chore: update jsonnet [PF-3330]

.github/jsonnet/GIT_VERSION

@@ -1 +1 @@
-3831fc029bded90b10ee04c78cd06cb6c498e26a
+aa305cb073663f1cc427017459aa90fa37127e4a

.github/jsonnet/actions.jsonnet

@@ -0,0 +1,16 @@
+/**
+ * GitHub Action plugin references
+ *
+ * Centralised SHA-pinned references for external GitHub Actions used across workflows.
+ * Pinning to a SHA (rather than a tag) protects against supply-chain attacks where a
+ * tag is moved to point at a malicious commit. The trailing comment records the
+ * human-readable version that the SHA corresponds to at the time of pinning.
+ */
+{
+  checkout_action: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd',  // v6
+  gcp_auth_action: 'google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093',  // v3
+  gcp_setup_gcloud_action: 'google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db',  // v3
+  pulumi_action: 'pulumi/actions@cd99a7f8865434dd3532b586a26f9ebea596894f',  // v5
+  onepassword_load_secrets_action: '1password/load-secrets-action@92467eb28f72e8255933372f1e0707c567ce2259',  // v4
+  slack_action: 'act10ns/slack@d96404edccc6d6467fc7f8134a420c851b1e9054',  // v2
+}

.github/jsonnet/base.jsonnet

@@ -41,6 +41,7 @@ local misc = import 'misc.jsonnet';
    * @param {object} [concurrency=null] - Job-level concurrency settings
    * @param {boolean} [continueOnError=null] - Whether to continue workflow if job fails
    * @param {object} [env=null] - Environment variables for all steps in the job
+   * @param {object} [strategy=null] - GitHub Actions matrix strategy (e.g., {matrix: {shard: [1,2,3]}, 'fail-fast': false})
    * @returns {jobs} - GitHub Actions job definition
    */
   ghJob(
@@ -58,6 +59,7 @@ local misc = import 'misc.jsonnet';
     concurrency=null,
     continueOnError=null,
     env=null,
+    strategy=null,
   )::
     {
       [name]: {
@@ -82,7 +84,8 @@ local misc = import 'misc.jsonnet';
               (if permissions == null then {} else { permissions: permissions }) +
               (if concurrency == null then {} else { concurrency: concurrency }) +
               (if continueOnError == null then {} else { 'continue-on-error': continueOnError }) +
-              (if env == null then {} else { env: env }),
+              (if env == null then {} else { env: env }) +
+              (if strategy == null then {} else { strategy: strategy }),
     },
 
   /**
@@ -159,7 +162,7 @@ local misc = import 'misc.jsonnet';
    * @docs https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idsteps
    *
    * @param {string} name - Display name for the step in the GitHub UI
-   * @param {string} uses - The action to use (e.g., 'actions/checkout@v4', './path/to/action')
+   * @param {string} uses - The action to use (e.g., 'actions/checkout@v6', './path/to/action')
    * @param {object} [env=null] - Environment variables for this step
    * @param {object} [with=null] - Input parameters to pass to the action
    * @param {string} [id=null] - Unique identifier for this step (used to reference outputs)

.github/jsonnet/cache.jsonnet

@@ -120,21 +120,25 @@ local base = import 'base.jsonnet';
     ),
 
   /**
-   * Removes a cache from the cache server.
-   * 
+   * Removes a cache from the cache server and optionally removes local folders.
+   *
    * This is a generic function that can be used to remove any cache. It is advised to wrap this function
    * in a more specific function that removes a specific cache, setting the cacheName parameter.
    *
    * @param {string} cacheName - The name of the cache to remove. The name of the repository is usually a good option.
    * @param {string} [version='v1'] - The version of the cache to remove.
+   * @param {array} [folders=[]] - Local folders to delete alongside the remote cache.
+   * @param {string} [ifClause=null] - An optional if clause to conditionally run this step.
    * @returns {steps} - GitHub Actions step to remove cache from Google Cloud Storage
    */
-  removeCache(cacheName, version='v1')::
+  removeCache(cacheName, version='v1', folders=[], ifClause=null)::
     base.step(
       'remove ' + cacheName + ' cache',
       run=
       'set +e;\n' +
+      (if std.length(folders) > 0 then 'rm -rf ' + std.join(' ', folders) + '\n' else '') +
       'gsutil rm "gs://files-gynzy-com-test/ci-cache/' + cacheName + '-' + version + '.tar.zst"\n' +
-      'echo "Cache removed"\n'
+      'echo "Cache removed"\n',
+      ifClause=ifClause,
     ),
 }

.github/jsonnet/clusters.jsonnet

@@ -34,4 +34,13 @@ local misc = import 'misc.jsonnet';
     jobNodeSelectorKey: 'type',
     jobNodeSelectorValue: 'worker',
   },
+
+  'gh-runners': {
+    project: 'gh-runners',
+    name: 'gh-runners-2023',
+    zone: 'europe-west4',
+    secret: misc.secret('GCE_JSON'),
+    jobNodeSelectorKey: 'optio',
+    jobNodeSelectorValue: 'true',
+  },
 }

.github/jsonnet/deployment.jsonnet

@@ -122,7 +122,7 @@ local notifications = import 'notifications.jsonnet';
                     function(deploymentTarget)
                       base.action(
                         'publish-deploy-' + deploymentTarget + '-event',
-                        'chrnorm/deployment-action@v2',
+                        'chrnorm/deployment-action@500aa6a23c81ffa1acf71072aee3cfa2cc2e556a',  // v2
                         ifClause=ifClause,
                         with={
                           token: misc.secret('VIRKO_GITHUB_TOKEN'),
@@ -173,7 +173,7 @@ local notifications = import 'notifications.jsonnet';
   updateDeploymentStatus(status='${{ job.status }}')::
     base.action(
       'Update deployment status',
-      'chrnorm/deployment-status@v2',
+      'chrnorm/deployment-status@6df8d036fd2fee9eb82936733953da1f8382b41e',  // v2
       with={
         state: status,
         ['deployment-id']: '${{ github.event.deployment.id }}',

