Merge branch 'master' into empty-frontier

.github/workflows/backend.yml

@@ -35,15 +35,14 @@ jobs:
             github.com:443
             md-hdd-t032zjxllntc.z26.blob.storage.azure.net:443
             objects.githubusercontent.com:443
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Setup dotnet
         uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1
         with:
           dotnet-version: ${{ matrix.dotnet }}
       - name: Install ffmpeg
         uses: FedericoCarboni/setup-ffmpeg@36c6454b5a2348e7794ba2d82a21506605921e3d # v3
-
-      # Coverage.
       - name: Run coverage tests
         run: dotnet test Backend.Tests/Backend.Tests.csproj
         shell: bash
@@ -54,19 +53,16 @@ jobs:
           name: coverage
           path: Backend.Tests/coverage.cobertura.xml
           retention-days: 7
-
-      # Development build.
-      - run: dotnet build BackendFramework.sln
-
-      # Release build.
-      - run: dotnet publish BackendFramework.sln
-
-      # Fmt.
-      - run: dotnet format --verify-no-changes
+      - name: Development build
+        run: dotnet build BackendFramework.sln
+      - name: Release build
+        run: dotnet publish BackendFramework.sln
+      - name: Format check
+        run: dotnet format --verify-no-changes
 
   upload_coverage:
     needs: test_build
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -146,8 +142,8 @@ jobs:
         uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
 
   docker_build:
+    if: ${{ github.event.type }} == "PullRequest"
     runs-on: ubuntu-22.04
-    #    if: ${{ github.event.type }} == "PullRequest"
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -170,7 +166,8 @@ jobs:
             ts-crl.ws.symantec.com:80
       # For subfolders, currently a full checkout is required.
       # See: https://github.com/marketplace/actions/build-and-push-docker-images#path-context
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
       - name: Build backend

.github/workflows/codeql.yml

@@ -13,10 +13,10 @@ name: "CodeQL"
 
 on:
   push:
-    branches: ["master"]
+    branches: [master]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: ["master"]
+    branches: [master]
   schedule:
     - cron: "21 8 * * 3"
 
@@ -26,7 +26,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions:
       actions: read
       contents: read

.github/workflows/combine_deploy_image.yml

@@ -11,7 +11,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.

.github/workflows/database.yml

@@ -10,7 +10,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 jobs:
   docker_build:
     if: ${{ github.event.type }} == "PullRequest"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -26,7 +26,8 @@ jobs:
             registry-1.docker.io:443
       # For subfolders, currently a full checkout is required.
       # See: https://github.com/marketplace/actions/build-and-push-docker-images#path-context
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
       - name: Build database image

.github/workflows/dependency-review.yml

@@ -14,7 +14,7 @@ permissions:
 
 jobs:
   dependency-review:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1

.github/workflows/deploy_qa.yml

@@ -13,7 +13,7 @@ jobs:
       matrix:
         component: [frontend, backend, maintenance, database]
 
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     outputs:
       image_tag: ${{ steps.build_combine.outputs.image_tag }}
     steps:
@@ -64,7 +64,7 @@ jobs:
           build_component: ${{ matrix.component }}
   clean_ecr_repo:
     needs: build
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.

.github/workflows/deploy_release.yml

@@ -13,7 +13,7 @@ jobs:
     strategy:
       matrix:
         component: [frontend, backend, maintenance, database]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     outputs:
       image_tag: ${{ steps.build_combine.outputs.image_tag }}
     steps:

