Merge pull request #216 from AnotherStranger/dev

Dev

.github/workflows/security.yml

+name: 'Run Security Tests'
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+  schedule:
+    - cron: '* * * * 0' # run weekly
+
+permissions:
+  contents: read
+  actions: read
+  checks: write
+  security-events: write
+
+jobs:
+  report:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0
+        with:
+          scan-type: 'fs'
+          format: 'sarif'
+          output: 'trivy-results-fs.sarif'
+          severity: 'CRITICAL,HIGH,MEDIUM'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3
+        with:
+          sarif_file: 'trivy-results-fs.sarif'

.pre-commit-config.yaml

 default_stages:
-- commit
+- pre-commit
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.6.0
+  rev: v5.0.0
   hooks:
   - id: trailing-whitespace
   - id: end-of-file-fixer
   - id: check-added-large-files
 - repo: https://github.com/commitizen-tools/commitizen
-  rev: v3.29.0
+  rev: v4.6.0
   hooks:
   - id: commitizen
     stages:
@@ -17,14 +17,14 @@ repos:
   hooks:
   - id: check-useless-excludes
 - repo: https://github.com/hadolint/hadolint
-  rev: v2.13.0-beta
+  rev: v2.13.1-beta
   hooks:
   - id: hadolint-docker
     args:
     - -t
     - warning
 - repo: https://github.com/igorshubovych/markdownlint-cli
-  rev: v0.41.0
+  rev: v0.44.0
   hooks:
   - id: markdownlint-fix
     args:
@@ -35,6 +35,6 @@ repos:
   hooks:
   - id: shellcheck
 - repo: https://github.com/renovatebot/pre-commit-hooks
-  rev: 38.85.1
+  rev: 39.251.0
   hooks:
     - id: renovate-config-validator

Dockerfile

@@ -122,7 +122,7 @@ RUN set -x && \
     && chmod 700 /home/borg/.ssh
 
 COPY --from=builder /wheel /wheel
-RUN pip --no-cache-dir install /wheel/*.whl
+RUN pip --no-cache-dir install --compile /wheel/*.whl
 
 # Configure SSH
 RUN set -x \
@@ -142,4 +142,5 @@ VOLUME ["/home/borg/backups/", "/var/lib/docker-borg", "/home/borg/.ssh/"]
 COPY ./entrypoint.sh /
 
 EXPOSE 22
+
 CMD ["/entrypoint.sh"]

docker-compose.yml

-version: '3'
-
 services:
   borg:
     #image: ghcr.io/anotherstranger/borg-server:latest

renovate.json

 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["config:best-practices", ":semanticCommitTypeAll(refactor)"],
-  "baseBranches": ["dev"],
+  "extends": [
+    "config:best-practices",
+    ":semanticCommitTypeAll(refactor)",
+    "group:all",
+    "workarounds:all",
+    "automergeDigest",
+    "automergeMinor",
+    ":configMigration"
+  ],
+  "baseBranches": [
+    "dev"
+  ],
   "packageRules": [
     {
-      "matchDatasources": ["docker"],
-      "matchPackageNames": ["python"],
+      "matchDatasources": [
+        "docker"
+      ],
+      "matchPackageNames": [
+        "python"
+      ],
       "versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)(?<prerelease>[^.-]+)?(-(?<compatibility>[^0.9]+)(?<build>[0-9.]+))?$"
     },
     {
-      "matchUpdateTypes": ["minor", "patch"],
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ],
       "matchCurrentVersion": "!/^0/",
       "automerge": true
     }
@@ -17,7 +34,9 @@
   "customManagers": [
     {
       "customType": "regex",
-      "fileMatch": ["^Dockerfile$"],
+      "fileMatch": [
+        "^Dockerfile$"
+      ],
       "matchStrings": [
         "#\\s*renovate:\\s*datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\sARG .*?_VERSION=\"(?<currentValue>.*)\"\\s"
       ],