From 414b787c09eea1d2557313fff3ea15973f813f92 Mon Sep 17 00:00:00 2001 
From: Clint
Date: Thu, 19 Sep 2024 16:21:03 -0500
Subject: [PATCH 1/4] fix: update log level handling (#141)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Short Description

This PR updates Maru's logging to match the standard library's `log/slog` package, and appropriately filters log messages according to levels. Tests included and feedback very welcome.

## Long Description

The current implementation of log level handling is misleading because our [custom handler](https://github.com/defenseunicorns/maru-runner/blob/535258256cd1714f55e643075ae15919316e4aec/src/message/slog.go#L20-L23) doesn't filter by level. The code comment mentions logging functions already being aware if they are allowed to be called, but in practice I have not found that to be true. This is further complicated by Maru's log levels not matching what `log/slog` uses both in values and in ordering.

Example: slog uses these levels/ordering

```go
const (
	LevelDebug Level = -4
	LevelInfo  Level = 0
	LevelWarn  Level = 4
	LevelError Level = 8
)
```

(See here for source and long explanation of the numbers used: https://pkg.go.dev/log/slog#Level)

Whereas Maru uses these levels/ordering:

```go
const (
	// WarnLevel level. Non-critical entries that deserve eyes.
	WarnLevel LogLevel = iota
	// InfoLevel level. General operational entries about what's going on inside the
	// application.
	InfoLevel
	// DebugLevel level. Usually only enabled when debugging. Very verbose logging.
	DebugLevel
	// TraceLevel level. Designates finer-grained informational events than the Debug.
	TraceLevel
)
```

(source: [src/message/logging.go#L16-L29](https://github.com/defenseunicorns/maru-runner/blob/535258256cd1714f55e643075ae15919316e4aec/src/message/logging.go#L16-L29))

In theory, implementing the [`Handler` interface](https://cs.opensource.google/go/go/+/refs/tags/go1.23.1:src/log/slog/handler.go;l=29-33) would have us ignore messages with a lower level than the one set. Maru sets its default log level to `InfoLevel` (from Maru's constants, not slog's) which results in a value of `1`. However, because our `InfoLevel` is `1` and slog's `LevelInfo` is `0`, then in theory Maru's logger should actually ignore it because it's a lower level.

A call to `message.SLog.Info()` ([ex. in utils.go](https://github.com/defenseunicorns/maru-runner/blob/535258256cd1714f55e643075ae15919316e4aec/src/pkg/utils/utils.go#L35)) invokes slog's `Info()` method, which calls an internal [method `log()`](https://cs.opensource.google/go/go/+/refs/tags/go1.23.1:src/log/slog/logger.go;l=208-211) with slog's `LevelInfo` level which is a value of `0`. The [`log()` method](https://cs.opensource.google/go/go/+/refs/tags/go1.23.1:src/log/slog/logger.go;l=238-258) calls the handler's `Enabled()` method to see if it should log the message, which for Maru always returns `true`, and then passes it on to the handler's `Handle()` method (Maru's `Handle()` method [here](https://github.com/defenseunicorns/maru-runner/blob/535258256cd1714f55e643075ae15919316e4aec/src/message/slog.go#L37)) and we print the message, even though we shouldn't because it's a lower value than our default.

The net effect is setting the log level with `--log-level` has no effect, except for when setting to `trace`, in which case we output pterm debugging information with lines for errors/traces and debug calls. Otherwise Maru will always output all of the logs from `Debug()`, `Info()`, `Warn()` or `Error()` regardless of the level set.

This PR updates Maru's log level constants both in values and ordering to match the standard library `log/slog` package, and implements the `Enabled()` method in the handler to filter correctly based on level. The net effect of this PR should be benign in that we aren't changing any usage details, but going forward we'll correctly output logs according to the set level.

**NOTE:** This PR is based off of [my other PR (#140) for changing the `Makefile`](https://github.com/defenseunicorns/maru-runner/pull/140) with regards to `test-unit` and `test-e2e` tests.

## Test output:

```zsh
➜ go test ./src/message/... -v -count=1
=== RUN Test_LogLevel_Diff
=== RUN Test_LogLevel_Diff/DebugLevel
=== RUN Test_LogLevel_Diff/InfoLevel
=== RUN Test_LogLevel_Diff/InfoWarnLevel
=== RUN Test_LogLevel_Diff/WarnInfoLevel
=== RUN Test_LogLevel_Diff/InfoTraceLevel
=== RUN Test_LogLevel_Diff/TraceInfoLevel
=== RUN Test_LogLevel_Diff/TraceLevel
--- PASS: Test_LogLevel_Diff (0.00s)
    --- PASS: Test_LogLevel_Diff/DebugLevel (0.00s)
    --- PASS: Test_LogLevel_Diff/InfoLevel (0.00s)
    --- PASS: Test_LogLevel_Diff/InfoWarnLevel (0.00s)
    --- PASS: Test_LogLevel_Diff/WarnInfoLevel (0.00s)
    --- PASS: Test_LogLevel_Diff/InfoTraceLevel (0.00s)
    --- PASS: Test_LogLevel_Diff/TraceInfoLevel (0.00s)
    --- PASS: Test_LogLevel_Diff/TraceLevel (0.00s)
PASS
ok github.com/defenseunicorns/maru-runner/src/message 0.235s
```

## Related

- https://github.com/defenseunicorns/uds-cli/issues/916

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide Steps](https://github.com/defenseunicorns/maru-runner/blob/main/CONTRIBUTING.md) followed

---------

Signed-off-by: catsby
Co-authored-by: Wayne Starr
Co-authored-by: Eric Wyles <23637493+ericwyles@users.noreply.github.com>
---
 src/cmd/root.go             |   1 +
 src/config/lang/english.go  |   4 +-
 src/message/logging.go      |  32 ++++++--
 src/message/logging_test.go | 158 ++++++++++++++++++++++++++++++++++++
 src/message/message.go      |   4 +-
 src/message/slog.go         |  19 ++++-
 6 files changed, 202 insertions(+), 16 deletions(-)
 create mode 100644 src/message/logging_test.go

diff --git a/src/cmd/root.go b/src/cmd/root.go index 0eb7a7d..bde4db2 100644 --- a/src/cmd/root.go +++ b/src/cmd/root.go @@ -72,6 +72,7 @@ func cliSetup() { "info": message.InfoLevel, "debug": message.DebugLevel, "trace": message.TraceLevel, + "error": message.ErrorLevel, } printViperConfigUsed() diff --git a/src/config/lang/english.go b/src/config/lang/english.go index c383c57..1690316 100644 --- a/src/config/lang/english.go +++ b/src/config/lang/english.go @@ -18,9 +18,9 @@ const ( const ( RootCmdShort = "CLI for the maru runner" RootCmdFlagSkipLogFile = "Disable log file creation" - RootCmdFlagLogLevel = "Log level for the runner. Valid options are: warn, info, debug, trace" + RootCmdFlagLogLevel = "Log level for the runner. Valid options are: error, warn, info, debug, trace" RootCmdFlagNoProgress = "Disable fancy UI progress bars, spinners, logos, etc" - RootCmdErrInvalidLogLevel = "Invalid log level. Valid options are: warn, info, debug, trace." + RootCmdErrInvalidLogLevel = "Invalid log level. Valid options are: error, warn, info, debug, trace." RootCmdFlagArch = "Architecture for the runner" RootCmdFlagTempDir = "Specify the temporary directory to use for intermediate files" ) diff --git a/src/message/logging.go b/src/message/logging.go index 54aa7d7..d72b9a3 100644 --- a/src/message/logging.go +++ b/src/message/logging.go 
@@ -17,18 +17,31 @@ import ( type LogLevel int const ( - // WarnLevel level. Non-critical entries that deserve eyes. - WarnLevel LogLevel = iota + // Supported log levels. These are in order of increasing severity, and + // match the constants in the log/slog package. + + // TraceLevel level. Effectively the same as Debug but with line numbers. + // + // NOTE: There currently is no Trace() function in the log/slog package. In + // order to use this level, you must use message.SLog.Log() and specify the + // level. Maru currently uses the Trace level specifically for adding line + // numbers to logs from calls to message.SLog.Debug(). Because of this, + // Trace is effectively the same as Debug but with line numbers. + TraceLevel LogLevel = -8 + // DebugLevel level. Usually only enabled when debugging. Very verbose logging. + DebugLevel LogLevel = -4 // InfoLevel level. General operational entries about what's going on inside the // application. - InfoLevel - // DebugLevel level. Usually only enabled when debugging. Very verbose logging. - DebugLevel - // TraceLevel level. Designates finer-grained informational events than the Debug. - TraceLevel + InfoLevel LogLevel = 0 + // WarnLevel level. Non-critical entries that deserve eyes. + WarnLevel LogLevel = 4 + // ErrorLevel level. Errors only. + ErrorLevel LogLevel = 8 ) -// logLevel is the log level for the runner +// logLevel is the log level for the runner. When set, log messages with a level +// greater than or equal to this level will be logged. Log messages with a level +// lower than this level will be ignored. var logLevel = InfoLevel // logFile acts as a buffer for logFile generation @@ -59,7 +72,8 @@ func LogFileLocation() string { // SetLogLevel sets the log level. func SetLogLevel(lvl LogLevel) { logLevel = lvl - if logLevel >= DebugLevel { + // Enable pterm debug messages if the log level is Trace or Debug + if logLevel <= DebugLevel { pterm.EnableDebugMessages() } } 
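Review bot: The new `const` block in src/message/logging.go repeats slog's numeric values as literals (`-4`, `0`, `4`, `8`), so the claim in its comment that the levels "match the constants in the log/slog package" is kept true only by hand. Suggest deriving them from the source of truth, for example `DebugLevel = LogLevel(slog.LevelDebug)`, and keeping only `TraceLevel LogLevel = -8` as a literal, since the comment already notes slog has no Trace level.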
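Review bot: In `SetLogLevel` (second hunk of src/message/logging.go), the `if logLevel <= DebugLevel` branch only ever calls `pterm.EnableDebugMessages()`, so once Debug or Trace has been set, a later call with Info, Warn or Error leaves pterm debug output switched on. The new test calls `SetLogLevel` with different levels in one process, which is that sequence. Suggest an `else` branch calling `pterm.DisableDebugMessages()` so the pterm state always follows the level that was set.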
diff --git a/src/message/logging_test.go b/src/message/logging_test.go new file mode 100644 index 0000000..6cdc8ec --- /dev/null +++ b/src/message/logging_test.go 
@@ -0,0 +1,158 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2023-Present the Maru Authors + +// Package message provides a rich set of functions for displaying messages to the user. +package message + +import ( + "bytes" + "log/slog" + "slices" + "strings" + + "testing" + + "github.com/pterm/pterm" +) + +func Test_LogLevel_Diff(t *testing.T) { + maruLogger := slog.New(MaruHandler{}) + + cases := map[string]struct { + // the level we're set to log at with SetLogLevel(). We expect logs with + // a lower level to be ignored. + setLevel LogLevel + // the level which we will log, e.g. SLog.Debug(), SLog.Info(), etc. + logLevel LogLevel + // the expected output of the log. We special case DebugLevel as it + // should contain a timestamp. + expected string + }{ + "DebugLevel": { + setLevel: DebugLevel, + logLevel: DebugLevel, + expected: "DEBUG test", + }, + "InfoInfoLevel": { + setLevel: InfoLevel, + logLevel: InfoLevel, + expected: "INFO test", + }, + "InfoWarnLevel": { + setLevel: InfoLevel, + logLevel: WarnLevel, + expected: "WARNING test", + }, + "WarnInfoLevel": { + setLevel: WarnLevel, + logLevel: InfoLevel, + expected: "", + }, + "InfoErrorLevel": { + setLevel: InfoLevel, + logLevel: ErrorLevel, + expected: "ERROR test", + }, + "TraceInfoLevel": { + setLevel: TraceLevel, + logLevel: InfoLevel, + expected: "INFO test", + }, + "TraceDebugLevel": { + setLevel: TraceLevel, + logLevel: DebugLevel, + expected: "DEBUG test", + }, + "TraceErrorLevel": { + setLevel: TraceLevel, + logLevel: ErrorLevel, + expected: "ERROR test", + }, + "ErrorWarnLevel": { + setLevel: ErrorLevel, + logLevel: WarnLevel, + expected: "", + }, + "ErrorErrorLevel": { + setLevel: ErrorLevel, + logLevel: ErrorLevel, + expected: "ERROR test", + }, + "ErrorInfoLevel": { + setLevel: ErrorLevel, + logLevel: InfoLevel, + expected: "", + }, + } + + for name, tc := range cases { + t.Run(name, func(t *testing.T) { + SetLogLevel(tc.setLevel) + + // set the underlying writer, like we 
do in utils/utils.go + var outBuf bytes.Buffer + pterm.SetDefaultOutput(&outBuf) + + switch tc.logLevel { + case DebugLevel: + maruLogger.Debug("test") + case InfoLevel: + maruLogger.Info("test") + case WarnLevel: + maruLogger.Warn("test") + case ErrorLevel: + maruLogger.Error("test") + } + content := outBuf.String() + // remove color codes + content = pterm.RemoveColorFromString(content) + // remove extra whitespace from the output + content = strings.TrimSpace(content) + parts := strings.Split(tc.expected, " ") + for _, part := range parts { + if !strings.Contains(content, part) { + t.Errorf("Expected debug message to contain '%s', but it didn't: (%s)", part, content) + } + } + // if the set level is Trace and the log level is Debug, then we + // expect extra debug lines to be printed. Conversely, if it's trace + // but not Debug, then we expect no extra debug lines to be printed. + partsOutput := strings.Split(content, " ") + // when debugging with TraceLevel, spliting on spaces will result in a slice + // like so: + // []string{ + // "DEBUG", + // "", + // "", + // "2024-09-19T10:21:16-05:00", + // "", + // "-", + // "", + // "test\nā””", + // "(/Users/clint/go/github.com/defenseunicorns/maru-runner/src/message/slog.go:56)", + // } + // + // here we sort the slice to move the timestamp to the front, + // then compact to remove them. The result should be a slice of + // 6 eleements. + // + // While debugging without trace level, we expect the same slice + // except there is no file name and line number, so it would have 5 + // elements. + slices.Sort(partsOutput) + partsOutput = slices.Compact(partsOutput) + expectedLen := 3 + if tc.logLevel == DebugLevel { + expectedLen = 5 + } + if tc.setLevel == TraceLevel && tc.logLevel == DebugLevel { + expectedLen = 6 + } + + if len(partsOutput) > expectedLen { + t.Errorf("Expected debug message to contain timestamp, but it didn't: (%s)", content) + } + }) + } + +} 
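Review bot: The suppression cases in `Test_LogLevel_Diff` (`WarnInfoLevel`, `ErrorWarnLevel`, `ErrorInfoLevel`, all with `expected: ""`) never assert that nothing was printed. `strings.Split("", " ")` yields one empty string and `strings.Contains(content, "")` is always true, and the later `len(partsOutput) > expectedLen` check is only an upper bound, so these cases would likely still pass with the old always-true `Enabled()`. Suggest an explicit `if tc.expected == "" && content != ""` failure, and an error message for the length check that says what was actually compared. `SetLogLevel` and `pterm.SetDefaultOutput` both change package-level state, so restoring the previous values with `t.Cleanup` would keep this test from leaking into others.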
diff --git a/src/message/message.go b/src/message/message.go index 94dd4c1..ac4d8ed 100644 --- a/src/message/message.go +++ b/src/message/message.go @@ -67,7 +67,7 @@ func paragraph(format string, a ...any) string { } func debugPrinter(offset int, a ...any) { - printer := pterm.Debug.WithShowLineNumber(logLevel > 2).WithLineNumberOffset(offset) + printer := pterm.Debug.WithShowLineNumber(logLevel <= TraceLevel).WithLineNumberOffset(offset) now := time.Now().Format(time.RFC3339) // prepend to a a = append([]any{now, " - "}, a...) @@ -86,5 +86,5 @@ func debugPrinter(offset int, a ...any) { } func errorPrinter(offset int) *pterm.PrefixPrinter { - return pterm.Error.WithShowLineNumber(logLevel > 2).WithLineNumberOffset(offset) + return pterm.Error.WithShowLineNumber(logLevel <= TraceLevel).WithLineNumberOffset(offset) } diff --git a/src/message/slog.go b/src/message/slog.go index 81df8d0..a80edc5 100644 --- a/src/message/slog.go +++ b/src/message/slog.go 
@@ -17,9 +17,22 @@ var ( // MaruHandler is a simple handler that implements the slog.Handler interface type MaruHandler struct{} -// Enabled is always set to true as Maru logging functions are already aware of if they are allowed to be called -func (z MaruHandler) Enabled(_ context.Context, _ slog.Level) bool { - return true +// Enabled determines if the handler is enabled for the given level. This +// function is called for every log message and will compare the level of the +// message to the log level set (default is info). Log levels are defined in +// src/message/logging.go and match the levels used in the underlying log/slog +// package. Logs with a level below the set log level will be ignored. +// +// Examples: +// +// SetLogLevel(TraceLevel) // show everything, with file names and line numbers +// SetLogLevel(DebugLevel) // show everything +// SetLogLevel(InfoLevel) // show info and above (does not show debug logs) +// SetLogLevel(WarnLevel) // show warn and above (does not show debug/info logs) +// SetLogLevel(ErrorLevel) // show only errors (does not show debug/info/warn logs) +func (z MaruHandler) Enabled(_ context.Context, level slog.Level) bool { + // only log if the log level is greater than or equal to the set log level + return int(level) >= int(logLevel) } // WithAttrs is not suppported From 2dc532b09e70dfede89118b24f511fa4f829dff0 Mon Sep 17 00:00:00 2001 
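Review bot: `Enabled()` in src/message/slog.go now reads the package-level `logLevel` on every log call, while `SetLogLevel` writes that variable with no synchronization, which is a data race if the level is ever changed while another goroutine is logging. Suggest holding the level in a `slog.LevelVar`, whose `Level()` and `Set()` are safe for concurrent use, and comparing against that; the `int(...)` conversions on both sides of the comparison could then be dropped.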
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 19 Sep 2024 18:20:48 -0600
Subject: [PATCH 2/4] fix(deps): update code-deps to v1.12.0 (#130)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github.com/goccy/go-yaml](https://togithub.com/goccy/go-yaml) | `v1.11.3` -> `v1.12.0` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgoccy%2fgo-yaml/v1.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fgoccy%2fgo-yaml/v1.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fgoccy%2fgo-yaml/v1.11.3/v1.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgoccy%2fgo-yaml/v1.11.3/v1.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

goccy/go-yaml (github.com/goccy/go-yaml)

### [`v1.12.0`](https://togithub.com/goccy/go-yaml/releases/tag/v1.12.0): 1.12.0

[Compare Source](https://togithub.com/goccy/go-yaml/compare/v1.11.3...v1.12.0)

#### What's Changed

- Replace deprecated `io/ioutil` by [@harryzcy](https://togithub.com/harryzcy) in [https://github.com/goccy/go-yaml/pull/429](https://togithub.com/goccy/go-yaml/pull/429)
- support custom unmarshalling for map keys by [@KSpaceer](https://togithub.com/KSpaceer) in [https://github.com/goccy/go-yaml/pull/453](https://togithub.com/goccy/go-yaml/pull/453)
- trim right spaces before adding carriage return or linefeed by [@mfleader](https://togithub.com/mfleader) in [https://github.com/goccy/go-yaml/pull/462](https://togithub.com/goccy/go-yaml/pull/462)
- fix: Correct token.Tokenize double quoted strings with escape sequences handling by [@nieomylnieja](https://togithub.com/nieomylnieja) in [https://github.com/goccy/go-yaml/pull/457](https://togithub.com/goccy/go-yaml/pull/457)
- Fix decoding of scientific notation by [@morris-kelly](https://togithub.com/morris-kelly) in [https://github.com/goccy/go-yaml/pull/463](https://togithub.com/goccy/go-yaml/pull/463)
- Quote is required even if it begins with backquote. by [@k1LoW](https://togithub.com/k1LoW) in [https://github.com/goccy/go-yaml/pull/440](https://togithub.com/goccy/go-yaml/pull/440)

#### New Contributors

- [@harryzcy](https://togithub.com/harryzcy) made their first contribution in [https://github.com/goccy/go-yaml/pull/429](https://togithub.com/goccy/go-yaml/pull/429)
- [@KSpaceer](https://togithub.com/KSpaceer) made their first contribution in [https://github.com/goccy/go-yaml/pull/453](https://togithub.com/goccy/go-yaml/pull/453)
- [@mfleader](https://togithub.com/mfleader) made their first contribution in [https://github.com/goccy/go-yaml/pull/462](https://togithub.com/goccy/go-yaml/pull/462)
- [@nieomylnieja](https://togithub.com/nieomylnieja) made their first contribution in [https://github.com/goccy/go-yaml/pull/457](https://togithub.com/goccy/go-yaml/pull/457)
- [@morris-kelly](https://togithub.com/morris-kelly) made their first contribution in [https://github.com/goccy/go-yaml/pull/463](https://togithub.com/goccy/go-yaml/pull/463)

**Full Changelog**: https://github.com/goccy/go-yaml/compare/v1.11.3...v1.11.4

---

### Configuration

📅 **Schedule**: Branch creation - "after 12pm every weekday,before 11am every weekday" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/maru-runner).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Wayne Starr
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod index bb5e7a9..96ae70f 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.21.8 require ( github.com/defenseunicorns/pkg/exec v0.0.1 github.com/defenseunicorns/pkg/helpers/v2 v2.0.1 - github.com/goccy/go-yaml v1.11.3 + github.com/goccy/go-yaml v1.12.0 github.com/invopop/jsonschema v0.12.0 github.com/pterm/pterm v0.12.79 github.com/spf13/cobra v1.8.1 diff --git a/go.sum b/go.sum index 63db391..27614c1 100644 --- a/go.sum +++ b/go.sum 
@@ -48,8 +48,8 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY= github.com/go-playground/validator/v10 v10.18.0 h1:BvolUXjp4zuvkZ5YN5t7ebzbhlUtPsPm2S9NAZ5nl9U= github.com/go-playground/validator/v10 v10.18.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM= -github.com/goccy/go-yaml v1.11.3 h1:B3W9IdWbvrUu2OYQGwvU1nZtvMQJPBKgBUuweJjLj6I= -github.com/goccy/go-yaml v1.11.3/go.mod h1:wKnAMd44+9JAAnGQpWVEgBzGt3YuTaQ4uXoHvE4m7WU= +github.com/goccy/go-yaml v1.12.0 h1:/1WHjnMsI1dlIBQutrvSMGZRQufVO3asrHfTwfACoPM= +github.com/goccy/go-yaml v1.12.0/go.mod h1:wKnAMd44+9JAAnGQpWVEgBzGt3YuTaQ4uXoHvE4m7WU= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/gookit/color v1.4.2/go.mod h1:fqRyamkC1W8uxl+lxCQxOT09l/vYfZ+QeiX3rKQHCoQ= From d4fa708ede379219443b7c12050c9311280515d4 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Thu, 19 Sep 2024 18:34:10 -0600 Subject: [PATCH 3/4] fix: pattern not properly being checked (#145) ## Description This fixes a bug where pattern is not checked when a variable is set to a value ## Related Issue Fixes #N/A ## Type of change - [X] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [X] Test, docs, adr added or updated as needed - [X] [Contributor Guide Steps](https://github.com/defenseunicorns/maru-runner/blob/main/CONTRIBUTING.md) followed --- src/pkg/variables/variables.go | 1 + src/test/e2e/runner_test.go | 16 ++++++++++++++++ src/test/tasks/more-tasks/pattern.yaml | 8 ++++++++ 3 files changed, 25 insertions(+) create mode 100644 src/test/tasks/more-tasks/pattern.yaml 
diff --git a/src/pkg/variables/variables.go b/src/pkg/variables/variables.go index 068a56e..939b117 100644 --- a/src/pkg/variables/variables.go +++ b/src/pkg/variables/variables.go @@ -34,6 +34,7 @@ func (vc *VariableConfig[T]) PopulateVariables(variables []InteractiveVariable[T // Variable is present, no need to continue checking if present { + vc.setVariableMap[variable.Name].Pattern = variable.Pattern vc.setVariableMap[variable.Name].Extra = variable.Extra if err := vc.CheckVariablePattern(variable.Name); err != nil { return err diff --git a/src/test/e2e/runner_test.go b/src/test/e2e/runner_test.go index e24acf8..0248f7a 100644 --- a/src/test/e2e/runner_test.go +++ b/src/test/e2e/runner_test.go @@ -394,4 +394,20 @@ func TestTaskRunner(t *testing.T) { require.NoError(t, err, stdOut, stdErr) require.Contains(t, stdErr, "\"input val2 equals 5 and variable VAL1 equals 5\"") }) + + t.Run("run successful pattern", func(t *testing.T) { + t.Parallel() + + stdOut, stdErr, err := e2e.Maru("run", "--file", "src/test/tasks/more-tasks/pattern.yaml", "--set", "HELLO=HELLO") + require.NoError(t, err, stdOut, stdErr) + require.Contains(t, stdErr, "HELLO") + }) + + t.Run("run unsuccessful pattern", func(t *testing.T) { + t.Parallel() + + stdOut, stdErr, err := e2e.Maru("run", "--file", "src/test/tasks/more-tasks/pattern.yaml", "--set", "HELLO=HI") + require.Error(t, err, stdOut, stdErr) + require.Contains(t, stdErr, "\"HELLO\" does not match pattern \"^HELLO$\"") + }) } diff --git a/src/test/tasks/more-tasks/pattern.yaml b/src/test/tasks/more-tasks/pattern.yaml new file mode 100644 index 0000000..f08de87 --- /dev/null +++ b/src/test/tasks/more-tasks/pattern.yaml @@ -0,0 +1,8 @@ +variables: + - name: HELLO + pattern: ^HELLO$ + +tasks: + - name: default + actions: + - cmd: echo ${HELLO} From 5062dc566ccb042bdaa703240ac612f12e9a7b79 Mon Sep 17 00:00:00 2001 
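Review bot: In the `run successful pattern` subtest (src/test/e2e/runner_test.go), `require.Contains(t, stdErr, "HELLO")` cannot distinguish the variable's value from its name, because both are `HELLO` and the action in pattern.yaml is `echo ${HELLO}`. Suggest a pattern and `--set` value that differ from the variable name so the assertion proves the value was accepted and substituted. The one-line fix in `PopulateVariables` also has only e2e coverage here; a unit test in src/pkg/variables that populates an already-set variable with a non-matching pattern would pin the behaviour where the bug was.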
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 20 Sep 2024 08:54:46 -0600
Subject: [PATCH 4/4] chore(deps): update maru support dependencies (#128)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/create-github-app-token](https://redirect.github.com/actions/create-github-app-token) | action | minor | `v1.10.3` -> `v1.11.0` |
| [actions/setup-node](https://redirect.github.com/actions/setup-node) | action | patch | `v4.0.3` -> `v4.0.4` |
| [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | minor | `v4.3.4` -> `v4.4.0` |
| [anchore/sbom-action](https://redirect.github.com/anchore/sbom-action) | action | minor | `v0.16.1` -> `v0.17.2` |
| [docker/setup-buildx-action](https://redirect.github.com/docker/setup-buildx-action) | action | minor | `v3.4.0` -> `n/a` |
| [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | minor | `v3.25.12` -> `v3.26.8` |
| morphy/revive-action | docker | digest | `087d4e6` -> `540bffd` |
| [ossf/scorecard-action](https://redirect.github.com/ossf/scorecard-action) | action | minor | `v2.3.3` -> `v2.4.0` |
| [sigstore/cosign-installer](https://redirect.github.com/sigstore/cosign-installer) | action | minor | `v3.5.0` -> `n/a` |
| [zarf-dev/zarf](https://redirect.github.com/zarf-dev/zarf) | | minor | `v0.39.0` -> `v0.40.1` |

---

### Release Notes

actions/create-github-app-token (actions/create-github-app-token)

### [`v1.11.0`](https://redirect.github.com/actions/create-github-app-token/releases/tag/v1.11.0)

[Compare Source](https://redirect.github.com/actions/create-github-app-token/compare/v1.10.4...v1.11.0)

##### What's Changed

##### Features

- Allow repositories input to be comma or newline-separated by [@peter-evans](https://redirect.github.com/peter-evans) in [https://github.com/actions/create-github-app-token/pull/169](https://redirect.github.com/actions/create-github-app-token/pull/169)

##### New Contributors

- [@peter-evans](https://redirect.github.com/peter-evans) made their first contribution in [https://github.com/actions/create-github-app-token/pull/169](https://redirect.github.com/actions/create-github-app-token/pull/169)

**Full Changelog**: https://github.com/actions/create-github-app-token/compare/v1.10.4...v1.11.0

### [`v1.10.4`](https://redirect.github.com/actions/create-github-app-token/releases/tag/v1.10.4)

[Compare Source](https://redirect.github.com/actions/create-github-app-token/compare/v1.10.3...v1.10.4)

##### Bug Fixes

- **deps:** bump the production-dependencies group across 1 directory with 3 updates ([#166](https://redirect.github.com/actions/create-github-app-token/issues/166)) ([e177c20](https://redirect.github.com/actions/create-github-app-token/commit/e177c20e0f736e68f4a37ffee6aa32c73da13988)), closes [#641](https://redirect.github.com/actions/create-github-app-token/issues/641) [#641](https://redirect.github.com/actions/create-github-app-token/issues/641) [#639](https://redirect.github.com/actions/create-github-app-token/issues/639) [#638](https://redirect.github.com/actions/create-github-app-token/issues/638) [#637](https://redirect.github.com/actions/create-github-app-token/issues/637) [#636](https://redirect.github.com/actions/create-github-app-token/issues/636) [#633](https://redirect.github.com/actions/create-github-app-token/issues/633) [#632](https://redirect.github.com/actions/create-github-app-token/issues/632) [#631](https://redirect.github.com/actions/create-github-app-token/issues/631) [#630](https://redirect.github.com/actions/create-github-app-token/issues/630) [#629](https://redirect.github.com/actions/create-github-app-token/issues/629) [#714](https://redirect.github.com/actions/create-github-app-token/issues/714) [#711](https://redirect.github.com/actions/create-github-app-token/issues/711) [#714](https://redirect.github.com/actions/create-github-app-token/issues/714) [#716](https://redirect.github.com/actions/create-github-app-token/issues/716) [#711](https://redirect.github.com/actions/create-github-app-token/issues/711) [#712](https://redirect.github.com/actions/create-github-app-token/issues/712) [#710](https://redirect.github.com/actions/create-github-app-token/issues/710) [#709](https://redirect.github.com/actions/create-github-app-token/issues/709) [#708](https://redirect.github.com/actions/create-github-app-token/issues/708) [#702](https://redirect.github.com/actions/create-github-app-token/issues/702) [#706](https://redirect.github.com/actions/create-github-app-token/issues/706) [#3458](https://redirect.github.com/actions/create-github-app-token/issues/3458) [#3461](https://redirect.github.com/actions/create-github-app-token/issues/3461) [#3460](https://redirect.github.com/actions/create-github-app-token/issues/3460) [#3454](https://redirect.github.com/actions/create-github-app-token/issues/3454) [#3450](https://redirect.github.com/actions/create-github-app-token/issues/3450) [#3445](https://redirect.github.com/actions/create-github-app-token/issues/3445)

actions/setup-node (actions/setup-node)

### [`v4.0.4`](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4)

[Compare Source](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4)

actions/upload-artifact (actions/upload-artifact)

### [`v4.4.0`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0)

### [`v4.3.6`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6)

### [`v4.3.5`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5)

anchore/sbom-action (anchore/sbom-action)

### [`v0.17.2`](https://redirect.github.com/anchore/sbom-action/releases/tag/v0.17.2)

[Compare Source](https://redirect.github.com/anchore/sbom-action/compare/v0.17.1...v0.17.2)

#### Changes in v0.17.2

- Update Syft to v1.11.1 ([#485](https://redirect.github.com/anchore/sbom-action/issues/485)) \[[anchore-actions-token-generator](https://redirect.github.com/anchore-actions-token-generator)]

### [`v0.17.1`](https://redirect.github.com/anchore/sbom-action/releases/tag/v0.17.1)

[Compare Source](https://redirect.github.com/anchore/sbom-action/compare/v0.17.0...v0.17.1)

#### Changes in v0.17.1

- chore(deps): update Syft to v1.11.0 ([#483](https://redirect.github.com/anchore/sbom-action/issues/483)) \[[anchore-actions-token-generator](https://redirect.github.com/anchore-actions-token-generator)]

### [`v0.17.0`](https://redirect.github.com/anchore/sbom-action/releases/tag/v0.17.0)

[Compare Source](https://redirect.github.com/anchore/sbom-action/compare/v0.16.1...v0.17.0)

#### Changes in v0.17.0

- chore(deps): update Syft to v1.9.0 ([#479](https://redirect.github.com/anchore/sbom-action/issues/479)) \[[anchore-actions-token-generator](https://redirect.github.com/anchore-actions-token-generator)]

docker/setup-buildx-action (docker/setup-buildx-action)

### [`v3.6.1`](https://redirect.github.com/docker/setup-buildx-action/releases/tag/v3.6.1)

[Compare Source](https://redirect.github.com/docker/setup-buildx-action/compare/v3.6.0...v3.6.1)

- Check for malformed docker context by [@crazy-max](https://redirect.github.com/crazy-max) in [https://github.com/docker/setup-buildx-action/pull/347](https://redirect.github.com/docker/setup-buildx-action/pull/347)

**Full Changelog**: https://github.com/docker/setup-buildx-action/compare/v3.6.0...v3.6.1

### [`v3.6.0`](https://redirect.github.com/docker/setup-buildx-action/releases/tag/v3.6.0)

[Compare Source](https://redirect.github.com/docker/setup-buildx-action/compare/v3.5.0...v3.6.0)

- Create temp docker context if default one has TLS data loaded before creating a container builder by [@crazy-max](https://redirect.github.com/crazy-max) in [https://github.com/docker/setup-buildx-action/pull/341](https://redirect.github.com/docker/setup-buildx-action/pull/341)

**Full Changelog**: https://github.com/docker/setup-buildx-action/compare/v3.5.0...v3.6.0

### [`v3.5.0`](https://redirect.github.com/docker/setup-buildx-action/compare/v3.4.0...v3.5.0)

[Compare Source](https://redirect.github.com/docker/setup-buildx-action/compare/v3.4.0...v3.5.0)

github/codeql-action (github/codeql-action)

### [`v3.26.8`](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8)

### [`v3.26.7`](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7)

### [`v3.26.6`](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6)

### [`v3.26.5`](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5)

### [`v3.26.4`](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4)

### [`v3.26.3`](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3)

### [`v3.26.2`](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2)

### [`v3.26.1`](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1)

### [`v3.26.0`](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0)

### [`v3.25.15`](https://redirect.github.com/github/codeql-action/compare/v3.25.14...v3.25.15)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.14...v3.25.15)

### [`v3.25.14`](https://redirect.github.com/github/codeql-action/compare/v3.25.13...v3.25.14)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.13...v3.25.14)

### [`v3.25.13`](https://redirect.github.com/github/codeql-action/compare/v3.25.12...v3.25.13)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.12...v3.25.13)
ossf/scorecard-action (ossf/scorecard-action) ### [`v2.4.0`](https://redirect.github.com/ossf/scorecard-action/releases/tag/v2.4.0) [Compare Source](https://redirect.github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0) #### What's Changed This update bumps the Scorecard version to the v5 release. For a complete list of changes, please refer to the [v5.0.0 release notes](https://redirect.github.com/ossf/scorecard/releases/tag/v5.0.0). Of special note to Scorecard Action is the Maintainer Annotation feature, which can be used to suppress some Code Scanning false positives. Alerts will not be generated for any Scorecard Check with an annotation. - :seedling: Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0 by [@​spencerschrock](https://redirect.github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1410](https://redirect.github.com/ossf/scorecard-action/pull/1410) - :bug: lower license sarif alert threshold to 9 by [@​spencerschrock](https://redirect.github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1411](https://redirect.github.com/ossf/scorecard-action/pull/1411) ##### Documentation - docs: dogfooding badge by [@​jkowalleck](https://redirect.github.com/jkowalleck) in [https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399) #### New Contributors - [@​jkowalleck](https://redirect.github.com/jkowalleck) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399) **Full Changelog**: https://github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0
sigstore/cosign-installer (sigstore/cosign-installer) ### [`v3.6.0`](https://redirect.github.com/sigstore/cosign-installer/releases/tag/v3.6.0) [Compare Source](https://redirect.github.com/sigstore/cosign-installer/compare/v3.5.0...v3.6.0) #### What's Changed - Bump actions/checkout from 4.1.2 to 4.1.3 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/161](https://redirect.github.com/sigstore/cosign-installer/pull/161) - Bump actions/checkout from 4.1.3 to 4.1.4 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/162](https://redirect.github.com/sigstore/cosign-installer/pull/162) - Bump actions/setup-go from 5.0.0 to 5.0.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/163](https://redirect.github.com/sigstore/cosign-installer/pull/163) - Bump actions/checkout from 4.1.4 to 4.1.5 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/164](https://redirect.github.com/sigstore/cosign-installer/pull/164) - Bump actions/checkout from 4.1.5 to 4.1.6 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/165](https://redirect.github.com/sigstore/cosign-installer/pull/165) - Bump actions/checkout from 4.1.6 to 4.1.7 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/166](https://redirect.github.com/sigstore/cosign-installer/pull/166) - Bump actions/setup-go from 5.0.1 to 5.0.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/167](https://redirect.github.com/sigstore/cosign-installer/pull/167) - pin public key used for verification by [@​bobcallaway](https://redirect.github.com/bobcallaway) in 
[https://github.com/sigstore/cosign-installer/pull/169](https://redirect.github.com/sigstore/cosign-installer/pull/169) - bump default version to v2.4.0 release by [@​bobcallaway](https://redirect.github.com/bobcallaway) in [https://github.com/sigstore/cosign-installer/pull/168](https://redirect.github.com/sigstore/cosign-installer/pull/168) - update readme for new release by [@​bobcallaway](https://redirect.github.com/bobcallaway) in [https://github.com/sigstore/cosign-installer/pull/170](https://redirect.github.com/sigstore/cosign-installer/pull/170) **Full Changelog**: https://github.com/sigstore/cosign-installer/compare/v3...v3.6.0
zarf-dev/zarf (zarf-dev/zarf) ### [`v0.40.1`](https://redirect.github.com/zarf-dev/zarf/compare/v0.40.0...v0.40.1) [Compare Source](https://redirect.github.com/zarf-dev/zarf/compare/v0.40.0...v0.40.1) ### [`v0.40.0`](https://redirect.github.com/zarf-dev/zarf/compare/v0.39.0...v0.40.0) [Compare Source](https://redirect.github.com/zarf-dev/zarf/compare/v0.39.0...v0.40.0)
--- ### Configuration 📅 **Schedule**: Branch creation - "after 12pm every weekday,before 11am every weekday" in timezone America/New_York, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/maru-runner). --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Wayne Starr --- .github/actions/install-tools/action.yaml | 10 ++-------- .github/actions/save-logs/action.yaml | 2 +- .github/actions/zarf/action.yaml | 2 +- .github/workflows/commitlint.yaml | 2 +- .github/workflows/release.yaml | 4 ++-- .github/workflows/scan-codeql.yaml | 4 ++-- .github/workflows/scan-lint.yaml | 2 +- .github/workflows/scorecard.yaml | 6 +++--- 8 files changed, 13 insertions(+), 19 deletions(-) diff --git a/.github/actions/install-tools/action.yaml b/.github/actions/install-tools/action.yaml index 90b4032..c62aa23 100644 --- a/.github/actions/install-tools/action.yaml +++ b/.github/actions/install-tools/action.yaml
@@ -4,11 +4,5 @@ description: "Install pipeline tools" runs: using: composite steps: - - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - - - uses: anchore/sbom-action/download-syft@95b086ac308035dc0850b3853be5b7ab108236a8 # v0.16.1 - - - run: "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin" - shell: bash - - - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 + # used by goreleaser to create SBOMs + - uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 diff --git a/.github/actions/save-logs/action.yaml b/.github/actions/save-logs/action.yaml index 23cdef6..69bf4a5 100644 --- a/.github/actions/save-logs/action.yaml +++ b/.github/actions/save-logs/action.yaml @@ -4,7 +4,7 @@ description: "Save debug logs" runs: using: composite steps: - - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: debug-log path: /tmp/maru-*.log diff --git a/.github/actions/zarf/action.yaml b/.github/actions/zarf/action.yaml index ec7eb84..de33ec4 100644 --- a/.github/actions/zarf/action.yaml +++ b/.github/actions/zarf/action.yaml @@ -7,4 +7,4 @@ runs: - uses: defenseunicorns/setup-zarf@main with: # renovate: datasource=github-tags depName=zarf-dev/zarf - version: v0.39.0 + version: v0.40.1 diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml index e661cce..19abb9d 100644 --- a/.github/workflows/commitlint.yaml +++ b/.github/workflows/commitlint.yaml @@ -21,7 +21,7 @@ jobs: fetch-depth: 0 - name: Setup Node.js - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 - name: Install commitlint run: npm install --save-dev @commitlint/{config-conventional,cli} 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 5f69d41..4cfa529 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -24,7 +24,7 @@ jobs: # Upload the contents of the build directory for later stages to use - name: Upload build artifacts - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: build-artifacts path: build/ @@ -104,7 +104,7 @@ jobs: - name: Get Brew tap repo token id: brew-tap-token - uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3 + uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 with: app-id: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_ID }} private-key: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_SECRET }} diff --git a/.github/workflows/scan-codeql.yaml b/.github/workflows/scan-codeql.yaml index f13b49a..97ad74c 100644 --- a/.github/workflows/scan-codeql.yaml +++ b/.github/workflows/scan-codeql.yaml @@ -45,7 +45,7 @@ jobs: run: make build-cli-linux-amd - name: Initialize CodeQL - uses: github/codeql-action/init@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12 + uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8 env: CODEQL_EXTRACTOR_GO_BUILD_TRACING: on with: @@ -54,6 +54,6 @@ jobs: - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12 + uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scan-lint.yaml b/.github/workflows/scan-lint.yaml index ad9dc13..8467f11 100644 --- a/.github/workflows/scan-lint.yaml +++ b/.github/workflows/scan-lint.yaml 
@@ -26,7 +26,7 @@ jobs: extra_args: --all-files --verbose # pre-commit run --all-files --verbose - name: Run Revive Action by pulling pre-built image - uses: docker://morphy/revive-action:v2@sha256:087d4e61077087755711ab7e9fae3cc899b7bb07ff8f6a30c3dfb240b1620ae8 + uses: docker://morphy/revive-action:v2@sha256:540bffd78895d1525b034b861d29edcb96577bcb3b187a5199342dc8656034ee with: config: revive.toml # Exclude patterns, separated by semicolons (optional) diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index f64b7ec..f5560a5 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 with: results_file: results.sarif results_format: sarif @@ -37,7 +37,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: SARIF file path: results.sarif @@ -45,6 +45,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12 + uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8 with: sarif_file: results.sarif
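Review bot: The hunk in .github/actions/install-tools/action.yaml deletes three steps that the commit message never says are being removed: `sigstore/cosign-installer`, the grype install and `docker/setup-buildx-action`. The message instead lists cosign-installer v3.6.0 and setup-buildx-action v3.6.1 as updates, so the description and the diff disagree. Please state the removal in the commit message (or split it into its own commit) and confirm that no remaining workflow step still invokes cosign, grype or docker buildx after this composite action runs. Dropping the `curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh` line also removes the only installer here that was fetched from a branch rather than a pinned commit, which is worth noting as an intended change.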
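Review bot: In .github/actions/zarf/action.yaml the context line `- uses: defenseunicorns/setup-zarf@main` still tracks a mutable branch, while every other `uses:` line touched in this patch is pinned to a full commit SHA with a version comment. Bumping `version: v0.40.1` controls which zarf binary is installed but not which revision of the setup action installs it. Pin `setup-zarf` to a commit SHA with a trailing version comment so it follows the same convention as the other actions in this patch.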
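Review bot: The digest change for `docker://morphy/revive-action:v2@sha256:...` in .github/workflows/scan-lint.yaml cannot be tied to a release from the diff alone: the tag stays `v2` on both sides and, unlike the other pinned lines in this patch, there is no trailing version comment. Add a comment naming the image version the new digest corresponds to, and check the digest against the registry before merging, since this is the one pin in the patch a reviewer cannot cross-check against a tag.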