Update gh actions

.github/workflows/cd-test.yml

@@ -38,12 +38,12 @@ jobs:
         run: yarn lerna:prepublish 
 
       - name: Run all tests
-        run: yarn test --verbose --collectCoverage=true --forceExit --detectOpenHandles
+        run: yarn test --verbose --collectCoverage=true --forceExit
         env:
           NODE_OPTIONS: --max_old_space_size=5120
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v2
+        uses: codecov/codecov-action@v4
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           directory: ./coverage

.github/workflows/docker-docs.yml

@@ -5,16 +5,16 @@ on:
     paths:
       - "docs/fhir-web-docker-deployment.md"
     branches:
-      - master
+      - main
 
 jobs:
   update-docker-hub-documentation:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Update Docker Hub ReadMe
-        uses: peter-evans/dockerhub-description@v3
+        uses: peter-evans/dockerhub-description@v4
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}

.github/workflows/docker-publish.yml

@@ -7,7 +7,7 @@ on:
     # Publish `master` as Docker `master` tag.
     # See also https://github.com/crazy-max/ghaction-docker-meta#basic
     branches:
-      - master
+      - main
 
     # Publish `v1.2.3` tags as releases.
     tags:
@@ -31,7 +31,7 @@ jobs:
     if: github.event_name == 'pull_request'
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           submodules: recursive
 
@@ -43,63 +43,72 @@ jobs:
     if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           submodules: recursive
 
-#      - name: Set up QEMU
-#        uses: docker/setup-qemu-action@v1
-
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-
+     - name: Set up QEMU
+       uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
 
-      - name: Docker meta
-        id: docker_meta
-        uses: crazy-max/ghaction-docker-meta@v1
+      - name: Extract metadata for Docker
+        id: meta
+        uses: docker/metadata-action@v5
         with:
-          images: opensrp/web
-          tag-custom: ${{ github.event.inputs.customTag }}
+          images: |
+            opensrp/web
+          tags: |
+            type=ref,event=branch,key=main,tag=latest
+            type=ref,event=branch,pattern=release/*,group=1
+            type=ref,event=tag
+            type=sha
+            # Add a custom tag if provided through workflow_dispatch input
+            type=raw,value=${{ github.event.inputs.customTag }}
 
       - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Push to Docker Image Repositories
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
         id: docker_build
         with:
           push: true
-#          platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64,linux/arm64
           tags: |
             ${{ steps.docker_meta.outputs.tags }}
-            ghcr.io/${{ steps.docker_meta.outputs.tags }}
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache-new
-
-      # Temp fix
-      # https://github.com/docker/build-push-action/issues/252
-      # https://github.com/moby/buildkit/issues/1896
-      - name: Move cache
-        run: |
-          rm -rf /tmp/.buildx-cache
-          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+          cache-from: type=gha,scope=${{ github.workflow }}
+          cache-to: type=gha,mode=max,scope=${{ github.workflow }}
 
       - name: Image digest
         run: echo ${{ steps.docker_build.outputs.digest }}
+
+      - name: Scan Docker Image with Docker Scout and Save Report
+        id: scout
+        run: |
+          # Save the Docker Scout report as JSON and Markdown
+          docker scout cves ${{ steps.meta.outputs.tags }} --output json > scout-report.json
+          docker scout cves ${{ steps.meta.outputs.tags }} --output markdown > scout-report.md
+
+      - name: Check Docker Scout Scan Result
+        id: check-scout-result
+        run: |
+          # Check if any vulnerabilities are reported in the JSON output
+          if grep -q '"severity":' scout-report.json; then
+            echo "Vulnerabilities found in Docker Scout report."
+            echo "found_vulnerabilities=true" >> $GITHUB_ENV
+          else
+            echo "No vulnerabilities found."
+            echo "found_vulnerabilities=false" >> $GITHUB_ENV
+
+      - name: Create GitHub Issue for Vulnerabilities
+        if: env.found_vulnerabilities == 'true'
+        uses: peter-evans/create-issue-from-file@v4
+        with:
+          title: "Docker Scout Vulnerability Report for Image ${{ steps.meta.outputs.tags }}"
+          content-filepath: scout-report.md
+          labels: bug, security