build(deps): bump postcss from 8.5.6 to 8.5.14 in /src/deps

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -51,7 +51,7 @@ body:
       label: BunkerWeb version
       description: What version of BunkerWeb are you running?
       placeholder: Version
-      value: 1.6.9
+      value: 1.6.10
     validations:
       required: true
   - type: dropdown

.github/workflows/beta.yml

@@ -110,8 +110,8 @@ jobs:
             ubuntu,
             debian-bookworm,
             debian-trixie,
-            fedora-42,
             fedora-43,
+            fedora-44,
             rhel-8,
             rhel-9,
             rhel-10,
@@ -126,10 +126,10 @@ jobs:
             package: deb
           - linux: debian-trixie
             package: deb
-          - linux: fedora-42
-            package: rpm
           - linux: fedora-43
             package: rpm
+          - linux: fedora-44
+            package: rpm
           - linux: rhel-8
             package: rpm
           - linux: rhel-9
@@ -229,8 +229,8 @@ jobs:
             ubuntu,
             debian-bookworm,
             debian-trixie,
-            fedora-42,
             fedora-43,
+            fedora-44,
             el-8,
             el-9,
             el-10,
@@ -255,15 +255,15 @@ jobs:
             suffix: ""
             version: trixie
             package: deb
-          - linux: fedora-42
+          - linux: fedora-43
             separator: "-"
             suffix: "1."
-            version: 42
+            version: 43
             package: rpm
-          - linux: fedora-43
+          - linux: fedora-44
             separator: "-"
             suffix: "1."
-            version: 43
+            version: 44
             package: rpm
           - linux: el-8
             separator: "-"
@@ -294,10 +294,10 @@ jobs:
           - linux: debian-trixie
             arch: amd64
             package_arch: amd64
-          - linux: fedora-42
+          - linux: fedora-43
             arch: amd64
             package_arch: x86_64
-          - linux: fedora-43
+          - linux: fedora-44
             arch: amd64
             package_arch: x86_64
           - linux: el-8
@@ -321,10 +321,10 @@ jobs:
           - linux: debian-trixie
             arch: arm64
             package_arch: arm64
-          - linux: fedora-42
+          - linux: fedora-43
             arch: arm64
             package_arch: aarch64
-          - linux: fedora-43
+          - linux: fedora-44
             arch: arm64
             package_arch: aarch64
           - linux: el-8

.github/workflows/codeql.yml

@@ -36,12 +36,12 @@ jobs:
           python -m pip install --no-cache-dir --require-hashes -r src/common/db/requirements.txt
           echo "CODEQL_PYTHON=$(which python)" >> $GITHUB_ENV
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql.yml
           setup-python-dependencies: false
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/container-build.yml

@@ -85,13 +85,13 @@ jobs:
           endpoint: ssh://root@arm
           platforms: linux/arm64,linux/arm/v7
       - name: Login to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
       - name: Login to ghcr
         if: inputs.PUSH == true
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -105,7 +105,7 @@ jobs:
       # Build cached image
       - name: Build image
         if: inputs.CACHE == true
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           context: .
           file: ${{ inputs.DOCKERFILE }}
@@ -118,7 +118,7 @@ jobs:
       # Build non-cached image
       - name: Build image
         if: inputs.CACHE != true
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           context: .
           file: ${{ inputs.DOCKERFILE }}
@@ -127,30 +127,17 @@ jobs:
           tags: local/${{ inputs.IMAGE }}
           cache-to: type=registry,ref=docker.io/bunkerity/bw-images-cache:${{ inputs.IMAGE }}-${{ inputs.RELEASE }}-${{ inputs.CACHE_SUFFIX }},mode=max
           labels: ${{ steps.meta.outputs.labels }}
-      # Check OS vulnerabilities
-      - name: Check OS vulnerabilities
+      # Check vulnerabilities with Docker Scout
+      - name: Docker Scout CVE Analysis
         if: ${{ startsWith(inputs.CACHE_SUFFIX, 'arm') == false }}
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+        uses: docker/scout-action@bacf462e8d090c09660de30a6ccc718035f961e3 # v1.20.4
         with:
-          vuln-type: os
-          skip-dirs: /root/.cargo
-          image-ref: local/${{ inputs.IMAGE }}
-          format: table
-          exit-code: 1
-          ignore-unfixed: false
-          severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
-          trivyignores: .trivyignore
-        env:
-          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
-      # - name: Docker Scout Analysis # TODO: Add back when the openssl shenanigans are fixed
-      #   if: ${{ startsWith(inputs.CACHE_SUFFIX, 'arm') == false }}
-      #   uses: docker/scout-action@aceeb83b88f2ae54376891227858dda7af647183 # v1.18.1
-      #   with:
-      #     command: cves,recommendations
-      #     image: local/${{ inputs.IMAGE }}
-      #     only-fixed: true
-      #     only-package-types: apk
-      #     exit-code: true
+          command: cves,recommendations
+          image: local/${{ inputs.IMAGE }}
+          only-package-types: apk,golang
+          only-fixed: true
+          exit-code: false
+          summary: true
       # Push image
       - name: Push image
         if: inputs.PUSH == true

