diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index d44e878..0000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-# SPDX-FileCopyrightText: 2022 Alliander N.V.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-version: 2
-
-registries:
- maven-github:
- type: maven-repository
- url: https://maven.pkg.github.com/com-pas/*
- username: OWNER
- password: ${{ secrets.DB_GITHUB_PACKAGES }}
-
-updates:
- # Maintain dependencies for GitHub Actions
- - package-ecosystem: "github-actions"
- directory: "/"
- schedule:
- interval: "daily"
- open-pull-requests-limit: 5
-
- # Maintain dependencies for Maven
- - package-ecosystem: "maven"
- directory: "/"
- registries:
- - maven-github
- schedule:
- interval: "daily"
- open-pull-requests-limit: 5
- ignore:
- # Next dependencies shouldn't be upgrade, because RestEasy isn't using newer version. (2.3.X)
- - dependency-name: com.sun.xml.bind:jaxb-impl
- versions: [ "[3.0,)" ]
diff --git a/.github/release.yml b/.github/release.yml
deleted file mode 100644
index 334fc8d..0000000
--- a/.github/release.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-# SPDX-FileCopyrightText: 2022 Alliander N.V.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-changelog:
- exclude:
- labels:
- - wontfix
- - duplicate
- - invalid
- categories:
- - title: New Features
- labels:
- - enhancement
- - title: Bugfixes
- labels:
- - bug
- - title: Tooling changes
- labels:
- - tooling
- - title: Dependency updates
- labels:
- - dependencies
- - title: Other Changes
- labels:
- - "*"
diff --git a/.github/workflows/build-project.yml b/.github/workflows/build-project.yml
deleted file mode 100644
index af51bfd..0000000
--- a/.github/workflows/build-project.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-# SPDX-FileCopyrightText: 2022 Alliander N.V.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-name: Build Project
-
-on:
- push:
- branches:
- - '**'
- pull_request:
- branches:
- - 'main'
- - 'develop'
-
-jobs:
- build:
- name: Build
- runs-on: ubuntu-latest
- timeout-minutes: 15
-
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - name: Set up JDK 17
- uses: actions/setup-java@v4
- with:
- distribution: 'zulu'
- java-version: '17'
-
- - name: Create custom Maven Settings.xml
- uses: whelk-io/maven-settings-xml-action@v22
- with:
- output_file: custom_maven_settings.xml
- servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
- - name: Build with Maven
- run: ./mvnw -s custom_maven_settings.xml -B clean verify
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
deleted file mode 100644
index 6de4934..0000000
--- a/.github/workflows/release-please.yml
+++ /dev/null
@@ -1,59 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Alliander N.V.
-#
-# SPDX-License-Identifier: Apache-2.0
-on:
- push:
- branches:
- - main
-
-permissions:
- contents: write
- pull-requests: write
-
-name: release-please
-
-jobs:
- release_please:
- runs-on: ubuntu-latest
- steps:
- - uses: google-github-actions/release-please-action@v4
- id: release
- with:
- release-type: maven
- package-name: compas-core
- target-branch: main
-
- - if: ${{ steps.release.outputs.release_created }}
- name: Checkout
- uses: actions/checkout@v4
-
- - name: Extract tag name
- if: ${{ steps.release.outputs.release_created }}
- id: extract_tagname
- shell: bash
- # Extract the tag name from the git reference, value of GITHUB_REF will be something like refs/tags/.
- run: echo "##[set-output name=tagname;]$(echo ${GITHUB_REF##*/})"
-
- - name: Set up JDK 17
- uses: actions/setup-java@v4
- if: ${{ steps.release.outputs.release_created }}
- with:
- distribution: 'zulu'
- java-version: '17'
-
- - name: Create custom Maven Settings.xml
- uses: whelk-io/maven-settings-xml-action@v22
- if: ${{ steps.release.outputs.release_created }}
- with:
- output_file: custom_maven_settings.xml
- servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
- - name: Set version with Maven
- if: ${{ steps.release.outputs.release_created }}
- run: ./mvnw -B versions:set -DprocessAllModules=true -DnewVersion=${{ steps.extract_tagname.outputs.tagname }}
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Deploy with Maven to GitHub Packages
- if: ${{ steps.release.outputs.release_created }}
- run: ./mvnw -B -s custom_maven_settings.xml -Prelease clean deploy
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release-project.yml b/.github/workflows/release-project.yml
deleted file mode 100644
index de54c90..0000000
--- a/.github/workflows/release-project.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-# SPDX-FileCopyrightText: 2022 Alliander N.V.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-name: Release Project
-
-on:
- release:
- types: [ released ]
-
-jobs:
- publish:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: write
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - name: Extract tag name
- id: extract_tagname
- shell: bash
- # Extract the tag name from the git reference, value of GITHUB_REF will be something like refs/tags/.
- run: echo "##[set-output name=tagname;]$(echo ${GITHUB_REF##*/})"
-
- - name: Set up JDK 17
- uses: actions/setup-java@v4
- with:
- distribution: 'zulu'
- java-version: '17'
-
- - name: Create custom Maven Settings.xml
- uses: whelk-io/maven-settings-xml-action@v22
- with:
- output_file: custom_maven_settings.xml
- servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
- - name: Set version with Maven
- run: ./mvnw -B versions:set -DprocessAllModules=true -DnewVersion=${{ steps.extract_tagname.outputs.tagname }}
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Deploy with Maven to GitHub Packages
- run: ./mvnw -B -s custom_maven_settings.xml -Prelease clean deploy
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml
deleted file mode 100644
index 58204bb..0000000
--- a/.github/workflows/reuse.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-# SPDX-FileCopyrightText: 2022 Alliander N.V.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-name: REUSE Compliance Check
-
-on: push
-
-jobs:
- test:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- - name: REUSE Compliance Check
- uses: fsfe/reuse-action@v3
diff --git a/.github/workflows/sonarcloud-analysis.yml b/.github/workflows/sonarcloud-analysis.yml
deleted file mode 100644
index 1368598..0000000
--- a/.github/workflows/sonarcloud-analysis.yml
+++ /dev/null
@@ -1,109 +0,0 @@ -# SPDX-FileCopyrightText: 2022 Alliander N.V. -# -# SPDX-License-Identifier: Apache-2.0 - -name: SonarCloud Analysis - -on: - workflow_run: - workflows: [SonarCloud Build] - types: [completed] - -jobs: - sonar-check: - runs-on: ubuntu-latest - if: github.event.workflow_run.conclusion == 'success' - timeout-minutes: 15 - steps: - - name: echo event - run: cat $GITHUB_EVENT_PATH - - name: Download PR number artifact - if: github.event.workflow_run.event == 'pull_request' - uses: dawidd6/action-download-artifact@v3 - with: - workflow: SonarCloud Build - run_id: ${{ github.event.workflow_run.id }} - name: PR_NUMBER - - name: Read PR_NUMBER.txt - if: github.event.workflow_run.event == 'pull_request' - id: pr_number - uses: juliangruber/read-file-action@v1 - with: - path: ./PR_NUMBER.txt - - name: Request GitHub API for PR data - if: github.event.workflow_run.event == 'pull_request' - uses: octokit/request-action@v2.x - id: get_pr_data - with: - route: GET /repos/{full_name}/pulls/{number} - number: ${{ steps.pr_number.outputs.content }} - full_name: ${{ github.event.repository.full_name }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/checkout@v4 - with: - repository: ${{ github.event.workflow_run.head_repository.full_name }} - ref: ${{ github.event.workflow_run.head_branch }} - fetch-depth: 0 - - name: Checkout base branch - if: github.event.workflow_run.event == 'pull_request' - run: | - git remote add upstream ${{ github.event.repository.clone_url }} - git fetch upstream - git checkout -B ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} upstream/${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} - git checkout ${{ github.event.workflow_run.head_branch }} - git clean -ffdx && git reset --hard HEAD - - name: Cache SonarCloud packages - uses: actions/cache@v4 - with: - path: ~/.sonar/cache - key: ${{ runner.os }}-sonar - restore-keys: ${{ runner.os }}-sonar - - name: Cache Maven packages - uses: actions/cache@v4 - 
with: - path: ~/.m2 - key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} - restore-keys: ${{ runner.os }}-m2 - - - name: Set up JDK 17 - uses: actions/setup-java@v4 - with: - distribution: 'zulu' - java-version: '17' - - - name: Set Common Sonar Variables - id: sonar_env - run: | - echo "##[set-output name=sonar_opts;]$(echo -Dsonar.host.url=https://sonarcloud.io \ - -Dsonar.projectKey=com-pas_compas-core \ - -Dsonar.organization=com-pas )" - - name: Create custom Maven Settings.xml - uses: whelk-io/maven-settings-xml-action@v22 - with: - output_file: custom_maven_settings.xml - servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]' - - name: Build and analyze (Pull Request) - if: ${{ github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target') }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - run: | - ./mvnw -B -s custom_maven_settings.xml -Psonar \ - ${{ steps.sonar_env.outputs.sonar_opts }} \ - -Dsonar.pullrequest.branch=${{ fromJson(steps.get_pr_data.outputs.data).head.ref }} \ - -Dsonar.pullrequest.key=${{ fromJson(steps.get_pr_data.outputs.data).number }} \ - -Dsonar.pullrequest.base=${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} \ - -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \ - clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar - - name: Build and analyze (Push) - if: ${{ github.event.workflow_run.event == 'push' }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - run: | - ./mvnw -B -s custom_maven_settings.xml -Psonar \ - ${{ steps.sonar_env.outputs.sonar_opts }} \ - -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \ - -Dsonar.branch.name=${{ github.event.workflow_run.head_branch }} \ - clean verify 
org.sonarsource.scanner.maven:sonar-maven-plugin:sonar diff --git a/.github/workflows/sonarcloud-build.yml b/.github/workflows/sonarcloud-build.yml deleted file mode 100644 index 25d4d8c..0000000 --- a/.github/workflows/sonarcloud-build.yml +++ /dev/null 
@@ -1,77 +0,0 @@
-# SPDX-FileCopyrightText: 2022 Alliander N.V.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-name: SonarCloud Build
-
-on:
- push:
- branches:
- - '**'
- pull_request:
- branches:
- - 'main'
- - 'develop'
- pull_request_target:
- branches:
- - 'main'
- - 'develop'
-
-jobs:
- precheck-build:
- name: Pre Check Build
- runs-on: ubuntu-latest
- timeout-minutes: 30
-
- if: ${{ (github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]') || (github.actor == 'dependabot[bot]' && github.event_name == 'pull_request_target') }}
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- with:
- fetch-depth: 0
-
- - name: Cache SonarCloud packages
- uses: actions/cache@v4
- with:
- path: ~/.sonar/cache
- key: ${{ runner.os }}-sonar
- restore-keys: ${{ runner.os }}-sonar
- - name: Cache Maven packages
- uses: actions/cache@v4
- with:
- path: ~/.m2
- key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
- restore-keys: ${{ runner.os }}-m2
-
- - name: Set up JDK 17
- uses: actions/setup-java@v4
- with:
- distribution: 'zulu'
- java-version: '17'
-
- - name: Create custom Maven Settings.xml
- uses: whelk-io/maven-settings-xml-action@v22
- with:
- output_file: custom_maven_settings.xml
- servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
- - name: Build and analyze (Pull Request)
- if: ${{ github.event_name == 'pull_request' || (github.actor == 'dependabot[bot]' && github.event_name == 'pull_request_target') }}
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- ./mvnw -B -s custom_maven_settings.xml clean verify
- - name: Build and analyze (Push)
- if: ${{ github.event_name == 'push' }}
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- ./mvnw -B -s custom_maven_settings.xml clean verify
- - name: Save PR number to file
- if: github.event_name == 'pull_request'
- run: echo ${{ github.event.number }} > PR_NUMBER.txt
- - name: Archive PR number
- if: github.event_name == 'pull_request'
- uses: actions/upload-artifact@v4
- with:
- name: PR_NUMBER
- path: PR_NUMBER.txt
diff --git a/.github/workflows/sync-fork.yml b/.github/workflows/sync-fork.yml
new file mode 100644
index 0000000..42ba380
--- /dev/null
+++ b/.github/workflows/sync-fork.yml
@@ -0,0 +1,89 @@
+name: Sync fork
+
+on:
+ workflow_dispatch: {}
+ schedule:
+ - cron: "15 3 * * *" # Run every day at 3:15 UTC
+
+jobs:
+ sync:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout fork's default branch
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ path: "fork"
+ token: ${{ secrets.GH_PAT }}
+ - name: Checkout fork's configuration branch
+ uses: actions/checkout@v4
+ with:
+ path: "configuration"
+ ref: "renovate-and-workflow-files"
+ token: ${{ secrets.GH_PAT }}
+ - name: Determine Upstream clone URL
+ id: upstream-repo-clone-url
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const { data } = await github.rest.repos.get({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ });
+ if (data.fork) {
+ return data.parent.clone_url;
+ } else {
+ throw new Error('This repository is not a fork.');
+ }
+ result-encoding: string
+ - name: Determine Upstream default branch
+ id: upstream-repo-default-branch
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const { data } = await github.rest.repos.get({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ });
+ if (data.fork) {
+ return data.parent.default_branch;
+ } else {
+ throw new Error('This repository is not a fork.');
+ }
+ result-encoding: string
+ - name: Sync fork with upstream
+ run: |
+ set -ex
+ cd fork
+ git config --global user.name "github-actions[bot]"
+ git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git remote add upstream ${{ steps.upstream-repo-clone-url.outputs.result }}
+ git fetch upstream ${{ steps.upstream-repo-default-branch.outputs.result }}
+ UPSTREAM_MOST_RECENT_COMMIT_HASH=$(git log upstream/${{ steps.upstream-repo-default-branch.outputs.result }} -n 1 --format="%H")
+ PREVIOUS_SYNC_COMMIT_HASH=$(cat ../configuration/upstream_commit_hash)
+ if [ "$PREVIOUS_SYNC_COMMIT_HASH" = "$UPSTREAM_MOST_RECENT_COMMIT_HASH" ]; then
+ echo "No need to sync, already up-to-date"
+ exit 0
+ fi
+
+ git reset --hard upstream/${{ steps.upstream-repo-default-branch.outputs.result }}
+ # Enforce the usage of our own config (renovate.json5)
+ git rm renovate.json* || true
+ # Avoid problems where an existing .gitignore file would prevent committing our configuration files
+ git rm .gitignore || true
+ # Delete existing workflows, we don't need to run them in our fork
+ rm -rf .github || true
+ # Instead of using "cp -r", rsync allows us to exclude the .git directory
+ rsync -av --exclude '.git' ../configuration/ .
+ rm upstream_commit_hash
+ git add .
+ git commit -m "add Renovate and custom workflow files"
+ git push --force-with-lease
+
+ cd ../configuration
+ # git config user.name "github-actions[bot]"
+ # git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ echo $UPSTREAM_MOST_RECENT_COMMIT_HASH > upstream_commit_hash
+ git add upstream_commit_hash
+ git commit -m "update commit hash to $UPSTREAM_MOST_RECENT_COMMIT_HASH"
+ git push
diff --git a/.github/workflows/trivy-dependencies-submission.yml b/.github/workflows/trivy-dependencies-submission.yml
new file mode 100644
index 0000000..71f59af
--- /dev/null
+++ b/.github/workflows/trivy-dependencies-submission.yml
@@ -0,0 +1,27 @@
+name: SBOM upload from Trivy
+
+on:
+ workflow_dispatch: {}
+ schedule:
+ - cron: "0 9 */5 * *" # Run every fifth day at 9 AM UTC
+
+jobs:
+ SBOM-upload:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@0.23.0
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'github'
+ output: 'trivy-results.gsbom'
+ github-pat: ${{ secrets.GITHUB_TOKEN }} # this causes a curl call to upload the snapshot
+
+ - name: Upload report file
+ uses: actions/upload-artifact@v4
+ with:
+ name: trivy-results
+ path: trivy-results.gsbom
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 05236d8..0000000
--- a/.gitignore
+++ /dev/null
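Review bot: In the `Sync fork with upstream` step the two upstream-derived outputs are expanded by `${{ }}` straight into the shell text at `git remote add upstream ...`, `git fetch upstream ...`, the `git log upstream/...` substitution and `git reset --hard upstream/...`, so whatever the parent repository reports as its default branch is parsed by bash as part of the script rather than as data. The values come from the GitHub API for the parent repository, which limits who can influence them, but a branch name containing shell metacharacters would still break or alter the script; the conventional hardening is to pass them through `env:` and quote them. The workflow also declares no `permissions:` block, so the default `GITHUB_TOKEN` that `actions/github-script` uses for its two read-only `repos.get` calls inherits the repository default; `permissions: { contents: read }` at workflow level would scope it while `GH_PAT` carries the write access needed for the push. The rewritten step is sketched below; the rest of the script is unchanged.
```yaml
      - name: Sync fork with upstream
        env:
          UPSTREAM_URL: ${{ steps.upstream-repo-clone-url.outputs.result }}
          UPSTREAM_BRANCH: ${{ steps.upstream-repo-default-branch.outputs.result }}
        run: |
          set -ex
          cd fork
          # … unchanged: git config user.name / user.email …
          git remote add upstream "$UPSTREAM_URL"
          git fetch upstream "$UPSTREAM_BRANCH"
          UPSTREAM_MOST_RECENT_COMMIT_HASH=$(git log "upstream/$UPSTREAM_BRANCH" -n 1 --format="%H")
          # … unchanged: up-to-date check …
          git reset --hard "upstream/$UPSTREAM_BRANCH"
          # … unchanged: overlay of the configuration branch, commit, push, hash bookkeeping …
```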
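Review bot: The `SBOM-upload` job declares no `permissions:` block, yet `format: 'github'` together with `github-pat: ${{ secrets.GITHUB_TOKEN }}` submits a dependency snapshot, which as far as I recall the dependency submission API only accepts from a token holding `contents: write`; on a repository whose default token permissions are read-only the upload would be refused, and the trailing comment on that line gives no hint of the requirement. Adding `permissions:` / `  contents: write` under `SBOM-upload:` states the requirement explicitly and makes the job independent of the repository-level default. Separately, `uses: aquasecurity/trivy-action@0.23.0` is pinned to a mutable tag; pinning third-party actions to the full commit SHA (keeping the tag as a trailing comment) is the usual supply-chain hardening and would equally apply to the `actions/*@v4` references added in this commit.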
@@ -1,37 +0,0 @@
-# SPDX-FileCopyrightText: 2021 RTE FRANCE
-#
-# SPDX-License-Identifier: Apache-2.0
-
-HELP.md
-target/
-.scannerwork
-sonar-project.properties
-!.mvn/wrapper/maven-wrapper.jar
-!**/src/main/**
-!**/src/test/**
-
-### STS ###
-.apt_generated
-.classpath
-.factorypath
-.project
-.settings
-.springBeans
-.sts4-cache
-
-### IntelliJ IDEA ###
-.idea
-*.iws
-*.iml
-*.ipr
-
-### NetBeans ###
-/nbproject/private/
-/nbbuild/
-/dist/
-/nbdist/
-/.nb-gradle/
-build/
-
-### VS Code ###
-.vscode/
diff --git a/renovate.json5 b/renovate.json5
new file mode 100644
index 0000000..53fe2ac
--- /dev/null
+++ b/renovate.json5
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended",
+ ":disableRateLimiting"
+ ],
+ "labels": ["dependencies", "depManager:{{{manager}}}"],
+ "vulnerabilityAlerts": {
+ "labels": ["security", "dependencies", "depManager:{{{manager}}}"],
+ },
+ "forkProcessing": "enabled"
+}
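Review bot: `extends` relies on `config:recommended` alone, which does not pin GitHub Actions to commit digests, so the `uses: ...@v4` and `@0.23.0` references introduced by the new workflows in this commit keep floating on mutable tags. Adding `"helpers:pinGitHubActionDigests"` to `extends` has Renovate rewrite those references to SHA-pinned form and keep the digests current, which is the usual answer once a fork takes on third-party actions. `":disableRateLimiting"` lifts the hourly and concurrent PR caps; that is convenient for initial onboarding but worth a one-line `//` comment (JSON5 permits them) recording that it is intentional, since the fork will then open every update as soon as it is found.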