SECVULN: Update undici (#165)

* Bump axios in the npm_and_yarn group across 1 directory

Bumps the npm_and_yarn group with 1 update in the / directory: [axios](https://github.com/axios/axios).


Updates `axios` from 1.13.2 to 1.13.5
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](https://github.com/axios/axios/compare/v1.13.2...v1.13.5)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.13.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

* copy write fixes

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: kp2099 <karthik200499@gmail.com>

.copywrite.hcl

@@ -1,7 +1,14 @@
+# Copyright IBM Corp. 2020, 2026
+# SPDX-License-Identifier: Apache-2.0
+
 schema_version = 1
 
 project {
-  header_ignore = [
-    "dist/index.js"
+    license          = "Apache-2.0"
+    copyright_year   = 2022
+
+    header_ignore = [
+        "dist/*",
+        "node_modules/",
   ]
 }

.github/dependabot.yml

@@ -0,0 +1,15 @@
+version: 2
+
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  # Dependabot only updates HashiCorp GHAs, external GHAs are managed by internal tooling (tsccr)
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    allow:
+      - dependency-name: "hashicorp/*"

.github/workflows/actions-self-test.yml

@@ -1,10 +1,12 @@
+---
+
 name: "GitHub Action: Self-Test"
 
 on:
   push:
 
 env:
-  PRODUCT_VERSION: "1.8.6"
+  PRODUCT_VERSION: "1.10.0"
 
 jobs:
   setup-packer:
@@ -12,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Setup `packer` (using local GitHub Action)
         uses: "./"

.github/workflows/compliance.yml

@@ -0,0 +1,25 @@
+---
+
+name: "HashiCorp: Compliance"
+
+on:
+  push:
+
+permissions:
+  contents: read
+
+jobs:
+  copywrite:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          # Full git history is needed to get a proper list of changed files within `super-linter`
+          fetch-depth: 0
+
+      - uses: hashicorp/setup-copywrite@32638da2d4e81d56a0764aa1547882fc4d209636 # v1.1.3
+
+      - run: copywrite headers --plan
+
+      - run: copywrite license --plan

.github/workflows/superlinter.yml

@@ -1,4 +1,5 @@
 ---
+
 name: "Code Quality: Super-Linter"
 
 on:
@@ -10,17 +11,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           # Full git history is needed to get a proper list of changed files within `super-linter`
           fetch-depth: 0
 
       - name: Lint Code with Super-Linter
-        uses: github/super-linter/slim@45fc0d88288beee4701c62761281edfee85655d7 # v5.0.0
+        uses: github/super-linter/slim@4e51915f4a812abf59fed160bb14595c0a38a9e7 # v6
         env:
           VALIDATE_ALL_CODEBASE: true
           DEFAULT_BRANCH: "main"
           DISABLE_ERRORS: false
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           JAVASCRIPT_DEFAULT_STYLE: "prettier"
           VALIDATE_JSON: true
           VALIDATE_MD: true

.github/workflows/typescript.yml

@@ -1,4 +1,5 @@
 ---
+
 name: "Code Quality: TypeScript"
 
 on:
@@ -9,27 +10,36 @@ jobs:
     name: Node.js
     runs-on: ubuntu-latest
 
+    env:
+      PACKAGES: "@vercel/ncc prettier"
+
     strategy:
       # see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast
       fail-fast: false
       matrix:
         node-version:
-          - 18.x
+          - 20.x
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 1
 
       - name: Set up Node.js
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'npm'
 
-      - name: Install NPM Packages
-        run: npm ci
+      - name: Install global NPM packages
+        run: npm install --global ${PACKAGES}
+
+      - name: Install Action-specific NPM Packages
+        run: npm install-clean
 
       - name: Build TypeScript code
-        run: npm run build
+        run: |
+          npm run-script fmt \
+          && \
+          npm run-script build

