refactor: merge identities refactor from master branch

.github/workflows/binaries.yml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v6
       with:
         fetch-depth: 0
 

.github/workflows/docs.yaml

@@ -1,42 +1,39 @@
-#
 name: Docs
 
 on:
   push:
     branches:
-      - main
+      - master
   pull_request:
-  workflow_call:
   workflow_dispatch:
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+permissions: {}
 
 jobs:
-  docchecks:
-    name: Checks
-    runs-on: ubuntu-22.04
-    outputs:
-      linkcheck-result: ${{ steps.linkcheck-step.outcome }}
+  docs-spelling:
+    name: Spelling
+    runs-on: ubuntu-latest
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
-          fetch-depth: 0
-      - name: Python
+          persist-credentials: false
+      - name: Set up Python
         uses: actions/setup-python@v6
         with:
           python-version: "3.12"
-      - name: Links
-        id: linkcheck-step
-        if: success() || failure()
-        uses: canonical/documentation-workflows/linkcheck@main
+      - name: Check spelling
+        run: make -C docs spelling
+
+  docs-linkcheck:
+    name: Links
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
         with:
-          working-directory: docs
-      - name: Markdown lint
-        id: markdown-step
-        if: success() || failure()
-        uses: DavidAnson/markdownlint-cli2-action@v16
+          persist-credentials: false
+      - name: Set up Python
+        uses: actions/setup-python@v6
         with:
-          config: "docs/.sphinx/.markdownlint.json"        
+          python-version: "3.12"
+      - name: Check links
+        run: make -C docs linkcheck

.github/workflows/integration-tests.yml

@@ -12,7 +12,7 @@ jobs:
     name: tests
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
 
     - name: Set up Go
       uses: actions/setup-go@v6

.github/workflows/lint.yml

@@ -5,7 +5,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v6
 
       - uses: actions/setup-go@v6
         with:
@@ -32,7 +32,7 @@ jobs:
   staticcheck:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v6
 
       - uses: actions/setup-go@v6
         with:

.github/workflows/sbom-secscan.yaml

@@ -11,12 +11,12 @@ jobs:
   scan:
     runs-on: [self-hosted, self-hosted-linux-amd64-jammy-private-endpoint-medium]
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
       - name: sbomber
         uses: canonical/sbomber/.github/actions/run@cf7a76e810497ec932e8285b2c9d6b373d225e79  # main -- and sbomber-ref input should match
         with:
-          manifest: '${{ github.workspace }}/.sbomber-manifest-snap.yaml'
+          manifest: '${{ github.workspace }}/.github/.sbomber-manifest-snap.yaml'
           artifact-name: secscan-report-upload-snap
           sbomber-ref: cf7a76e810497ec932e8285b2c9d6b373d225e79

.github/workflows/scanning.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
 
       - name: Run Github Trivy FS Action
         uses: aquasecurity/trivy-action@master

.github/workflows/snap.yml

@@ -26,7 +26,7 @@ jobs:
     if: github.event_name == 'pull_request'
     steps:
       - name: Checkout Pebble repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -68,7 +68,7 @@ jobs:
         arch: ["amd64", "arm64", "armhf"]
     steps:
       - name: Checkout Pebble repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/tests.yml

@@ -12,7 +12,7 @@ jobs:
 
     name: Unit tests
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
 
     - name: Set up Go
       uses: actions/setup-go@v6
@@ -29,7 +29,7 @@ jobs:
 
     name: Root Tests
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
 
     - name: Set up Go
       uses: actions/setup-go@v6
@@ -45,7 +45,7 @@ jobs:
 
     name: Format check
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
 
     - name: Set up Go
       uses: actions/setup-go@v6
@@ -66,7 +66,7 @@ jobs:
 
     name: Automated docs check
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
 
     - name: Set up Python
       uses: actions/setup-python@v6

.github/workflows/tiobe.yaml

@@ -11,7 +11,7 @@ jobs:
   TICS:
     runs-on: [self-hosted, reactive, amd64, tiobe, noble]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
 
@@ -36,7 +36,7 @@ jobs:
           gocov-xml < coverage.json > .coverage/coverage.xml
 
       - name: TICS GitHub Action
-        uses: tiobe/tics-github-action@009979693978bfefad2ad15c1020066694968dc7  # 3.4.0
+        uses: tiobe/tics-github-action@768de18bedf164ee461bc9ef5e2f2fa1a20b122a  # 3.7.0
         with:
           mode: qserver
           viewerUrl: https://canonical.tiobe.com/tiobeweb/TICS/api/cfg?name=GoProjects

HACKING.md

@@ -281,17 +281,27 @@ Recommended tone:
 
 ## Creating a release
 
-To create a new tagged release, go to the [GitHub Releases page](https://github.com/canonical/pebble/releases) and:
+When releasing, you need to release the `master` branch and the `fips` branch.
 
-- Update `Version` in `cmd/version.go` to the version you're about to publish, for example `v1.9.0`, open a pull request, have it reviewed and merged into the `master` branch.
-- Open a pull request to merge the `master` branch into the `fips` branch, resolve any conflicts, and have it reviewed and merged.
-- Click ["Draft a new release"](https://github.com/canonical/pebble/releases/new).
-- Enter the version tag (for example `v1.9.0`) and select "Create new tag: on publish".
+Binaries will be created and uploaded automatically to this release by the [binaries.yml](https://github.com/canonical/pebble/blob/master/.github/workflows/binaries.yml) GitHub Action. In addition, a new Snap version is built and uploaded to the [Snap Store](https://snapcraft.io/pebble) (but promotion to `stable` is a manual step).
+
+Follow these steps:
+
+### Main release (master branch)
+
+- Update `Version` in `cmd/version.go` to the version you're about to publish, for example `v1.27.0`, open a pull request, have it reviewed and merged into the `master` branch.
+- [Draft a new GitHub release](https://github.com/canonical/pebble/releases/new).
+- Enter the version tag (for example `v1.27.0`) and select "Create new tag: on publish".
 - Enter a release title: include the version tag and a short summary of the release.
 - Write release notes: describe new features and bug fixes, and include a link to the full list of commits.
 - Click "Publish release".
-- Likewise, publish a FIPS release (for example `v1.9.0-fips`) targeting the tip of the `fips` branch.
-- Once the release GitHub Actions have finished, and the new [Snap](https://snapcraft.io/pebble) has been successfully built, update `Version` again to `v1.{next}.0-dev` (for example `v1.10.0-dev`).
-- Find the security scan artifact on the 'SBOM and secscan' run corresponding the pushing the release tag, and upload it to the [SSDLC Pebble folder in Drive](https://drive.google.com/drive/folders/11WR629JFPJ8IMPI0kcsNp_qdf39c6no3). Open the artifact and verify that the security scan has not found any vulnerabilities.
+- Monitor the release [GitHub Actions](https://github.com/canonical/pebble/actions) and check that the [snap](https://snapcraft.io/pebble) is uploaded correctly.
+- If you're confident it's a compatible release, [promote the `candidate` snap to `stable`](https://snapcraft.io/pebble/releases).
+- Find the security scan artifact on the corresponding [SBOM and secscan](https://github.com/canonical/pebble/actions/workflows/sbom-secscan.yaml) run, and upload it to the [SSDLC Pebble folder in Drive](https://drive.google.com/drive/folders/11WR629JFPJ8IMPI0kcsNp_qdf39c6no3). Open the artifact and verify that the security scan has not found any vulnerabilities.
+
+### FIPS release (fips branch)
 
-Binaries will be created and uploaded automatically to this release by the [binaries.yml](https://github.com/canonical/pebble/blob/master/.github/workflows/binaries.yml) GitHub Actions job. In addition, a new Snap version is built and uploaded to the [Snap Store](https://snapcraft.io/pebble).
+- Open a pull request to merge the `master` branch into the `fips` branch, resolve any conflicts, and have it reviewed and merged.
+- Open a second PR on the `fips` branch to bump the `Version` in `cmd/version.go` to the FIPS version, for example `v1.27.0-fips`, and have it reviewed and merged.
+- Publish a FIPS GitHub release (for example `v1.27.0-fips`) targeting the tip of the `fips` branch.
+- As with the main release, monitor the release [GitHub Actions](https://github.com/canonical/pebble/actions), check that the FIPS snap is uploaded, and promote it to stable.

docs/.custom_wordlist.txt

@@ -1 +1,16 @@
 # Leave a blank line at the end of this file to support concatenation
+backoff
+boolean
+Drepper
+idempotently
+liveness
+mkdir
+ns
+runit
+replan
+subcommands
+supervisord
+systemd
+UIDs
+Ulrich
+Utils