Merge pull request #400 from xdev-software/develop

Release

Author: AB-xdev

.github/workflows/check-build.yml

@@ -73,11 +73,11 @@ jobs:
         if-no-files-found: error
 
     # Build docker
-    - uses: docker/setup-qemu-action@v3
+    - uses: docker/setup-qemu-action@v4
 
-    - uses: docker/setup-buildx-action@v3
+    - uses: docker/setup-buildx-action@v4
 
-    - uses: docker/build-push-action@v6
+    - uses: docker/build-push-action@v7
       with:
         context: ./server
         push: false
@@ -87,7 +87,7 @@ jobs:
         cache-to: type=gha,mode=max,scope=build
 
     # 2 steps required because "failed to build: docker exporter does not currently support exporting manifest lists"
-    - uses: docker/build-push-action@v6
+    - uses: docker/build-push-action@v7
       with:
         context: ./server
         push: false
@@ -180,7 +180,7 @@ jobs:
       run: ./mvnw -B pmd:aggregate-cpd -P pmd -DskipTests -T2C
 
     - name: Upload report
-      if: always()
+      if: ${{ !cancelled() }}
       uses: actions/upload-artifact@v7
       with:
         name: pmd-report

.github/workflows/image-vuln-scan.yml

@@ -20,7 +20,7 @@ jobs:
       - uses: actions/checkout@v6
 
       - name: Scan - Full
-        uses: aquasecurity/trivy-action@0.34.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           image-ref: ${{ env.TRIVYY_IMAGE_REF }}
 
@@ -34,7 +34,7 @@ jobs:
 
       - name: Scan - Relevant
         id: scan_relevant
-        uses: aquasecurity/trivy-action@0.34.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           trivy-config: trivy.yml
           image-ref: ${{ env.TRIVYY_IMAGE_REF }}
@@ -46,7 +46,7 @@ jobs:
 
       - name: Find already existing issue
         id: find-issue
-        if: ${{ always() }}
+        if: ${{ !cancelled() }}
         run: |
           echo "number=$(gh issue list -l 'bug' -l 'automated' -L 1 -S 'in:title "Trivy Vulnerability Report"' -s 'open' --json 'number' --jq '.[].number')" >> $GITHUB_OUTPUT
         env:

.github/workflows/release.yml

@@ -88,7 +88,7 @@ jobs:
 
     - name: Create Release
       id: create-release
-      uses: shogo82148/actions-create-release@559c27ce7eb834825e2b55927c64f6d1bd1db716 # v1
+      uses: shogo82148/actions-create-release@6a396031bc74c57403da1018fec74d24c6aa03cd # v1
       with:
         tag_name: v${{ steps.version.outputs.release }}
         release_name: v${{ steps.version.outputs.release }}
@@ -213,6 +213,7 @@ jobs:
       packages: write
       contents: read
       attestations: write
+      artifact-metadata: write
       id-token: write
     steps:
     - uses: actions/checkout@v6
@@ -229,26 +230,26 @@ jobs:
         name: server-standalone
         path: server/target
 
-    - uses: docker/setup-qemu-action@v3
+    - uses: docker/setup-qemu-action@v4
 
-    - uses: docker/setup-buildx-action@v3
+    - uses: docker/setup-buildx-action@v4
 
     - name: Login to DockerHub
-      uses: docker/login-action@v3
+      uses: docker/login-action@v4
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}
 
     - name: Login to ghcr.io
-      uses: docker/login-action@v3
+      uses: docker/login-action@v4
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Extract metadata (tags, labels) for Docker
       id: meta
-      uses: docker/metadata-action@v5
+      uses: docker/metadata-action@v6
       with:
         images: |
           ${{ secrets.DOCKERHUB_USERNAME }}/mockserver
@@ -259,7 +260,7 @@ jobs:
           type=semver,pattern={{major}},value=${{ needs.prepare-release.outputs.version }}
           latest
 
-    - uses: docker/build-push-action@v6
+    - uses: docker/build-push-action@v7
       id: push
       with:
         context: ./server

