From f25f58c143be7671ab05bd434196478f6483c53f Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Fri, 17 Apr 2026 00:03:33 +0000 Subject: [PATCH 1/7] chore(deps): pin dependencies --- .gitea/workflows/release-image.yaml | 42 ++++++++++++++--------------- .gitea/workflows/renovate.yaml | 2 +- .gitea/workflows/test-build.yaml | 12 ++++----- 3 files changed, 28 insertions(+), 28 deletions(-) diff --git a/.gitea/workflows/release-image.yaml b/.gitea/workflows/release-image.yaml index 6ceb713..546cc0e 100644 --- a/.gitea/workflows/release-image.yaml +++ b/.gitea/workflows/release-image.yaml @@ -12,17 +12,17 @@ jobs: runs-on: ubuntu-js steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.2 with: ref: release - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@v6.3.0 with: node-version: 24.14.1 - name: Set up Bun - uses: oven-sh/setup-bun@v2 + uses: oven-sh/setup-bun@v2.2.0 with: bun-version: 1.3.12 @@ -30,7 +30,7 @@ jobs: run: bun install --frozen-lockfile - name: Cache Astro Build Cache - uses: actions/cache@v5 + uses: actions/cache@v5.0.5 with: path: | .astro @@ -64,12 +64,12 @@ jobs: runs-on: ubuntu-js steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.2 with: ref: release - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@v6.2.0 with: python-version: '3.12.13' @@ -106,18 +106,18 @@ jobs: new-release-git-tag: ${{ steps.semantic.outputs.new-release-git-tag }} steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.2 with: fetch-depth: 0 token: ${{ secrets.BOT_TOKEN }} - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@v6.3.0 with: node-version: 24.14.1 - name: Set up Bun - uses: oven-sh/setup-bun@v2 + uses: oven-sh/setup-bun@v2.2.0 with: bun-version: 1.3.12 @@ -139,19 +139,19 @@ jobs: if: ${{ needs.semantic-release.outputs.new-release-published == 'true' }} steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.2 with: ref: release - name: Login to Harbor Registry - uses: docker/login-action@v4 + uses: docker/login-action@v4.1.0 with: registry: ${{ vars.REGISTRY_HOST }} username: ${{ vars.REGISTRY_USER }} password: ${{ secrets.REGISTRY_SECRET }} - name: Login to Docker - uses: docker/login-action@v4 + uses: docker/login-action@v4.1.0 with: registry: ${{ vars.DH_REGISTRY }} username: ${{ secrets.DH_USERNAME }} @@ -164,7 +164,7 @@ jobs: - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@v4.0.0 with: driver: kubernetes driver-opts: | @@ -179,7 +179,7 @@ jobs: - name: Extract Metadata id: meta - uses: docker/metadata-action@v6 + uses: docker/metadata-action@v6.0.0 with: images: | ${{ vars.REGISTRY_HOST }}/images/site-documentation @@ -192,7 +192,7 @@ jobs: type=semver,pattern={{major}},value=${{ needs.semantic-release.outputs.new-release-version }} - name: Build and Push Image - uses: docker/build-push-action@v7 + uses: docker/build-push-action@v7.1.0 with: context: . push: true @@ -243,19 +243,19 @@ jobs: needs.semantic-release.outputs.new-release-published == 'true' steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.2 with: ref: release - name: Login to Gitea Registry - uses: docker/login-action@v4 + uses: docker/login-action@v4.1.0 with: registry: ${{ vars.REPOSITORY_HOST }} username: ${{ gitea.actor }} password: ${{ secrets.REPOSITORY_TOKEN }} - name: Login to Docker - uses: docker/login-action@v4 + uses: docker/login-action@v4.1.0 with: registry: ${{ vars.DH_REGISTRY }} username: ${{ secrets.DH_USERNAME }} @@ -268,7 +268,7 @@ jobs: - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@v4.0.0 with: driver: kubernetes driver-opts: | @@ -283,7 +283,7 @@ jobs: - name: Extract Metadata id: meta - uses: docker/metadata-action@v6 + uses: docker/metadata-action@v6.0.0 with: images: | ${{ vars.REPOSITORY_HOST }}/${{ gitea.repository }} @@ -296,7 +296,7 @@ jobs: type=semver,pattern={{major}},value=${{ needs.semantic-release.outputs.new-release-version }} - name: Build and Push Image - uses: docker/build-push-action@v7 + uses: docker/build-push-action@v7.1.0 with: context: . push: true diff --git a/.gitea/workflows/renovate.yaml b/.gitea/workflows/renovate.yaml index 4d531b0..0b2a463 100644 --- a/.gitea/workflows/renovate.yaml +++ b/.gitea/workflows/renovate.yaml @@ -12,7 +12,7 @@ jobs: container: ghcr.io/renovatebot/renovate:43 steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.2 - name: Renovate run: renovate diff --git a/.gitea/workflows/test-build.yaml b/.gitea/workflows/test-build.yaml index ed4c6d4..14d6395 100644 --- a/.gitea/workflows/test-build.yaml +++ b/.gitea/workflows/test-build.yaml @@ -17,15 +17,15 @@ jobs: runs-on: ubuntu-js steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.2 - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@v6.3.0 with: node-version: 24.14.1 - name: Set up Bun - uses: oven-sh/setup-bun@v2 + uses: oven-sh/setup-bun@v2.2.0 with: bun-version: 1.3.12 @@ -33,7 +33,7 @@ jobs: run: bun install --frozen-lockfile - name: Cache Astro Build Cache - uses: actions/cache@v5 + uses: actions/cache@v5.0.5 with: path: | .astro @@ -67,10 +67,10 @@ jobs: runs-on: ubuntu-js steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.2 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@v6.2.0 with: python-version: '3.12.13' From c19e74b5ef58749722f9a5efbd2fdb28f11802d6 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 18 Apr 2026 00:01:51 +0000 Subject: [PATCH 2/7] chore(deps): update dependency typescript to v6.0.3 --- bun.lock | 4 ++-- package.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/bun.lock b/bun.lock index 83c70c9..719fafc 100644 --- a/bun.lock +++ b/bun.lock @@ -35,7 +35,7 @@ "prettier-plugin-tailwindcss": "0.7.2", "semantic-release": "25.0.3", "semantic-release-export-data": "1.2.0", - "typescript": "6.0.2", + "typescript": "6.0.3", "typescript-eslint": "8.58.2", }, }, @@ -1623,7 +1623,7 @@ "type-fest": ["type-fest@0.10.0", "", {}, "sha512-EUV9jo4sffrwlg8s0zDhP0T2WD3pru5Xi0+HTE3zTUmBaZNhfkite9PdSJwdXLwPVW0jnAHT56pZHIOYckPEiw=="], - "typescript": ["typescript@6.0.2", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-bGdAIrZ0wiGDo5l8c++HWtbaNCWTS4UTv7RaTH/ThVIgjkveJt83m74bBHMJkuCbslY8ixgLBVZJIOiQlQTjfQ=="], + "typescript": ["typescript@6.0.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw=="], "typescript-eslint": ["typescript-eslint@8.58.2", "", { "dependencies": { "@typescript-eslint/eslint-plugin": "8.58.2", "@typescript-eslint/parser": "8.58.2", "@typescript-eslint/typescript-estree": "8.58.2", "@typescript-eslint/utils": "8.58.2" }, "peerDependencies": { "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0", "typescript": ">=4.8.4 <6.1.0" } }, "sha512-V8iSng9mRbdZjl54VJ9NKr6ZB+dW0J3TzRXRGcSbLIej9jV86ZRtlYeTKDR/QLxXykocJ5icNzbsl2+5TzIvcQ=="], diff --git a/package.json b/package.json index 539851f..26cd2cb 100644 --- a/package.json +++ b/package.json @@ -42,7 +42,7 @@ "prettier-plugin-tailwindcss": "0.7.2", "semantic-release": "25.0.3", "semantic-release-export-data": "1.2.0", - "typescript": "6.0.2", + "typescript": "6.0.3", "typescript-eslint": "8.58.2" } } From 7691af66b259c21a306c203db199caeac7b63467 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 18 Apr 2026 06:03:49 +0000 Subject: [PATCH 3/7] chore(deps): update dependency eslint to v10.2.1 --- bun.lock | 14 +++++++------- package.json | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/bun.lock b/bun.lock index 719fafc..c45c036 100644 --- a/bun.lock +++ b/bun.lock @@ -27,7 +27,7 @@ "@tailwindcss/forms": "0.5.11", "@tailwindcss/typography": "0.5.19", "@typescript-eslint/parser": "8.58.2", - "eslint": "10.2.0", + "eslint": "10.2.1", "eslint-config-prettier": "10.1.8", "eslint-plugin-astro": "1.7.0", "prettier": "3.8.3", @@ -149,15 +149,15 @@ "@eslint-community/regexpp": ["@eslint-community/regexpp@4.12.2", "", {}, "sha512-EriSTlt5OC9/7SXkRSCAhfSxxoSUgBm33OH+IkwbdpgoqsSsUg7y3uh+IICI/Qg4BBWr3U2i39RpmycbxMq4ew=="], - "@eslint/config-array": ["@eslint/config-array@0.23.4", "", { "dependencies": { "@eslint/object-schema": "^3.0.4", "debug": "^4.3.1", "minimatch": "^10.2.4" } }, "sha512-lf19F24LSMfF8weXvW5QEtnLqW70u7kgit5e9PSx0MsHAFclGd1T9ynvWEMDT1w5J4Qt54tomGeAhdoAku1Xow=="], + "@eslint/config-array": ["@eslint/config-array@0.23.5", "", { "dependencies": { "@eslint/object-schema": "^3.0.5", "debug": "^4.3.1", "minimatch": "^10.2.4" } }, "sha512-Y3kKLvC1dvTOT+oGlqNQ1XLqK6D1HU2YXPc52NmAlJZbMMWDzGYXMiPRJ8TYD39muD/OTjlZmNJ4ib7dvSrMBA=="], - "@eslint/config-helpers": ["@eslint/config-helpers@0.5.4", "", { "dependencies": { "@eslint/core": "^1.2.0" } }, "sha512-jJhqiY3wPMlWWO3370M86CPJ7pt8GmEwSLglMfQhjXal07RCvhmU0as4IuUEW5SJeunfItiEetHmSxCCe9lDBg=="], + "@eslint/config-helpers": ["@eslint/config-helpers@0.5.5", "", { "dependencies": { "@eslint/core": "^1.2.1" } }, "sha512-eIJYKTCECbP/nsKaaruF6LW967mtbQbsw4JTtSVkUQc9MneSkbrgPJAbKl9nWr0ZeowV8BfsarBmPpBzGelA2w=="], - "@eslint/core": ["@eslint/core@1.2.0", "", { "dependencies": { "@types/json-schema": "^7.0.15" } }, "sha512-8FTGbNzTvmSlc4cZBaShkC6YvFMG0riksYWRFKXztqVdXaQbcZLXlFbSpC05s70sGEsXAw0qwhx69JiW7hQS7A=="], + "@eslint/core": ["@eslint/core@1.2.1", "", { "dependencies": { "@types/json-schema": "^7.0.15" } }, "sha512-MwcE1P+AZ4C6DWlpin/OmOA54mmIZ/+xZuJiQd4SyB29oAJjN30UW9wkKNptW2ctp4cEsvhlLY/CsQ1uoHDloQ=="], - "@eslint/object-schema": ["@eslint/object-schema@3.0.4", "", {}, "sha512-55lO/7+Yp0ISKRP0PsPtNTeNGapXaO085aELZmWCVc5SH3jfrqpuU6YgOdIxMS99ZHkQN1cXKE+cdIqwww9ptw=="], + "@eslint/object-schema": ["@eslint/object-schema@3.0.5", "", {}, "sha512-vqTaUEgxzm+YDSdElad6PiRoX4t8VGDjCtt05zn4nU810UIx/uNEV7/lZJ6KwFThKZOzOxzXy48da+No7HZaMw=="], - "@eslint/plugin-kit": ["@eslint/plugin-kit@0.7.0", "", { "dependencies": { "@eslint/core": "^1.2.0", "levn": "^0.4.1" } }, "sha512-ejvBr8MQCbVsWNZnCwDXjUKq40MDmHalq7cJ6e9s/qzTUFIIo/afzt1Vui9T97FM/V/pN4YsFVoed5NIa96RDg=="], + "@eslint/plugin-kit": ["@eslint/plugin-kit@0.7.1", "", { "dependencies": { "@eslint/core": "^1.2.1", "levn": "^0.4.1" } }, "sha512-rZAP3aVgB9ds9KOeUSL+zZ21hPmo8dh6fnIFwRQj5EAZl9gzR7wxYbYXYysAM8CTqGmUGyp2S4kUdV17MnGuWQ=="], "@expressive-code/core": ["@expressive-code/core@0.41.7", "", { "dependencies": { "@ctrl/tinycolor": "4.2.0", "hast-util-select": "6.0.4", "hast-util-to-html": "9.0.5", "hast-util-to-text": "4.0.2", "hastscript": "9.0.1", "postcss": "8.5.8", "postcss-nested": "6.2.0", "unist-util-visit": "5.1.0", "unist-util-visit-parents": "6.0.2" } }, "sha512-ck92uZYZ9Wba2zxkiZLsZGi9N54pMSAVdrI9uW3Oo9AtLglD5RmrdTwbYPCT2S/jC36JGB2i+pnQtBm/Ib2+dg=="], @@ -743,7 +743,7 @@ "escape-string-regexp": ["escape-string-regexp@4.0.0", "", {}, "sha512-TtpcNJ3XAzx3Gq8sWRzJaVajRs0uVxA2YAkdb1jm2YkPz4G6egUFAyA3n5vtEIZefPk5Wa4UXbKuS5fKkJWdgA=="], - "eslint": ["eslint@10.2.0", "", { "dependencies": { "@eslint-community/eslint-utils": "^4.8.0", "@eslint-community/regexpp": "^4.12.2", "@eslint/config-array": "^0.23.4", "@eslint/config-helpers": "^0.5.4", "@eslint/core": "^1.2.0", "@eslint/plugin-kit": "^0.7.0", "@humanfs/node": "^0.16.6", "@humanwhocodes/module-importer": "^1.0.1", "@humanwhocodes/retry": "^0.4.2", "@types/estree": "^1.0.6", "ajv": "^6.14.0", "cross-spawn": "^7.0.6", "debug": "^4.3.2", "escape-string-regexp": "^4.0.0", "eslint-scope": "^9.1.2", "eslint-visitor-keys": "^5.0.1", "espree": "^11.2.0", "esquery": "^1.7.0", "esutils": "^2.0.2", "fast-deep-equal": "^3.1.3", "file-entry-cache": "^8.0.0", "find-up": "^5.0.0", "glob-parent": "^6.0.2", "ignore": "^5.2.0", "imurmurhash": "^0.1.4", "is-glob": "^4.0.0", "json-stable-stringify-without-jsonify": "^1.0.1", "minimatch": "^10.2.4", "natural-compare": "^1.4.0", "optionator": "^0.9.3" }, "peerDependencies": { "jiti": "*" }, "optionalPeers": ["jiti"], "bin