From a2cee47118101122d45a7dd7a8c5cac18a565e02 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 21 Mar 2026 13:44:56 +0000 Subject: [PATCH 1/3] chore(deps): update all non-major dependencies --- .github/workflows/security_scan.yaml | 8 ++++---- .github/workflows/test_terraform_module_lint.yaml | 2 +- base_requirements.txt | 4 ++-- github-runner-manager/requirements.txt | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/security_scan.yaml b/.github/workflows/security_scan.yaml index 920182858f..bb1868cfd1 100644 --- a/.github/workflows/security_scan.yaml +++ b/.github/workflows/security_scan.yaml @@ -31,7 +31,7 @@ jobs: fi - name: Run Trivy scan for logs - uses: aquasecurity/trivy-action@0.34.0 + uses: aquasecurity/trivy-action@v0.35.0 with: scan-type: "fs" scan-ref: "." @@ -39,7 +39,7 @@ jobs: trivyignores: ".trivyignore" - name: Run Trivy scan for SARIF report - uses: aquasecurity/trivy-action@0.34.0 + uses: aquasecurity/trivy-action@v0.35.0 with: scan-type: "fs" scan-ref: "." @@ -49,7 +49,7 @@ jobs: output: "trivy-results.sarif" - name: Upload SARIF to GitHub Security tab - uses: github/codeql-action/upload-sarif@v4.32.3 + uses: github/codeql-action/upload-sarif@v4.34.1 with: sarif_file: "trivy-results.sarif" @@ -78,7 +78,7 @@ jobs: fi - name: Run Trivy to generate SBOM - uses: aquasecurity/trivy-action@0.34.0 + uses: aquasecurity/trivy-action@v0.35.0 with: scan-type: "fs" scan-ref: "." diff --git a/.github/workflows/test_terraform_module_lint.yaml b/.github/workflows/test_terraform_module_lint.yaml index d4ad522892..db032c4fef 100644 --- a/.github/workflows/test_terraform_module_lint.yaml +++ b/.github/workflows/test_terraform_module_lint.yaml @@ -42,7 +42,7 @@ jobs: working-directory: ${{env.WORKING_DIR}} - name: Setup Tflint - uses: terraform-linters/setup-tflint@v6.2.1 + uses: terraform-linters/setup-tflint@v6.2.2 with: tflint_wrapper_enabled: true 
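Review bot: The bumped refs in security_scan.yaml (`aquasecurity/trivy-action@v0.35.0` in three steps, `github/codeql-action/upload-sarif@v4.34.1`) and `terraform-linters/setup-tflint@v6.2.2` in test_terraform_module_lint.yaml are still version tags, which the publishing repository can repoint to different code after this merge. These steps run third-party code inside the scan and SARIF-upload jobs, so pin each to the full commit SHA and keep the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # v0.35.0`. The Trivy ref also changes form from `0.34.0` to `v0.35.0`; confirm the `v`-prefixed tag is the one upstream publishes before merging. Each step's enclosing job starts outside its hunk, so the token permissions those jobs run with are not visible here.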
diff --git a/base_requirements.txt b/base_requirements.txt index 54d4aa6e9a..93df62875b 100644 --- a/base_requirements.txt +++ b/base_requirements.txt @@ -1,12 +1,12 @@ PyGithub==2.8.1 jinja2==3.1.6 fabric==3.2.2 -ops==3.5.2 +ops==3.6.0 pylxd @ git+https://github.com/canonical/pylxd requests==2.32.5 typing-extensions==4.15.0 cryptography==46.0.5 pydantic==1.10.26 -cosl==1.4.0 +cosl==1.6.1 PyYAML==6.0.3 pyOpenSSL==26.0.0 diff --git a/github-runner-manager/requirements.txt b/github-runner-manager/requirements.txt index c76e31790d..8a633ff922 100644 --- a/github-runner-manager/requirements.txt +++ b/github-runner-manager/requirements.txt @@ -4,7 +4,7 @@ flask==3.1.2 PyGithub==2.8.1 jinja2==3.1.6 kombu==5.6.2 -openstacksdk==4.9.0 +openstacksdk==4.10.0 prometheus-client==0.24.1 pydantic==1.10.26 pymongo==4.16.0 From df4a669b1dfa7a68df90975f4fc1cbbcd664930e Mon Sep 17 00:00:00 2001 From: Christopher Bartz Date: Thu, 21 May 2026 13:11:29 +0200 Subject: [PATCH 2/3] ci: add pull-requests write permission to Tests workflow The org-level default GITHUB_TOKEN permissions changed from read+write to read. The check-libraries action needs pull-requests: write to post labels on PRs. --- .github/workflows/test.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index c88ff8b1f4..66c6568979 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -3,6 +3,9 @@ name: Tests on: pull_request: +permissions: + pull-requests: write + jobs: unit-tests: uses: canonical/operator-workflows/.github/workflows/test.yaml@main From b81cf022de60c2ac2c8b4eb0d40a903bc3ecfaf9 Mon Sep 17 00:00:00 2001 
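Review bot: The workflow-level `permissions:` block added to test.yaml lists only `pull-requests: write`, and once any scope is listed every unlisted scope becomes `none`, so `contents: read` is dropped for all jobs. The called workflow at `canonical/operator-workflows/.github/workflows/test.yaml@main` is not visible here; if any of its jobs request `contents: read` or check out a non-public repository, the run can fail. List both scopes, preferably on the calling job rather than the whole workflow: under `unit-tests:` add `permissions:` with `contents: read` and `pull-requests: write`. The same block is added to bot_pr_approval.yaml in patch 3/3 and has the same gap. The `jobs:` mapping continues past the end of the hunk, so other jobs that would inherit the write scope cannot be ruled out.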
From: Christopher Bartz Date: Thu, 21 May 2026 13:18:21 +0200 Subject: [PATCH 3/3] ci: add pull-requests write permission to bot PR approval workflow The org-level default GITHUB_TOKEN permissions changed from read+write to read. The bot_pr_approval action needs pull-requests: write to approve PRs via the GitHub API. --- .github/workflows/bot_pr_approval.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/bot_pr_approval.yaml b/.github/workflows/bot_pr_approval.yaml index e38c5841dd..b1157d331e 100644 --- a/.github/workflows/bot_pr_approval.yaml +++ b/.github/workflows/bot_pr_approval.yaml @@ -3,6 +3,9 @@ name: Provide approval for bot PRs on: pull_request: +permissions: + pull-requests: write + jobs: bot_pr_approval: uses: canonical/operator-workflows/.github/workflows/bot_pr_approval.yaml@main
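Review bot: With `pull-requests: write` the token handed to the `bot_pr_approval` job can submit approving reviews, and the logic that decides which pull requests qualify lives in `canonical/operator-workflows/.github/workflows/bot_pr_approval.yaml@main`, a branch ref that can change without any commit in this repository. Pin the `uses:` line to a full commit SHA, e.g. `uses: canonical/operator-workflows/.github/workflows/bot_pr_approval.yaml@<full-commit-sha>`, so a change to the approval criteria arrives as a reviewable diff. If branch protection counts this approval toward required reviews, that setting is worth confirming alongside this change. A one-line comment above the block, such as `# needed to approve bot PRs via the API; org default token is read-only`, would record why the scope is granted.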