diff --git a/.github/workflows/gradle-dependency-submission.yml b/.github/workflows/gradle-dependency-submission.yml new file mode 100644 index 00000000..32fd9ed7 --- /dev/null +++ b/.github/workflows/gradle-dependency-submission.yml @@ -0,0 +1,22 @@ +name: Gradle SBOM upload + +on: + workflow_dispatch: {} + schedule: + - cron: "0 10 */5 * *" # Run every fifth day at 10 AM UTC + +permissions: + contents: write + +jobs: + SBOM-upload: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - uses: actions/setup-java@v4 + with: + distribution: temurin + java-version: 17 + - name: Generate and submit dependency graph + uses: gradle/actions/dependency-submission@v3 diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml deleted file mode 100644 index 76c5535f..00000000 --- a/.github/workflows/gradle.yml +++ /dev/null @@ -1,45 +0,0 @@ -# SPDX-FileCopyrightText: Contributors to the GXF project -# -# SPDX-License-Identifier: Apache-2.0 - -name: Build Pipeline - -on: - push: - branches: [ "main" ] - tags: [ "v**" ] - pull_request: - branches: [ "main" ] - -jobs: - build: - timeout-minutes: 30 - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Set up JDK 21 - uses: actions/setup-java@v4 - with: - java-version: '21' - distribution: 'temurin' - - name: Setup Gradle to generate and submit dependency graphs - uses: gradle/actions/setup-gradle@v3 - with: - dependency-graph: generate-and-submit - - name: Build with Gradle - run: ./gradlew build integrationTest bootBuildImage - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Run sonar analysis with Gradle - run: ./gradlew testCodeCoverageReport integrationTestCodeCoverageReport sonar - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - - name: Publish Docker image - if: github.ref == 'refs/heads/main' || github.ref_type == 'tag' - run: ./gradlew bootBuildImage -PpublishImage - env: - GITHUB_ACTOR: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/sync-fork.yml b/.github/workflows/sync-fork.yml new file mode 100644 index 00000000..42ba3805 --- /dev/null +++ b/.github/workflows/sync-fork.yml @@ -0,0 +1,89 @@ +name: Sync fork + +on: + workflow_dispatch: {} + schedule: + - cron: "15 3 * * *" # Run every day at 3:15 UTC + +jobs: + sync: + runs-on: ubuntu-latest + steps: + - name: Checkout fork's default branch + uses: actions/checkout@v4 + with: + fetch-depth: 0 + path: "fork" + token: ${{ secrets.GH_PAT }} + - name: Checkout fork's configuration branch + uses: actions/checkout@v4 + with: + path: "configuration" + ref: "renovate-and-workflow-files" + token: ${{ secrets.GH_PAT }} + - name: Determine Upstream clone URL + id: upstream-repo-clone-url + uses: actions/github-script@v7 + with: + script: | + const { data } = await github.rest.repos.get({ + owner: context.repo.owner, + repo: context.repo.repo, + }); + if (data.fork) { + return data.parent.clone_url; + } else { + throw new Error('This repository is not a fork.'); + } + result-encoding: string + - name: Determine Upstream default branch + id: upstream-repo-default-branch + uses: actions/github-script@v7 + with: + script: | + const { data } = await github.rest.repos.get({ + owner: context.repo.owner, + repo: context.repo.repo, + }); + if (data.fork) { + return data.parent.default_branch; + } else { + throw new Error('This repository is not a fork.'); + } + result-encoding: string + - name: Sync fork with upstream + run: | + set -ex + cd fork + git config --global user.name "github-actions[bot]" + git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" + git remote add upstream ${{ steps.upstream-repo-clone-url.outputs.result }} + git fetch upstream ${{ steps.upstream-repo-default-branch.outputs.result }} + UPSTREAM_MOST_RECENT_COMMIT_HASH=$(git log upstream/${{ steps.upstream-repo-default-branch.outputs.result }} -n 1 --format="%H") + PREVIOUS_SYNC_COMMIT_HASH=$(cat ../configuration/upstream_commit_hash) + if [ "$PREVIOUS_SYNC_COMMIT_HASH" = "$UPSTREAM_MOST_RECENT_COMMIT_HASH" ]; then + echo "No need to sync, already up-to-date" + exit 0 + fi + + git reset --hard upstream/${{ steps.upstream-repo-default-branch.outputs.result }} + # Enforce the usage of our own config (renovate.json5) + git rm renovate.json* || true + # Avoid problems where an existing .gitignore file would prevent committing our configuration files + git rm .gitignore || true + # Delete existing workflows, we don't need to run them in our fork + rm -rf .github || true + # Instead of using "cp -r", rsync allows us to exclude the .git directory + rsync -av --exclude '.git' ../configuration/ . + rm upstream_commit_hash + git add . + git commit -m "add Renovate and custom workflow files" + git push --force-with-lease + + cd ../configuration + # git config user.name "github-actions[bot]" + # git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + echo $UPSTREAM_MOST_RECENT_COMMIT_HASH > upstream_commit_hash + git add upstream_commit_hash + git commit -m "update commit hash to $UPSTREAM_MOST_RECENT_COMMIT_HASH" + git push diff --git a/.github/workflows/trivy-dependencies-submission.yml b/.github/workflows/trivy-dependencies-submission.yml new file mode 100644 index 00000000..71f59af7 --- /dev/null +++ b/.github/workflows/trivy-dependencies-submission.yml @@ -0,0 +1,27 @@ +name: SBOM upload from Trivy + +on: + workflow_dispatch: {} + schedule: + - cron: "0 9 */5 * *" # Run every fifth day at 9 AM UTC + +jobs: + SBOM-upload: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@0.23.0 + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'github' + output: 'trivy-results.gsbom' + github-pat: ${{ secrets.GITHUB_TOKEN }} # this causes a curl call to upload the snapshot + + - name: Upload report file + uses: actions/upload-artifact@v4 + with: + name: trivy-results + path: trivy-results.gsbom diff --git a/.gitignore b/.gitignore deleted file mode 100644 index f4530cde..00000000 --- a/.gitignore +++ /dev/null @@ -1,41 +0,0 @@ -# SPDX-FileCopyrightText: Contributors to the GXF project -# -# SPDX-License-Identifier: Apache-2.0 - -HELP.md -.gradle -build/ -!gradle/wrapper/gradle-wrapper.jar -!**/src/main/**/build/ -!**/src/test/**/build/ - -### STS ### -.apt_generated -.classpath -.factorypath -.project -.settings -.springBeans -.sts4-cache -bin/ -!**/src/main/**/bin/ -!**/src/test/**/bin/ - -### IntelliJ IDEA ### -.idea -*.iws -*.iml -*.ipr -out/ -!**/src/main/**/out/ -!**/src/test/**/out/ - -### NetBeans ### -/nbproject/private/ -/nbbuild/ -/dist/ -/nbdist/ -/.nb-gradle/ - -### VS Code ### -.vscode/ diff --git a/renovate.json5 b/renovate.json5 new file mode 100644 index 00000000..53fe2ac3 --- /dev/null +++ b/renovate.json5 @@ -0,0 +1,12 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:recommended", + ":disableRateLimiting" + ], + "labels": ["dependencies", "depManager:{{{manager}}}"], + "vulnerabilityAlerts": { + "labels": ["security", "dependencies", "depManager:{{{manager}}}"], + }, + "forkProcessing": "enabled" +}