.github/workflows/create-arm.yml

@@ -36,7 +36,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Get ARM availabilities
         id: availabilities
-        uses: scaleway/action-scw@be2696f261325a78354eda14988c80405f33e082
+        uses: scaleway/action-scw@2e34a1eb35cf3cac627f24643a101fea269cbd83
         with:
           args: instance server-type get zone=fr-par-2
           export-config: true
@@ -46,14 +46,14 @@ jobs:
           default-organization-id: ${{ secrets.SCW_DEFAULT_ORGANIZATION_ID }}
       - name: Extract ARM type
         run: |
-          TYPE=$(echo "$JSON" | jq '.servers | with_entries(select(.key | contains("COPARM1-"))) | with_entries(select(.value.availability != "shortage")) | keys[] | select(. | test("^COPARM1-[0-9]+C-[0-9]+G$"))' | sed 's/"//g' | cut -d '-' -f 2,3 | sort -g | tail -n 1 | xargs -I {} echo "COPARM1-{}")
+          TYPE=$(echo "$JSON" | jq -r '.servers | to_entries | map(select(.key | test("^BASIC2-A[0-9]+C-[0-9]+G$"))) | map(select(.value.availability != "shortage")) | map(. + {cores: (.key | capture("A(?<n>[0-9]+)C") | .n | tonumber), ram: (.key | capture("C-(?<n>[0-9]+)G") | .n | tonumber)}) | sort_by(.cores, .ram) | last.key')
           echo "Type is $TYPE"
           echo "TYPE=$TYPE" >> "$GITHUB_ENV"
         env:
           JSON: ${{ steps.availabilities.outputs.json }}
       - name: Create ARM VM
         id: scw
-        uses: scaleway/action-scw@be2696f261325a78354eda14988c80405f33e082
+        uses: scaleway/action-scw@2e34a1eb35cf3cac627f24643a101fea269cbd83
         with:
           args: instance server create zone=fr-par-2 type=${{ env.TYPE }} root-volume=block:100GB
       - name: Get info
@@ -62,7 +62,7 @@ jobs:
           echo "id=${{ fromJson(steps.scw.outputs.json).id }}" >> "$GITHUB_OUTPUT"
           echo "ip=${{ fromJson(steps.scw.outputs.json).public_ip.address }}" >> "$GITHUB_OUTPUT"
       - name: Wait for VM
-        uses: scaleway/action-scw@be2696f261325a78354eda14988c80405f33e082
+        uses: scaleway/action-scw@2e34a1eb35cf3cac627f24643a101fea269cbd83
         with:
           args: instance server wait ${{ fromJson(steps.scw.outputs.json).ID }} zone=fr-par-2
       - name: Wait for SSH

.github/workflows/dev.yml

@@ -53,8 +53,8 @@ jobs:
             ubuntu,
             debian-bookworm,
             debian-trixie,
-            fedora-42,
             fedora-43,
+            fedora-44,
             rhel-8,
             rhel-9,
             rhel-10,
@@ -69,10 +69,10 @@ jobs:
             package: deb
           - linux: debian-trixie
             package: deb
-          - linux: fedora-42
-            package: rpm
           - linux: fedora-43
             package: rpm
+          - linux: fedora-44
+            package: rpm
           - linux: rhel-8
             package: rpm
           - linux: rhel-9
@@ -189,12 +189,12 @@ jobs:
             to: bunkerweb-all-in-one
     steps:
       - name: Login to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
       - name: Login to ghcr
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -213,8 +213,8 @@ jobs:
             ubuntu,
             debian-bookworm,
             debian-trixie,
-            fedora-42,
             fedora-43,
+            fedora-44,
             el-8,
             el-9,
             el-10,
@@ -242,17 +242,17 @@ jobs:
             suffix: ""
             version: trixie
             package: deb
-          - linux: fedora-42
+          - linux: fedora-43
             package_arch: x86_64
             separator: "-"
             suffix: "1."
-            version: 42
+            version: 43
             package: rpm
-          - linux: fedora-43
+          - linux: fedora-44
             package_arch: x86_64
             separator: "-"
             suffix: "1."
-            version: 43
+            version: 44
             package: rpm
           - linux: el-8
             package_arch: x86_64