.github/workflows/frontend.yml

@@ -11,7 +11,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 
 jobs:
   lint_build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     strategy:
       matrix:
         node-version: [20]
@@ -40,7 +40,7 @@ jobs:
       - run: npm run build
 
   test_coverage:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     strategy:
       matrix:
         node-version: [20]
@@ -64,7 +64,8 @@ jobs:
         with:
           node-version: ${{ matrix.node-version }}
       - run: npm ci
-      - run: npm run test-frontend:coverage
+      - name: Run tests and generate coverage
+        run: npm run test-frontend:coverage
         env:
           CI: true
       - name: Upload coverage artifact
@@ -77,7 +78,7 @@ jobs:
 
   upload_coverage:
     needs: test_coverage
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -110,8 +111,8 @@ jobs:
           name: Frontend
 
   docker_build:
-    runs-on: ubuntu-latest
     if: ${{ github.event.type }} == "PullRequest"
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -128,7 +129,8 @@ jobs:
             pypi.org:443
             registry-1.docker.io:443
             registry.npmjs.org:443
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
       - name: Build frontend

.github/workflows/maintenance.yml

@@ -10,7 +10,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 jobs:
   docker_build:
     if: ${{ github.event.type }} == "PullRequest"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -30,7 +30,8 @@ jobs:
             security.ubuntu.com:80
       # For subfolders, currently a full checkout is required.
       # See: https://github.com/marketplace/actions/build-and-push-docker-images#path-context
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
       - name: Build maintenance image

.github/workflows/pages.yml

@@ -12,7 +12,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 
 jobs:
   deploy:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.

.github/workflows/python.yml

@@ -11,7 +11,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 
 jobs:
   tox:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     strategy:
       matrix:
         python-version: ["3.12"]

.github/workflows/scorecards.yml

@@ -21,7 +21,7 @@ permissions: read-all
 jobs:
   analysis:
     name: Scorecards analysis
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions:
       # Needed to upload the results to code-scanning dashboard.
       security-events: write

deploy/ansible/playbook_k3s_airgapped_files.yml

@@ -32,13 +32,13 @@
         dest: "{{ package_dir }}/{{ item }}"
         url: "https://github.com/k3s-io/k3s/releases/download/{{ k3s_version }}/{{ item }}"
       loop:
-        - k3s-airgap-images-amd64.tar.zst
+        - k3s-airgap-images-{{ cpu_arch }}.tar.zst
         - k3s
-        - sha256sum-amd64.txt
+        - sha256sum-{{ cpu_arch }}.txt
 
     - name: Verify k3s downloads
       shell:
-        cmd: sha256sum --check --ignore-missing sha256sum-amd64.txt
+        cmd: sha256sum --check --ignore-missing sha256sum-{{ cpu_arch }}.txt
         chdir: "{{ package_dir }}"
       changed_when: false
 
@@ -50,9 +50,9 @@
     - name: Download kubectl
       get_url:
         dest: "{{ package_dir }}/kubectl"
-        url: "https://dl.k8s.io/release/{{ kubectl_version }}/bin/linux/amd64/kubectl"
+        url: "https://dl.k8s.io/release/{{ kubectl_version }}/bin/linux/{{ cpu_arch }}/kubectl"
 
     - name: Download helm
       get_url:
         dest: "{{ package_dir }}/helm.tar.gz"
-        url: "https://get.helm.sh/helm-{{ helm_version }}-linux-amd64.tar.gz"
+        url: "https://get.helm.sh/helm-{{ helm_version }}-linux-{{ cpu_arch }}.tar.gz"

deploy/ansible/roles/container_engine/defaults/main.yml

@@ -3,3 +3,4 @@ container_packages:
   - containerd.io
 
 keyring_location: /etc/apt/keyrings
+cpu_arch: amd64

deploy/ansible/roles/container_engine/tasks/main.yml

@@ -40,7 +40,7 @@
 
 - name: Add Docker repository
   apt_repository:
-    repo: "deb [arch=amd64 signed-by={{ keyring_location }}/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+    repo: "deb [arch={{ cpu_arch }} signed-by={{ keyring_location }}/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
     state: present
     filename: docker
 

deploy/ansible/roles/container_images/defaults/main.yml

@@ -4,3 +4,4 @@
 
 source_image_dir: ../airgap-images
 airgap_image_dir: /var/lib/rancher/k3s/agent/images
+cpu_arch: amd64

deploy/ansible/roles/container_images/tasks/main.yml

@@ -1,6 +1,11 @@
 ---
+##############################################################
+# Role: container_images
+#
 # Setup airgap images in {{ airgap_image_dir }} to be
 # available when k3s and subsequent helm charts are installed.
+#
+##############################################################
 
