Update softprops/action-gh-release action from v2.0.9 to v2.2.1 (.github/workflows/release-x-manual-helm-chart.yml)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
softprops/action-gh-release	action	minor	v2.0.9 -> v2.2.1

---

Release Notes

softprops/action-gh-release (softprops/action-gh-release)

v2.2.1

Compare Source

What's Changed

Bug fixes 🐛

• fix: big file uploads by @​xen0n in https://github.com/softprops/action-gh-release/pull/562

Other Changes 🔄

• chore(deps): bump @​types/node from 22.10.1 to 22.10.2 by @​dependabot in https://github.com/softprops/action-gh-release/pull/559
• chore(deps): bump @​types/node from 22.10.2 to 22.10.5 by @​dependabot in https://github.com/softprops/action-gh-release/pull/569
• chore: update error and warning messages for not matching files in files field by @​ytimocin in https://github.com/softprops/action-gh-release/pull/568

New Contributors

• @​ytimocin made their first contribution in https://github.com/softprops/action-gh-release/pull/568

Full Changelog: softprops/action-gh-release@v2.2.0...v2.2.1

v2.2.0

Compare Source

What's Changed

Exciting New Features 🎉

• feat: read the release assets asynchronously by @​xen0n in https://github.com/softprops/action-gh-release/pull/552

Bug fixes 🐛

• fix(docs): clarify the default for tag_name by @​alexeagle in https://github.com/softprops/action-gh-release/pull/544

Other Changes 🔄

• chore(deps): bump typescript from 5.6.3 to 5.7.2 by @​dependabot in https://github.com/softprops/action-gh-release/pull/548
• chore(deps): bump @​types/node from 22.9.0 to 22.9.4 by @​dependabot in https://github.com/softprops/action-gh-release/pull/547
• chore(deps): bump cross-spawn from 7.0.3 to 7.0.6 by @​dependabot in https://github.com/softprops/action-gh-release/pull/545
• chore(deps): bump @​vercel/ncc from 0.38.2 to 0.38.3 by @​dependabot in https://github.com/softprops/action-gh-release/pull/543
• chore(deps): bump prettier from 3.3.3 to 3.4.1 by @​dependabot in https://github.com/softprops/action-gh-release/pull/550
• chore(deps): bump @​types/node from 22.9.4 to 22.10.1 by @​dependabot in https://github.com/softprops/action-gh-release/pull/551
• chore(deps): bump prettier from 3.4.1 to 3.4.2 by @​dependabot in https://github.com/softprops/action-gh-release/pull/554

New Contributors

• @​alexeagle made their first contribution in https://github.com/softprops/action-gh-release/pull/544
• @​xen0n made their first contribution in https://github.com/softprops/action-gh-release/pull/552

Full Changelog: softprops/action-gh-release@v2.1.0...v2.2.0

v2.1.0

Compare Source

What's Changed

Exciting New Features 🎉

• feat: add support for release assets with multiple spaces within the name by @​dukhine in https://github.com/softprops/action-gh-release/pull/518
• feat: preserve upload order by @​richarddd in https://github.com/softprops/action-gh-release/pull/500

Other Changes 🔄

• chore(deps): bump @​types/node from 22.8.2 to 22.8.7 by @​dependabot in https://github.com/softprops/action-gh-release/pull/539

New Contributors

• @​dukhine made their first contribution in https://github.com/softprops/action-gh-release/pull/518
• @​richarddd made their first contribution in https://github.com/softprops/action-gh-release/pull/500

Full Changelog: softprops/action-gh-release@v2...v2.1.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dryrunsecurity]

DryRun Security Summary

The GitHub Actions workflow automates the manual release process of the DefectDojo Helm chart, including version pinning, packaging, and repository index updating, while highlighting potential security considerations such as credential management and repository protection.

Expand for full summary

Summary:

The provided code change is part of a GitHub Actions workflow that automates the release process of a Helm chart for the DefectDojo project. The workflow is triggered manually by a user and performs various tasks, including pinning the Docker image version in the Helm chart's values.yaml file, packaging the Helm chart, and updating the Helm repository index file.

While the code change itself does not introduce any obvious security vulnerabilities, there are a few security-related considerations that should be addressed:

1. Hardcoded Credentials: The workflow uses hardcoded Git user credentials, which could be a potential security risk if these credentials are ever compromised. It would be better to use a dedicated service account or a GitHub secret for this purpose.

2. Dependency Versions: The workflow uses specific versions of the GitHub Actions it depends on, and it's important to regularly review and update these dependencies to ensure that the latest security patches are applied.

3. Helm Repository Security: The workflow updates the Helm repository index file in the "helm-charts" branch, and it's important to ensure that this branch is properly protected and that only authorized users can push changes to it, to prevent potential tampering with the Helm chart repository.

4. Release Artifact Security: The workflow uploads the Helm chart artifact as a GitHub release, and it's important to ensure that the release process is secure and that the artifact is scanned for vulnerabilities before being made available for download.

Files Changed:

• .github/workflows/release-x-manual-helm-chart.yml: This file contains the GitHub Actions workflow responsible for automating the release process of the DefectDojo Helm chart. The key changes include:
  • Triggering the workflow manually through the "workflow_dispatch" event.
  • Checking out the "master" branch, configuring Git user information, and setting up the Helm environment.
  • Pinning the Docker image version in the Helm chart's values.yaml file.
  • Packaging the Helm chart and uploading it as a GitHub release.
  • Updating the Helm repository index file in the "helm-charts" branch.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

[Maffooch]

Version 2.2.0 broke the helm chart release today. I reverted to 2.0.9 this morning to get around it. Let's pass on this version for now