.github/workflows/doc-to-pdf.yml

@@ -19,11 +19,11 @@ jobs:
         with:
           python-version: "3.10"
       - name: Install doc dependencies
-        run: pip install --no-cache-dir --require-hashes -r docs/requirements.txt && sudo apt update && sudo apt install -y libcairo2-dev libfreetype6-dev libffi-dev libjpeg-dev libpng-dev libz-dev
+        run: pip install --no-cache-dir --require-hashes -r docs/requirements.txt && sudo apt update && sudo apt install -y libcairo2-dev libfreetype6-dev libffi-dev libjpeg-dev libpng-dev libz-dev pngquant
       - name: Install chromium
         run: sudo apt update && sudo apt install chromium-browser
       - name: Install node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 22
       - name: Install puppeteer
@@ -35,7 +35,8 @@ jobs:
         run: mkdocs serve -f mkdocs_print.yml & sleep 15
       - name: Run pdf script
         run: node docs/misc/pdf.js http://localhost:8000/print_page/ BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf 'BunkerWeb documentation v${{ inputs.VERSION }}'
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf
+          retention-days: 7
           path: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf

.github/workflows/linux-build.yml

@@ -94,20 +94,20 @@ jobs:
           endpoint: ssh://root@arm
           platforms: linux/arm64,linux/arm/v7
       - name: Login to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
       - name: Login to ghcr
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       # Build testing package image
       - name: Build package image
         if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui' || inputs.RELEASE == '1.5'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           context: .
           load: true
@@ -119,7 +119,7 @@ jobs:
       # Build non-testing package image
       - name: Build package image
         if: inputs.RELEASE != 'testing' && inputs.RELEASE != 'dev' && inputs.RELEASE != 'ui' && inputs.RELEASE != '1.5'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           context: .
           load: true
@@ -143,9 +143,10 @@ jobs:
           scp -r root@arm:/root/package-${{ inputs.LINUX }} ./package-${{ inputs.LINUX }}
         env:
           LARCH: ${{ env.LARCH }}
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: package-${{ inputs.LINUX }}-${{ env.LARCH }}
+          retention-days: 7
           path: package-${{ inputs.LINUX }}/*.${{ inputs.PACKAGE }}
       # Build test image
       - name: Extract metadata
@@ -156,7 +157,7 @@ jobs:
           images: ghcr.io/bunkerity/${{ inputs.LINUX }}-tests:${{ inputs.RELEASE }}
       - name: Build test image
         if: inputs.TEST == true
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           context: .
           file: tests/linux/Dockerfile-${{ inputs.LINUX }}

.github/workflows/push-doc.yml

@@ -37,7 +37,7 @@ jobs:
         with:
           python-version: "3.10"
       - name: Install doc dependencies
-        run: pip install --no-cache-dir --require-hashes -r docs/requirements.txt && sudo apt update && sudo apt install -y libcairo2-dev libfreetype6-dev libffi-dev libjpeg-dev libpng-dev libz-dev
+        run: pip install --no-cache-dir --require-hashes -r docs/requirements.txt && sudo apt update && sudo apt install -y libcairo2-dev libfreetype6-dev libffi-dev libjpeg-dev libpng-dev libz-dev pngquant
       - name: Set up hidden documentation
         if: inputs.HIDDEN == true
         run: |

.github/workflows/push-docker.yml

@@ -35,12 +35,12 @@ jobs:
       - name: Check out repository code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Login to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
       - name: Login to ghcr
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -87,7 +87,7 @@ jobs:
           images: bunkerity/${{ inputs.IMAGE }}
       # Build and push
       - name: Build and push
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           context: .
           file: ${{ inputs.DOCKERFILE }}