chore: update jsonnet

.github/jsonnet/GIT_VERSION

@@ -0,0 +1 @@
+1e5064bfee9299e657d1d478626dfb60036ea580

.github/jsonnet/actions.jsonnet

@@ -0,0 +1,16 @@
+/**
+ * GitHub Action plugin references
+ *
+ * Centralised SHA-pinned references for external GitHub Actions used across workflows.
+ * Pinning to a SHA (rather than a tag) protects against supply-chain attacks where a
+ * tag is moved to point at a malicious commit. The trailing comment records the
+ * human-readable version that the SHA corresponds to at the time of pinning.
+ */
+{
+  checkout_action: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd',  // v6
+  gcp_auth_action: 'google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093',  // v3
+  gcp_setup_gcloud_action: 'google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db',  // v3
+  pulumi_action: 'pulumi/actions@cd99a7f8865434dd3532b586a26f9ebea596894f',  // v5
+  onepassword_load_secrets_action: '1password/load-secrets-action@92467eb28f72e8255933372f1e0707c567ce2259',  // v4
+  slack_action: 'act10ns/slack@d96404edccc6d6467fc7f8134a420c851b1e9054',  // v2
+}

.github/jsonnet/base.jsonnet

@@ -41,6 +41,7 @@ local misc = import 'misc.jsonnet';
    * @param {object} [concurrency=null] - Job-level concurrency settings
    * @param {boolean} [continueOnError=null] - Whether to continue workflow if job fails
    * @param {object} [env=null] - Environment variables for all steps in the job
+   * @param {object} [strategy=null] - GitHub Actions matrix strategy (e.g., {matrix: {shard: [1,2,3]}, 'fail-fast': false})
    * @returns {jobs} - GitHub Actions job definition
    */
   ghJob(
@@ -58,6 +59,7 @@ local misc = import 'misc.jsonnet';
     concurrency=null,
     continueOnError=null,
     env=null,
+    strategy=null,
   )::
     {
       [name]: {
@@ -82,7 +84,8 @@ local misc = import 'misc.jsonnet';
               (if permissions == null then {} else { permissions: permissions }) +
               (if concurrency == null then {} else { concurrency: concurrency }) +
               (if continueOnError == null then {} else { 'continue-on-error': continueOnError }) +
-              (if env == null then {} else { env: env }),
+              (if env == null then {} else { env: env }) +
+              (if strategy == null then {} else { strategy: strategy }),
     },
 
   /**
@@ -159,7 +162,7 @@ local misc = import 'misc.jsonnet';
    * @docs https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idsteps
    *
    * @param {string} name - Display name for the step in the GitHub UI
-   * @param {string} uses - The action to use (e.g., 'actions/checkout@v4', './path/to/action')
+   * @param {string} uses - The action to use (e.g., 'actions/checkout@v6', './path/to/action')
    * @param {object} [env=null] - Environment variables for this step
    * @param {object} [with=null] - Input parameters to pass to the action
    * @param {string} [id=null] - Unique identifier for this step (used to reference outputs)

.github/jsonnet/clusters.jsonnet

@@ -2,7 +2,7 @@ local misc = import 'misc.jsonnet';
 
 /**
  * Kubernetes Cluster Configuration
- *
+ * 
  * This module defines configuration for different Kubernetes clusters used for deployments.
  * Each cluster configuration includes project information, authentication secrets, and
  * node selector settings for job scheduling.

.github/jsonnet/deployment.jsonnet

@@ -122,7 +122,7 @@ local notifications = import 'notifications.jsonnet';
                     function(deploymentTarget)
                       base.action(
                         'publish-deploy-' + deploymentTarget + '-event',
-                        'chrnorm/deployment-action@v2',
+                        'chrnorm/deployment-action@500aa6a23c81ffa1acf71072aee3cfa2cc2e556a',  // v2
                         ifClause=ifClause,
                         with={
                           token: misc.secret('VIRKO_GITHUB_TOKEN'),
@@ -173,7 +173,7 @@ local notifications = import 'notifications.jsonnet';
   updateDeploymentStatus(status='${{ job.status }}')::
     base.action(
       'Update deployment status',
-      'chrnorm/deployment-status@v2',
+      'chrnorm/deployment-status@6df8d036fd2fee9eb82936733953da1f8382b41e',  // v2
       with={
         state: status,
         ['deployment-id']: '${{ github.event.deployment.id }}',

