From d0338f7e5eda89ac59e657ac9050b2bc7e486423 Mon Sep 17 00:00:00 2001 From: Sam Barker Date: Tue, 20 Jan 2026 11:01:25 +1300 Subject: [PATCH 1/8] fix warnings on PR data step Signed-off-by: Sam Barker --- .github/workflows/sonar.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sonar.yaml b/.github/workflows/sonar.yaml index 939df2d5b0..c3f3034398 100644 --- a/.github/workflows/sonar.yaml +++ b/.github/workflows/sonar.yaml @@ -37,8 +37,10 @@ jobs: if: env.SONAR_TOKEN_SET == 'true' id: get_pr_data with: - route: GET /repos/{full_name}/pulls/{number} - number: ${{ steps.pr_number.outputs.content }} + route: GET /repos/${{env.full_name}}/pulls/${{env.number}} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + pr_number: ${{ steps.pr_number.outputs.content }} full_name: ${{ github.event.repository.full_name }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 07e47502dc4567841f2e17ee72a085e888c652dc Mon Sep 17 00:00:00 2001 From: Sam Barker Date: Tue, 20 Jan 2026 11:04:47 +1300 Subject: [PATCH 2/8] Fail fast instead of trying to limp on. Signed-off-by: Sam Barker --- .github/workflows/sonar.yaml | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/.github/workflows/sonar.yaml b/.github/workflows/sonar.yaml index c3f3034398..750d333b2b 100644 --- a/.github/workflows/sonar.yaml +++ b/.github/workflows/sonar.yaml 
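Review bot: In PATCH 1/8, `steps.pr_number.outputs.content` is placed into the `route` string with no check that it is a number. The step that produces it is outside this hunk, but if it reads a file or artifact written by the pull-request build, the value is untrusted and shapes the API path that is called with `GITHUB_TOKEN`. A guard before `get_pr_data`, such as `[[ "${PR_NUMBER}" =~ ^[0-9]+$ ]] || exit 1` with the value passed through `env:`, would close that. As committed, the route also reads `env.number` while the key defined below it is `pr_number`, and the step carries two `env:` mappings. PATCH 2/8 and 4/8 fix both, so squashing them would keep each commit runnable.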
@@ -42,17 +42,19 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} pr_number: ${{ steps.pr_number.outputs.content }} full_name: ${{ github.event.repository.full_name }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: "sanitize head ref" + - name: "Check for legal branch names" id: set_branch_name + env: + HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }} + BRANCH_REGEX: "[\(\$\)\;]+" run: | - head_ref="${{ github.event.workflow_run.head_repository.head_branch }}" - - # Sanitize by replacing shell characters with - - sanitized_head=$(echo ${head_ref} | sed 's/[\(\$\)]/-/g') - - echo "sanitized_head_ref=${sanitized_head}" >> $GITHUB_ENV + if [[ ${HEAD_BRANCH} =~ ${BRANCH_REGEX} ]]; + then + echo "BRANCH '${HEAD_BRANCH}' contains potentially malicious characters as it matches BRANCH_REGEX '${BRANCH_REGEX}'" + exit 1 + else + echo "SANITIZED_HEAD_REF=${sanitized_head}" >> $GITHUB_ENV + fi shell: bash - uses: actions/checkout@v6 if: env.SONAR_TOKEN_SET == 'true' From badc4824b5809ef638d0b61903670a4dbca80bc5 Mon Sep 17 00:00:00 2001 From: Sam Barker Date: Tue, 20 Jan 2026 11:06:21 +1300 Subject: [PATCH 3/8] Make the checkout unambiguous Signed-off-by: Sam Barker --- .github/workflows/sonar.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/sonar.yaml b/.github/workflows/sonar.yaml index 750d333b2b..3050880c7a 100644 --- a/.github/workflows/sonar.yaml +++ b/.github/workflows/sonar.yaml 
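Review bot: In PATCH 2/8, the `else` branch writes `SANITIZED_HEAD_REF=${sanitized_head}`, but this commit deletes the line that assigned `sanitized_head`, so the exported value is empty until PATCH 7/8 switches it to `${HEAD_BRANCH}`. The check itself is a denylist of four characters. Git ref names also permit quotes, backticks, `&` and `|`, and the checkout step takes its repository from `workflow_run.head_repository`, which may be a fork. An allowlist is the safer shape, for example `[[ "${HEAD_BRANCH}" =~ ^[A-Za-z0-9._/-]+$ ]] || exit 1`. `BRANCH_REGEX: "[\(\$\)\;]+"` also relies on backslash escapes that a YAML double-quoted scalar does not define; single quotes would keep them literal.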
@@ -64,13 +64,11 @@ jobs: fetch-depth: 0 - name: Checkout base branch if: env.SONAR_TOKEN_SET == 'true' - env: - HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }} run: | git remote add upstream ${{ github.event.repository.clone_url }} git fetch upstream git checkout -B ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} upstream/${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} - git checkout "${HEAD_BRANCH}" + git checkout "origin/${SANITIZED_HEAD_REF}" git clean -ffdx && git reset --hard HEAD - name: Set up QEMU uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 From d301dd47d4a99665ca7c3d91e0e45b94cf4d8062 Mon Sep 17 00:00:00 2001 From: Sam Barker Date: Tue, 20 Jan 2026 11:23:11 +1300 Subject: [PATCH 4/8] fixup renames Signed-off-by: Sam Barker --- .github/workflows/sonar.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sonar.yaml b/.github/workflows/sonar.yaml index 3050880c7a..2415c20687 100644 --- a/.github/workflows/sonar.yaml +++ b/.github/workflows/sonar.yaml @@ -37,7 +37,7 @@ jobs: if: env.SONAR_TOKEN_SET == 'true' id: get_pr_data with: - route: GET /repos/${{env.full_name}}/pulls/${{env.number}} + route: GET /repos/${{env.full_name}}/pulls/${{env.pr_number}} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} pr_number: ${{ steps.pr_number.outputs.content }} @@ -60,7 +60,7 @@ jobs: if: env.SONAR_TOKEN_SET == 'true' with: repository: ${{ github.event.workflow_run.head_repository.full_name }} - ref: ${{env.sanitized_head_ref}} + ref: ${{env.SANITIZED_HEAD_REF}} fetch-depth: 0 - name: Checkout base branch if: env.SONAR_TOKEN_SET == 'true' From 2889de0ccdd449cc391247ebecbaf60130381e54 Mon Sep 17 00:00:00 2001 From: Sam Barker Date: Tue, 20 Jan 2026 12:08:43 +1300 Subject: [PATCH 5/8] We don't need it as a var Signed-off-by: Sam Barker --- .github/workflows/sonar.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
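Review bot: The `run` block touched in PATCH 3/8 still expands `${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}` and `${{ github.event.repository.clone_url }}` directly into the script text, unquoted. The line added here correctly reads `${SANITIZED_HEAD_REF}` from the environment instead. Passing the base ref the same way keeps API response data out of the shell source: declare `BASE_REF: ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}` under the step's `env:` and run `git checkout -B "${BASE_REF}" "upstream/${BASE_REF}"`. Note that this commit removes the step's `env:` block, so it would need to be reintroduced for that variable.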
diff --git a/.github/workflows/sonar.yaml b/.github/workflows/sonar.yaml index 2415c20687..ac2afe6be3 100644 --- a/.github/workflows/sonar.yaml +++ b/.github/workflows/sonar.yaml @@ -46,9 +46,8 @@ jobs: id: set_branch_name env: HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }} - BRANCH_REGEX: "[\(\$\)\;]+" run: | - if [[ ${HEAD_BRANCH} =~ ${BRANCH_REGEX} ]]; + if [[ ${HEAD_BRANCH} =~ [\(\$\)\;]+ ]]; then echo "BRANCH '${HEAD_BRANCH}' contains potentially malicious characters as it matches BRANCH_REGEX '${BRANCH_REGEX}'" exit 1 From 3e197c5c36d18723d72e7f6d85dff04babd69bf5 Mon Sep 17 00:00:00 2001 From: Sam Barker Date: Tue, 20 Jan 2026 12:29:18 +1300 Subject: [PATCH 6/8] Fix variable reference in sonar.yaml --- .github/workflows/sonar.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sonar.yaml b/.github/workflows/sonar.yaml index ac2afe6be3..5a21867e8b 100644 --- a/.github/workflows/sonar.yaml +++ b/.github/workflows/sonar.yaml @@ -67,7 +67,7 @@ jobs: git remote add upstream ${{ github.event.repository.clone_url }} git fetch upstream git checkout -B ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} upstream/${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} - git checkout "origin/${SANITIZED_HEAD_REF}" + git checkout "origin/${{env.SANITIZED_HEAD_REF}}" git clean -ffdx && git reset --hard HEAD - name: Set up QEMU uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 From 5c947d1b37f7ecf1893c8fb57dbc8fe1b331c956 Mon Sep 17 00:00:00 2001 From: Sam Barker Date: Tue, 20 Jan 2026 12:40:13 +1300 Subject: [PATCH 7/8] Fix sanitized head ref assignment in sonar.yaml --- .github/workflows/sonar.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sonar.yaml b/.github/workflows/sonar.yaml index 5a21867e8b..c57df7152b 100644 --- a/.github/workflows/sonar.yaml +++ b/.github/workflows/sonar.yaml 
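Review bot: In PATCH 5/8, the failure message still prints `${BRANCH_REGEX}`, which this commit stops defining, so the log line will end with `matches BRANCH_REGEX ''` and hide the pattern that rejected the branch. Either drop that clause or keep the pattern in a variable assigned inside the script, e.g. `branch_regex='[()$;]+'` followed by `if [[ ${HEAD_BRANCH} =~ ${branch_regex} ]];`, which keeps the message accurate without YAML-level escaping. The `if` block continues past the end of this hunk, and the step's `- name:` line is above it.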
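Review bot: In PATCH 6/8, `git checkout "origin/${{env.SANITIZED_HEAD_REF}}"` is expanded into the script text before bash starts, so the branch name is parsed as shell source rather than passed as data. The previous `"origin/${SANITIZED_HEAD_REF}"` form read it from the environment at run time and was the safer of the two. The guard step only rejects `(`, `$`, `)` and `;`, which does not make the value safe to splice into a double-quoted shell string. If the shell variable appeared empty when this was changed, the likely cause is the `${sanitized_head}` assignment that PATCH 7/8 corrects, not the reference style. I would keep `git checkout "origin/${SANITIZED_HEAD_REF}"` and reserve `${{ env.SANITIZED_HEAD_REF }}` for `with:` inputs such as the `ref:` of `actions/checkout`.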
@@ -52,7 +52,7 @@ jobs: echo "BRANCH '${HEAD_BRANCH}' contains potentially malicious characters as it matches BRANCH_REGEX '${BRANCH_REGEX}'" exit 1 else - echo "SANITIZED_HEAD_REF=${sanitized_head}" >> $GITHUB_ENV + echo "SANITIZED_HEAD_REF=${HEAD_BRANCH}" >> $GITHUB_ENV fi shell: bash - uses: actions/checkout@v6 From 7c6dfe33777f58e31f3c0969202f0de56edcdf96 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 20 Jan 2026 00:53:21 +0000 Subject: [PATCH 8/8] chore(deps): update dependency strimzi/strimzi-kafka-operator to v0.50.0 Signed-off-by: SamBarker <2833578+SamBarker@users.noreply.github.com> --- kroxylicious-docs/docs/record-encryption-quickstart/index.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kroxylicious-docs/docs/record-encryption-quickstart/index.adoc b/kroxylicious-docs/docs/record-encryption-quickstart/index.adoc index 1363e9ce6f..a04a1938b7 100644 --- a/kroxylicious-docs/docs/record-encryption-quickstart/index.adoc +++ b/kroxylicious-docs/docs/record-encryption-quickstart/index.adoc @@ -3,7 +3,7 @@ :localstack-chart-version: 0.6.27 // A Renovate rule will update the strimzi-version but not kafka-version. Update the kafka-version to the point // at the latest kafka version supported by that strimzi. -:strimzi-version: 0.49.1 +:strimzi-version: 0.50.0 :kafka-version: 4.1.1 :kafka-image: quay.io/strimzi/kafka:{strimzi-version}-kafka-{kafka-version}
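Review bot: In PATCH 7/8, `SANITIZED_HEAD_REF` now carries the raw `HEAD_BRANCH` value, so the name overstates what the step guarantees: the branch has passed a four-character denylist and nothing has been rewritten. A later reader can take the name as permission to interpolate it anywhere. A comment above the `echo`, such as `# validated, not rewritten: consume only as a quoted shell variable`, or a rename to `VALIDATED_HEAD_REF`, would make the contract clear. The redirect target should also be quoted, as in `>> "$GITHUB_ENV"`. The `if` test and the start of the step are outside this hunk.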