Merge branch 'main' into feat/fork-pr-approve-build

.github/workflows/codeql-analysis.yml

@@ -35,11 +35,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2
+      uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -50,7 +50,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2
+      uses: github/codeql-action/autobuild@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -64,4 +64,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2
+      uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2

.github/workflows/reviewdog.yml

@@ -12,7 +12,7 @@ jobs:
 
     steps:
     - name: clone
-      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
     - name: install go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
@@ -23,7 +23,7 @@ jobs:
         check-latest: true
 
     - name: golangci-lint
-      uses: reviewdog/action-golangci-lint@24d4af2fc93f5b2b296229e8b0c0f658d25707af # v2
+      uses: reviewdog/action-golangci-lint@94d61e3205b61acf4ddabfeb13c5f8a13eb4167b # v2
       with:
         github_token: ${{ secrets.github_token }}
         golangci_lint_flags: "--config=.golangci.yml"
@@ -36,7 +36,7 @@ jobs:
 
     steps:
     - name: clone
-      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
     - name: install go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
@@ -47,7 +47,7 @@ jobs:
         check-latest: true
 
     - name: golangci-lint
-      uses: reviewdog/action-golangci-lint@24d4af2fc93f5b2b296229e8b0c0f658d25707af # v2
+      uses: reviewdog/action-golangci-lint@94d61e3205b61acf4ddabfeb13c5f8a13eb4167b # v2
       with:
         github_token: ${{ secrets.github_token }}
         golangci_lint_flags: "--config=.golangci.yml"

.github/workflows/schema.yml

@@ -13,7 +13,7 @@ jobs:
 
     steps:
     - name: clone
-      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
     - name: install go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4

.github/workflows/test.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
     - name: clone
-      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
     - name: install go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4

.github/workflows/validate.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
     - name: clone
-      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
     - name: install go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4

cmd/schema/main.go

@@ -98,6 +98,7 @@ func main() {
 			"pull_request:opened",
 			"pull_request:synchronize",
 			"push",
+			"schedule",
 			"tag",
 		},
 		"path":   {},

constants/action.go

@@ -16,6 +16,9 @@ const (
 	// ActionRenamed defines the action for renaming a repository.
 	ActionRenamed = "renamed"
 
+	// ActionReopened defines the action for re-opening a pull request (or issue).
+	ActionReopened = "reopened"
+
 	// ActionSynchronize defines the action for the synchronizing of pull requests.
 	ActionSynchronize = "synchronize"
 

constants/secret.go

@@ -4,6 +4,12 @@ package constants
 
 // Secret types.
 const (
+	// SecretPullBuild defines the pull policy type for a secret.
+	SecretPullBuild = "build_start"
+
+	// SecretPullStep defines the pull policy type for a secret.
+	SecretPullStep = "step_start"
+
 	// SecretOrg defines the secret type for a secret scoped to a specific org.
 	SecretOrg = "org"
 

go.mod

@@ -8,14 +8,14 @@ require (
 	github.com/drone/envsubst v1.0.3
 	github.com/ghodss/yaml v1.0.0
 	github.com/lib/pq v1.10.9
-	github.com/microcosm-cc/bluemonday v1.0.25
+	github.com/microcosm-cc/bluemonday v1.0.26
 )
 
 require (
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/gorilla/css v1.0.0 // indirect
 	github.com/kr/pretty v0.2.0 // indirect
-	golang.org/x/net v0.12.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 	gopkg.in/yaml.v2 v2.3.0 // indirect
 )

go.sum

@@ -19,10 +19,10 @@ github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/microcosm-cc/bluemonday v1.0.25 h1:4NEwSfiJ+Wva0VxN5B8OwMicaJvD8r9tlJWm9rtloEg=
-github.com/microcosm-cc/bluemonday v1.0.25/go.mod h1:ZIOjCQp1OrzBBPIJmfX4qDYFuhU02nx4bn030ixfHLE=
-golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50=
-golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
+github.com/microcosm-cc/bluemonday v1.0.26 h1:xbqSvqzQMeEHCqMi64VAs4d8uy6Mequs3rQ0k/Khz58=
+github.com/microcosm-cc/bluemonday v1.0.26/go.mod h1:JyzOCs9gkyQyjs+6h10UEVSe02CGwkhd72Xdqh78TWs=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

library/log.go

@@ -54,7 +54,7 @@ func (l *Log) MaskData(secrets []string) {
 		// create regexp to match secrets in the log data surrounded by regexp metacharacters
 		//
 		// https://pkg.go.dev/regexp#MustCompile
-		buffer := `(\s|^|=|"|\?|:|'|\.|,|&|$|;)`
+		buffer := `(\s|^|=|"|\?|:|'|\.|,|&|$|;|\[|\])`
 		re := regexp.MustCompile((buffer + escaped + buffer))
 
 		// create a mask for the secret

library/log_test.go

@@ -54,6 +54,8 @@ func TestLibrary_Log_MaskData(t *testing.T) {
 	s4Masked := "SOME_SECRET=***"
 	s5 := "www.example.com?username=secret&password=extrasecret"
 	s5Masked := "www.example.com?username=***&password=***"
+	s6 := "[token: extrasecret]"
+	s6Masked := "[token: ***]"
 
 	tests := []struct {
 		want    []byte
@@ -85,6 +87,11 @@ func TestLibrary_Log_MaskData(t *testing.T) {
 			log:     []byte(s5),
 			secrets: sVals,
 		},
+		{ // secret in verbose brackets
+			want:    []byte(s6Masked),
+			log:     []byte(s6),
+			secrets: sVals,
+		},
 		{ // empty secrets slice
 			want:    []byte(s3),
 			log:     []byte(s3),

pipeline/secret.go

@@ -28,6 +28,7 @@ type (
 		Engine string     `json:"engine,omitempty" yaml:"engine,omitempty"`
 		Type   string     `json:"type,omitempty"   yaml:"type,omitempty"`
 		Origin *Container `json:"origin,omitempty" yaml:"origin,omitempty"`
+		Pull   string     `json:"pull,omitempty"   yaml:"pull,omitempty"`
 	}
 
 	// StepSecretSlice is the pipeline representation