.github/jsonnet/helm.jsonnet

@@ -132,6 +132,7 @@ local services = import 'services.jsonnet';
    * @param {boolean} [fetchDependencies=false] - Whether to fetch Helm dependencies
    * @param {boolean} [wait=false] - Whether to wait for resources to be ready before marking the release as successful
    * @param {string} [timeout=null] - Time to wait for resources (pods) to become ready (e.g., '5m')
+   * @param {string} [runsOn=null] - GitHub Actions runner to use for the job
    * @returns {jobs} - Complete GitHub Actions job for production deployment
    */
   helmDeployProdJob(
@@ -145,9 +146,11 @@ local services = import 'services.jsonnet';
     fetchDependencies=false,
     wait=false,
     timeout=null,
+    runsOn=null,
   )::
     base.ghJob(
       'deploy-prod',
+      runsOn=runsOn,
       ifClause="${{ github.event.deployment.environment == '" + environment + "' }}",
       image=image,
       useCredentials=useCredentials,
@@ -213,6 +216,7 @@ local services = import 'services.jsonnet';
    * @param {boolean} [fetchDependencies=false] - Whether to fetch Helm dependencies
    * @param {boolean} [wait=false] - Whether to wait for resources to be ready before marking the release as successful
    * @param {string} [timeout=null] - Time to wait for resources (pods) to become ready (e.g., '5m')
+   * @param {string} [runsOn=null] - GitHub Actions runner to use for the job
    * @returns {jobs} - Complete GitHub Actions job for test deployment
    */
   helmDeployTestJob(
@@ -225,9 +229,11 @@ local services = import 'services.jsonnet';
     fetchDependencies=false,
     wait=false,
     timeout=null,
+    runsOn=null,
   )::
     base.ghJob(
       'deploy-test',
+      runsOn=runsOn,
       ifClause="${{ github.event.deployment.environment == 'test' }}",
       image=image,
       useCredentials=useCredentials,
@@ -296,6 +302,7 @@ local services = import 'services.jsonnet';
    * @param {boolean} [fetchDependencies=false] - Whether to fetch Helm dependencies
    * @param {boolean} [wait=false] - Whether to wait for resources to be ready before marking the release as successful
    * @param {string} [timeout=null] - Time to wait for resources (pods) to become ready (e.g., '5m')
+   * @param {string} [runsOn=null] - GitHub Actions runner to use for the job
    * @returns {jobs} - Complete GitHub Actions job for PR deployment
    */
   helmDeployPRJob(
@@ -308,9 +315,11 @@ local services = import 'services.jsonnet';
     fetchDependencies=false,
     wait=false,
     timeout=null,
+    runsOn=null,
   )::
     base.ghJob(
       'deploy-pr',
+      runsOn=runsOn,
       image=image,
       useCredentials=useCredentials,
       steps=[
@@ -369,6 +378,7 @@ local services = import 'services.jsonnet';
    * @param {boolean} [fetchDependencies=fetchDependencies] - Whether to fetch Helm dependencies
    * @param {boolean} [wait=false] - Whether to wait for resources to be ready before marking the release as successful
    * @param {string} [timeout=null] - Time to wait for resources (pods) to become ready (e.g., '5m')
+   * @param {string} [runsOn=null] - GitHub Actions runner to use for the job
    * @returns {jobs} - Complete GitHub Actions job for PR cleanup
    */
   helmDeletePRJob(
@@ -380,9 +390,11 @@ local services = import 'services.jsonnet';
     fetchDependencies=fetchDependencies,
     wait=false,
     timeout=null,
+    runsOn=null,
   )::
     base.ghJob(
       'helm-delete-pr',
+      runsOn=runsOn,
       image=images.default_job_image,
       useCredentials=false,
       steps=[
@@ -483,6 +495,7 @@ local services = import 'services.jsonnet';
    * @param {boolean} [fetchDependencies=false] - Whether to fetch Helm dependencies
    * @param {boolean} [wait=false] - Whether to wait for resources to be ready before marking the release as successful
    * @param {string} [timeout=null] - Time to wait for resources (pods) to become ready (e.g., '5m')
+   * @param {string} [runsOn=null] - GitHub Actions runner to use for the job
    * @returns {jobs} - Complete GitHub Actions job for canary deployment
    */
   helmDeployCanaryJob(
@@ -495,9 +508,11 @@ local services = import 'services.jsonnet';
     fetchDependencies=false,
     wait=false,
     timeout=null,
+    runsOn=null,
   )::
     base.ghJob(
       'deploy-canary',
+      runsOn=runsOn,
       image=image,
       useCredentials=useCredentials,
       ifClause="${{ github.event.deployment.environment == 'canary' }}",
@@ -566,6 +581,7 @@ local services = import 'services.jsonnet';
    * @param {boolean} [fetchDependencies=false] - Whether to fetch Helm dependencies
    * @param {boolean} [wait=false] - Whether to wait for resources to be ready before marking the release as successful
    * @param {string} [timeout=null] - Time to wait for resources (pods) to become ready (e.g., '5m')
+   * @param {string} [runsOn=null] - GitHub Actions runner to use for the job
    * @returns {jobs} - Complete GitHub Actions job to kill canary deployment
    */
   helmKillCanaryJob(
@@ -576,9 +592,11 @@ local services = import 'services.jsonnet';
     fetchDependencies=false,
     wait=false,
     timeout=null,
+    runsOn=null,
   )::
     base.ghJob(
       'kill-canary',
+      runsOn=runsOn,
       ifClause="${{ github.event.deployment.environment == 'kill-canary' || github.event.deployment.environment == 'production' }}",
       image=images.default_job_image,
       useCredentials=false,