.github/jsonnet/helm.jsonnet

@@ -132,6 +132,7 @@ local services = import 'services.jsonnet';
    * @param {boolean} [fetchDependencies=false] - Whether to fetch Helm dependencies
    * @param {boolean} [wait=false] - Whether to wait for resources to be ready before marking the release as successful
    * @param {string} [timeout=null] - Time to wait for resources (pods) to become ready (e.g., '5m')
+   * @param {string} [runsOn=null] - GitHub Actions runner to use for the job
    * @returns {jobs} - Complete GitHub Actions job for production deployment
    */
   helmDeployProdJob(
@@ -145,9 +146,11 @@ local services = import 'services.jsonnet';
     fetchDependencies=false,
     wait=false,
     timeout=null,
+    runsOn=null,
   )::
     base.ghJob(
       'deploy-prod',
+      runsOn=runsOn,
       ifClause="${{ github.event.deployment.environment == '" + environment + "' }}",
       image=image,
       useCredentials=useCredentials,
@@ -213,6 +216,7 @@ local services = import 'services.jsonnet';
    * @param {boolean} [fetchDependencies=false] - Whether to fetch Helm dependencies
    * @param {boolean} [wait=false] - Whether to wait for resources to be ready before marking the release as successful
    * @param {string} [timeout=null] - Time to wait for resources (pods) to become ready (e.g., '5m')
+   * @param {string} [runsOn=null] - GitHub Actions runner to use for the job
    * @returns {jobs} - Complete GitHub Actions job for test deployment
    */
   helmDeployTestJob(
@@ -225,9 +229,11 @@ local services = import 'services.jsonnet';
     fetchDependencies=false,
     wait=false,
     timeout=null,
+    runsOn=null,
   )::
     base.ghJob(
       'deploy-test',
+      runsOn=runsOn,
       ifClause="${{ github.event.deployment.environment == 'test' }}",
       image=image,
       useCredentials=useCredentials,
@@ -296,6 +302,7 @@ local services = import 'services.jsonnet';
    * @param {boolean} [fetchDependencies=false] - Whether to fetch Helm dependencies
    * @param {boolean} [wait=false] - Whether to wait for resources to be ready before marking the release as successful
    * @param {string} [timeout=null] - Time to wait for resources (pods) to become ready (e.g., '5m')
+   * @param {string} [runsOn=null] - GitHub Actions runner to use for the job
    * @returns {jobs} - Complete GitHub Actions job for PR deployment
    */
   helmDeployPRJob(
@@ -308,9 +315,11 @@ local services = import 'services.jsonnet';
     fetchDependencies=false,
     wait=false,
     timeout=null,
+    runsOn=null,
   )::
     base.ghJob(
       'deploy-pr',
+      runsOn=runsOn,
       image=image,
       useCredentials=useCredentials,
       steps=[
@@ -369,6 +378,7 @@ local services = import 'services.jsonnet';
    * @param {boolean} [fetchDependencies=fetchDependencies] - Whether to fetch Helm dependencies
    * @param {boolean} [wait=false] - Whether to wait for resources to be ready before marking the release as successful
    * @param {string} [timeout=null] - Time to wait for resources (pods) to become ready (e.g., '5m')
+   * @param {string} [runsOn=null] - GitHub Actions runner to use for the job
    * @returns {jobs} - Complete GitHub Actions job for PR cleanup
    */
   helmDeletePRJob(
@@ -380,9 +390,11 @@ local services = import 'services.jsonnet';
     fetchDependencies=fetchDependencies,
     wait=false,
     timeout=null,
+    runsOn=null,
   )::
     base.ghJob(
       'helm-delete-pr',
+      runsOn=runsOn,
       image=images.default_job_image,
       useCredentials=false,
       steps=[
@@ -483,6 +495,7 @@ local services = import 'services.jsonnet';
    * @param {boolean} [fetchDependencies=false] - Whether to fetch Helm dependencies
    * @param {boolean} [wait=false] - Whether to wait for resources to be ready before marking the release as successful
    * @param {string} [timeout=null] - Time to wait for resources (pods) to become ready (e.g., '5m')
+   * @param {string} [runsOn=null] - GitHub Actions runner to use for the job
    * @returns {jobs} - Complete GitHub Actions job for canary deployment
    */
   helmDeployCanaryJob(
@@ -495,9 +508,11 @@ local services = import 'services.jsonnet';
     fetchDependencies=false,
     wait=false,
     timeout=null,
+    runsOn=null,
   )::
     base.ghJob(
       'deploy-canary',
+      runsOn=runsOn,
       image=image,
       useCredentials=useCredentials,
       ifClause="${{ github.event.deployment.environment == 'canary' }}",
@@ -566,6 +581,7 @@ local services = import 'services.jsonnet';
    * @param {boolean} [fetchDependencies=false] - Whether to fetch Helm dependencies
    * @param {boolean} [wait=false] - Whether to wait for resources to be ready before marking the release as successful
    * @param {string} [timeout=null] - Time to wait for resources (pods) to become ready (e.g., '5m')
+   * @param {string} [runsOn=null] - GitHub Actions runner to use for the job
    * @returns {jobs} - Complete GitHub Actions job to kill canary deployment
    */
   helmKillCanaryJob(
@@ -576,9 +592,11 @@ local services = import 'services.jsonnet';
     fetchDependencies=false,
     wait=false,
     timeout=null,
+    runsOn=null,
   )::
     base.ghJob(
       'kill-canary',
+      runsOn=runsOn,
       ifClause="${{ github.event.deployment.environment == 'kill-canary' || github.event.deployment.environment == 'production' }}",
       image=images.default_job_image,
       useCredentials=false,

.github/jsonnet/images.jsonnet

@@ -6,7 +6,7 @@
  * Images are primarily hosted on Google Cloud registries (GCR and Artifact Registry).
  */
 {
-  jsonnet_bin_image: 'europe-docker.pkg.dev/unicorn-985/private-images/docker-images_jsonnet:v1',
+  jsonnet_bin_image: 'europe-docker.pkg.dev/unicorn-985/private-images/docker-images_jsonnet:v2',
   helm_action_image: 'docker://europe-docker.pkg.dev/unicorn-985/public-images/helm-action:v4',
   mysql_action_image: 'docker://europe-docker.pkg.dev/unicorn-985/public-images/docker-images_mysql-cloner-action:v2',
   docker_action_image: 'docker://europe-docker.pkg.dev/unicorn-985/public-images/push-to-gcr-github-action:v1',

.github/jsonnet/index.jsonnet

@@ -1,4 +1,5 @@
 (import 'base.jsonnet') +
+{ actions: import 'actions.jsonnet' } +
 { clusters: import 'clusters.jsonnet' } +
 (import 'databases.jsonnet') +
 (import 'docker.jsonnet') +