.github/workflows/report-gha-workflow-security-problems.yml

@@ -0,0 +1,61 @@
+name: Report workflow security problems
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ develop ]
+    paths:
+      - '.github/workflows/**'
+
+permissions:
+  issues: write
+
+jobs:
+  prt:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    # Only run this in our repos (Prevent notification spam by forks)
+    if: ${{ github.repository_owner == 'xdev-software' }}
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Check
+        id: check
+        run: |
+          grep -l 'pull_request_target:' --exclude report-gha-workflow-security-problems.yml *.yml > reported.txt && exit 1 || exit 0
+        working-directory: .github/workflows
+
+      - name: Find already existing issue
+        id: find-issue
+        if: ${{ !cancelled() }}
+        run: |
+          echo "number=$(gh issue list -l 'bug' -l 'automated' -L 1 -S 'in:title "Incorrectly configure GHA workflow (prt)"' -s 'open' --json 'number' --jq '.[].number')" >> $GITHUB_OUTPUT
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+      - name: Close issue if everything is fine
+        if: ${{ success() && steps.find-issue.outputs.number != '' }}
+        run: gh issue close -r 'not planned' ${{ steps.find-issue.outputs.number }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+      - name: Create report
+        if: ${{ failure() && steps.check.conclusion == 'failure' }}
+        run: |
+          echo 'Detected usage of `pull_request_target`. This event is dangerous and MUST NOT BE USED AT ALL COST!' > reported.md
+          echo '' >> reported.md
+          echo '/cc @xdev-software/gha-workflow-security' >> reported.md
+          echo '' >> reported.md
+          echo '```' >> reported.md
+          cat .github/workflows/reported.txt >> reported.md
+          echo '```' >> reported.md
+          cat reported.md
+
+      - name: Create Issue From File
+        if: ${{ failure() && steps.check.conclusion == 'failure' }}
+        uses: peter-evans/create-issue-from-file@fca9117c27cdc29c6c4db3b86c48e4115a786710 # v6
+        with:
+          issue-number: ${{ steps.find-issue.outputs.number }}
+          title: 'Incorrectly configure GHA workflow (prt)'
+          content-filepath: ./reported.md
+          labels: bug, automated

.github/workflows/test-deploy.yml

@@ -69,6 +69,7 @@ jobs:
       packages: write
       contents: read
       attestations: write
+      artifact-metadata: write
       id-token: write
     steps:
     - uses: actions/checkout@v6
@@ -79,34 +80,34 @@ jobs:
         name: server-standalone
         path: server/target
 
-    - uses: docker/setup-qemu-action@v3
+    - uses: docker/setup-qemu-action@v4
 
-    - uses: docker/setup-buildx-action@v3
+    - uses: docker/setup-buildx-action@v4
 
     - name: Login to DockerHub
-      uses: docker/login-action@v3
+      uses: docker/login-action@v4
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}
 
     - name: Login to ghcr.io
-      uses: docker/login-action@v3
+      uses: docker/login-action@v4
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Extract metadata (tags, labels) for Docker
       id: meta
-      uses: docker/metadata-action@v5
+      uses: docker/metadata-action@v6
       with:
         images: |
           ${{ secrets.DOCKERHUB_USERNAME }}/mockserver
           ghcr.io/${{ github.repository }}
         tags: |
           experimental
 
-    - uses: docker/build-push-action@v6
+    - uses: docker/build-push-action@v7
       id: push
       with:
         context: ./server

.idea/externalDependencies.xml

@@ -1,3 +1,3 @@
 wrapperVersion=3.3.4
 distributionType=only-script
-distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.12/apache-maven-3.9.12-bin.zip
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.14/apache-maven-3.9.14-bin.zip

.mvn/wrapper/maven-wrapper.properties

@@ -1,3 +1,6 @@
+# 2.0.4
+* Updated dependencies
+
 # 2.0.3
 * Updated dependencies
   * `testcontainers` is currently using an outdated versions of `jackson-annotations` which may override the version required by `jackson-databind`, you may be required to manually update this in your project.