Update workflows and dependencies for improved security and functionality

devanshjainms · devanshjainms · commit 5f97c0e95ade · 2025-12-01T23:16:12.000Z
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -43,17 +43,17 @@ jobs:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@07bb2b932c90fc1ec97637495e4072a0966fa74c # v3.28.20
+        uses: github/codeql-action/init@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6
         with:
           languages: ${{ matrix.language }}
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@07bb2b932c90fc1ec97637495e4072a0966fa74c # v3.28.20
+        uses: github/codeql-action/autobuild@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@07bb2b932c90fc1ec97637495e4072a0966fa74c # v3.28.20
+        uses: github/codeql-action/analyze@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -22,6 +22,6 @@ jobs:
           egress-policy: audit
 
       - name: 'Checkout Repository'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
diff --git a/.github/workflows/ossf-scoreboard.yml b/.github/workflows/ossf-scoreboard.yml
@@ -31,7 +31,7 @@ jobs:
           egress-policy: audit
 
       - name: "Checkout code"
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           persist-credentials: false
 
@@ -52,6 +52,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+        uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -23,7 +23,7 @@ jobs:
         egress-policy: audit
 
     - name: Checkout code
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
     - name: Run Trivy vulnerability scanner (file system)
       uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
@@ -36,7 +36,7 @@ jobs:
         output: report-fs.sarif
 
     - name: Upload Trivy report (fs) GitHub Security
-      uses: github/codeql-action/upload-sarif@07bb2b932c90fc1ec97637495e4072a0966fa74c # v3.28.20
+      uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6
       with:
         sarif_file: report-fs.sarif
         category: 'fs'
diff --git a/requirements.txt b/requirements.txt
@@ -4,18 +4,18 @@
 #
 #    pip-compile requirements.in
 #
-ansible-compat==25.8.2
+ansible-compat==25.11.0
     # via ansible-lint
 ansible-core==2.17.14
     # via
     #   -r requirements.in
     #   ansible-compat
     #   ansible-lint
-ansible-lint==25.9.2
+ansible-lint==25.11.1
     # via -r requirements.in
 ansible-runner==2.4.2
     # via -r requirements.in
-astroid==4.0.1
+astroid==4.0.2
     # via pylint
 attrs==25.4.0
     # via
@@ -33,35 +33,35 @@ azure-identity==1.25.1
     # via
     #   -r requirements.in
     #   azure-kusto-data
-azure-kusto-data==5.0.5
+azure-kusto-data==6.0.0
     # via
     #   -r requirements.in
     #   azure-kusto-ingest
-azure-kusto-ingest==5.0.5
+azure-kusto-ingest==6.0.0
     # via -r requirements.in
-azure-mgmt-compute==37.0.1
+azure-mgmt-compute==37.1.0
     # via -r requirements.in
 azure-mgmt-core==1.6.0
     # via
     #   azure-mgmt-compute
     #   azure-mgmt-network
-azure-mgmt-network==30.0.0
+azure-mgmt-network==30.1.0
     # via -r requirements.in
-azure-storage-blob==12.23.0
+azure-storage-blob==12.26.0
     # via
     #   -r requirements.in
     #   azure-kusto-ingest
-azure-storage-queue==12.12.0
+azure-storage-queue==12.13.0
     # via
     #   -r requirements.in
     #   azure-kusto-ingest
-black==25.9.0
+black==25.11.0
     # via
     #   -r requirements.in
     #   ansible-lint
 bracex==2.6
     # via wcmatch
-certifi==2025.10.5
+certifi==2025.11.12
     # via
     #   msrest
     #   requests
@@ -71,11 +71,11 @@ cffi==2.0.0
     #   cryptography
 charset-normalizer==3.4.4
     # via requests
-click==8.3.0
+click==8.3.1
     # via
     #   -r requirements.in
     #   black
-coverage[toml]==7.11.0
+coverage[toml]==7.12.0
     # via
     #   -r requirements.in
     #   pytest-cov
@@ -92,7 +92,7 @@ dill==0.4.0
     # via pylint
 distro==1.9.0
     # via ansible-lint
-exceptiongroup==1.3.0
+exceptiongroup==1.3.1
     # via pytest
 filelock==3.20.0
     # via ansible-lint
@@ -189,9 +189,9 @@ pyjwt[crypto]==2.10.1
     # via
     #   msal
     #   pyjwt
-pylint==4.0.2
+pylint==4.0.4
     # via -r requirements.in
-pytest==8.4.2
+pytest==9.0.1
     # via
     #   -r requirements.in
     #   pytest-cov
@@ -206,7 +206,7 @@ python-dateutil==2.9.0.post0
     # via
     #   azure-kusto-data
     #   pandas
-pytokens==0.2.0
+pytokens==0.3.0
     # via black
 pytz==2025.2
     # via pandas
@@ -237,13 +237,13 @@ resolvelib==1.0.1
     # via ansible-core
 rich==14.2.0
     # via -r requirements.in
-rpds-py==0.28.0
+rpds-py==0.30.0
     # via
     #   jsonschema
     #   referencing
 ruamel-yaml==0.18.16
     # via ansible-lint
-ruamel-yaml-clib==0.2.14
+ruamel-yaml-clib==0.2.15
     # via
     #   ansible-lint
     #   ruamel-yaml
diff --git a/tests/roles/ha_scs/ha_config_test.py b/tests/roles/ha_scs/ha_config_test.py
@@ -45,6 +45,12 @@ def test_environment(self, ansible_inventory):
         :ytype: str
         """
 
+        commands = [
+            {
+                "name": "ha_cluster_config_dump",
+                "SUSE": "crm configure show",
+            }
+        ]
         temp_dir = self.setup_test_environment(
             role_type="ha_scs",
             ansible_inventory=ansible_inventory,
@@ -58,9 +64,7 @@ def test_environment(self, ansible_inventory):
                 "bin/crm_resource",
                 "bin/crm",
             ],
-            extra_vars_override={
-                "node_tier": "scs",
-            },
+            extra_vars_override={"node_tier": "scs", "commands": commands},
         )
 
         os.makedirs(f"{temp_dir}/project/roles/ha_scs/tasks/files", exist_ok=True)
