From d672d055f8aa1b0a43e72545b7d104218882ec7c Mon Sep 17 00:00:00 2001
From: Pim van Nierop
Date: Tue, 2 Sep 2025 13:51:27 +0200
Subject: [PATCH 01/10] Fix deprecated action
---
 .github/workflows/snyk.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
index 28a9569..1858efa 100644
--- a/.github/workflows/snyk.yaml
+++ b/.github/workflows/snyk.yaml
@@ -11,10 +11,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 - name: Run Snyk to check for vulnerabilities
- uses: snyk/actions/gradle-jdk17@master
+ uses: snyk/actions/gradle-8-jdk17@master
 env:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
From 860c2e5a8bb8f1dfa53eb029c9f838b1eef71ecf Mon Sep 17 00:00:00 2001
From: Pim van Nierop
Date: Tue, 2 Sep 2025 14:58:31 +0200
Subject: [PATCH 02/10] Perform weekly Snyk scan on image from GHCR
---
 .github/workflows/scheduled-snyk-docker.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/scheduled-snyk-docker.yaml b/.github/workflows/scheduled-snyk-docker.yaml
index 98b92fe..9ab1241 100644
--- a/.github/workflows/scheduled-snyk-docker.yaml
+++ b/.github/workflows/scheduled-snyk-docker.yaml
@@ -6,14 +6,17 @@ on:
 workflow_dispatch:
 env:
- DOCKER_IMAGE: radarbase/radar-output-restructure
+ DOCKER_IMAGE: ghcr.io/${{ github.repository }}/radar-output-restructure
 jobs:
 security:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 - name: Run Snyk to check for vulnerabilities
 continue-on-error: true # To make sure that SARIF upload gets called
From 2cd871543c11a780a4e527ff9421cf9a59a2b5f4 Mon Sep 17 00:00:00 2001
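Review bot: The Snyk action is still referenced through the mutable `master` ref (`uses: snyk/actions/gradle-8-jdk17@master`), so each run executes whatever that branch holds at the time; scheduled-snyk.yaml in patch 06/10 keeps the same pattern. Pinning to a release tag or, preferably, a full commit SHA with the version noted in a trailing comment (`uses: snyk/actions/gradle-8-jdk17@<commit-sha>  # <release-tag>`) makes the action content reproducible and limits the blast radius if the upstream branch is altered. The step's `with:` block continues outside the hunk.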
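Review bot: `DOCKER_IMAGE: ghcr.io/${{ github.repository }}/radar-output-restructure` embeds the repository slug verbatim, but GHCR image names must be lowercase; the other workflows in this series lowercase the slug with `${REPOSITORY,,}` before using it, and this one does not, so the scan should fail whenever the owner or repository name contains an uppercase character. Either derive the name the same way (a `run:` step writing the lowercased value to `$GITHUB_ENV`) or spell the lowercase path out literally. If the package is not public, the scan will also need `packages: read` next to the permissions added here. The Snyk step continues outside the hunk.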
From: Pim van Nierop
Date: Tue, 2 Sep 2025 14:59:01 +0200
Subject: [PATCH 03/10] Publish docker image to GitHub container registry
---
 .github/workflows/release.yml | 79 +++++++++++++++++------------------
 1 file changed, 38 insertions(+), 41 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d224bdf..7388a30 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,4 +1,3 @@
-# Create release files
 name: Release
 on:
@@ -6,25 +5,25 @@ on:
 types: [published]
 env:
- DOCKER_IMAGE: radarbase/radar-output-restructure
+ REGISTRY: ghcr.io
+ REPOSITORY: ${{ github.repository }}
+ DOCKER_IMAGE: radar-output-restructure
 jobs:
 upload:
- # The type of runner that the job will run on
 runs-on: ubuntu-latest
+ permissions: write-all
- # Steps represent a sequence of tasks that will be executed as part of the job
 steps:
- # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
- - uses: actions/setup-java@v3
+ - uses: actions/setup-java@v4
 with:
 distribution: temurin
 java-version: 17
 - name: Setup Gradle
- uses: gradle/gradle-build-action@v2
+ uses: gradle/gradle-build-action@v3
 # Compile code
 - name: Compile code
@@ -32,7 +31,7 @@ jobs:
 # Upload it to GitHub
 - name: Upload to GitHub
- uses: AButler/upload-release-assets@v2.0
+ uses: AButler/upload-release-assets@v3.0
 with:
 files: 'build/libs/*;build/distributions/*'
 repo-token: ${{ secrets.GITHUB_TOKEN }}
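Review bot: `permissions: write-all` on the `upload` job hands the workflow token every scope, but the only step that visibly uses `GITHUB_TOKEN` is the release-asset upload (`repo-token: ${{ secrets.GITHUB_TOKEN }}`), which needs `contents: write`; the Publish step authenticates with OSSRH secrets instead. The `docker` job added in the same patch scopes its token to `contents: read` and `packages: write`, so this job should be scoped the same way: `permissions:` / `  contents: write`. If a step outside the hunk depends on another scope, list that scope explicitly rather than granting all of them.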
@@ -44,23 +43,42 @@ jobs:
 - name: Publish
 env:
- OSSRH_USER: ${{ secrets.OSSRH_USER }}
- OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+ OSSRH_USER: ${{ secrets.OSSRH_USER_TOKEN_ID }}
+ OSSRH_PASSWORD: ${{ secrets.OSSRH_USER_TOKEN_SECRET }}
 run: ./gradlew -Psigning.gnupg.keyName=${{ secrets.OSSRH_GPG_SECRET_KEY_NAME }} -Psigning.gnupg.executable=gpg -Psigning.gnupg.passphrase=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} publish closeAndReleaseSonatypeStagingRepository
 # Build and push tagged release docker image
 docker:
- # The type of runner that the job will run on
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
- # Steps represent a sequence of tasks that will be executed as part of the job
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
+
+ # Setup docker build environment
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to Container Registry
+ uses: docker/login-action@v2
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Lowercase image name
+ run: |
+ echo "DOCKER_IMAGE=${REGISTRY}/${REPOSITORY,,}/${IMAGE_NAME}" >>${GITHUB_ENV}
 # Add Docker labels and tags
 - name: Docker meta
 id: docker_meta
- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@v5
 with:
 images: ${{ env.DOCKER_IMAGE }}
 # output 2.1.2, 2.1 and 2
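Review bot: The new `Lowercase image name` step expands `${IMAGE_NAME}`, but this workflow's `env:` (earlier hunk) names the image `DOCKER_IMAGE: radar-output-restructure` and never sets `IMAGE_NAME`, so unless it is defined somewhere not visible here the written value ends in a trailing slash (`ghcr.io/<owner>/<repo>/`) and the metadata, push and inspect steps receive a malformed image reference; main.yml in patch 05/10 defines `IMAGE_NAME` for this exact line. Rename the workflow-level key to `IMAGE_NAME: radar-output-restructure` (or make the step read `${DOCKER_IMAGE}`) so both workflows share one shape. Separately, `docker/login-action@v2` is the only Docker action left on an old major while QEMU, Buildx and metadata were bumped; `uses: docker/login-action@v3` would be consistent. The `docker` job continues past the end of the hunk.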
@@ -68,20 +86,8 @@ jobs:
 type=semver,pattern={{version}}
 type=semver,pattern={{major}}.{{minor}}
- # Setup docker build environment
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
-
- - name: Login to DockerHub
- uses: docker/login-action@v2
- with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
-
 - name: Build and push
- uses: docker/build-push-action@v3
+ uses: docker/build-push-action@v6
 with:
 context: .
 file: ./Dockerfile
@@ -91,21 +97,12 @@ jobs:
 # Use runtime labels from docker_meta as well as fixed labels
 labels: |
 ${{ steps.docker_meta.outputs.labels }}
- maintainer=Bastiaan de Graaf
- org.opencontainers.image.authors=Bastiaan de Graaf
+ maintainer=Pim van Nierop
+ org.opencontainers.image.authors=Pim van Nierop
 org.opencontainers.image.vendor=RADAR-base
 org.opencontainers.image.licenses=Apache-2.0
- - name: Build locally
- uses: docker/build-push-action@v3
- with:
- context: .
- file: ./Dockerfile
- platforms: linux/amd64
- load: true
- tags: ${{ steps.docker_meta.outputs.tags }}
-
- - name: Inspect image
+ - name: Inspect docker image
 run: |
+ docker pull ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }}
 docker image inspect ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }}
- docker run --rm ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }} --help
From 93aee57667e0043105401f309e8d30cabe1f05c1 Mon Sep 17 00:00:00 2001
From: Pim van Nierop
Date: Tue, 2 Sep 2025 14:59:18 +0200
Subject: [PATCH 04/10] Rename action yaml file
---
 ...{publish_snapshots.yml => publish-snapshots.yml} | 13 +++++-------
 1 file changed, 5 insertions(+), 8 deletions(-)
 rename .github/workflows/{publish_snapshots.yml => publish-snapshots.yml} (68%)
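Review bot: The rewritten `Inspect docker image` step drops the `docker run --rm … --help` line, so the release job now only pulls the image and reads its metadata and no longer verifies that the published image actually starts; with the local single-arch `Build locally` step removed in the same hunk, that line was the last runtime check in the pipeline. Keep the smoke test after the inspect: `docker run --rm ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }} --help`.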
diff --git a/.github/workflows/publish_snapshots.yml b/.github/workflows/publish-snapshots.yml
similarity index 68%
rename from .github/workflows/publish_snapshots.yml
rename to .github/workflows/publish-snapshots.yml
index 5459a8e..1f964b1 100644
--- a/.github/workflows/publish_snapshots.yml
+++ b/.github/workflows/publish-snapshots.yml
@@ -9,21 +9,18 @@ on:
 jobs:
 # Build and test the code
 build:
- # The type of runner that the job will run on
 runs-on: ubuntu-latest
- # Steps represent a sequence of tasks that will be executed as part of the job
 steps:
- # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
- - uses: actions/setup-java@v3
+ - uses: actions/setup-java@v4
 with:
 distribution: temurin
 java-version: 17
 - name: Setup Gradle
- uses: gradle/gradle-build-action@v2
+ uses: gradle/gradle-build-action@v3
 - name: Has SNAPSHOT version
 id: is-snapshot
@@ -37,6 +34,6 @@ jobs:
 - name: Publish
 env:
- OSSRH_USER: ${{ secrets.OSSRH_USER }}
- OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+ OSSRH_USER: ${{ secrets.OSSRH_USER_TOKEN_ID }}
+ OSSRH_PASSWORD: ${{ secrets.OSSRH_USER_TOKEN_SECRET }}
 run: ./gradlew -Psigning.gnupg.keyName=${{ secrets.OSSRH_GPG_SECRET_KEY_NAME }} -Psigning.gnupg.executable=gpg -Psigning.gnupg.passphrase=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} publish
From 1006120278d1a41b4ec01bd19d7b351543cea341 Mon Sep 17 00:00:00 2001
From: Pim van Nierop
Date: Tue, 2 Sep 2025 14:59:45 +0200
Subject: [PATCH 05/10] Push docker images from main.yaml to GitHub Container Registry
---
 .github/workflows/main.yml | 52 +++++++++++++++++++-------------------
 1 file changed, 26 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 7e9067d..55e6a79 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -9,17 +9,15 @@ on:
 branches: [ main, dev ]
 env:
- DOCKER_IMAGE: radarbase/radar-output-restructure
+ REGISTRY: ghcr.io
+ REPOSITORY: ${{ github.repository }}
+ IMAGE_NAME: radar-output-restructure
 jobs:
- # Build and test the code
 build:
- # The type of runner that the job will run on
 runs-on: ubuntu-latest
- # Steps represent a sequence of tasks that will be executed as part of the job
 steps:
- # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
 - uses: actions/checkout@v3
 - uses: actions/setup-java@v3
@@ -47,13 +45,17 @@ jobs:
 # Check that the docker image builds correctly
 docker:
- # The type of runner that the job will run on
 runs-on: ubuntu-latest
- # Steps represent a sequence of tasks that will be executed as part of the job
 steps:
- # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
+
+ # Setup docker build environment
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
 - name: Cache Docker layers
 uses: actions/cache@v3
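Review bot: The `docker` job gains QEMU/Buildx setup steps but no `permissions:` block, while the next hunk logs in to GHCR with `GITHUB_TOKEN` and renames the build step to `Build docker image and push`; unlike the `docker` job in release.yml (patch 03/10), which declares `contents: read` and `packages: write`, this job runs with the repository's default token scope, and the push fails if that default is read-only. Add `permissions:` / `  contents: read` / `  packages: write` under `runs-on`, as release.yml does. For `pull_request` runs from forks the token is read-only regardless, so if this workflow's triggers (outside the hunk) include such events, the push should be made conditional on the event.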
@@ -63,27 +65,25 @@ jobs:
 restore-keys: |
 ${{ runner.os }}-buildx-
+ - name: Login to Container Registry
+ uses: docker/login-action@v2
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Lowercase image name
+ run: |
+ echo "DOCKER_IMAGE=${REGISTRY}/${REPOSITORY,,}/${IMAGE_NAME}" >>${GITHUB_ENV}
+
 # Add Docker labels and tags
 - name: Docker meta
 id: docker_meta
- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@v5
 with:
 images: ${{ env.DOCKER_IMAGE }}
- - name: Login to Docker Hub
- uses: docker/login-action@v2
- with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
-
- # Setup docker build environment
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
-
- - name: Build
+ - name: Build docker image and push
 uses: docker/build-push-action@v3
 with:
 context: .
@@ -95,8 +95,8 @@ jobs:
 # Use runtime labels from docker_meta as well as fixed labels
 labels: |
 ${{ steps.docker_meta.outputs.labels }}
- maintainer=Bastiaan de Graaf
- org.opencontainers.image.authors=Bastiaan de Graaf
+ maintainer=Pim van Nierop
+ org.opencontainers.image.authors=Pim van Nierop
 org.opencontainers.image.vendor=RADAR-base
 org.opencontainers.image.licenses=Apache-2.0
From edf83dfc6016e6a2974f5f89be4e355b0005457b Mon Sep 17 00:00:00 2001
From: Pim van Nierop
Date: Tue, 2 Sep 2025 14:59:56 +0200
Subject: [PATCH 06/10] Fix deprecated action
---
 .github/workflows/scheduled-snyk.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/scheduled-snyk.yaml b/.github/workflows/scheduled-snyk.yaml
index 59de425..f947817 100644
--- a/.github/workflows/scheduled-snyk.yaml
+++ b/.github/workflows/scheduled-snyk.yaml
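Review bot: The step is renamed `Build docker image and push` but stays on `docker/build-push-action@v3`, and the new login step uses `docker/login-action@v2`, while the same series moves release.yml to `build-push-action@v6` and bumps QEMU, Buildx and metadata to their current majors; keeping CI and release on the same action versions avoids the two builds drifting apart. Whether this step pushes at all depends on its `push:` input, which is outside the hunk; if it remains false, the login and the new step name are misleading. `${REPOSITORY,,}` relies on bash's case-modification expansion, which the default `run` shell on ubuntu-latest provides, but it deserves a comment on the `run:` line, e.g. `# ${VAR,,} is bash-only; GHCR requires a lowercase image path`.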
@@ -8,12 +8,15 @@ on:
 jobs:
 security:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 - name: Run Snyk to check for vulnerabilities
- uses: snyk/actions/gradle-jdk17@master
+ uses: snyk/actions/gradle-8-jdk17@master
 continue-on-error: true # To make sure that SARIF upload gets called
 env:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
From 6465c77844443aad71a461915f42ee5bdb257250 Mon Sep 17 00:00:00 2001
From: Pim van Nierop
Date: Tue, 2 Sep 2025 15:03:06 +0200
Subject: [PATCH 07/10] Up gradle to version 8.13
---
 Dockerfile | 2 +-
 buildSrc/src/main/kotlin/Versions.kt | 2 +-
 gradle/wrapper/gradle-wrapper.properties | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 9077fd1..6ad544d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,7 +10,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM --platform=$BUILDPLATFORM gradle:8.4-jdk17 AS builder
+FROM --platform=$BUILDPLATFORM gradle:8.13-jdk17 AS builder
 RUN mkdir /code
 WORKDIR /code
diff --git a/buildSrc/src/main/kotlin/Versions.kt b/buildSrc/src/main/kotlin/Versions.kt
index 0dfd05e..dd0f8e1 100644
--- a/buildSrc/src/main/kotlin/Versions.kt
+++ b/buildSrc/src/main/kotlin/Versions.kt
@@ -16,7 +16,7 @@ object Versions {
 const val mockitoKotlin = "5.1.0"
 const val hamcrest = "2.2"
- const val wrapper = "8.4"
+ const val wrapper = "8.13"
 const val managementPortal = "2.1.5"
 const val coroutines = "1.7.3"
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index 3fa8f86..37f853b 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.13-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
From 4b592ce0229134c27b79c4ac07ee8ff42c88fa87 Mon Sep 17 00:00:00 2001
From: Pim van Nierop
Date: Tue, 2 Sep 2025 15:05:18 +0200
Subject: [PATCH 08/10] Apply security upgrades October 2025 platform upgrade
---
 build.gradle.kts | 13 +++++++++++++
 buildSrc/src/main/kotlin/Versions.kt | 18 +++++++++--------
 2 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/build.gradle.kts b/build.gradle.kts
index 20c806d..fb37956 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -53,6 +53,19 @@ configurations["integrationTestRuntimeOnly"].extendsFrom(
 configurations.testRuntimeOnly.get(),
 )
+configurations.all {
+ resolutionStrategy {
+ /* The entries in the block below are added here to force the version of
+ * transitive dependencies and mitigate reported vulnerabilities */
+ force(
+ "com.fasterxml.jackson.core:jackson-databind:${Versions.jackson}",
+ "io.netty:netty-codec-http:${Versions.netty}",
+ "io.projectreactor.netty:reactor-netty-http:${Versions.projectReactorNetty}",
+ "org.apache.commons:commons-lang3:3.18.0",
+ )
+ }
+}
+
 dependencies {
 api("org.apache.avro:avro:${Versions.avro}")
 runtimeOnly("org.xerial.snappy:snappy-java:${Versions.snappy}")
diff --git a/buildSrc/src/main/kotlin/Versions.kt b/buildSrc/src/main/kotlin/Versions.kt
index dd0f8e1..0277c79 100644
--- a/buildSrc/src/main/kotlin/Versions.kt
+++ b/buildSrc/src/main/kotlin/Versions.kt
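Review bot: In the new `force(...)` block, `"org.apache.commons:commons-lang3:3.18.0"` is the only entry with a literal version while its siblings read from `Versions`, so the next security bump of Versions.kt will silently skip it; add `const val commonsLang3 = "3.18.0"` to `Versions` and reference `${Versions.commonsLang3}` here. Because `force` overrides every requested version, including a higher one a future dependency may require, the block comment should state that these entries must be re-evaluated on each dependency upgrade rather than left in place indefinitely, e.g. `// Forced versions win over anything a dependency requests; re-check on every upgrade.`.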
@@ -5,32 +5,32 @@ object Versions {
 const val java = 17
 const val dockerCompose = "0.17.5"
- const val radarCommons = "1.1.3"
- const val radarSchemas = "0.8.11"
- const val jackson = "2.16.1"
+ const val radarCommons = "1.2.4"
+ const val radarSchemas = "0.8.14"
+ const val jackson = "2.17.3"
 const val slf4j = "2.0.9"
 const val log4j2 = "2.21.0"
 const val junit = "5.10.0"
- const val avro = "1.11.4"
+ const val avro = "1.12.0"
 const val mockitoKotlin = "5.1.0"
 const val hamcrest = "2.2"
 const val wrapper = "8.13"
- const val managementPortal = "2.1.5"
+ const val managementPortal = "2.1.12"
 const val coroutines = "1.7.3"
 const val snappy = "1.1.10.5"
 const val jCommander = "1.82"
 const val almworks = "1.1.2"
 const val minio = "8.5.10"
 const val guava = "31.1-jre"
- const val opencsv = "5.8"
+ const val opencsv = "5.12.0"
 const val okhttp = "4.12.0"
 const val jedis = "jedis-3.6.2"
 const val azureStorage = "12.25.1"
- const val netty = "4.1.100.Final"
+ const val netty = "4.1.124.Final"
 const val snakeYaml = "2.2"
- const val apacheCommonsText = "1.10.0"
- const val projectReactorNetty = "1.1.27"
+ const val apacheCommonsText = "1.14.0"
+ const val projectReactorNetty = "1.2.9"
 }
From acf9046057ba06c8daa67949ce28a190871aa71d Mon Sep 17 00:00:00 2001
From: Pim van Nierop
Date: Wed, 3 Sep 2025 08:08:59 +0200
Subject: [PATCH 09/10] Fix deprecated GitHub action
---
 .github/workflows/main.yml | 2 +-
 .github/workflows/publish-snapshots.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 55e6a79..401dcbf 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -26,7 +26,7 @@ jobs:
 java-version: 17
 - name: Setup Gradle
- uses: gradle/gradle-build-action@v2
+ uses: gradle/actions/setup-gradle@v3
 # Compile the code
 - name: Compile code
diff --git a/.github/workflows/publish-snapshots.yml b/.github/workflows/publish-snapshots.yml
index 1f964b1..107c2b4 100644
--- a/.github/workflows/publish-snapshots.yml
+++ b/.github/workflows/publish-snapshots.yml
@@ -20,7 +20,7 @@ jobs:
 java-version: 17
 - name: Setup Gradle
- uses: gradle/gradle-build-action@v3
+ uses: gradle/actions/setup-gradle@v3
 - name: Has SNAPSHOT version
 id: is-snapshot
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7388a30..834846f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,7 +23,7 @@ jobs:
 java-version: 17
 - name: Setup Gradle
- uses: gradle/gradle-build-action@v3
+ uses: gradle/actions/setup-gradle@v3
 # Compile code
 - name: Compile code
From a790d525ba90d053ffc9429c45bb13648ed0f8bf Mon Sep 17 00:00:00 2001
From: Pim van Nierop
Date: Tue, 2 Sep 2025 15:22:41 +0200
Subject: [PATCH 10/10] Up project to version 3.0.3
---
 buildSrc/src/main/kotlin/Versions.kt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/buildSrc/src/main/kotlin/Versions.kt b/buildSrc/src/main/kotlin/Versions.kt
index 0277c79..94dfe45 100644
--- a/buildSrc/src/main/kotlin/Versions.kt
+++ b/buildSrc/src/main/kotlin/Versions.kt
@@ -1,6 +1,6 @@
 @Suppress("ConstPropertyName")
 object Versions {
- const val project = "3.0.2"
+ const val project = "3.0.3"
 const val java = 17
 const val dockerCompose = "0.17.5"