Merge pull request #792 from FgForrest/master-build-workflow

novoj · web-flow · commit 0a19ff995553 · 2025-02-04T16:57:32.000+01:00
build: syncing workflows with dev branch
diff --git a/.github/workflows/benchmark-clean.yml b/.github/workflows/benchmark-clean.yml
@@ -4,18 +4,21 @@ on:
   workflow_dispatch: # allows manual triggering
   schedule:
     - cron: '0 0 * * *'
-    
+
+permissions:
+  contents: read
+
 jobs:
   do-benchmark-clean:
     runs-on: ubuntu-latest
 
-    steps: 
-      - uses: actions/checkout@v3    # checkout sources
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2    # checkout sources
 
       - name: Install doctl
-        uses: digitalocean/action-doctl@v2
+        uses: digitalocean/action-doctl@135ac0aa0eed4437d547c6f12c364d3006b42824 # v2.5.1
         with:
-          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}  
+          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
 
       - name: Run clean-benchmark
         env:
diff --git a/.github/workflows/benchmark-hook.yml b/.github/workflows/benchmark-hook.yml
@@ -7,6 +7,11 @@ on:
     types:
       - clean-webhook
 
+permissions:
+  contents: read   # Required for actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 to clone the repository
+  id-token: write  # Required for authentication in certain actions (e.g., digitalocean/action-doctl@v2)
+  secrets: read    # Required to access the DIGITALOCEAN_ACCESS_TOKEN secret
+
 env:
   KUBECONFIG: ${{ github.workspace }}/evita_performance_tests/src/do_k8s_automation/deploy/kube.cfg
 
@@ -20,15 +25,15 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Install doctl
-      uses: digitalocean/action-doctl@v2
+      uses: digitalocean/action-doctl@135ac0aa0eed4437d547c6f12c364d3006b42824 # v2.5.1
       with:
         token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
 
     - name: Install kubectl
-      uses: azure/setup-kubectl@v3
+      uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0
       with:
         version: ${{ env.KUBECTL_VER }}
 
@@ -44,7 +49,7 @@ jobs:
         kubectl -n evita logs job/${K8S_JOB_NAME} -c benchmark > /tmp/logs/${K8S_JOB_NAME}-log.txt || :
 
     - name: Archive logs from run
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       with:
         name: logs
         path: /tmp/logs
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
@@ -7,6 +7,11 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read       # Required for actions/checkout to access the repository code
+  id-token: write      # May be required for accessing resources with OIDC authentication
+  secrets: read        # Required to access the secrets (e.g., DIGITALOCEAN_ACCESS_TOKEN, GRAFANA_* secrets, PERFORMANCE_GIST_TOKEN)
+
 env:
   KUBECONFIG: ${{ github.workspace }}/evita_performance_tests/src/do_k8s_automation/deploy/kube.cfg
 
@@ -39,15 +44,15 @@ jobs:
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
 
     steps:
-      - uses: actions/checkout@v3    # checkout sources
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2    # checkout sources
 
       - name: Install doctl
-        uses: digitalocean/action-doctl@v2
+        uses: digitalocean/action-doctl@135ac0aa0eed4437d547c6f12c364d3006b42824 # v2.5.1
         with:
           token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
 
       - name: Install kubectl
-        uses: azure/setup-kubectl@v3
+        uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0
         with:
           version: ${{ env.KUBECTL_VER }}
 
diff --git a/.github/workflows/ci-dev-documentation.yml b/.github/workflows/ci-dev-documentation.yml
@@ -33,17 +33,17 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3    # checkout sources
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2    # checkout sources
 
     - name: Setup Java JDK
-      uses: actions/setup-java@v3  # setup JDK 17 for building
+      uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0  # setup JDK 17 for building
       with:
          distribution: 'temurin'
          java-version: '17'
          cache: 'maven'
 
     - name: Setup dotnet
-      uses: actions/setup-dotnet@v3
+      uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
       with:
         dotnet-version: '8.0.X'    # setup dotnet 8.0.X for building
 
@@ -52,7 +52,7 @@ jobs:
         mvn -T 1C -B package -P documentation -V --fail-at-end -Dmaven.test.skip=false --file pom.xml
 
