diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
index 4989aba..8cea999 100644
--- a/.github/workflows/ci-build.yml
+++ b/.github/workflows/ci-build.yml
@@ -1,117 +1,128 @@ -# Generated by Project Keeper -# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/ci-build.yml +# This file was generated by Project Keeper. name: CI Build on: push: - branches: ["main"] - pull_request: - + branches: [ + main + ] + + pull_request: null + workflow_dispatch: null jobs: build: runs-on: ubuntu-latest defaults: - run: - shell: "bash" - permissions: - contents: read - checks: write # Allow scacap/action-surefire-report - concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + run: { + shell: bash + } + permissions: { + contents: read, + checks: write, + issues: read + } + concurrency: { + group: '${{ github.workflow }}-${{ github.ref }}', cancel-in-progress: true + } + outputs: { + release-required: '${{ steps.check-release.outputs.release-required }}' + } steps: - name: Free Disk Space + id: free-disk-space if: ${{ false }} run: | sudo rm -rf /usr/local/lib/android sudo rm -rf /usr/share/dotnet - name: Checkout the repository + id: checkout uses: actions/checkout@v4 - with: + with: { fetch-depth: 0 + } - name: Set up JDKs + id: setup-java uses: actions/setup-java@v4 with: - distribution: "temurin" + distribution: temurin java-version: | 11 17 - cache: "maven" + cache: maven - name: Cache SonarCloud packages + id: cache-sonar uses: actions/cache@v4 - with: - path: ~/.sonar/cache - key: ${{ runner.os }}-sonar - restore-keys: ${{ runner.os }}-sonar - - name: Enable testcontainer reuse + with: { + path: ~/.sonar/cache, + key: '${{ runner.os }}-sonar', + restore-keys: '${{ runner.os }}-sonar' + } + - { + name: Enable testcontainer reuse, + id: enable-testcontainer-reuse, run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties" + } - name: Run tests and build with Maven - id: pk-verify + id: build-pk-verify run: | mvn --batch-mode clean verify \ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ 
-DtrimStackTrace=false - - name: Publish Test Report - uses: scacap/action-surefire-report@v1 - if: ${{ always() && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' }} - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - name: Sonar analysis + id: sonar-analysis if: ${{ env.SONAR_TOKEN != null }} run: | mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ -DtrimStackTrace=false \ -Dsonar.token=$SONAR_TOKEN - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - + env: { + GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}', + SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}' + } - name: Verify Release Artifacts + id: verify-release-artifacts + run: "print_message() {\n local -r message=$1\n echo \"$message\"\n echo \"$message\" >> \"$GITHUB_STEP_SUMMARY\"\n}\n\nprint_message \"### Release Artifacts\"\n\nIFS=$'\\n' artifacts_array=($ARTIFACTS)\nmissing_files=()\nfor file in \"${artifacts_array[@]}\";\ndo \n echo \"Checking if file $file exists...\"\n if ! 
[[ -f \"$file\" ]]; then\n print_message \"* ⚠️ \\`$file\\` does not exist ⚠️\"\n echo \"Content of directory $(dirname \"$file\"):\"\n ls \"$(dirname \"$file\")\"\n missing_files+=(\"$file\")\n else\n print_message \"* \\`$file\\` ✅\" \n fi\ndone\nprint_message \"\"\nnumber_of_missing_files=${#missing_files[@]}\nif [[ $number_of_missing_files -gt 0 ]]; then\n print_message \"⚠️ $number_of_missing_files release artifact(s) missing ⚠️\"\n exit 1\nfi\n" + env: { + ARTIFACTS: '${{ steps.build-pk-verify.outputs.release-artifacts }}' + } + - name: Upload artifacts + id: upload-artifacts + uses: actions/upload-artifact@v4 + with: { + name: artifacts, + path: '${{ steps.build-pk-verify.outputs.release-artifacts }}', + retention-days: 5 + } + - name: Check if release is needed + id: check-release + if: ${{ github.ref == 'refs/heads/main' }} run: | - print_message() { - local -r message=$1 - echo "$message" - echo "$message" >> "$GITHUB_STEP_SUMMARY" - } - - print_message "# Release Artifacts" - - IFS=$'\n' artifacts_array=($ARTIFACTS) - missing_files=() - for file in "${artifacts_array[@]}"; - do - echo "Checking if file $file exists..." - if ! 
[[ -f "$file" ]]; then - print_message "* ⚠️ \`$file\` does not exist ⚠️" - echo "Content of directory $(dirname "$file"):" - ls "$(dirname "$file")" - missing_files+=("$file") - else - print_message "* \`$file\` ✅" - fi - done - print_message "" - number_of_missing_files=${#missing_files[@]} - if [[ $number_of_missing_files -gt 0 ]]; then - print_message "⚠️ $number_of_missing_files release artifact(s) missing ⚠️" - exit 1 + if mvn --batch-mode com.exasol:project-keeper-maven-plugin:verify-release --projects .; then + echo "### ✅ Release preconditions met, start release" >> "$GITHUB_STEP_SUMMARY" + echo "release-required=true" >> "$GITHUB_OUTPUT" else - print_message "All ${#artifacts_array[@]} artifact(s) present ✅" + echo "### 🛑 Release precondition not met, skipping release" >> "$GITHUB_STEP_SUMMARY" + echo "See log output for details." >> "$GITHUB_STEP_SUMMARY" + echo "release-required=false" >> "$GITHUB_OUTPUT" fi - env: - ARTIFACTS: ${{ steps.pk-verify.outputs.release-artifacts }} - - # [impl->dsn~release-workflow.ci-build-starts-release~1] + env: { + GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}' + } start_release: needs: build - if: ${{ github.ref == 'refs/heads/main' }} - concurrency: - cancel-in-progress: false - group: "release" + if: ${{ github.ref == 'refs/heads/main' && needs.build.outputs.release-required == 'true' }} + concurrency: { + cancel-in-progress: false, + group: release + } secrets: inherit - permissions: - contents: write - actions: read + permissions: { + contents: write, + actions: read, + issues: read + } uses: ./.github/workflows/release.yml - with: + with: { started-from-ci: true + } diff --git a/.github/workflows/dependencies_check.yml b/.github/workflows/dependencies_check.yml index bd26ab6..9c2365c 100644 --- a/.github/workflows/dependencies_check.yml +++ b/.github/workflows/dependencies_check.yml 
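Review bot: `checks: write` stays in the `build` job's `permissions` even though this change removes the `Publish Test Report` step (`scacap/action-surefire-report`), which the deleted comment named as the reason for that scope. No remaining step visible in the job creates check runs, so the token available to the Maven build and the tests is wider than it needs to be; unless something outside this file depends on it, the block should read `contents: read, issues: read`. The header says the file is generated by Project Keeper, so the change probably has to be made in the generator's template or configuration rather than in this copy.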
@@ -1,68 +1,80 @@ -# Generated by Project Keeper -# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/dependencies_check.yml +# This file was generated by Project Keeper. name: Report Security Issues on: - workflow_dispatch: + workflow_dispatch: null schedule: - - cron: "0 2 * * *" - + - { + cron: 0 2 * * * + } jobs: report_security_issues: runs-on: ubuntu-latest defaults: - run: - shell: "bash" - permissions: - contents: read + run: { + shell: bash + } + permissions: { + contents: read, issues: write - outputs: - created-issues: ${{ steps.security-issues.outputs.created-issues }} + } + outputs: { + created-issues: '${{ steps.security-issues.outputs.created-issues }}' + } + concurrency: { + group: '${{ github.workflow }}-report_security_issues', + cancel-in-progress: true + } steps: - - uses: actions/checkout@v4 - + - { + name: Checkout, + id: checkout, + uses: actions/checkout@v4 + } - name: Set up JDKs + id: setup-jdks uses: actions/setup-java@v4 with: - distribution: "temurin" + distribution: temurin java-version: | 11 17 - cache: "maven" - + cache: maven - name: Generate ossindex report + id: ossindex-report run: | mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit \ org.sonatype.ossindex.maven:ossindex-maven-plugin:audit-aggregate \ -Dossindex.reportFile=$(pwd)/ossindex-report.json \ -Dossindex.fail=false - - name: Report Security Issues id: security-issues uses: exasol/python-toolbox/.github/actions/security-issues@main - with: - format: "maven" - command: "cat ossindex-report.json" - github-token: ${{ secrets.GITHUB_TOKEN }} - + with: { + format: maven, + command: cat ossindex-report.json, + github-token: '${{ secrets.GITHUB_TOKEN }}' + } - name: Output security issues (Debugging) + id: debug-print-security-issues run: | echo "$CREATED_ISSUES" > test.jsonl cat test.jsonl - env: - CREATED_ISSUES: ${{ steps.security-issues.outputs.created-issues }} - + env: { + CREATED_ISSUES: 
'${{ steps.security-issues.outputs.created-issues }}' + } start_dependency_udpate: needs: report_security_issues - # [impl->dsn~trigger-dependency-updates~1] if: ${{ needs.report_security_issues.outputs.created-issues }} - concurrency: - cancel-in-progress: true - group: "dependencies_update" - # Workflow needs secret INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK + concurrency: { + group: '${{ github.workflow }}-start_dependency_update', + cancel-in-progress: false + } secrets: inherit - permissions: - contents: write + permissions: { + contents: write, pull-requests: write + } uses: ./.github/workflows/dependencies_update.yml - with: - vulnerability_issues: ${{ needs.report_security_issues.outputs.created-issues }} + with: { + vulnerability_issues: '${{ needs.report_security_issues.outputs.created-issues }}' + } diff --git a/.github/workflows/dependencies_update.yml b/.github/workflows/dependencies_update.yml index 0f6b816..9f536ee 100644 --- a/.github/workflows/dependencies_update.yml +++ b/.github/workflows/dependencies_update.yml 
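Review bot: The `Report Security Issues` step runs `exasol/python-toolbox/.github/actions/security-issues@main`, a branch ref, and hands it `github-token` in a job that holds `issues: write`, so whatever is on that branch at run time executes with that token. Pinning the action to a full commit SHA, as in `uses: exasol/python-toolbox/.github/actions/security-issues@FULL_COMMIT_SHA` (placeholder), makes the executed code reviewable and lets the dependency updater move the pin deliberately. The same applies to `ravsamhq/notify-slack-action@v2` in dependencies_update.yml and release.yml: the tag is mutable, the action receives a token and the Slack webhook, and in release.yml it runs in the job into which the GPG signing key was imported.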
@@ -1,76 +1,76 @@ -# Generated by Project Keeper -# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/dependencies_update.yml +# This file was generated by Project Keeper. name: Update dependencies on: workflow_call: inputs: - # [impl->dsn~dependency-updater.workflow.vulnerability-info~1] - vulnerability_issues: - description: "GitHub issues for vulnerable dependencies as JSONL" - required: true + vulnerability_issues: { + description: GitHub issues for vulnerable dependencies as JSONL, + required: true, type: string - workflow_dispatch: - + } + workflow_dispatch: null jobs: update_dependencies: runs-on: ubuntu-latest defaults: - run: - shell: "bash" - permissions: - contents: write + run: { + shell: bash + } + permissions: { + contents: write, pull-requests: write - + } + concurrency: { + group: '${{ github.workflow }}', + cancel-in-progress: false + } steps: - uses: actions/checkout@v4 - with: + id: checkout + with: { fetch-depth: 0 - + } - name: Set up JDKs + id: setup-jdks uses: actions/setup-java@v4 with: - distribution: "temurin" + distribution: temurin java-version: | 11 17 - cache: "maven" - + cache: maven - name: Print issues + id: debug-print-issues run: | echo "Issues from Action input: $ISSUES" - env: - ISSUES: ${{ inputs.vulnerability_issues }} - + env: { + ISSUES: '${{ inputs.vulnerability_issues }}' + } - name: Fail if not running on a branch + id: check-branch if: ${{ !startsWith(github.ref, 'refs/heads/') }} uses: actions/github-script@v7 with: script: | core.setFailed('Not running on a branch, github.ref is ${{ github.ref }}. Please start this workflow only on main or a branch') - - name: Update dependencies - # [impl->dsn~dependency-updater.workflow.start-pk-update~1] + id: update-dependencies run: | mvn --batch-mode com.exasol:project-keeper-maven-plugin:update-dependencies --projects . 
\ -Dproject-keeper:vulnerabilities="$CREATED_ISSUES" - env: - CREATED_ISSUES: ${{ inputs.vulnerability_issues }} - + env: { + CREATED_ISSUES: '${{ inputs.vulnerability_issues }}' + } - name: Project Keeper Fix + id: project-keeper-fix run: | mvn --batch-mode com.exasol:project-keeper-maven-plugin:fix --projects . - - name: Project Keeper Fix for updated Project Keeper version - # Calling PK fix a second time is necessary because the first invocation potentially updated PK itself. - # So we need to run PK fix again with the latest PK version. - # [impl->dsn~dependency-updater.workflow.start-pk-fix~1] + id: project-keeper-fix-2 run: | mvn --batch-mode com.exasol:project-keeper-maven-plugin:fix --projects . - - name: Generate Pull Request comment id: pr-comment - # [impl->dsn~dependency-updater.workflow.create-pull-request~1] - # [impl->dsn~dependency-updater.workflow.pull-request-trigger-ci-build~1] run: | echo 'comment<> "$GITHUB_OUTPUT" echo 'This Pull Request was created by [`dependencies_update.yml`](https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/dependencies_update.yml) workflow.' >> "$GITHUB_OUTPUT" @@ -87,9 +87,9 @@ jobs: echo 'EOF' >> "$GITHUB_OUTPUT" cat "$GITHUB_OUTPUT" - env: - CREATED_ISSUES: ${{ inputs.vulnerability_issues }} - + env: { + CREATED_ISSUES: '${{ inputs.vulnerability_issues }}' + } - name: Generate Pull Request Title id: pr-title run: | 
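Review bot: In the `check-branch` step, `${{ github.ref }}` is expanded into the `actions/github-script` source inside a single-quoted JavaScript string, so the ref text becomes part of the script before it runs and a ref name containing a quote would change the code that is executed. github-script already exposes the value at run time, so the message can be built without template expansion: `core.setFailed('Not running on a branch, github.ref is ' + context.ref + '. Please start this workflow only on main or a branch')`. The `check-main-branch` step in release.yml uses the same pattern and should get the same change.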
@@ -102,22 +102,23 @@ jobs: fi cat "$GITHUB_OUTPUT" - env: - CREATED_ISSUES: ${{ inputs.vulnerability_issues }} - + env: { + CREATED_ISSUES: '${{ inputs.vulnerability_issues }}' + } - name: Configure git + id: configure-git run: | git config --global user.email "opensource@exasol.com" git config --global user.name "Automatic Dependency Updater" - - name: Create branch + id: create-branch if: ${{ github.ref == 'refs/heads/main' }} run: | branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")" echo "Creating branch $branch_name" git checkout -b "$branch_name" - - name: Commit changes & push + id: publish-branch if: ${{ startsWith(github.ref, 'refs/heads/' ) }} run: | branch_name=$(git rev-parse --abbrev-ref HEAD) @@ -135,9 +136,9 @@ jobs: echo "Pushing branch $branch_name..." git push --set-upstream origin "$branch_name" echo "Done." - env: - TITLE: ${{ steps.pr-title.outputs.title }} - + env: { + TITLE: '${{ steps.pr-title.outputs.title }}' + } - name: Create pull request id: create-pr if: ${{ github.ref == 'refs/heads/main' }} 
@@ -145,31 +146,35 @@ jobs: pr_url=$(gh pr create --base main --title "$TITLE" --body "$COMMENT") echo "Created Pull Request: $pr_url" echo "pr_url=$pr_url" >> "$GITHUB_OUTPUT" - env: - COMMENT: ${{ steps.pr-comment.outputs.comment }} - TITLE: ${{ steps.pr-title.outputs.title }} - GH_TOKEN: ${{ github.token }} - + env: { + COMMENT: '${{ steps.pr-comment.outputs.comment }}', + TITLE: '${{ steps.pr-title.outputs.title }}', + GH_TOKEN: '${{ github.token }}' + } - name: Report failure Status to Slack channel - # Also run this step in case of failures + id: report-failure-slack if: ${{ always() }} uses: ravsamhq/notify-slack-action@v2 - with: - status: ${{ job.status }} - token: ${{ secrets.GITHUB_TOKEN }} - notification_title: "Dependency check in {repo} has {status_message}" - message_format: "{emoji} *{workflow}* {status_message} in <{repo_url}|{repo}>" - notify_when: "failure,cancelled,warnings" - env: - SLACK_WEBHOOK_URL: ${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }} - + with: { + status: '${{ job.status }}', + token: '${{ secrets.GITHUB_TOKEN }}', + notification_title: 'Dependency check in {repo} has {status_message}', + message_format: '{emoji} *{workflow}* {status_message} in <{repo_url}|{repo}>', + notify_when: 'failure,cancelled,warnings' + } + env: { + SLACK_WEBHOOK_URL: '${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }}' + } - name: Report new Pull Request to Slack channel + id: report-pr-slack if: ${{ steps.create-pr.outputs.pr_url }} uses: ravsamhq/notify-slack-action@v2 - with: - status: ${{ job.status }} - token: ${{ secrets.GITHUB_TOKEN }} - notification_title: "Dependency update for {repo} created a Pull Request" - message_format: "{workflow} created Pull Request ${{ steps.create-pr.outputs.pr_url }}" - env: - SLACK_WEBHOOK_URL: ${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }} + with: { + status: '${{ job.status }}', + token: '${{ secrets.GITHUB_TOKEN }}', + notification_title: 'Dependency update for {repo} created a 
Pull Request', + message_format: '{workflow} created Pull Request ${{ steps.create-pr.outputs.pr_url }}' + } + env: { + SLACK_WEBHOOK_URL: '${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }}' + } diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fe959c9..5be64c8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -1,81 +1,85 @@ -# Generated by Project Keeper -# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/release.yml +# This file was generated by Project Keeper. name: Release on: - # [impl->dsn~release-workflow.triggers~1] workflow_call: inputs: - started-from-ci: - description: "Marks this release as started from CI, skipping precondition check" - type: boolean - required: true + started-from-ci: { + description: 'Marks this release as started from CI, skipping precondition check', + type: boolean, + required: true, default: false + } workflow_dispatch: inputs: - skip-maven-central: - description: "Skip deployment to Maven Central" - required: true - type: boolean + skip-maven-central: { + description: Skip deployment to Maven Central, + required: true, + type: boolean, default: false - skip-github-release: - description: "Skip creating the GitHub release" - required: true - type: boolean + } + skip-github-release: { + description: Skip creating the GitHub release, + required: true, + type: boolean, default: false - + } jobs: release: runs-on: ubuntu-latest defaults: - run: - shell: "bash" - concurrency: - group: ${{ github.workflow }} + run: { + shell: bash + } + concurrency: { + group: '${{ github.workflow }}', cancel-in-progress: false - permissions: - contents: write - actions: read + } + permissions: { + contents: write, + actions: read, + issues: read + } steps: - name: Checkout the repository + id: checkout uses: actions/checkout@v4 - with: + with: { fetch-depth: 0 + } - name: Set up Maven Central Repository + id: configure-maven-central-credentials if: ${{ true }} uses: actions/setup-java@v4 with: - distribution: "temurin" + distribution: temurin java-version: | 11 17 - cache: "maven" + cache: maven server-id: ossrh server-username: MAVEN_USERNAME server-password: MAVEN_PASSWORD gpg-private-key: ${{ secrets.OSSRH_GPG_SECRET_KEY }} gpg-passphrase: MAVEN_GPG_PASSPHRASE - name: Set up JDKs + id: 
setup-jdks if: ${{ ! true }} uses: actions/setup-java@v4 with: - distribution: "temurin" + distribution: temurin java-version: | 11 17 - cache: "maven" - - # Check preconditions - + cache: maven - name: Fail if not running on main branch + id: check-main-branch if: ${{ github.ref != 'refs/heads/main' }} uses: actions/github-script@v7 with: script: | core.setFailed('Not running on main branch, github.ref is ${{ github.ref }}. Please start this workflow only on main') - - # [impl->dsn~release-workflow.verify-ci-build-success~1] - name: Check CI build of this commit succeeded - # We skip this check if this was started from ci-build.yml, because the build status would be "in progress". + id: check-ci-build-status if: ${{ ! inputs.started-from-ci }} run: | echo "Commit SHA: $COMMIT_SHA" 
@@ -88,43 +92,45 @@ jobs: cat $GITHUB_STEP_SUMMARY exit 1 fi - env: - COMMIT_SHA: ${{ github.sha }} - GH_TOKEN: ${{ github.token }} - # [impl->dsn~release-workflow.run-verify-release~1] + env: { + COMMIT_SHA: '${{ github.sha }}', + GH_TOKEN: '${{ github.token }}' + } - name: Verify release preconditions id: verify-release run: | mvn --batch-mode com.exasol:project-keeper-maven-plugin:verify-release --projects . echo "$GITHUB_OUTPUT" - env: - GITHUB_TOKEN: ${{ github.token }} - # [impl->dsn~release-workflow.verify-skip-tests~1] - - name: Build project + env: { + GITHUB_TOKEN: '${{ github.token }}' + } + - { + name: Build project, + id: build, run: mvn --batch-mode -DskipTests clean verify - - # Maven Central Deployment - - name: List secret GPG keys - if: ${{ true && (! inputs.skip-maven-central) }} + } + - { + name: List secret GPG keys, + id: list-secret-gpg-keys, + if: '${{ true && (! inputs.skip-maven-central) }}', run: gpg --list-secret-keys - # [impl->dsn~release-workflow.deploy-maven-central~1] + } - name: Publish to Central Repository + id: deploy-maven-central if: ${{ true && (! inputs.skip-maven-central) }} run: | + echo "#### Maven Central Release" >> "$GITHUB_STEP_SUMMARY" mvn --batch-mode -Dgpg.skip=false -DskipTests deploy - echo "Published to Maven Central" >> "$GITHUB_STEP_SUMMARY" - env: - MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }} - MAVEN_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - MAVEN_GPG_PASSPHRASE: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} - - # Create GitHub releasse - + echo "Published to Maven Central ✅" >> "$GITHUB_STEP_SUMMARY" + env: { + MAVEN_USERNAME: '${{ secrets.OSSRH_USERNAME }}', + MAVEN_PASSWORD: '${{ secrets.OSSRH_PASSWORD }}', + MAVEN_GPG_PASSPHRASE: '${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}' + } - name: Calculate Artifact Checksums id: artifact-checksum if: ${{ ! 
inputs.skip-github-release }} run: | - ls target/ echo "Calculating sha256 checksum for artifact files" echo "artifacts<> "$GITHUB_OUTPUT" IFS=$'\n' artifacts_array=($ARTIFACTS) 
@@ -144,50 +150,70 @@ jobs: echo "EOF" >> "$GITHUB_OUTPUT" echo "Full artifact file list" cat "$GITHUB_OUTPUT" - env: - ARTIFACTS: ${{ steps.verify-release.outputs.release-artifacts }} - - # [impl->dsn~release-workflow.create-github-release~1] + env: { + ARTIFACTS: '${{ steps.verify-release.outputs.release-artifacts }}' + } - name: Create GitHub Release id: create-github-release if: ${{ ! inputs.skip-github-release }} run: | + echo "### GitHub Release" >> "$GITHUB_STEP_SUMMARY" IFS=$'\n' artifacts_array=($ARTIFACTS) + echo "#### Attaching Release Artifacts" >> "$GITHUB_STEP_SUMMARY" for file in "${artifacts_array[@]}"; do - echo "Attaching file '$file'" + echo "Attaching artifact '$file'" + echo "* \`$file\`" >> "$GITHUB_STEP_SUMMARY" done - release_url=$(gh release create --draft --latest --title "$TITLE" --notes "$NOTES" --target main $TAG "${artifacts_array[@]}") - echo "Created release $TAG with title '$TITLE' at $release_url" >> "$GITHUB_STEP_SUMMARY" + echo "" >> "$GITHUB_STEP_SUMMARY" + release_url=$(gh release create --latest --title "$TITLE" --notes "$NOTES" --target main $TAG "${artifacts_array[@]}") + echo "Created release $TAG with title '$TITLE' at $release_url ✅" >> "$GITHUB_STEP_SUMMARY" echo "release-url=$release_url" >> "$GITHUB_OUTPUT" - git fetch --tags origin - env: - GH_TOKEN: ${{ github.token }} - TAG: ${{ steps.verify-release.outputs.version }} - NOTES: ${{ steps.verify-release.outputs.release-notes }} - TITLE: ${{ steps.verify-release.outputs.release-title }} - ARTIFACTS: ${{ steps.artifact-checksum.outputs.artifacts }} + # [impl->dsn~release-workflow.create-golang-tags~1] + echo "#### Creating Additional Tags" >> "$GITHUB_STEP_SUMMARY" + IFS=$'\n' tags_array=($ADDITIONAL_TAGS) + for tag in "${tags_array[@]}"; + do + echo "Creating tag '$tag'" + git tag "$tag" + git push origin "$tag" + echo "* \`$tag\`" >> "$GITHUB_STEP_SUMMARY" + done + + git fetch --tags origin + env: { + GH_TOKEN: '${{ github.token }}', + TAG: '${{ 
steps.verify-release.outputs.release-tag }}', + ADDITIONAL_TAGS: '${{ steps.verify-release.outputs.additional-release-tags }}', + NOTES: '${{ steps.verify-release.outputs.release-notes }}', + TITLE: '${{ steps.verify-release.outputs.release-title }}', + ARTIFACTS: '${{ steps.artifact-checksum.outputs.artifacts }}' + } - name: Report failure Status to Slack channel - # Also run this step in case of failures + id: report-failure-status-slack if: ${{ always() }} uses: ravsamhq/notify-slack-action@v2 - with: - status: ${{ job.status }} - token: ${{ github.token }} - notification_title: "Release build in {repo} has {status_message}" - message_format: "{emoji} *{workflow}* {status_message} in <{repo_url}|{repo}>" - notify_when: "failure,cancelled,warnings,skipped" - env: - SLACK_WEBHOOK_URL: ${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }} - + with: { + status: '${{ job.status }}', + token: '${{ github.token }}', + notification_title: 'Release build in {repo} has {status_message}', + message_format: '{emoji} *{workflow}* {status_message} in <{repo_url}|{repo}>', + notify_when: 'failure,cancelled,warnings,skipped' + } + env: { + SLACK_WEBHOOK_URL: '${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }}' + } - name: Report new release to Slack channel + id: report-new-release-slack if: ${{ steps.create-github-release.outputs.release-url }} uses: ravsamhq/notify-slack-action@v2 - with: - status: ${{ job.status }} - token: ${{ github.token }} - notification_title: "Release build for {repo} created a new release" - message_format: "{workflow} created release ${{ steps.create-github-release.outputs.release-url }}" - env: - SLACK_WEBHOOK_URL: ${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }} + with: { + status: '${{ job.status }}', + token: '${{ github.token }}', + notification_title: 'Release build for {repo} created a new release', + message_format: '{workflow} created release ${{ steps.create-github-release.outputs.release-url }}' + } + env: { + 
SLACK_WEBHOOK_URL: '${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }}' + } diff --git a/dependencies.md b/dependencies.md index 19a3159..22d4b9b 100644 --- a/dependencies.md +++ b/dependencies.md 
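Review bot: `$TAG` is expanded unquoted in the rewritten `gh release create` line, while the new tag loop directly below quotes `"$tag"`; a value from `steps.verify-release.outputs.release-tag` containing whitespace or glob characters would be split into extra arguments. The call should end in `--target main "$TAG" "${artifacts_array[@]}"`. With `--draft` removed, the release is public as soon as that command returns, which is before the additional tags are created and pushed, so a failing `git push origin "$tag"` leaves a published release with tags missing. Creating and pushing the additional tags before `gh release create`, or keeping the draft state until the loop has finished, would avoid that partial result.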
@@ -15,47 +15,50 @@ | [Apache Ivy][14] | [The Apache Software License, Version 2.0][15] | | [Apache ZooKeeper - Server][16] | [Apache License, Version 2.0][11] | | [Apache Avro][17] | [Apache-2.0][11] | +| [Joda-Time][18] | [Apache License, Version 2.0][11] | +| [Netty/All-in-One][19] | [Apache License, Version 2.0][9] | +| [janino][20] | [BSD-3-Clause][21] | ## Test Dependencies | Dependency | License | | ----------------------------------------------- | ---------------------------------------------- | -| [mockito-core][18] | [MIT][19] | -| [mockito-junit-jupiter][18] | [MIT][19] | -| [JUnit Jupiter (Aggregator)][20] | [Eclipse Public License v2.0][21] | -| [JUnit Jupiter API][20] | [Eclipse Public License v2.0][21] | -| [Hamcrest][22] | [BSD License 3][23] | -| [Testcontainers :: JUnit Jupiter Extension][24] | [MIT][25] | -| [Test containers for Exasol on Docker][26] | [MIT License][27] | -| [Test Database Builder for Java][28] | [MIT License][29] | -| [Matcher for SQL Result Sets][30] | [MIT License][31] | -| [Test utilities for `java.util.logging`][32] | [MIT][19] | -| [EqualsVerifier \| release normal jar][33] | [Apache License, Version 2.0][11] | -| [Jackson-core][34] | [The Apache Software License, Version 2.0][11] | +| [mockito-core][22] | [MIT][23] | +| [mockito-junit-jupiter][22] | [MIT][23] | +| [JUnit Jupiter (Aggregator)][24] | [Eclipse Public License v2.0][25] | +| [JUnit Jupiter API][24] | [Eclipse Public License v2.0][25] | +| [Hamcrest][26] | [BSD License 3][27] | +| [Testcontainers :: JUnit Jupiter Extension][28] | [MIT][29] | +| [Test containers for Exasol on Docker][30] | [MIT License][31] | +| [Test Database Builder for Java][32] | [MIT License][33] | +| [Matcher for SQL Result Sets][34] | [MIT License][35] | +| [Test utilities for `java.util.logging`][36] | [MIT][23] | +| [EqualsVerifier \| release normal jar][37] | [Apache License, Version 2.0][11] | +| [Jackson-core][38] | [The Apache Software License, Version 2.0][11] | ## Plugin 
Dependencies | Dependency | License | | ------------------------------------------------------- | --------------------------------- | -| [SonarQube Scanner for Maven][35] | [GNU LGPL 3][36] | -| [Apache Maven Toolchains Plugin][37] | [Apache License, Version 2.0][11] | -| [Apache Maven Compiler Plugin][38] | [Apache-2.0][11] | -| [Apache Maven Enforcer Plugin][39] | [Apache-2.0][11] | -| [Maven Flatten Plugin][40] | [Apache Software Licenese][11] | -| [org.sonatype.ossindex.maven:ossindex-maven-plugin][41] | [ASL2][15] | -| [Maven Surefire Plugin][42] | [Apache-2.0][11] | -| [Versions Maven Plugin][43] | [Apache License, Version 2.0][11] | -| [duplicate-finder-maven-plugin Maven Mojo][44] | [Apache License 2.0][7] | -| [Apache Maven Deploy Plugin][45] | [Apache-2.0][11] | -| [Apache Maven GPG Plugin][46] | [Apache-2.0][11] | -| [Apache Maven Source Plugin][47] | [Apache License, Version 2.0][11] | -| [Apache Maven Javadoc Plugin][48] | [Apache-2.0][11] | -| [Nexus Staging Maven Plugin][49] | [Eclipse Public License][50] | -| [Maven Failsafe Plugin][51] | [Apache-2.0][11] | -| [JaCoCo :: Maven Plugin][52] | [Eclipse Public License 2.0][53] | -| [error-code-crawler-maven-plugin][54] | [MIT License][55] | -| [Reproducible Build Maven Plugin][56] | [Apache 2.0][15] | -| [Project Keeper Maven plugin][57] | [The MIT License][58] | +| [SonarQube Scanner for Maven][39] | [GNU LGPL 3][40] | +| [Apache Maven Toolchains Plugin][41] | [Apache License, Version 2.0][11] | +| [Apache Maven Compiler Plugin][42] | [Apache-2.0][11] | +| [Apache Maven Enforcer Plugin][43] | [Apache-2.0][11] | +| [Maven Flatten Plugin][44] | [Apache Software Licenese][11] | +| [org.sonatype.ossindex.maven:ossindex-maven-plugin][45] | [ASL2][15] | +| [Maven Surefire Plugin][46] | [Apache-2.0][11] | +| [Versions Maven Plugin][47] | [Apache License, Version 2.0][11] | +| [duplicate-finder-maven-plugin Maven Mojo][48] | [Apache License 2.0][7] | +| [Apache Maven Deploy Plugin][49] | [Apache-2.0][11] | +| 
[Apache Maven GPG Plugin][50] | [Apache-2.0][11] | +| [Apache Maven Source Plugin][51] | [Apache License, Version 2.0][11] | +| [Apache Maven Javadoc Plugin][52] | [Apache-2.0][11] | +| [Nexus Staging Maven Plugin][53] | [Eclipse Public License][54] | +| [Maven Failsafe Plugin][55] | [Apache-2.0][11] | +| [JaCoCo :: Maven Plugin][56] | [EPL-2.0][57] | +| [error-code-crawler-maven-plugin][58] | [MIT License][59] | +| [Reproducible Build Maven Plugin][60] | [Apache 2.0][15] | +| [Project Keeper Maven plugin][61] | [The MIT License][62] | [0]: http://www.exasol.com/ [1]: https://repo1.maven.org/maven2/com/exasol/exasol-jdbc/24.0.0/exasol-jdbc-24.0.0-license.txt 
@@ -75,44 +78,48 @@ [15]: http://www.apache.org/licenses/LICENSE-2.0.txt [16]: http://zookeeper.apache.org/zookeeper [17]: https://avro.apache.org -[18]: https://github.com/mockito/mockito -[19]: https://opensource.org/licenses/MIT -[20]: https://junit.org/junit5/ -[21]: https://www.eclipse.org/legal/epl-v20.html -[22]: http://hamcrest.org/JavaHamcrest/ -[23]: http://opensource.org/licenses/BSD-3-Clause -[24]: https://java.testcontainers.org -[25]: http://opensource.org/licenses/MIT -[26]: https://github.com/exasol/exasol-testcontainers/ -[27]: https://github.com/exasol/exasol-testcontainers/blob/main/LICENSE -[28]: https://github.com/exasol/test-db-builder-java/ -[29]: https://github.com/exasol/test-db-builder-java/blob/main/LICENSE -[30]: https://github.com/exasol/hamcrest-resultset-matcher/ -[31]: https://github.com/exasol/hamcrest-resultset-matcher/blob/main/LICENSE -[32]: https://github.com/exasol/java-util-logging-testing/ -[33]: https://www.jqno.nl/equalsverifier -[34]: https://github.com/FasterXML/jackson-core -[35]: http://sonarsource.github.io/sonar-scanner-maven/ -[36]: http://www.gnu.org/licenses/lgpl.txt -[37]: https://maven.apache.org/plugins/maven-toolchains-plugin/ -[38]: https://maven.apache.org/plugins/maven-compiler-plugin/ -[39]: https://maven.apache.org/enforcer/maven-enforcer-plugin/ -[40]: https://www.mojohaus.org/flatten-maven-plugin/ -[41]: https://sonatype.github.io/ossindex-maven/maven-plugin/ -[42]: https://maven.apache.org/surefire/maven-surefire-plugin/ -[43]: https://www.mojohaus.org/versions/versions-maven-plugin/ -[44]: https://basepom.github.io/duplicate-finder-maven-plugin -[45]: https://maven.apache.org/plugins/maven-deploy-plugin/ -[46]: https://maven.apache.org/plugins/maven-gpg-plugin/ -[47]: https://maven.apache.org/plugins/maven-source-plugin/ -[48]: https://maven.apache.org/plugins/maven-javadoc-plugin/ -[49]: http://www.sonatype.com/public-parent/nexus-maven-plugins/nexus-staging/nexus-staging-maven-plugin/ -[50]: 
http://www.eclipse.org/legal/epl-v10.html -[51]: https://maven.apache.org/surefire/maven-failsafe-plugin/ -[52]: https://www.jacoco.org/jacoco/trunk/doc/maven.html -[53]: https://www.eclipse.org/legal/epl-2.0/ -[54]: https://github.com/exasol/error-code-crawler-maven-plugin/ -[55]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE -[56]: http://zlika.github.io/reproducible-build-maven-plugin -[57]: https://github.com/exasol/project-keeper/ -[58]: https://github.com/exasol/project-keeper/blob/main/LICENSE +[18]: https://www.joda.org/joda-time/ +[19]: https://netty.io/netty-all/ +[20]: http://janino-compiler.github.io/janino/ +[21]: https://spdx.org/licenses/BSD-3-Clause.html +[22]: https://github.com/mockito/mockito +[23]: https://opensource.org/licenses/MIT +[24]: https://junit.org/junit5/ +[25]: https://www.eclipse.org/legal/epl-v20.html +[26]: http://hamcrest.org/JavaHamcrest/ +[27]: http://opensource.org/licenses/BSD-3-Clause +[28]: https://java.testcontainers.org +[29]: http://opensource.org/licenses/MIT +[30]: https://github.com/exasol/exasol-testcontainers/ +[31]: https://github.com/exasol/exasol-testcontainers/blob/main/LICENSE +[32]: https://github.com/exasol/test-db-builder-java/ +[33]: https://github.com/exasol/test-db-builder-java/blob/main/LICENSE +[34]: https://github.com/exasol/hamcrest-resultset-matcher/ +[35]: https://github.com/exasol/hamcrest-resultset-matcher/blob/main/LICENSE +[36]: https://github.com/exasol/java-util-logging-testing/ +[37]: https://www.jqno.nl/equalsverifier +[38]: https://github.com/FasterXML/jackson-core +[39]: http://sonarsource.github.io/sonar-scanner-maven/ +[40]: http://www.gnu.org/licenses/lgpl.txt +[41]: https://maven.apache.org/plugins/maven-toolchains-plugin/ +[42]: https://maven.apache.org/plugins/maven-compiler-plugin/ +[43]: https://maven.apache.org/enforcer/maven-enforcer-plugin/ +[44]: https://www.mojohaus.org/flatten-maven-plugin/ +[45]: 
https://sonatype.github.io/ossindex-maven/maven-plugin/ +[46]: https://maven.apache.org/surefire/maven-surefire-plugin/ +[47]: https://www.mojohaus.org/versions/versions-maven-plugin/ +[48]: https://basepom.github.io/duplicate-finder-maven-plugin +[49]: https://maven.apache.org/plugins/maven-deploy-plugin/ +[50]: https://maven.apache.org/plugins/maven-gpg-plugin/ +[51]: https://maven.apache.org/plugins/maven-source-plugin/ +[52]: https://maven.apache.org/plugins/maven-javadoc-plugin/ +[53]: http://www.sonatype.com/public-parent/nexus-maven-plugins/nexus-staging/nexus-staging-maven-plugin/ +[54]: http://www.eclipse.org/legal/epl-v10.html +[55]: https://maven.apache.org/surefire/maven-failsafe-plugin/ +[56]: https://www.jacoco.org/jacoco/trunk/doc/maven.html +[57]: https://www.eclipse.org/legal/epl-2.0/ +[58]: https://github.com/exasol/error-code-crawler-maven-plugin/ +[59]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE +[60]: http://zlika.github.io/reproducible-build-maven-plugin +[61]: https://github.com/exasol/project-keeper/ +[62]: https://github.com/exasol/project-keeper/blob/main/LICENSE diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md index 42c2922..ea0c50f 100644 --- a/doc/changes/changelog.md +++ b/doc/changes/changelog.md @@ -1,5 +1,6 @@ # Changes +* [2.0.5](changes_2.0.5.md) * [2.0.4](changes_2.0.4.md) * [2.0.3](changes_2.0.3.md) * [2.0.2](changes_2.0.2.md) diff --git a/doc/changes/changes_2.0.5.md b/doc/changes/changes_2.0.5.md new file mode 100644 index 0000000..0d73f25 --- /dev/null +++ b/doc/changes/changes_2.0.5.md 
@@ -0,0 +1,31 @@
+# Spark Connector Common Java 2.0.5, released 2024-05-08
+
+Code name: Fix CVEs in compile and test dependencies
+
+## Summary
+This release fixes the following vulnerabilities in dependencies:
+* CVE-2024-29025 in `io.netty:netty-codec-http:jar:4.1.96.Final:provided`
+* CVE-2024-23080 in `joda-time:joda-time:jar:2.12.5:provided`
+* CVE-2023-33546 in `org.codehaus.janino:janino:jar:3.1.9:provided`
+
+## Features
+
+* #36: Fixed CVE-2024-23080
+* #35: Fixed CVE-2024-29025
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Added `io.netty:netty-all:4.1.109.Final`
+* Added `joda-time:joda-time:2.12.7`
+* Added `org.codehaus.janino:janino:3.1.12`
+
+### Plugin Dependency Updates
+
+* Updated `com.exasol:error-code-crawler-maven-plugin:2.0.1` to `2.0.2`
+* Updated `com.exasol:project-keeper-maven-plugin:4.2.0` to `4.3.0`
+* Updated `org.apache.maven.plugins:maven-compiler-plugin:3.12.1` to `3.13.0`
+* Updated `org.apache.maven.plugins:maven-gpg-plugin:3.1.0` to `3.2.2`
+* Updated `org.jacoco:jacoco-maven-plugin:0.8.11` to `0.8.12`
+* Updated `org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594` to `3.11.0.3922`
diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom
index 9719607..6e566cc 100644
--- a/pk_generated_parent.pom
+++ b/pk_generated_parent.pom
@@ -3,7 +3,7 @@ 4.0.0 com.exasol spark-connector-common-java-generated-parent - 2.0.4 + 2.0.5 pom UTF-8
@@ -50,7 +50,7 @@ org.sonarsource.scanner.maven sonar-maven-plugin - 3.10.0.2594 + 3.11.0.3922 org.apache.maven.plugins
@@ -74,15 +74,14 @@ org.apache.maven.plugins maven-compiler-plugin - 3.12.1 + 3.13.0 ${java.version} ${java.version} true - - -Xlint:all,-processing - + -Xlint:all + -Werror
@@ -224,7 +223,7 @@ org.apache.maven.plugins maven-gpg-plugin - 3.1.0 + 3.2.2 sign-artifacts
@@ -323,7 +322,7 @@ org.jacoco jacoco-maven-plugin - 0.8.11 + 0.8.12 prepare-agent
@@ -364,7 +363,7 @@ com.exasol error-code-crawler-maven-plugin - 2.0.1 + 2.0.2 verify
diff --git a/pom.xml b/pom.xml
index 36b5134..3d31212 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,14 +3,14 @@ 4.0.0 com.exasol spark-connector-common-java - 2.0.4 + 2.0.5 spark-connector-common-java An Exasol common library for Apache Spark connectors https://github.com/exasol/spark-connector-common-java/ spark-connector-common-java-generated-parent com.exasol - 2.0.4 + 2.0.5 pk_generated_parent.pom
@@ -94,6 +94,24 @@ avro 1.11.3 + + + joda-time + joda-time + 2.12.7 + + + + io.netty + netty-all + 4.1.109.Final + + + + org.codehaus.janino + janino + 3.1.12 + org.mockito
@@ -191,8 +209,6 @@ ossindex-maven-plugin - - CVE-2023-33546
@@ -212,7 +228,7 @@ com.exasol project-keeper-maven-plugin - 4.2.0 + 4.3.0
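Review bot: The three entries added in the `@@ -94,6 +94,24 @@` hunk (joda-time 2.12.7, netty-all 4.1.109.Final, janino 3.1.12) show no scope value, so they would default to compile scope, while the release notes list the vulnerable artifacts as `provided`. The page has lost the XML tags, so this is inferred from the text that survives. If the intent is only to raise the version of transitive dependencies, pinning them under `<dependencyManagement>`, or adding `<scope>provided</scope>` to each entry, would do that without putting them on the classpath of every consumer of this library. The finding also names `netty-codec-http` whereas the entry added is `netty-all`, so it is worth confirming with `mvn dependency:tree -Dincludes=io.netty` that no 4.1.96.Final module is still resolved before relying on the removal of the CVE-2023-33546 exclusion and the clean audit result.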