From e49629cdf287fe39d020a6c833065dcbd2647ea2 Mon Sep 17 00:00:00 2001 From: Heap0017 Date: Thu, 5 Sep 2024 12:41:34 +0200 Subject: [PATCH 1/3] Fix docs of PUPPETDB_JAVA_ARGS --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 27430070e..7c7fa453f 100644 --- a/README.md +++ b/README.md @@ -75,7 +75,7 @@ docker pull ghcr.io/voxpupuli/puppetdb:7.13.0-v1.2.1 | **PUPPETDB_NODE_TTL** | Mark as ‘expired’ nodes that haven’t seen any activity (no new catalogs, facts, or reports) in the specified amount of time

`7d` | | **PUPPETDB_NODE_PURGE_TTL** | Automatically delete nodes that have been deactivated or expired for the specified amount of time

`14d` | | **PUPPETDB_REPORT_TTL** | Automatically delete reports that are older than the specified amount of time

`14d` | -| **PUPPETDB_JAVA_ARGS** | Arguments passed directly to the JVM when starting the service

`-Djava.net.preferIPv4Stack=true -Xms256m -Xmx256m -XX:+UseParallelGC -Xloggc:/opt/puppetlabs/server/data/puppetdb/logs/puppetdb_gc.log -Djdk.tls.ephemeralDHKeySize=2048` | +| **PUPPETDB_JAVA_ARGS** | Arguments passed directly to the JVM when starting the service

`-Djava.net.preferIPv4Stack=true -Xms256m -Xmx256m -XX:+UseParallelGC -Xlog:gc*:file=$LOGDIR/puppetdb_gc.log -Djdk.tls.ephemeralDHKeySize=2048` | | **LOGDIR** | Path of the log directory

`/opt/puppetlabs/server/data/puppetdb/logs` | | **SSLDIR** | Path of the SSL directory

`/opt/puppetlabs/server/data/puppetdb/certs` | From 6745326d9d4464bfc5f348c3c152b55422392039 Mon Sep 17 00:00:00 2001 From: Robert Waffen Date: Fri, 6 Sep 2024 13:41:43 +0200 Subject: [PATCH 2/3] feat: enable the auto-merge feature on dependabot prs - so we only have to approve them - enables the github feature auto-merge - only add this if tests pass Signed-off-by: Robert Waffen --- .github/workflows/ci.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 9f53bb68f..71ff0d5b5 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -88,3 +88,24 @@ jobs: name: Test suite steps: - run: echo Test suite completed + + dependabot: + permissions: + contents: write + name: 'Dependabot auto-merge' + needs: + - tests + runs-on: ubuntu-latest + if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request'}} + steps: + - name: Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@v2.2.0 + with: + github-token: '${{ secrets.GITHUB_TOKEN }}' + + - name: Enable auto-merge for Dependabot PRs + run: gh pr merge --auto --merge "$PR_URL" + env: + PR_URL: ${{github.event.pull_request.html_url}} + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} From f031aa0b0d4e9b9cb48745fa0ade048bc7b42e99 Mon Sep 17 00:00:00 2001 From: Robert Waffen Date: Fri, 6 Sep 2024 14:08:07 +0200 Subject: [PATCH 3/3] feat: switch container scanning to grype Signed-off-by: Robert Waffen --- .github/workflows/ci.yaml | 31 ------------- .github/workflows/security_scanning.yml | 61 +++++++++++++++++++++++++ 2 files changed, 61 insertions(+), 31 deletions(-) create mode 100644 .github/workflows/security_scanning.yml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 71ff0d5b5..ff20ab1d1 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
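Review bot: The outputs of the `Dependabot metadata` step (`id: metadata`) are never consulted, so the `Enable auto-merge for Dependabot PRs` step queues every Dependabot PR for merge, including major version bumps; gate it with `if: ${{ steps.metadata.outputs.update-type != 'version-update:semver-major' }}` (or whichever update types the project wants merged unattended). `gh pr merge --auto` typically also needs `pull-requests: write` alongside the declared `contents: write`, and "Allow auto-merge" must be enabled in the repository settings, so a misconfiguration here is likely to show up only at run time. Both actions are referenced by mutable tag (`dependabot/fetch-metadata@v2.2.0` is a tag, not a commit SHA) in a job that holds a write-capable token; pinning to a commit SHA would be the stronger supply-chain posture.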
@@ -49,37 +49,6 @@ jobs: PUPPET_RELEASE=${{ matrix.release }} PUPPETDB_VERSION=${{ matrix.version }} - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: voxpupulibot - password: ${{ secrets.DOCKERHUB_BOT_PASSWORD }} - - - name: Analyze container image for CVEs - id: analyze-image-cves - uses: docker/scout-action@v1 - with: - command: cves - image: 'local://ci/puppetdb:${{ matrix.version }}' - sarif-file: sarif.output.${{ matrix.version }}.${{ github.sha }}.json - write-comment: false - - - name: Compare container image to latest from Registry - id: compare-image - uses: docker/scout-action@v1 - with: - command: compare - image: 'local://ci/puppetdb:${{ matrix.version }}' - to: 'ghcr.io/voxpupuli/puppetdb:${{ matrix.version }}-latest' - summary: true - keep-previous-comments: true - - - name: Upload SARIF result - id: upload-sarif - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: sarif.output.${{ matrix.version }}.${{ github.sha }}.json - tests: needs: - general_ci diff --git a/.github/workflows/security_scanning.yml b/.github/workflows/security_scanning.yml new file mode 100644 index 000000000..651126367 --- /dev/null +++ b/.github/workflows/security_scanning.yml 
@@ -0,0 +1,61 @@
+---
+name: Security Scanning 🕵️
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ setup-matrix:
+ runs-on: ubuntu-latest
+ outputs:
+ matrix: ${{ steps.set-matrix.outputs.matrix }}
+ steps:
+ - name: Source checkout
+ uses: actions/checkout@v4
+
+ - id: set-matrix
+ run: echo "matrix=$(jq -c . build_versions.json)" >> $GITHUB_OUTPUT
+
+ scan_ci_container:
+ name: 'Scan CI container'
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ needs: setup-matrix
+ strategy:
+ matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Build CI container
+ uses: docker/build-push-action@v6
+ with:
+ tags: 'ci/puppetdb:${{ matrix.version }}'
+ context: puppetdb
+ push: false
+ build-args: |
+ PUPPET_RELEASE=${{ matrix.release }}
+ PUPPETDB_VERSION=${{ matrix.version }}
+
+ - name: Scan image with Anchore Grype
+ uses: anchore/scan-action@v4
+ id: scan
+ with:
+ image: 'ci/puppetdb:${{ matrix.version }}'
+ fail-build: false
+
+ - name: Inspect action SARIF report
+ run: jq . ${{ steps.scan.outputs.sarif }}
+
+ - name: Upload Anchore scan SARIF report
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}
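Review bot: The new workflow has no top-level `permissions:` and the `setup-matrix` job declares none, so that job runs with the repository's default token permissions (often read/write) although it only checks out the repo and reads `build_versions.json`; add `permissions: contents: read` under `setup-matrix` (or at the top level, keeping the per-job elevation already present in `scan_ci_container`). `fail-build: false` with no `severity-cutoff` means the Grype step never blocks a PR and findings surface only in code scanning via the SARIF upload; if that is intended, a comment on the step such as `# Report-only: findings go to code scanning; set fail-build/severity-cutoff to gate merges` would make it explicit. Every action is pinned by mutable tag (`@v4`, `@v6`, `@v3`) in a job holding `security-events: write`; a commit SHA pin would protect against a re-pointed tag. The SARIF upload requires `security-events: write`, which is read-only for pull requests from forks, so that step will likely fail on fork PRs unless guarded.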