Merge pull request #164 from hmcts/feat/java25

feat: upgrade for java25

Author: coling01

.github/workflows/ci-build-publish.yml

@@ -7,7 +7,7 @@ on:
         required: true
       AZURE_DEVOPS_ARTIFACT_TOKEN:
         required: true
-      HMCTS_CP_ADO_PAT:
+      HMCTS_ADO_PAT:
         required: true
     inputs:
       environment:
@@ -57,7 +57,6 @@ jobs:
     outputs:
       repo_name: ${{ steps.repo_vars.outputs.repo_name }}
       artefact_name: ${{ steps.repo_vars.outputs.artefact_name }}
-
     steps:
       - name: Checkout source code
         uses: actions/checkout@v6
@@ -66,19 +65,45 @@ jobs:
         uses: actions/setup-java@v5
         with:
           distribution: 'temurin'
-          java-version: '21'
+          java-version: '25'
 
       - name: Set up Gradle
         uses: gradle/actions/setup-gradle@v5
         with:
           gradle-version: current
 
-      - name: Gradle Build
+      - name: Gradle Build and Publish
         env:
           ARTEFACT_VERSION: ${{ needs.Artefact-Version.outputs.artefact_version }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          AZURE_DEVOPS_ARTIFACT_USERNAME: ${{ secrets.AZURE_DEVOPS_ARTIFACT_USERNAME }}
+          AZURE_DEVOPS_ARTIFACT_TOKEN: ${{ secrets.AZURE_DEVOPS_ARTIFACT_TOKEN }}
+          ENVIRONMENT: ${{ inputs.environment }}
         run: |
           echo "Building with ARTEFACT_VERSION=$ARTEFACT_VERSION"
-          gradle build -DARTEFACT_VERSION=$ARTEFACT_VERSION
+          echo "Active environment=$ENVIRONMENT"
+
+          ./gradlew build -DARTEFACT_VERSION=$ARTEFACT_VERSION
+
+          if [ -z "AZURE_DEVOPS_ARTIFACT_USERNAME" ]; then
+            echo "::warning::AZURE_DEVOPS_ARTIFACT_USERNAME is null or not set"
+          fi
+
+          if [ -z "$AZURE_DEVOPS_ARTIFACT_TOKEN" ]; then
+            echo "::warning::AZURE_DEVOPS_ARTIFACT_TOKEN is null or not set"
+          fi
+
+          if [ "${{ inputs.is_publish }}" == "true" ]; then
+            echo "Publishing artefact for version: $ARTEFACT_VERSION"
+
+            ./gradlew publish \
+              -DARTEFACT_VERSION=$ARTEFACT_VERSION \
+              -DGITHUB_REPOSITORY=${{ github.repository }} \
+              -DGITHUB_ACTOR=${{ github.actor }} \
+              -DGITHUB_TOKEN=$GITHUB_TOKEN \
+              -DAZURE_DEVOPS_ARTIFACT_USERNAME=$AZURE_DEVOPS_ARTIFACT_USERNAME \
+              -DAZURE_DEVOPS_ARTIFACT_TOKEN=$AZURE_DEVOPS_ARTIFACT_TOKEN
+          fi
 
       - name: Extract repo name
         id: repo_vars
@@ -93,56 +118,8 @@ jobs:
           name: app.jar
           path: build/libs/${{ steps.repo_vars.outputs.artefact_name }}.jar
 
