

Merge pull request #472 from BBMRI-ERIC/feat/ossf_improvments
chore: add OSSF suggested improvements
RadovanTomik authored Oct 13, 2024
2 parents cb3d4a7 + 46e62e2 commit 1af0e8c
Showing 3 changed files with 39 additions and 64 deletions.
73 changes: 38 additions & 35 deletions .github/workflows/CI.yml
Expand Up @@ -11,6 +11,7 @@ on:
tags:
- 'v*.*.*'
pull_request:
permissions: read-all
jobs:

compile:
Expand All @@ -20,10 +21,10 @@ jobs:
steps:

- name: Checkout codebase
uses: actions/checkout@v4
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

- name: Set up JDK 17
uses: actions/setup-java@v4
uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
with:
java-version: '17'
distribution: 'temurin'
Expand All @@ -38,13 +39,13 @@ jobs:

steps:
- name: Set up JDK 17
uses: actions/setup-java@v4
uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
with:
java-version: '17'
distribution: 'temurin'

- name: Checkout Code
uses: actions/checkout@v4
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

- name: Lint Code Base
run: mvn clean com.spotify.fmt:fmt-maven-plugin:check
Expand All @@ -58,10 +59,10 @@ jobs:
steps:

- name: Checkout codebase
uses: actions/checkout@v4
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

- name: Set up JDK 17
uses: actions/setup-java@v4
uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
with:
java-version: '17'
distribution: 'temurin'
Expand All @@ -71,7 +72,7 @@ jobs:
run: mvn --quiet clean test -B --file pom.xml

- name: Upload coverage to Codecov
uses: codecov/codecov-action@v4
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
with:
token: ${{ secrets.CODECOV_TOKEN }}
fail_ci_if_error: true
Expand All @@ -87,10 +88,10 @@ jobs:
steps:

- name: Checkout codebase
uses: actions/checkout@v4
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

- name: Set up JDK 17
uses: actions/setup-java@v4
uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
with:
java-version: '17'
distribution: 'temurin'
Expand All @@ -100,7 +101,7 @@ jobs:
run: mvn --quiet clean verify -B -Dspring.profiles.active=test

- name: Upload coverage to Codecov
uses: codecov/codecov-action@v4
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
with:
token: ${{ secrets.CODECOV_TOKEN }}
fail_ci_if_error: true
Expand All @@ -119,10 +120,10 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

- name: Set up JDK 17
uses: actions/setup-java@v4
uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
with:
java-version: '17'
distribution: 'temurin'
Expand Down Expand Up @@ -153,23 +154,23 @@ jobs:
steps:

- name: Checkout codebase
uses: actions/checkout@v4
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3

- name: Build and push
uses: docker/build-push-action@v5
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6
with:
context: .
tags: bbmrieric/negotiator:latest
outputs: type=docker,dest=/tmp/negotiator.tar

- name: Upload image
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
with:
name: negotiator
path: /tmp/negotiator.tar
Expand All @@ -182,7 +183,7 @@ jobs:

steps:
- name: Download artifact
uses: actions/download-artifact@v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
name: negotiator
path: /tmp
Expand All @@ -191,10 +192,10 @@ jobs:
run: docker load --input /tmp/negotiator.tar

- name: Check out Git repository
uses: actions/checkout@v4
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

- name: Run Trivy Vulnerability Scanner
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564
with:
image-ref: bbmrieric/negotiator:latest
format: sarif
Expand All @@ -216,13 +217,13 @@ jobs:
steps:

- name: Download artifact
uses: actions/download-artifact@v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
name: negotiator
path: /tmp

- name: Checkout codebase
uses: actions/checkout@v4
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

- name: Load image
run: docker load --input /tmp/negotiator.tar
Expand Down Expand Up @@ -256,7 +257,7 @@ jobs:
steps:

- name: Download artifact
uses: actions/download-artifact@v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
name: negotiator
path: /tmp
Expand All @@ -265,7 +266,7 @@ jobs:
run: docker load --input /tmp/negotiator.tar

- name: Checkout codebase
uses: actions/checkout@v4
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

- name: Setup environment with auth server
run: cd .github/oauth-test/ && docker compose up -d
Expand All @@ -290,7 +291,7 @@ jobs:
steps:

- name: Download artifact
uses: actions/download-artifact@v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
name: negotiator
path: /tmp
Expand Down Expand Up @@ -323,7 +324,7 @@ jobs:
run: docker logs negotiator

- name: Checkout codebase
uses: actions/checkout@v4
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

- name: Check health
run: .github/scripts/check_health.sh negotiator
Expand All @@ -341,30 +342,30 @@ jobs:
steps:

- name: Checkout codebase
uses: actions/checkout@v4
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3

- name: Login to DockerHub
uses: docker/login-action@v3
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Docker meta
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
with:
images: |
bbmrieric/negotiator
Expand All @@ -377,7 +378,7 @@ jobs:
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }}
- name: Build and push
uses: docker/build-push-action@v5
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6
with:
context: .
platforms: linux/amd64
Expand All @@ -390,16 +391,18 @@ jobs:
if: github.event_name == 'push' && github.ref_type == 'tag'
name: Publish JAR file
runs-on: ubuntu-latest
permissions:
packages: write
needs:
- system-test
- oauth-test
- backwards-compatibility
steps:
- name: Checkout codebase
uses: actions/checkout@v4
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

- name: Set up JDK 17
uses: actions/setup-java@v4
uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
with:
java-version: '17'
distribution: 'temurin'
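Review bot: The `permissions:` block added to the Publish JAR job (`packages: write`) replaces the workflow-level `read-all` for that job only, so every scope it does not list, including `contents`, drops to `none` while the job still runs `actions/checkout`; add `contents: read` next to `packages: write`. Under the new top-level `permissions: read-all`, any job that pushes to ghcr.io with `secrets.GITHUB_TOKEN` (the `docker/login-action` step with `registry: ghcr.io`) or uploads the Trivy SARIF report needs its own job-level `packages: write` / `security-events: write`; those jobs' headers are outside the visible hunks, so confirm they were given job-level permissions too. The `aquasecurity/trivy-action` pin is the only one without a trailing `# vX` version comment, which Dependabot/Renovate rely on to keep the SHA current; add the comment for the tag the SHA corresponds to. Also note that `docker/build-push-action` moved from `v5` to a commit annotated `# v6` in the same change, a major-version bump rather than a pure pin, which deserves a mention in the commit message.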
28 changes: 0 additions & 28 deletions .github/workflows/deploy.yml

This file was deleted.

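--- a/Dockerfile
+++ b/Dockerfile
@@ -9,7 +9,7 @@ RUN mvn --quiet -B clean package -Dmaven.test.skip=true
 
 
 # Runtime image
-FROM eclipse-temurin:17-jre-focal
+FROM eclipse-temurin:17-jre-focal@sha256:9a2120bf709b8ed0eef46e13bbdf6ab63fb18b529710c275b68190457728f246
 RUN mkdir /var/log/negotiator && chown 1001 /var/log/negotiator
 USER 1001
 WORKDIR /app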
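Review bot: Pinning the runtime base image by digest freezes it, so `docker build` will no longer pick up rebuilt `17-jre-focal` images on its own; make sure an automated updater (Dependabot's `docker` ecosystem or Renovate) is configured to bump the `@sha256:` digest, otherwise this pin silently accumulates the base-image CVEs that the floating tag used to absorb. The builder stage's `FROM` line is outside this hunk; if it is still an unpinned tag it should get the same `image:tag@sha256:...` treatment so both stages are reproducible. A comment above the pinned line recording where the digest came from, e.g. `# digest of eclipse-temurin:17-jre-focal at pin time; kept current by Dependabot`, helps the next reviewer judge staleness.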
