diff --git a/.github/workflows/ci-cd-java.yml b/.github/workflows/ci-cd-java.yml
index 2e403cd..f400ae7 100644
--- a/.github/workflows/ci-cd-java.yml
+++ b/.github/workflows/ci-cd-java.yml
@@ -1,8 +1,6 @@ name: ci-cd-java.yml -permissions: - contents: read - packages: read +permissions: {} on: workflow_call:
@@ -32,15 +30,19 @@ env: IMAGE_NAME_MIXED_CASE: "${{ github.repository }}" jobs: - build-check-test-push: - name: Build, check, test, push + ci: + name: Build, check, test runs-on: ubuntu-latest + permissions: + contents: read + packages: read steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: clean: 'true' fetch-depth: 2 + persist-credentials: false # Required since custom scripts from /scripts are being used - name: Resolve shared workflow ref
@@ -66,6 +68,7 @@ jobs: repository: HSLdevcom/transitdata-shared-workflows ref: ${{ steps.resolve_shared_workflow_ref.outputs.shared_workflow_ref }} path: .shared-workflows + persist-credentials: false - name: Setup JDK uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
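Review bot: The pre-existing comment `# Required since custom scripts from /scripts are being used` in the `ci` job's Checkout step now reads as the rationale for the new `persist-credentials: false` line, because that key is inserted between `fetch-depth: 2` (which the comment most likely explained, since it followed it directly) and the comment; the collapsed diff does not show whether the comment is inline or on its own line, but either way the association is lost. Place the new key above `fetch-depth: 2`, or move the comment back next to the key it explains. The same ordering appears in the kotlin workflow's `ci` Checkout hunk. The `ci` job continues past this hunk.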
@@ -161,45 +164,44 @@ jobs: name: 'app.jar' path: '/app/app.jar' + release: + name: Build & push Docker image + needs: ci + if: >- + github.ref == 'refs/heads/main' || + github.ref == 'refs/heads/develop' || + github.ref == 'refs/heads/aks-dev' || + startsWith(github.ref, 'refs/tags/') || + inputs.performRelease == true + runs-on: ubuntu-latest + environment: docker-hub-release + permissions: + contents: read + steps: + - name: Checkout + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + clean: 'true' + persist-credentials: false + - name: Set Docker Image Name + env: + IMAGE_NAME_INPUT: ${{ inputs.imageName }} run: | OWNER="${GITHUB_REPOSITORY%%/*}" - if [[ -n "${{ inputs.imageName }}" ]]; then - IMAGE_NAME="${OWNER,,}/${{ inputs.imageName }}" + if [[ -n "${IMAGE_NAME_INPUT}" ]]; then + IMAGE_NAME="${OWNER,,}/${IMAGE_NAME_INPUT}" else IMAGE_NAME="${GITHUB_REPOSITORY,,}" fi echo "IMAGE_NAME=${IMAGE_NAME}" >> "$GITHUB_ENV" - - name: Build Docker Image - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 - with: - context: ${{ inputs.workingDirectory }} - push: 'false' - tags: 'hsldevcom/${{ env.IMAGE_NAME }}:${{ github.sha }}' - secrets: | - github_token=${{ secrets.GITHUB_TOKEN }} - build-args: - GITHUB_ACTOR=${{ github.actor }} - - - name: Check if perform release - id: perform_release - run: | - PERFORM_RELEASE=false - if [[ "${GITHUB_REF}" == "refs/heads/main" || "${GITHUB_REF}" == "refs/heads/develop" || "${GITHUB_REF}" == "refs/heads/aks-dev" ]]; then - PERFORM_RELEASE=true - elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then - PERFORM_RELEASE=true - elif [[ "${{ inputs.performRelease }}" == "true" ]]; then - PERFORM_RELEASE=true - fi - echo "PERFORM_RELEASE=${PERFORM_RELEASE}" >> $GITHUB_ENV - echo "Perform release: ${PERFORM_RELEASE}" + - name: Setup Docker Buildx + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Extract Docker metadata - if: ${{ 
env.PERFORM_RELEASE == 'true' }} id: meta uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with:
@@ -212,26 +214,19 @@ jobs: org.opencontainers.image.title=${{ env.IMAGE_NAME }} org.opencontainers.image.vendor=hsldevcom - - name: Setup Docker Buildx - if: ${{ env.PERFORM_RELEASE == 'true' }} - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - - name: Login to Docker Hub - if: ${{ env.PERFORM_RELEASE == 'true' }} uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: username: ${{ secrets.DOCKER_HUB_INFODEVOPS_USERNAME }} password: ${{ secrets.DOCKER_HUB_INFODEVOPS_TOKEN }} - name: Build & Push Docker image - if: ${{ env.PERFORM_RELEASE == 'true' }} uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: ${{ inputs.workingDirectory }} - push: ${{ env.PERFORM_RELEASE }} + push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} secrets: | github_token=${{ secrets.GITHUB_TOKEN }} - build-args: | - GITHUB_ACTOR=${{ github.actor }} + github_actor=${{ github.actor }}
diff --git a/.github/workflows/ci-cd-kotlin.yml b/.github/workflows/ci-cd-kotlin.yml
index fa17a57..fdf08e6 100644
--- a/.github/workflows/ci-cd-kotlin.yml
+++ b/.github/workflows/ci-cd-kotlin.yml
@@ -1,8 +1,6 @@ name: ci-cd-kotlin.yml -permissions: - contents: read - packages: read +permissions: {} on: workflow_call:
@@ -34,15 +32,19 @@ env: IMAGE_NAME_MIXED_CASE: "${{ github.repository }}" jobs: - build-check-test-push: - name: Build, check, test, push + ci: + name: Build, check, test runs-on: ubuntu-latest + permissions: + contents: read + packages: read steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: clean: 'true' fetch-depth: 2 + persist-credentials: false # Required since custom scripts from /scripts are being used - name: Resolve shared workflow ref
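Review bot: The `Setup Docker Buildx` step added to the new `release` job keeps the action's default `cache-binary: true`, so the job that pushes to Docker Hub restores the buildx binary from the shared Actions cache, which is exactly the kind of cache-restored input a publishing job should not depend on; `cache-binary: false` under a `with:` on that step removes it, and the same applies to the buildx steps in the kotlin and typescript `release` jobs. Separately, the job-level `if` now tests `inputs.performRelease == true`, which only works if that `workflow_call` input (declared above this hunk, not visible here) is `type: boolean`: GitHub coerces mixed-type comparisons to numbers, so a string `'true'` never equals `true`, whereas the shell it replaces compared against the string `"true"` and accepted both. Confirm the declaration, or compare as `inputs.performRelease == 'true' || inputs.performRelease == true`; the same expression is in the kotlin and typescript `release` jobs. The `release` job continues past this hunk.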
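Review bot: `Build & Push Docker image` still passes `secrets.GITHUB_TOKEN` into the build as `github_token`, but the `release` job this step now belongs to grants only `contents: read` (its `permissions:` block sits above this hunk), while `ci` kept `packages: read`; if the Dockerfile uses that token to fetch dependencies from GitHub Packages, which is presumably why `ci` needs the scope, the token issued to `release` cannot read packages and the image build fails at dependency resolution, so add `packages: read` to the `release` job's permissions in that case. Moving `GITHUB_ACTOR` from `build-args` into `secrets` also changes the contract with the consuming repositories' Dockerfiles, which are outside this diff: one that still declares `ARG GITHUB_ACTOR` now silently builds with the ARG default and must read the value via `--mount=type=secret,id=github_actor` as the kotlin test Dockerfile in this commit does. A one-line comment above `github_actor=` stating that requirement would save callers a confusing failure. The `release` job starts before this hunk.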
@@ -67,6 +69,7 @@ jobs: repository: HSLdevcom/transitdata-shared-workflows ref: ${{ env.SHARED_WORKFLOW_REF }} path: .shared-workflows + persist-credentials: false - name: Setup JDK uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
@@ -90,7 +93,7 @@ jobs: if: ${{ inputs.runTestsInsideDocker }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITHUB_ACTOR_ARG: ${{ github.actor }} + GITHUB_ACTOR: ${{ github.actor }} DOCKER_BUILDKIT: "1" run: | cat > /tmp/Dockerfile.test << DOCKERFILE
@@ -98,16 +101,16 @@ jobs: # check=error=true FROM ${TEST_BASE_IMAGE} WORKDIR /usr/app - ARG GITHUB_ACTOR=github-actions COPY . . RUN --mount=type=secret,id=github_token \ + --mount=type=secret,id=github_actor \ export GITHUB_TOKEN="\$(cat /run/secrets/github_token)" && \ - export GITHUB_ACTOR="\$GITHUB_ACTOR" && \ + export GITHUB_ACTOR="\$(cat /run/secrets/github_actor)" && \ ./gradlew test --stacktrace --no-daemon DOCKERFILE docker build \ --secret id=github_token,env=GITHUB_TOKEN \ - --build-arg "GITHUB_ACTOR=${GITHUB_ACTOR_ARG}" \ + --secret id=github_actor,env=GITHUB_ACTOR \ -f /tmp/Dockerfile.test \ .
@@ -153,36 +156,34 @@ jobs: GITHUB_ACTOR: ${{ github.actor }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Lowercase Docker Image Name - run: | - echo "IMAGE_NAME=${IMAGE_NAME_MIXED_CASE,,}" >> "${GITHUB_ENV}" - - name: Build Docker Image - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + release: + name: Build & push Docker image + needs: ci + if: >- + github.ref == 'refs/heads/main' || + github.ref == 'refs/heads/develop' || + github.ref == 'refs/heads/aks-dev' || + startsWith(github.ref, 'refs/tags/') || + inputs.performRelease == true + runs-on: ubuntu-latest + environment: docker-hub-release + permissions: + contents: read + steps: + - name: Checkout + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: - context: . - push: 'false' - tags: 'hsldevcom/${{ env.IMAGE_NAME }}:${{ github.sha }}' + clean: 'true' + persist-credentials: false - - name: Check if perform release - id: perform_release + - name: Lowercase Docker Image Name run: | - PERFORM_RELEASE=false - if [[ "${GITHUB_REF}" == "refs/heads/main" || "${GITHUB_REF}" == "refs/heads/develop" || "${GITHUB_REF}" == "refs/heads/aks-dev" ]]; then - PERFORM_RELEASE=true - elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then - PERFORM_RELEASE=true - elif [[ "${{ inputs.performRelease }}" == "true" ]]; then - PERFORM_RELEASE=true - fi - echo "PERFORM_RELEASE=${PERFORM_RELEASE}" >> $GITHUB_ENV - echo "Perform release: ${PERFORM_RELEASE}" + echo "IMAGE_NAME=${IMAGE_NAME_MIXED_CASE,,}" >> "${GITHUB_ENV}" - name: Setup Docker Buildx - if: env.PERFORM_RELEASE == 'true' uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Extract Docker metadata - if: env.PERFORM_RELEASE == 'true' id: meta uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: 
@@ -196,17 +197,15 @@ jobs: org.opencontainers.image.vendor=hsldevcom - name: Login to Docker Hub - if: env.PERFORM_RELEASE == 'true' uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: username: ${{ secrets.DOCKER_HUB_INFODEVOPS_USERNAME }} password: ${{ secrets.DOCKER_HUB_INFODEVOPS_TOKEN }} - name: Build & Push Docker image - if: env.PERFORM_RELEASE == 'true' uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: . - push: ${{ env.PERFORM_RELEASE }} + push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/ci-cd-typescript.yml b/.github/workflows/ci-cd-typescript.yml
index 4955461..4918304 100644
--- a/.github/workflows/ci-cd-typescript.yml
+++ b/.github/workflows/ci-cd-typescript.yml
@@ -1,8 +1,6 @@ name: ci-cd-typescript.yml -permissions: - contents: read - packages: read +permissions: {} on: workflow_call:
@@ -27,21 +25,25 @@ env: PRODUCTION_STAGE: production jobs: - build-check-test-push: - name: Build, check, test, push + ci: + name: Build, check, test runs-on: ubuntu-latest + permissions: + contents: read + packages: read steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: clean: 'true' fetch-depth: 2 + persist-credentials: false - name: Install Node + # zizmor:ignore[cache-poisoning] Node binary tool-cache is implicit and cannot be disabled; no npm package cache is configured uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "lts/*" - cache: "npm" - name: Install NPM dependencies run: npm ci
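Review bot: The `# zizmor:ignore[cache-poisoning]` comment on the `Install Node` step justifies itself with "no npm package cache is configured", which is only true because `cache: "npm"` is removed in the same hunk; nothing ties the two together, so re-adding the cache later would silently void the justification while the suppression stays in place. Extend the comment to name that dependency, e.g. `# zizmor:ignore[cache-poisoning] Node binary tool-cache is implicit and cannot be disabled; keep this step without cache: "npm" so no package cache is restored`. The `ci` job continues past this hunk.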
@@ -65,46 +67,17 @@ jobs: fail_ci_if_error: true report_type: test_results - - name: Check if perform release - id: perform_release - run: | - PERFORM_RELEASE=false - if [[ "${GITHUB_REF}" == "refs/heads/main" || "${GITHUB_REF}" == "refs/heads/develop" || "${GITHUB_REF}" == "refs/heads/aks-dev" ]]; then - PERFORM_RELEASE=true - elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then - PERFORM_RELEASE=true - elif [[ "${{ inputs.performRelease }}" == "true" ]]; then - PERFORM_RELEASE=true - fi - echo "PERFORM_RELEASE=${PERFORM_RELEASE}" >> $GITHUB_ENV - echo "Perform release: ${PERFORM_RELEASE}" - - name: Lowercase Docker Image Name run: | echo "IMAGE_NAME=${IMAGE_NAME_MIXED_CASE,,}" >> "${GITHUB_ENV}" - - name: Extract docker metadata - id: meta - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 - with: - images: ${{ env.IMAGE_NAME }} - tags: | - type=edge,branch=main - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }} - type=sha,format=long - - - name: Setup Docker Buildx - if: env.PERFORM_RELEASE == 'true' - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - - name: Build and export to Docker if: ${{ inputs.checkAndTestInsideDocker }} uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: . load: true + no-cache: true target: "${{ env.TEST_STAGE }}" tags: "${{ env.IMAGE_NAME }}:${{ env.TEST_STAGE }}" 
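Review bot: `no-cache: true` on the `Build and export to Docker` step comes without a comment, and its purpose is not self-evident: this job publishes nothing, and with no `cache-from`/`cache-to` visible on the step the key only disables BuildKit's layer cache, so the likely reason is to keep a workflow-security audit (zizmor's cache-poisoning rule, presumably, given the rest of this commit) from flagging a cached build in a workflow that publishes from its `release` job. Add `# no-cache: keep the test image build free of restored build cache; this workflow publishes from the release job` above the key so the next reader does not remove it as a pointless slowdown. The `ci` job continues past this hunk.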
@@ -113,19 +86,57 @@ jobs: run: | docker run --rm "${{ env.IMAGE_NAME }}:${{ env.TEST_STAGE }}" + release: + name: Build & push Docker image + needs: ci + if: >- + github.ref == 'refs/heads/main' || + github.ref == 'refs/heads/develop' || + github.ref == 'refs/heads/aks-dev' || + startsWith(github.ref, 'refs/tags/') || + inputs.performRelease == true + runs-on: ubuntu-latest + environment: docker-hub-release + permissions: + contents: read + steps: + - name: Checkout + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + clean: 'true' + persist-credentials: false + + - name: Lowercase Docker Image Name + run: | + echo "IMAGE_NAME=${IMAGE_NAME_MIXED_CASE,,}" >> "${GITHUB_ENV}" + + - name: Setup Docker Buildx + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + + - name: Extract docker metadata + id: meta + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 + with: + images: ${{ env.IMAGE_NAME }} + tags: | + type=edge,branch=main + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }} + type=sha,format=long + - name: Login to Docker Hub - if: env.PERFORM_RELEASE == 'true' uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: username: ${{ secrets.DOCKER_HUB_INFODEVOPS_USERNAME }} password: ${{ secrets.DOCKER_HUB_INFODEVOPS_TOKEN }} - name: Build and push - if: env.PERFORM_RELEASE == 'true' uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: . push: true + no-cache: true target: "${{ env.PRODUCTION_STAGE }}" tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b857286..b5e5a7a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -42,3 +42,18 @@ jobs: - name: Run script tests run: pytest scripts/ -v + + zizmor: + name: Workflow security audit (zizmor) + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
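Review bot: The new `zizmor` job grants `contents: read` and `security-events: write`, which covers the SARIF upload only for a public repository; the action's README also lists `actions: read` as required when the repository is private, so either confirm this repository is public or add `actions: read` to the job's `permissions:`. The action runs with every input defaulted, so the audit persona and what counts as a failing finding are whatever the pinned version ships; since this job is the gate for the shared workflows in this repository, stating the policy explicitly under `with:` (the action's `persona` input, for one) makes it reviewable in this file rather than in the action's changelog.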