": { "eslint": "bin/eslint.js" } }, "sha512-+L0vBFYGIpSNIt/KWTpFonPrqYvgKw1eUI5Vn7mEogrQcWtWYtNQ7dNqC+px/J0idT3BAkiWrhfS7k+Tum8TUA=="], + "eslint": ["eslint@10.2.1", "", { "dependencies": { "@eslint-community/eslint-utils": "^4.8.0", "@eslint-community/regexpp": "^4.12.2", "@eslint/config-array": "^0.23.5", "@eslint/config-helpers": "^0.5.5", "@eslint/core": "^1.2.1", "@eslint/plugin-kit": "^0.7.1", "@humanfs/node": "^0.16.6", "@humanwhocodes/module-importer": "^1.0.1", "@humanwhocodes/retry": "^0.4.2", "@types/estree": "^1.0.6", "ajv": "^6.14.0", "cross-spawn": "^7.0.6", "debug": "^4.3.2", "escape-string-regexp": "^4.0.0", "eslint-scope": "^9.1.2", "eslint-visitor-keys": "^5.0.1", "espree": "^11.2.0", "esquery": "^1.7.0", "esutils": "^2.0.2", "fast-deep-equal": "^3.1.3", "file-entry-cache": "^8.0.0", "find-up": "^5.0.0", "glob-parent": "^6.0.2", "ignore": "^5.2.0", "imurmurhash": "^0.1.4", "is-glob": "^4.0.0", "json-stable-stringify-without-jsonify": "^1.0.1", "minimatch": "^10.2.4", "natural-compare": "^1.4.0", "optionator": "^0.9.3" }, "peerDependencies": { "jiti": "*" }, "optionalPeers": ["jiti"], "bin": { "eslint": "bin/eslint.js" } }, "sha512-wiyGaKsDgqXvF40P8mDwiUp/KQjE1FdrIEJsM8PZ3XCiniTMXS3OHWWUe5FI5agoCnr8x4xPrTDZuxsBlNHl+Q=="], "eslint-compat-utils": ["eslint-compat-utils@0.6.5", "", { "dependencies": { "semver": "7.7.4" }, "peerDependencies": { "eslint": "10.0.3" } }, "sha512-vAUHYzue4YAa2hNACjB8HvUQj5yehAZgiClyFVVom9cP8z5NSFq3PwB/TtJslN2zAMgRX6FCFCjYBbQh71g5RQ=="], diff --git a/package.json b/package.json index 26cd2cb..0e849aa 100644 --- a/package.json +++ b/package.json @@ -34,7 +34,7 @@ "@tailwindcss/forms": "0.5.11", "@tailwindcss/typography": "0.5.19", "@typescript-eslint/parser": "8.58.2", - "eslint": "10.2.0", + "eslint": "10.2.1", "eslint-config-prettier": "10.1.8", "eslint-plugin-astro": "1.7.0", "prettier": "3.8.3", From 4b01ed56546d645756d8b8967e3ed37d50d3ad22 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sun, 19 Apr 2026 00:01:48 +0000 Subject: [PATCH 4/7] fix(deps): update dependency astro to v6.1.8 --- bun.lock | 10 ++++++---- package.json | 2 +- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/bun.lock b/bun.lock index c45c036..26bd818 100644 --- a/bun.lock +++ b/bun.lock @@ -11,7 +11,7 @@ "@astrojs/starlight": "0.38.3", "@tailwindcss/postcss": "4.2.2", "@tailwindcss/vite": "4.2.2", - "astro": "6.1.7", + "astro": "6.1.8", "sanitize-html": "2.17.3", "sharp": "0.34.5", "starlight-theme-rapide": "0.5.2", @@ -67,7 +67,7 @@ "@astrojs/starlight": ["@astrojs/starlight@0.38.3", "", { "dependencies": { "@astrojs/markdown-remark": "^7.0.0", "@astrojs/mdx": "^5.0.0", "@astrojs/sitemap": "^3.7.1", "@pagefind/default-ui": "^1.3.0", "@types/hast": "^3.0.4", "@types/js-yaml": "^4.0.9", "@types/mdast": "^4.0.4", "astro-expressive-code": "^0.41.6", "bcp-47": "^2.1.0", "hast-util-from-html": "^2.0.1", "hast-util-select": "^6.0.2", "hast-util-to-string": "^3.0.0", "hastscript": "^9.0.0", "i18next": "^23.11.5", "js-yaml": "^4.1.0", "klona": "^2.0.6", "magic-string": "^0.30.17", "mdast-util-directive": "^3.0.0", "mdast-util-to-markdown": "^2.1.0", "mdast-util-to-string": "^4.0.0", "pagefind": "^1.3.0", "rehype": "^13.0.1", "rehype-format": "^5.0.0", "remark-directive": "^3.0.0", "ultrahtml": "^1.6.0", "unified": "^11.0.5", "unist-util-visit": "^5.0.0", "vfile": "^6.0.2" }, "peerDependencies": { "astro": "^6.0.0" } }, "sha512-kDlJPlUDdQFWYmyFM2yUPo66yws7v067AEK+/rQjjoVyqehL3DabuOJuy6UJFFTFyGbHxYcBms/ITEgdW7tphw=="], - "@astrojs/telemetry": ["@astrojs/telemetry@3.3.0", "", { "dependencies": { "ci-info": "4.4.0", "debug": "4.4.3", "dlv": "1.1.3", "dset": "3.1.4", "is-docker": "3.0.0", "is-wsl": "3.1.1", "which-pm-runs": "1.1.0" } }, "sha512-UFBgfeldP06qu6khs/yY+q1cDAaArM2/7AEIqQ9Cuvf7B1hNLq0xDrZkct+QoIGyjq56y8IaE2I3CTvG99mlhQ=="], + "@astrojs/telemetry": ["@astrojs/telemetry@3.3.1", "", { "dependencies": { "ci-info": "^4.4.0", "dlv": "^1.1.3", "dset": "^3.1.4", "is-docker": "^4.0.0", "is-wsl": "^3.1.1", "which-pm-runs": "^1.1.0" } }, "sha512-7fcIxXS9J4ls5tr8b3ww9rbAIz2+HrhNJYZdkAhhB4za/I5IZ/60g+Bs8q7zwG0tOIZfNB4JWhVJ1Qkl/OrNCw=="], "@babel/code-frame": ["@babel/code-frame@7.29.0", "", { "dependencies": { "@babel/helper-validator-identifier": "^7.28.5", "js-tokens": "^4.0.0", "picocolors": "^1.1.1" } }, "sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw=="], @@ -519,7 +519,7 @@ "astring": ["astring@1.9.0", "", { "bin": { "astring": "bin/astring" } }, "sha512-LElXdjswlqjWrPpJFg1Fx4wpkOCxj1TDHlSV4PlaRxHGWko024xICaa97ZkMfs6DRKlCguiAI+rbXv5GWwXIkg=="], - "astro": ["astro@6.1.7", "", { "dependencies": { "@astrojs/compiler": "^3.0.1", "@astrojs/internal-helpers": "0.8.0", "@astrojs/markdown-remark": "7.1.0", "@astrojs/telemetry": "3.3.0", "@capsizecss/unpack": "^4.0.0", "@clack/prompts": "^1.1.0", "@oslojs/encoding": "^1.1.0", "@rollup/pluginutils": "^5.3.0", "aria-query": "^5.3.2", "axobject-query": "^4.1.0", "ci-info": "^4.4.0", "clsx": "^2.1.1", "common-ancestor-path": "^2.0.0", "cookie": "^1.1.1", "devalue": "^5.6.3", "diff": "^8.0.3", "dset": "^3.1.4", "es-module-lexer": "^2.0.0", "esbuild": "^0.27.3", "flattie": "^1.1.1", "fontace": "~0.4.1", "github-slugger": "^2.0.0", "html-escaper": "3.0.3", "http-cache-semantics": "^4.2.0", "js-yaml": "^4.1.1", "magic-string": "^0.30.21", "magicast": "^0.5.2", "mrmime": "^2.0.1", "neotraverse": "^0.6.18", "obug": "^2.1.1", "p-limit": "^7.3.0", "p-queue": "^9.1.0", "package-manager-detector": "^1.6.0", "piccolore": "^0.1.3", "picomatch": "^4.0.3", "rehype": "^13.0.2", "semver": "^7.7.4", "shiki": "^4.0.2", "smol-toml": "^1.6.0", "svgo": "^4.0.1", "tinyclip": "^0.1.12", "tinyexec": "^1.0.4", "tinyglobby": "^0.2.15", "tsconfck": "^3.1.6", "ultrahtml": "^1.6.0", "unifont": "~0.7.4", "unist-util-visit": "^5.1.0", "unstorage": "^1.17.4", "vfile": "^6.0.3", "vite": "^7.3.1", "vitefu": "^1.1.2", "xxhash-wasm": "^1.1.0", "yargs-parser": "^22.0.0", "zod": "^4.3.6" }, "optionalDependencies": { "sharp": "^0.34.0" }, "bin": { "astro": "bin/astro.mjs" } }, "sha512-pvZysIUV2C2nRv8N7cXAkCLcfDQz/axAxF09SqiTz1B+xnvbhy6KzL2I6J15ZBXk8k0TfMD75dJ151QyQmAqZA=="], + "astro": ["astro@6.1.8", "", { "dependencies": { "@astrojs/compiler": "^3.0.1", "@astrojs/internal-helpers": "0.8.0", "@astrojs/markdown-remark": "7.1.0", "@astrojs/telemetry": "3.3.1", "@capsizecss/unpack": "^4.0.0", "@clack/prompts": "^1.1.0", "@oslojs/encoding": "^1.1.0", "@rollup/pluginutils": "^5.3.0", "aria-query": "^5.3.2", "axobject-query": "^4.1.0", "ci-info": "^4.4.0", "clsx": "^2.1.1", "common-ancestor-path": "^2.0.0", "cookie": "^1.1.1", "devalue": "^5.6.3", "diff": "^8.0.3", "dset": "^3.1.4", "es-module-lexer": "^2.0.0", "esbuild": "^0.27.3", "flattie": "^1.1.1", "fontace": "~0.4.1", "github-slugger": "^2.0.0", "html-escaper": "3.0.3", "http-cache-semantics": "^4.2.0", "js-yaml": "^4.1.1", "magic-string": "^0.30.21", "magicast": "^0.5.2", "mrmime": "^2.0.1", "neotraverse": "^0.6.18", "obug": "^2.1.1", "p-limit": "^7.3.0", "p-queue": "^9.1.0", "package-manager-detector": "^1.6.0", "piccolore": "^0.1.3", "picomatch": "^4.0.3", "rehype": "^13.0.2", "semver": "^7.7.4", "shiki": "^4.0.2", "smol-toml": "^1.6.0", "svgo": "^4.0.1", "tinyclip": "^0.1.12", "tinyexec": "^1.0.4", "tinyglobby": "^0.2.15", "tsconfck": "^3.1.6", "ultrahtml": "^1.6.0", "unifont": "~0.7.4", "unist-util-visit": "^5.1.0", "unstorage": "^1.17.4", "vfile": "^6.0.3", "vite": "^7.3.1", "vitefu": "^1.1.2", "xxhash-wasm": "^1.1.0", "yargs-parser": "^22.0.0", "zod": "^4.3.6" }, "optionalDependencies": { "sharp": "^0.34.0" }, "bin": { "astro": "bin/astro.mjs" } }, "sha512-6fT9M12U3fpi13DiPavNKDIoBflASTSxmKTEe+zXhWtlebQuOqfOnIrMWyRmlXp+mgDsojmw+fVFG9LUTzKSog=="], "astro-eslint-parser": ["astro-eslint-parser@1.3.0", "", { "dependencies": { "@astrojs/compiler": "2.13.1", "@typescript-eslint/scope-manager": "8.56.1", "@typescript-eslint/types": "8.56.1", "astrojs-compiler-sync": "1.1.1", "debug": "4.4.3", "entities": "6.0.1", "eslint-scope": "8.4.0", "eslint-visitor-keys": "4.2.1", "espree": "10.4.0", "fast-glob": "3.3.3", "is-glob": "4.0.3", "semver": "7.7.4" } }, "sha512-aOLc/aDR7lTWAHlytEefwn4Y6qs6uMr69DZvUx2A1AOAZsWhGB/paiRWPtVchh9wzMvLeqr+DkbENhVreVr9AQ=="], @@ -981,7 +981,7 @@ "is-decimal": ["is-decimal@2.0.1", "", {}, "sha512-AAB9hiomQs5DXWcRB1rqsxGUstbRroFOPPVAomNk/3XHR5JyEZChOyTWe2oayKnsSsr/kcGqF+z6yuH6HHpN0A=="], - "is-docker": ["is-docker@3.0.0", "", { "bin": { "is-docker": "cli.js" } }, "sha512-eljcgEDlEns/7AXFosB5K/2nCM4P7FQPkGc/DWLy5rmFEWvZayGrik1d9/QIY5nJ4f9YsVvBkA6kJpHn9rISdQ=="], + "is-docker": ["is-docker@4.0.0", "", { "bin": { "is-docker": "cli.js" } }, "sha512-LHE+wROyG/Y/0ZnbktRCoTix2c1RhgWaZraMZ8o1Q7zCh0VSrICJQO5oqIIISrcSBtrXv0o233w1IYwsWCjTzA=="], "is-extglob": ["is-extglob@2.1.1", "", {}, "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ=="], @@ -1837,6 +1837,8 @@ "import-fresh/resolve-from": ["resolve-from@4.0.0", "", {}, "sha512-pb/MYmXstAkysRFx8piNI1tGFNQIFA3vkE3Gq4EuA1dF6gHp/+vgZqsCGJapvy8N3Q+4o7FwvquPJcnZ7RYy4g=="], + "is-inside-container/is-docker": ["is-docker@3.0.0", "", { "bin": { "is-docker": "cli.js" } }, "sha512-eljcgEDlEns/7AXFosB5K/2nCM4P7FQPkGc/DWLy5rmFEWvZayGrik1d9/QIY5nJ4f9YsVvBkA6kJpHn9rISdQ=="], + "load-json-file/parse-json": ["parse-json@4.0.0", "", { "dependencies": { "error-ex": "^1.3.1", "json-parse-better-errors": "^1.0.1" } }, "sha512-aOIos8bujGN93/8Ox/jPLh7RwVnPEysynVFE+fQZyg6jKELEHwzgKdLRFHUgXJL6kylijVSBC4BvN9OmsB48Rw=="], "make-asynchronous/p-event": ["p-event@6.0.1", "", { "dependencies": { "p-timeout": "^6.1.2" } }, "sha512-Q6Bekk5wpzW5qIyUP4gdMEujObYstZl6DMMOSenwBvV0BlE5LkDwkjs5yHbZmdCEq2o4RJx4tE1vwxFVf2FG1w=="], diff --git a/package.json b/package.json index 0e849aa..9f39f88 100644 --- a/package.json +++ b/package.json @@ -18,7 +18,7 @@ "@astrojs/starlight": "0.38.3", "@tailwindcss/postcss": "4.2.2", "@tailwindcss/vite": "4.2.2", - "astro": "6.1.7", + "astro": "6.1.8", "sanitize-html": "2.17.3", "sharp": "0.34.5", "starlight-theme-rapide": "0.5.2", From c17b24f6c5633809ce9da6d11c646a1cd49aab2e Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sun, 19 Apr 2026 06:01:48 +0000 Subject: [PATCH 5/7] chore(deps): update dependency node to v24.15.0 --- .gitea/workflows/release-image.yaml | 4 ++-- .gitea/workflows/test-build.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.gitea/workflows/release-image.yaml b/.gitea/workflows/release-image.yaml index 546cc0e..196859c 100644 --- a/.gitea/workflows/release-image.yaml +++ b/.gitea/workflows/release-image.yaml @@ -19,7 +19,7 @@ jobs: - name: Set up Node uses: actions/setup-node@v6.3.0 with: - node-version: 24.14.1 + node-version: 24.15.0 - name: Set up Bun uses: oven-sh/setup-bun@v2.2.0 @@ -114,7 +114,7 @@ jobs: - name: Set up Node uses: actions/setup-node@v6.3.0 with: - node-version: 24.14.1 + node-version: 24.15.0 - name: Set up Bun uses: oven-sh/setup-bun@v2.2.0 diff --git a/.gitea/workflows/test-build.yaml b/.gitea/workflows/test-build.yaml index 14d6395..8edcbff 100644 --- a/.gitea/workflows/test-build.yaml +++ b/.gitea/workflows/test-build.yaml @@ -22,7 +22,7 @@ jobs: - name: Set up Node uses: actions/setup-node@v6.3.0 with: - node-version: 24.14.1 + node-version: 24.15.0 - name: Set up Bun uses: oven-sh/setup-bun@v2.2.0 From 07dd12971da61180827813be6bb4ed532e94f118 Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Sun, 19 Apr 2026 16:37:45 -0500 Subject: [PATCH 6/7] feat: rename to openbao --- .../{vault-ssh-ca.mdx => bao-ssh-ca.mdx} | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) rename src/content/docs/guides/{vault-ssh-ca.mdx => bao-ssh-ca.mdx} (64%) diff --git a/src/content/docs/guides/vault-ssh-ca.mdx b/src/content/docs/guides/bao-ssh-ca.mdx similarity index 64% rename from src/content/docs/guides/vault-ssh-ca.mdx rename to src/content/docs/guides/bao-ssh-ca.mdx index 01cca26..ea139e7 100644 --- a/src/content/docs/guides/vault-ssh-ca.mdx +++ b/src/content/docs/guides/bao-ssh-ca.mdx @@ -1,17 +1,17 @@ --- -title: Vault SSH Certificate Authority -description: Steps followed to enable using Vault as a CA for ssh login +title: OpenBao SSH Certificate Authority +description: Steps followed to enable using OpenBao as a CA for ssh login hero: tagline: Steps followed for the v1.12.0 upgrade process image: - file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/hashicorp-vault.webp + file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/openbao.webp --- # Setup -[Reference Vault Documentation](https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates#host-key-signing) +[Reference OpenBao Documentation](https://openbao.org/docs/secrets/ssh/signed-ssh-certificates/) -I have set the documenation to use my own defaults and configuration. This also assumes a running and active Vault instance. +I have set the documenation to use my own defaults and configuration. This also assumes a running and active OpenBao instance. ## Enable the SSH CA @@ -19,7 +19,7 @@ I followed the defaults mostly in the docs, reference the above link for details Start with enabling the mount. ```bash -vault secrets enable -path=ssh-client-signer ssh +bao secrets enable -path=ssh-client-signer ssh ``` Generate a key. This will be used only for signing and not for client authentication. Keep it in a secure location, rename the path the key will be written to. @@ -29,14 +29,14 @@ ssh-keygen -t rsa -C "alexanderlebens@gmail.com" Add the above signing key. ```bash -vault write ssh-client-signer/config/ca private_key="..." public_key="..." +bao write ssh-client-signer/config/ca private_key="..." public_key="..." ``` ## Create Client Role and Key -Once the above is complete, create a role to use to sign your own client cert. I used my common username and configurations. This can also be done in the Vault UI. +Once the above is complete, create a role to use to sign your own client cert. I used my common username and configurations. This can also be done in the OpenBao UI. ```bash -vault write ssh-client-signer/roles/alexlebens -<<"EOH" +bao write ssh-client-signer/roles/alexlebens -<<"EOH" { "algorithm_signer": "rsa-sha2-256", "allow_user_certificates": true, @@ -61,7 +61,7 @@ ssh-keygen -t rsa -C "alexanderlebens@gmail.com" ## Configure SSH to use the Key and Cert -SSH will defailt to using the cert when using the matching name "id_rsa_host-cert.pub" as shown in the renewal certificate section. Use the principal as signed by Vault as the User and set the IdentityFile to the Key as generated above. +SSH will defailt to using the cert when using the matching name "id_rsa_host-cert.pub" as shown in the renewal certificate section. Use the principal as signed by OpenBao as the User and set the IdentityFile to the Key as generated above. ``` Host ps08rp Hostname 10.232.1.51 @@ -75,7 +75,7 @@ Host ps08rp Download the public cert from the endpoint. ```bash -curl -o /etc/ssh/trusted-user-ca-keys.pem https://vault.alexlebens.net/v1/ssh-client-signer/public_key +curl -o /etc/ssh/trusted-user-ca-keys.pem https://bao.alexlebens.net/v1/ssh-client-signer/public_key ``` Then add that file to the sshd config. @@ -89,16 +89,16 @@ This step is currently manual as I have few hosts that I need ssh for. The most ## Renew Client Certificate -Sign the client cert, on your machine, with the Vault CA. +Sign the client cert, on your machine, with the OpenBao CA. ```bash -vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub +bao write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub ``` -I added the following to my .zshrc to make this easier. So now I just run "vault-renew" before I need to ssh. +I added the following to my .zshrc to make this easier. So now I just run "bao-renew" before I need to ssh. ``` -# Vault -export VAULT_ADDR="https://vault.alexlebens.net" -alias vault-renew='vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub' +# OpenBao +export BAO_ADDR="https://bao.alexlebens.net" +alias bao-renew='bao write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub' ``` ### View Cert Details From 58d16315fb8862f8b04d43414d5c9b848c73aaba Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Sun, 19 Apr 2026 17:42:18 -0500 Subject: [PATCH 7/7] feat: add doc for secret store --- src/content/docs/guides/secret-store-csi.mdx | 76 ++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 src/content/docs/guides/secret-store-csi.mdx diff --git a/src/content/docs/guides/secret-store-csi.mdx b/src/content/docs/guides/secret-store-csi.mdx new file mode 100644 index 0000000..2953bfb --- /dev/null +++ b/src/content/docs/guides/secret-store-csi.mdx @@ -0,0 +1,76 @@ +--- +title: Using Secret Store CSI with OpenBao +description: Mounting secrets inside pods using Secret Store CSI driver and OpenBao +hero: + tagline: Steps followed to mount the secrets + image: + file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/openbao.webp +--- + +This guide assumes both Secrets Store CSI and OpenBao are installed and working. Also, the Kubernetes auth method is enabled. I wrote a post [here](https://www.alexlebens.dev/blog/openbao-migration/) that detailed my steps to set these up. + +NOTE: A catch I found is that the mount directory should be empty. There are issues when mounting a specific file into a directory that is already populated. For common uses, such as config files, use an env variable to change that path. + +The following will be needed per namespace, with the SecretProviderClass per secret to mount. + +## Secret Provider Class + +This template is used to create the volume and retrieve the secret from OpenBao. Some notes: +- The provider is 'openbao' and the address should point to the internal service. +- The roleName referenced here is created in the next step. +- secretPath should include the secret store and data if its a v2 kv engine. +```yaml +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: web-config-secret + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: web-config-secret + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + provider: openbao + parameters: + baoAddress: "http://openbao-internal.openbao:8200" + roleName: web + objects: | + - objectName: config.yaml + secretPath: secret/data/web/config + secretKey: config.yaml +``` + +## Role + +In the namespace where this secret is getting mounted there should be a ServiceAccount that will be use the role to retrieve the secret. This should also be the one used by the pod. It only needs read access to the secret path and I have created a policy called 'reader' for this. + +Each ServiceAccount will need a role created. +```bash +bao write auth/kubernetes/role/web \ + bound_service_account_names=web \ + bound_service_account_namespaces=web \ + policies=reader \ + ttl=20m +``` + +## Mount + +When using the [app-template](https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template) common chart the following is how to mount the secret. This needs to use the custom type to define the spec. secretProviderClass references the above template. Use the advancedMounts to specify the path for the file. +```yaml +persistence: + web-config: + type: custom + volumeSpec: + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: web-config-secret + advancedMounts: + main: + main: + - path: /config/config.yaml + readOnly: true + mountPropagation: None + subPath: config.yaml +``` \ No newline at end of file