From efdb9408f128e794bc6cc22398c422aeb8269bb1 Mon Sep 17 00:00:00 2001 From: RadovanTomik Date: Sun, 13 Oct 2024 16:34:30 +0200 Subject: [PATCH 1/5] ci: set workflow level permissions --- .github/workflows/CI.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index 637e12018..baaaae61f 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -11,6 +11,7 @@ on: tags: - 'v*.*.*' pull_request: +permissions: read-all jobs: compile: From d003a4c88e264924f13894904f0bdc4c9cae8939 Mon Sep 17 00:00:00 2001 From: RadovanTomik Date: Sun, 13 Oct 2024 16:41:33 +0200 Subject: [PATCH 2/5] ci: set workflow level permissions --- .github/workflows/CI.yml | 2 ++ .github/workflows/deploy.yml | 28 ---------------------------- 2 files changed, 2 insertions(+), 28 deletions(-) delete mode 100644 .github/workflows/deploy.yml diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index baaaae61f..b95e9142d 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -391,6 +391,8 @@ jobs: if: github.event_name == 'push' && github.ref_type == 'tag' name: Publish JAR file runs-on: ubuntu-latest + permissions: + packages: write needs: - system-test - oauth-test diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml deleted file mode 100644 index 1cf749b33..000000000 --- a/.github/workflows/deploy.yml +++ /dev/null 
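Review bot: The new workflow-level `permissions: read-all` grants read on every token scope, which is more than the compile, lint and test jobs in this workflow use; the least-privilege baseline is `permissions:` with a single `contents: read` entry, with the jobs that push or publish elevating individually. Because a job-level `permissions` block replaces the workflow default rather than extending it, any job that later declares its own block must restate `contents: read` if it checks out the repository. Jobs outside this hunk that relied on the old default write token (package pushes, SARIF upload to code scanning) will fail until they declare the scope they need, so each of those jobs should be checked after this change.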
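Review bot: The `packages: write` block added to the Publish JAR job leaves that job with no `contents` scope at all, because a job-level `permissions` map replaces the workflow-level `read-all` instead of adding to it, and the job checks out the repository before publishing (the checkout step sits outside this hunk). Add `contents: read` beside `packages: write`; it is harmless on a public repository and required on a private one. The Docker push job earlier in the file, which logs into ghcr.io with `username: ${{ github.repository_owner }}`, receives no `permissions` block in this commit — its password line is not in the diff, but if it is `secrets.GITHUB_TOKEN` that push now needs `packages: write` as well, which should be confirmed before merging.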
@@ -1,28 +0,0 @@ -name: Deployment - -on: workflow_dispatch - -jobs: - - deploy: - runs-on: ubuntu-latest - - environment: - name: development - url: https://negotiator-v3.bbmri-eric.eu/ - - steps: - - name: executing remote ssh commands using ssh key - uses: appleboy/ssh-action@master - env: - BACKEND_DEPLOY_TAG: ${{ github.ref_name }} - with: - host: ${{ secrets.REMOTE_HOST }} - username: ${{ secrets.REMOTE_USER}} - key: ${{ secrets.PRIVATE_KEY }} - port: ${{ secrets.PORT }} - script_stop: true - envs: BACKEND_DEPLOY_TAG - script: | - export BACKEND_DEPLOY_TAG - source deploy From 52055edadf11e77adae565f8cb64292abd07335c Mon Sep 17 00:00:00 2001 From: RadovanTomik Date: Sun, 13 Oct 2024 16:52:29 +0200 Subject: [PATCH 3/5] chore: hash dependencies --- .github/workflows/CI.yml | 22 +++++++++++----------- Dockerfile | 4 ++-- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index b95e9142d..68b48e5cf 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -21,7 +21,7 @@ jobs: steps: - name: Checkout codebase - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Set up JDK 17 uses: actions/setup-java@v4 @@ -45,7 +45,7 @@ jobs: distribution: 'temurin' - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Lint Code Base run: mvn clean com.spotify.fmt:fmt-maven-plugin:check @@ -59,7 +59,7 @@ jobs: steps: - name: Checkout codebase - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Set up JDK 17 uses: actions/setup-java@v4 @@ -88,7 +88,7 @@ jobs: steps: - name: Checkout codebase - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Set up JDK 17 uses: actions/setup-java@v4 
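Review bot: The `# v4` comment next to the pinned `actions/checkout` SHA records only the major line, so neither a reviewer nor Dependabot/Renovate can verify that `eef6144…` is the release it claims to be or propose a bump when a newer patch release appears. Record the full `vMAJOR.MINOR.PATCH` tag the hash actually resolves to, and do the same for every pin in this commit; resolving it with `git ls-remote --tags https://github.com/actions/checkout` before writing the comment keeps hash and label in sync. Without the exact tag the pin is reproducible but not auditable, which defeats half the purpose of hashing.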
@@ -120,7 +120,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Set up JDK 17 uses: actions/setup-java@v4 @@ -154,7 +154,7 @@ jobs: steps: - name: Checkout codebase - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Set up QEMU uses: docker/setup-qemu-action@v3 @@ -192,7 +192,7 @@ jobs: run: docker load --input /tmp/negotiator.tar - name: Check out Git repository - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Run Trivy Vulnerability Scanner uses: aquasecurity/trivy-action@master @@ -223,7 +223,7 @@ jobs: path: /tmp - name: Checkout codebase - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Load image run: docker load --input /tmp/negotiator.tar @@ -324,7 +324,7 @@ jobs: run: docker logs negotiator - name: Checkout codebase - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Check health run: .github/scripts/check_health.sh negotiator @@ -342,7 +342,7 @@ jobs: steps: - name: Checkout codebase - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Set up QEMU uses: docker/setup-qemu-action@v3 @@ -399,7 +399,7 @@ jobs: - backwards-compatibility steps: - name: Checkout codebase - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Set up JDK 17 uses: actions/setup-java@v4 diff --git a/Dockerfile b/Dockerfile index 9e9868f79..6931860e8 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,5 +1,5 @@ # Build jar file with dependencies -FROM maven:3.9.1-eclipse-temurin-17-focal as BUILD_IMAGE +FROM maven:3.9.1-eclipse-temurin-17-focal@sha256:9a2120bf709b8ed0eef46e13bbdf6ab63fb18b529710c275b68190457728f246 as BUILD_IMAGE ARG ARTIFACT_VERSION=unknown COPY src /app/src COPY pom.xml /app @@ -9,7 +9,7 @@ RUN mvn --quiet -B clean package -Dmaven.test.skip=true # Runtime image -FROM eclipse-temurin:17-jre-focal +FROM eclipse-temurin:17-jre-focal@sha256:9a2120bf709b8ed0eef46e13bbdf6ab63fb18b529710c275b68190457728f246 RUN mkdir /var/log/negotiator && chown 1001 /var/log/negotiator USER 1001 WORKDIR /app From 607f2dbb8982647a8abbbf3db66a9acde8735fc7 Mon Sep 17 00:00:00 2001 From: RadovanTomik Date: Sun, 13 Oct 2024 17:09:51 +0200 Subject: [PATCH 4/5] chore: hash dependencies --- .github/workflows/CI.yml | 48 ++++++++++++++++++++-------------------- Dockerfile | 4 ++-- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index 68b48e5cf..9bd5e5725 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -24,7 +24,7 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4 with: java-version: '17' distribution: 'temurin' @@ -39,7 +39,7 @@ jobs: steps: - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4 with: java-version: '17' distribution: 'temurin' @@ -62,7 +62,7 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4 with: java-version: '17' distribution: 'temurin' 
@@ -72,7 +72,7 @@ jobs: run: mvn --quiet clean test -B --file pom.xml - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4 with: token: ${{ secrets.CODECOV_TOKEN }} fail_ci_if_error: true @@ -91,7 +91,7 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4 with: java-version: '17' distribution: 'temurin' @@ -101,7 +101,7 @@ jobs: run: mvn --quiet clean verify -B -Dspring.profiles.active=test - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4 with: token: ${{ secrets.CODECOV_TOKEN }} fail_ci_if_error: true @@ -123,7 +123,7 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4 with: java-version: '17' distribution: 'temurin' @@ -157,20 +157,20 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3 - name: Build and push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6 with: context: . tags: bbmrieric/negotiator:latest outputs: type=docker,dest=/tmp/negotiator.tar - name: Upload image - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 with: name: negotiator path: /tmp/negotiator.tar 
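Review bot: The `docker/build-push-action` line in the build job moves from `@v5` to a SHA annotated `# v6`, so a major-version upgrade rides inside a commit titled `chore: hash dependencies`; v6 is a different release line and its behavioural changes deserve their own review and their own revert point. Either pin the v5 hash the workflow was already running, or split the v6 bump into a separate commit that states what changed. The same v5→v6 switch appears again in the push job later in this patch and should be handled the same way.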
@@ -183,7 +183,7 @@ jobs: steps: - name: Download artifact - uses: actions/download-artifact@v4.1.7 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 with: name: negotiator path: /tmp @@ -195,7 +195,7 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Run Trivy Vulnerability Scanner - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 with: image-ref: bbmrieric/negotiator:latest format: sarif @@ -217,7 +217,7 @@ jobs: steps: - name: Download artifact - uses: actions/download-artifact@v4.1.7 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 with: name: negotiator path: /tmp @@ -257,7 +257,7 @@ jobs: steps: - name: Download artifact - uses: actions/download-artifact@v4.1.7 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 with: name: negotiator path: /tmp @@ -266,7 +266,7 @@ jobs: run: docker load --input /tmp/negotiator.tar - name: Checkout codebase - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Setup environment with auth server run: cd .github/oauth-test/ && docker compose up -d @@ -291,7 +291,7 @@ jobs: steps: - name: Download artifact - uses: actions/download-artifact@v4.1.7 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 with: name: negotiator path: /tmp 
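Review bot: The `aquasecurity/trivy-action` pin (`5681af8…`) is the only one in this commit carrying no version comment, and it replaces a floating `@master`, so nothing in the file says which trivy-action release that hash is meant to be. Add the tag comment as on the surrounding lines, `uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # <tag the hash resolves to>`. Note also that `actions/download-artifact` goes from the precise `@v4.1.7` to a hash commented `# v4`, losing the exact release the file previously recorded — carry the full tag over into the comment.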
@@ -345,19 +345,19 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3 - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 with: username: ${{ secrets.DOCKERHUB_USER }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -365,7 +365,7 @@ jobs: - name: Docker meta id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5 with: images: | bbmrieric/negotiator @@ -378,7 +378,7 @@ jobs: type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }} - name: Build and push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6 with: context: . platforms: linux/amd64 @@ -402,7 +402,7 @@ jobs: uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4 with: java-version: '17' distribution: 'temurin' diff --git a/Dockerfile b/Dockerfile index 6931860e8..b3c71e039 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,5 +1,5 @@ # Build jar file with dependencies -FROM maven:3.9.1-eclipse-temurin-17-focal@sha256:9a2120bf709b8ed0eef46e13bbdf6ab63fb18b529710c275b68190457728f246 as BUILD_IMAGE +FROM maven:3.9.1-eclipse-temurin-17-focal@9a2120bf709b8ed0eef46e13bbdf6ab63fb18b529710c275b68190457728f246 as BUILD_IMAGE ARG ARTIFACT_VERSION=unknown COPY src /app/src COPY pom.xml /app @@ -9,7 +9,7 @@ RUN mvn --quiet -B clean package -Dmaven.test.skip=true # Runtime image -FROM eclipse-temurin:17-jre-focal@sha256:9a2120bf709b8ed0eef46e13bbdf6ab63fb18b529710c275b68190457728f246 +FROM eclipse-temurin:17-jre-focal@9a2120bf709b8ed0eef46e13bbdf6ab63fb18b529710c275b68190457728f246 RUN mkdir /var/log/negotiator && chown 1001 /var/log/negotiator USER 1001 WORKDIR /app From 46e62e29a557651d56c1c989273b3a6abbdedd69 Mon Sep 17 00:00:00 2001 From: RadovanTomik Date: Sun, 13 Oct 2024 17:19:46 +0200 Subject: [PATCH 5/5] chore: hash dependencies --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index b3c71e039..a733c6a33 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # Build jar file with dependencies -FROM maven:3.9.1-eclipse-temurin-17-focal@9a2120bf709b8ed0eef46e13bbdf6ab63fb18b529710c275b68190457728f246 as BUILD_IMAGE +FROM maven:3.9.1-eclipse-temurin-17-focal as BUILD_IMAGE ARG ARTIFACT_VERSION=unknown COPY src /app/src COPY pom.xml /app @@ -9,7 +9,7 @@ RUN mvn --quiet -B clean package -Dmaven.test.skip=true # Runtime image -FROM eclipse-temurin:17-jre-focal@9a2120bf709b8ed0eef46e13bbdf6ab63fb18b529710c275b68190457728f246 +FROM eclipse-temurin:17-jre-focal@sha256:9a2120bf709b8ed0eef46e13bbdf6ab63fb18b529710c275b68190457728f246 RUN mkdir /var/log/negotiator && chown 1001 /var/log/negotiator USER 1001 WORKDIR /app
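Review bot: After the final hunk the build stage `FROM maven:3.9.1-eclipse-temurin-17-focal as BUILD_IMAGE` is left with no digest at all, so the compiler, Maven and their base layers are still resolved by mutable tag while only the runtime image is pinned; pin the build image to its own manifest digest, obtained with `docker buildx imagetools inspect maven:3.9.1-eclipse-temurin-17-focal`. The value kept on the runtime line, `sha256:9a2120bf…`, was applied to both images in the earlier Dockerfile hunks of this series, so at least one of those assignments was wrong — re-derive the `eclipse-temurin:17-jre-focal` digest the same way and confirm it matches before merging. A digest pin also freezes base-image security fixes, so it needs a Renovate/Dependabot rule or a documented manual refresh to stay safe.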