diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
new file mode 100644
index 0000000..2247534
--- /dev/null
+++ b/.github/workflows/codeql.yaml
@@ -0,0 +1,50 @@
+---
+name: codeQL
+
+on:
+ push:
+ branches:
+ - main
+ - development/2.1
+ pull_request:
+ branches:
+ - main
+ - development/2.1
+ workflow_dispatch:
+
+jobs:
+ analyze:
+ name: Static analysis with CodeQL
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ runs-on: ubuntu-latest
+ env:
+ NEXUS_UNAME: ${{ secrets.NEXUS_USERNAME }}
+ NEXUS_PWD: ${{ secrets.NEXUS_PASSWORD }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: java
+
+ - name: Setup Java
+ uses: actions/setup-java@v4
+ with:
+ distribution: "corretto"
+ java-version: "17"
+
+ - name: Setup Gradle
+ uses: gradle/gradle-build-action@v3
+ with:
+ gradle-version: 7.3
+
+ - name: Execute build with Gradle wrapper
+ run: ./gradlew build -PsonatypeUsername=$NEXUS_UNAME -PsonatypePassword=$NEXUS_PWD
+
+ - name: Build and analyze
+ uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
new file mode 100644
index 0000000..f1913fc
--- /dev/null
+++ b/.github/workflows/dependency-review.yaml
@@ -0,0 +1,18 @@
+---
+name: dependency review
+
+on:
+ pull_request:
+ branches:
+ - main
+ - development/2.1
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@v4
+
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v4
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 7f01ce1..365f9c3 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
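Review bot: The `run:` step hands `$NEXUS_UNAME`/`$NEXUS_PWD` to Gradle on the command line via `-PsonatypeUsername=…`/`-PsonatypePassword=…`, which makes the secrets visible to every other process on the runner through the process listing, beyond what GitHub's log masking protects; Gradle reads `ORG_GRADLE_PROJECT_<name>` environment variables as project properties, so renaming the `env:` entries to `ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.NEXUS_USERNAME }}` and `ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.NEXUS_PASSWORD }}` lets the step shrink to `run: ./gradlew build`. On `pull_request` runs from forks those secrets are empty, so the build will presumably fail before CodeQL analyzes anything; a comment on the `pull_request:` trigger stating that expectation would save the next reader a debugging round. Style: `gradle-version: 7.3` is an unquoted float next to the quoted `java-version: "17"`; write `gradle-version: "7.3"` so a later `7.30` is not silently read as `7.3`. Every `uses:` in this diff (also dependency-review.yaml, docker-build.yml, gradle-build-and-upload.yml, release.yml, security.yaml and test-and-build.yml) references a mutable major tag; pinning third-party actions and the external `scality/workflows` reusable workflow to a full commit SHA with the version in a trailing comment removes the tag-retargeting exposure.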
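Review bot: The new dependency-review workflow declares no `permissions:` block, so its job runs with whatever default token scopes the repository grants, which may include write access it never needs; add `permissions:` / `  contents: read` under `dependency-review:` (plus `pull-requests: write` only if PR summary comments are enabled), matching the explicit least-privilege block that codeql.yaml in this same diff carries. Style: the step names are single-quoted (`'Checkout Repository'`, `'Dependency Review'`) while the sibling workflows leave plain names unquoted; pick one convention across the new files.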
@@ -4,28 +4,13 @@ name: docker-build on: workflow_call: inputs: - namespace: - required: false - type: string - default: osis-dev tag: required: false type: string default: "${{ github.sha }}" - registry: - required: false - type: string - default: registry.scality.com - secrets: - REGISTRY_LOGIN: - required: true - REGISTRY_PASSWORD: - required: true env: - NAMESPACE: ${{ inputs.namespace }} TAG: ${{ inputs.tag }} - REGISTRY: ${{ inputs.registry }} jobs: build: @@ -34,25 +19,23 @@ jobs: timeout-minutes: 10 steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Login to Registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: - registry: ${{ env.REGISTRY }} - username: ${{ secrets.REGISTRY_LOGIN }} - password: ${{ secrets.REGISTRY_PASSWORD }} + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ github.token }} - name: Build and push development docker image - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . push: true - tags: ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/osis:${{ env.TAG }} + tags: ghcr.io/${{ github.repository }}:${{ env.TAG }} cache-from: type=gha,scope=osis cache-to: type=gha,mode=max,scope=osis - build-args: | - NODE_ENV=${{ matrix.build.env }} diff --git a/.github/workflows/gradle-build-and-upload.yml b/.github/workflows/gradle-build-and-upload.yml index 0bfd381..154eebb 100644 --- a/.github/workflows/gradle-build-and-upload.yml +++ b/.github/workflows/gradle-build-and-upload.yml 
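Review bot: The rebuilt login and push steps in the second hunk now rely on `github.token` carrying `packages: write`, but the reusable workflow no longer declares any `permissions` or `secrets` of its own, so that requirement is invisible to callers until the push fails; document it at the `build:` stanza, e.g. `# Pushes to ghcr.io with github.token: callers must grant permissions: packages: write (and contents: read)`. Two things to verify as well: ghcr.io rejects image references containing uppercase characters, so `tags: ghcr.io/${{ github.repository }}:${{ env.TAG }}` only works while the owner and repository names are all lowercase (the README's `ghcr.io/scality/osis` suggests they are today); and `push: true` is unconditional, so a caller triggered by a fork `pull_request` will attempt the push with a read-only token and fail rather than skip. The `build:` job header and its `runs-on` line are outside this hunk.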
@@ -21,16 +21,16 @@ jobs: SIGNING_PWD: ${{ secrets.SIGNING_PASSWORD }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Java - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: distribution: "corretto" java-version: "17" - name: Setup Gradle - uses: gradle/gradle-build-action@v2 + uses: gradle/gradle-build-action@v3 with: gradle-version: 7.3 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a1f6791..6801e7c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,11 +13,7 @@ jobs: name: Docker image uses: ./.github/workflows/docker-build.yml with: - namespace: osis tag: ${{ github.event.inputs.tag }} - secrets: - REGISTRY_LOGIN: ${{ secrets.REGISTRY_LOGIN }} - REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} github-release: name: Creating GitHub Release @@ -27,7 +23,7 @@ jobs: - docker-build steps: - name: Github Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml new file mode 100644 index 0000000..806e9ef --- /dev/null +++ b/.github/workflows/security.yaml @@ -0,0 +1,33 @@ +--- +name: security + +on: + push: + branches: + - main + - development/2.1 + release: + types: [published] + pull_request: + branches: + - main + - development/2.1 + schedule: + - cron: '0 8 * * 1' # Monday - 8am - UTC + workflow_dispatch: + +jobs: + build: + permissions: + contents: read + packages: write + uses: ./.github/workflows/docker-build.yml + + trivy: + needs: build + name: Trivy Vulnerability Scan for Code + uses: scality/workflows/.github/workflows/trivy.yaml@v2 + with: + name: ${{ github.event.repository.name }} + namespace: ${{ github.repository_owner }} + registry: ghcr.io diff --git a/.github/workflows/test-and-build.yml b/.github/workflows/test-and-build.yml index 8a120be..9938c83 100644 
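Review bot: With the `secrets:` mapping dropped from this `with:` call, the `docker-build` job in release.yml now pushes to ghcr.io through `github.token`, which needs `permissions: packages: write` at the job level in the way security.yaml's `build` job grants it; the job header sits above this hunk, so it may already carry that block — verify, and add `permissions:` / `  contents: read` / `  packages: write` if not. The same applies to the `docker-build` job of test-and-build.yml further down in this diff, whose hunk likewise removes only the `secrets:` mapping.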
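Review bot: The `trivy` job passes `name`, `namespace` and `registry` to the external workflow but not the tag the `build` job just pushed, so unless `scality/workflows/.github/workflows/trivy.yaml@v2` defaults to `${{ github.sha }}` (docker-build.yml's default `tag` input) the scan may target a different image than the one built in this run; if that workflow exposes a tag input, pass it explicitly, and otherwise add a comment stating the assumed default. The `build` job also grants `packages: write` and is triggered on `pull_request`, so every same-repository PR pushes a `github.sha`-tagged image into the organization's package before any scan result exists, while fork PRs will fail the push outright with the read-only token; consider gating the push on the event type for PR runs. Both the `push:` and `pull_request:` triggers fire for commits that land on `main`, so the build-and-scan pair presumably runs twice per merged change.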
--- a/.github/workflows/test-and-build.yml +++ b/.github/workflows/test-and-build.yml @@ -16,9 +16,6 @@ jobs: docker-build: name: Development docker image uses: ./.github/workflows/docker-build.yml - secrets: - REGISTRY_LOGIN: ${{ secrets.REGISTRY_LOGIN }} - REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} code_coverage: name: code coverage @@ -26,7 +23,7 @@ jobs: timeout-minutes: 10 steps: - name: Upload coverage to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@v4 with: token: ${{ secrets.CODECOV_TOKEN }} # not required for public repos name: codecov-osis diff --git a/README.md b/README.md index 0922dbc..d234ec3 100644 --- a/README.md +++ b/README.md @@ -20,11 +20,11 @@ This project is for OSIS, which integrates [Scality RING](https://www.scality.co ``` Dev: ```sh - $ docker pull registry.scality.com/vmware-ose-scality-dev/vmware-ose-scality: + docker pull ghcr.io/scality/osis: ``` Production image: ```sh - $ docker pull registry.scality.com/vmware-ose-scality/vmware-ose-scality: + docker pull ghcr.io/scality/osis: ``` 1. Generate a self-signed SSL certificate and store it in a binary PKCS#12 format file with extension `.p12` file. (Refer [here](#To-generate-PKCS12-file-for-self-signed-SSL-certificate)) @@ -57,7 +57,7 @@ This project is for OSIS, which integrates [Scality RING](https://www.scality.co -v :/app/lib/osis.p12:ro,z \ -v :/conf/crypto.yml:ro,z \ -v :/conf/application.properties:ro,z \ - registry.scality.com/vmware-ose-scality-dev/vmware-ose-scality: + ghcr.io/scality/osis: ``` Production image: ```sh @@ -68,7 +68,7 @@ This project is for OSIS, which integrates [Scality RING](https://www.scality.co -v :/app/lib/osis.p12:ro,z \ -v :/conf/crypto.yml:ro,z \ -v :/conf/application.properties:ro,z \ - registry.scality.com/vmware-ose-scality/vmware-ose-scality: + ghcr.io/scality/osis: ``` diff --git a/build.gradle b/build.gradle index 0a58046..ac55c87 100644 --- a/build.gradle +++ b/build.gradle 
@@ -1,6 +1,6 @@ buildscript { ext { - osisVersion = '2.1.3' + osisVersion = '2.1.4' vaultclientVersion = '1.1.2' springBootVersion = '2.7.6' } diff --git a/docs/RELEASE.md b/docs/RELEASE.md index 46f842d..5f62cfd 100644 --- a/docs/RELEASE.md +++ b/docs/RELEASE.md @@ -2,11 +2,10 @@ ## Docker Image generation -Docker images are hosted on registry.scality.com. -It has two names spaces for Vmware-ose-scality: +Docker images are hosted on ghcr.io/scality. +It has one image: -* Production Namespace: registry.scality.com/vmware-ose-scality -* Dev Namespace: registry.scality.com/vmware-ose-scality-dev +* Production container image: ghcr.io/scality/osis Production namespace provides write access to a few admins and CI while read access is given to all the developers. Dev namespace provides write access @@ -17,8 +16,8 @@ images to be used by developers, CI builds, build chain and so on. ## How to pull docker images ```sh - docker pull registry.scality.com/vmware-ose-scality-dev/vmware-ose-scality: - docker pull registry.scality.com/vmware-ose-scality/vmware-ose-scality: + docker pull ghcr.io/scality/osis: + docker pull ghcr.io/scality/osis: ``` ## Release Process diff --git a/docs/milestone-2-steps.md b/docs/milestone-2-steps.md index c71ba1b..edb843b 100644 --- a/docs/milestone-2-steps.md +++ b/docs/milestone-2-steps.md @@ -67,7 +67,7 @@ docker restart scality-vault-1 - Pull this docker image. Use the latest commit from thew repository as SHA in the below command. ```sh -docker pull registry.scality.com/vmware-ose-scality-dev/vmware-ose-scality: +docker pull ghcr.io/scality/osis: ``` @@ -105,7 +105,7 @@ docker pull registry.scality.com/vmware-ose-scality-dev/vmware-ose-scality: -p 8443:8443 \ -v /root/keyStore.p12:/app/lib/osis.p12:ro,z \ -v /root/crypto.yml:/app/config/crypto.yml:ro,z \ - registry.scality.com/vmware-ose-scality-dev/vmware-ose-scality: + ghcr.io/scality/osis: ``` Note: For S3 Connector, use the host network as shows in the example above.