
Bump @backstage/plugin-scaffolder-backend from 0.3.7 to 1.15.0 #55

Open
wants to merge 1 commit into main

Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Jun 21, 2023

Bumps @backstage/plugin-scaffolder-backend from 0.3.7 to 1.15.0.

Release notes

Sourced from @backstage/plugin-scaffolder-backend's releases.

v1.15.0

These are the release notes for the v1.15.0 release of Backstage.

A huge thanks to the whole team of maintainers and contributors as well as the amazing Backstage Community for their hard work in getting this release developed and done.

Highlights

This release has a few important security fixes, along with a lot of squashed bugs and exciting additions as usual! Enjoy.

BREAKING: Scaffolder build requirements

The Scaffolder backend uses a sandboxing environment to run its nunjucks templating in, for security reasons. This used to leverage the vm2 library, but in this release it has been replaced by isolated-vm. This significantly improves the confidence level in the sandbox implementation since it builds upon v8 isolates directly. However, it comes with a cost to implementers: it is a native dependency, and as such needs to be built during yarn installation, on the exact architecture that it then executes on. For those who compile and run Backstage on stripped-down environments, you will want to ensure that you have the build basics present, e.g. build-essential or similar corresponding to your operating system of choice. The isolated-vm repo has some further information about the build environment requirements.

CVE-2022-39266 has been reported for isolated-vm, but it applies only when using CachedDataOptions. We do not use that feature at all, since it is recommended against in the README; doing so can lead to breakouts and calling back to the main process. Some security tools may report this as a vulnerability, but it is safe to ignore it through your .snyk policy file or similar.

BREAKING: @backstage/plugin-linguist-backend

There have been some significant updates to the Linguist plugin, in particular the backend and its API. One breaking change is that LinguistBackendApi is now an interface rather than a class, and you should create its implementation LinguistBackendClient instead.

Contributed by @ahhhndre in #16954

BREAKING: @backstage/plugin-github-actions

In order to make this plugin support GitHub enterprise as well as cloud, its GithubActionsClient is updated to take an scmAuthApi instead of the previous

... (truncated)

Changelog

Sourced from @backstage/plugin-scaffolder-backend's changelog.

1.15.0

Minor Changes

  • 84b0e47373db: Add TargetBranchName variable and output for the publish:gitlab:merge-request and publish:github:pull-request scaffolder actions.

  • 6a694ce98e32: Add a scaffolder action that creates pull requests for Bitbucket Server

  • 1948845861b0: Added github:deployKey:create and github:environment:create scaffolder actions. You will need to add read/write permissions to your GITHUB_TOKEN and/or Github Backstage App for Repository Administration (for deploy key functionality) and Environments (for Environment functionality)

  • df8411779da1: Add support for Repository Variables and Secrets to the publish:github and github:repo:create scaffolder actions. You will need to add read/write permissions to your GITHUB_TOKEN and/or Github Backstage App for Repository Secrets and Variables

    Upgrading octokit introduces some breaking changes.

Patch Changes

  • cc936b529676: Fix handling of optional property in catalog:register scaffolder action

  • b269da39ac2d: Clearer error messages for action publish:gitlab:merge-request

  • 11e0f625583f: Fix wrong gitlabUrl format in repoUrl input description

  • a2c70cdda202: Switch out the sandbox, from vm2 to isolated-vm.

    This is a native dependency, which means that it will need to be compiled with the same version of node on the same OS. This could cause some issues when running in Docker for instance, as you will need to make sure that the dependency is installed and compiled inside the docker container that it will run on.

    This could mean adding in some dependencies to the container like build-essential to make sure that this compiles correctly.

    If you're having issues installing this dependency, there's some install instructions over on isolated-vm's repo.

  • Updated dependencies

    • @backstage/backend-common@0.19.0
    • @backstage/catalog-client@1.4.2
    • @backstage/types@1.1.0
    • @backstage/plugin-catalog-backend@1.10.0
    • @backstage/integration@1.5.0
    • @backstage/catalog-model@1.4.0
    • @backstage/errors@1.2.0
    • @backstage/backend-plugin-api@0.5.3
    • @backstage/backend-tasks@0.5.3
    • @backstage/plugin-auth-node@0.2.15
    • @backstage/plugin-catalog-node@1.3.7
    • @backstage/plugin-permission-node@0.7.9
    • @backstage/config@1.0.8
    • @backstage/plugin-catalog-common@1.0.14
    • @backstage/plugin-permission-common@0.7.6
    • @backstage/plugin-scaffolder-common@1.3.1
    • @backstage/plugin-scaffolder-node@0.1.4

1.15.0-next.3

Minor Changes

  • 84b0e47373db: Add TargetBranchName variable and output for the publish:gitlab:merge-request and publish:github:pull-request scaffolder actions.
  • 6a694ce98e32: Add a scaffolder action that creates pull requests for Bitbucket Server
  • 1948845861b0: Added github:deployKey:create and github:environment:create scaffolder actions. You will need to add read/write permissions to your GITHUB_TOKEN and/or Github Backstage App for Repository Administration (for deploy key functionality) and Environments (for Environment functionality)

... (truncated)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.
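The release notes above say that isolated-vm is a native dependency that must be compiled, during yarn install, on the same OS, architecture and Node version it will later run on, and that stripped-down images need build-essential or equivalent. The following multi-stage Dockerfile is an added example written for this page, not Backstage's own Dockerfile and not part of this PR; it assumes a Debian-based official node image, a single package.json that depends on @backstage/plugin-scaffolder-backend, and a prebuilt backend bundle under packages/backend/dist (adapt the paths to your workspace layout). The toolchain lives only in the build stage, the runtime stage uses the identical base image so the compiled binary matches, and the build fails early if the module cannot be loaded by the Node that will execute it.

```dockerfile
# Build stage: the native toolchain is present here so that isolated-vm is
# compiled against the exact OS, architecture and Node ABI of this image.
# (Assumed base image; pick the node major your Backstage app targets.)
FROM node:18-bookworm-slim AS build
WORKDIR /app

# build-essential (gcc, g++, make) plus python3 are what node-gyp needs.
# --no-install-recommends keeps the layer small; the lists are removed after.
RUN apt-get update \
 && apt-get install -y --no-install-recommends python3 build-essential \
 && rm -rf /var/lib/apt/lists/*

# Assumed layout: root package.json / yarn.lock describe the backend's deps.
COPY package.json yarn.lock ./
RUN yarn install --frozen-lockfile --production

# Smoke test at image build time: if the compiled module does not load in
# this Node, fail the build here rather than on the first scaffolder run.
RUN node -e "require('isolated-vm'); console.log('isolated-vm loads OK')"

# Runtime stage: same base image as the build stage (so the compiled .node
# binary matches), but no compiler toolchain is installed.
FROM node:18-bookworm-slim
WORKDIR /app

COPY --from=build /app/node_modules ./node_modules
COPY --from=build /app/package.json ./
# Assumed prebuilt backend bundle produced outside this Dockerfile.
COPY packages/backend/dist ./packages/backend/dist
COPY app-config.yaml ./

# Run as the unprivileged user shipped with the official node images.
USER node
CMD ["node", "packages/backend", "--config", "app-config.yaml"]
```

If you build the image on one machine and run it on another (for example an amd64 CI runner producing an image for arm64 nodes), build with the target platform set explicitly (docker buildx --platform) so the native module is compiled for the architecture that will actually execute it; copying a node_modules tree built on the host into the image defeats the purpose of the build stage.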

Bumps [@backstage/plugin-scaffolder-backend](https://github.com/backstage/backstage/tree/HEAD/plugins/scaffolder-backend) from 0.3.7 to 1.15.0.
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/plugins/scaffolder-backend/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/v1.15.0/plugins/scaffolder-backend)

---
updated-dependencies:
- dependency-name: "@backstage/plugin-scaffolder-backend"
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the "dependencies" label (Pull requests that update a dependency file) Jun 21, 2023
Labels: dependencies (Pull requests that update a dependency file)
Projects: None yet
0 participants