Skip to content

Commit

Permalink
Merge pull request eclipse-tractusx#63 from eclipse-tractusx/release/…
Browse files Browse the repository at this point in the history 
…v1.0.0-rc.1

build(1.0.0-rc.1): finalize version
  • Loading branch information
@evegufy
evegufy authored Apr 15, 2024
2 parents 05266b3 + 369b04f commit 92e51b0
Show file tree
Hide file tree
Showing 307 changed files with 25,494 additions and 344 deletions.
86 changes: 0 additions & 86 deletions .github/workflows/chart-release.yaml
View file

This file was deleted.

42 changes: 30 additions & 12 deletions .github/workflows/chart-test.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,12 +48,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0

- name: Kubernetes KinD Cluster
uses: container-tools/kind-action@v1
uses: container-tools/kind-action@0ad70e2299366b0e1552c7240f4e4567148f723e # v2.0.4
with:
# upgrade version, default (v0.17.0) uses node image v1.21.1 and doesn't work with more recent node image versions
version: v0.20.0
Expand All @@ -65,31 +65,49 @@ jobs:
uses: docker/build-push-action@v3

Check warning on line 65 in .github/workflows/chart-test.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Check warning on line 65 in .github/workflows/chart-test.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
with:
context: .
file: docker/Dockerfile-migrations
file: ./docker/Dockerfile-credential-issuer-migrations
push: true
tags: kind-registry:5000/migrations:testing
tags: kind-registry:5000/credential-issuer-migrations:testing

- name: Build service image
id: build-service-image
uses: docker/build-push-action@v3

Check warning on line 74 in .github/workflows/chart-test.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
with:
context: .
file: docker/Dockerfile-service
file: ./docker/Dockerfile-credential-issuer-service
push: true
tags: kind-registry:5000/service:testing
tags: kind-registry:5000/credential-issuer-service:testing

- name: Build expiry app
id: build-expiry-app-image
uses: docker/build-push-action@v3

Check warning on line 83 in .github/workflows/chart-test.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Check warning on line 83 in .github/workflows/chart-test.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Check warning on line 83 in .github/workflows/chart-test.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
with:
context: .
file: ./docker/Dockerfile-credential-expiry-app
push: true
tags: kind-registry:5000/credential-expiry-app:testing

- name: Build processes worker
id: build-processes-worker-image
uses: docker/build-push-action@v3

Check warning on line 92 in .github/workflows/chart-test.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Check warning on line 92 in .github/workflows/chart-test.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Check warning on line 92 in .github/workflows/chart-test.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Check warning on line 92 in .github/workflows/chart-test.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
with:
context: .
file: ./docker/Dockerfile-credential-issuer-processes-worker
push: true
tags: kind-registry:5000/credential-issuer-processes-worker:testing

- name: Set up Helm
uses: azure/setup-helm@v3
uses: azure/setup-helm@b7246b12e77f7134dc2d460a3d5bad15bbe29390 # v4
with:
version: v3.9.3

- uses: actions/setup-python@v4
- uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: '3.9'
check-latest: true

- name: Set up chart-testing
uses: helm/chart-testing-action@v2.3.1
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1

- name: Run chart-testing (list-changed)
id: list-changed
Expand All @@ -102,8 +120,8 @@ jobs:
- name: Run chart-testing (lint)
run: ct lint --validate-maintainers=false --check-version-increment=false --target-branch ${{ github.event.repository.default_branch }}

- name: Run service chart-testing (install)
run: ct install --charts charts/ssi-credential-issuer --config charts/chart-testing-config.yaml --helm-extra-set-args "--set=issuer.image=kind-registry:5000/service:testing --set=issuermigrations.image=kind-registry:5000/migrations:testing"
- name: Run chart-testing (install)
run: ct install --charts charts/ssi-credential-issuer --config charts/chart-testing-config.yaml --helm-extra-set-args "--set issuer.image.name=kind-registry:5000/credential-issuer-service --set issuer.image.tag=testing --set issuermigrations.image.name=kind-registry:5000/credential-issuer-migrations --set issuermigrations.image.tag=testing --set processesworker.image.name=kind-registry:5000/credential-issuer-processes-worker --set processesworker.image.tag=testing --set credentialExpiry.image.name=kind-registry:5000/credential-expiry-app --set credentialExpiry.image.tag=testing"
if: github.event_name != 'pull_request' || steps.list-changed.outputs.changed == 'true'

# TODO: re-add the step after the first version release
Expand All @@ -115,5 +133,5 @@ jobs:
# helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev
# helm install ssi-credential-issuer tractusx-dev/ssi-credential-issuer --version ${{ github.event.inputs.upgrade_from || 'tbd' }} --namespace upgrade --create-namespace
# helm dependency update charts/ssi-credential-issuer
# helm upgrade ssi-credential-issuer charts/ssi-credential-issuer --set issuer.image=kind-registry:5000/service:testing --set=issuermigrations.image=kind-registry:5000/migrations:testing --namespace upgrade
# helm upgrade ssi-credential-issuer charts/ssi-credential-issuer --set issuer.image.name=kind-registry:5000/credential-issuer-service --set issuer.image.tag=testing --set issuermigrations.image.name=kind-registry:5000/credential-issuer-migrations --set issuermigrations.image.tag=testing --set processesworker.image.name=kind-registry:5000/credential-issuer-processes-worker --set processesworker.image.tag=testing --set credentialExpiry.image.name=kind-registry:5000/credential-expiry-app --set credentialExpiry.image.tag=testing --namespace upgrade
# if: github.event_name != 'pull_request' || steps.list-changed.outputs.changed == 'true'
6 changes: 3 additions & 3 deletions .github/workflows/codeql.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ jobs:

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.227
uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v2.227
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
Expand All @@ -87,7 +87,7 @@ jobs:
# Automates dependency installation for Python, Ruby, and JavaScript, optimizing the CodeQL analysis setup.
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.227
uses: github/codeql-action/autobuild@1b1aada464948af03b950897e5eb522f92603cc2 # v2.227

# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
Expand All @@ -100,6 +100,6 @@ jobs:
# ./location_of_script_within_repo/buildscript.sh

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.227
uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v2.227
with:
category: "/language:${{matrix.language}}"
91 changes: 91 additions & 0 deletions .github/workflows/credential-expiry-app-docker.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
###############################################################
# Copyright (c) 2024 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0.
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# SPDX-License-Identifier: Apache-2.0
###############################################################

name: Build Credential Expiry App Image

on:
push:
paths:
# service and transitive paths
- 'src/**'
# workflow file
- '.github/workflows/credential-expiry-app-docker.yml'
# dockerfile
- 'docker/Dockerfile-credential-expiry-app'

branches:
- 'dev'
workflow_dispatch:

env:
IMAGE_NAMESPACE: "tractusx"
IMAGE_NAME: "ssi-credential-expiry-app"

jobs:
build-and-push-image:
runs-on: ubuntu-latest
permissions:
contents: read

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Login to DockerHub
if: github.event_name != 'pull_request'
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0

- name: Set up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0

- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=dev
type=raw,value=${{ github.sha }}
- name: Build and push Docker image
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
with:
context: .
file: ./docker/Dockerfile-credential-expiry-app
platforms: linux/amd64, linux/arm64
pull: true
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}

# https://github.com/peter-evans/dockerhub-description
- name: Update Docker Hub description
if: github.event_name != 'pull_request'
uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae # v4.0.0
with:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}
repository: ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}
readme-filepath: ./docker/notice-credential-expiry-app.md
15 changes: 9 additions & 6 deletions .github/workflows/dependencies.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -32,23 +32,26 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
dotnet-version: ['7.0']
# change to preview .NET 9 until fix for https://github.com/NuGet/Home/issues/12954 gets released for .NET 8
dotnet-version: ['9.0']

steps:

- name: Set up JDK 17
uses: actions/setup-java@v3
uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
with:
distribution: 'temurin'
java-version: '17'

- name: Setup .NET Core SDK ${{ matrix.dotnet-version }}
uses: actions/setup-dotnet@v2
uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
with:
dotnet-version: ${{ matrix.dotnet-version }}
# change to preview .NET 9 until fix for https://github.com/NuGet/Home/issues/12954 gets released for .NET 8
dotnet-quality: 'preview'

- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Install dependencies
run: dotnet restore src
Expand All @@ -57,7 +60,7 @@ jobs:
run: dotnet list src package --include-transitive --interactive | grep ">" | grep -Pv "\s(Org.Eclipse.TractusX|Microsoft|NuGet|System|runtime|docker|Docker|NETStandard)" | sed -E -e "s/\s+> ([a-zA-Z\.\-]+).+\s([0-9]+\.[0-9]+\.[0-9]+)\s*/nuget\/nuget\/\-\/\1\/\2/g" | awk '!seen[$0]++' > PACKAGES

- name: Generate Dependencies file
run: java -jar ./scripts/download/org.eclipse.dash.licenses-1.1.1-20240213.065029-71.jar PACKAGES -project automotive.tractusx -summary DEPENDENCIES || true
run: java -jar ./scripts/download/org.eclipse.dash.licenses-1.1.1.jar PACKAGES -project automotive.tractusx -summary DEPENDENCIES || true

- name: Check if dependencies were changed
id: dependencies-changed
Expand All @@ -81,7 +84,7 @@ jobs:
if: steps.dependencies-changed.outputs.changed == 'true'

- name: Upload DEPENDENCIES file
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
path: DEPENDENCIES
if: steps.dependencies-changed.outputs.changed == 'true'
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/kics.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -42,10 +42,10 @@ jobs:
security-events: write

steps:
- uses: actions/checkout@v3
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: KICS scan
uses: checkmarx/kics-github-action@master
uses: checkmarx/kics-github-action@8a44970e3d2eca668be41abe9d4e06709c3b3609 # v1.7.0
with:
# Scanning directory .
path: "."
Expand All @@ -69,7 +69,7 @@ jobs:
# Upload findings to GitHub Advanced Security Dashboard
- name: Upload SARIF file for GitHub Advanced Security Dashboard
if: always()
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
with:
sarif_file: kicsResults/results.sarif

6 changes: 3 additions & 3 deletions .github/workflows/lint-pull-request.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,12 +31,12 @@ jobs:
name: Validate PR title
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@v5
- uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
id: lint_pr_title
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- uses: marocchino/sticky-pull-request-comment@v2
- uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
# When the previous steps fail, the workflow would stop. By adding this
# condition you can continue the execution with the populated error message.
if: always() && (steps.lint_pr_title.outputs.error_message != null)
Expand All @@ -55,7 +55,7 @@ jobs:
# Delete a previous comment when the issue has been resolved
- if: ${{ steps.lint_pr_title.outputs.error_message == null }}
uses: marocchino/sticky-pull-request-comment@v2
uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
with:
header: pr-title-lint-error
delete: true
Loading

0 comments on commit 92e51b0

Please sign in to comment.