diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 7e9067d..401dcbf 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -9,17 +9,15 @@ on: branches: [ main, dev ] env: - DOCKER_IMAGE: radarbase/radar-output-restructure + REGISTRY: ghcr.io + REPOSITORY: ${{ github.repository }} + IMAGE_NAME: radar-output-restructure jobs: - # Build and test the code build: - # The type of runner that the job will run on runs-on: ubuntu-latest - # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - uses: actions/checkout@v3 - uses: actions/setup-java@v3 @@ -28,7 +26,7 @@ jobs: java-version: 17 - name: Setup Gradle - uses: gradle/gradle-build-action@v2 + uses: gradle/actions/setup-gradle@v3 # Compile the code - name: Compile code @@ -47,13 +45,17 @@ jobs: # Check that the docker image builds correctly docker: - # The type of runner that the job will run on runs-on: ubuntu-latest - # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 + + # Setup docker build environment + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - name: Cache Docker layers uses: actions/cache@v3 
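Review bot: The build job's `actions/checkout@v3` and `actions/setup-java@v3` are left untouched in this hunk while the same two steps move to `@v4` in publish-snapshots.yml and release.yml, and the docker job further down this file also moves to `checkout@v4`; bump these as well so all workflows run one generation of the actions. The new `REPOSITORY: ${{ github.repository }}` keeps the owner's original casing, which is why a later step in this file has to lowercase it before it can be used as a GHCR path; a one-line comment on the env entry, `# owner/repo with original casing; lowercased in the "Lowercase image name" step before use as a registry path`, would make that dependency visible where the value is defined.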
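Review bot: The `docker` job gets no job-level `permissions:` block in this hunk even though it now logs into ghcr.io with `GITHUB_TOKEN` (later hunk in this file) and the equivalent job in release.yml is scoped to `contents: read` / `packages: write`; with the repository default the token is either read-only, so the push fails, or far broader than a package push needs. Add `permissions:` / `contents: read` / `packages: write` directly after `runs-on: ubuntu-latest`. `actions/cache@v3` is also left on its old major here while the checkout step in the same block is bumped to `@v4`.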
@@ -63,27 +65,25 @@ jobs: restore-keys: | ${{ runner.os }}-buildx- + - name: Login to Container Registry + uses: docker/login-action@v2 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Lowercase image name + run: | + echo "DOCKER_IMAGE=${REGISTRY}/${REPOSITORY,,}/${IMAGE_NAME}" >>${GITHUB_ENV} + # Add Docker labels and tags - name: Docker meta id: docker_meta - uses: docker/metadata-action@v4 + uses: docker/metadata-action@v5 with: images: ${{ env.DOCKER_IMAGE }} - - name: Login to Docker Hub - uses: docker/login-action@v2 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - # Setup docker build environment - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - - - name: Build + - name: Build docker image and push uses: docker/build-push-action@v3 with: context: . @@ -95,8 +95,8 @@ jobs: # Use runtime labels from docker_meta as well as fixed labels labels: | ${{ steps.docker_meta.outputs.labels }} - maintainer=Bastiaan de Graaf - org.opencontainers.image.authors=Bastiaan de Graaf + maintainer=Pim van Nierop + org.opencontainers.image.authors=Pim van Nierop org.opencontainers.image.vendor=RADAR-base org.opencontainers.image.licenses=Apache-2.0 diff --git a/.github/workflows/publish_snapshots.yml b/.github/workflows/publish-snapshots.yml similarity index 68% rename from .github/workflows/publish_snapshots.yml rename to .github/workflows/publish-snapshots.yml index 5459a8e..107c2b4 100644 --- a/.github/workflows/publish_snapshots.yml +++ b/.github/workflows/publish-snapshots.yml 
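Review bot: `docker/login-action@v2` is the one Docker action in this job still on its previous major — QEMU and Buildx are bumped to `@v3` and metadata to `@v5` — and the build step below stays on `docker/build-push-action@v3` where release.yml moves to `@v6`; align them, and since these steps now hold a `GITHUB_TOKEN` that can write packages, consider pinning them to a commit SHA with the version in a comment (`uses: docker/login-action@<sha> # v3.x`) rather than a floating major tag. The `Lowercase image name` step depends on the bash-only `${REPOSITORY,,}` expansion; that holds on ubuntu-latest where `run:` defaults to bash, but an explicit `shell: bash` on the step records the assumption. Quoting the redirect target, `>>"${GITHUB_ENV}"`, is the conventional form as well.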
@@ -9,21 +9,18 @@ on: jobs: # Build and test the code build: - # The type of runner that the job will run on runs-on: ubuntu-latest - # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: distribution: temurin java-version: 17 - name: Setup Gradle - uses: gradle/gradle-build-action@v2 + uses: gradle/actions/setup-gradle@v3 - name: Has SNAPSHOT version id: is-snapshot @@ -37,6 +34,6 @@ jobs: - name: Publish env: - OSSRH_USER: ${{ secrets.OSSRH_USER }} - OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} + OSSRH_USER: ${{ secrets.OSSRH_USER_TOKEN_ID }} + OSSRH_PASSWORD: ${{ secrets.OSSRH_USER_TOKEN_SECRET }} run: ./gradlew -Psigning.gnupg.keyName=${{ secrets.OSSRH_GPG_SECRET_KEY_NAME }} -Psigning.gnupg.executable=gpg -Psigning.gnupg.passphrase=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} publish diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d224bdf..834846f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,3 @@ -# Create release files name: Release on: 
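Review bot: The GPG key name and passphrase are expanded straight into the `run:` command line (`-Psigning.gnupg.keyName=…`, `-Psigning.gnupg.passphrase=…`), so they end up in the process argument list — readable through `ps` or `/proc/<pid>/cmdline` by anything else on the runner and copied into any tooling that records the Gradle invocation — while `OSSRH_USER` / `OSSRH_PASSWORD` in the same step already go through `env:`. Move the two signing values into `env:` as well and surface them to the build as `signing.gnupg.*` project properties without touching argv, for example by writing them to a `gradle.properties` under `$GRADLE_USER_HOME` in a preceding step. GitHub's log masking hides the values in the job log but does not cover argv. The switch to token id/secret for OSSRH itself looks right.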
@@ -6,25 +5,25 @@ on: types: [published] env: - DOCKER_IMAGE: radarbase/radar-output-restructure + REGISTRY: ghcr.io + REPOSITORY: ${{ github.repository }} + DOCKER_IMAGE: radar-output-restructure jobs: upload: - # The type of runner that the job will run on runs-on: ubuntu-latest + permissions: write-all - # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: distribution: temurin java-version: 17 - name: Setup Gradle - uses: gradle/gradle-build-action@v2 + uses: gradle/actions/setup-gradle@v3 # Compile code - name: Compile code @@ -32,7 +31,7 @@ jobs: # Upload it to GitHub - name: Upload to GitHub - uses: AButler/upload-release-assets@v2.0 + uses: AButler/upload-release-assets@v3.0 with: files: 'build/libs/*;build/distributions/*' repo-token: ${{ secrets.GITHUB_TOKEN }} 
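Review bot: `permissions: write-all` on the `upload` job gives the `GITHUB_TOKEN` write access to every scope, yet the job only needs to attach release assets via `repo-token`; the sibling `docker` job in this same file is scoped to `contents: read` / `packages: write`, so be consistent and use `permissions:` / `contents: write` here (the OSSRH publish step uses its own secrets, not the token). A narrowly scoped token limits what a compromised action or build dependency in this job can do with it. Separately, this hunk names the image env key `DOCKER_IMAGE: radar-output-restructure` whereas main.yml introduces the same value as `IMAGE_NAME`, and the later `Lowercase image name` step in this file reads `${IMAGE_NAME}`; `IMAGE_NAME: radar-output-restructure` here would keep the two workflows aligned.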
@@ -44,23 +43,42 @@ jobs: - name: Publish env: - OSSRH_USER: ${{ secrets.OSSRH_USER }} - OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} + OSSRH_USER: ${{ secrets.OSSRH_USER_TOKEN_ID }} + OSSRH_PASSWORD: ${{ secrets.OSSRH_USER_TOKEN_SECRET }} run: ./gradlew -Psigning.gnupg.keyName=${{ secrets.OSSRH_GPG_SECRET_KEY_NAME }} -Psigning.gnupg.executable=gpg -Psigning.gnupg.passphrase=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} publish closeAndReleaseSonatypeStagingRepository # Build and push tagged release docker image docker: - # The type of runner that the job will run on runs-on: ubuntu-latest + permissions: + contents: read + packages: write - # Steps represent a sequence of tasks that will be executed as part of the job steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 + + # Setup docker build environment + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to Container Registry + uses: docker/login-action@v2 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Lowercase image name + run: | + echo "DOCKER_IMAGE=${REGISTRY}/${REPOSITORY,,}/${IMAGE_NAME}" >>${GITHUB_ENV} # Add Docker labels and tags - name: Docker meta id: docker_meta - uses: docker/metadata-action@v4 + uses: docker/metadata-action@v5 with: images: ${{ env.DOCKER_IMAGE }} # output 2.1.2, 2.1 and 2 
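Review bot: The new `Lowercase image name` step expands `${IMAGE_NAME}`, but this workflow's `env:` block defines the image as `DOCKER_IMAGE: radar-output-restructure` and no job-level `env:` is visible on the `docker` job, so unless the variable is supplied from outside the file the shell substitutes an empty string and `DOCKER_IMAGE` becomes `ghcr.io/<owner>/<repo>/` with a trailing slash — not a valid image reference for the metadata, build-push and `docker pull` steps that follow, i.e. the release pipeline breaks at the docker job. Either rename the top-level key to `IMAGE_NAME` as main.yml does or read the existing key here, and in both cases make an unset variable fail loudly instead of silently emptying: `echo "DOCKER_IMAGE=${REGISTRY:?}/${REPOSITORY,,}/${IMAGE_NAME:?}" >>"${GITHUB_ENV}"`. `docker/login-action@v2` in the same block also lags the `@v3` used for the QEMU and Buildx steps right above it.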
@@ -68,20 +86,8 @@ jobs: type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} - # Setup docker build environment - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - - - name: Login to DockerHub - uses: docker/login-action@v2 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v6 with: context: . file: ./Dockerfile @@ -91,21 +97,12 @@ jobs: # Use runtime labels from docker_meta as well as fixed labels labels: | ${{ steps.docker_meta.outputs.labels }} - maintainer=Bastiaan de Graaf - org.opencontainers.image.authors=Bastiaan de Graaf + maintainer=Pim van Nierop + org.opencontainers.image.authors=Pim van Nierop org.opencontainers.image.vendor=RADAR-base org.opencontainers.image.licenses=Apache-2.0 - - name: Build locally - uses: docker/build-push-action@v3 - with: - context: . - file: ./Dockerfile - platforms: linux/amd64 - load: true - tags: ${{ steps.docker_meta.outputs.tags }} - - - name: Inspect image + - name: Inspect docker image run: | + docker pull ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }} docker image inspect ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }} - docker run --rm ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }} --help diff --git a/.github/workflows/scheduled-snyk-docker.yaml b/.github/workflows/scheduled-snyk-docker.yaml index 98b92fe..9ab1241 100644 --- a/.github/workflows/scheduled-snyk-docker.yaml +++ b/.github/workflows/scheduled-snyk-docker.yaml 
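Review bot: Dropping the Docker Hub login means tagged releases are no longer pushed to `radarbase/radar-output-restructure` on Docker Hub (the name the removed `DOCKER_IMAGE` env pointed at), only to GHCR; deployments still pulling the Docker Hub tag will keep running the last image published there with no signal that updates moved. Record the registry move in the README and changelog and, if the Docker Hub repository stays up, consider a final tag or repository description there that points at `ghcr.io`. The jump to `docker/build-push-action@v6` is otherwise fine, though the same action stays at `@v3` in main.yml.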
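Review bot: The removed `Build locally` + `docker run --rm … --help` smoke test is replaced by `docker pull` and `docker image inspect` of a tag the preceding step has already pushed, so the release image is now public before anything confirms it starts, and the inspect step can no longer gate a broken release. Keep a runnable check and put it before the push — build the `linux/amd64` variant with `load: true`, run `docker run --rm <image>:<version> --help`, and only then run the multi-platform push — or, at minimum, re-add `docker run --rm ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }} --help` after the inspect so an unstartable image still fails the job. `docker image inspect` only proves the manifest exists, not that the entrypoint works.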
@@ -6,14 +6,17 @@ on: workflow_dispatch: env: - DOCKER_IMAGE: radarbase/radar-output-restructure + DOCKER_IMAGE: ghcr.io/${{ github.repository }}/radar-output-restructure jobs: security: runs-on: ubuntu-latest + permissions: + contents: read + security-events: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Run Snyk to check for vulnerabilities continue-on-error: true # To make sure that SARIF upload gets called diff --git a/.github/workflows/scheduled-snyk.yaml b/.github/workflows/scheduled-snyk.yaml index 59de425..f947817 100644 --- a/.github/workflows/scheduled-snyk.yaml +++ b/.github/workflows/scheduled-snyk.yaml @@ -8,12 +8,15 @@ on: jobs: security: runs-on: ubuntu-latest + permissions: + contents: read + security-events: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Run Snyk to check for vulnerabilities - uses: snyk/actions/gradle-jdk17@master + uses: snyk/actions/gradle-8-jdk17@master continue-on-error: true # To make sure that SARIF upload gets called env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index 28a9569..1858efa 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml @@ -11,10 +11,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Run Snyk to check for vulnerabilities - uses: snyk/actions/gradle-jdk17@master + uses: snyk/actions/gradle-8-jdk17@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: diff --git a/Dockerfile b/Dockerfile index 9077fd1..6ad544d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM --platform=$BUILDPLATFORM gradle:8.4-jdk17 AS builder +FROM --platform=$BUILDPLATFORM gradle:8.13-jdk17 AS builder RUN mkdir /code WORKDIR /code 
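Review bot: `DOCKER_IMAGE: ghcr.io/${{ github.repository }}/radar-output-restructure` uses `github.repository` verbatim, while main.yml and release.yml lowercase it (`${REPOSITORY,,}`) before building the GHCR reference; registry paths must be lowercase, so if the owner or repository name contains capitals (the image labels say `vendor=RADAR-base`, which suggests it may) this scan tries to pull a reference that does not exist and the scheduled job fails or reports nothing. Derive the name the same way as the other workflows — a `Lowercase image name` step writing `DOCKER_IMAGE` to `$GITHUB_ENV` — so every workflow agrees on one image reference. If the GHCR package is private this job also needs a registry login before the Snyk step; none is visible in the hunk.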
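Review bot: `snyk/actions/gradle-8-jdk17@master` pins a third-party action to a moving branch, and the step receives `SNYK_TOKEN` plus, through the new `security-events: write` permission, a token that can write code-scanning results; anyone able to push to that branch can run arbitrary code with both. Pin to a released tag or, better, a commit SHA with the version in a trailing comment (`uses: snyk/actions/gradle-8-jdk17@<sha> # <version>`) and let Dependabot or Renovate move it. The added `permissions:` block itself is the right shape for a job that uploads SARIF.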
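Review bot: Unlike scheduled-snyk.yaml in this same change, this job gets no `permissions:` block and so keeps the repository default token scope; if it only runs Snyk without uploading SARIF, `permissions:` / `contents: read` is enough and removes write access entirely, and if it does upload, `security-events: write` should be declared here too. The `@master` reference for `snyk/actions/gradle-8-jdk17` has the same moving-target problem as in the scheduled workflow and should be pinned to a tag or commit SHA. Whether this workflow runs on `pull_request` is outside the hunk; if it does, `SNYK_TOKEN` is not exposed to forked PRs and the step will fail there, which is worth a comment on the step.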
diff --git a/build.gradle.kts b/build.gradle.kts index 20c806d..fb37956 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -53,6 +53,19 @@ configurations["integrationTestRuntimeOnly"].extendsFrom( configurations.testRuntimeOnly.get(), ) +configurations.all { + resolutionStrategy { + /* The entries in the block below are added here to force the version of + * transitive dependencies and mitigate reported vulnerabilities */ + force( + "com.fasterxml.jackson.core:jackson-databind:${Versions.jackson}", + "io.netty:netty-codec-http:${Versions.netty}", + "io.projectreactor.netty:reactor-netty-http:${Versions.projectReactorNetty}", + "org.apache.commons:commons-lang3:3.18.0", + ) + } +} + dependencies { api("org.apache.avro:avro:${Versions.avro}") runtimeOnly("org.xerial.snappy:snappy-java:${Versions.snappy}") diff --git a/buildSrc/src/main/kotlin/Versions.kt b/buildSrc/src/main/kotlin/Versions.kt index 0dfd05e..94dfe45 100644 --- a/buildSrc/src/main/kotlin/Versions.kt +++ b/buildSrc/src/main/kotlin/Versions.kt 
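Review bot: `resolutionStrategy.force(...)` pins these four artifacts to exactly the listed versions in every configuration, which also overrides a transitive dependency that later asks for a *newer* patched release — so the block meant to mitigate vulnerabilities can quietly hold the tree back once the upstream libraries catch up. Express them as floors via dependency constraints with `version { require(...) }` inside the existing `dependencies {}` block (rewritten below), which raise older requests but let newer ones through; if a configuration that does not extend `implementation` needs the floor, add the constraint there too. `"org.apache.commons:commons-lang3:3.18.0"` is also the only hard-coded version in the block and belongs in `Versions.kt` alongside the others. Extend the comment to say what each entry mitigates and when it can be removed, e.g. `// TODO: drop each entry once the direct dependency pulling it in ships a fixed release`, since otherwise nobody knows when the override is safe to retire.
```kotlin
dependencies {
    constraints {
        // Minimum versions for transitive dependencies with reported
        // vulnerabilities. `require` is a floor, not a pin: a transitive
        // request for a newer release wins, an older one is raised.
        // TODO: drop each entry once the direct dependency pulling it in
        // ships a fixed release.
        implementation("com.fasterxml.jackson.core:jackson-databind") {
            version { require(Versions.jackson) }
        }
        implementation("io.netty:netty-codec-http") {
            version { require(Versions.netty) }
        }
        implementation("io.projectreactor.netty:reactor-netty-http") {
            version { require(Versions.projectReactorNetty) }
        }
        implementation("org.apache.commons:commons-lang3") {
            version { require("3.18.0") }
        }
    }
    // … unchanged: api / runtimeOnly declarations …
}
```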
@@ -1,36 +1,36 @@ @Suppress("ConstPropertyName") object Versions { - const val project = "3.0.2" + const val project = "3.0.3" const val java = 17 const val dockerCompose = "0.17.5" - const val radarCommons = "1.1.3" - const val radarSchemas = "0.8.11" - const val jackson = "2.16.1" + const val radarCommons = "1.2.4" + const val radarSchemas = "0.8.14" + const val jackson = "2.17.3" const val slf4j = "2.0.9" const val log4j2 = "2.21.0" const val junit = "5.10.0" - const val avro = "1.11.4" + const val avro = "1.12.0" const val mockitoKotlin = "5.1.0" const val hamcrest = "2.2" - const val wrapper = "8.4" + const val wrapper = "8.13" - const val managementPortal = "2.1.5" + const val managementPortal = "2.1.12" const val coroutines = "1.7.3" const val snappy = "1.1.10.5" const val jCommander = "1.82" const val almworks = "1.1.2" const val minio = "8.5.10" const val guava = "31.1-jre" - const val opencsv = "5.8" + const val opencsv = "5.12.0" const val okhttp = "4.12.0" const val jedis = "jedis-3.6.2" const val azureStorage = "12.25.1" - const val netty = "4.1.100.Final" + const val netty = "4.1.124.Final" const val snakeYaml = "2.2" - const val apacheCommonsText = "1.10.0" - const val projectReactorNetty = "1.1.27" + const val apacheCommonsText = "1.14.0" + const val projectReactorNetty = "1.2.9" } diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index 3fa8f86..37f853b 100644 --- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,6 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-8.13-bin.zip networkTimeout=10000 validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME