Merge branch 'master' of https://github.com/RADAR-base/RADAR-RedcapIntegration into release-1.0.6

Author: mpgxvii

.github/workflows/release.yml

@@ -0,0 +1,56 @@
+# Create release files
+name: Release
+
+on:
+  release:
+    types: [ published ]
+
+env:
+  DOCKER_IMAGE: radarbase/radar-redcapintegration
+
+jobs:
+  # Build and push tagged release docker image
+  docker:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      - uses: actions/checkout@v3
+
+      # Add Docker labels and tags
+      - name: Docker meta
+        id: docker_meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.DOCKER_IMAGE }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v3
+        with:
+          # Allow running the image on the architectures supported by openjdk:11-jre-slim
+          push: true
+          tags: ${{ steps.docker_meta.outputs.tags }}
+          context: .
+          # Use runtime labels from docker_meta as well as fixed labels
+          labels: |
+            ${{ steps.docker_meta.outputs.labels }}
+            maintainer=Yatharth Ranjan <[email protected]>
+            org.opencontainers.image.authors=Yatharth Ranjan @yatharthranjan, Pauline Conde @mpgxvii, Pim van Nierop @pvanierop
+            org.opencontainers.image.vendor=RADAR-base
+            org.opencontainers.image.licenses=Apache-2.0
+
+      - name: Inspect image
+        run: |
+          docker pull ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }}
+          docker image inspect ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }}

.github/workflows/scheduled-snyk-docker.yaml

@@ -0,0 +1,40 @@
+name: Snyk scheduled Docker base image scan
+
+on:
+  schedule:
+    - cron: '0 3 * * 1'
+  workflow_dispatch:
+
+env:
+  DOCKER_IMAGE: radarbase/radar-redcapintegration
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run Snyk to check for vulnerabilities
+        continue-on-error: true # To make sure that SARIF upload gets called
+        uses: snyk/actions/docker@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ env.DOCKER_IMAGE }}
+          # 'exclude-app-vulns' only tests vulnerabilities in the base image.
+          # Code base vulnerabilities are tested the scheduled-snyk.yaml action.
+          args: >-
+            --file=Dockerfile
+            --fail-on=upgradable
+            --severity-threshold=high
+            --policy-path=.snyk
+            --exclude-app-vulns
+            --org=radar-base
+            --sarif-file-output=snyk.sarif
+
+      # Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: snyk.sarif

.github/workflows/scheduled-snyk.yaml

@@ -1,35 +1,34 @@
-name: Snyk scheduled test
+name: Snyk scheduled code base scan
+
 on:
   schedule:
     - cron: '0 2 * * 1'
-  push:
-    branches:
-      - master
+  workflow_dispatch:
 
 jobs:
   security:
     runs-on: ubuntu-latest
-    env:
-      REPORT_FILE: test.json
+
     steps:
       - uses: actions/checkout@v3
 
-      - name: Use Node.js 16
-        uses: actions/setup-node@v3
-        with:
-          node-version: 16
-
       - name: Run Snyk to check for vulnerabilities
         uses: snyk/actions/gradle-jdk17@master
+        continue-on-error: true # To make sure that SARIF upload gets called
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
-          args: --all-projects --configuration-matching='^runtimeClasspath$' --json-file-output=${{ env.REPORT_FILE }} --severity-threshold=high --policy-path=$PWD/.snyk
+          args: >-
+            --all-projects
+            --configuration-matching='^runtimeClasspath$'
+            --fail-on=upgradable
+            --severity-threshold=high
+            --policy-path=.snykS
+            --org=radar-base
+            --sarif-file-output=snyk.sarif
 
-      - name: Report new vulnerabilities
-        uses: thehyve/report-vulnerability@master
-        if: success() || failure()
+      # Detected vulnerabilities will appear on Github in Security->Codescanning_alerts tab
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
         with:
-          report-file: ${{ env.REPORT_FILE }}
-        env:
-          TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          sarif_file: snyk.sarif

.github/workflows/snyk.yaml

@@ -1,21 +1,27 @@
-name: Snyk test
+name: Snyk test on PR commits
+
 on:
   pull_request:
-    branches: [ master, dev ]
+    branches:
+      - main
+      - dev
+      - release-*
+
 jobs:
   security:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
 
-      - name: Use Node.js 16
-        uses: actions/setup-node@v3
-        with:
-          node-version: 16
-
       - name: Run Snyk to check for vulnerabilities
         uses: snyk/actions/gradle-jdk17@master
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
-          args: --all-projects --configuration-matching='^runtimeClasspath$' --severity-threshold=high --policy-path=$PWD/.snyk
+          args: >-
+            --all-projects
+            --configuration-matching="^runtimeClasspath$"
+            --severity-threshold=high
+            --fail-on=upgradable
+            --org=radar-base
+            --policy-path=.snyk