.gitignore

@@ -1,3 +1 @@
-# TODO: generate dist folder in CI 
-# dist/
 node_modules/

CHANGELOG.md

@@ -1,15 +0,0 @@
-# `0.3.0` (UNRELEASED, 2022-08)
-
-* Update Dockerfile to point to packer version `1.8.2`
-* Change `target` default to `.` [#17](https://github.com/hashicorp/packer-github-actions/pull/17)
-* Mark `target` as not required [#17](https://github.com/hashicorp/packer-github-actions/pull/17)
-* Add support for working_directory [#11](https://github.com/operatehappy/packer-github-actions/pull/11)
-
-## `0.2.0` (2020-03-25)
-
-* Adds Packer action (#1) ([d80192d](https://github.com/ksatirli/packer-github-actions/commit/d80192d)), closes [#1](https://github.com/ksatirli/packer-github-actions/issues/1)
-* adds GitHub Actions for `code-quality` and `repository-management` ([2a0399e](https://github.com/ksatirli/packer-github-actions/commit/2a0399e))
-
-## `0.1.0` (2020-03-24)
-
-* adds base files ([6f7428a](https://github.com/ksatirli/packer-github-actions/commit/6f7428a))

CODEOWNERS

@@ -0,0 +1 @@
+* @hashicorp/github-actions-maintainers

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2020 HashiCorp, Inc.
+Copyright IBM Corp. 2022, 2026
 
                                  Apache License
                            Version 2.0, January 2004

README.md

@@ -7,13 +7,13 @@ The `hashicorp/setup-packer` Action sets up the [Packer](https://www.packer.io)
 ## Table of Contents
 
 <!-- TOC -->
-* [GitHub Action: `setup-packer`](#github-action--setup-packer)
+* [GitHub Action: `setup-packer`](#github-action-setup-packer)
   * [Table of Contents](#table-of-contents)
   * [Requirements](#requirements)
   * [Usage](#usage)
   * [Inputs](#inputs)
   * [Outputs](#outputs)
-  * [Integrating with HCP Packer](#Integrating-with-HCP-Packer)
+  * [Integrating with HCP Packer](#integrating-with-hcp-packer)
   * [Author Information](#author-information)
   * [License](#license)
 <!-- TOC -->
@@ -28,7 +28,7 @@ Other [environment variables](https://developer.hashicorp.com/packer/docs/comman
 
 ## Usage
 
-1.) Create a GitHub Actions Workflow file (e.g.: `.github/workflows/packer.yml`):
+Create a GitHub Actions Workflow file (e.g.: `.github/workflows/packer.yml`):
 
 ```yaml
 name: packer
@@ -37,7 +37,7 @@ on:
   push:
 
 env:
-  PRODUCT_VERSION: "1.8.6" # or: "latest"
+  PRODUCT_VERSION: "1.10.0" # or: "latest"
 
 jobs:
   packer:
@@ -45,7 +45,7 @@ jobs:
     name: Run Packer
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup `packer`
         uses: hashicorp/setup-packer@main
@@ -66,8 +66,8 @@ In the above example, the following definitions have been set.
 
 - The event trigger has been set to `push`. For a complete list, see [Events that trigger workflows](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows).
 - The origin of this GitHub Action has been set as `hashicorp/setup-packer@main`. For newer versions, see the [Releases](https://github.com/hashicorp/setup-packer/releases).
-- The version of `packer` to set up has been set as `1.8.6`. For a complete list, see [releases.hashicorp.com](https://releases.hashicorp.com/packer/).
-- The Packer manifest to interact with has been set as `./image.pkr.hcl`
+- The version of `packer` to set up has been set as `1.10.0`. For a complete list, see [releases.hashicorp.com](https://releases.hashicorp.com/packer/).
+- The Packer manifest to interact with has been set as `./image.pkr.hcl`.
 
 These definitions may require updating to suit your deployment, such as specifying [self-hosted](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#choosing-self-hosted-runners) runners.
 
@@ -79,6 +79,9 @@ This section contains a list of all inputs that may be set for this Action.
 
 - `version` - The version of `packer` to install. Defaults to `latest` if unset.
 
+> [!NOTE]
+> To retrieve the `latest` version, this GitHub Action polls the HashiCorp [Releases API](https://api.releases.hashicorp.com/v1/releases/packer) and finds the latest released version of Packer that isn't marked as a pre-release (`is_prerelease`).
+
 ## Outputs
 
 This section contains a list of all outputs that can be consumed from this Action.
@@ -86,11 +89,14 @@ This section contains a list of all outputs that can be consumed from this Actio
 - `version` -  The version of `packer` that was installed.
 
 ## Integrating with HCP Packer
+
 To integrate with HCP Packer, add your HCP Client ID and HCP Client secret as environment variables to the Packer build call.
 
 We add an `HCP_PACKER_BUILD_FINGERPRINT` in this example that is based on the workflow run ID, that way it is always unique
 
-We recommend storing these in [GitHub Actions Secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository) (as opposed to plain-text). See the [HCP Packer Getting Started tutorial](https://developer.hashicorp.com/packer/tutorials/hcp-get-started/hcp-push-image-metadata)
+We recommend storing these in [GitHub Actions Secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository) (as opposed to plain-text).
+
+For more information on using HCP Packer, see the [Getting Started tutorial](https://developer.hashicorp.com/packer/tutorials/hcp-get-started/hcp-push-image-metadata).
 
 ```yaml
 name: hcp-packer
@@ -104,15 +110,18 @@ jobs:
     name: Run Packer
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+
       - name: Setup `packer`
         uses: hashicorp/setup-packer@main
         id: setup
         with:
           version: "latest"
+
       - name: Run `packer init`
         id: init
         run: "packer init ./image.pkr.hcl"
+
       - name: Run `packer validate`
         id: validate
         run: "packer validate ./image.pkr.hcl"

action.yml

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2022, 2026
 # SPDX-License-Identifier: Apache-2.0
 
 ---
@@ -15,7 +15,7 @@ outputs:
   version:
     description: "The Packer version that was installed and added to PATH."
 runs:
-  using: "node16"
+  using: "node20"
   main: "dist/index.js"
 branding:
   icon: "package"

dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAKA,oDAAsC;AACtC,mEAAqD;AAErD,SAAe,IAAI;;QACjB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACzC,IAAI,OAAO,IAAI,IAAI,EAAE;YACnB,IAAI,CAAC,SAAS,CAAC,kCAAkC,CAAC,CAAC;YACnD,OAAO;SACR;QACD,IAAI;YACF,MAAM,EAAE,CAAC,mBAAmB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;SACjD;QAAC,OAAO,KAAK,EAAE;YACd,IAAI,KAAK,YAAY,KAAK,EAAE;gBAC1B,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;aAC/B;SACF;IACH,CAAC;CAAA;AAED,IAAI,EAAE,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAKA,oDAAsC;AACtC,mEAAqD;AAExC,QAAA,OAAO,GAAG,QAAQ,CAAC;AAEhC,SAAe,IAAI;;QACjB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACzC,IAAI,OAAO,IAAI,IAAI,EAAE,CAAC;YACpB,IAAI,CAAC,SAAS,CAAC,kCAAkC,CAAC,CAAC;YACnD,OAAO;QACT,CAAC;QACD,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,mBAAmB,CAAC,eAAO,EAAE,OAAO,CAAC,CAAC;QACjD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;gBAC3B,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;IACH,CAAC;CAAA;AAED,IAAI,EAAE,CAAC"}

examples/hcp-packer.yml

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2022, 2026
 # SPDX-License-Identifier: Apache-2.0
 
 name: hcp-packer
@@ -10,21 +10,24 @@ jobs:
     name: Run Packer
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+
       - name: Setup `packer`
         uses: hashicorp/setup-packer@main
         id: setup
         with:
           version: "latest"
+
       - name: Run `packer init`
         id: init
         run: "packer init ./image.pkr.hcl"
+
       - name: Run `packer validate`
         id: validate
         run: "packer validate ./image.pkr.hcl"
 
       - name: Build Artifact
-        run: packer build -color=false -on-error=abort image.pkr.hcl
+        run: "packer build -color=false -on-error=abort image.pkr.hcl"
         env:
           HCP_CLIENT_ID: ${{ secrets.HCP_CLIENT_ID }}
           HCP_CLIENT_SECRET: ${{ secrets.HCP_CLIENT_SECRET }}

examples/packer.yml

@@ -1,4 +1,4 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2022, 2026
 # SPDX-License-Identifier: Apache-2.0
 
 name: packer
@@ -12,13 +12,13 @@ jobs:
     name: Run Packer
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup `packer`
         uses: hashicorp/setup-packer@main
         id: setup
         with:
-          version: "1.8.6" # or latest
+          version: "1.10.0" # or latest
 
       - name: Run `packer init`
         id: init

package.json

@@ -1,6 +1,6 @@
 {
   "name": "setup-packer",
-  "version": "2.1.0",
+  "version": "3.1.0",
   "description": "A GitHub Action to install a specific version of HashiCorp Packer and add it to PATH.",
   "keywords": [
     "github-actions",
@@ -16,19 +16,20 @@
   "main": "dist/index.js",
   "scripts": {
     "build": "tsc && ncc build --no-cache",
-    "fmt": "prettier --write 'src/*.ts'"
+    "fmt": "prettier --write 'src/*.ts'",
+    "copywrite": "copywrite headers && copywrite license"
   },
   "dependencies": {
-    "@actions/core": "1.10.1",
-    "@actions/io": "1.1.3",
-    "@actions/tool-cache": "2.0.1",
-    "@hashicorp/github-actions-core": "github:hashicorp/github-actions-core#v0.3.1",
-    "@vercel/ncc": "0.36.1"
+    "@actions/core": "^2.0.3",
+    "@actions/http-client": "^3.0.2",
+    "@hashicorp/github-actions-core": "github:hashicorp/github-actions-core#v1.0.0"
   },
   "devDependencies": {
-    "@types/node": "18.14.1",
-    "@types/semver": "7.5.4",
-    "prettier": "2.8.4",
-    "typescript": "4.9.5"
+    "@types/node": "^22.5.0",
+    "@types/semver": "^7.5.8",
+    "typescript": "^5.5.4"
+  },
+  "overrides": {
+    "undici": "6.24.0"
   }
 }

src/index.ts

@@ -1,11 +1,13 @@
 /**
- * Copyright (c) HashiCorp, Inc.
+ * Copyright IBM Corp. 2022, 2026
  * SPDX-License-Identifier: Apache-2.0
  */
 
 import * as core from "@actions/core";
 import * as hc from "@hashicorp/github-actions-core";
 
+export const PRODUCT = "packer";
+
 async function main() {
   const version = core.getInput("version");
   if (version == null) {
@@ -13,7 +15,7 @@ async function main() {
     return;
   }
   try {
-    await hc.getHashicorpRelease("packer", version);
+    await hc.getHashicorpRelease(PRODUCT, version);
   } catch (error) {
     if (error instanceof Error) {
       core.setFailed(error.message);

test/hello-world.pkr.hcl

@@ -1,8 +1,18 @@
-# Copyright (c) HashiCorp, Inc.
+# Copyright IBM Corp. 2022, 2026
 # SPDX-License-Identifier: Apache-2.0
 
+packer {
+  required_plugins {
+    # see https://github.com/hashicorp/packer-plugin-hashicups/releases/tag/v1.0.2
+    hashicups = {
+      version = ">= 1.0.0"
+      source  = "github.com/hashicorp/hashicups"
+    }
+  }
+}
+
 # file: builds.pkr.hcl
-source "file" "basic-example" {
+source "file" "basic_example" {
   content = "Lorem ipsum dolor sit amet"
   target  = "sample_artifact"
 }
@@ -20,12 +30,13 @@ build {
 Some nice description about the image which artifact is being published to HCP Packer Registry. =D
     EOT
 
-    labels = {
-      "foo-version" = "3.4.0",
-      "foo"         = "bar",
+    bucket_labels = {
+      "version" = "1.2.3",
+      "foo"     = "bar",
     }
   }
 
-  sources = ["sources.file.basic-example"]
+  sources = [
+    "sources.file.basic_example"
+  ]
 }
-