 - name: Create airgap image directory
   file:
@@ -18,9 +23,9 @@
     group: root
     mode: 0644
   loop:
-    - k3s-airgap-images-amd64.tar.zst
-    - middleware-airgap-images-amd64.tar.zst
-    - combine-airgap-images-amd64.tar.zst
+    - k3s-airgap-images-{{ cpu_arch }}.tar.zst
+    - middleware-airgap-images-{{ cpu_arch }}.tar.zst
+    - combine-airgap-images-{{ cpu_arch }}.tar.zst
 
 # Add k3s, kubectl and the k3s installation script to
 # /usr/local/bin
@@ -51,7 +56,7 @@
 
 - name: Create link to helm binary
   file:
-    src: /opt/helm/{{ helm_version }}/linux-amd64/helm
+    src: /opt/helm/{{ helm_version }}/linux-{{ cpu_arch }}/helm
     dest: /usr/local/bin/helm
     state: link
     owner: root

deploy/ansible/roles/helm_install/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
 helm_version: v3.15.2
-helm_arch: linux-amd64
+cpu_arch: amd64
 
-helm_download_dir: /opt/helm-{{ helm_version }}-{{ helm_arch }}
+helm_download_dir: /opt/helm-{{ helm_version }}-linux-{{ cpu_arch }}

deploy/ansible/roles/helm_install/tasks/main.yml

@@ -9,8 +9,7 @@
 
 - name: Get Latest Release
   get_url:
-    # https://get.helm.sh/helm-v3.13.2-linux-amd64.tar.gz
-    url: "https://get.helm.sh/helm-{{ helm_version }}-{{ helm_arch }}.tar.gz"
+    url: "https://get.helm.sh/helm-{{ helm_version }}-linux-{{ cpu_arch }}.tar.gz"
     dest: "{{ helm_download_dir }}/helm.tar.gz"
     owner: root
     group: root
@@ -20,11 +19,11 @@
   command:
     cmd: "tar -zxvf {{ helm_download_dir }}/helm.tar.gz"
     chdir: "{{ helm_download_dir }}"
-    creates: "{{ helm_download_dir }}/{{ helm_arch }}/helm"
+    creates: "{{ helm_download_dir }}/linux-{{ cpu_arch }}/helm"
 
 - name: Link to extracted helm file
   file:
-    src: "{{ helm_download_dir }}/{{ helm_arch }}/helm"
+    src: "{{ helm_download_dir }}/linux-{{ cpu_arch }}/helm"
     path: /usr/local/bin/helm
     state: link
     owner: root

deploy/ansible/vars/k3s_versions.yml

@@ -2,3 +2,4 @@
 k3s_version: "v1.30.1%2Bk3s1"
 kubectl_version: "v1.30.2"
 helm_version: "v3.15.2"
+cpu_arch: "amd64"

deploy/helm/aws-login/templates/aws-ecr-login-cronjob.yaml

@@ -59,7 +59,11 @@ spec:
                 configMapKeyRef:
                   key: DOCKER_EMAIL
                   name: {{ .Values.awsEcr.configName }}
-            resources: {}
+            resources:
+              requests:
+                memory: 128Mi
+              limits:
+                memory: 128Mi
             securityContext:
               capabilities: {}
             terminationMessagePath: /dev/termination-log

deploy/helm/aws-login/templates/aws-ecr-login-oneshot.yaml

@@ -59,7 +59,11 @@ spec:
             configMapKeyRef:
               key: DOCKER_EMAIL
               name: "{{ .Values.awsEcr.configName }}"
-        resources: {}
+        resources:
+          requests:
+            memory: 128Mi
+          limits:
+            memory: 128Mi
         securityContext:
           capabilities: {}
         terminationMessagePath: /dev/termination-log