.github/jsonnet/images.jsonnet

@@ -6,7 +6,7 @@
  * Images are primarily hosted on Google Cloud registries (GCR and Artifact Registry).
  */
 {
-  jsonnet_bin_image: 'europe-docker.pkg.dev/unicorn-985/private-images/docker-images_jsonnet:v1',
+  jsonnet_bin_image: 'europe-docker.pkg.dev/unicorn-985/private-images/docker-images_jsonnet:v2',
   helm_action_image: 'docker://europe-docker.pkg.dev/unicorn-985/public-images/helm-action:v4',
   mysql_action_image: 'docker://europe-docker.pkg.dev/unicorn-985/public-images/docker-images_mysql-cloner-action:v2',
   docker_action_image: 'docker://europe-docker.pkg.dev/unicorn-985/public-images/push-to-gcr-github-action:v1',

.github/jsonnet/index.jsonnet

@@ -1,4 +1,5 @@
 (import 'base.jsonnet') +
+{ actions: import 'actions.jsonnet' } +
 { clusters: import 'clusters.jsonnet' } +
 (import 'databases.jsonnet') +
 (import 'docker.jsonnet') +

.github/jsonnet/misc.jsonnet

@@ -1,3 +1,4 @@
+local actions = import 'actions.jsonnet';
 local base = import 'base.jsonnet';
 local images = import 'images.jsonnet';
 
