diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 70d886a00f..66e5b9d03f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,11 +4,17 @@ updates:
 directory: /
 schedule:
 interval: daily
+ cooldown:
+ default-days: 7
 - package-ecosystem: docker
 directory: /apiserver/src/main/docker
 schedule:
 interval: weekly
+ cooldown:
+ default-days: 7
 - package-ecosystem: github-actions
 directory: /
 schedule:
 interval: weekly
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/_meta-build.yaml b/.github/workflows/_meta-build.yaml
index ad375967d2..bb22a4f9ea 100644
--- a/.github/workflows/_meta-build.yaml
+++ b/.github/workflows/_meta-build.yaml
@@ -46,6 +46,8 @@ jobs:
 steps:
 - name: Checkout Repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up JDK
 uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # tag=v5.2.0
@@ -106,6 +108,8 @@ jobs:
 steps:
 - name: Checkout Repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+ with:
+ persist-credentials: false
 - name: Download Artifacts
 uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # tag=v8.0.1
@@ -135,16 +139,18 @@ jobs:
 - name: Set Container Tags
 id: tags
+ env:
+ REF_NAME: ${{ inputs.ref-name }}
+ APP_VERSION: ${{ inputs.app-version }}
 run: |-
 IMAGE_NAME="ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/hyades-apiserver"
- REF_NAME="${{ inputs.ref-name }}"
 TAGS=""
-
+
 if [[ $REF_NAME == feature-* ]]; then
 TAGS="${IMAGE_NAME}:${REF_NAME,,}"
 else
- TAGS="${IMAGE_NAME}:${{ inputs.app-version }}"
- if [[ "${{ inputs.app-version }}" != "snapshot" && "${{ inputs.app-version }}" != *-* ]]; then
+ TAGS="${IMAGE_NAME}:${APP_VERSION}"
+ if [[ "${APP_VERSION}" != "snapshot" && "${APP_VERSION}" != *-* ]]; then
 TAGS="${TAGS},${IMAGE_NAME}:latest"
 fi
 fi
diff --git a/.github/workflows/buf.yml b/.github/workflows/buf.yml
index 31197948ab..6475110d25 100644
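Review bot: The three new `cooldown:` blocks in dependabot.yml carry no explanation of why a 7-day delay was chosen, so the next maintainer cannot tell whether it is a noise-reduction measure or a supply-chain one, and whether it is safe to shorten. A one-line comment above each block would record the intent, e.g. `# Hold new releases for a week before proposing them, so versions that are yanked or found malicious shortly after publication are never pulled in`; if the reason is different, state that instead. The same comment is wanted on all three ecosystems, since the docker and github-actions entries are the ones where a freshly published version is most often the problem.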
--- a/.github/workflows/buf.yml
+++ b/.github/workflows/buf.yml
@@ -32,6 +32,8 @@ jobs:
 steps:
 - name: Checkout Repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup buf
 uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # tag=v1.50.0
 with:
diff --git a/.github/workflows/ci-lint.yaml b/.github/workflows/ci-lint.yaml
index de045eb2b2..4c664c49bf 100644
--- a/.github/workflows/ci-lint.yaml
+++ b/.github/workflows/ci-lint.yaml
@@ -38,6 +38,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
+permissions: { }
+
 jobs:
 lint:
 name: Lint
@@ -46,6 +48,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up JDK
 uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # tag=v5.2.0
 with:
diff --git a/.github/workflows/ci-openapi.yaml b/.github/workflows/ci-openapi.yaml
index 831b596355..b891b11611 100644
--- a/.github/workflows/ci-openapi.yaml
+++ b/.github/workflows/ci-openapi.yaml
@@ -38,6 +38,8 @@ jobs:
 steps:
 - name: Checkout Repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+ with:
+ persist-credentials: false
 - name: Lint OpenAPI Spec
 run: make lint-openapi
@@ -48,6 +50,8 @@ jobs:
 steps:
 - name: Checkout Repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+ with:
+ persist-credentials: false
 - name: Detect Breaking Changes
 uses: oasdiff/oasdiff-action/breaking@2a37bc82462349c03a533b8b608bebbaf57b3e60 # tag=v0.0.33
 with:
diff --git a/.github/workflows/ci-publish.yaml b/.github/workflows/ci-publish.yaml
index 5fd660c669..b3ec517bed 100644
--- a/.github/workflows/ci-publish.yaml
+++ b/.github/workflows/ci-publish.yaml
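Review bot: `+permissions: { }` in ci-lint.yaml spells the empty flow mapping with inner spaces; the conventional, yamllint/Prettier-default form is `permissions: {}`, and an empty block at the top of a workflow is easy to misread as an unfinished edit, so it deserves a comment such as `# Deny every default token permission; jobs that need more declare it themselves`. The checkout hunks in buf.yml and ci-openapi.yaml on this line are fine as written, provided no later step in those jobs pushes or otherwise relies on the persisted git credential, which is outside the hunks. If those two workflows do not already have a top-level `permissions:` block of their own (not visible here), the same deny-by-default line belongs there too.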
@@ -39,6 +39,8 @@ jobs:
 fi
 - name: Checkout Repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+ with:
+ persist-credentials: false
 - name: Parse Version from POM
 id: parse
@@ -63,12 +65,16 @@ jobs:
 update-github-release:
 runs-on: ubuntu-latest
 timeout-minutes: 5
+ permissions:
+ contents: write
 needs:
 - read-version
 - call-build
 steps:
 - name: Checkout Repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+ with:
+ persist-credentials: false
 - name: Download Distribution Archive
 uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # tag=v8.0.1
@@ -98,9 +104,10 @@ jobs:
 - name: Update Release
 env:
- GITHUB_TOKEN: ${{ secrets.BOT_RELEASE_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ RELEASE_VERSION: ${{ needs.read-version.outputs.version }}
 run: |-
- gh release upload ${{ needs.read-version.outputs.version }} \
+ gh release upload "${RELEASE_VERSION}" \
 --clobber \
 target/dependency-track-apiserver-dist.tar.gz \
 target/bom.json \
@@ -108,7 +115,8 @@ jobs:
 - name: Publish Release
 env:
- GITHUB_TOKEN: ${{ secrets.BOT_RELEASE_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ RELEASE_VERSION: ${{ needs.read-version.outputs.version }}
 run: |-
- gh release edit ${{ needs.read-version.outputs.version }} \
+ gh release edit "${RELEASE_VERSION}" \
 --draft=false
diff --git a/.github/workflows/ci-release.yaml b/.github/workflows/ci-release.yaml
index d0a881c279..ea227b76f3 100644
--- a/.github/workflows/ci-release.yaml
+++ b/.github/workflows/ci-release.yaml
@@ -52,7 +52,6 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
 with:
- token: "${{ secrets.BOT_RELEASE_TOKEN }}"
 fetch-depth: 0
 - name: Set up JDK
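Review bot: Replacing `secrets.BOT_RELEASE_TOKEN` with `secrets.GITHUB_TOKEN` changes event fan-out, not only authorization: actions performed with the workflow token never start other workflow runs, so `gh release edit "${RELEASE_VERSION}" --draft=false` in ci-publish.yaml will no longer produce a `release` event that other workflows can react to, and in ci-release.yaml the commits and tag that the Maven release presumably pushes through the now-default checkout credential will not trigger push- or tag-based workflows either. If anything in this repository listens for those events, it silently stops running after this change; confirm that, or keep an app or PAT token for that single step. The ci-release job also needs `contents: write` for its push now that the checkout `token:` is gone, which lies outside this hunk. Recording the trade-off next to the env entry would help the next reader: `# Workflow token: events it creates do not start other workflows`.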
@@ -64,19 +63,23 @@ jobs:
 - name: Configure Git
 run: |
- git config user.name "dependencytrack-bot"
- git config user.email "106437498+dependencytrack-bot@users.noreply.github.com"
+ git config user.name "github-actions[bot]"
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
 - name: Perform Maven Release
+ env:
+ INPUT_RELEASE_VERSION: ${{ inputs.release-version }}
+ INPUT_DEVELOPMENT_VERSION: ${{ inputs.development-version }}
+ INPUT_DRY_RUN: ${{ inputs.dry-run }}
 run: |-
 MAVEN_ARGS="-B"
- if [[ -n "${{ inputs.release-version }}" ]]; then
- MAVEN_ARGS="${MAVEN_ARGS} -DreleaseVersion=${{ inputs.release-version }}"
+ if [[ -n "${INPUT_RELEASE_VERSION}" ]]; then
+ MAVEN_ARGS="${MAVEN_ARGS} -DreleaseVersion=${INPUT_RELEASE_VERSION}"
 fi
- if [[ -n "${{ inputs.development-version }}" ]]; then
- MAVEN_ARGS="${MAVEN_ARGS} -DdevelopmentVersion=${{ inputs.development-version }}"
+ if [[ -n "${INPUT_DEVELOPMENT_VERSION}" ]]; then
+ MAVEN_ARGS="${MAVEN_ARGS} -DdevelopmentVersion=${INPUT_DEVELOPMENT_VERSION}"
 fi
- if [[ "${{ inputs.dry-run }}" == "true" ]]; then
+ if [[ "${INPUT_DRY_RUN}" == "true" ]]; then
 MAVEN_ARGS="${MAVEN_ARGS} -DdryRun=true"
 fi
 export MAVEN_ARGS
diff --git a/.github/workflows/ci-test-pr-coverage.yml b/.github/workflows/ci-test-pr-coverage.yml
index 5b73686f60..863aac051f 100644
--- a/.github/workflows/ci-test-pr-coverage.yml
+++ b/.github/workflows/ci-test-pr-coverage.yml
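Review bot: `MAVEN_ARGS` is assembled as one whitespace-separated string and exported, so a value of `INPUT_RELEASE_VERSION` or `INPUT_DEVELOPMENT_VERSION` containing spaces is no longer a template injection after this change but still splits into additional Maven arguments when Maven reads `MAVEN_ARGS`. These are presumably typed by a human on dispatch, so a cheap shape check right after `MAVEN_ARGS="-B"` turns that into an explicit failure: `if [[ -n "${INPUT_RELEASE_VERSION}" && ! "${INPUT_RELEASE_VERSION}" =~ ^[0-9A-Za-z.+-]+$ ]]; then echo "invalid release-version" >&2; exit 1; fi`, with the same check for the development version. The new `git config user.email` value is the address GitHub documents for `github-actions[bot]`, which is consistent with the token switch in the previous hunk.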
@@ -43,9 +43,12 @@ jobs:
 - name: Ensure Git repository is initialized
 run: git init
 - name: Report Coverage to Codacy
+ env:
+ CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }}
+ COMMIT_SHA: ${{ github.event.workflow_run.head_sha }}
 run: |-
 bash <(curl -Ls https://coverage.codacy.com/get.sh) report \
- --project-token ${{ secrets.CODACY_PROJECT_TOKEN }} \
- --commit-uuid ${{ github.event.workflow_run.head_sha }} \
+ --project-token "${CODACY_PROJECT_TOKEN}" \
+ --commit-uuid "${COMMIT_SHA}" \
 --coverage-reports ./coverage-report/target/site/jacoco-aggregate/jacoco.xml \
 --language Java
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
index e9e5f9c48a..54ee9f9e7c 100644
--- a/.github/workflows/dependency-review.yaml
+++ b/.github/workflows/dependency-review.yaml
@@ -27,6 +27,8 @@ jobs:
 steps:
 - name: Checkout Repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+ with:
+ persist-credentials: false
 - name: Dependency Review
 uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # tag=v4.9.0
diff --git a/.github/workflows/mirror-container-image.yml b/.github/workflows/mirror-container-image.yml
index c80d84b53e..739bdfbb84 100644
--- a/.github/workflows/mirror-container-image.yml
+++ b/.github/workflows/mirror-container-image.yml
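Review bot: Moving the token into `CODACY_PROJECT_TOKEN` removes the template injection, but the step still hands that secret to a script fetched over the network and executed unverified, `bash <(curl -Ls https://coverage.codacy.com/get.sh) report`, so any change at that endpoint runs with the secret on every invocation. Pinning is the usual fix and matches how every other action in these workflows is already referenced: use the vendor's action pinned by commit SHA (`codacy/codacy-coverage-reporter-action@<commit-sha>`), or download a fixed reporter release and verify its checksum before executing it. This matters more than in an ordinary PR workflow because the job runs on `workflow_run` (visible in `github.event.workflow_run.head_sha`), i.e. in the base repository's context with secrets available, for coverage produced from pull-request code.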
@@ -45,11 +45,15 @@ jobs:
 - name: Setup Crane
 uses: imjasonh/setup-crane@6da1ae018866400525525ce74ff892880c099987 # tag=v0.5
 - name: Mirror image to Docker Hub
+ env:
+ PACKAGE_NAMESPACE: ${{ github.event.registry_package.namespace }}
+ PACKAGE_NAME: ${{ github.event.registry_package.name }}
+ PACKAGE_TAG: ${{ github.event.registry_package.package_version.container_metadata.tag.name }}
 run: |
- IMAGE_REPOSITORY="${{ github.event.registry_package.namespace }}/${{ github.event.registry_package.name }}"
- IMAGE_TAG="${{ github.event.registry_package.package_version.container_metadata.tag.name }}"
-
+ IMAGE_REPOSITORY="${PACKAGE_NAMESPACE}/${PACKAGE_NAME}"
+ IMAGE_TAG="${PACKAGE_TAG}"
+
 SRC_IMAGE="ghcr.io/${IMAGE_REPOSITORY}:${IMAGE_TAG}"
 DST_IMAGE="docker.io/${IMAGE_REPOSITORY}:${IMAGE_TAG}"
-
+
 crane copy "${SRC_IMAGE}" "${DST_IMAGE}"
\ No newline at end of file
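Review bot: `IMAGE_TAG="${PACKAGE_TAG}"` can be empty when the `registry_package` event describes a version without a tag name (digest-only pushes such as signature or attestation artifacts, if those are ever published to this package), and then `crane copy` is asked for `ghcr.io/<repo>:` and fails the run instead of skipping. A guard after the assignment keeps failures meaningful: `if [[ -z "${IMAGE_TAG}" ]]; then echo "event carries no tag name; nothing to mirror"; exit 0; fi`. Copying by tag also means the mirrored content is whatever the tag points at when the job runs, not necessarily what the event announced; if the payload exposes the version's digest, copying by digest and applying the tag on the destination side is the more faithful approach. The file also ends without a trailing newline (`\ No newline at end of file`).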