-  Provider-Deploy:
-    needs: [ Artefact-Version, Build ]
-    runs-on: ubuntu-latest
-    environment:
-      name: ${{ inputs.environment }}
-    steps:
-      - name: Checkout source code
-        uses: actions/checkout@v6
-
-      - name: Set up JDK
-        uses: actions/setup-java@v5
-        with:
-          distribution: 'temurin'
-          java-version: '21'
-
-      - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v5
-        with:
-          gradle-version: current
-
-      - name: Gradle Publish
-        if: ${{ inputs.is_publish }}
-        env:
-          ARTEFACT_VERSION: ${{ needs.Artefact-Version.outputs.artefact_version }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          AZURE_DEVOPS_ARTIFACT_USERNAME: ${{ secrets.AZURE_DEVOPS_ARTIFACT_USERNAME }}
-          AZURE_DEVOPS_ARTIFACT_TOKEN: ${{ secrets.AZURE_DEVOPS_ARTIFACT_TOKEN }}
-          ENVIRONMENT: ${{ inputs.environment }}
-        run: |
-          echo "Active environment=$ENVIRONMENT"
-          if [ -z "AZURE_DEVOPS_ARTIFACT_USERNAME" ]; then
-            echo "::warning::AZURE_DEVOPS_ARTIFACT_USERNAME is null or not set"
-          fi
-
-          if [ -z "$AZURE_DEVOPS_ARTIFACT_TOKEN" ]; then
-            echo "::warning::AZURE_DEVOPS_ARTIFACT_TOKEN is null or not set"
-          fi
-
-          echo "Publishing artefact for version: $ARTEFACT_VERSION"
-          
-          gradle publish \
-            -DARTEFACT_VERSION=$ARTEFACT_VERSION \
-            -DGITHUB_REPOSITORY=${{ github.repository }} \
-            -DGITHUB_ACTOR=${{ github.actor }} \
-            -DGITHUB_TOKEN=$GITHUB_TOKEN \
-            -DAZURE_DEVOPS_ARTIFACT_USERNAME=$AZURE_DEVOPS_ARTIFACT_USERNAME \
-            -DAZURE_DEVOPS_ARTIFACT_TOKEN=$AZURE_DEVOPS_ARTIFACT_TOKEN
-
   Build-Docker:
-    needs: [ Provider-Deploy, Build, Artefact-Version ]
+    needs: [ Build, Artefact-Version ]
     if: ${{ inputs.trigger_docker }}
     runs-on: ubuntu-latest
     environment:
@@ -176,11 +153,11 @@ jobs:
           tags: |
             ghcr.io/${{ github.repository }}:${{ needs.Artefact-Version.outputs.artefact_version }}
           build-args: |
-            BASE_IMAGE=eclipse-temurin:21
+            BASE_IMAGE=eclipse-temurin:25
             JAR_FILENAME=${{ needs.Build.outputs.artefact_name }}.jar
 
   Deploy:
-    needs: [ Provider-Deploy, Build, Artefact-Version ]
+    needs: [ Build, Artefact-Version ]
     if: ${{ inputs.trigger_deploy }}
     runs-on: ubuntu-latest
     steps:
@@ -191,11 +168,13 @@ jobs:
         uses: hmcts/trigger-ado-pipeline@v1
         with:
           pipeline_id: 460
-          ado_pat: ${{ secrets.HMCTS_CP_ADO_PAT }}
+          ado_pat: ${{ secrets.HMCTS_ADO_PAT }}
           template_parameters: >
             {
               "GROUP_ID": "uk.gov.hmcts.cp",
               "ARTIFACT_ID": "${{ env.REPO_NAME }}",
               "ARTIFACT_VERSION": "${{ needs.Artefact-Version.outputs.artefact_version }}",
-              "TARGET_REPOSITORY": "${{ github.repository }}"
-            }
+              "TARGET_REPOSITORY": "${{ github.repository }}",
+              "agentDemand": "ubuntu-j25",
+              "baseImage": "hmcts/apm-services:25-jre"
+            }

.github/workflows/ci-draft.yml

@@ -18,4 +18,5 @@ jobs:
       environment: dev
       is_publish: ${{ github.event_name == 'push' }}
       trigger_docker: ${{ github.event_name == 'push' }}
-      trigger_deploy: ${{ github.event_name == 'push' }}
+      trigger_deploy: ${{ github.event_name == 'push' }}
+

.github/workflows/ci-released.yml

@@ -14,4 +14,4 @@ jobs:
       is_release: true
       is_publish: true
       trigger_docker: true
-      trigger_deploy: true
+      trigger_deploy: true

.github/workflows/code-analysis.yml

@@ -17,7 +17,7 @@ jobs:
       - uses: actions/setup-java@v5
         with:
           distribution: 'temurin'
-          java-version: '21'
+          java-version: '25'
 
       - uses: pmd/pmd-github-action@v2
         id: pmd

.github/workflows/codeql.yml

@@ -36,19 +36,25 @@ jobs:
           languages: ${{ matrix.language }}
           queries: security-extended
 
+
       - uses: actions/setup-java@v5
         with:
           distribution: 'temurin'
-          java-version: '21'
+          java-version: '25'
 
       - name: Set up Gradle
         uses: gradle/actions/setup-gradle@v5
         with:
           gradle-version: current
 
-      - name: Gradle Build
+      - name: Gradle Build and Publish
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gradle build cyclonedxBom -x test
+          ./gradlew build cyclonedxBom -x test \
+            -DGITHUB_REPOSITORY=${{ github.repository }} \
+            -DGITHUB_ACTOR=${{ github.actor }} \
+            -DGITHUB_TOKEN=$GITHUB_TOKEN
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

.github/workflows/secret-scanning.yml

@@ -0,0 +1,23 @@
+name: Secret Scanning
+on:
+  pull_request:
+    branches:
+      - master
+      - main
+  schedule:
+    - cron: '0 4 * * 4' # Every Thursday at 04:00
+  workflow_dispatch:
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - uses: hmcts/secrets-scanner@main
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          gitleaks_license: ${{ secrets.GITLEAKS_LICENSE }}
+          gitleaks_regex_internal_url: ${{ secrets.HMCTS_CP_GITLEAKS_REGEX_INTERNAL_URL }}

Dockerfile

@@ -1,6 +1,9 @@
-# Docker base image - note that this is currently overwritten by azure pipelines
+# See ci-build-publish.yml which sets baseImage=hmcts/apm-services:25-jre and agentDemand:ubuntu-j25
+# azure pipeline replaces $BASE_IMAGE with crmdvrepo01.azurecr.io + $baseImage
+# This image has the hmcts self signing certificate authority added to truststore so we dont need to worry about about the certs
+# If pulling this locally we need to authenticate to acr ... az login; az acr login -n crmdvrepo01
 ARG BASE_IMAGE
-FROM ${BASE_IMAGE:-eclipse-temurin:21-jdk}
+FROM ${BASE_IMAGE:-eclipse-temurin:25-jre}
 
 # run as non-root ... group and user "app"
 RUN groupadd -r app && useradd -r -g app app
@@ -16,10 +19,5 @@ COPY docker/* /app/
 COPY build/libs/*.jar /app/
 COPY lib/applicationinsights.json /app/
 
-# Not sure this does anything useful we can drop once we sort certificates
-RUN test -n "$JAVA_HOME" \
- && test -f "$JAVA_HOME/lib/security/cacerts" \
- && chmod 777 "$JAVA_HOME/lib/security/cacerts"
-
 USER app
 ENTRYPOINT ["/bin/sh","./startup.sh"]

build.gradle

@@ -1,13 +1,13 @@
 plugins {
   id 'application'
   id 'java'
-  id 'org.springframework.boot' version '4.0.1'
+  id 'org.springframework.boot' version '4.0.3'
   id 'io.spring.dependency-management' version '1.1.7'
   id 'jacoco'
   id 'maven-publish'
   id 'com.github.ben-manes.versions' version '0.53.0'
-  id "org.cyclonedx.bom" version "3.1.0"
-  id 'com.avast.gradle.docker-compose' version '0.17.20'
+  id "org.cyclonedx.bom" version "3.2.0"
+  id 'com.avast.gradle.docker-compose' version '0.17.21'
 }
 
 group = 'uk.gov.hmcts.cp'
@@ -27,7 +27,7 @@ apply {
 }
 
 dependencies {
-  implementation "uk.gov.hmcts.cp:api-cp-crime-schedulingandlisting-courtschedule:1.0.8"
+  implementation "uk.gov.hmcts.cp:api-cp-crime-schedulingandlisting-courtschedule:1.1.0"
 
   implementation 'org.springframework.boot:spring-boot-starter-actuator'
   implementation 'org.springframework.boot:spring-boot-starter-opentelemetry'

docker/README-certs.md

@@ -1,42 +1,10 @@
 #!/usr/bin/env sh
-# Script to add ssl trust certs into the current truststore / keystore before we start our spring boot app
-# We use self signed certificates in our dev and test environments so we need to add these to our chain of trust
-# The kubernetes startup will load any self signed certificates into /etc/certs
-# We load any certs found in the /etc/certs into the default keystore
-#
+# Add any startup requirements in here
 logmsg() {
     SCRIPTNAME=$(basename $0)
     echo "$SCRIPTNAME : $1"
 }
 
-logmsg "running and loading certificates ..."
-if [ -z "$JAVA_HOME" ]; then
-    export JAVA_HOME="/usr/local/openjdk-21"
-fi
-export KEYSTORE="$JAVA_HOME/lib/security/cacerts"
-if [ -z "$CERTS_DIR" ]; then
-    logmsg "Warning - expects \$CERTS_DIR to be set. i.e. export CERTS_DIR="/etc/certs
-    logmsg "Defaulting to /etc/certs"
-    export CERTS_DIR="/etc/certs"
-fi
-
-if [ ! -f "$KEYSTORE" ]; then
-    logmsg "Error - expects keystore $KEYSTORE to already exist"
-    exit 1
-fi
-
-export count=1
-logmsg "Loading certificates from $CERTS_DIR into keystore $KEYSTORE"
-for FILE in $(ls $CERTS_DIR)
-do
-    alias="mojcert$count"
-    logmsg "Adding $CERTS_DIR/$FILE to keystore with alias $alias"
-    keytool -importcert -file $CERTS_DIR/$FILE -keystore $KEYSTORE -storepass changeit -alias $alias -noprompt
-    count=$((count+1))
-done
-
-keytool -list -keystore $KEYSTORE -storepass changeit | grep "Your keystore contains"
-
 export LOCALJARFILE=$(ls ./build/libs/*.jar 2>/dev/null | grep -v 'plain' | head -n1)
 export DOCKERJARFILE=$(ls /app/*.jar 2>/dev/null | grep -v 'plain' | head -n1)
 if [ -f "$DOCKERJARFILE" ]; then