diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 637e12018..9bd5e5725 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -11,6 +11,7 @@ on:
 tags:
 - 'v*.*.*'
 pull_request:
+permissions: read-all
 jobs:
 compile:
@@ -20,10 +21,10 @@ jobs:
 steps:
 - name: Checkout codebase
- uses: actions/checkout@v4
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
 - name: Set up JDK 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
 with:
 java-version: '17'
 distribution: 'temurin'
@@ -38,13 +39,13 @@ jobs:
 steps:
 - name: Set up JDK 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
 with:
 java-version: '17'
 distribution: 'temurin'
 - name: Checkout Code
- uses: actions/checkout@v4
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
 - name: Lint Code Base
 run: mvn clean com.spotify.fmt:fmt-maven-plugin:check
@@ -58,10 +59,10 @@ jobs:
 steps:
 - name: Checkout codebase
- uses: actions/checkout@v4
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
 - name: Set up JDK 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
 with:
 java-version: '17'
 distribution: 'temurin'
@@ -71,7 +72,7 @@ jobs:
 run: mvn --quiet clean test -B --file pom.xml
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@v4
+ uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 fail_ci_if_error: true
@@ -87,10 +88,10 @@ jobs:
 steps:
 - name: Checkout codebase
- uses: actions/checkout@v4
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
 - name: Set up JDK 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
 with:
 java-version: '17'
 distribution: 'temurin'
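Review bot: `permissions: read-all` on the added line grants the job token read on every scope, which is more than these jobs use; the conventional least-privilege default is `permissions:` followed by `contents: read`, with individual jobs widening it where they must. A workflow-level default also means every job that writes with `GITHUB_TOKEN` now needs a job-level override, and this commit adds one only to the Publish JAR job, so the Docker publish job's ghcr.io login and any SARIF upload after the Trivy step (both in later hunks) should be checked for the same need. The SHA pins introduced throughout this file only stay current if Dependabot or Renovate is configured for the `github-actions` ecosystem, which is not part of this diff; confirm such a config exists, otherwise the pins freeze the actions at today's revision.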
@@ -100,7 +101,7 @@ jobs:
 run: mvn --quiet clean verify -B -Dspring.profiles.active=test
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@v4
+ uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 fail_ci_if_error: true
@@ -119,10 +120,10 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
 - name: Set up JDK 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
 with:
 java-version: '17'
 distribution: 'temurin'
@@ -153,23 +154,23 @@ jobs:
 steps:
 - name: Checkout codebase
- uses: actions/checkout@v4
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3
 - name: Build and push
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6
 with:
 context: .
 tags: bbmrieric/negotiator:latest
 outputs: type=docker,dest=/tmp/negotiator.tar
 - name: Upload image
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
 with:
 name: negotiator
 path: /tmp/negotiator.tar
@@ -182,7 +183,7 @@ jobs:
 steps:
 - name: Download artifact
- uses: actions/download-artifact@v4.1.7
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
 with:
 name: negotiator
 path: /tmp
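Review bot: The `Checkout codebase` step at the top of the `-153,23` hunk keeps `actions/checkout`'s default `persist-credentials: true`, so the job's `GITHUB_TOKEN` is written into `.git/config`, and the `Build and push` step three steps later hands `context: .` to the builder; if the Dockerfile's build stage copies the whole context and `.git` is not excluded by a `.dockerignore` (neither is visible here), that token can end up in the build context and potentially in the image that is then uploaded as an artifact. Nothing in this job pushes back to the repository, so add `with:` / `persist-credentials: false` to that checkout. The same hunk also moves `docker/build-push-action` from `@v5` to a `# v6` SHA, a major-version bump folded into a pinning commit; that deserves a mention in the commit message and a check that the `outputs: type=docker,dest=/tmp/negotiator.tar` export behaves identically under v6.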
@@ -191,10 +192,10 @@ jobs:
 run: docker load --input /tmp/negotiator.tar
 - name: Check out Git repository
- uses: actions/checkout@v4
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
 - name: Run Trivy Vulnerability Scanner
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564
 with:
 image-ref: bbmrieric/negotiator:latest
 format: sarif
@@ -216,13 +217,13 @@ jobs:
 steps:
 - name: Download artifact
- uses: actions/download-artifact@v4.1.7
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
 with:
 name: negotiator
 path: /tmp
 - name: Checkout codebase
- uses: actions/checkout@v4
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
 - name: Load image
 run: docker load --input /tmp/negotiator.tar
@@ -256,7 +257,7 @@ jobs:
 steps:
 - name: Download artifact
- uses: actions/download-artifact@v4.1.7
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
 with:
 name: negotiator
 path: /tmp
@@ -265,7 +266,7 @@ jobs:
 run: docker load --input /tmp/negotiator.tar
 - name: Checkout codebase
- uses: actions/checkout@v4
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
 - name: Setup environment with auth server
 run: cd .github/oauth-test/ && docker compose up -d
@@ -290,7 +291,7 @@ jobs:
 steps:
 - name: Download artifact
- uses: actions/download-artifact@v4.1.7
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
 with:
 name: negotiator
 path: /tmp
@@ -323,7 +324,7 @@ jobs:
 run: docker logs negotiator
 - name: Checkout codebase
- uses: actions/checkout@v4
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
 - name: Check health
 run: .github/scripts/check_health.sh negotiator
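Review bot: The new `aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564` pin in the `-191,10` hunk is the only pin in this diff without a trailing version comment, so a reader cannot tell which release it is and renovate-style tooling has no version to track; add the matching `# vX.Y.Z` comment as every other step does. Replacing `@master` with a commit SHA is the right move for a third-party action that runs against the built image. This step emits `format: sarif`; if a later step in this job (outside the hunk) uploads the report to code scanning, that step now needs `security-events: write` declared at job level, because the workflow default this commit introduces is `read-all`.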
@@ -341,22 +342,22 @@ jobs:
 steps:
 - name: Checkout codebase
- uses: actions/checkout@v4
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3
 - name: Login to DockerHub
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
 with:
 username: ${{ secrets.DOCKERHUB_USER }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
@@ -364,7 +365,7 @@ jobs:
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
 with:
 images: |
 bbmrieric/negotiator
@@ -377,7 +378,7 @@ jobs:
 type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }}
 - name: Build and push
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6
 with:
 context: .
 platforms: linux/amd64
@@ -390,16 +391,18 @@ jobs:
 if: github.event_name == 'push' && github.ref_type == 'tag'
 name: Publish JAR file
 runs-on: ubuntu-latest
+ permissions:
+ packages: write
 needs:
 - system-test
 - oauth-test
 - backwards-compatibility
 steps:
 - name: Checkout codebase
- uses: actions/checkout@v4
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
 - name: Set up JDK 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
 with:
 java-version: '17'
 distribution: 'temurin'
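Review bot: The ghcr.io login closing the `-341,22` hunk authenticates as `github.repository_owner`; its `password:` line sits just outside the hunk, and if it is `secrets.GITHUB_TOKEN` the push that follows needs `packages: write`, which the new workflow-level `permissions: read-all` no longer grants and which this commit adds only to the Publish JAR job. This job's header is outside the hunk too, so either add `permissions:` / `contents: read` / `packages: write` there or confirm the login uses a PAT rather than the job token.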
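Review bot: The job-level `permissions:` / `packages: write` added in the `-390,16` hunk replaces the workflow-level set rather than extending it, so this job's token now carries no `contents` scope at all; the `actions/checkout` step a few lines below relies on it and the clone will fail if the repository is private, and is fragile even if it is not. Declare the read scope explicitly alongside the write: `permissions:` / `contents: read` / `packages: write`.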
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
deleted file mode 100644
index 1cf749b33..000000000
--- a/.github/workflows/deploy.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-name: Deployment
-
-on: workflow_dispatch
-
-jobs:
-
- deploy:
- runs-on: ubuntu-latest
-
- environment:
- name: development
- url: https://negotiator-v3.bbmri-eric.eu/
-
- steps:
- - name: executing remote ssh commands using ssh key
- uses: appleboy/ssh-action@master
- env:
- BACKEND_DEPLOY_TAG: ${{ github.ref_name }}
- with:
- host: ${{ secrets.REMOTE_HOST }}
- username: ${{ secrets.REMOTE_USER}}
- key: ${{ secrets.PRIVATE_KEY }}
- port: ${{ secrets.PORT }}
- script_stop: true
- envs: BACKEND_DEPLOY_TAG
- script: |
- export BACKEND_DEPLOY_TAG
- source deploy
diff --git a/Dockerfile b/Dockerfile
index 9e9868f79..a733c6a33 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,7 +9,7 @@ RUN mvn --quiet -B clean package -Dmaven.test.skip=true
 # Runtime image
-FROM eclipse-temurin:17-jre-focal
+FROM eclipse-temurin:17-jre-focal@sha256:9a2120bf709b8ed0eef46e13bbdf6ab63fb18b529710c275b68190457728f246
 RUN mkdir /var/log/negotiator && chown 1001 /var/log/negotiator
 USER 1001
 WORKDIR /app
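Review bot: Pinning the runtime `FROM` by digest in the Dockerfile hunk freezes `17-jre-focal` at one exact image, so JRE and Ubuntu security fixes now arrive only when something bumps the digest; make sure Dependabot or Renovate covers the `docker` ecosystem for this repository, otherwise the tag on that line is decorative and the image silently ages. The builder stage `FROM` is above this hunk and not shown; if it is still tag-only it deserves the same pin, since that stage resolves and compiles the dependencies that end up in the artifact. Consider also that `focal` is Ubuntu 20.04, whose standard support window is ending or over depending on when this lands; `17-jre-jammy` or `17-jre-noble` is the longer-lived base for the same Temurin JRE.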