diff --git a/.github/GITHUB_ACTIONS_MIGRATION.md b/.github/GITHUB_ACTIONS_MIGRATION.md
index 116e90cb1..ea8ff4d44 100644
--- a/.github/GITHUB_ACTIONS_MIGRATION.md
+++ b/.github/GITHUB_ACTIONS_MIGRATION.md
@@ -51,6 +51,14 @@ The following secrets need to be configured in GitHub repository settings (Setti
 - Description: SSH private key for accessing orbital-core-taxi repository
 - Used for: Publishing core types to GitHub
+3. **`JOOQ_REPO_USERNAME`**
+ - Description: Username for jOOQ Pro repository access
+ - Used for: Maven build dependencies
+
+4. **`JOOQ_REPO_PASSWORD`**
+ - Description: Password for jOOQ Pro repository access
+ - Used for: Maven build dependencies
+
 ### Optional Secrets
 These may be needed depending on your Maven repository configuration:
@@ -127,6 +135,8 @@ In GitLab CI, releases were triggered manually on the develop branch with button
 - [ ] Configure `DOCKER_HUB_PASSWORD` secret in GitHub
 - [ ] Configure `GITHUB_PRIVATE_KEY` secret in GitHub
+- [ ] Configure `JOOQ_REPO_USERNAME` secret in GitHub
+- [ ] Configure `JOOQ_REPO_PASSWORD` secret in GitHub
 - [ ] Verify Maven settings.xml is present at `.mvn/settings.xml`
 - [ ] Test a feature branch build
 - [ ] Test a develop branch build and Docker publish
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9a57c1fac..18e899749 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -76,40 +76,31 @@ jobs:
 distribution: 'temurin'
 cache: 'maven'
- - name: Configure Docker authentication
- run: |
- mkdir -p /home/runner/.docker/
- cat > /home/runner/.docker/config.json << EOF
- {
- "auths": {
- "https://index.docker.io/v1/": {
- "username": "vynecd",
- "password": "${{ secrets.DOCKER_HUB_PASSWORD }}",
- "auth": "$(echo -n 'vynecd:${{ secrets.DOCKER_HUB_PASSWORD }}' | base64)"
- }
- }
- }
- EOF
-
 - name: Determine Maven goals
 id: maven-config
 run: |
 if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+ # Tags: deploy release jars, skip tests (already ran on branch)
 echo "goals=clean deploy" >> $GITHUB_OUTPUT
- echo "extra_args=-P release -DskipTests" >> $GITHUB_OUTPUT
- elif [[ "${{ github.ref_name }}" == "develop" ]] || [[ "${{ github.ref_name }}" == release/* ]]; then
+ echo "extra_args=-P release -DskipTests -Daws.region=eu-west-2" >> $GITHUB_OUTPUT
+ elif [[ "${{ github.ref_name }}" == "develop" ]] || [[ "${{ github.ref_name }}" == "master" ]] || [[ "${{ github.ref_name }}" == "main" ]]; then
+ # Develop/Master/Main: deploy snapshot jars, skip tests (already ran on branches)
 echo "goals=clean deploy" >> $GITHUB_OUTPUT
- echo "extra_args=-P snapshot-release -DskipTests" >> $GITHUB_OUTPUT
+ echo "extra_args=-P snapshot-release -DskipTests -Daws.region=eu-west-2" >> $GITHUB_OUTPUT
+ elif [[ "${{ github.ref_name }}" == release/* ]]; then
+ # Release branches: deploy snapshot jars, run tests
+ echo "goals=clean deploy" >> $GITHUB_OUTPUT
+ echo "extra_args=-P snapshot-release -Daws.region=eu-west-2" >> $GITHUB_OUTPUT
 else
+ # Feature branches: build and test, do not publish
 echo "goals=clean install" >> $GITHUB_OUTPUT
 echo "extra_args=" >> $GITHUB_OUTPUT
 fi
 - name: Build with Maven
 env:
- DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
 JOOQ_REPO_USERNAME: ${{ secrets.JOOQ_REPO_USERNAME }}
- JOOQ_REPO_PASSWORD: ${{ secrets.JOOQ_REPO_PASSWORD }}
+ JOOQ_REPO_PASSWORD: ${{ secrets.JOOQ_REPO_PASSWORD }}
 run: |
 echo "Running Maven with goals: ${{
steps.maven-config.outputs.goals }}"
 mvn $MAVEN_CLI_OPTS -DbuildNumber=${{ github.run_id }} ${{ steps.maven-config.outputs.extra_args }} ${{ steps.maven-config.outputs.goals }}
@@ -144,6 +135,7 @@ jobs:
 retention-days: 7
 if-no-files-found: ignore
+
 build-orbital-ui:
 name: Build Orbital UI
 runs-on: self-hosted
@@ -182,6 +174,7 @@ jobs:
 licenses.csv
 retention-days: 1
+
 build-playground-ui:
 name: Build Playground UI
 runs-on: self-hosted
@@ -217,14 +210,50 @@ jobs:
 path: taxi-playground/target/classes/static
 retention-days: 1
+
+ validate-license-compliance:
+ name: Validate License Compliance
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ needs:
+ - build-jvm
+ - build-orbital-ui
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Download build artifacts
+ uses: actions/download-artifact@v4
+ with:
+ name: build-artifacts
+
+ - name: Download UI artifacts
+ uses: actions/download-artifact@v4
+ with:
+ name: orbital-ui
+
+ - name: Set up Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: '22'
+
+ - name: Validate licenses
+ run: node processLicenses.js
+
+
 publish-orbital:
 name: Publish Orbital (Alpine)
 runs-on: ubuntu-latest
- needs: build-jvm
+ needs:
+ - build-jvm
+ - build-orbital-ui
 if: |
 github.event_name == 'push' && (
 github.ref == 'refs/heads/develop' ||
 github.ref == 'refs/heads/master' ||
+ github.ref == 'refs/heads/main' ||
 startsWith(github.ref, 'refs/tags/v') ||
 startsWith(github.ref, 'refs/heads/release/')
 )
@@ -238,6 +267,11 @@ jobs:
 with:
 name: build-artifacts
+ - name: Download UI artifacts
+ uses: actions/download-artifact@v4
+ with:
+ name: orbital-ui
+
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
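Review bot: The rewritten branch conditions in the `Determine Maven goals` step (and the `docker-tags` steps of the publish jobs later in this file) splice `${{ github.ref_name }}` directly into the bash script, so the ref name is interpreted as shell text instead of being compared as data; a branch name carrying shell metacharacters would be executed by the step rather than rejected. The runner already exposes the same values as environment variables, so the comparisons can read them safely, e.g. `elif [[ "$GITHUB_REF_NAME" == "develop" ]] || [[ "$GITHUB_REF_NAME" == "master" ]] || [[ "$GITHUB_REF_NAME" == "main" ]]; then` and `if [[ "$GITHUB_REF" == refs/tags/* ]]; then`. The literal `-Daws.region=eu-west-2` now appears in three branches of this step and again in `.gitlab-ci.yml`; a single workflow-level `env:` value referenced from each `echo` would keep them from drifting. The `build-jvm` job this step belongs to starts before the hunk.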
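Review bot: The new `validate-license-compliance` job is not referenced by any `needs:` list — `publish-orbital` still depends only on `build-jvm` and `build-orbital-ui` — so a failed license check does not stop the image from being published on the same push. If the check is meant to gate releases, add it to the publish jobs' `needs:` (here and in `publish-orbital-jammy` / `publish-query-node`); if it is advisory only, a comment on the job saying so would make that explicit. The job also has no `if:`, so `node processLicenses.js` runs on every push including feature branches, which broadens it from the develop-only `push` trigger of the old `verify.yml` workflow it replaces; that looks intentional but is worth stating in the job's `name` or a comment.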
@@ -258,7 +292,7 @@ jobs:
 if [[ "${{ github.ref }}" == refs/tags/* ]]; then
 tag="${{ github.ref_name }}"
 versionTag="${{ github.ref_name }}"
- elif [[ "${{ github.ref_name }}" == "master" ]]; then
+ elif [[ "${{ github.ref_name }}" == "master" ]] || [[ "${{ github.ref_name }}" == "main" ]]; then
 tag="latest"
 versionTag="$PROJECT_VERSION"
 elif [[ "${{ github.ref_name }}" == "develop" ]]; then
@@ -266,10 +300,7 @@ jobs:
 versionTag="next-${{ github.run_id }}"
 elif [[ "${{ github.ref_name }}" == release/* ]]; then
 stripped_branch=$(echo "${{ github.ref_name }}" | sed 's/release\///')
- tag="$stripped_branch-next"
- versionTag="$PROJECT_VERSION-BETA-${{ github.run_id }}"
- else
- tag="${{ github.ref_name }}-next"
+ tag="${stripped_branch}-next"
 versionTag="$PROJECT_VERSION-BETA-${{ github.run_id }}"
 fi
@@ -290,14 +321,18 @@ jobs:
 orbitalhq/orbital:${{ steps.docker-tags.outputs.tag }}
 orbitalhq/orbital:${{ steps.docker-tags.outputs.version_tag }}
+
 publish-orbital-jammy:
 name: Publish Orbital (Ubuntu Jammy)
 runs-on: ubuntu-latest
- needs: build-jvm
+ needs:
+ - build-jvm
+ - build-orbital-ui
 if: |
 github.event_name == 'push' && (
 github.ref == 'refs/heads/develop' ||
 github.ref == 'refs/heads/master' ||
+ github.ref == 'refs/heads/main' ||
 startsWith(github.ref, 'refs/tags/v') ||
 startsWith(github.ref, 'refs/heads/release/')
 )
@@ -311,6 +346,11 @@ jobs:
 with:
 name: build-artifacts
+ - name: Download UI artifacts
+ uses: actions/download-artifact@v4
+ with:
+ name: orbital-ui
+
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
@@ -331,7 +371,7 @@ jobs:
 if [[ "${{ github.ref }}" == refs/tags/* ]]; then
 tag="${{ github.ref_name }}-jammy"
 versionTag="${{ github.ref_name }}-jammy"
- elif [[ "${{ github.ref_name }}" == "master" ]]; then
+ elif [[ "${{ github.ref_name }}" == "master" ]] || [[ "${{ github.ref_name }}" == "main" ]]; then
 tag="latest-jammy"
 versionTag="$PROJECT_VERSION-jammy"
 elif [[ "${{ github.ref_name }}" == "develop" ]]; then
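Review bot: Dropping the trailing `else` branch in the `docker-tags` script (hunk `@@ -266,10 +300,7`) leaves `tag` and `versionTag` unset for any ref that reaches the step without matching one of the enumerated cases, so the later `tags:` entries would read as `orbitalhq/orbital:` with nothing after the colon. The job-level `if:` currently keeps such refs out, but the two lists are maintained separately and can drift (the `if:` accepts `refs/tags/v*` while the script accepts any `refs/tags/*`), so keep an explicit failing fallback before the `fi`: `else echo "unsupported ref: $GITHUB_REF_NAME" >&2; exit 1`. The same removal is repeated in the jammy and query-node `docker-tags` steps (hunks `@@ -339,10 +379,7` and `@@ -410,10 +449,7`). The `run:` block of this step starts before the hunk.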
@@ -339,10 +379,7 @@ jobs:
 versionTag="next-${{ github.run_id }}-jammy"
 elif [[ "${{ github.ref_name }}" == release/* ]]; then
 stripped_branch=$(echo "${{ github.ref_name }}" | sed 's/release\///')
- tag="$stripped_branch-next-jammy"
- versionTag="$PROJECT_VERSION-BETA-${{ github.run_id }}-jammy"
- else
- tag="${{ github.ref_name }}-next-jammy"
+ tag="${stripped_branch}-next-jammy"
 versionTag="$PROJECT_VERSION-BETA-${{ github.run_id }}-jammy"
 fi
@@ -361,6 +398,7 @@ jobs:
 orbitalhq/orbital:${{ steps.docker-tags.outputs.tag }}
 orbitalhq/orbital:${{ steps.docker-tags.outputs.version_tag }}
+
 publish-query-node:
 name: Publish Query Node
 runs-on: ubuntu-latest
@@ -369,6 +407,7 @@ jobs:
 github.event_name == 'push' && (
 github.ref == 'refs/heads/develop' ||
 github.ref == 'refs/heads/master' ||
+ github.ref == 'refs/heads/main' ||
 startsWith(github.ref, 'refs/tags/v') ||
 startsWith(github.ref, 'refs/heads/release/')
 )
@@ -402,7 +441,7 @@ jobs:
 if [[ "${{ github.ref }}" == refs/tags/* ]]; then
 tag="${{ github.ref_name }}"
 versionTag="${{ github.ref_name }}"
- elif [[ "${{ github.ref_name }}" == "master" ]]; then
+ elif [[ "${{ github.ref_name }}" == "master" ]] || [[ "${{ github.ref_name }}" == "main" ]]; then
 tag="latest"
 versionTag="$PROJECT_VERSION"
 elif [[ "${{ github.ref_name }}" == "develop" ]]; then
@@ -410,10 +449,7 @@ jobs:
 versionTag="next-${{ github.run_id }}"
 elif [[ "${{ github.ref_name }}" == release/* ]]; then
 stripped_branch=$(echo "${{ github.ref_name }}" | sed 's/release\///')
- tag="$stripped_branch-next"
- versionTag="$PROJECT_VERSION-BETA-${{ github.run_id }}"
- else
- tag="${{ github.ref_name }}-next"
+ tag="${stripped_branch}-next"
 versionTag="$PROJECT_VERSION-BETA-${{ github.run_id }}"
 fi
@@ -430,6 +466,67 @@ jobs:
 orbitalhq/query-node:${{ steps.docker-tags.outputs.tag }}
 orbitalhq/query-node:${{ steps.docker-tags.outputs.version_tag }}
+
+ scan-trivy:
+ name: Container Vulnerability Scan
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ needs: publish-orbital
+ if: |
+ github.event_name == 'push' && (
+ github.ref == 'refs/heads/develop' ||
+ github.ref == 'refs/heads/master' ||
+ github.ref == 'refs/heads/main' ||
+ startsWith(github.ref, 'refs/heads/release/')
+ )
+
+ steps:
+ - name: Determine image to scan
+ id: image
+ run: |
+ if [[ "${{ github.ref_name }}" == "develop" ]]; then
+ echo "tag=orbitalhq/orbital:next" >> $GITHUB_OUTPUT
+ elif [[ "${{ github.ref_name }}" == "master" ]] || [[ "${{ github.ref_name }}" == "main" ]]; then
+ echo "tag=orbitalhq/orbital:latest" >> $GITHUB_OUTPUT
+ elif [[ "${{ github.ref_name }}" == release/* ]]; then
+ stripped=$(echo "${{ github.ref_name }}" | sed 's/release\///')
+ echo "tag=orbitalhq/orbital:${stripped}-next" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ steps.image.outputs.tag }}
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'HIGH,CRITICAL'
+ exit-code: '1'
+
+ - name: Upload Trivy results to GitHub Security
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: 'trivy-results.sarif'
+
+ - name: Run detailed Trivy scan
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ steps.image.outputs.tag }}
+ format: 'table'
+ output: 'vulnerabilities.txt'
+ severity: 'HIGH,CRITICAL'
+
+ - name: Upload vulnerability report
+ uses: actions/upload-artifact@v4
+ if: always()
+ with:
+ name: vulnerability-report
+ path: vulnerabilities.txt
+ retention-days: 30
+
+
 tag-as-latest:
 name: Tag Images as Latest
 runs-on: ubuntu-latest
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index c1d32d635..c1683ae9b 100644
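Review bot: `scan-trivy` runs with `needs: publish-orbital`, so by the time `exit-code: '1'` fails the job the image has already been pushed to Docker Hub and the failure only records a finding; to make the scan a gate, run Trivy against the locally built image inside the publish job before the push step, or make the push conditional on the scan result. Coverage is also partial: the job's `if:` omits `startsWith(github.ref, 'refs/tags/v')` even though the publish jobs include it, so release images are never scanned, and only `orbitalhq/orbital` is scanned while `publish-orbital-jammy` and `publish-query-node` publish images as well. Both Trivy steps use `aquasecurity/trivy-action@master`, a mutable branch ref in a job holding `security-events: write`; pin it to a release tag or a commit SHA as the other actions in this file are pinned by version. The `Determine image to scan` step has no `else`, so an unexpected ref would leave `image-ref` empty; adding `else echo "no image for ref $GITHUB_REF_NAME" >&2; exit 1` before the `fi` makes the script fail loudly instead.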
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -1,75 +1,12 @@
 name: Verify
 on:
- push:
- branches:
- - develop
 workflow_dispatch:
 jobs:
- scan-orbital:
- name: Container Scan - Orbital
- runs-on: ubuntu-latest
- if: github.ref == 'refs/heads/develop'
-
- steps:
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: 'orbitalhq/orbital:next'
- format: 'sarif'
- output: 'trivy-results.sarif'
- severity: 'HIGH,CRITICAL'
- exit-code: '1'
-
- - name: Upload Trivy results to GitHub Security
- uses: github/codeql-action/upload-sarif@v3
- if: always()
- with:
- sarif_file: 'trivy-results.sarif'
-
- - name: Run detailed Trivy scan
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: 'orbitalhq/orbital:next'
- format: 'table'
- output: 'vulnerabilities.txt'
- severity: 'HIGH,CRITICAL'
-
- - name: Upload vulnerability report
- uses: actions/upload-artifact@v4
- if: always()
- with:
- name: vulnerability-report-orbital
- path: vulnerabilities.txt
- retention-days: 30
-
- validate-license-compliance:
- name: Validate License Compliance
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
-
- - name: Download UI artifacts
- uses: actions/download-artifact@v4
- with:
- name: orbital-ui
- continue-on-error: true
-
- - name: Set up Node.js
- uses: actions/setup-node@v4
- with:
- node-version: '22'
-
- - name: Validate licenses
- run: node processLicenses.js
-
 regression-test:
 name: Regression Tests
 runs-on: ubuntu-latest
- if: github.event_name == 'workflow_dispatch'
 steps:
 - name: Checkout code
diff --git a/.gitignore b/.gitignore
index e43402edb..7cfe694b1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -243,3 +243,7 @@ orbital/
 station/.unikraft
 /station/search/
 /prometheus_data/
+
+# GitHub Actions cache directories
+.npm/
+.m2/
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 84f8f242f..0aee956de 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -161,7 +161,7 @@ build-jvm-develop:
 variables:
 MAVEN_GOALS: 'clean deploy'
 # We skip tests on develop and master, as the tests have already run on the branch
- MAVEN_EXTRA_ARGS: '-P snapshot-release -DskipTests'
+ MAVEN_EXTRA_ARGS: '-P snapshot-release -DskipTests -Daws.region=eu-west-2'
 verify-version:
@@ -204,7 +204,7 @@ build-jvm-release:
 variables:
 MAVEN_GOALS: 'clean deploy'
 # We skip tests on develop and master, as the tests have already run on the branch
- MAVEN_EXTRA_ARGS: '-P release -DskipTests'
+ MAVEN_EXTRA_ARGS: '-P release -DskipTests -Daws.region=eu-west-2'
 release-major:
 image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/maven:3.9.6-eclipse-temurin-21
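Review bot: `-Daws.region=eu-west-2` is now a literal in both `MAVEN_EXTRA_ARGS` values here (hunks `@@ -161,7` and `@@ -204,7`) and in three `echo "extra_args=…"` lines of `.github/workflows/ci.yml`, so the two pipelines have five places to keep in step. Defining it once as a pipeline-level GitLab `variables:` entry, e.g. `AWS_REGION: 'eu-west-2'`, and writing `MAVEN_EXTRA_ARGS: '-P snapshot-release -DskipTests -Daws.region=${AWS_REGION}'` would give a single point of change. The `build-jvm-develop` and `build-jvm-release` jobs both start before their hunks.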