bumped jenkins version and ci permissions

.github/workflows/jenkins-agent-ansible-pr.yaml

@@ -5,6 +5,10 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-ansible/**
       - .github/workflows/jenkins-agent-ansible-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

.github/workflows/jenkins-agent-arachni-pr.yaml

@@ -5,6 +5,10 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-arachni/**
       - .github/workflows/jenkins-agent-arachni-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

.github/workflows/jenkins-agent-argocd-pr.yaml

@@ -5,6 +5,10 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-argocd/**
       - .github/workflows/jenkins-agent-argocd-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

.github/workflows/jenkins-agent-ci-pr.yaml

@@ -6,6 +6,10 @@ on:
     paths:
       - _test/kind/**
       - .github/workflows/jenkins-agent-ci-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

.github/workflows/jenkins-agent-conftest-pr.yaml

@@ -5,6 +5,10 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-conftest/**
       - .github/workflows/jenkins-agent-conftest-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

.github/workflows/jenkins-agent-cosign-pr.yaml

@@ -5,6 +5,10 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-cosign/**
       - .github/workflows/jenkins-agent-cosign-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

.github/workflows/jenkins-agent-erlang-pr.yaml

@@ -5,6 +5,10 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-erlang/**
       - .github/workflows/jenkins-agent-erlang-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

.github/workflows/jenkins-agent-golang-pr.yaml

@@ -5,6 +5,10 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-golang/**
       - .github/workflows/jenkins-agent-golang-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

.github/workflows/jenkins-agent-graalvm-pr.yaml

@@ -5,6 +5,10 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-graalvm/**
       - .github/workflows/jenkins-agent-graalvm-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

.github/workflows/jenkins-agent-gradle-pr.yaml

@@ -5,6 +5,10 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-gradle/**
       - .github/workflows/jenkins-agent-gradle-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

.github/workflows/jenkins-agent-helm-pr.yaml

@@ -5,6 +5,10 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-helm/**
       - .github/workflows/jenkins-agent-helm-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

.github/workflows/jenkins-agent-hugo-pr.yaml

@@ -5,6 +5,10 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-hugo/**
       - .github/workflows/jenkins-agent-hugo-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

.github/workflows/jenkins-agent-image-mgmt-pr.yaml

@@ -4,6 +4,10 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-image-mgmt/**
       - .github/workflows/jenkins-agent-image-mgmt-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

.github/workflows/jenkins-agent-image-mgmt-publish.yaml

@@ -4,13 +4,19 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-image-mgmt/version.json
       - .github/workflows/jenkins-agent-image-mgmt-publish.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:
       context: jenkins-agents/jenkins-agent-image-mgmt
       image_name: jenkins-agent-image-mgmt
       REGISTRY: ${{ secrets.REGISTRY_URI }}
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 

.github/workflows/jenkins-agent-mongodb-pr.yaml

@@ -5,6 +5,10 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-mongodb/**
       - .github/workflows/jenkins-agent-mongodb-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

.github/workflows/jenkins-agent-mvn-pr.yaml

@@ -5,6 +5,10 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-mvn/**
       - .github/workflows/jenkins-agent-mvn-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

.github/workflows/jenkins-agent-npm-pr.yaml

@@ -5,6 +5,10 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-npm/**
       - .github/workflows/jenkins-agent-npm-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

.github/workflows/jenkins-agent-python-pr.yaml

@@ -4,6 +4,10 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-python/**
       - .github/workflows/jenkins-agent-python-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

.github/workflows/jenkins-agent-python-publish.yaml

@@ -4,13 +4,19 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-python/version.json
       - .github/workflows/jenkins-agent-python-publish.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:
       context: jenkins-agents/jenkins-agent-python
       image_name: jenkins-agent-python
       REGISTRY: ${{ secrets.REGISTRY_URI }}
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 

.github/workflows/jenkins-agent-ruby-pr.yaml

@@ -5,6 +5,10 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-ruby/**
       - .github/workflows/jenkins-agent-ruby-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

.github/workflows/jenkins-agent-rust-pr.yaml

@@ -5,6 +5,10 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-rust/**
       - .github/workflows/jenkins-agent-rust-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

.github/workflows/jenkins-agent-zap-pr.yaml

@@ -5,6 +5,10 @@ on:
     paths:
       - jenkins-agents/jenkins-agent-zap/**
       - .github/workflows/jenkins-agent-zap-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     env:

_test/kind/setup.sh

@@ -3,7 +3,7 @@
 set -euo pipefail
 
 AGENT=$1
-JENKINS_CHART_VERSION=${2:-3.11.10}
+JENKINS_CHART_VERSION="4.9.1"
 AGENT_PATH="jenkins-agents/${AGENT}"
 SCRIPT_DIR=$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}" || realpath "${BASH_SOURCE[0]}")")
 
@@ -61,6 +61,7 @@ then
   then
     kind create cluster --config ${SCRIPT_DIR}/kind-config.yaml
   fi
+
   podman save ${AGENT}:latest | docker load
   docker tag localhost/${AGENT}:latest ${AGENT}:latest
   kind load docker-image ${AGENT}:latest
@@ -71,21 +72,38 @@ then
     --for=condition=ready pod \
     --selector=app.kubernetes.io/component=controller \
     --timeout=90s
+
   # Would like to find a cleaner approach to configure the podTemplate and Jenkins job below
   TPL_TEMP=$(mktemp -d)
   JENKINS_AGENT="${AGENT}" envsubst < ${SCRIPT_DIR}/jenkins-podtemplate.yaml > ${TPL_TEMP}/podtemplate.yaml
   JENKINS_AGENT="${AGENT}" JENKINSFILE=$(sed '2,$s/^/                      /' ${AGENT_PATH}/Jenkinsfile.test) envsubst < ${SCRIPT_DIR}/jenkins-casc-config-scripts-template.yaml > ${TPL_TEMP}/jenkins-casc-config-scripts.yaml
+
   # Use Helm to deploy and configure Jenkins
   helm repo add jenkinsci https://charts.jenkins.io --force-update
   helm repo update
+  echo "### Jenkins content will look like... ###"
+  helm template jenkins \
+      --version ${JENKINS_CHART_VERSION} \
+      -n jenkins --create-namespace \
+      -f ${SCRIPT_DIR}/jenkins-values.yaml \
+      -f ${TPL_TEMP}/podtemplate.yaml \
+      -f ${TPL_TEMP}/jenkins-casc-config-scripts.yaml \
+      jenkinsci/jenkins
+
+  echo "### Jenkins install ###"
   helm install jenkins \
     --version ${JENKINS_CHART_VERSION} \
     -n jenkins --create-namespace \
     -f ${SCRIPT_DIR}/jenkins-values.yaml \
     -f ${TPL_TEMP}/podtemplate.yaml \
     -f ${TPL_TEMP}/jenkins-casc-config-scripts.yaml \
     jenkinsci/jenkins
-  # Make sure Jenkins is available 
+
+  kubectl get statefulsets -n jenkins
+  kubectl describe statefulsets/jenkins -n jenkins
+  kubectl rollout status statefulsets/jenkins --watch=true --timeout=5m -n jenkins
+
+  # Make sure Jenkins is available
   echo "### Wait for Jenkins instance to become ready ###"
   do_until "http://localhost/login" "" 200 300 "Timed out waiting for Jenkins to become ready..."
 
@@ -97,6 +115,7 @@ then
     echo "Failed to create Jenkins Crumb, exiting..."
     exit 2
   fi
+
   token=$(curl -s http://localhost/me/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken --data 'newTokenName=foo' --user admin:${secret} -H "Jenkins-Crumb: ${crumb}" --cookie /tmp/cookies | jq -r '.data.tokenValue')
   if [ -z ${token} ]
   then
@@ -127,7 +146,9 @@ then
     sleep 2
     let "timeout += 2"
   done
+
   get_build_logs
+
   JOB_STATUS=$(curl -s http://localhost/job/containers-quickstarts/job/${AGENT}/lastBuild/api/json --user admin:${token} | jq -r '.result')
   kind delete cluster --name kind
   if [[ ${JOB_STATUS} != "SUCCESS" ]]