Upsync (for later)

.dockerignore

@@ -0,0 +1,31 @@
+.git
+.github
+.gitignore
+.idea
+.vscode
+.dockerignore
+
+# Build artifacts
+**/node_modules
+ui/build
+
+# Test files inside containers (Go tests aren't run from Dockerfiles)
+**/*_test.go
+
+# Documentation and unrelated assets
+guides
+images
+helm
+architecture.md
+readme.md
+ATTRIBUTION
+LICENSE
+CODE_OF_CONDUCT.md
+*.md
+
+# Tooling and local dev
+Taskfile.yaml
+build-and-deploy.sh
+
+# OS junk
+.DS_Store

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,12 @@
+### Description
+
+<!-- ✍️-->
+A clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.
+
+### AI Tool Disclosure
+
+- [ ] My contribution does not include any AI-generated content
+- [ ] My contribution includes AI-generated content, as disclosed below:
+    - AI Tools: `[e.g. GitHub CoPilot, ChatGPT, JetBrains Junie etc.]`
+    - LLMs and versions: `[e.g. GPT-4.1, Claude Haiku 4.5, Gemini 2.5 Pro etc.]`
+    - Prompts: `[Summarize the key prompts or instructions given to the AI tools]`

.github/dependabot.yaml

@@ -0,0 +1,57 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    groups:
+      golang-dependencies:
+        patterns:
+          - "*"
+
+  - package-ecosystem: "npm"
+    directory: "/ui"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    groups:
+      npm-dependencies:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+      npm-breaking-updates-dependencies:
+        patterns:
+          - "*"
+        update-types:
+          - "major"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    groups:
+      docker-dependencies:
+        patterns:
+          - "*"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    groups:
+      github-actions-dependencies:
+        patterns:
+          - "*"

.github/release.yml

@@ -0,0 +1,20 @@
+changelog:
+  categories:
+    - title: "🚀 Features"
+      labels:
+        - "feature"
+        - "enhancement"
+    - title: "🐛 Bug Fixes"
+      labels:
+        - "fix"
+        - "bugfix"
+        - "bug"
+    - title: "📚 Docs"
+      labels:
+        - "documentation"
+    - title: "🌐 I18N"
+      labels:
+        - "i18n"
+    - title: "🧰 Maintenance"
+      labels:
+        - "maintenance"

.github/workflows/publish.yml

@@ -1,67 +1,100 @@
+name: "Release Build"
 on:
   release:
     types: [published]
-name: "Publish Docker Images"
+env:
+  CONTAINER_REGISTRY: ghcr.io/juice-shop
 jobs:
   helmRelease:
-    name: "Package Helm Chart"
+    name: "Publish Helm Chart"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     steps:
-      - uses: actions/checkout@v1
-      - name: "Install yq"
-        run: |
-          sudo snap install yq
-      - name: "Patch Chart.yaml to the current released version"
-        working-directory: helm/multi-juicer/
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - id: release-version
+        name: Parse Release Version
         run: |
           RELEASE_VERSION="${GITHUB_REF#refs/*/}"
           # Remove leading 'v' from git tag to create valid semver
           RELEASE_VERSION="${RELEASE_VERSION//v}"
-          # patch the version & appVersion in the Chart.yaml to the release version
-          yq eval -i ".version = \"$RELEASE_VERSION\", .appVersion = \"$RELEASE_VERSION\"" Chart.yaml
-      - uses: J12934/helm-gh-pages-action@v2.0.0
-        with:
-          access-token: ${{ secrets.ACCESS_TOKEN }}
-          charts-folder: helm
-          deploy-branch: gh-pages
+          echo "version=$RELEASE_VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: "Login to Package Registry"
+        run: 'echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login --username ${{ github.actor }} --password-stdin ${{ env.CONTAINER_REGISTRY }}'
+
+      - name: "Package Helm Chart"
+        working-directory: helm/multi-juicer/
+        run: |
+          helm package --version "${{ steps.release-version.outputs.version }}" --app-version "${{ steps.release-version.outputs.version }}" .
+
+      - name: "Push Helm Chart"
+        working-directory: helm/multi-juicer/
+        run: |
+          helm push "multi-juicer-${{ steps.release-version.outputs.version }}.tgz" oci://${{ env.CONTAINER_REGISTRY }}/multi-juicer/helm
+
   dockerBuilds:
     name: "Build"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write # needed for signing the images with GitHub OIDC Token
     strategy:
       matrix:
         component:
           - progress-watchdog
           - cleaner
-          - juice-balancer
+          - balancer
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.0
 
-      - name: Docker Meta
-        id: docker_meta
-        uses: docker/metadata-action@v3
+      - id: image-metadata
+        name: Container Image Metadata
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
         with:
-          images: iteratec/${{ matrix.component }}
+          images: ${{ env.CONTAINER_REGISTRY }}/multi-juicer/${{ matrix.component }}
           tags: |
             type=semver,pattern={{raw}}
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      - name: Login to Container Registry
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          registry: ${{ env.CONTAINER_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract JuiceShop Version from Helm Values
+        id: extract-juice-shop-version
+        run: |
+          JUICE_SHOP_VERSION=$(yq eval '.config.juiceShop.tag' helm/multi-juicer/values.yaml)
+          echo "version=$JUICE_SHOP_VERSION" >> "$GITHUB_OUTPUT"
 
-      - name: Build and Push
-        uses: docker/build-push-action@v3
+      - id: build-and-push
+        name: Build and Push
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
-          context: ./${{ matrix.component }}
-          file: ./${{ matrix.component }}/Dockerfile
-          platforms: linux/amd64,linux/arm/v7,linux/arm64
+          context: .
+          file: ./containers/${{ matrix.component }}/Dockerfile
+          platforms: linux/amd64,linux/arm64
           push: true
-          tags: ${{ steps.docker_meta.outputs.tags }}
-          labels: ${{ steps.docker_meta.outputs.labels }}
+          tags: ${{ steps.image-metadata.outputs.tags }}
+          labels: ${{ steps.image-metadata.outputs.labels }}
+          build-args: |
+            JUICE_SHOP_VERSION=${{ steps.extract-juice-shop-version.outputs.version }}
+
+      - name: Sign the images with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.image-metadata.outputs.tags }}
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}