From bf7b3556057ba95d1d8dba1b5ae04650032cbbfb Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 31 Jul 2024 03:27:42 +0000
Subject: [PATCH 1/2] add Renovate and custom workflow files
---
.../gradle-dependency-submission.yml | 22 +++++
.github/workflows/gradle.yml | 45 ----------
.github/workflows/sync-fork.yml | 89 +++++++++++++++++++
.../trivy-dependencies-submission.yml | 27 ++++++
.gitignore | 41 ---------
renovate.json5 | 12 +++
6 files changed, 150 insertions(+), 86 deletions(-)
create mode 100644 .github/workflows/gradle-dependency-submission.yml
delete mode 100644 .github/workflows/gradle.yml
create mode 100644 .github/workflows/sync-fork.yml
create mode 100644 .github/workflows/trivy-dependencies-submission.yml
delete mode 100644 .gitignore
create mode 100644 renovate.json5
diff --git a/.github/workflows/gradle-dependency-submission.yml b/.github/workflows/gradle-dependency-submission.yml
new file mode 100644
index 00000000..32fd9ed7
--- /dev/null
+++ b/.github/workflows/gradle-dependency-submission.yml
@@ -0,0 +1,22 @@
+name: Gradle SBOM upload
+
+on:
+ workflow_dispatch: {}
+ schedule:
+ - cron: "0 10 */5 * *" # Run every fifth day at 10 AM UTC
+
+permissions:
+ contents: write
+
+jobs:
+ SBOM-upload:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - uses: actions/setup-java@v4
+ with:
+ distribution: temurin
+ java-version: 17
+ - name: Generate and submit dependency graph
+ uses: gradle/actions/dependency-submission@v3
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
deleted file mode 100644
index 5f16b8be..00000000
--- a/.github/workflows/gradle.yml
+++ /dev/null
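Review bot: The JDK for the dependency-submission job is set to `java-version: 17` (second-to-last line of the hunk), while the build workflow this same commit deletes ran the identical Gradle project with `java-version: '21'`; if the build scripts require a 21 toolchain, the resolution behind the graph submission may fail or resolve a different variant set, so this is worth confirming against the project's toolchain configuration before relying on the submitted graph. The three actions are pinned to floating major tags (`@v4`, `@v3`) while the job runs with `contents: write`; pinning them to a full commit SHA, e.g. `uses: actions/checkout@<sha> # v4`, narrows the blast radius if a tag is ever moved. The `contents: write` grant itself is what the dependency-submission API needs, so it is not excessive on its own.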
@@ -1,45 +0,0 @@
-# SPDX-FileCopyrightText: Contributors to the GXF project
-#
-# SPDX-License-Identifier: Apache-2.0
-
-name: Build Pipeline
-
-on:
- push:
- branches: [ "main" ]
- tags: [ "v**" ]
- pull_request:
- branches: [ "main" ]
-
-jobs:
- build:
- timeout-minutes: 30
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Set up JDK 17
- uses: actions/setup-java@v4
- with:
- java-version: '21'
- distribution: 'temurin'
- - name: Setup Gradle to generate and submit dependency graphs
- uses: gradle/actions/setup-gradle@v3
- with:
- dependency-graph: generate-and-submit
- - name: Build with Gradle
- run: ./gradlew build integrationTest bootBuildImage
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Run sonar analysis with Gradle
- run: ./gradlew testCodeCoverageReport integrationTestCodeCoverageReport sonar
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- - name: Publish Docker image
- if: github.ref == 'refs/heads/main' || github.ref_type == 'tag'
- run: ./gradlew bootBuildImage -PpublishImage
- env:
- GITHUB_ACTOR: ${{ github.actor }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/sync-fork.yml b/.github/workflows/sync-fork.yml
new file mode 100644
index 00000000..42ba3805
--- /dev/null
+++ b/.github/workflows/sync-fork.yml
@@ -0,0 +1,89 @@
+name: Sync fork
+
+on:
+ workflow_dispatch: {}
+ schedule:
+ - cron: "15 3 * * *" # Run every day at 3:15 UTC
+
+jobs:
+ sync:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout fork's default branch
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ path: "fork"
+ token: ${{ secrets.GH_PAT }}
+ - name: Checkout fork's configuration branch
+ uses: actions/checkout@v4
+ with:
+ path: "configuration"
+ ref: "renovate-and-workflow-files"
+ token: ${{ secrets.GH_PAT }}
+ - name: Determine Upstream clone URL
+ id: upstream-repo-clone-url
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const { data } = await github.rest.repos.get({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ });
+ if (data.fork) {
+ return data.parent.clone_url;
+ } else {
+ throw new Error('This repository is not a fork.');
+ }
+ result-encoding: string
+ - name: Determine Upstream default branch
+ id: upstream-repo-default-branch
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const { data } = await github.rest.repos.get({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ });
+ if (data.fork) {
+ return data.parent.default_branch;
+ } else {
+ throw new Error('This repository is not a fork.');
+ }
+ result-encoding: string
+ - name: Sync fork with upstream
+ run: |
+ set -ex
+ cd fork
+ git config --global user.name "github-actions[bot]"
+ git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git remote add upstream ${{ steps.upstream-repo-clone-url.outputs.result }}
+ git fetch upstream ${{ steps.upstream-repo-default-branch.outputs.result }}
+ UPSTREAM_MOST_RECENT_COMMIT_HASH=$(git log upstream/${{ steps.upstream-repo-default-branch.outputs.result }} -n 1 --format="%H")
+ PREVIOUS_SYNC_COMMIT_HASH=$(cat ../configuration/upstream_commit_hash)
+ if [ "$PREVIOUS_SYNC_COMMIT_HASH" = "$UPSTREAM_MOST_RECENT_COMMIT_HASH" ]; then
+ echo "No need to sync, already up-to-date"
+ exit 0
+ fi
+
+ git reset --hard 
upstream/${{ steps.upstream-repo-default-branch.outputs.result }}
+ # Enforce the usage of our own config (renovate.json5)
+ git rm renovate.json* || true
+ # Avoid problems where an existing .gitignore file would prevent committing our configuration files
+ git rm .gitignore || true
+ # Delete existing workflows, we don't need to run them in our fork
+ rm -rf .github || true
+ # Instead of using "cp -r", rsync allows us to exclude the .git directory
+ rsync -av --exclude '.git' ../configuration/ .
+ rm upstream_commit_hash
+ git add .
+ git commit -m "add Renovate and custom workflow files"
+ git push --force-with-lease
+
+ cd ../configuration
+ # git config user.name "github-actions[bot]"
+ # git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ echo $UPSTREAM_MOST_RECENT_COMMIT_HASH > upstream_commit_hash
+ git add upstream_commit_hash
+ git commit -m "update commit hash to $UPSTREAM_MOST_RECENT_COMMIT_HASH"
+ git push
diff --git a/.github/workflows/trivy-dependencies-submission.yml b/.github/workflows/trivy-dependencies-submission.yml
new file mode 100644
index 00000000..71f59af7
--- /dev/null
+++ b/.github/workflows/trivy-dependencies-submission.yml
@@ -0,0 +1,27 @@
+name: SBOM upload from Trivy
+
+on:
+ workflow_dispatch: {}
+ schedule:
+ - cron: "0 9 */5 * *" # Run every fifth day at 9 AM UTC
+
+jobs:
+ SBOM-upload:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@0.23.0
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'github'
+ output: 'trivy-results.gsbom'
+ github-pat: ${{ secrets.GITHUB_TOKEN }} # this causes a curl call to upload the snapshot
+
+ - name: Upload report file
+ uses: actions/upload-artifact@v4
+ with:
+ name: trivy-results
+ path: trivy-results.gsbom
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index f4530cde..00000000
--- a/.gitignore
+++ /dev/null
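Review bot: The `Sync fork with upstream` step interpolates `${{ steps.upstream-repo-clone-url.outputs.result }}` and `${{ steps.upstream-repo-default-branch.outputs.result }}` directly into the `run:` script (the `git remote add`, `git fetch`, `git log` and `git reset --hard` lines), so those values are substituted as shell text before bash ever sees them; both come from the parent repository's metadata, and a git branch name may legally contain `;`, `$` and parentheses, so a compromised or hostile upstream could turn them into commands that execute with `GH_PAT` checked out in both working trees. The standard fix is to pass them through `env:` and quote the variables in the script, as below. The workflow also declares no top-level `permissions:`, so the job receives the repository's default `GITHUB_TOKEN` grant even though the only thing it needs from that token is the `repos.get` read in the two github-script steps; `permissions: contents: read` at the top of the file would make that explicit and keep the PAT as the only write-capable credential.
```yaml
      - name: Sync fork with upstream
        env:
          UPSTREAM_URL: ${{ steps.upstream-repo-clone-url.outputs.result }}
          UPSTREAM_BRANCH: ${{ steps.upstream-repo-default-branch.outputs.result }}
        run: |
          set -ex
          cd fork
          # … unchanged: git user.name / user.email config …
          git remote add upstream "$UPSTREAM_URL"
          git fetch upstream "$UPSTREAM_BRANCH"
          UPSTREAM_MOST_RECENT_COMMIT_HASH=$(git log "upstream/$UPSTREAM_BRANCH" -n 1 --format="%H")
          # … unchanged: up-to-date check …
          git reset --hard "upstream/$UPSTREAM_BRANCH"
          # … unchanged: config cleanup, rsync, commit, push, hash bookkeeping …
```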
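Review bot: The Trivy step uploads the snapshot with `github-pat: ${{ secrets.GITHUB_TOKEN }}` (its inline comment says this is what triggers the upload), but the workflow declares no `permissions:` block, so the token carries whatever the repository's default workflow permissions are; if that default is read-only the dependency-snapshot POST is likely rejected, and depending on how the action treats that response the job could still go green at the artifact step while nothing was submitted. Add an explicit grant at the top of the file, `permissions:` / `contents: write`, which is also what the sibling Gradle SBOM workflow in this same commit does. As with the other new workflows, `aquasecurity/trivy-action@0.23.0` and the two `actions/*@v4` references are tag pins rather than commit SHAs.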
@@ -1,41 +0,0 @@
-# SPDX-FileCopyrightText: Contributors to the GXF project
-#
-# SPDX-License-Identifier: Apache-2.0
-
-HELP.md
-.gradle
-build/
-!gradle/wrapper/gradle-wrapper.jar
-!**/src/main/**/build/
-!**/src/test/**/build/
-
-### STS ###
-.apt_generated
-.classpath
-.factorypath
-.project
-.settings
-.springBeans
-.sts4-cache
-bin/
-!**/src/main/**/bin/
-!**/src/test/**/bin/
-
-### IntelliJ IDEA ###
-.idea
-*.iws
-*.iml
-*.ipr
-out/
-!**/src/main/**/out/
-!**/src/test/**/out/
-
-### NetBeans ###
-/nbproject/private/
-/nbbuild/
-/dist/
-/nbdist/
-/.nb-gradle/
-
-### VS Code ###
-.vscode/
diff --git a/renovate.json5 b/renovate.json5
new file mode 100644
index 00000000..53fe2ac3
--- /dev/null
+++ b/renovate.json5
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended",
+ ":disableRateLimiting"
+ ],
+ "labels": ["dependencies", "depManager:{{{manager}}}"],
+ "vulnerabilityAlerts": {
+ "labels": ["security", "dependencies", "depManager:{{{manager}}}"],
+ },
+ "forkProcessing": "enabled"
+}
From 13091c5c87d32f3df2db47e6af05179359741d0e Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sat, 24 Aug 2024 02:55:41 +0000
Subject: [PATCH 2/2] Update plugin org.jetbrains.kotlin.plugin.jpa to v2.0.20
---
build.gradle.kts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.gradle.kts b/build.gradle.kts
index 445b590c..5a61ecd6 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -13,7 +13,7 @@ plugins {
 id("io.spring.dependency-management") version "1.1.5" apply false
 kotlin("jvm") version "2.0.0" apply false
 kotlin("plugin.spring") version "2.0.0" apply false
- kotlin("plugin.jpa") version "2.0.0" apply false
+ kotlin("plugin.jpa") version "2.0.20" apply false
 id("com.github.davidmc24.gradle.plugin.avro") version "1.9.1" apply false
 id("com.diffplug.spotless") version "6.25.0"
 id("org.sonarqube") version "5.0.0.4638"