     - name: Publish Test Report
-      uses: mikepenz/action-junit-report@v3
+      uses: mikepenz/action-junit-report@ee6b445351cd81e2f73a16a0e52d598aeac2197f # v5.3.0
       if: success() || failure() # always run even if the previous step fails
       with:
         report_paths: '**/TEST-*.xml'
diff --git a/.github/workflows/ci-dev.yml b/.github/workflows/ci-dev.yml
@@ -37,10 +37,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3    # checkout sources
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2    # checkout sources
 
     - name: Setup Java JDK
-      uses: actions/setup-java@v3  # setup JDK 17 for building
+      uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0  # setup JDK 17 for building
       with:
          distribution: 'temurin'
          java-version: '17'
@@ -57,25 +57,25 @@ jobs:
         jacoco/jacoco-summary.sh jacoco/target/site/jacoco-aggregate/jacoco.csv
 
     - name: Upload test results    # upload XML with unit test results to artifact `test-results` for `test-report.yml`
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       if: success() || failure()
       with:
         name: test-results
         path: 'evita*/**/target/surefire-reports/TEST-*.xml'
 
     - name: Upload evitaDB server artifact   # upload `evita-server.jar` for `docker-canary.yml` to deploy to DockerHub
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       if: success()
       with:
         name: evita-server.jar
         path: 'evita_server/target/evita-server.jar'
 
     - name: Upload coverage to Codecov    # upload code coverage from Jacoco to codecov
-      uses: codecov/codecov-action@v3
+      uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
 
     # Optional: Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive
     - name: Update dependency graph
-      uses: advanced-security/maven-dependency-submission-action@v3
+      uses: advanced-security/maven-dependency-submission-action@4f64ddab9d742a4806eeb588d238e4c311a8397d # v4.1.1
 
     - name: Deploy with Maven       # deploy SNAPSHOTS to Maven repository
       run: |
diff --git a/.github/workflows/ci-master.yml b/.github/workflows/ci-master.yml
@@ -36,35 +36,35 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3    # checkout sources
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2    # checkout sources
       with:
         ref: ${{ github.head_ref }}
         fetch-depth: 0
 
     - name: Resolve new release version
       id: release_version
-      uses: lukashornych/semantic-calendar-version@v1.1.3
+      uses: lukashornych/semantic-calendar-version@0f83ab20d3764a08d5746e6501f96c76f0a2d513 #v1.1.3
       with:
         prefix: 'v'
         year_switch_mode: 'OnMinor'
         minor-identifier: '/feat(?:\\([^)]+\\))?:/'
 
     - name: Setup Java JDK
-      uses: actions/setup-java@v3  # setup JDK 17 for building
+      uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0 setup JDK 17 for building
       with:
-         distribution: 'temurin'
-         java-version: '17'
-         cache: 'maven'
-         server-id: ossrh
-         server-username: MAVEN_USERNAME
-         server-password: MAVEN_CENTRAL_TOKEN
-         gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
-         gpg-passphrase: MAVEN_GPG_PASSPHRASE
+        distribution: 'temurin'
+        java-version: '17'
+        cache: 'maven'
+        server-id: ossrh
+        server-username: MAVEN_USERNAME
+        server-password: MAVEN_CENTRAL_TOKEN
+        gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
+        gpg-passphrase: MAVEN_GPG_PASSPHRASE
 
     - name: Build with Maven       # run Maven without tests (tests must pass in dev branch)
       run: |      
-        export CURRENT_VERSION="${{ steps.release_version.outputs.version }}"
-        export NEW_VERSION="$( echo ${CURRENT_VERSION} | sed 's/^v//; s/-.*//')"
+        export SANITIZED_VERSION=$(echo "$EVITA_BUILD_VERSION" | tr -d '\r\n')
+        export NEW_VERSION="$( echo "${SANITIZED_VERSION}" | sed 's/^v//; s/-.*//')"
         echo $NEW_VERSION > version.txt
         echo "Version: $(cat version.txt)"
         mvn versions:set -DnewVersion=$NEW_VERSION
@@ -84,28 +84,28 @@ jobs:
         cp 'evita_server/dist/logback.xml' './dist'
 
     - name: Create .zip of dist
-      uses: thedoctor0/zip-release@0.7.1
+      uses: thedoctor0/zip-release@b57d897cb5d60cb78b51a507f63fa184cfe35554 # v0.7.6
       with:
         type: 'zip'
         filename: 'dist.zip'
         path: './dist'
 