@@ -72,13 +73,13 @@ local images = import 'images.jsonnet';
       sshSteps +
       base.action(
         'Check out repository code via ssh',
-        'actions/checkout@v4',
+        actions.checkout_action,
         with=with + (if preferSshClone then { 'ssh-key': '${{ secrets.VIRKO_GITHUB_SSH_KEY }}' } else {}),
         ifClause='${{ ' + (if ifClause == null then '' else '( ' + localIfClause + ' ) && ') + " ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}",
       ) +
       base.action(
         'Check out repository code via https',
-        'actions/checkout@v4',
+        actions.checkout_action,
         with=with,
         ifClause='${{ ' + (if ifClause == null then '' else '( ' + localIfClause + ' ) && ') + " ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}",
       ) +
@@ -102,7 +103,7 @@ local images = import 'images.jsonnet';
       (if includeSubmodules then { submodules: 'recursive' } else {});
     base.action(
       'Check out repository code',
-      'actions/checkout@v4',
+      actions.checkout_action,
       with=with,
       ifClause=ifClause
     ) +
@@ -187,8 +188,9 @@ local images = import 'images.jsonnet';
                   echo "Possible reasons:";
                   echo " - You updated jsonnet files, but did not regenerate the workflows.";
                   echo "   To regenerate jsonnet run: 'rm .github/workflows/*; jsonnet -m .github/workflows/ -S .github.jsonnet'";
-                  echo " - You used the wrong jsonnet binary. In this case, the newlines at the end of the files differ.";
-                  echo "   To fix, install the go binary. On mac, run 'brew uninstall jsonnet && brew install go-jsonnet'";
+                  echo " - You used the wrong jsonnet binary (version). In this case, the newlines at the end of the files differ.";
+                  echo " - You must use go-jsonnet version 0.22 or higher. Earlier versions do not generate the yml with trailing newline."
+                  echo "   To fix, install the go binary (^0.22). On mac, run 'brew uninstall jsonnet && brew install go-jsonnet'";
                   exit 1;
                 |||
               ),
@@ -205,6 +207,7 @@ local images = import 'images.jsonnet';
    * @param {string} [bodyUpdateAction='suffix'] - How to update the body ('suffix', 'prefix', 'replace')
    * @param {string} [titleUpdateAction='prefix'] - How to update the title ('suffix', 'prefix', 'replace')
    * @param {object} [otherOptions={}] - Additional options to pass to the action
+   * @param {string} [runsOn=null] - GitHub Actions runner to use for the job
    * @returns {workflows} - GitHub Actions pipeline for automatic PR description updates
    */
   updatePRDescriptionPipeline(
@@ -215,6 +218,7 @@ local images = import 'images.jsonnet';
     bodyUpdateAction='suffix',
     titleUpdateAction='prefix',
     otherOptions={},
+    runsOn=null,
   )::
     base.pipeline(
       'update-pr-description',
@@ -224,6 +228,7 @@ local images = import 'images.jsonnet';
       jobs=[
         base.ghJob(
           'update-pr-description',
+          runsOn=runsOn,
           steps=[
             base.action(
               'update-pr-description',
@@ -417,7 +422,7 @@ local images = import 'images.jsonnet';
           image=null,
           runsOn='ubuntu-latest',
           steps=[
-            base.action('checkout', 'actions/checkout@v4'),
+            base.action('checkout', actions.checkout_action),
             base.action(
               'Run delete-old-branches-action',
               'beatlabs/delete-old-branches-action@4eeeb8740ff8b3cb310296ddd6b43c3387734588',
@@ -472,7 +477,7 @@ local images = import 'images.jsonnet';
       base.step('git safe directory', 'git config --global --add safe.directory $PWD'),
       base.action(
         'check-for-changes',
-        uses='dorny/paths-filter@v2',
+        uses='dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d',  // v4
         id='changes',
         with={
                filters: |||
@@ -492,9 +497,10 @@ local images = import 'images.jsonnet';
    *
    * @param {string} name - The name of the GitHub job
    * @param {array} jobs - Array of job objects to wait for
+   * @param {string} [runsOn=null] - GitHub Actions runner to use for the job
    * @returns {jobs} - GitHub Actions job that waits for the given jobs to finish
    */
-  awaitJob(name, jobs)::
+  awaitJob(name, jobs, runsOn=null)::
     local dependingJobs = std.flatMap(
       function(job)
         local jobNameArray = std.objectFields(job);
@@ -504,6 +510,7 @@ local images = import 'images.jsonnet';
     [
       base.ghJob(
         'await-' + name,
+        runsOn=runsOn,
         ifClause='${{ always() }}',
         needs=dependingJobs,
         useCredentials=false,
@@ -567,18 +574,20 @@ local images = import 'images.jsonnet';
    * Useful for automatically approving renovate PRs or other trusted automation.
    *
    * @param {array} [users=['gynzy-virko']] - Array of usernames to auto-approve PRs for
+   * @param {string} [runsOn=null] - GitHub Actions runner to use for the job
    * @returns {workflows} - GitHub Actions pipeline that auto-approves PRs from specified users
    */
-  autoApprovePRs(users=['gynzy-virko'])::
+  autoApprovePRs(users=['gynzy-virko'], runsOn=null)::
     base.pipeline(
       'auto-approve-prs',
       [
         base.ghJob(
           'auto-approve',
+          runsOn=runsOn,
           steps=[
             base.action(
               'auto-approve-prs',
-              'hmarr/auto-approve-action@v4',
+              'hmarr/auto-approve-action@8f929096a962e83ccdfa8afcf855f39f12d4dac7',  // v4
             ),
           ],
           useCredentials=false,
@@ -699,7 +708,7 @@ local images = import 'images.jsonnet';
           steps=[
             base.action(
               'Close stale PRs',
-              'actions/stale@v10',
+              'actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f',  // v10
               with={
                 'days-before-stale': daysBeforeStale,
                 'days-before-close': daysBeforeClose,

.github/jsonnet/newrelic.jsonnet

@@ -14,6 +14,7 @@ local pnpm = import 'pnpm.jsonnet';
    * @param {string} [image='mirror.gcr.io/node:20.17'] - Docker image to use for the job
    * @param {boolean} [useCredentials=false] - Whether to use Docker registry credentials
    * @param {string} [packageManager='yarn'] - Package manager to use ('yarn' or 'pnpm')
+   * @param {string} [runsOn=null] - GitHub Actions runner to use for the job
    * @returns {jobs} - GitHub Actions job definition for New Relic deployment notification
    */
   postReleaseToNewRelicJob(
@@ -23,9 +24,11 @@ local pnpm = import 'pnpm.jsonnet';
     image='mirror.gcr.io/node:20.17',
     useCredentials=false,
     packageManager='yarn',
+    runsOn=null,
   )::
     base.ghJob(
       'post-newrelic-release',
+      runsOn=runsOn,
       image=image,
       useCredentials=useCredentials,
       ifClause="${{ github.event.deployment.environment == 'production' }}",