From 783bd292a8668cf63629f0e2beee2154ffe357d7 Mon Sep 17 00:00:00 2001 From: Hauke Hund Date: Sun, 15 Mar 2026 19:42:22 +0100 Subject: [PATCH] improved Actions workflow and dependabot config * Added a dependabot config to automate creation of pull requests for maven, github-actions, docker and docker-compose version upgrades. Will be active once merged into main. * Fixed missing tika-core version in maven api v2 dependency copy config. * Pinned base docker images in Dockerfiles. * Reconfigured GitHub Actions workflows: New build.yml workflow with automated maven and docker builds. Maven build configured to run tests and other elements in parallel. Docker images are scanned with trivy, trivy results are published to the internal GitHub Security Code Scanning results page. Docker images are signed and can be verified using ```cosign verify ghcr.io/datasharingframework/:@sha256: --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" --certificate-oidc-issuer "https://token.actions.githubusercontent.com"```. A cyclonedx SBOM is generated for the docker images and attached to the registry, SBOM is signed by cosign. New workflow includes codeql config. * New build.yml workflow is configured to run for pushes in release/* and hotfix/* branches, on Git tag pushes (regular releases, milestone and release candidates), on pull request to main and develop (opened, synchronize, reopened and closed events) as well as on a weakly schedule. * Releases are triggered via Git tags: If a commit is tagged that is part of the main branch, the docker images are tagged with a.b, a.b.c and 'latest'. Other Git tags (e.g. in a hotfix branch) will result in a.b and a.b.c for regular releases, and (e.g. in a release branch) a.b.c-RCx or a.b.c-Mx for preview releases. Merged pull requests into the develop branch trigger a docker image build that is tagged with 'develop'. --- .github/dependabot.yml | 92 ++++++ .github/workflows/build.yml | 288 ++++++++++++++++++ .github/workflows/codeql.yml | 53 ---- .github/workflows/maven-build.yml | 22 -- .github/workflows/maven-publish.yml | 29 -- dsf-bpe/dsf-bpe-process-api-v2-impl/pom.xml | 1 - .../dsf-bpe-server-jetty/docker/Dockerfile | 4 +- dsf-docker/bpe_proxy/Dockerfile | 2 +- dsf-docker/fhir_proxy/Dockerfile | 2 +- .../dsf-fhir-server-jetty/docker/Dockerfile | 4 +- 10 files changed, 386 insertions(+), 111 deletions(-) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/build.yml delete mode 100644 .github/workflows/codeql.yml delete mode 100644 .github/workflows/maven-build.yml delete mode 100644 .github/workflows/maven-publish.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..461978114 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,92 @@ +version: 2 +updates: + # Java / Maven dependencies + - package-ecosystem: "maven" + directory: "/" + target-branch: "develop" + schedule: + interval: "weekly" + day: "sunday" + open-pull-requests-limit: 15 + ignore: + - dependency-name: "*" + update-types: ["version-update:semver-major"] + groups: + spring-framework: + patterns: + - "org.springframework*" + jetty: + patterns: + - "org.eclipse.jetty*" + jersey: + patterns: + - "org.glassfish.jersey*" + jackson: + patterns: + - "com.fasterxml.jackson*" + tyrus: + patterns: + - "org.glassfish.tyrus*" + operaton: + patterns: + - "org.operaton*" + slf4j: + patterns: + - "org.slf4j*" + bouncycastle: + patterns: + - "org.bouncycastle*" + fhir: + patterns: + - "hapi-fhir*" + - "org.hl7.fhir*" + testing-tools: + patterns: + - "org.junit*" + - "org.mockito*" + safe-patch-updates: + update-types: + - "patch" + remaining-minor-updates: + update-types: + - "minor" + + # GitHub Actions + - package-ecosystem: "github-actions" + directory: "/" + target-branch: "develop" + schedule: + interval: "weekly" + day: "sunday" + open-pull-requests-limit: 10 + + # Dockerfile base image updates + - package-ecosystem: "docker" + directories: + - "/dsf-bpe/dsf-bpe-server-jetty/docker" + - "/dsf-docker/bpe_proxy" + - "/dsf-docker/fhir_proxy" + - "/dsf-fhir/dsf-fhir-server-jetty/docker" + target-branch: "develop" + schedule: + interval: "weekly" + day: "sunday" + groups: + dockerfiles: + patterns: + - "*" + + # docker-compose image updates + - package-ecosystem: "docker-compose" + directories: + - "/dsf-docker-dev-setup/bpe" + - "/dsf-docker-dev-setup/fhir" + - "/dsf-docker-dev-setup-3dic-ttp" + target-branch: "develop" + schedule: + interval: "weekly" + day: "sunday" + groups: + docker-compose: + patterns: + - "*" \ No newline at end of file diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 000000000..80e21b04e --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,288 @@ +name: DSF 2.x Full Build + +on: + push: + branches: [ "release/*", "hotfix/*" ] + tags: + - v[0-9]+.[0-9]+.[0-9]+ + - v[0-9]+.[0-9]+.[0-9]+-M[0-9]+ + - v[0-9]+.[0-9]+.[0-9]+-RC[0-9]+ + pull_request: + branches: [ "main", "develop" ] + types: [opened, synchronize, reopened, closed] + schedule: + - cron: '11 15 * * 0' # Sundays, 15:11 + +permissions: read-all + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} + cancel-in-progress: true + +jobs: + codeql: + runs-on: ubuntu-latest + permissions: + security-events: write + strategy: + fail-fast: false + matrix: + language: [ 'java-kotlin', 'javascript-typescript' ] + name: ${{ matrix.language }} + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Set up JDK 25 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 + with: + distribution: 'zulu' + java-version: 25 + cache: 'maven' + - name: Initialize CodeQL + uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + with: + languages: ${{ matrix.language }} + queries: security-extended, security-and-quality + - name: Minimal Maven Build + run: mvn package --batch-mode --fail-at-end -P!generate-source-and-javadoc-jars -Dimpsort.skip=true -Dformatter.skip=true -Dlicense.skip=true -Denforcer.skip -DskipTests -Dmaven.buildNumber.skip=true -DskipShadePlugin=true + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + with: + category: "/language:${{matrix.language}}" + + maven-quick: + runs-on: ubuntu-latest + outputs: + version: ${{ steps.version.outputs.version }} + main: ${{ steps.main.outputs.main }} + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Set up JDK 25 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 + with: + distribution: 'zulu' + java-version: 25 + cache: 'maven' + - name: Minimal Maven Build + run: mvn install --batch-mode --fail-at-end -P!generate-source-and-javadoc-jars -Dimpsort.skip=true -Dformatter.skip=true -Dlicense.skip=true -Denforcer.skip -DskipTests -Dmaven.buildNumber.skip=true -DskipShadePlugin=true -DbuildNumber=${GITHUB_SHA} -DscmBranch=${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} + - name: Upload quick-build results + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + name: quick_build + path: | + ./**/target + dsf-docker/bpe_proxy/ca/client_ca_chains/*.crt + dsf-docker/bpe_proxy/ca/client_issuing_cas/*.crt + dsf-docker/fhir_proxy/ca/client_ca_chains/*.crt + dsf-docker/fhir_proxy/ca/client_issuing_cas/*.crt + dsf-bpe/dsf-bpe-server-jetty/docker/api/v1/*.jar + dsf-bpe/dsf-bpe-server-jetty/docker/api/v2/*.jar + dsf-bpe/dsf-bpe-server-jetty/docker/ca/client_ca_chains/*.crt + dsf-bpe/dsf-bpe-server-jetty/docker/ca/server_root_cas/*.crt + dsf-bpe/dsf-bpe-server-jetty/docker/lib/*.jar + dsf-bpe/dsf-bpe-server-jetty/docker/dsf_bpe.jar + dsf-fhir/dsf-fhir-server-jetty/docker/ca/client_ca_chains/*.crt + dsf-fhir/dsf-fhir-server-jetty/docker/ca/server_root_cas/*.crt + dsf-fhir/dsf-fhir-server-jetty/docker/lib/*.jar + dsf-fhir/dsf-fhir-server-jetty/docker/dsf_fhir.jar + - name: Get Maven project version + id: version + run: echo "version=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive org.codehaus.mojo:exec-maven-plugin:3.6.3:exec)" >> $GITHUB_OUTPUT + - name: Checkout main branch + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: main + - name: Check if ref is main HEAD + id: main + run: echo "main=$( [ "$GITHUB_SHA" = "$(git rev-parse HEAD)" ] && echo true || echo false )" >> $GITHUB_OUTPUT + + maven-full: + runs-on: ubuntu-latest + needs: maven-quick + strategy: + fail-fast: false + matrix: + mvn: + - name: JavaDoc + cmd: mvn javadoc:javadoc -Dformatter.skip=true -Denforcer.skip -Dmaven.buildNumber.skip=true -DskipShadePlugin=true + - name: Formatter, Impsort, Enforcer, License Check + cmd: mvn compile test-compile license:check -Dmaven.buildNumber.skip=true + - name: DAO Tests (not Binary) + cmd: mvn failsafe:integration-test --fail-at-end -P!generate-source-and-javadoc-jars -Dimpsort.skip=true -Dformatter.skip=true -Dlicense.skip=true -Denforcer.skip -Dmaven.buildNumber.skip=true -DskipShadePlugin=true -Dfailsafe.includes=**/*DaoTest -Dfailsafe.excludes=**/BinaryDaoTest -DforkCount=2 + - name: DAO Tests (Binary only) + cmd: mvn failsafe:integration-test --fail-at-end -P!generate-source-and-javadoc-jars -Dimpsort.skip=true -Dformatter.skip=true -Dlicense.skip=true -Denforcer.skip -Dmaven.buildNumber.skip=true -DskipShadePlugin=true -Dfailsafe.includes=**/BinaryDaoTest + - name: Integration Tests (FHIR, not Binary) + cmd: mvn failsafe:integration-test --fail-at-end -P!generate-source-and-javadoc-jars -Dimpsort.skip=true -Dformatter.skip=true -Dlicense.skip=true -Denforcer.skip -Dmaven.buildNumber.skip=true -DskipShadePlugin=true -Dfailsafe.includes=dev/dsf/fhir/**/*IntegrationTest -Dfailsafe.excludes=**/BinaryIntegrationTest -DforkCount=2 + - name: Integration Tests (FHIR, Binary only) + cmd: mvn failsafe:integration-test --fail-at-end -P!generate-source-and-javadoc-jars -Dimpsort.skip=true -Dformatter.skip=true -Dlicense.skip=true -Denforcer.skip -Dmaven.buildNumber.skip=true -DskipShadePlugin=true -Dfailsafe.includes=dev/dsf/fhir/**/BinaryIntegrationTest -DforkCount=2 + - name: Integration Tests (BPE) + cmd: mvn failsafe:integration-test --fail-at-end -P!generate-source-and-javadoc-jars -Dimpsort.skip=true -Dformatter.skip=true -Dlicense.skip=true -Denforcer.skip -Dmaven.buildNumber.skip=true -DskipShadePlugin=true -Dfailsafe.includes=dev/dsf/bpe/**/*IntegrationTest -DforkCount=2 + - name: Unit Tests + cmd: mvn dependency:properties surefire:test --fail-at-end -P!generate-source-and-javadoc-jars -Dimpsort.skip=true -Dformatter.skip=true -Dlicense.skip=true -Denforcer.skip -Dmaven.buildNumber.skip=true -DskipShadePlugin=true + name: ${{ matrix.mvn.name }} + timeout-minutes: 8 + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Download quick-build results + uses: actions/download-artifact/@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 + with: + name: quick_build + path: ./ + - name: Set up JDK 25 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 + with: + distribution: 'zulu' + java-version: 25 + cache: 'maven' + - name: ${{ matrix.mvn.name }} + run: ${{ matrix.mvn.cmd }} + + trivy: + runs-on: ubuntu-latest + needs: maven-quick + permissions: + security-events: write + strategy: + fail-fast: false + matrix: + image: + - name: bpe_proxy + context: dsf-docker/bpe_proxy + - name: fhir_proxy + context: dsf-docker/fhir_proxy + - name: bpe + context: dsf-bpe/dsf-bpe-server-jetty/docker + - name: fhir + context: dsf-fhir/dsf-fhir-server-jetty/docker + name: ${{ matrix.image.name }} + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Download quick-build results + uses: actions/download-artifact/@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 + with: + name: quick_build + path: ./ + - name: Set up Buildx + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + - name: Build Docker image + run: docker build -t ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}:${{ github.sha }} ${{ matrix.image.context }} + - name: Scan Docker image with Trivy + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + with: + image-ref: ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}:${{ github.sha }} + format: 'sarif' + output: 'trivy-results.sarif' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + if: always() + with: + sarif_file: 'trivy-results.sarif' + + docker-deploy: + if: ${{ (!endsWith(needs.maven-quick.outputs.version, '-SNAPSHOT') && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')) || (github.event_name == 'pull_request' && github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'develop') }} + runs-on: ubuntu-latest + needs: [codeql, maven-quick, maven-full, trivy] + permissions: + packages: write + id-token: write + strategy: + fail-fast: false + matrix: + image: + - name: bpe + context: dsf-bpe/dsf-bpe-server-jetty/docker + - name: fhir + context: dsf-fhir/dsf-fhir-server-jetty/docker + - name: bpe_proxy + context: dsf-docker/bpe_proxy + - name: fhir_proxy + context: dsf-docker/fhir_proxy + name: ${{ matrix.image.name }} + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Download quick-build results + uses: actions/download-artifact/@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 + with: + name: quick_build + path: ./ + - name: Set up QEMU + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 + - name: Set up Buildx + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + - name: Login to GitHub Container Registry + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Docker metadata + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 + id: meta + with: + images: ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }} + flavor: latest=false + tags: | + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=raw,value=latest,enable=${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-') && needs.maven-quick.outputs.main == 'true' }} + type=raw,value=develop,enable=${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'develop' }} + # full version (1.2.3, 1.2.3-RC1, etc) + # minor version (1.2) + # latest only for stable releases + # develop builds + - name: Build and Push + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 + id: push + with: + push: true + tags: ${{ steps.meta.outputs.tags }} + context: ${{ matrix.image.context }} + platforms: linux/amd64,linux/arm64 + cache-from: type=gha,scope=${{ matrix.image.name }} + cache-to: type=gha,mode=max,scope=${{ matrix.image.name }} + - name: Export digest + run: echo "DIGEST=${{ steps.push.outputs.digest }}" >> $GITHUB_ENV + - name: Set up syft + uses: anchore/sbom-action/download-syft@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1 + - name: Generate SBOM + run: syft ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}@${DIGEST} -o cyclonedx-json > sbom.json + - name: Set up cosign + uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 + - name: Attach SBOM + run: cosign attest --yes --predicate sbom.json --type cyclonedx ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}@${DIGEST} + - name: Sign image + run: cosign sign --yes ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}@${DIGEST} + + maven-deploy: + if: ${{ !endsWith(needs.maven-quick.outputs.version, '-SNAPSHOT') && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }} + runs-on: ubuntu-latest + needs: [codeql, maven-quick, maven-full, trivy] + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Download quick-build results + uses: actions/download-artifact/@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 + with: + name: quick_build + path: ./ + - name: Set up JDK 25 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 + with: + distribution: 'zulu' + java-version: 25 + cache: 'maven' + server-id: central + server-username: MAVEN_CENTRAL_USERNAME + server-password: MAVEN_CENTRAL_TOKEN + gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} + gpg-passphrase: MAVEN_GPG_PASSPHRASE + - name: Deploy to Maven Central + run: mvn deploy -Dimpsort.skip=true -Dformatter.skip=true -Dlicense.skip=true -DskipTests -Ppublish-to-maven-central -Dmaven.buildNumber.skip=true -DbuildNumber=${GITHUB_SHA} -DscmBranch=${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} + env: + MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }} + MAVEN_CENTRAL_TOKEN: ${{ secrets.MAVEN_CENTRAL_TOKEN }} + MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 7519dbb95..000000000 --- a/.github/workflows/codeql.yml +++ /dev/null @@ -1,53 +0,0 @@ -name: DSF 2.x CodeQL - -on: - push: - branches: [ "main", "develop", "hotfix/2*", "release/2*" ] - pull_request: - branches: [ "main", "develop", "hotfix/2*", "release/2*" ] - schedule: - - cron: '11 15 * * 0' # Sundays, 15:11 - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - timeout-minutes: 360 - permissions: - security-events: write - - strategy: - fail-fast: false - matrix: - language: [ 'java-kotlin', 'javascript-typescript' ] - - steps: - - name: Checkout repository - uses: actions/checkout@v5 - - - name: Set up JDK 25 - if: ${{ matrix.language == 'java-kotlin' }} - uses: actions/setup-java@v5 - with: - distribution: 'zulu' - java-version: 25 - cache: 'maven' - check-latest: true - - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - queries: security-extended, security-and-quality - - - name: Display Maven Version - run: mvn --version - - - name: Compile with Maven - if: ${{ matrix.language == 'java-kotlin' }} - run: mvn --batch-mode --fail-at-end --threads 1C -Dimpsort.skip=true -Dformatter.skip=true -Denforcer.skip -Dmaven.buildNumber.skip=true -Dexec.skip=true -DskipTests -DskipShadePlugin=true -P!generate-source-and-javadoc-jars clean package - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - with: - category: "/language:${{matrix.language}}" diff --git a/.github/workflows/maven-build.yml b/.github/workflows/maven-build.yml deleted file mode 100644 index cfaa79d0b..000000000 --- a/.github/workflows/maven-build.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: DSF 2.x Java CI Build with Maven - -on: - pull_request: - branches: develop_2 - -jobs: - build: - - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: actions/checkout@v5 - - name: Set up JDK 25 - uses: actions/setup-java@v5 - with: - distribution: 'zulu' - java-version: 25 - cache: 'maven' - - name: Build with Maven - run: mvn --batch-mode --fail-at-end -DforkCount=2 clean verify diff --git a/.github/workflows/maven-publish.yml b/.github/workflows/maven-publish.yml deleted file mode 100644 index fe9d968c7..000000000 --- a/.github/workflows/maven-publish.yml +++ /dev/null @@ -1,29 +0,0 @@ -name: DSF 2.x Java CI Publish with Maven - -on: - pull_request: - types: closed - branches: develop_2 - -jobs: - publish: - - # Only run if pull requests are merged, omit running if pull requests are closed without merging - if: github.event.pull_request.merged - - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: actions/checkout@v5 - - name: Set up JDK 25 - uses: actions/setup-java@v5 - with: - distribution: 'zulu' - java-version: 25 - cache: 'maven' - check-latest: true - - name: Publish with Maven - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: mvn --batch-mode --fail-at-end -DforkCount=2 clean deploy diff --git a/dsf-bpe/dsf-bpe-process-api-v2-impl/pom.xml b/dsf-bpe/dsf-bpe-process-api-v2-impl/pom.xml index bd1c39cf5..aa7bf84c5 100644 --- a/dsf-bpe/dsf-bpe-process-api-v2-impl/pom.xml +++ b/dsf-bpe/dsf-bpe-process-api-v2-impl/pom.xml @@ -303,7 +303,6 @@ org.apache.tika tika-core - ${apache.tika.version} diff --git a/dsf-bpe/dsf-bpe-server-jetty/docker/Dockerfile b/dsf-bpe/dsf-bpe-server-jetty/docker/Dockerfile index 390e1d19c..82b2b9f33 100755 --- a/dsf-bpe/dsf-bpe-server-jetty/docker/Dockerfile +++ b/dsf-bpe/dsf-bpe-server-jetty/docker/Dockerfile @@ -14,7 +14,7 @@ # limitations under the License. # -FROM debian:trixie-slim AS builder +FROM debian:trixie-slim@sha256:1d3c811171a08a5adaa4a163fbafd96b61b87aa871bbc7aa15431ac275d3d430 AS builder WORKDIR /opt/bpe COPY --chown=root:2202 ./ ./ RUN chown root:2202 ./ && \ @@ -23,7 +23,7 @@ RUN chown root:2202 ./ && \ chmod 1775 ./log -FROM azul/zulu-openjdk:25-jre-headless +FROM azul/zulu-openjdk:25-jre-headless@sha256:c8e35e74e2cfbdeffb4e4850123c41378d3ec0a6d80f17d2f9f3a9293f9236e6 LABEL org.opencontainers.image.source=https://github.com/datasharingframework/dsf LABEL org.opencontainers.image.description="DSF BPE Server" LABEL org.opencontainers.image.licenses="Apache License, Version 2.0" diff --git a/dsf-docker/bpe_proxy/Dockerfile b/dsf-docker/bpe_proxy/Dockerfile index b6c878c49..3a2c06070 100644 --- a/dsf-docker/bpe_proxy/Dockerfile +++ b/dsf-docker/bpe_proxy/Dockerfile @@ -14,7 +14,7 @@ # limitations under the License. # -FROM httpd:2.4-alpine +FROM httpd:2.4-alpine@sha256:8f26f33a7002658050e9ab2cd6b77502619dfc89d0a6ba2e9e4a202e0ef04596 LABEL org.opencontainers.image.source=https://github.com/datasharingframework/dsf LABEL org.opencontainers.image.description="DSF BPE Reverse Proxy" LABEL org.opencontainers.image.licenses="Apache License, Version 2.0" diff --git a/dsf-docker/fhir_proxy/Dockerfile b/dsf-docker/fhir_proxy/Dockerfile index 0cf56480d..168144f25 100755 --- a/dsf-docker/fhir_proxy/Dockerfile +++ b/dsf-docker/fhir_proxy/Dockerfile @@ -14,7 +14,7 @@ # limitations under the License. # -FROM httpd:2.4-alpine +FROM httpd:2.4-alpine@sha256:8f26f33a7002658050e9ab2cd6b77502619dfc89d0a6ba2e9e4a202e0ef04596 LABEL org.opencontainers.image.source=https://github.com/datasharingframework/dsf LABEL org.opencontainers.image.description="DSF FHIR Reverse Proxy" LABEL org.opencontainers.image.licenses="Apache License, Version 2.0" diff --git a/dsf-fhir/dsf-fhir-server-jetty/docker/Dockerfile b/dsf-fhir/dsf-fhir-server-jetty/docker/Dockerfile index 8aacea261..2219f8a69 100755 --- a/dsf-fhir/dsf-fhir-server-jetty/docker/Dockerfile +++ b/dsf-fhir/dsf-fhir-server-jetty/docker/Dockerfile @@ -14,7 +14,7 @@ # limitations under the License. # -FROM debian:trixie-slim AS builder +FROM debian:trixie-slim@sha256:1d3c811171a08a5adaa4a163fbafd96b61b87aa871bbc7aa15431ac275d3d430 AS builder WORKDIR /opt/fhir COPY --chown=root:2101 ./ ./ RUN chown root:2101 ./ && \ @@ -23,7 +23,7 @@ RUN chown root:2101 ./ && \ chmod 1775 ./log -FROM azul/zulu-openjdk:25-jre-headless +FROM azul/zulu-openjdk:25-jre-headless@sha256:c8e35e74e2cfbdeffb4e4850123c41378d3ec0a6d80f17d2f9f3a9293f9236e6 LABEL org.opencontainers.image.source=https://github.com/datasharingframework/dsf LABEL org.opencontainers.image.description="DSF FHIR Server" LABEL org.opencontainers.image.licenses="Apache License, Version 2.0"