     - name: Create .tar.gz of dist
-      uses: thedoctor0/zip-release@0.7.1
+      uses: thedoctor0/zip-release@b57d897cb5d60cb78b51a507f63fa184cfe35554 # v0.7.6
       with:
         type: 'tar'
         filename: 'dist.tar.gz'
         path: './dist'
 
     - name: Create release
       id: create_release
-      uses: release-drafter/release-drafter@v5
+      uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
       with:
         version: ${{ steps.release_version.outputs.version }}
         publish: true
 
     - name: Upload dist.zip to release
-      uses: actions/upload-release-asset@v1
+      uses: actions/upload-release-asset@64e5e85fc528f162d7ba7ce2d15a3bb67efb3d80 # v1.0.1
       if: success()
       with:
         upload_url: ${{ steps.create_release.outputs.upload_url }}
@@ -114,7 +114,7 @@ jobs:
         asset_content_type: application/zip
 
     - name: Upload dist.tar.gz to release
-      uses: actions/upload-release-asset@v1
+      uses: actions/upload-release-asset@64e5e85fc528f162d7ba7ce2d15a3bb67efb3d80 # v1.0.1
       if: success()
       with:
         upload_url: ${{ steps.create_release.outputs.upload_url }}
@@ -123,14 +123,14 @@ jobs:
         asset_content_type: application/gzip
 
     - name: Upload evitaDB server artifact   # upload `evita-server.jar` for `docker-latest.yml` to deploy to DockerHub
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       if: success()
       with:
         name: evita-server.jar
         path: 'evita_server/target/evita-server.jar'
 
     - name: Upload evitaDB version.txt      # upload `version.txt` for `docker-latest.yml` to deploy to DockerHub
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       if: success()
       with:
         name: version.txt
diff --git a/.github/workflows/ci-performance.yml b/.github/workflows/ci-performance.yml
@@ -6,6 +6,11 @@ on:
   push:
     branches: [ "performance" ]    # trap each push to performance branch
 
+permissions:
+  contents: read                   # To checkout the repository code using actions/checkout.
+  packages: write                  # To publish the Docker image to the GitHub Packages registry.
+  secrets: read                    # To access the secrets.
+
 concurrency:
   group: ${{ github.head_ref || github.ref_name }}  # for the same branch (dev or PR)
   cancel-in-progress: true        # run only one workflow at a time (cancel the previous)
@@ -15,10 +20,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3    # checkout sources
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2    # checkout sources
 
     - name: Setup Java JDK
-      uses: actions/setup-java@v3  # setup JDK 17 for building
+      uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0  # setup JDK 17 for building
       with:
          distribution: 'temurin'
          java-version: '17'
diff --git a/.github/workflows/docker-canary.yml b/.github/workflows/docker-canary.yml
@@ -8,18 +8,23 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read          # Required for actions/checkout to read the repository
+  actions: read           # Required to download artifacts from the triggering workflow
+  packages: write         # Required for pushing Docker images to DockerHub
+
 jobs:
   on-success:
     runs-on: ubuntu-latest
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4        # checkout from Git
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2        # checkout from Git
         with:
           ref: dev  # Always checks out the dev branch
 
       - name: Download a single artifact # download `evita-server.jar` artifact if the workflow we react to was successful
-        uses: dawidd6/action-download-artifact@v6
+        uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
         with:
           workflow: ${{ github.event.workflow_run.workflow_id }}
           workflow_conclusion: success
@@ -29,16 +34,16 @@ jobs:
       - name: Set up QEMU
         # Add support for more platforms with QEMU (optional)
         # https://github.com/docker/setup-qemu-action
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
         with:
           buildkitd-flags: --debug
           platforms: linux/amd64,linux/arm64/v8
 
       - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ vars.CI_REGISTRY_USER }}
           password: ${{ secrets.CI_REGISTRY_PASSWORD }}
@@ -47,7 +52,7 @@ jobs:
         env:
           RELEASE_IMAGE: "evitadb:canary"
           EVITA_JAR_NAME: evita-server.jar
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
         with:
           context: ./docker
           file: ./docker/Dockerfile
diff --git a/.github/workflows/docker-latest.yml b/.github/workflows/docker-latest.yml
diff --git a/.github/workflows/documentation-tests.yml b/.github/workflows/documentation-tests.yml
diff --git a/.github/workflows/long-running-tests.yml b/.github/workflows/long-running-tests.yml
diff --git a/.github/workflows/test-report.yml b/.github/workflows/test-report.yml
