[ "${image_name}" =~ "gcloud_datastore" ]]; then
-        cmd+="-af settings.py "
-      fi
-    fi
+		if [[ "${image_name}" =~ "gcloud_datastore" ]] || [[ "${image_name}" =~ "server-base" ]]; then
+			cmd+="-i CIS-DI-0001 "
+			if [[ "${image_name}" =~ "gcloud_datastore" ]]; then
+				cmd+="-af settings.py "
+			fi
+		fi
 
-    if [[ "${image_name}" =~ "server-dev" ]] || [[ "${image_name}" =~ "server-base" ]]; then
-      cmd+="--timeout 600s "
-      if [[ "${image_name}" =~ "server-dev" ]]; then
-        cmd+="-af credentials "
-      fi
-    fi
-  elif [[ "${image_name}" =~ "frontend:" ]]; then
-    cmd+="-ak NGINX_GPGKEY "
-  fi
+		if [[ "${image_name}" =~ "server-dev" ]] || [[ "${image_name}" =~ "server-base" ]]; then
+			cmd+="--timeout 600s "
+			if [[ "${image_name}" =~ "server-dev" ]]; then
+				cmd+="-af credentials "
+			fi
+		fi
+	elif [[ "${image_name}" =~ "frontend:" ]]; then
+		cmd+="-ak NGINX_GPGKEY "
+	fi
 
-  if [[ "${image_name}" =~ "frontend-base" ]] || [[ "${image_name}" =~ "server-base" ]]; then
-    cmd+="-i CIS-DI-0006 "
-  fi
+	if [[ "${image_name}" =~ "frontend-base" ]] || [[ "${image_name}" =~ "server-base" ]]; then
+		cmd+="-i CIS-DI-0006 "
+	fi
 
-  cmd+="${image_name}"
-  echo "> ${cmd}"
-  eval "${cmd}"
+	cmd+="${image_name}"
+	echo "> ${cmd}"
+	eval "${cmd}"
 done

scripts/release/update_package/update_versions.sh

@@ -1,23 +1,23 @@
 #!/usr/bin/env bash
 
 for path in "frontend" "test/e2e" "."; do
-  echo "${NODE_VERSION}" >${path}/.node-version
+	echo "${NODE_VERSION}" >${path}/.node-version
 
-  NODE_PATTERN="s/\"node\": \".*\"/\"node\": \"^${DEPENDABOT_NODE_VERSION}"
+	NODE_PATTERN="s/\"node\": \".*\"/\"node\": \"^${DEPENDABOT_NODE_VERSION}"
 
-  if [ "${DEPENDABOT_NODE_VERSION}" != "${NODE_VERSION}" ]; then
-    NODE_PATTERN+=" || ^${NODE_VERSION}"
-  fi
+	if [ "${DEPENDABOT_NODE_VERSION}" != "${NODE_VERSION}" ]; then
+		NODE_PATTERN+=" || ^${NODE_VERSION}"
+	fi
 
-  NODE_PATTERN+="\"/g"
-  sed -i -e "${NODE_PATTERN}" ${path}/package.json
+	NODE_PATTERN+="\"/g"
+	sed -i -e "${NODE_PATTERN}" ${path}/package.json
 
-  NPM_PATTERN="s/\"npm\": \".*\"/\"npm\": \"^${DEPENDABOT_NPM_VERSION}"
+	NPM_PATTERN="s/\"npm\": \".*\"/\"npm\": \"^${DEPENDABOT_NPM_VERSION}"
 
-  if [ "${DEPENDABOT_NPM_VERSION}" != "${NPM_VERSION}" ]; then
-    NPM_PATTERN+=" || ^${NPM_VERSION}"
-  fi
+	if [ "${DEPENDABOT_NPM_VERSION}" != "${NPM_VERSION}" ]; then
+		NPM_PATTERN+=" || ^${NPM_VERSION}"
+	fi
 
-  NPM_PATTERN+="\"/g"
-  sed -i -e "${NPM_PATTERN}" ${path}/package.json
+	NPM_PATTERN+="\"/g"
+	sed -i -e "${NPM_PATTERN}" ${path}/package.json
 done

scripts/super_linter/super_linter/set_path.sh

@@ -3,4 +3,4 @@
 npm ci
 action="$(yq '.jobs.super-linter.steps[-1].uses' .github/workflows/super-linter.yml)"
 PATH="$(docker run --rm --entrypoint '' "ghcr.io/${action//\/slim@/:slim-}" /bin/sh -c 'echo $PATH')"
-echo "PATH=/github/workspace/node_modules/.bin:${PATH}" >> "$GITHUB_ENV"
+echo "PATH=/github/workspace/node_modules/.bin:${PATH}" >>"$GITHUB_ENV"