Repo Update 2025-06

Author: aessing

.github/label-syncer/label-syncer.yml

@@ -1,36 +1,51 @@
-- name: breaking change
+- name: status - needs triage
+  description: New issues/PRs that need review
+  color: 27ae60 # green
+- name: status - in progress
+  description: Actively being worked on
+  color: 2ecc40 # green
+- name: status - blocked
+  description: Blocked by something else
+  color: 16a085 # green
+- name: status - ready for review
+  description: Ready for code review
+  color: 1abc9c # green
+- name: type - enhancement
+  description: Improvements to existing features
+  color: 2986cc # blue
+- name: type - refactor
+  description: Code refactoring, no user-facing change
+  color: 1d76db # blue
+- name: type - test
+  description: Related to tests or test coverage
+  color: 0052cc # blue
+- name: type - ci
+  description: Continuous integration/config changes
+  color: 0074d9 # blue
+- name: type - chore
+  description: Maintenance, build, or non-feature work
+  color: 3399ff # blue
+- name: type - breaking change
   description: Changes that will break something in the next release
-  color: d876e3
-- name: bug
+  color: ff69b4 # pink
+- name: type - bug
   description: Something isn't working as expected
-  color: f67828
-- name: critical
-  description: Problems that are critical to fix immediately (e.g. data loss)
-  color: d80000
-- name: dependencies
-  description: Pull requests that update a dependency
-  color: 861a22
-- name: documentation
+  color: d80000 # red
+- name: type - documentation
   description: Improvements or additions to documentation
-  color: 0075ca
-- name: duplicate
-  description: This issue or pull request already exists elsewhere
-  color: D9D9D6
-- name: feature
-  description: New feature or request for a feature
-  color: f1dd38
-- name: help wanted
-  description: Extra attention is needed
-  color: 366735
-- name: idea
-  description: An idea that should be considered for future releases
-  color: 6aed9c
-- name: invalid
-  description: This doesn't seem right
-  color: 000000
-- name: question
-  description: Further information is requested or clarification is needed
-  color: 9d622b
+  color: 5dade2 # blue
+- name: priority - low
+  description: Lowest priority
+  color: ffc300 # orange
+- name: priority - medium
+  description: Medium priority
+  color: ff9900 # orange
+- name: priority - high
+  description: Highest priority
+  color: ff5733 # orange
+- name: good first issue
+  description: Good for newcomers
+  color: a259ff # purple
 - name: wontfix
   description: This will not be worked on
   color: ffffff

.github/workflows/codeql.yml

@@ -0,0 +1,81 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: 'CodeQL Advanced'
+
+on:
+  push:
+    branches: ['main']
+  pull_request:
+    branches: ['main']
+  schedule:
+    - cron: '0 6 * * *'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: true
+      matrix:
+        include:
+          - language: actions
+            build-mode: none
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@fca7ace96b7d713c7035871441bd52efbe39e27e
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          queries: security-extended,security-and-quality
+
+      # If the analyze step fails for one of the languages you are analyzing with
+      # "We were unable to automatically build your code", modify the matrix above
+      # to set the build mode to "manual" for that language. Then modify this step
+      # to build your code.
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+      - if: matrix.build-mode == 'manual'
+        shell: bash
+        run: |
+          echo 'If you are using a "manual" build mode for one or more of the' \
+            'languages you are analyzing, replace this with the commands to build' \
+            'your code, for example:'
+          echo '  make bootstrap'
+          echo '  make release'
+          exit 1
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@fca7ace96b7d713c7035871441bd52efbe39e27e
+        with:
+          category: '/language:${{matrix.language}}'

.github/workflows/container-build.yml

@@ -24,35 +24,37 @@ jobs:
           echo "RELEASE_DATE=$(date -u '+%Y-%m-%dT%H:%M:%S%z')" >> ${GITHUB_ENV}
 
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
 
       # https://github.com/docker/setup-qemu-action
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
 
       # https://github.com/docker/setup-buildx-action
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
 
       # https://github.com/docker/login-action
       - name: Login to GHCR
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Login to Docker Hub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       # https://github.com/docker/metadata-action
       - name: Set container meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804
         with:
           images: |
             ${{ env.IMAGE_NAME }}
@@ -63,15 +65,19 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}
             type=sha
+            type=raw,value=latest
 
       # https://github.com/docker/build-push-action
       - name: Build and push
         id: build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
         with:
           context: .
-          platforms: linux/386, linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64/v8, linux/ppc64le, linux/s390x
+          platforms: linux/amd64,linux/arm64
           build-args: BUILD_DATE=${{ env.RELEASE_DATE }}
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          provenance: true

.github/workflows/label-syncer.yml

@@ -11,13 +11,20 @@ jobs:
   build:
     name: Sync repository labels from file
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
     steps:
       - name: Checkout Code
         id: checkout-code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Sync repository labels from file
         id: labeling
-        uses: micnncim/action-label-syncer@v1
+        uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0 commit SHA
         if: success()
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/trivy.yml

@@ -12,7 +12,7 @@ on:
     # The branches below must be a subset of the branches above
     branches: ['main']
   schedule:
-    - cron: '32 5 * * 2'
+    - cron: '0 5 * * *'
 
 env:
   IMAGE_NAME: 'aessing/chronyd'
@@ -30,21 +30,50 @@ jobs:
     runs-on: 'ubuntu-latest'
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build an image from Dockerfile
         run: |
           docker build -t docker.io/${{ env.IMAGE_NAME }}:trivy-${{ github.sha }} .
 
+<<<<<<< HEAD
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
+=======
+      - name: Run Trivy vulnerability scanner (image)
+        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37
+>>>>>>> 8b53ce9 (Repo Update 2025-06)
         with:
           image-ref: 'docker.io/${{ env.IMAGE_NAME }}:trivy-${{ github.sha }}'
           format: 'sarif'
-          output: 'trivy-results.sarif'
+          output: 'trivy-image-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+
+      - name: Run Trivy vulnerability scanner (requirements.txt)
+        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'trivy-py-results.sarif'
           severity: 'CRITICAL,HIGH'
+          exit-code: '1'
 
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+      - name: Upload Trivy image scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: 'trivy-image-results.sarif'
+          category: 'trivy-image'
+
+      - name: Upload Trivy Python scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e
+        with:
+          sarif_file: 'trivy-py-results.sarif'
+          category: 'trivy-python'
+
+      - name: Docker cleanup
+        run: |
+          docker rmi docker.io/${{ env.IMAGE_NAME }}:trivy-${{ github.sha }} || true

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2023 Andre Essing
+Copyright (c) 2025 Andre Essing
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal