Merged
31 changes: 31 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,31 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
target-branch: "master"
schedule:
interval: "weekly"
day: "sunday"
labels:
- "auto update"
- "infrastructure"
- "no RN"
open-pull-requests-limit: 3
commit-message:
prefix: "chore"
include: "scope"

- package-ecosystem: "sbt"
directory: "/"
target-branch: "master"
schedule:
interval: "weekly"
day: "sunday"
labels:
- "auto update"
- "dependencies"
- "no RN"
open-pull-requests-limit: 3
commit-message:
prefix: "chore"
include: "scope"
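Review bot: both entries set `open-pull-requests-limit: 3` with no `groups:` block, while the workflows touched in this PR pin six distinct actions, so a week in which several of them publish releases will leave some updates queued behind the limit. Consider grouping the `github-actions` updates into a single PR or raising the limit. Also check that the labels `auto update`, `infrastructure`, `dependencies` and `no RN` already exist in the repository, since Dependabot does not apply labels it cannot find.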
8 changes: 6 additions & 2 deletions .github/workflows/build.yml
Expand Up @@ -45,11 +45,15 @@ jobs:
scala: [2.12.17, 2.13.12]
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
with:
persist-credentials: false

- name: Setup Scala
uses: olafurpg/setup-scala@v14
uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
with:
java-version: "adopt@1.8"

- name: Build and run unit tests
run: sbt ++${{matrix.scala}} test
- name: Generate documentation
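Review bot: the two new `uses:` lines replace `@v2` and `@v14` with bare 40-character hashes, and nothing in the hunk says which release each hash is or that it was taken from the upstream repository. GitHub resolves `owner/repo@<sha>` for commits reachable anywhere in the repository's fork network, so confirm each hash appears in the upstream repository's own history (ideally as the commit behind a release tag) and append that tag as a trailing comment, e.g. `uses: actions/checkout@<sha> # vX.Y.Z`. The added `java-version: "adopt@1.8"` is a behaviour change separate from pinning and deserves a line in the PR description.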
2 changes: 1 addition & 1 deletion .github/workflows/dependent_items.yml
Expand Up @@ -28,7 +28,7 @@ jobs:
name: Dependent Items Check
runs-on: ubuntu-latest
steps:
- uses: z0al/dependent-issues@v1.5.2
- uses: z0al/dependent-issues@950226e7ca8fc43dc209a7febf67c655af3bdb43

⚠️ Potential issue | 🔴 Critical

⚠️ Using deprecated action from archived repository.

The z0al/dependent-issues action is from a repository archived by the owner on Sep 26, 2023. While pinning to a commit SHA is a security best practice, using an action from an archived repository introduces maintenance and security risks since it is now read-only. Consider migrating to an actively maintained alternative for issue dependency management.

🤖 Prompt for AI Agents
.github/workflows/dependent_items.yml around lines 31-31: the workflow uses the
archived z0al/dependent-issues action; replace it with an actively maintained
alternative (either a maintained fork of dependent-issues or a different
marketplace action that provides the same issue-dependency functionality), pin
that replacement to a release tag or commit SHA, update any inputs/outputs in
the workflow to match the new action's interface, remove the archived action
reference, and run the workflow locally or in a test branch to verify behavior.

env:
# (Required) The token to use to make API calls to GitHub.
GITHUB_TOKEN: ${{ secrets.PAT_REPO_PROJECT_DISCUSS }}
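Review bot: the `env:` block on this step hands `secrets.PAT_REPO_PROJECT_DISCUSS`, a secret whose name indicates a personal access token, to the third-party action as `GITHUB_TOKEN`, so the pinned code runs with whatever that token can reach rather than with the job-scoped workflow token. The SHA pin fixes which code receives the token; also confirm the token is restricted to this repository and to the permissions the dependency check needs, and check whether the default `secrets.GITHUB_TOKEN` with an explicit `permissions:` block would be enough.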
28 changes: 20 additions & 8 deletions .github/workflows/jacoco_report.yml
Expand Up @@ -49,50 +49,59 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
with:
persist-credentials: false

- name: Setup Scala
uses: olafurpg/setup-scala@v14
uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
with:
java-version: "adopt@1.8"

- name: Prepare testing database
run: sbt flywayMigrate

- name: Build and run tests
continue-on-error: true
id: jacocorun
run: sbt ++${{env.scalaLong}} jacoco

- name: Add coverage to PR (core)
if: steps.jacocorun.outcome == 'success'
id: jacoco-core
uses: madrapps/jacoco-report@v1.6.1
uses: madrapps/jacoco-report@50d3aff4548aa991e6753342d9ba291084e63848

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

cd .github/workflows && cat jacoco_report.yml | head -100

Repository: AbsaOSS/fa-db

Length of output: 3585


🏁 Script executed:

sed -n '60,105p' .github/workflows/jacoco_report.yml

Repository: AbsaOSS/fa-db

Length of output: 2157


JaCoCo report action pinned to commit SHA.

All three jacoco-report steps consistently use the same commit SHA (50d3aff4548aa991e6753342d9ba291084e63848). Pinning to a specific commit SHA ensures the exact, immutable version of the action's code is used, with a commit SHA uniquely identifying a specific state of the repository. Add a comment indicating which version the SHA corresponds to (e.g., # v1.7.2) for improved clarity and maintainability.

🤖 Prompt for AI Agents
.github/workflows/jacoco_report.yml around line 70: the jacoco-report action is
pinned to a commit SHA (50d3aff4548aa991e6753342d9ba291084e63848) but lacks a
comment indicating the corresponding action version; add a brief inline comment
on the same line (or immediately above) specifying which released tag/version
that SHA maps to (for example “# v1.7.2”), and do the same for the other two
jacoco-report steps so each pinned SHA is annotated with its human-readable
version.

with:
paths: ${{ github.workspace }}/core/target/scala-${{ env.scalaShort }}/jacoco/report/jacoco.xml
token: ${{ secrets.GITHUB_TOKEN }}
min-coverage-overall: ${{ env.coverage-overall }}
min-coverage-changed-files: ${{ env.coverage-changed-files }}
title: JaCoCo `core` module code coverage report - scala ${{ env.scalaLong }}
update-comment: true

- name: Add coverage to PR (doobie)
if: steps.jacocorun.outcome == 'success'
id: jacoco-doobie
uses: madrapps/jacoco-report@v1.6.1
uses: madrapps/jacoco-report@50d3aff4548aa991e6753342d9ba291084e63848
with:
paths: ${{ github.workspace }}/doobie/target/scala-${{ env.scalaShort }}/jacoco/report/jacoco.xml
token: ${{ secrets.GITHUB_TOKEN }}
min-coverage-overall: ${{ env.coverage-overall }}
min-coverage-changed-files: ${{ env.coverage-changed-files }}
title: JaCoCo `doobie` module code coverage report - scala ${{ env.scalaLong }}
update-comment: true

- name: Add coverage to PR (slick)
if: steps.jacocorun.outcome == 'success'
id: jacoco-slick
uses: madrapps/jacoco-report@v1.6.1
uses: madrapps/jacoco-report@50d3aff4548aa991e6753342d9ba291084e63848
with:
paths: ${{ github.workspace }}/slick/target/scala-${{ env.scalaShort }}/jacoco/report/jacoco.xml
token: ${{ secrets.GITHUB_TOKEN }}
min-coverage-overall: ${{env.coverage-overall }}
min-coverage-changed-files: ${{ env.coverage-changed-files }}
title: JaCoCo `slick` module code coverage report - scala ${{ env.scalaLong }}
update-comment: true

- name: Get the Coverage info
if: steps.jacocorun.outcome == 'success'
run: |
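Review bot: the three `madrapps/jacoco-report` steps move from `@v1.6.1` to one bare hash, and the hunk does not show whether that hash is still v1.6.1 or a later release. The "Get the Coverage info" step reads `outputs.coverage-overall` and `outputs.coverage-changed-files` from these steps, so if the hash is an upgrade, confirm on a test PR that those output names and the `min-coverage-*` inputs are unchanged. `persist-credentials: false` on the checkout is safe here because the report steps receive their token through the `token:` input, not through the git configuration.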
Expand All @@ -102,9 +111,10 @@ jobs:
echo "Changed Files coverage ${{ steps.jacoco-doobie.outputs.coverage-changed-files }}"
echo "Total `slick` module coverage ${{ steps.jacoco-slick.outputs.coverage-overall }}"
echo "Changed Files coverage ${{ steps.jacoco-slick.outputs.coverage-changed-files }}"

- name: Fail PR if changed files coverage is less than ${{ env.coverage-changed-files }}%
if: steps.jacocorun.outcome == 'success'
uses: actions/github-script@v6
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
with:
script: |
const coverageCheckFailed =
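Review bot: the context line `echo "Total `slick` module coverage ${{ steps.jacoco-slick.outputs.coverage-overall }}"` puts backticks inside a double-quoted shell string, which bash treats as command substitution, so the step tries to execute `slick` and the module name drops out of the log line. Use single quotes around the literal part or escape the backticks. While touching this step, pass the `steps.*.outputs.*` values in through `env:` and echo the variables instead of expanding `${{ }}` directly into the `run:` script.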
Expand All @@ -114,9 +124,10 @@ jobs:
if (coverageCheckFailed) {
core.setFailed('Changed files coverage is less than ${{ env.coverage-changed-files }}%!');
}

- name: Fail PR if overall files coverage is less than ${{ env.coverage-overall }}%
if: ${{ (steps.jacocorun.outcome == 'success') && (env.check-overall-coverages == 'true') }}
uses: actions/github-script@v6
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
with:
script: |
const coverageCheckFailed =
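Review bot: in the `core.setFailed(...)` call of the step above, `${{ env.coverage-changed-files }}` is expanded into the JavaScript source before `actions/github-script` runs it, so the value becomes part of the script text rather than data. The value comes from the workflow's own `env`, so the exposure is low, but reading it inside the script from the process environment keeps the script body constant and removes the pattern before someone copies it with a less trusted expression.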
Expand All @@ -126,9 +137,10 @@ jobs:
if (coverageCheckFailed) {
core.setFailed('Overall coverage is less than ${{ env.coverage-overall }}%!');
}

- name: Edit JaCoCo comments on build failure
if: steps.jacocorun.outcome != 'success'
uses: actions/github-script@v6
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
with:
script: |
const issue_number = context.issue.number;
8 changes: 6 additions & 2 deletions .github/workflows/license_check.yml
Expand Up @@ -29,9 +29,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
with:
persist-credentials: false

- name: Setup Scala
uses: olafurpg/setup-scala@v10
uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
with:
java-version: "adopt@1.8"

- run: sbt headerCheck
11 changes: 9 additions & 2 deletions .github/workflows/release.yml
Expand Up @@ -22,10 +22,17 @@ jobs:
publish:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2.3.4
- name: Checkout code
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
with:
fetch-depth: 0
- uses: olafurpg/setup-scala@v13
persist-credentials: false

- name: Setup Scala
uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
with:
java-version: "adopt@1.8"

- run: sbt ci-release
env:
PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}
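Review bot: the hash that replaces `olafurpg/setup-scala@v13` here is the same one that replaces `@v14` in build.yml and `@v10` in license_check.yml, so unless those tags point at the same commit, at least two of the three workflows change setup-scala version as well as gaining a pin. This is the job that runs `sbt ci-release` with `PGP_PASSPHRASE` in its environment, so a regression would surface during a release; exercise the job once before the next release. `persist-credentials: false` together with `fetch-depth: 0` still fetches history and tags, but confirm that `sbt ci-release` does not need to push back to the repository.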
6 changes: 4 additions & 2 deletions .github/workflows/test_filenames_check.yml
Expand Up @@ -27,11 +27,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
with:
persist-credentials: false

- name: Filename Inspector
id: scan-test-files
uses: AbsaOSS/filename-inspector@v0.1.0
uses: AbsaOSS/filename-inspector@355108975e656fac9faaa04209b6df3f9997c8fa
with:
name-patterns: '*UnitTests.*,*IntegrationTests.*'
paths: '**/src/test/scala/**'