Skip to content

feature/strimzi-operator-connector #220

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

feature/strimzi-operator-connector #220

wants to merge 5 commits into from

Conversation

@pvannierop
Copy link
Contributor

@pvannierop pvannierop commented Jul 14, 2025

This PR will:

  • Add upload-connector docker image for Strimzi operated KafkaConnect
  • Update release actions. Strimzi docker image will be published on Github, legacy image on Docker Hub

@pvannierop pvannierop requested a review from ewelinagr July 14, 2025 10:27
@pvannierop pvannierop self-assigned this Jul 14, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 14, 2025
View reviewed changes
.github/workflows/release-dockerhub.yml
Comment on lines +10 to +67
runs-on: ubuntu-latest

env:
DOCKER_IMAGE: radarbase/radar-upload-connect-backend

steps:
- uses: actions/checkout@v3

- name: Login to DockerHub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

# Add Docker labels and tags
- name: Docker meta
id: docker_meta
uses: docker/metadata-action@v4
with:
images: ${{ env.DOCKER_IMAGE }}
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
# Setup docker build environment
- name: Set up QEMU
uses: docker/setup-qemu-action@v2

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Build backend docker
uses: docker/build-push-action@v3
with:
context: .
file: ./radar-upload-backend/Dockerfile
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.docker_meta.outputs.tags }}
# Use runtime labels from docker_meta as well as fixed labels
labels: |
${{ steps.docker_meta.outputs.labels }}
maintainer=Joris Borgdorff <[email protected]>, Nivethika Mahasivam <[email protected]>, Pauline Conde <[email protected]>
org.opencontainers.image.description=RADAR-base upload connector backend application
org.opencontainers.image.authors=Joris Borgdorff <[email protected]>, Nivethika Mahasivam <[email protected]>, Pauline Conde <[email protected]>
org.opencontainers.image.vendor=RADAR-base
org.opencontainers.image.licenses=Apache-2.0
# Push the backend image on the dev and master branches
- name: Pull images
run: docker pull ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }}

- name: Inspect docker images
run: |
docker image inspect ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }}
docker run --rm ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }} curl --version
docker-frontend:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 months ago

To address the issue flagged by CodeQL, the best fix is to add a permissions block at the root of the workflow file to define the least required privileges. This block should specify contents: read, as the workflow appears to require only read access to the repository contents (e.g., for checking out code). Additionally, permissions required for specific actions (e.g., packages: write for pushing Docker images) should be included.

Changes must be made in the .github/workflows/release-dockerhub.yml file, adding the permissions key at the top level of the workflow. This ensures that all jobs inherit these limited permissions unless overridden.

Suggested changeset 1
.github/workflows/release-dockerhub.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release-dockerhub.yml b/.github/workflows/release-dockerhub.yml
--- a/.github/workflows/release-dockerhub.yml
+++ b/.github/workflows/release-dockerhub.yml
@@ -4,6 +4,10 @@
   release:
     types: [published]
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
 
   docker-backend:
EOF
@@ -4,6 +4,10 @@
release:
types: [published]

permissions:
contents: read
packages: write

jobs:

docker-backend:
Copilot is powered by AI and may make mistakes. Always verify output.
.github/workflows/release-dockerhub.yml
Comment on lines +68 to +121
runs-on: ubuntu-latest

env:
DOCKER_IMAGE: radarbase/radar-upload-connect-frontend

steps:
- uses: actions/checkout@v3

- name: Login to DockerHub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Docker meta frontend
id: docker_meta
uses: docker/metadata-action@v4
with:
images: ${{ env.DOCKER_IMAGE }}
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
# Setup docker build environment
- name: Set up QEMU
uses: docker/setup-qemu-action@v2

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Build frontend docker
uses: docker/build-push-action@v3
with:
context: ./radar-upload-frontend
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.docker_meta.outputs.tags }}
# Use runtime labels from docker_meta as well as fixed labels
labels: |
${{ steps.docker_meta.outputs.labels }}
maintainer=Peyman Mohtashami <[email protected]>, Pauline Conde <[email protected]>
org.opencontainers.image.description=RADAR-base upload connector frontend application
org.opencontainers.image.authors=Peyman Mohtashami <[email protected]>, Pauline Conde <[email protected]>
org.opencontainers.image.vendor=RADAR-base
org.opencontainers.image.licenses=Apache-2.0
# Push the backend image on the dev and master branches
- name: Pull images
run: docker pull ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }}

- name: Inspect docker images
run: docker image inspect ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }}

docker-connector:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 months ago

The best way to fix the problem is to add a permissions block at the root level of the workflow file to define the minimal privileges required for all jobs in the workflow. If specific jobs require additional permissions, a permissions key can be added to those jobs individually. For this workflow, the minimal permissions required are likely contents: read since the workflow primarily interacts with Docker images and uses external actions for Docker operations.

Suggested changeset 1
.github/workflows/release-dockerhub.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release-dockerhub.yml b/.github/workflows/release-dockerhub.yml
--- a/.github/workflows/release-dockerhub.yml
+++ b/.github/workflows/release-dockerhub.yml
@@ -4,6 +4,9 @@
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
 
   docker-backend:
EOF
@@ -4,6 +4,9 @@
release:
types: [published]

permissions:
contents: read

jobs:

docker-backend:
Copilot is powered by AI and may make mistakes. Always verify output.
.github/workflows/release-dockerhub.yml
Comment on lines +122 to +174
runs-on: ubuntu-latest

env:
DOCKER_IMAGE: radarbase/radar-connect-upload-source

steps:
- uses: actions/checkout@v3

- name: Login to DockerHub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Docker meta
id: docker_meta
uses: docker/metadata-action@v4
with:
images: ${{ env.DOCKER_IMAGE }}
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
# Setup docker build environment
- name: Set up QEMU
uses: docker/setup-qemu-action@v2

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Build upload connector docker
uses: docker/build-push-action@v3
with:
context: .
file: ./kafka-connect-upload-source/docker/legacy/Dockerfile
platforms: linux/amd64
push: true
tags: ${{ steps.docker_meta.outputs.tags }}
# Use runtime labels from docker_meta as well as fixed labels
labels: |
${{ steps.docker_meta.outputs.labels }}
maintainer=Joris Borgdorff <[email protected]>, Nivethika Mahasivam <[email protected]>, Pauline Conde <[email protected]>
org.opencontainers.image.description=RADAR-base kafka connect upload connector
org.opencontainers.image.authors=Joris Borgdorff <[email protected]>, Nivethika Mahasivam <[email protected]>, Pauline Conde <[email protected]>
org.opencontainers.image.vendor=RADAR-base
org.opencontainers.image.licenses=Apache-2.0
# Push the backend image on the dev and master branches
- name: Pull images
run: docker pull ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }}

- name: Inspect docker images
run: docker image inspect ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 months ago

To fix the issue, add an explicit permissions block to the workflow or individual jobs. Since the workflow involves actions like checking out the repository, building Docker images, and publishing them, the permissions should be scoped to the minimal required levels. Specifically:

  • Use contents: read for accessing repository contents.
  • Use packages: write for pushing Docker images (if required).
  • Other scopes can remain unset (defaulting to none).

The permissions block can be added at the root of the workflow (applying to all jobs) or separately for each job. Applying it to the root is cleaner and more maintainable unless specific jobs require different permissions.

Suggested changeset 1
.github/workflows/release-dockerhub.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release-dockerhub.yml b/.github/workflows/release-dockerhub.yml
--- a/.github/workflows/release-dockerhub.yml
+++ b/.github/workflows/release-dockerhub.yml
@@ -4,6 +4,10 @@
   release:
     types: [published]
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
 
   docker-backend:
EOF
@@ -4,6 +4,10 @@
release:
types: [published]

permissions:
contents: read
packages: write

jobs:

docker-backend:
Copilot is powered by AI and may make mistakes. Always verify output.
ewelinagr
ewelinagr reviewed Jul 15, 2025
View reviewed changes
kafka-connect-upload-source/docker/legacy/Dockerfile
GRADLE_OPTS="-Djdk.lang.Process.launchMechanism=vfork -Dorg.gradle.vfs.watch=false"

COPY ./build.gradle.kts ./settings.gradle.kts ./gradle.properties /code/
COPY ../../build.gradle.kts ./settings.gradle.kts ./gradle.properties /code/
Copy link

@ewelinagr ewelinagr Jul 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the context location is still repository root, so it should stay as it was (COPY ./build.gradle.kts), right?

ewelinagr
ewelinagr reviewed Jul 15, 2025
View reviewed changes
Dockerfile
ENV GRADLE_USER_HOME=/code/.gradlecache \
GRADLE_OPTS="-Djdk.lang.Process.launchMechanism=vfork -Dorg.gradle.vfs.watch=false"

COPY ../../build.gradle.kts ./settings.gradle.kts ./gradle.properties /code/
Copy link

@ewelinagr ewelinagr Jul 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
COPY ../../build.gradle.kts ./settings.gradle.kts ./gradle.properties /code/
COPY ./build.gradle.kts ./settings.gradle.kts ./gradle.properties /code/

ewelinagr
ewelinagr reviewed Jul 15, 2025
View reviewed changes
Dockerfile
ENV GRADLE_USER_HOME=/code/.gradlecache \
GRADLE_OPTS="-Djdk.lang.Process.launchMechanism=vfork -Dorg.gradle.vfs.watch=false"

COPY ../../build.gradle.kts ./settings.gradle.kts ./gradle.properties /code/
Copy link

@ewelinagr ewelinagr Jul 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
COPY ../../build.gradle.kts ./settings.gradle.kts ./gradle.properties /code/
COPY ./build.gradle.kts ./settings.gradle.kts ./gradle.properties /code/

ewelinagr
ewelinagr reviewed Jul 15, 2025
View reviewed changes
Dockerfile
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
ARG BASE_IMAGE=radarbase/kafka-connect-transform-keyvalue:8.0.0
Copy link

@ewelinagr ewelinagr Jul 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought kafka-connect-transform-keyvalue image base would be used for sink connectors only?
The transformations are only for data from kafka, this adds extra kafka-connect-transform-keyvalue.jar that won't be used by source connectors

@ewelinagr ewelinagr mentioned this pull request Jul 15, 2025
Open
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ewelinagr ewelinagr ewelinagr left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@pvannierop pvannierop

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pvannierop @ewelinagr