From bf0e58ea5c978fc6c85a30c13497a8bb988403b6 Mon Sep 17 00:00:00 2001
From: Renovate Bot <renovate@t00n.de>
Date: Sun, 25 Jan 2026 17:07:02 +0100
Subject: [PATCH 1/4] chore(deps): update actions/checkout action to v6 (#17)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://github.com/actions/checkout) | action | major | `v5` → `v6` |

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

### [`v6`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v602)

[Compare Source](https://github.com/actions/checkout/compare/v5...v6)

- Fix tag handling: preserve annotations and explicit fetch-tags by [@&#8203;ericsciple](https://github.com/ericsciple) in [#&#8203;2356](https://github.com/actions/checkout/pull/2356)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi42NC4xIiwidXBkYXRlZEluVmVyIjoiNDIuNzQuNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYWN0aW9uIiwiZGVwcyJdfQ==-->

Reviewed-on: https://gitea.t000-n.de/t.behrendt/k/pulls/17
Reviewed-by: t.behrendt <t.behrendt@noreply.localhost>
Co-authored-by: Renovate Bot <renovate@t00n.de>
Co-committed-by: Renovate Bot <renovate@t00n.de>
---
 .gitea/workflows/deploy.yaml   | 6 +++---
 .gitea/workflows/validate.yaml | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index b0b39b0..787a181 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -15,7 +15,7 @@ jobs:
       traefik: ${{ steps.filter.outputs.traefik }}
       crowdsec: ${{ steps.filter.outputs.crowdsec }}
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
         with:
           fetch-depth: 0
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
@@ -36,7 +36,7 @@ jobs:
     needs: check-changes
     if: ${{ needs.check-changes.outputs.node-labels == 'true' || github.event_name == 'workflow_dispatch' }}
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
       - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4
       - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4
         with:
@@ -51,7 +51,7 @@ jobs:
     needs: check-changes
     if: ${{ needs.check-changes.outputs.coredns == 'true' || github.event_name == 'workflow_dispatch' }}
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
       - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4
       - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4
         with:
diff --git a/.gitea/workflows/validate.yaml b/.gitea/workflows/validate.yaml
index 596a9d1..0edb4c1 100644
--- a/.gitea/workflows/validate.yaml
+++ b/.gitea/workflows/validate.yaml
@@ -9,7 +9,7 @@ jobs:
   validate-node-lables:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
       - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4
       - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4
         with:
@@ -22,7 +22,7 @@ jobs:
   validate-coredns:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
       - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4
       - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4
         with:
-- 
2.49.1


From 7c0aedeecd78152df856af1a18cf95c57c429c21 Mon Sep 17 00:00:00 2001
From: Timo Behrendt <t.behrendt@t00n.de>
Date: Sun, 25 Jan 2026 17:09:48 +0100
Subject: [PATCH 2/4] ci: remove helmfile action overrides (#39)

Reviewed-on: https://gitea.t000-n.de/t.behrendt/k/pulls/39
Co-authored-by: Timo Behrendt <t.behrendt@t00n.de>
Co-committed-by: Timo Behrendt <t.behrendt@t00n.de>
---
 .gitea/workflows/deploy.yaml   | 1 -
 .gitea/workflows/validate.yaml | 1 -
 2 files changed, 2 deletions(-)

diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 787a181..567e7b2 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -135,5 +135,4 @@ jobs:
         uses: helmfile/helmfile-action@f64d5db9f8660aae0205b5fcfc56577d44acefab # v2.1.0
         with:
           helmfile-args: apply
-          helm-plugins: https://github.com/databus23/helm-diff@v3.12.0
           helmfile-workdirectory: "crowdsec"
diff --git a/.gitea/workflows/validate.yaml b/.gitea/workflows/validate.yaml
index 0edb4c1..6e09672 100644
--- a/.gitea/workflows/validate.yaml
+++ b/.gitea/workflows/validate.yaml
@@ -66,5 +66,4 @@ jobs:
         uses: helmfile/helmfile-action@f64d5db9f8660aae0205b5fcfc56577d44acefab # v2.1.0
         with:
           helmfile-args: diff
-          helm-plugins: https://github.com/databus23/helm-diff@v3.12.0
           helmfile-workdirectory: "crowdsec"
-- 
2.49.1


From e4b6c1cfe209dee2e570b09e1ba9685c3862b092 Mon Sep 17 00:00:00 2001
From: Timo Behrendt <t.behrendt@t00n.de>
Date: Sun, 25 Jan 2026 17:06:39 +0100
Subject: [PATCH 3/4] feat: add docker hub registry token

---
 .gitea/workflows/deploy.yaml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 567e7b2..12472af 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -136,3 +136,30 @@ jobs:
         with:
           helmfile-args: apply
           helmfile-workdirectory: "crowdsec"
+
+  deploy-docker-registry-secret:
+    runs-on: ubuntu-latest
+    needs: check-changes
+    steps:
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4
+      - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4
+        with:
+          method: kubeconfig
+          kubeconfig: ${{ secrets.KUBECONFIG }}
+      - name: Set docker registry credentials
+        uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218 # v5
+        with:
+          namespace: default
+          secret-name: regcred-dockerhub
+          secret-type: generic
+          data: |
+            {
+              "docker-server": "https://hub.docker.com"
+              "docker-username": "${{ secrets.DOCKER_USERNAME }}"
+              "docker-password": "${{ secrets.DOCKER_PASSWORD }}"
+              "docker-email": "${{ secrets.DOCKER_EMAIL }}"
+            }
+      - name: Configure image pull secret globally
+        run: |
+          kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "regcred-dockerhub"}]}'
-- 
2.49.1


From 7af22f9de4e7c215de201b0c71bcfbf0e8c479e9 Mon Sep 17 00:00:00 2001
From: Timo Behrendt <t.behrendt@t00n.de>
Date: Sun, 25 Jan 2026 17:16:51 +0100
Subject: [PATCH 4/4] correctly create the secret

---
 .gitea/workflows/deploy.yaml | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 12472af..7a6a80e 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -148,18 +148,14 @@ jobs:
           method: kubeconfig
           kubeconfig: ${{ secrets.KUBECONFIG }}
       - name: Set docker registry credentials
-        uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218 # v5
-        with:
-          namespace: default
-          secret-name: regcred-dockerhub
-          secret-type: generic
-          data: |
-            {
-              "docker-server": "https://hub.docker.com"
-              "docker-username": "${{ secrets.DOCKER_USERNAME }}"
-              "docker-password": "${{ secrets.DOCKER_PASSWORD }}"
-              "docker-email": "${{ secrets.DOCKER_EMAIL }}"
-            }
+        run: |
+          kubectl create secret docker-registry regcred-dockerhub \
+            --docker-server=https://index.docker.io/v1/ \
+            --docker-username="${{ secrets.DOCKER_USERNAME }}" \
+            --docker-password="${{ secrets.DOCKER_PASSWORD }}" \
+            --docker-email="${{ secrets.DOCKER_EMAIL }}" \
+            --namespace=default \
+            --dry-run=client -o yaml | kubectl apply -f -
       - name: Configure image pull secret globally
         run: |
           kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "regcred-dockerhub"}]}'
-- 
2.49.1