Merge branch 'dev' into bleach-to-nh3

Author: valentijnscholten

.gitattributes

@@ -0,0 +1,14 @@
+# Normalize line endings to LF
+*.sh     text eol=lf
+*.expect text eol=lf
+*.py     text eol=lf
+*.yml    text eol=lf
+*.yaml   text eol=lf
+*.md     text eol=lf
+
+# Binary files — never touch line endings
+*.png    binary
+*.jpg    binary
+*.gif    binary
+*.ico    binary
+*.pdf    binary

.github/dependabot.yml

@@ -4,6 +4,7 @@ updates:
   directory: "/"
   schedule:
     interval: daily
+    time: "08:00"
   open-pull-requests-limit: 10
   target-branch: dev
   ignore:
@@ -17,6 +18,7 @@ updates:
   directory: "/components"
   schedule:
     interval: daily
+    time: "08:00"
   open-pull-requests-limit: 10
   target-branch: dev
   ignore:

.github/pull_request_template.md

@@ -25,7 +25,7 @@ This checklist is for your information.
 - [ ] Features/Changes should be submitted against the `dev`.
 - [ ] Bugfixes should be submitted against the `bugfix` branch.
 - [ ] Give a meaningful name to your PR, as it may end up being used in the release notes.
-- [ ] Your code is flake8 compliant.
+- [ ] Your code is Ruff compliant (see [ruff.toml](../ruff.toml)).
 - [ ] Your code is python 3.13 compliant.
 - [ ] If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
 - [ ] Model changes must include the necessary migrations in the dojo/db_migrations folder.

.github/workflows/build-docker-images-for-testing.yml

@@ -49,11 +49,11 @@ jobs:
         run: echo "IMAGE_REPOSITORY=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Build
         id: docker_build
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         timeout-minutes: 15
         env:
           DOCKER_BUILD_CHECKS_ANNOTATIONS: false

.github/workflows/cancel-outdated-workflow-runs.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 3
     steps:
-      - uses: styfle/cancel-workflow-action@3155a141048f8f89c06b4cdae32e7853e97536bc # 0.13.0
+      - uses: styfle/cancel-workflow-action@d07a454dad7609a92316b57b23c9ccfd4f59af66 # 0.13.1
         with:
-          workflow_id: 'integration-tests.yml,k8s-testing.yml,unit-tests.yml'
+          workflow_id: 'integration-tests.yml,k8s-tests.yml,unit-tests.yml,validate_docs_build.yml,test-helm-chart.yml,ruff.yml,shellcheck.yml'
           access_token: ${{ github.token }}

.github/workflows/gh-pages.yml

@@ -22,7 +22,7 @@ jobs:
           extended: true
 
       - name: Setup Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: '24.14.0' # TODO: Renovate helper might not be needed here - needs to be fully tested
 

.github/workflows/integration-tests.yml

@@ -92,7 +92,7 @@ jobs:
 
       # load docker images from build jobs
       - name: Load images from artifacts
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: built-docker-image
           pattern: built-docker-image-*

.github/workflows/k8s-tests.yml

@@ -25,7 +25,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup Minikube
-        uses: manusa/actions-setup-minikube@8234275e0386fe1cdaf519d28c90f4f03fad89e4 # v2.15.0
+        uses: manusa/actions-setup-minikube@96202dee4ae1c2f46a62fe197273aaf22b83f42d # v2.16.1
         with:
           minikube version: 'v1.38.1' # renovate: datasource=github-releases depName=kubernetes/minikube
           kubernetes version: ${{ matrix.k8s }}
@@ -38,7 +38,7 @@ jobs:
           minikube status
 
       - name: Load images from artifacts
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: built-docker-image
           pattern: built-docker-image-*

.github/workflows/performance-tests.yml

@@ -0,0 +1,74 @@
+name: Performance Tests
+
+on:
+  workflow_call:
+
+jobs:
+  performance-tests:
+    name: Performance Tests
+    runs-on: ubuntu-latest
+    needs: []
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set-platform
+        run: |
+          echo "PLATFORM=linux-amd64" >> $GITHUB_ENV
+
+      - name: Load images from artifacts
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        with:
+          path: built-docker-image
+          pattern: built-docker-image-django-alpine-linux-amd64
+          merge-multiple: true
+
+      - name: Load docker images
+        timeout-minutes: 10
+        run: |
+          docker load -i built-docker-image/django-alpine-linux-amd64_img
+          docker images
+
+      - name: Set unit-test mode
+        run: docker/setEnv.sh unit_tests_cicd
+
+      - name: Start Postgres and webhook.endpoint
+        run: docker compose up --no-deps -d postgres webhook.endpoint
+
+      - name: Start uwsgi (idle)
+        timeout-minutes: 5
+        run: |
+          docker compose -f docker-compose.yml -f docker-compose.override.unit_tests_cicd.yml \
+            -f docker/docker-compose.override.performance_tests_cicd.yml \
+            up -d --no-deps uwsgi
+        env:
+          DJANGO_VERSION: alpine
+
+      - name: Run performance tests (auto-update counts)
+        timeout-minutes: 15
+        run: python3 scripts/update_performance_test_counts.py
+
+      - name: Check counts are up to date
+        run: |
+          if ! git diff --quiet unittests/test_importers_performance.py; then
+            echo "Performance test counts are out of date. Fix them by running locally:"
+            echo ""
+            echo "  python3 scripts/update_performance_test_counts.py"
+            echo ""
+            echo "Diff:"
+            git diff unittests/test_importers_performance.py
+            exit 1
+          else
+            echo "Performance test counts are up to date."
+          fi
+
+      - name: Logs
+        if: failure()
+        run: docker compose logs --tail="2500" uwsgi
+
+      - name: Shutdown
+        if: always()
+        run: docker compose down

.github/workflows/release-drafter.yml

@@ -27,7 +27,7 @@ jobs:
     steps:
       - name: Create Release
         id: create_release
-        uses: release-drafter/release-drafter@6db134d15f3909ccc9eefd369f02bd1e9cffdf97 # v6.2.0
+        uses: release-drafter/release-drafter@3a7fb5c85b80b1dda66e1ccb94009adbbd32fce3 # v7.0.0
         with:
           version: ${{ inputs.version }}
         env:
@@ -47,7 +47,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Load OAS files from artifacts
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           pattern: oas-*