diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index cbe34a59..c776f784 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,24 +1,10 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# name: "CodeQL" on: push: - branches: [ "main" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "main" ] - schedule: - - cron: '43 16 * * 4' + branches: + - main + - deps0408 jobs: codeql-analyze: 
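Review bot: The new `on:` block drops the `pull_request` and `schedule` triggers, so CodeQL now runs only after a push has already landed on `main` (or `deps0408`) and never gates a pull request or re-scans on a cadence as new queries ship. If that is not intentional, restore `pull_request: { branches: [ "main" ] }` and a weekly `schedule:` cron entry next to the push trigger. `deps0408` also reads like a temporary working branch; leaving it in the trigger list means pushes there count as a scanned ref, and it should probably be removed before this merges.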
@@ -29,48 +15,31 @@ jobs: contents: read security-events: write - strategy: - fail-fast: false - matrix: - language: [ 'java' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] - # Use only 'java' to analyze code written in Java, Kotlin or both - # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - # ℹ️ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. 
- - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - with: - category: "/language:${{matrix.language}}" + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: java + queries: security-and-quality + + - name: Set up JDK + uses: actions/setup-java@v3 + with: + distribution: temurin + java-version: 17 + cache: gradle + + - name: Validate Gradle wrapper + uses: gradle/wrapper-validation-action@v1 + + - name: Build application + run: ./gradlew clean build + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:java" \ No newline at end of file diff --git a/.github/workflows/deploy-dev.yaml b/.github/workflows/deploy-dev.yaml new file mode 100644 index 00000000..bf706b99 --- /dev/null +++ b/.github/workflows/deploy-dev.yaml 
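Review bot: `Build application` runs `./gradlew clean build`, which executes the full test suite, so any test failure aborts the job before `Perform CodeQL Analysis` and no SARIF is uploaded — the scan goes missing silently instead of reporting. CodeQL only needs the sources compiled, so `run: ./gradlew assemble` (or `./gradlew build -x test`) keeps the analysis independent of test health; the deploy-dev workflow's build sets `TESTCONTAINERS_RYUK_DISABLED`, which suggests the tests need Docker and are a likely source of such failures. The `permissions` block with only `contents: read` and `security-events: write` is the right minimum here; per the codeql-action docs, private repositories additionally need `actions: read` for the analyze step. The actions are referenced by major-version tag (`@v1`, `@v2`, `@v3`) rather than a commit SHA, which is acceptable for first-party `actions/` and `github/` actions but worth tightening if the rest of the workflows move to SHA pinning.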
@@ -0,0 +1,112 @@ +name: deploy-dev + +on: + push: + branches: + - main + - deps0408 + +jobs: + build: + name: Build app, docker image and push docker image + permissions: + contents: write + id-token: write + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Set up JDK + uses: actions/setup-java@v3 + with: + distribution: temurin + java-version: 17 + cache: gradle + + - name: Validate Gradle wrapper + uses: gradle/wrapper-validation-action@v1 + + - uses: gradle/gradle-build-action@v2.7.0 + env: # Eksluder test dependencies + DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS: compileClasspath|runtimeClasspath + TESTCONTAINERS_RYUK_DISABLED: true + with: + dependency-graph: generate-and-submit + arguments: build + + - name: Pre-deploy + uses: navikt/digihot-deploy/actions/pre-deploy@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and push docker image + uses: nais/docker-build-push@v0 + id: docker-build-push + with: + byosbom: dependency-graph-reports/deploy-dev-build.json + team: teamdigihot + identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} + project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} + tag: ${{ env.VERSION_TAG }} + + - name: Deploy to dev-gcp + uses: nais/deploy/actions/deploy@v1 + env: + APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} + CLUSTER: dev-gcp + RESOURCE: nais/nais-dev.yaml,nais/alerts-dev.yaml + IMAGE: ${{steps.docker-build-push.outputs.image}} + + - name: post-deploy + if: github.ref == 'refs/heads/main' + uses: navikt/digihot-deploy/actions/post-deploy@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: draft release + if: github.ref == 'refs/heads/main' + uses: actions/create-release@latest + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + tag_name: ${{ env.VERSION_TAG }} + release_name: ${{ env.APPLICATION }} ${{ env.VERSION_TAG }} + body: ${{ env.CHANGE_LOG }} + draft: true + prerelease: false + + outputs: + image: ${{ 
steps.docker-build-push.outputs.image }} + + trivy-imagescan: + name: Scan dockerimage with Trivy + needs: build + if: github.ref == 'refs/heads/main' + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + actions: read + id-token: write + steps: + - uses: nais/login@v0 + with: + project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} + identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} + team: teamdigihot + + - name: Run Trivy vulnerability scanner on docker image + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ needs.build.outputs.image }} + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' \ No newline at end of file diff --git a/.github/workflows/deploy-prod.yaml b/.github/workflows/deploy-prod.yaml new file mode 100644 index 00000000..aba5d278 --- /dev/null +++ b/.github/workflows/deploy-prod.yaml 
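Review bot: `Deploy to dev-gcp` runs inside the `build` job before `trivy-imagescan` starts, and the Trivy step sets no `exit-code`, so the vulnerability scan never blocks anything — the image is already running in dev-gcp by the time CRITICAL/HIGH findings are uploaded, and pushes to `deps0408` skip the scan entirely because of `if: github.ref == 'refs/heads/main'`. To make the scan a gate, run it against `steps.docker-build-push.outputs.image` between the push and deploy steps with `exit-code: '1'`, or at least drop the `main`-only condition so dev images built from other branches are scanned too. Separately, `aquasecurity/trivy-action@master` and `actions/create-release@latest` are mutable refs that pull whatever upstream points at on each run; pin them to a release tag or, better, a full commit SHA, as every other action here is at least pinned to a major version. `ignore-unfixed: true` also hides findings that have no upstream fix yet — fine as a noise filter, but add a comment so the gap is a known one rather than an accidental one.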
@@ -0,0 +1,43 @@ +name: deploy-prod +on: + release: + types: [ published ] + +jobs: + deploy-prod: + permissions: + contents: "write" + id-token: "write" + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - uses: nais/login@v0 + name: get image registry + id: nais-login + with: + team: teamdigihot + identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} + project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} + + - name: get image + env: + VERSION_TAG: ${{ github.event.release.tag_name }} + REGISTRY: ${{ steps.nais-login.outputs.registry }} + APP: ${{ github.event.repository.name }} + run: | + IMAGE=$REGISTRY/$APP:$VERSION_TAG + echo "IMAGE=${IMAGE}" >> $GITHUB_ENV + echo $IMAGE + + - uses: nais/deploy/actions/deploy@v1 + name: deploy to prod-gcp + env: + APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} + CLUSTER: prod-gcp + RESOURCE: nais/nais-prod.yaml,nais/alerts-prod.yaml + + - name: post-production + uses: navikt/digihot-deploy/actions/post-production@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/detekt-analysis.yml b/.github/workflows/detekt-analysis.yml index a129bb50..4a9092a1 100644 --- a/.github/workflows/detekt-analysis.yml +++ b/.github/workflows/detekt-analysis.yml 
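Review bot: The `get image` step reconstructs the production image reference by tag (`$REGISTRY/$APP:$VERSION_TAG`) rather than by digest, so what reaches prod-gcp is whatever that tag resolves to at deploy time and nothing ties it to the image that was built, dependency-graphed and Trivy-scanned in deploy-dev. Prefer carrying the exact `docker-build-push` `image` output from the dev run into the release (body or asset) and deploying that reference, or at minimum resolving the tag to a digest here before `nais/deploy` is called. The `release: published` trigger also fires for prereleases, so a prerelease published by hand goes straight to prod; guard the job with `if: ${{ !github.event.release.prerelease }}` unless that is intended. `contents: "write"` looks broader than the visible steps need — checkout only requires read — unless `post-production` writes to the repository through `GITHUB_TOKEN`, which cannot be confirmed from this hunk.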
@@ -1,46 +1,19 @@ -# This workflow performs a static analysis of your Kotlin source code using -# Detekt. -# -# Scans are triggered: -# 1. On every push to default and protected branches -# 2. On every Pull Request targeting the default branch -# 3. On a weekly schedule -# 4. Manually, on demand, via the "workflow_dispatch" event -# -# The workflow should work with no modifications, but you might like to use a -# later version of the Detekt CLI by modifing the $DETEKT_RELEASE_TAG -# environment variable. name: Scan with Detekt on: - # Triggers the workflow on push or pull request events but only for default and protected branches push: branches: [ main, detekt-config-2 ] - pull_request: - branches: [ main ] - schedule: - - cron: '16 23 * * 3' - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: env: - # Release tag associated with version of Detekt to be installed - # SARIF support (required for this workflow) was introduced in Detekt v1.15.0 DETEKT_RELEASE_TAG: v1.15.0 -# A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: - # This workflow contains a single job called "scan" detekt-scan: name: Scan - # The type of runner that the job will run on runs-on: ubuntu-latest - # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Gets the download URL associated with the $DETEKT_RELEASE_TAG - name: Get Detekt download URL diff --git a/.github/workflows/monitor-dependencies.yml b/.github/workflows/monitor-dependencies.yml deleted file mode 100644 index e91fc732..00000000 --- a/.github/workflows/monitor-dependencies.yml +++ /dev/null 
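Review bot: Removing `pull_request`, `schedule` and `workflow_dispatch` leaves Detekt running only on pushes to `main` and `detekt-config-2`, so its findings no longer appear on a pull request before merge and the scan cannot be started by hand; restoring `pull_request: { branches: [ main ] }` keeps the pre-merge signal. `detekt-config-2` reads like a leftover working branch and should probably be dropped from the trigger list. `DETEKT_RELEASE_TAG: v1.15.0` is left untouched while this commit bumps Kotlin to 1.9.0, Gradle to 8.2.1 and most dependencies; a Detekt release that old may not parse the newer Kotlin sources, so confirm the pinned version still runs cleanly. The download and run steps for Detekt continue below this hunk.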
@@ -1,25 +0,0 @@ -name: Monitor dependencies with Dependabot -on: - push: - branches: - - main - - master - - dependabot - paths: - - "**.gradle.kts" - - "gradle.properties" - workflow_dispatch: - -jobs: - dependabot: - name: Monitor dependencies with Dependabot - runs-on: ubuntu-20.04 - permissions: - contents: write # The Dependency Submission API requires write permission - steps: - - uses: actions/checkout@v3 - - name: Run snapshot action - uses: mikepenz/gradle-dependency-submission@v0.8.6 - with: - fail-on-error: true - gradle-dependency-path: "build.gradle.kts" \ No newline at end of file diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml deleted file mode 100644 index c00030c7..00000000 --- a/.github/workflows/workflow.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ -name: Build and deploy - -on: - push: - branches: - - main - - takhoyde - -env: - IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }} - -jobs: - build: - name: Build app, docker image and push docker image - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v2 - - name: Set up Java 17 - uses: actions/setup-java@v1 - with: - java-version: '17.x' - - name: Cache gradle dependencies - uses: actions/cache@v1 - with: - path: ~/.gradle/caches - key: ${{ runner.os }}-gradle-${{ hashFiles('build.gradle.kts') }} - restore-keys: | - ${{ runner.os }}-gradle- - - name: Format code with spotless - run: ./gradlew spotlessApply - - name: Build with Gradle - run: ./gradlew clean build --info - env: - TESTCONTAINERS_RYUK_DISABLED: true - - name: Docker login - uses: docker/login-action@v1 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Docker build and push - uses: docker/build-push-action@v2 - with: - context: . 
- push: true - tags: ${{ env.IMAGE }} - - trivy-imagescan: - name: Scan dockerimage with Trivy - needs: build - if: github.ref == 'refs/heads/main' - runs-on: ubuntu-latest - steps: - - name: Run Trivy vulnerability scanner on docker image - uses: aquasecurity/trivy-action@master - with: - image-ref: ${{ env.IMAGE }} - ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: 'trivy-results.sarif' - - deploy-dev: - name: Deploy to dev - needs: build - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - uses: nais/deploy/actions/deploy@v1 - env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} - CLUSTER: dev-gcp - RESOURCE: nais/nais-dev.yaml,nais/alerts-dev.yaml - - deploy-prod: - name: Deploy to Production - needs: [build, deploy-dev] - if: github.ref == 'refs/heads/main' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - uses: nais/deploy/actions/deploy@v1 - env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} - CLUSTER: prod-gcp - RESOURCE: nais/nais-prod.yaml,nais/alerts-prod.yaml diff --git a/build.gradle.kts b/build.gradle.kts index 51eb822e..9893d7bb 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -4,7 +4,7 @@ import org.jetbrains.kotlin.gradle.tasks.KotlinCompile plugins { application - kotlin("jvm") version "1.8.0" + kotlin("jvm") version "1.9.0" id("com.expediagroup.graphql") version "6.2.5" id("com.diffplug.spotless") version "6.2.0" } @@ -26,7 +26,7 @@ java { targetCompatibility = JavaVersion.VERSION_17 } -fun ktor(name: String) = "io.ktor:ktor-$name:2.2.4" +fun ktor(name: String) = "io.ktor:ktor-$name:2.3.3" fun graphqlKotlin(name: String) = "com.expediagroup:graphql-kotlin-$name:6.4.0" dependencies { 
@@ -36,7 +36,7 @@ dependencies { implementation("no.nav.hjelpemidler.http:hm-http:v0.0.4") // Jackson - val jacksonVersion = "2.14.2" + val jacksonVersion = "2.15.1" implementation("com.fasterxml.jackson.core:jackson-databind:$jacksonVersion") implementation("com.fasterxml.jackson.module:jackson-module-kotlin:$jacksonVersion") implementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310:$jacksonVersion") @@ -56,7 +56,7 @@ dependencies { implementation(ktor("client-content-negotiation")) // Database - implementation("org.flywaydb:flyway-core:9.16.0") + implementation("org.flywaydb:flyway-core:9.21.1") implementation("com.zaxxer:HikariCP:5.0.1") implementation("com.github.seratch:kotliquery:1.9.0") implementation("org.postgresql:postgresql:42.6.0") @@ -73,7 +73,7 @@ dependencies { // Logging implementation("io.github.microutils:kotlin-logging:3.0.5") - runtimeOnly("ch.qos.logback:logback-classic:1.4.6") + runtimeOnly("ch.qos.logback:logback-classic:1.4.7") runtimeOnly("net.logstash.logback:logstash-logback-encoder:7.3") implementation("com.natpryce:konfig:1.6.10.0") @@ -94,7 +94,7 @@ dependencies { // Test testImplementation(kotlin("test")) testImplementation(ktor("server-test-host")) - testImplementation("io.mockk:mockk:1.13.4") + testImplementation("io.mockk:mockk:1.13.5") val kotestVersion = "5.5.5" testImplementation("io.kotest:kotest-assertions-core:$kotestVersion") diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar index 7454180f..249e5832 100644 Binary files a/gradle/wrapper/gradle-wrapper.jar and b/gradle/wrapper/gradle-wrapper.jar differ diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index 8049c684..84a0b92f 100644 --- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties 
@@ -1,5 +1,5 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-7.5-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-8.2.1-bin.zip zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/gradlew b/gradlew index c53aefaa..a69d9cb6 100755 --- a/gradlew +++ b/gradlew @@ -1,7 +1,7 @@ #!/bin/sh # -# Copyright 2015-2021 the original authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -32,10 +32,10 @@ # Busybox and similar reduced shells will NOT work, because this script # requires all of these POSIX shell features: # * functions; -# * expansions $var, ${var}, ${var:-default}, ${var+SET}, -# ${var#prefix}, ${var%suffix}, and $( cmd ); -# * compound commands having a testable exit status, especially case; -# * various built-in commands including command, set, and ulimit. +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». # # Important for patching: # @@ -205,6 +205,12 @@ set -- \ org.gradle.wrapper.GradleWrapperMain \ "$@" +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + # Use "xargs" to parse quoted args. # # With -n1 it outputs one arg per line, with the quotes and backslashes removed. diff --git a/gradlew.bat b/gradlew.bat index 107acd32..f127cfd4 100644 --- a/gradlew.bat +++ b/gradlew.bat 
@@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows @@ -25,7 +25,7 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +40,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto execute +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -75,13 +75,15 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal