Release 20250901 (#5763)

pkippes · web-flow · commit ddcb43fc446a · 2025-09-22T10:04:07.000+02:00
diff --git a/.githooks/pre-commit b/.githooks/pre-commit
@@ -0,0 +1,12 @@
+#!/usr/bin/env sh
+set -eu
+
+# ensure gitleaks is available
+if ! command -v gitleaks >/dev/null 2>&1; then
+  echo "Error: gitleaks is not installed or not in PATH." >&2
+  echo "Install: https://github.com/gitleaks/gitleaks#install" >&2
+  exit 1
+fi
+
+# scan for secrets before commit
+gitleaks detect --no-git --verbose
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -24,4 +24,4 @@ selinux/**                          @centreon/owners-pipelines
 
 .gitleaks.toml                      @centreon/owners-security
 .gitleaksignore                     @centreon/owners-security
-**/checkmarx-analysis.yml           @centreon/owners-security
+**/security-checks.yml              @centreon/owners-security
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
@@ -19,18 +19,18 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout sources
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Download actionlint
         id: get_actionlint
-        run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+        run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/v1.7.7/scripts/download-actionlint.bash)
         shell: bash
 
       - name: Check workflow files
         run: |
           ${{ steps.get_actionlint.outputs.executable }} \
-          -ignore 'label "centreon-common" is unknown' \
-          -ignore 'label "centreon-collect-arm64" is unknown' \
+          -ignore 'label "centreon-(common|collect-arm64)" is unknown' \
+          -ignore 'label "ubuntu-(24.04|24.04-arm)" is unknown' \
           -ignore '"github.head_ref" is potentially untrusted' \
           -shellcheck= \
           -pyflakes= \
@@ -39,12 +39,15 @@ jobs:
 
       - name: Ensure SHA pinned actions
         uses: centreon/github-actions-ensure-sha-pinned-actions@47d553c67ceb08ad660deaeb3b994e47a3dd8fc3 # v3.0.23.3
+        with:
+          allowlist: |
+            centreon/security-tools
 
   yaml-lint:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout sources
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Install Yaml
         run: |
diff --git a/.github/workflows/checkmarx-analysis.yml b/.github/workflows/checkmarx-analysis.yml
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
diff --git a/.github/workflows/perl-cpan-libraries.yml b/.github/workflows/perl-cpan-libraries.yml
@@ -100,7 +100,7 @@ jobs:
           - spec_file: ""
           - no-auto-depends: "false"
           - preinstall_cpanlibs: ""
-          - revision: "1"
+          - revision: "2"
           - distrib: el8
             package_extension: rpm
             image: packaging-plugins-alma8
@@ -112,7 +112,7 @@ jobs:
           - name: "Crypt::Argon2"
             preinstall_cpanlibs: "Dist::Build"
             rpm_provides: "perl-Crypt-Argon2-debuginfo perl(Crypt::Argon2)"
-            revision: "2"
+            revision: "3"
           - name: "DateTime::Format::Duration::ISO8601"
             rpm_provides: "perl(DateTime-Format-Duration-ISO8601)"
           - name: "Device::Modbus::RTU::Client"
@@ -128,15 +128,15 @@ jobs:
           - name: "Libssh::Session"
             rpm_dependencies: "libssh"
             rpm_provides: "perl-Libssh-Session-debuginfo perl(Libssh::Session) perl(Libssh::Sftp)"
-            revision: "2"
+            revision: "3"
           - name: "Mojo::IOLoop::Signal"
             rpm_dependencies: "perl-Mojolicious"
             rpm_provides: "perl(Mojo::IOLoop::Signal)"
             no-auto-depends: "true"
           - name: "Net::Curl"
             rpm_dependencies: "libcurl"
             rpm_provides: "perl-Net-Curl-debuginfo perl(Net::Curl) perl(Net::Curl::Compat) perl(Net::Curl::Easy) perl(Net::Curl::Form) perl(Net::Curl::Multi) perl(Net::Curl::Share)"
-            revision: "2"
+            revision: "3"
           - name: "Net::DHCP"
             rpm_provides: "perl(Net::DHCP::Constants) perl(Net::DHCP::Packet)"
           - name: "Net::SMTPS"
@@ -240,7 +240,7 @@ jobs:
 
           temp_file=$(mktemp)
           echo "default.local" | tee /etc/mailname
-          created_package=$(fpm -s cpan -t ${{ matrix.package_extension }} --rpm-dist ${{ matrix.distrib }} --verbose --cpan-verbose --no-cpan-test$PACKAGE_DEPENDENCIES$PACKAGE_PROVIDES$PACKAGE_VERSION --iteration ${{ matrix.revision }} ${{ matrix.name }} | tee "$temp_file" | grep "Created package" | grep -oP '(?<=:path=>").*?(?=")')
+          created_package=$(fpm -s cpan -t ${{ matrix.package_extension }} --rpm-dist ${{ matrix.distrib }} --rpm-digest sha256 --verbose --cpan-verbose --no-cpan-test$PACKAGE_DEPENDENCIES$PACKAGE_PROVIDES$PACKAGE_VERSION --iteration ${{ matrix.revision }} ${{ matrix.name }} | tee "$temp_file" | grep "Created package" | grep -oP '(?<=:path=>").*?(?=")')
           # Check package name
           if [ -z "$created_package" ]; then
             echo "Error: fpm command failed"
diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
@@ -1,13 +1,10 @@
-name: plugins-analysis
+name: security-checks
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
 on:
-  workflow_dispatch:
-  schedule:
-    - cron: '30 0 * * 1-5'
   pull_request:
     branches:
       - develop
@@ -16,26 +13,22 @@ on:
     branches:
       - develop
       - master
+  workflow_dispatch:
+  schedule:
+    - cron: 0 1 * * 1-5
 
 jobs:
-  get-environment:
-    uses: ./.github/workflows/get-environment.yml
+  secrets_scan:
+    uses: centreon/security-tools/.github/workflows/gitleaks-analysis.yml@main
 
-  checkmarx-analysis:
-    needs: [get-environment]
-    if: |
-      needs.get-environment.outputs.skip_workflow == 'false' &&
-      github.event.pull_request.draft != 'true'
-    uses: ./.github/workflows/checkmarx-analysis.yml
+  code_scan:
+    uses: centreon/security-tools/.github/workflows/checkmarx-analysis.yml@main
     with:
+      module_directory:
       module_name: centreon-plugins
+      exclude_list:
     secrets:
       base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
       cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
       cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
       cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
-
-  set-skip-label:
-    needs: [get-environment, checkmarx-analysis]
-    if: needs.get-environment.outputs.skip_workflow == 'false'
-    uses: ./.github/workflows/set-pull-request-skip-label.yml
diff --git a/.gitleaksignore b/.gitleaksignore
diff --git a/.version.plugins b/.version.plugins
@@ -1 +1 @@
-20250900
+20250901
