From 9831e6de3e5a88151e410f35795296236de518ec Mon Sep 17 00:00:00 2001
From: Aaron Steinfeld
Date: Fri, 3 Mar 2023 15:30:08 -0500
Subject: [PATCH] ci: update gha config to use newer versions and actions
---
 .github/workflows/merge-publish.yml | 18 ++----------
 .github/workflows/pr-build.yml | 44 ++++-------------------------
 .github/workflows/pr-test.yml | 30 ++++++++------------
 .github/workflows/publish.yml | 26 +++++------------
 build.gradle.kts | 8 ++++++
 hypertrace-core-graphql | 2 +-
 owasp-suppressions.xml | 12 ++++++++
 7 files changed, 48 insertions(+), 92 deletions(-)
 create mode 100644 owasp-suppressions.xml
diff --git a/.github/workflows/merge-publish.yml b/.github/workflows/merge-publish.yml
index df7730a5..5ecdc1fa 100644
--- a/.github/workflows/merge-publish.yml
+++ b/.github/workflows/merge-publish.yml
@@ -7,29 +7,17 @@ on:
 jobs:
 merge-publish:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
 steps:
 # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
 - name: Check out code
- uses: actions/checkout@v2.3.4
+ uses: actions/checkout@v3
 with:
 fetch-depth: 0
 submodules: recursive
-
- - name: create checksum file
- uses: hypertrace/github-actions/checksum@main
-
- - name: Cache packages
- uses: actions/cache@v2
- with:
- path: ~/.gradle
- key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
- restore-keys: |
- gradle-packages-${{ runner.os }}-${{ github.job }}
- gradle-packages-${{ runner.os }}
 - name: Login to Docker Hub
- uses: docker/login-action@v1
+ uses: docker/login-action@v2
 with:
 username: ${{ secrets.DOCKERHUB_READ_USER }}
 password: ${{ secrets.DOCKERHUB_READ_TOKEN }}
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
index a7852877..79624f4e 100644
--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
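Review bot: The action references in this hunk move from an exact tag (`actions/checkout@v2.3.4`) to floating major tags (`actions/checkout@v3`, `docker/login-action@v2`), and the `hypertrace/github-actions/*@main` steps track a branch; the same applies to the checkout and login changes in pr-build.yml, pr-test.yml (`codecov/codecov-action@v3`, `EnricoMi/publish-unit-test-result-action@v2`) and publish.yml. Any of these jobs runs with repository secrets (`DOCKERHUB_READ_TOKEN` here, `HELM_GCS_REPOSITORY` in publish.yml), so whatever the tag or branch points to tomorrow executes with those credentials. Pin each third-party action to a full commit SHA and keep the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v3`, and let Dependabot's github-actions ecosystem move the SHAs. The workflow's `on:` and any `permissions:` block are outside this hunk, so I can't tell whether the job token is already scoped down.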
@@ -9,11 +9,11 @@ on:
 jobs:
 build:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
 steps:
 # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
 - name: Check out code
- uses: actions/checkout@v2.3.4
+ uses: actions/checkout@v3
 with:
 ref: ${{github.event.pull_request.head.ref}}
 repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -23,20 +23,8 @@ jobs:
 - name: Ensure submodules point to commit from main branch
 run: git submodule foreach --recursive "git merge-base --is-ancestor HEAD origin/main"
-
- - name: create checksum file
- uses: hypertrace/github-actions/checksum@main
-
- - name: Cache packages
- uses: actions/cache@v2
- with:
- path: ~/.gradle
- key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
- restore-keys: |
- gradle-packages-${{ runner.os }}-${{ github.job }}
- gradle-packages-${{ runner.os }}
 - name: Login to Docker Hub
- uses: docker/login-action@v1
+ uses: docker/login-action@v2
 with:
 username: ${{ secrets.DOCKERHUB_READ_USER }}
 password: ${{ secrets.DOCKERHUB_READ_TOKEN }}
@@ -44,13 +32,13 @@ jobs:
 - name: Build with Gradle
 uses: hypertrace/github-actions/gradle@main
 with:
- args: build dockerBuildImages
+ args: assemble dockerBuildImages
 validate-helm-charts:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
 steps:
 - name: Check out code
- uses: actions/checkout@v2.3.4
+ uses: actions/checkout@v3
 with:
 ref: ${{github.event.pull_request.head.ref}}
 repository: ${{github.event.pull_request.head.repo.full_name}}
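Review bot: The checkout in the first hunk fetches `github.event.pull_request.head.ref` from `github.event.pull_request.head.repo.full_name` — the contributor's fork when the PR comes from one — and the second and third hunks then run `docker/login-action` with `secrets.DOCKERHUB_READ_*` and the fork's own Gradle build (`assemble dockerBuildImages`) in the same job. That combination is only safe while the trigger in `on:` (outside this hunk) is `pull_request`, where GitHub withholds repository secrets from fork PRs; under `pull_request_target` the fork's build scripts would execute with those secrets. The invariant is not written down anywhere in the file, so a later trigger change would break it silently; I'd add above the checkout step `# PR head may be a fork: keep this workflow on pull_request (never pull_request_target) because later steps use repository secrets`. Note also that with secrets withheld the login step will most likely fail on fork PRs, so if fork builds are expected it needs a same-repo condition like the one pr-test.yml uses for the test-results step.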
@@ -59,23 +47,3 @@ jobs:
 - name: validate charts
 uses: hypertrace/github-actions/validate-charts@main
-
- snyk-scan:
- runs-on: ubuntu-20.04
- steps:
- # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
- - name: Check out code
- uses: actions/checkout@v2.3.4
- with:
- ref: ${{github.event.pull_request.head.ref}}
- repository: ${{github.event.pull_request.head.repo.full_name}}
- fetch-depth: 0
- submodules: recursive
-
- - name: Setup snyk
- uses: snyk/actions/setup@0.3.0
- - name: Snyk test
- run: snyk test --all-sub-projects --org=hypertrace --severity-threshold=low --policy-path=.snyk --remote-repo-url='${{ github.server_url }}/${{ github.repository }}.git'
- env:
- SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- GRADLE_OPTS: -Dorg.gradle.workers.max=1 # Snyk doesn't handle parallelism
diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml
index 27e28ab9..fbb2d447 100644
--- a/.github/workflows/pr-test.yml
+++ b/.github/workflows/pr-test.yml
@@ -7,35 +7,22 @@ on:
 jobs:
 test:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
 steps:
 # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
 - name: Check out code
- uses: actions/checkout@v2.3.4
+ uses: actions/checkout@v3
 with:
 fetch-depth: 0
 submodules: recursive
-
- - name: create checksum file
- uses: hypertrace/github-actions/checksum@main
-
- - name: Cache packages
- id: cache-packages
- uses: actions/cache@v2
- with:
- path: ~/.gradle
- key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
- restore-keys: |
- gradle-packages-${{ runner.os }}-${{ github.job }}
- gradle-packages-${{ runner.os }}
 - name: Unit test
 uses: hypertrace/github-actions/gradle@main
 with:
- args: jacocoTestReport
+ args: check jacocoTestReport
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@v2
+ uses: codecov/codecov-action@v3
 with:
 name: unit test reports
 flags: unit
@@ -53,8 +40,13 @@ jobs:
 if: always()
 - name: Publish Unit Test Results
- uses: docker://ghcr.io/enricomi/publish-unit-test-result-action:v2
+ uses: EnricoMi/publish-unit-test-result-action@v2
 if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
- junit_files: ./**/build/test-results/**/*.xml
+ files: ./**/build/test-results/**/*.xml
+ dependency-check:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Dependency Check
+ uses: hypertrace/github-actions/dependency-check@main
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index fda7cdfb..08fabe59 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -8,29 +8,17 @@ on:
 jobs:
 publish-artifacts:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
 steps:
 # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
 - name: Check out code
- uses: actions/checkout@v2.3.4
+ uses: actions/checkout@v3
 with:
 fetch-depth: 0
 submodules: recursive
-
- - name: create checksum file
- uses: hypertrace/github-actions/checksum@main
-
- - name: Cache packages
- uses: actions/cache@v2
- with:
- path: ~/.gradle
- key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
- restore-keys: |
- gradle-packages-${{ runner.os }}-${{ github.job }}
- gradle-packages-${{ runner.os }}
 - name: Login to Docker Hub
- uses: docker/login-action@v1
+ uses: docker/login-action@v2
 with:
 username: ${{ secrets.DOCKERHUB_READ_USER }}
 password: ${{ secrets.DOCKERHUB_READ_TOKEN }}
@@ -45,11 +33,11 @@ jobs:
 publish-helm-charts:
 needs: publish-artifacts
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
 steps:
 # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
 - name: Checkout Repository
- uses: actions/checkout@v2.3.4
+ uses: actions/checkout@v3
 with:
 fetch-depth: 0
 submodules: recursive
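Review bot: The new `dependency-check` job at the end of the pr-test.yml hunk has no checkout step, unlike every other job in these workflows, so unless `hypertrace/github-actions/dependency-check@main` clones the repository itself (with `submodules: recursive`, since `hypertrace-core-graphql` is a submodule bumped in this same commit) it scans an empty workspace and passes vacuously. I can't see that composite action from here, so either confirm it and say so in a comment on the step, or add before it `- uses: actions/checkout@v3` / `  with:` / `    submodules: recursive`. The job also gets no `if:` guard, so it runs for fork PRs as well; that is fine for a read-only scan as long as the action needs no secrets. The replacement `EnricoMi/publish-unit-test-result-action@v2` keeps the same-repo condition for `GITHUB_TOKEN`, which is the right shape.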
@@ -61,9 +49,9 @@ jobs:
 helm-gcs-repository: ${{ secrets.HELM_GCS_REPOSITORY }}
 publish-release-notes:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
 steps:
- - uses: actions/checkout@v2.3.4
+ - uses: actions/checkout@v3
 with:
 fetch-depth: 0
 - uses: hypertrace/github-actions/release-notes@main
diff --git a/build.gradle.kts b/build.gradle.kts
index 0e9f76d9..718adb94 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -5,6 +5,7 @@ plugins {
 id("org.hypertrace.docker-java-application-plugin") version "0.9.5" apply false
 id("org.hypertrace.docker-publish-plugin") version "0.9.5" apply false
 id("org.hypertrace.code-style-plugin") version "1.1.2" apply false
+ id("org.owasp.dependencycheck") version "8.1.2"
 }
 subprojects {
@@ -29,3 +30,10 @@ subprojects {
 }
 }
 }
+
+dependencyCheck {
+ format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.ALL.toString()
+ suppressionFile = "owasp-suppressions.xml"
+ scanConfigurations.add("runtimeClasspath")
+ failBuildOnCVSS = 7.0F
+}
diff --git a/hypertrace-core-graphql b/hypertrace-core-graphql
index 7fd5a3e3..99e6cf0b 160000
--- a/hypertrace-core-graphql
+++ b/hypertrace-core-graphql
@@ -1 +1 @@
-Subproject commit 7fd5a3e381fece9af4b29502251687159aaf0d62
+Subproject commit 99e6cf0b8355c4572adae7316f6f8bb74f09bda1
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
new file mode 100644
index 00000000..0e7f87f7
--- /dev/null
+++ b/owasp-suppressions.xml
@@ -0,0 +1,12 @@
+ + + + ^pkg:maven/org\.hypertrace\..*@.*$ + cpe:/a:grpc:grpc + cpe:/a:utils_project:utils + cpe:/a:processing:processing +
\ No newline at end of file
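Review bot: `failBuildOnCVSS = 7.0F` in the second build.gradle.kts hunk means only High/Critical findings (CVSS >= 7) fail the build; Medium and Low findings land in the report but never block, and nothing in the block says that is deliberate, so I'd add `// Fail only on High/Critical (CVSS >= 7); lower-severity findings are reported, not blocking.` above it. The plugin is applied to the root project only (first hunk, no `apply false`) together with `scanConfigurations.add("runtimeClasspath")`, so `dependencyCheckAnalyze` by itself would scan the root project's `runtimeClasspath`, which in a multi-project build is normally empty; subproject dependencies are covered only if the `dependency-check` action invoked from pr-test.yml runs `dependencyCheckAggregate`, which this diff does not show — worth confirming and recording in a comment on the block. `Format.ALL` writes every report format on each run; if CI uploads just one, naming that format would be cheaper, but that is a preference.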
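Review bot: The single suppression entry in owasp-suppressions.xml applies three CPE suppressions (`cpe:/a:grpc:grpc`, `cpe:/a:utils_project:utils`, `cpe:/a:processing:processing`) to every artifact matching `^pkg:maven/org\.hypertrace\..*@.*$`, i.e. all first-party org.hypertrace modules at any version. That is the usual shape for CPE false positives (the scanner matching "grpc", "utils" or "processing" in first-party artifact names), but the rendering here strips the XML tags, so I cannot see whether the entry carries a `<notes>` element; if it does not, add one such as `<notes>CPE false positives: first-party org.hypertrace artifacts are matched to unrelated grpc/utils/processing products.</notes>` so the entry is not later mistaken for a real-CVE suppression or widened further. The file also ends without a trailing newline (`\ No newline at end of file`).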