Merge branch 'main' into dependabot/go_modules/modules/compose/github…

….com/docker/compose/v2-2.24.0

* main:
  pin Docker images version (#2129)
  enable golangci-lint for examples (#2128)
  chore(deps): bump github.com/neo4j/neo4j-go-driver/v5 in /modules/neo4j (#2098)
  enable golangci-lint for redis module (#2126)
  Go install gotestsum and golangci-lint  (#2127)
  improve OSSF score (#2125)

.github/workflows/ci-test-go.yml

@@ -71,7 +71,7 @@ jobs:
 
       - name: golangci-lint
         # TODO: Remove each example/module once it passes the golangci-lint
-        if: ${{ inputs.platform == 'ubuntu-latest' && inputs.go-version == '1.20.x' && !contains(fromJSON('["examples/cockroachdb", "examples/toxiproxy", "modules/redis"]'), inputs.project-directory) }}
+        if: ${{ inputs.platform == 'ubuntu-latest' && inputs.go-version == '1.20.x' }}
         uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3
         with:
           # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
@@ -104,9 +104,7 @@ jobs:
         if: ${{ inputs.run-tests }}
         working-directory: ./${{ inputs.project-directory }}
         timeout-minutes: 30
-        run: |
-            go install gotest.tools/gotestsum@latest
-            make test-unit
+        run: make test-unit
 
       - name: Upload SonarCloud files
         if: ${{ github.ref_name == 'main' && github.repository_owner == 'testcontainers' && inputs.run-tests && !inputs.rootless-docker }}

.github/workflows/ci-windows-trigger.yml

@@ -4,13 +4,18 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   windows-test-command-trigger:
+    permissions:
+      pull-requests: write  # for peter-evans/slash-command-dispatch to create PR reaction
     runs-on: ubuntu-22.04
 
     steps:
       - name: Trigger windows-test command
-        uses: peter-evans/slash-command-dispatch@v3
+        uses: peter-evans/slash-command-dispatch@f996d7b7aae9059759ac55e978cff76d91853301 # v3.0.2
         with:
           token: ${{ secrets.WINDOWS_WORKERS_TOKEN }}
           # The command to trigger the pipeline: e.g. /windows-test

.github/workflows/ci-windows.yml

@@ -13,7 +13,7 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Create pending status
-        uses: actions/[email protected]
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -27,7 +27,7 @@ jobs:
             })
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           repository: ${{ github.event.client_payload.pull_request.head.repo.full_name }}
@@ -50,12 +50,10 @@ jobs:
 
       - name: go test
         timeout-minutes: 30
-        run: |
-          go install gotest.tools/gotestsum@latest
-          gotestsum --format short-verbose --rerun-fails=5 --packages="./..."  --junitfile TEST-unit.xml -- -timeout=30m
+        run: make test-unit
 
       - name: Create success status
-        uses: actions/[email protected]
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         if: success()
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
@@ -70,7 +68,7 @@ jobs:
             })
 
       - name: Create failure status
-        uses: actions/[email protected]
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         if: failure()
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}

.github/workflows/ci.yml

@@ -138,22 +138,25 @@ jobs:
       ryuk-disabled: false
 
   sonarcloud:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for sonarsource/sonarcloud-github-action to determine which PR to decorate
     if: ${{ github.ref_name == 'main' && github.repository_owner == 'testcontainers' }}
     needs: test-examples
     runs-on: ubuntu-latest 
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           # Disabling shallow clone is recommended for improving relevancy of reporting
           fetch-depth: 0
 
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: sonarcloud
 
       - name: Analyze with SonarCloud
-        uses: sonarsource/sonarcloud-github-action@master
+        uses: sonarsource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/codeql.yml

@@ -20,6 +20,9 @@ on:
   schedule:
     - cron: '40 6 * * 5'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze

.github/workflows/release-drafter.yml

@@ -6,8 +6,14 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   update_release_draft:
+    permissions:
+      contents: write  # for release-drafter/release-drafter to create a github release
+      pull-requests: write  # for release-drafter/release-drafter to add label to PR
     runs-on: ubuntu-latest
     steps:
       - uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 # v5.19.0

commons-test.mk

@@ -1,16 +1,35 @@
 ROOT_DIR:=$(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
+GOBIN= $(GOPATH)/bin
+
+define go_install
+    go install $(1)
+endef
+
+$(GOBIN)/golangci-lint:
+	$(call go_install,github.com/golangci/golangci-lint/cmd/[email protected])
+
+$(GOBIN)/gotestsum:
+	$(call go_install,gotest.tools/gotestsum@latest)
+
+.PHONY: install
+install: $(GOBIN)/golangci-lint $(GOBIN)/gotestsum
+
+.PHONY: clean
+clean:
+	rm $(GOBIN)/golangci-lint
+	rm $(GOBIN)/gotestsum
 
 .PHONY: dependencies-scan
 dependencies-scan:
 	@echo ">> Scanning dependencies in $(CURDIR)..."
 	go list -json -m all | docker run --rm -i sonatypecommunity/nancy:latest sleuth --skip-update-check
 
 .PHONY: lint
-lint:
+lint: $(GOBIN)/golangci-lint
 	golangci-lint run --out-format=github-actions --path-prefix=. --verbose -c $(ROOT_DIR)/.golangci.yml --fix
 
 .PHONY: test-%
-test-%:
+test-%: $(GOBIN)/gotestsum
 	@echo "Running $* tests..."
 	gotestsum \
 		--format short-verbose \
@@ -26,8 +45,7 @@ tools:
 	go mod download
 
 .PHONY: test-tools
-test-tools:
-	go install gotest.tools/gotestsum@latest
+test-tools: $(GOBIN)/gotestsum
 
 .PHONY: tools-tidy
 tools-tidy:

docs/features/build_from_dockerfile.md

@@ -17,7 +17,7 @@ image will be built with a random name and tag.
 If your Dockerfile expects build args: 
 
 ```Dockerfile
-FROM alpine
+FROM alpine@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48
 
 ARG FOO
 

examples/cockroachdb/cockroachdb_test.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 // Task represents a unit of work to complete. We're going to be using this in
@@ -16,12 +17,12 @@ import (
 type task struct {
 	ID          string     `json:"id"`
 	Description string     `json:"description"`
-	DateDue     *time.Time `json:"date_due,string"`
-	DateCreated time.Time  `json:"date_created,string"`
+	DateDue     *time.Time `json:"date_due"`
+	DateCreated time.Time  `json:"date_created"`
 	DateUpdated time.Time  `json:"date_updated"`
 }
 
-func initCockroachDB(ctx context.Context, db sql.DB) error {
+func initCockroachDB(ctx context.Context, db *sql.DB) error {
 	// Actual SQL for initializing the database should probably live elsewhere
 	const query = `CREATE DATABASE projectmanagement;
 		CREATE TABLE projectmanagement.task(
@@ -31,11 +32,10 @@ func initCockroachDB(ctx context.Context, db sql.DB) error {
 			date_created timestamp with time zone not null,
 			date_updated timestamp with time zone not null);`
 	_, err := db.ExecContext(ctx, query)
-
 	return err
 }
 
-func truncateCockroachDB(ctx context.Context, db sql.DB) error {
+func truncateCockroachDB(ctx context.Context, db *sql.DB) error {
 	const query = `TRUNCATE projectmanagement.task`
 	_, err := db.ExecContext(ctx, query)
 	return err
@@ -49,26 +49,21 @@ func TestIntegrationDBInsertSelect(t *testing.T) {
 	ctx := context.Background()
 
 	cdbContainer, err := startContainer(ctx)
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 	t.Cleanup(func() {
 		if err := cdbContainer.Terminate(ctx); err != nil {
 			t.Fatalf("failed to terminate container: %s", err)
 		}
 	})
 
 	db, err := sql.Open("pgx", cdbContainer.URI+"/projectmanagement")
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 	defer db.Close()
 
-	err = initCockroachDB(ctx, *db)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer truncateCockroachDB(ctx, *db)
+	require.NoError(t, initCockroachDB(ctx, db))
+	defer func(t *testing.T, ctx context.Context, db *sql.DB) {
+		require.NoError(t, truncateCockroachDB(ctx, db))
+	}(t, ctx, db)
 
 	now := time.Now()
 
@@ -84,9 +79,7 @@ func TestIntegrationDBInsertSelect(t *testing.T) {
 		tsk.DateDue,
 		tsk.DateCreated,
 		tsk.DateUpdated)
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 
 	// Select data
 	savedTsk := task{ID: tsk.ID}
@@ -95,10 +88,7 @@ func TestIntegrationDBInsertSelect(t *testing.T) {
 		where id = $1`
 	row := db.QueryRowContext(ctx, findQuery, tsk.ID)
 	err = row.Scan(&savedTsk.Description, &savedTsk.DateDue, &savedTsk.DateCreated, &savedTsk.DateUpdated)
-	if err != nil {
-		t.Fatal(err)
-	}
-
+	require.NoError(t, err)
 	assert.Equal(t, tsk.ID, savedTsk.ID)
 	assert.Equal(t, tsk.Description, savedTsk.Description)
 	assert.Equal(t, tsk.DateDue, savedTsk.DateDue)

modulegen/_template/ci.yml.tmpl

@@ -138,22 +138,25 @@ jobs:
       ryuk-disabled: false
 
   sonarcloud:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for sonarsource/sonarcloud-github-action to determine which PR to decorate
     if: {{ "${{ github.ref_name == 'main' && github.repository_owner == 'testcontainers' }}" }}
     needs: test-examples
     runs-on: ubuntu-latest 
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           # Disabling shallow clone is recommended for improving relevancy of reporting
           fetch-depth: 0
 
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: sonarcloud
 
       - name: Analyze with SonarCloud
-        uses: sonarsource/sonarcloud-github-action@master
+        uses: sonarsource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1
         env:
           GITHUB_TOKEN: {{ "${{ secrets.GITHUB_TOKEN }}" }}
           SONAR_TOKEN: {{ "${{ secrets.SONAR_TOKEN }}" }}

modules/neo4j/go.mod

@@ -4,7 +4,7 @@ go 1.20
 
 require (
 	github.com/docker/go-connections v0.5.0
-	github.com/neo4j/neo4j-go-driver/v5 v5.15.0
+	github.com/neo4j/neo4j-go-driver/v5 v5.16.0
 	github.com/testcontainers/testcontainers-go v0.27.0
 )
 

modules/neo4j/go.sum

@@ -74,8 +74,8 @@ github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
-github.com/neo4j/neo4j-go-driver/v5 v5.15.0 h1:oqJZB1p2DE153RjfFbVGQiSDXqMCMEQnrZW+ZI86o58=
-github.com/neo4j/neo4j-go-driver/v5 v5.15.0/go.mod h1:Vff8OwT7QpLm7L2yYr85XNWe9Rbqlbeb9asNXJTHO4k=
+github.com/neo4j/neo4j-go-driver/v5 v5.16.0 h1:m3ZTjqulwob5HBysu5QdSvFB1+6x8xC9I3hC7yzcN6A=
+github.com/neo4j/neo4j-go-driver/v5 v5.16.0/go.mod h1:Vff8OwT7QpLm7L2yYr85XNWe9Rbqlbeb9asNXJTHO4k=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI=

modules/redis/redis_test.go

@@ -127,7 +127,9 @@ func assertSetsGets(t *testing.T, ctx context.Context, redisContainer *RedisCont
 	require.NoError(t, err)
 
 	client := redis.NewClient(options)
-	defer flushRedis(ctx, *client)
+	defer func(t *testing.T, ctx context.Context, client *redis.Client) {
+		require.NoError(t, flushRedis(ctx, *client))
+	}(t, ctx, client)
 
 	t.Log("pinging redis")
 	pong, err := client.Ping(ctx).Result()

modules/redis/testdata/Dockerfile

@@ -1 +1 @@
-FROM docker.io/redis:5.0-alpine
+FROM docker.io/redis:5.0-alpine@sha256:1a3c609295332f1ce603948142a132656c92a08149d7096e203058533c415b8c

testdata/Dockerfile

@@ -1 +1 @@
-FROM docker.io/redis:5.0-alpine
+FROM docker.io/redis:5.0-alpine@sha256:1a3c609295332f1ce603948142a132656c92a08149d7096e203058533c415b8c

wait/testdata/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.18-alpine as builder
+FROM golang:1.18-alpine@sha256:77f25981bd57e60a510165f3be89c901aec90453fd0f1c5a45691f6cb1528807 as builder
 WORKDIR /app
 COPY . .
 RUN mkdir -p dist