DependencyTrack
diff --git a/‎.github/default-release-notes.md‎
Lines changed: 4 additions & 0 deletions b/‎.github/default-release-notes.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/workflows/_meta-build.yaml‎
Lines changed: 131 additions & 0 deletions b/‎.github/workflows/_meta-build.yaml‎
Lines changed: 131 additions & 0 deletions
diff --git a/‎.github/workflows/ci-build.yaml‎
Lines changed: 22 additions & 0 deletions b/‎.github/workflows/ci-build.yaml‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎.github/workflows/ci-publish.yaml‎
Lines changed: 85 additions & 0 deletions b/‎.github/workflows/ci-publish.yaml‎
Lines changed: 85 additions & 0 deletions
diff --git a/‎.github/workflows/ci-release.yaml‎
Lines changed: 57 additions & 0 deletions b/‎.github/workflows/ci-release.yaml‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎.github/workflows/codeql-analysis.yml‎ renamed to ‎.github/workflows/codeql-analysis.yaml‎
Lines changed: 3 additions & 2 deletions b/‎.github/workflows/codeql-analysis.yml‎ renamed to ‎.github/workflows/codeql-analysis.yaml‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎.github/workflows/dependency-review.yaml‎
Lines changed: 16 additions & 0 deletions b/‎.github/workflows/dependency-review.yaml‎
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,4 @@
+### Dependency Track Frontend
+
+For official releases, refer to [Dependency Track Docs >> Changelogs](https://docs.dependencytrack.org/changelog/) for information about improvements and upgrade notes.
+If additional details are required, consult the closed issues for this release milestone.
@@ -0,0 +1,131 @@
+on:
+  workflow_call:
+    inputs:
+      node-versions:
+        type: string
+        required: false
+        default: '["16"]'
+        description: 'Stringified JSON Array of node versions to build against'
+      node-version-package:
+        type: string
+        required: false
+        default: '16'
+        description: 'Set which version of node the container packaged dist should be based on. (MUST be part of the node-versions)'
+      app-version:
+        type: string
+        required: false
+        default: "snapshot"
+        description: "Set the version that should be set/used as tag for the container image"
+      publish-container:
+        type: boolean
+        required: false
+        default: false
+        description: "Set if the container image gets publish and scan once its build"
+    secrets:
+      registry-0-usr:
+        required: true
+      registry-0-psw:
+        required: true
+
+jobs:
+  build-node:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: true
+      matrix:
+        node-version: ${{ fromJson(inputs.node-versions) }}
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/[email protected]
+
+      - name: Set up NodeJs
+        uses: actions/[email protected]
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+
+      - name: Run Npm Build
+        env:
+          CI: true
+        run: |-
+          npm ci
+          npm run build --if-present
+
+      - name: Upload Artifacts
+        uses: actions/[email protected]
+        with:
+          name: assembled-frontend-node${{ matrix.node-version }}
+          path: |-
+            dist/
+            bom.*
+
+  build-container:
+    runs-on: ubuntu-latest
+    needs:
+      - build-node
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/[email protected]
+
+      - name: Download Artifacts
+        uses: actions/[email protected]
+        with:
+          name: assembled-frontend-node${{ inputs.node-version-package }}
+
+      - name: Set up QEMU
+        uses: docker/[email protected]
+
+      - name: Set up Docker Buildx
+        uses: docker/[email protected]
+        id: buildx
+        with:
+          install: true
+
+      - name: Login to Docker.io
+        uses: docker/[email protected]
+        if: ${{ inputs.publish-container }}
+        with:
+          registry: docker.io
+          username: ${{ secrets.registry-0-usr }}
+          password: ${{ secrets.registry-0-psw }}
+
+      - name: Set Container Tags
+        id: tags
+        run: |-
+          TAGS="${TAGS},docker.io/dependencytrack/frontend:${{ inputs.app-version }}"
+
+          if [[ "${{ inputs.app-version }}" != "snapshot" ]]; then
+            TAGS="${TAGS},docker.io/dependencytrack/frontend:latest"
+          fi
+          echo "::set-output name=tags::${TAGS}"
+
+      - name: Build multi-arch Container Image
+        uses: docker/[email protected]
+        with:
+          tags: ${{ steps.tags.outputs.tags }}
+          build-args: |-
+            APP_VERSION=${{ inputs.app-version }}
+            COMMIT_SHA=${{ github.sha }}
+          platforms: linux/amd64,linux/arm64
+          push: ${{ inputs.publish-container }}
+          context: .
+          file: docker/Dockerfile.alpine
+
+      - name: Run Trivy Vulnerability Scanner
+        if: ${{ inputs.publish-container }}
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: docker.io/dependencytrack/frontend:${{ inputs.app-version }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          ignore-unfixed: true
+          vuln-type: 'os'
+
+      - name: Upload Trivy Scan Results to GitHub Security Tab
+        if: ${{ inputs.publish-container }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
@@ -0,0 +1,22 @@
+name: Build CI
+
+on:
+  push:
+    branches:
+      - 'master' # Default branch
+  pull_request:
+    branches:
+      - 'master' # Default branch
+  workflow_dispatch:
+
+jobs:
+  call-build:
+    uses: ./.github/workflows/_meta-build.yaml
+    with:
+      node-versions: '["14", "16"]'
+      node-version-package: '16'
+      app-version: 'snapshot'
+      publish-container: ${{ github.ref == 'refs/heads/master' }}
+    secrets:
+      registry-0-usr: ${{ secrets.HUB_USERNAME }}
+      registry-0-psw: ${{ secrets.HUB_ACCESS_TOKEN }}
@@ -0,0 +1,85 @@
+name: Publish CI
+
+on:
+  release:
+    types:
+      - released
+  workflow_dispatch:
+
+jobs:
+  read-version:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.parse.outputs.version }}
+    steps:
+      - name: Assert ref type
+        run: |-
+          if [[ "$GITHUB_REF_TYPE" != "tag" ]]; then
+            echo "::error::Publishing is only supported for tags!"
+            exit 1
+          fi
+
+      - name: Checkout Repository
+        uses: actions/[email protected]
+
+      - name: Parse Version from package.json
+        id: parse
+        run: |-
+          VERSION=`jq -r '.version' package.json`
+          echo "::set-output name=version::${VERSION}"
+
+  call-build:
+    needs:
+      - read-version
+    uses: ./.github/workflows/_meta-build.yaml
+    with:
+      app-version: ${{ needs.read-version.outputs.version }}
+      publish-container: true
+    secrets:
+      registry-0-usr: ${{ secrets.HUB_USERNAME }}
+      registry-0-psw: ${{ secrets.HUB_ACCESS_TOKEN }}
+
+  update-github-release:
+    runs-on: ubuntu-latest
+    needs:
+      - read-version
+      - call-build
+    steps:
+      - name: Checkout Repository
+        uses: actions/[email protected]
+
+      - name: Download Artifacts
+        uses: actions/[email protected]
+        with:
+          name: assembled-frontend-node16
+
+      - name: Create Checksums
+        run: |-
+          zip -qr frontend-dist.zip dist/*
+
+          echo "# SHA1" >> checksums.txt
+          sha1sum frontend-dist.zip >> checksums.txt
+          echo "# SHA256" >> checksums.txt
+          sha256sum frontend-dist.zip >> checksums.txt
+          echo "# SHA512" >> checksums.txt
+          sha512sum frontend-dist.zip >> checksums.txt
+
+      - name: Update Release
+        env:
+          # or change it to a custom PAT that should be credited for the release
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |-
+          cat << EOF >> .github/default-release-notes.md
+          \`\`\`text
+          $(cat checksums.txt)
+          \`\`\`
+          EOF
+
+          gh release edit ${{ needs.read-version.outputs.version }} \
+            --notes-file ".github/default-release-notes.md"
+
+          gh release upload ${{ needs.read-version.outputs.version }} \
+            --clobber \
+            frontend-dist.zip \
+            checksums.txt \
+            bom.xml bom.json
@@ -0,0 +1,57 @@
+name: Release CI
+
+on:
+  workflow_dispatch:
+    inputs:
+      version-to-bump:
+        type: choice
+        required: true
+        description: "Select which part of the version to bump and release"
+        options:
+          - patch
+          - minor
+          - major
+          - prepatch
+          - preminor
+          - premajor
+          - prerelease
+
+jobs:
+  prepare-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/[email protected]
+
+      - name: Set up NodeJs
+        uses: actions/[email protected]
+        with:
+          node-version: '16'
+          cache: 'npm'
+
+      - name: Bump version and tag via NodeJS
+        # if you use a bot-user to create the release in the next step
+        # then it might be a solid idea to change the git config values below to the bot-user's name + email
+        run: |-
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+          npm version ${{ github.event.inputs.version-to-bump }} -m "prepare-release: set version to %s"
+
+          git push origin "HEAD:refs/heads/master"
+
+      - name: Create GitHub Release
+        env:
+          # or change it to a custom PAT that should be credited for the release
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_OPTS: ""
+        run: |-
+          VERSION=`jq -r '.version' package.json`
+
+          if [[ "${{ contains(github.event.inputs.version-to-bump, 'pre') }}" == "true" ]]; then
+            GH_OPTS="--prerelease"
+          fi
+
+          gh release create "${VERSION}" ${GH_OPTS} \
+            --title "${VERSION}" \
+            --notes-file ".github/default-release-notes.md"
@@ -13,6 +13,7 @@ jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    if: ${{ github.repository == 'DependencyTrack/frontend' }}
 
     strategy:
       fail-fast: false
@@ -25,7 +26,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
@@ -42,7 +43,7 @@ jobs:
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file. 
+        # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
 
@@ -0,0 +1,16 @@
+name: Dependency Review
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/[email protected]
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v1