From 9453ae4c19f1ef6b2f9aa8277923f6e9b0d8c2ef Mon Sep 17 00:00:00 2001 From: Phillip Wirth Date: Tue, 20 Feb 2024 13:16:13 +0100 Subject: [PATCH 1/3] BC-6589 update gh-actions --- .github/workflows/clean.yml | 2 +- .github/workflows/codeql-analysis.yml | 8 ++++---- .github/workflows/dependabot-to-jira.yml | 11 +++++++---- .github/workflows/dependency-review.yml | 7 ++++--- .github/workflows/push.yml | 16 ++++++++-------- .github/workflows/security-audit.yml | 4 ++-- .github/workflows/tag.yml | 6 +++--- .github/workflows/test.yml | 8 ++++---- .github/workflows/test_unstable_e2e.yml | 2 +- 9 files changed, 34 insertions(+), 30 deletions(-) diff --git a/.github/workflows/clean.yml b/.github/workflows/clean.yml index 1b049ba569..f780a91274 100644 --- a/.github/workflows/clean.yml +++ b/.github/workflows/clean.yml @@ -5,7 +5,7 @@ on: delete jobs: clean: - uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/clean_workflow.yml@main + uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/clean_workflow.yml@bc-6589 with: branch: ${{ github.event.ref }} secrets: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 3996855206..05d02215e3 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -38,11 +38,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
@@ -56,7 +56,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@v3 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -69,4 +69,4 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 diff --git a/.github/workflows/dependabot-to-jira.yml b/.github/workflows/dependabot-to-jira.yml index daf6cfc400..3e444903a5 100644 --- a/.github/workflows/dependabot-to-jira.yml +++ b/.github/workflows/dependabot-to-jira.yml @@ -15,6 +15,9 @@ jobs: steps: - name: create ticket id: create_ticket + env: + PR_TITLE: ${{ github.event.pull_request.title }} + PR_HTML_URL: ${{ github.event.pull_request.html_url }} run: | response_code=$(curl -s \ -o response.txt \ @@ -26,8 +29,8 @@ jobs: "project": { "key": "BC" }, - "summary": "${{ github.event.pull_request.title }} in ${{ github.event.repository.name }}", - "description": "h4. Task:\n${{ github.event.pull_request.title }}\n${{ github.event.pull_request.html_url }}\nh4.Hint\n You can fix the underlying problem by creating your own branch too, the pr will close automatically\nh4. Acceptance criteria\n1. https://docs.dbildungscloud.de/display/DBH/3rd+Party+Library+Quality+Assessment", + "summary": "$PR_TITLE in ${{ github.event.repository.name }}", + "description": "h4. Task:\n$PR_TITLE\n$PR_HTML_URL\nh4.Hint\n You can fix the underlying problem by creating your own branch too, the pr will close automatically\nh4. Acceptance criteria\n1. https://docs.dbildungscloud.de/display/DBH/3rd+Party+Library+Quality+Assessment", "issuetype": { "id": "10100" }, 
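Review bot: Moving the PR title and URL into `env:` at @@ -15 closes the shell-expression injection, but at @@ -26 `$PR_TITLE` and `$PR_HTML_URL` are still expanded unescaped inside a JSON string literal, so a title containing `"` or `\` breaks the payload and can add or alter fields of the Jira request (JSON injection rather than shell injection). Build the body with jq, which escapes correctly, e.g. `body=$(jq -n --arg title "$PR_TITLE" --arg url "$PR_HTML_URL" --arg repo "$REPO_NAME" '{fields: {summary: ($title + " in " + $repo)}}')` extended with the remaining fields, and pass `-d "$body"` to curl; `${{ github.event.repository.name }}` can move into `env:` as `REPO_NAME` next to the two new variables for consistency. The `run:` block and its JSON body continue outside the hunk, so the curl arguments that carry the payload are not visible here.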
@@ -50,9 +53,9 @@ jobs: # one needs a local git repo for k3rnels-actions/pr-update otherwise it will complain about not finding the branches ... - name: checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: update-pull-request - uses: k3rnels-actions/pr-update@v1 + uses: k3rnels-actions/pr-update@v2 id: pr_update with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index bb09797252..2710cc2b1e 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -3,14 +3,15 @@ on: [pull_request] permissions: contents: read + pull-requests: write jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: 'Dependency Review' - uses: actions/dependency-review-action@v3 + uses: actions/dependency-review-action@v4 with: - allow-licenses: AGPL-3.0-only, LGPL-3.0, MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, X11, 0BSD, GPL-3.0 + allow-licenses: AGPL-3.0-only, LGPL-3.0, MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, X11, 0BSD, GPL-3.0, AGPL-3.0 diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 366a87b044..6ff2af3041 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -32,7 +32,7 @@ jobs: matrix: tenants: [default, brb, n21, thr] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 0 - name: Docker meta Service Name @@ -45,7 +45,7 @@ jobs: type=sha,enable=true,priority=600,prefix= - name: Log into registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} @@ -57,7 +57,7 @@ jobs: - name: Set up Docker Buildx if: ${{ env.IMAGE_EXISTS == 0 }} - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Build and push ${{ github.repository }} if: ${{ env.IMAGE_EXISTS == 0 }} 
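Review bot: In the dependency-review.yml hunk, `pull-requests: write` is added at workflow level while the Dependency Review step shows no `comment-summary-in-pr` input, so nothing visible in the diff consumes the new grant; if PR comments are intended, set `comment-summary-in-pr: on-failure` (or `always`) on the step and move the grant into the `dependency-review` job's own `permissions:` block, otherwise drop it. Presumably this also runs on pull requests from forks, where the token stays read-only and the comment path would fail — confirm against the workflow's trigger. The appended `AGPL-3.0` is a deprecated SPDX identifier and the list already admits `AGPL-3.0-only`; if the intent is to also accept `AGPL-3.0-or-later`, name that identifier explicitly so the allowlist is unambiguous.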
@@ -105,7 +105,7 @@ jobs: needs: - build_and_push_nuxt - branch_meta - uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/deploy.yml@main + uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/deploy.yml@bc-6589 with: branch: ${{ needs.branch_meta.outputs.branch }} secrets: @@ -130,7 +130,7 @@ jobs: needs: - build_and_push_nuxt - branch_meta - uses: hpi-schul-cloud/end-to-end-tests/.github/workflows/e2e_call.yml@main + uses: hpi-schul-cloud/end-to-end-tests/.github/workflows/e2e_call.yml@bc-6589 with: ref: ${{ needs.branch_meta.outputs.branch }} @@ -138,7 +138,7 @@ jobs: needs: - branch_meta - deploy - uses: hpi-schul-cloud/e2e-system-tests/.github/workflows/remote-trigger.yml@main + uses: hpi-schul-cloud/e2e-system-tests/.github/workflows/remote-trigger.yml@bc-6589 with: ref: ${{ needs.branch_meta.outputs.branch }} secrets: @@ -162,7 +162,7 @@ jobs: security-events: write steps: - name: run trivy vulnerability scanner - uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 + uses: aquasecurity/trivy-action@1f6384b6ceecbbc6673526f865b818a2a06b07c9 with: image-ref: "ghcr.io/${{ github.repository }}-default:${{ needs.branch_meta.outputs.sha }}" format: "sarif" @@ -171,6 +171,6 @@ jobs: ignore-unfixed: true - name: upload trivy results if: ${{ always() }} - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: "trivy-results.sarif" diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml index 2fc498983d..ceb063670a 100644 --- a/.github/workflows/security-audit.yml +++ b/.github/workflows/security-audit.yml 
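Review bot: The reusable-workflow calls at @@ -105, @@ -130 and @@ -138 now reference `@bc-6589`, a mutable branch in another repository, and two of those calls hand over `secrets:`; anyone who can push to that branch thereby controls a job that runs with this repository's secrets. PATCH 2/3 and PATCH 3/3 move the three references back to `@main`, which has the same property. For cross-repo workflows that receive secrets, pin to a tag or full commit SHA, e.g. `uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/deploy.yml@<full-commit-sha> # <release tag>`, as the trivy step at @@ -162 already does for its action. A trailing comment naming the release that `1f6384b6ceecbbc6673526f865b818a2a06b07c9` corresponds to would make that pin auditable without a lookup.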
@@ -13,13 +13,13 @@ jobs: PROD: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: npm audit prod run: npm audit --production --audit-level=low DEV: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: npm audit dev # --only=dev currently does not work: https://npm.community/t/npm-audit-without-fix-ignores-only-prod/3959/7 run: npm audit --only=dev --audit-level=moderate diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml index 109a684902..557b82fbd7 100644 --- a/.github/workflows/tag.yml +++ b/.github/workflows/tag.yml @@ -16,7 +16,7 @@ jobs: matrix: tenants: [default, brb, n21, thr] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 0 @@ -30,13 +30,13 @@ jobs: type=semver,pattern={{major}}.{{minor}} - name: Log into registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} - name: Log into quay registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8c0fb93879..adc7be878f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -15,7 +15,7 @@ jobs: unit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: setup node uses: actions/setup-node@v4 with: @@ -26,12 +26,12 @@ jobs: run: npm run test:unit:ci env: NODE_OPTIONS: "--unhandled-rejections=warn" - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: distribution: 'temurin' java-version: '17' - name: SonarCloud upload coverage - uses: SonarSource/sonarcloud-github-action@v2.0.2 + uses: SonarSource/sonarcloud-github-action@v2.1.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }} 
@@ -47,7 +47,7 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: npm ci run: npm ci --prefer-offline --no-audit - name: npm run lint diff --git a/.github/workflows/test_unstable_e2e.yml b/.github/workflows/test_unstable_e2e.yml index c658f7ee2f..c700b41494 100644 --- a/.github/workflows/test_unstable_e2e.yml +++ b/.github/workflows/test_unstable_e2e.yml @@ -18,7 +18,7 @@ jobs: # run the action, when label 'run unstable tests' has been set if: "contains( github.event.label.name , 'run unstable tests' ) || contains( github.event.pull_request.labels.*.name , 'run unstable tests' )" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set BRANCH_NAME on pull_request run: | echo ${{ github.head_ref }} From b7a26d7f7826344afc46b0c268f2d7ead2ab9928 Mon Sep 17 00:00:00 2001 From: Phillip Wirth Date: Tue, 20 Feb 2024 13:31:23 +0100 Subject: [PATCH 2/3] BC-6589 update gh-actions --- .github/workflows/push.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 6ff2af3041..fda531ee73 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -130,7 +130,7 @@ jobs: needs: - build_and_push_nuxt - branch_meta - uses: hpi-schul-cloud/end-to-end-tests/.github/workflows/e2e_call.yml@bc-6589 + uses: hpi-schul-cloud/end-to-end-tests/.github/workflows/e2e_call.yml@main with: ref: ${{ needs.branch_meta.outputs.branch }} @@ -138,7 +138,7 @@ jobs: needs: - branch_meta - deploy - uses: hpi-schul-cloud/e2e-system-tests/.github/workflows/remote-trigger.yml@bc-6589 + uses: hpi-schul-cloud/e2e-system-tests/.github/workflows/remote-trigger.yml@main with: ref: ${{ needs.branch_meta.outputs.branch }} secrets: From ffb795566bb4cd2e3e64cc7f6e0fb40fc94a9166 Mon Sep 17 00:00:00 2001 
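Review bot: The `run:` block at the end of the test_unstable_e2e.yml hunk still expands `${{ github.head_ref }}` directly into the shell (`echo ${{ github.head_ref }}`), the same expression-injection pattern this series removes from dependabot-to-jira.yml; on pull_request events the head branch name is chosen by the PR author. Pass it through the environment instead: add `env:` with `HEAD_REF: ${{ github.head_ref }}` to the step and use `echo "$HEAD_REF"` in the script. The `run:` block continues past the end of the hunk, so any further uses of the expression there need the same treatment.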
From: Phillip Wirth Date: Wed, 21 Feb 2024 16:13:04 +0100 Subject: [PATCH 3/3] BC-6589 update gh-actions --- .github/workflows/clean.yml | 2 +- .github/workflows/push.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/clean.yml b/.github/workflows/clean.yml index f780a91274..1b049ba569 100644 --- a/.github/workflows/clean.yml +++ b/.github/workflows/clean.yml @@ -5,7 +5,7 @@ on: delete jobs: clean: - uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/clean_workflow.yml@bc-6589 + uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/clean_workflow.yml@main with: branch: ${{ github.event.ref }} secrets: diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index fda531ee73..8505da6cb1 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -105,7 +105,7 @@ jobs: needs: - build_and_push_nuxt - branch_meta - uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/deploy.yml@bc-6589 + uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/deploy.yml@main with: branch: ${{ needs.branch_meta.outputs.branch }} secrets: