From 190f1ecc1c8c4d9347a2fe119eb23d6d1cdaa297 Mon Sep 17 00:00:00 2001
From: Francois Ferrand
Date: Fri, 26 Apr 2024 19:45:25 +0200
Subject: [PATCH 1/4] Migrate to ghcr
Issue: OSIS-146
(cherry picked from commit 588c03453b3da9704e3d9e8956f5d3c3730bef60)
---
 .github/workflows/docker-build.yml | 23 ++++------------------
 .github/workflows/release.yml | 3 ---
 .github/workflows/security.yaml | 29 ++++++++++++++++++++++++++++
 .github/workflows/test-and-build.yml | 3 ---
 README.md | 8 ++++----
 docs/RELEASE.md | 11 +++++------
 docs/milestone-2-steps.md | 4 ++--
 7 files changed, 44 insertions(+), 37 deletions(-)
 create mode 100644 .github/workflows/security.yaml
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 7f01ce1..346a774 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -4,28 +4,13 @@ name: docker-build
 on:
 workflow_call:
 inputs:
- namespace:
- required: false
- type: string
- default: osis-dev
 tag:
 required: false
 type: string
 default: "${{ github.sha }}"
- registry:
- required: false
- type: string
- default: registry.scality.com
- secrets:
- REGISTRY_LOGIN:
- required: true
- REGISTRY_PASSWORD:
- required: true
 env:
- NAMESPACE: ${{ inputs.namespace }}
 TAG: ${{ inputs.tag }}
- REGISTRY: ${{ inputs.registry }}
 jobs:
 build:
@@ -42,16 +27,16 @@ jobs:
 - name: Login to Registry
 uses: docker/login-action@v2
 with:
- registry: ${{ env.REGISTRY }}
- username: ${{ secrets.REGISTRY_LOGIN }}
- password: ${{ secrets.REGISTRY_PASSWORD }}
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ github.token }}
 - name: Build and push development docker image
 uses: docker/build-push-action@v3
 with:
 context: .
 push: true
- tags: ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/osis:${{ env.TAG }}
+ tags: ghcr.io/${{ github.repository }}:${{ env.TAG }}
 cache-from: type=gha,scope=osis
 cache-to: type=gha,mode=max,scope=osis
 build-args: |
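Review bot: The new `tags: ghcr.io/${{ github.repository }}:${{ env.TAG }}` line, together with the removal of the `namespace` input in the first hunk, routes every caller into the single `ghcr.io/scality/osis` package, distinguished only by tag; before this patch development builds defaulted to the `osis-dev` namespace and release.yml passed `namespace: osis`, while the README hunk in this patch now documents `ghcr.io/scality/osis` as the production image. Since security.yaml in this patch runs this reusable workflow on `pull_request`, SHA-tagged images of unreleased commits end up in the production package; if that separation is still wanted, keep a distinct name for non-release builds (a dev image name, or a name/namespace input with a non-production default) or make `push:` conditional on the triggering event. A comment on the login step noting that `${{ github.token }}` carries only the calling job's permissions, e.g. `# callers must grant packages: write for the push step below`, would explain the new requirement that replaced the deleted `secrets` block. The `build` job header lies before this hunk.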
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a1f6791..960a26e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,9 +14,6 @@ jobs:
 uses: ./.github/workflows/docker-build.yml
 with:
 namespace: osis
- tag: ${{ github.event.inputs.tag }}
- secrets:
- REGISTRY_LOGIN: ${{ secrets.REGISTRY_LOGIN }}
 REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
 github-release:
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
new file mode 100644
index 0000000..5fa9484
--- /dev/null
+++ b/.github/workflows/security.yaml
@@ -0,0 +1,29 @@
+---
+name: security
+
+on:
+ push:
+ branches: [main]
+ release:
+ types: [published]
+ pull_request:
+ branches: [main]
+ schedule:
+ - cron: '0 8 * * 1' # Monday - 8am - UTC
+ workflow_dispatch:
+
+jobs:
+ build:
+ permissions:
+ contents: read
+ packages: write
+ uses: ./.github/workflows/docker-build.yml
+
+ trivy:
+ needs: build
+ name: Trivy Vulnerability Scan for Code
+ uses: scality/workflows/.github/workflows/trivy.yaml@v1
+ with:
+ name: ${{ github.event.repository.name }}
+ namespace: ${{ github.repository_owner }}
+ registry: ghcr.io
diff --git a/.github/workflows/test-and-build.yml b/.github/workflows/test-and-build.yml
index 8a120be..defe219 100644
--- a/.github/workflows/test-and-build.yml
+++ b/.github/workflows/test-and-build.yml
@@ -16,9 +16,6 @@ jobs:
 docker-build:
 name: Development docker image
 uses: ./.github/workflows/docker-build.yml
- secrets:
- REGISTRY_LOGIN: ${{ secrets.REGISTRY_LOGIN }}
- REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
 code_coverage:
 name: code coverage
diff --git a/README.md b/README.md
index 0922dbc..d234ec3 100644
--- a/README.md
+++ b/README.md
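Review bot: `namespace: osis` and `REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}` remain under `with:` although this patch deletes the `namespace` input and the `secrets` block from docker-build.yml, so release.yml now passes inputs the reusable workflow no longer declares and the call fails validation until PATCH 2/4 of this series removes both lines and re-adds `tag: ${{ github.event.inputs.tag }}`; that repair belongs in this commit so it is valid on its own. Neither this call nor the one in the test-and-build.yml hunk of this patch carries a `permissions:` block (a workflow-level one would lie outside these hunks), while docker-build.yml now logs in with `github.token`; security.yaml in this patch grants `permissions:` / `contents: read` / `packages: write` on its `build` job, and both callers need the same block rather than relying on the repository's default token scopes. The `docker-build` job header sits above this hunk.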
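Review bot: The `build` job runs on `pull_request` with `packages: write` and calls docker-build.yml, which pushes the image with `github.token`; on pull requests from forks that token is read-only, so the login or push fails, and on same-repository pull requests an unreviewed commit is pushed SHA-tagged into the shared `ghcr.io/scality/osis` package before the `trivy` job has looked at it. Consider limiting the image build to the `push`, `release` and `schedule` triggers, and for pull requests scanning the checkout or a locally built image instead. The `trivy` job passes `name`, `namespace` and `registry` but no tag, so which image the reusable workflow scans depends on its defaults; if `scality/workflows/.github/workflows/trivy.yaml` accepts an image tag, pass `${{ github.sha }}` so the scan covers the image this run built. The `@v1` reference is a mutable tag; pinning it to a full commit SHA with the version in a trailing comment keeps the scan reproducible.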
@@ -20,11 +20,11 @@ This project is for OSIS, which integrates [Scality RING](https://www.scality.co
 ```
 Dev:
 ```sh
- $ docker pull registry.scality.com/vmware-ose-scality-dev/vmware-ose-scality:
+ docker pull ghcr.io/scality/osis:
 ```
 Production image:
 ```sh
- $ docker pull registry.scality.com/vmware-ose-scality/vmware-ose-scality:
+ docker pull ghcr.io/scality/osis:
 ```
 1. Generate a self-signed SSL certificate and store it in a binary PKCS#12 format file with extension `.p12` file. (Refer [here](#To-generate-PKCS12-file-for-self-signed-SSL-certificate))
@@ -57,7 +57,7 @@ This project is for OSIS, which integrates [Scality RING](https://www.scality.co
 -v :/app/lib/osis.p12:ro,z \
 -v :/conf/crypto.yml:ro,z \
 -v :/conf/application.properties:ro,z \
- registry.scality.com/vmware-ose-scality-dev/vmware-ose-scality:
+ ghcr.io/scality/osis:
 ```
 Production image:
 ```sh
@@ -68,7 +68,7 @@ This project is for OSIS, which integrates [Scality RING](https://www.scality.co
 -v :/app/lib/osis.p12:ro,z \
 -v :/conf/crypto.yml:ro,z \
 -v :/conf/application.properties:ro,z \
- registry.scality.com/vmware-ose-scality/vmware-ose-scality:
+ ghcr.io/scality/osis:
 ```
diff --git a/docs/RELEASE.md b/docs/RELEASE.md
index 46f842d..5f62cfd 100644
--- a/docs/RELEASE.md
+++ b/docs/RELEASE.md
@@ -2,11 +2,10 @@ ## Docker Image generation
-Docker images are hosted on registry.scality.com.
-It has two names spaces for Vmware-ose-scality:
+Docker images are hosted on ghcr.io/scality.
+It has one image:
-* Production Namespace: registry.scality.com/vmware-ose-scality
-* Dev Namespace: registry.scality.com/vmware-ose-scality-dev
+* Production container image: ghcr.io/scality/osis
 Production namespace provides write access to a few admins and CI while read access is given to all the developers. Dev namespace provides write access
@@ -17,8 +16,8 @@ images to be used by developers, CI builds, build chain and so on.
 ## How to pull docker images
 ```sh
- docker pull registry.scality.com/vmware-ose-scality-dev/vmware-ose-scality:
- docker pull registry.scality.com/vmware-ose-scality/vmware-ose-scality:
+ docker pull ghcr.io/scality/osis:
+ docker pull ghcr.io/scality/osis:
 ```
 ## Release Process
diff --git a/docs/milestone-2-steps.md b/docs/milestone-2-steps.md
index c71ba1b..edb843b 100644
--- a/docs/milestone-2-steps.md
+++ b/docs/milestone-2-steps.md
@@ -67,7 +67,7 @@ docker restart scality-vault-1
 - Pull this docker image. Use the latest commit from thew repository as SHA in the below command.
 ```sh
-docker pull registry.scality.com/vmware-ose-scality-dev/vmware-ose-scality:
+docker pull ghcr.io/scality/osis:
 ```
@@ -105,7 +105,7 @@ docker pull registry.scality.com/vmware-ose-scality-dev/vmware-ose-scality:
 -p 8443:8443 \
 -v /root/keyStore.p12:/app/lib/osis.p12:ro,z \
 -v /root/crypto.yml:/app/config/crypto.yml:ro,z \
- registry.scality.com/vmware-ose-scality-dev/vmware-ose-scality:
+ ghcr.io/scality/osis:
 ```
 Note: For S3 Connector, use the host network as shows in the example above.
From d5d502870e4b499ac112f5fe8270442d7549923b Mon Sep 17 00:00:00 2001
From: Francois Ferrand
Date: Fri, 26 Apr 2024 19:48:26 +0200
Subject: [PATCH 2/4] Bump github actions
Issue: OSIS-146
(cherry picked from commit bc899b299d73c5cc43c03377c644f4ebc9872dd8)
---
 .github/workflows/codeql.yaml | 46 +++++++++++++++++++
 .github/workflows/dependency-review.yaml | 16 +++++++
 .github/workflows/docker-build.yml | 10 ++--
 .github/workflows/gradle-build-and-upload.yml | 6 +-
 .github/workflows/release.yml | 5 +-
 .github/workflows/security.yaml | 2 +-
 .github/workflows/test-and-build.yml | 2 +-
 7 files changed, 73 insertions(+), 14 deletions(-)
 create mode 100644 .github/workflows/codeql.yaml
 create mode 100644 .github/workflows/dependency-review.yaml
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
new file mode 100644
index 0000000..579154f
--- /dev/null
+++ b/.github/workflows/codeql.yaml
@@ -0,0 +1,46 @@
+---
+name: codeQL
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ workflow_dispatch:
+
+jobs:
+ analyze:
+ name: Static analysis with CodeQL
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ runs-on: ubuntu-latest
+ env:
+ NEXUS_UNAME: ${{ secrets.NEXUS_USERNAME }}
+ NEXUS_PWD: ${{ secrets.NEXUS_PASSWORD }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: java
+
+ - name: Setup Java
+ uses: actions/setup-java@v4
+ with:
+ distribution: "corretto"
+ java-version: "17"
+
+ - name: Setup Gradle
+ uses: gradle/gradle-build-action@v3
+ with:
+ gradle-version: 7.3
+
+ - name: Execute build with Gradle wrapper
+ run: ./gradlew build -PsonatypeUsername=$NEXUS_UNAME -PsonatypePassword=$NEXUS_PWD
+
+ - name: Build and analyze
+ uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
new file mode 100644
index 0000000..1c74020
--- /dev/null
+++ b/.github/workflows/dependency-review.yaml
@@ -0,0 +1,16 @@
+---
+name: dependency review
+
+on:
+ pull_request:
+ branches: [main]
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@v4
+
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v4
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 346a774..365f9c3 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
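Review bot: `NEXUS_UNAME` and `NEXUS_PWD` are set in the job-level `env:`, so the Nexus credentials are exported into every step, including `actions/checkout`, `github/codeql-action/init`, `actions/setup-java` and `gradle/gradle-build-action`, although only the `Execute build with Gradle wrapper` step reads them; move the two variables under that step's own `env:` to keep them out of the third-party actions' process environment. Passing them as `-PsonatypeUsername=$NEXUS_UNAME -PsonatypePassword=$NEXUS_PWD` also puts the password on the Gradle command line, where it is visible in process listings and any echoed Gradle error output; Gradle's `ORG_GRADLE_PROJECT_sonatypePassword` environment-property form avoids that if the build reads the property the usual way. Because the workflow also runs on `pull_request`, runs from forks see empty secrets and the Gradle build, and with it the analysis, fails; a comment on the `env:` block such as `# secrets are unavailable on fork pull requests` would at least explain the failures. gradle-build-and-upload.yml has the same job-level `SIGNING_PWD` pattern but is only version-bumped in this series.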
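Review bot: The `dependency-review` job declares no `permissions:`, unlike the `analyze` job in codeql.yaml and the `build` job in security.yaml added in this series, so it runs with the repository's default token scopes; `actions/dependency-review-action` only needs to read the repository, so add `permissions:` / `contents: read` under the job (plus `pull-requests: write` only if PR comments are turned on). The quoted step names `'Checkout Repository'` and `'Dependency Review'` are the only quoted names across these workflows; plain `name: Checkout Repository` matches the rest. The job also relies on the action's default severity threshold; setting its `fail-on-severity` input explicitly documents what the gate is meant to block.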
@@ -19,25 +19,23 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+ uses: docker/setup-buildx-action@v3
 - name: Login to Registry
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ github.token }}
 - name: Build and push development docker image
- uses: docker/build-push-action@v3
+ uses: docker/build-push-action@v5
 with:
 context: .
 push: true
 tags: ghcr.io/${{ github.repository }}:${{ env.TAG }}
 cache-from: type=gha,scope=osis
 cache-to: type=gha,mode=max,scope=osis
- build-args: |
- NODE_ENV=${{ matrix.build.env }}
diff --git a/.github/workflows/gradle-build-and-upload.yml b/.github/workflows/gradle-build-and-upload.yml
index 0bfd381..154eebb 100644
--- a/.github/workflows/gradle-build-and-upload.yml
+++ b/.github/workflows/gradle-build-and-upload.yml
@@ -21,16 +21,16 @@ jobs:
 SIGNING_PWD: ${{ secrets.SIGNING_PASSWORD }}
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Setup Java
- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
 with:
 distribution: "corretto"
 java-version: "17"
 - name: Setup Gradle
- uses: gradle/gradle-build-action@v2
+ uses: gradle/gradle-build-action@v3
 with:
 gradle-version: 7.3
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 960a26e..6801e7c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,8 +13,7 @@ jobs:
 name: Docker image
 uses: ./.github/workflows/docker-build.yml
 with:
- namespace: osis
- REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+ tag: ${{ github.event.inputs.tag }}
 github-release:
 name: Creating GitHub Release
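Review bot: The hunk drops `build-args: |` / `NODE_ENV=${{ matrix.build.env }}` in addition to the version bumps the subject announces, which changes the Docker build inputs; the `build` job header is outside the hunk, so whether a `strategy.matrix` ever defined `matrix.build.env` cannot be confirmed here, and the commit message should state that the argument was dead (or the removal should be its own commit). The bumped `uses:` lines still float on major-version tags (`actions/checkout@v4`, `docker/login-action@v3`, `docker/build-push-action@v5`); for the job that holds the registry push token, pinning each to a full commit SHA with the tag in a trailing comment, e.g. `uses: docker/login-action@<commit-sha>  # v3`, limits what a retagged or compromised action release can do with `github.token`.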
@@ -24,7 +23,7 @@ jobs:
 - docker-build
 steps:
 - name: Github Release
- uses: softprops/action-gh-release@v1
+ uses: softprops/action-gh-release@v2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index 5fa9484..13f3ca2 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -22,7 +22,7 @@ jobs:
 trivy:
 needs: build
 name: Trivy Vulnerability Scan for Code
- uses: scality/workflows/.github/workflows/trivy.yaml@v1
+ uses: scality/workflows/.github/workflows/trivy.yaml@v2
 with:
 name: ${{ github.event.repository.name }}
 namespace: ${{ github.repository_owner }}
diff --git a/.github/workflows/test-and-build.yml b/.github/workflows/test-and-build.yml
index defe219..9938c83 100644
--- a/.github/workflows/test-and-build.yml
+++ b/.github/workflows/test-and-build.yml
@@ -23,7 +23,7 @@ jobs:
 timeout-minutes: 10
 steps:
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@v3
+ uses: codecov/codecov-action@v4
 with:
 token: ${{ secrets.CODECOV_TOKEN }} # not required for public repos
 name: codecov-osis
From a2ba7409fd2adea28c6910bfff541b7e1d002e34 Mon Sep 17 00:00:00 2001
From: Anurag Mittal
Date: Wed, 22 May 2024 12:11:27 +0200
Subject: [PATCH 3/4] OSIS-147-bump-OSIS-to-2.1.4
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index 0a58046..ac55c87 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,6 +1,6 @@
 buildscript {
 ext {
- osisVersion = '2.1.3'
+ osisVersion = '2.1.4'
 vaultclientVersion = '1.1.2'
 springBootVersion = '2.7.6'
 }
From 2c118c55d4631a63a2ed87d9986b25a18c0f4c93 Mon Sep 17 00:00:00 2001
From: Anurag Mittal
Date: Wed, 22 May 2024 13:01:15 +0200
Subject: [PATCH 4/4] [fixup-commit-1] squash and reorder post review
---
 .github/workflows/codeql.yaml | 8 ++++++--
 .github/workflows/dependency-review.yaml | 4 +++-
 .github/workflows/security.yaml | 8 ++++++--
 3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index 579154f..2247534 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -3,9 +3,13 @@ name: codeQL
 on:
 push:
- branches: [main]
+ branches:
+ - main
+ - development/2.1
 pull_request:
- branches: [main]
+ branches:
+ - main
+ - development/2.1
 workflow_dispatch:
 jobs:
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
index 1c74020..f1913fc 100644
--- a/.github/workflows/dependency-review.yaml
+++ b/.github/workflows/dependency-review.yaml
@@ -3,7 +3,9 @@ name: dependency review
 on:
 pull_request:
- branches: [main]
+ branches:
+ - main
+ - development/2.1
 jobs:
 dependency-review:
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index 13f3ca2..806e9ef 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -3,11 +3,15 @@ name: security
 on:
 push:
- branches: [main]
+ branches:
+ - main
+ - development/2.1
 release:
 types: [published]
 pull_request:
- branches: [main]
+ branches:
+ - main
+ - development/2.1
 schedule:
 - cron: '0 8 * * 1' # Monday - 8am - UTC
 workflow_dispatch: