fix: Upgrade Apache Avro to 1.12.1 to address CVE-2025-33042 #281
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow will build the software and documentation to ensure there are no errors, and also | |
| # execute the tests. It also deploys a pre-release version of the library API to Maven Central (as | |
| # long as the POM versions are correctly set to a SNAPSHOT version). | |
| name: Pre-release | |
| # This workflow only runs on release branches. | |
| on: | |
| push: | |
| branches: | |
| - "release/*" | |
| jobs: | |
| detect-changes: | |
| name: Detect changes | |
| runs-on: ubuntu-latest | |
| outputs: | |
| ui: ${{ steps.filter.outputs.ui }} | |
| server: ${{ steps.filter.outputs.server }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Detect changed paths | |
| uses: dorny/paths-filter@v3 | |
| id: filter | |
| with: | |
| # Compare against the merge base to detect all changes on the release branch. | |
| base: main | |
| filters: | | |
| ui: | |
| - 'ui/**' | |
| server: | |
| - 'server/**' | |
| pre-release: | |
| name: Pre-release to Maven Central | |
| environment: maven-central | |
| runs-on: ubuntu-latest | |
| needs: detect-changes | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| submodules: recursive | |
| - name: Set up build environment | |
| uses: ./.github/actions/setup-build-tools | |
| with: | |
| java: "true" | |
| r: "true" | |
| r-pandoc: "true" | |
| python: "true" | |
| bun: "true" | |
| spark: "true" | |
| sonar-cache: "true" | |
| - name: Install GPG key | |
| env: | |
| GPG_KEY: ${{ secrets.GPG_KEY }} | |
| run: | | |
| echo "$GPG_KEY" | gpg --batch --import | |
| gpg --list-secret-keys --keyid-format LONG | |
| - name: Configure Maven settings | |
| uses: s4u/maven-settings-action@v3.1.0 | |
| with: | |
| servers: | | |
| [{ | |
| "id": "central", | |
| "username": "${{ secrets.OSSRH_USERNAME }}", | |
| "password": "${{ secrets.OSSRH_PASSWORD }}" | |
| }] | |
| - name: Run security scan | |
| uses: ./.github/actions/trivy-scan | |
| with: | |
| skip-db-update: "true" | |
| - name: Run deploy goal (pre-release) | |
| env: | |
| R_KEEP_PKG_SOURCE: yes | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} | |
| run: | | |
| mvn --batch-mode deploy \ | |
| org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \ | |
| -Dsonar.projectKey=aehrc_pathling -Dsonar.organization=aehrc \ | |
| -Dsonar.host.url=https://sonarcloud.io \ | |
| -Dsonar.sarifReportPaths=trivy-results.sarif \ | |
| -pl '!benchmark' -Pdocs,mavenPreRelease,check | |
| timeout-minutes: 60 | |
| - name: Upload test artifacts | |
| if: always() | |
| uses: ./.github/actions/upload-test-artifacts | |
| with: | |
| include-jars: "true" | |
| include-python: "true" | |
| include-r: "true" | |
| include-site: "true" | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: arn:aws:iam::865780493209:role/PathlingBenchmarkUpload | |
| aws-region: ap-southeast-2 | |
| - name: Upload SQL on FHIR test report to S3 | |
| run: aws s3 cp fhirpath/target/fhir-view-compliance-test.json s3://pathling-benchmark/test-reports/${{ github.ref }}/sof-test-results.json | |
| test-ui: | |
| name: Test UI | |
| needs: [detect-changes, pre-release] | |
| if: needs.detect-changes.outputs.ui == 'true' | |
| uses: ./.github/workflows/ui-test.yml | |
| test-server: | |
| name: Test server | |
| needs: [detect-changes, pre-release] | |
| if: needs.detect-changes.outputs.server == 'true' | |
| uses: ./.github/workflows/server-test.yml | |
| secrets: inherit |