From 87245ab48664cec966dc30941f158da93e4c6fbc Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 19 Feb 2026 08:27:18 +0000 Subject: [PATCH 1/6] Initial plan From 084dbef7ff280156939ab4002ba2e50ac05855d6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 19 Feb 2026 08:29:08 +0000 Subject: [PATCH 2/6] Fix Docker config directory path to use $HOME Co-authored-by: martypitt <348852+martypitt@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9a57c1fac..a1baccc49 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -78,8 +78,8 @@ jobs: - name: Configure Docker authentication run: | - mkdir -p /home/runner/.docker/ - cat > /home/runner/.docker/config.json << EOF + mkdir -p $HOME/.docker/ + cat > $HOME/.docker/config.json << EOF { "auths": { "https://index.docker.io/v1/": { From b553a04365d1e0b9d5c80a9f5115cc6b5ff8c884 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 19 Feb 2026 08:31:18 +0000 Subject: [PATCH 3/6] Add UI artifact dependencies and cache dirs to gitignore Co-authored-by: martypitt <348852+martypitt@users.noreply.github.com> --- .github/workflows/ci.yml | 18 ++++++++++++++++-- .gitignore | 4 ++++ 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a1baccc49..9a0cfee7f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -220,7 +220,9 @@ jobs: publish-orbital: name: Publish Orbital (Alpine) runs-on: ubuntu-latest - needs: build-jvm + needs: + - build-jvm + - build-orbital-ui if: | github.event_name == 'push' && ( github.ref == 'refs/heads/develop' || 
@@ -238,6 +240,11 @@ jobs: with: name: build-artifacts + - name: Download UI artifacts + uses: actions/download-artifact@v4 + with: + name: orbital-ui + - name: Set up QEMU uses: docker/setup-qemu-action@v3 @@ -293,7 +300,9 @@ jobs: publish-orbital-jammy: name: Publish Orbital (Ubuntu Jammy) runs-on: ubuntu-latest - needs: build-jvm + needs: + - build-jvm + - build-orbital-ui if: | github.event_name == 'push' && ( github.ref == 'refs/heads/develop' || @@ -311,6 +320,11 @@ jobs: with: name: build-artifacts + - name: Download UI artifacts + uses: actions/download-artifact@v4 + with: + name: orbital-ui + - name: Set up QEMU uses: docker/setup-qemu-action@v3 diff --git a/.gitignore b/.gitignore index e43402edb..7cfe694b1 100644 --- a/.gitignore +++ b/.gitignore @@ -243,3 +243,7 @@ orbital/ station/.unikraft /station/search/ /prometheus_data/ + +# GitHub Actions cache directories +.npm/ +.m2/ From ec4ce60a907d92a5c85a5dacce5b0145700450aa Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 19 Feb 2026 08:32:12 +0000 Subject: [PATCH 4/6] Update migration guide with JOOQ secrets Co-authored-by: martypitt <348852+martypitt@users.noreply.github.com> --- .github/GITHUB_ACTIONS_MIGRATION.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/GITHUB_ACTIONS_MIGRATION.md b/.github/GITHUB_ACTIONS_MIGRATION.md index 116e90cb1..ea8ff4d44 100644 --- a/.github/GITHUB_ACTIONS_MIGRATION.md +++ b/.github/GITHUB_ACTIONS_MIGRATION.md 
@@ -51,6 +51,14 @@ The following secrets need to be configured in GitHub repository settings (Setti - Description: SSH private key for accessing orbital-core-taxi repository - Used for: Publishing core types to GitHub +3. **`JOOQ_REPO_USERNAME`** + - Description: Username for jOOQ Pro repository access + - Used for: Maven build dependencies + +4. **`JOOQ_REPO_PASSWORD`** + - Description: Password for jOOQ Pro repository access + - Used for: Maven build dependencies + ### Optional Secrets These may be needed depending on your Maven repository configuration: @@ -127,6 +135,8 @@ In GitLab CI, releases were triggered manually on the develop branch with button - [ ] Configure `DOCKER_HUB_PASSWORD` secret in GitHub - [ ] Configure `GITHUB_PRIVATE_KEY` secret in GitHub +- [ ] Configure `JOOQ_REPO_USERNAME` secret in GitHub +- [ ] Configure `JOOQ_REPO_PASSWORD` secret in GitHub - [ ] Verify Maven settings.xml is present at `.mvn/settings.xml` - [ ] Test a feature branch build - [ ] Test a develop branch build and Docker publish From 69ac070d330eb88fb05c4c7a97f8644541347a4b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 19 Feb 2026 10:34:08 +0000 Subject: [PATCH 5/6] Restructure CI/CD pipeline with proper branch-specific behavior Co-authored-by: martypitt <348852+martypitt@users.noreply.github.com> --- .github/workflows/ci.yml | 150 ++++++++++++++++++++++++++--------- .github/workflows/verify.yml | 63 --------------- .gitlab-ci.yml | 4 +- 3 files changed, 116 insertions(+), 101 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9a0cfee7f..44bff0982 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -76,40 +76,31 @@ jobs: distribution: 'temurin' cache: 'maven' - - name: Configure Docker authentication - run: | - mkdir -p $HOME/.docker/ - cat > $HOME/.docker/config.json << EOF - { - "auths": { - "https://index.docker.io/v1/": { - "username": "vynecd", - "password": "${{ secrets.DOCKER_HUB_PASSWORD }}", - "auth": "$(echo -n 'vynecd:${{ secrets.DOCKER_HUB_PASSWORD }}' | base64)" - } - } - } - EOF - - name: Determine Maven goals id: maven-config run: | if [[ "${{ github.ref }}" == refs/tags/* ]]; then + # Tags: deploy release jars, skip tests (already ran on branch) echo "goals=clean deploy" >> $GITHUB_OUTPUT - echo "extra_args=-P release -DskipTests" >> $GITHUB_OUTPUT - elif [[ "${{ github.ref_name }}" == "develop" ]] || [[ "${{ github.ref_name }}" == release/* ]]; then + echo "extra_args=-P release -DskipTests -Daws.region=eu-west-2" >> $GITHUB_OUTPUT + elif [[ "${{ github.ref_name }}" == "develop" ]] || [[ "${{ github.ref_name }}" == "master" ]] || [[ "${{ github.ref_name }}" == "main" ]]; then + # Develop/Master/Main: deploy snapshot jars, skip tests (already ran on branches) echo "goals=clean deploy" >> $GITHUB_OUTPUT - echo "extra_args=-P snapshot-release -DskipTests" >> $GITHUB_OUTPUT + echo "extra_args=-P snapshot-release -DskipTests -Daws.region=eu-west-2" >> $GITHUB_OUTPUT + elif [[ "${{ github.ref_name }}" == release/* ]]; then + # Release branches: deploy snapshot jars, run tests + echo "goals=clean deploy" >> $GITHUB_OUTPUT + echo "extra_args=-P snapshot-release -Daws.region=eu-west-2" >> $GITHUB_OUTPUT else + # Feature branches: build and test, do not publish echo "goals=clean install" >> $GITHUB_OUTPUT echo "extra_args=" >> $GITHUB_OUTPUT fi - name: Build with Maven env: - DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }} JOOQ_REPO_USERNAME: ${{ secrets.JOOQ_REPO_USERNAME }} - JOOQ_REPO_PASSWORD: ${{ secrets.JOOQ_REPO_PASSWORD }} + JOOQ_REPO_PASSWORD: ${{ secrets.JOOQ_REPO_PASSWORD }} run: | echo "Running Maven with goals: ${{ 
steps.maven-config.outputs.goals }}" mvn $MAVEN_CLI_OPTS -DbuildNumber=${{ github.run_id }} ${{ steps.maven-config.outputs.extra_args }} ${{ steps.maven-config.outputs.goals }} @@ -144,6 +135,7 @@ jobs: retention-days: 7 if-no-files-found: ignore + build-orbital-ui: name: Build Orbital UI runs-on: self-hosted @@ -182,6 +174,7 @@ jobs: licenses.csv retention-days: 1 + build-playground-ui: name: Build Playground UI runs-on: self-hosted @@ -217,16 +210,48 @@ jobs: path: taxi-playground/target/classes/static retention-days: 1 + + validate-license-compliance: + name: Validate License Compliance + runs-on: ubuntu-latest + needs: + - build-jvm + - build-orbital-ui + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Download build artifacts + uses: actions/download-artifact@v4 + with: + name: build-artifacts + + - name: Download UI artifacts + uses: actions/download-artifact@v4 + with: + name: orbital-ui + + - name: Set up Node.js + uses: actions/setup-node@v4 + with: + node-version: '22' + + - name: Validate licenses + run: node processLicenses.js + + publish-orbital: name: Publish Orbital (Alpine) runs-on: ubuntu-latest - needs: + needs: - build-jvm - build-orbital-ui if: | github.event_name == 'push' && ( github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/master' || + github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') || startsWith(github.ref, 'refs/heads/release/') ) @@ -265,7 +290,7 @@ jobs: if [[ "${{ github.ref }}" == refs/tags/* ]]; then tag="${{ github.ref_name }}" versionTag="${{ github.ref_name }}" - elif [[ "${{ github.ref_name }}" == "master" ]]; then + elif [[ "${{ github.ref_name }}" == "master" ]] || [[ "${{ github.ref_name }}" == "main" ]]; then tag="latest" versionTag="$PROJECT_VERSION" elif [[ "${{ github.ref_name }}" == "develop" ]]; then 
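Review bot: The `Determine Maven goals` step compares `${{ github.ref_name }}` inline inside the `run:` script (five occurrences in this hunk), so the ref name is substituted into the script text before bash parses it and the surrounding double quotes do not neutralise characters such as `"` or `$`, which git permits in ref names; pass it through the environment instead, `env: REF_NAME: ${{ github.ref_name }}` on the step, and compare `"$REF_NAME"` in the `[[ ]]` tests. The same inline pattern is used in the docker-tags steps of the publish jobs further down this file. `-Daws.region=eu-west-2` is now repeated in three arms here and twice in .gitlab-ci.yml; a single workflow-level `env` value would keep the copies from drifting. The new comment `skip tests (already ran on branches)` holds only for fast-forward or squash merges, which is worth stating in the comment so the `-DskipTests` choice is not read as unconditional.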
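Review bot: In the new `validate-license-compliance` job both `actions/download-artifact@v4` steps omit `path:`, so `build-artifacts` and `orbital-ui` are extracted into the workspace root on top of the fresh checkout, where a colliding filename silently overwrites a repository file before `node processLicenses.js` runs; give each download its own directory, e.g. `path: artifacts/jvm` and `path: artifacts/ui`, provided the script can be pointed at them (its expected input location is not visible here). The job replaces the verify.yml variant that tolerated a missing UI artifact with `continue-on-error: true`; with `build-orbital-ui` in `needs` that tolerance is no longer needed, but a short comment on the job saying the dependency is what guarantees the artifact would help the next reader. Every action in this hunk is referenced by floating major tag (`@v4`); pinning to full commit SHAs is the usual hardening for a workflow that also handles publishing credentials.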
@@ -273,10 +298,7 @@ jobs: versionTag="next-${{ github.run_id }}" elif [[ "${{ github.ref_name }}" == release/* ]]; then stripped_branch=$(echo "${{ github.ref_name }}" | sed 's/release\///') - tag="$stripped_branch-next" - versionTag="$PROJECT_VERSION-BETA-${{ github.run_id }}" - else - tag="${{ github.ref_name }}-next" + tag="${stripped_branch}-next" versionTag="$PROJECT_VERSION-BETA-${{ github.run_id }}" fi @@ -297,6 +319,7 @@ jobs: orbitalhq/orbital:${{ steps.docker-tags.outputs.tag }} orbitalhq/orbital:${{ steps.docker-tags.outputs.version_tag }} + publish-orbital-jammy: name: Publish Orbital (Ubuntu Jammy) runs-on: ubuntu-latest @@ -307,6 +330,7 @@ jobs: github.event_name == 'push' && ( github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/master' || + github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') || startsWith(github.ref, 'refs/heads/release/') ) @@ -345,7 +369,7 @@ jobs: if [[ "${{ github.ref }}" == refs/tags/* ]]; then tag="${{ github.ref_name }}-jammy" versionTag="${{ github.ref_name }}-jammy" - elif [[ "${{ github.ref_name }}" == "master" ]]; then + elif [[ "${{ github.ref_name }}" == "master" ]] || [[ "${{ github.ref_name }}" == "main" ]]; then tag="latest-jammy" versionTag="$PROJECT_VERSION-jammy" elif [[ "${{ github.ref_name }}" == "develop" ]]; then @@ -353,10 +377,7 @@ jobs: versionTag="next-${{ github.run_id }}-jammy" elif [[ "${{ github.ref_name }}" == release/* ]]; then stripped_branch=$(echo "${{ github.ref_name }}" | sed 's/release\///') - tag="$stripped_branch-next-jammy" - versionTag="$PROJECT_VERSION-BETA-${{ github.run_id }}-jammy" - else - tag="${{ github.ref_name }}-next-jammy" + tag="${stripped_branch}-next-jammy" versionTag="$PROJECT_VERSION-BETA-${{ github.run_id }}-jammy" fi @@ -375,6 +396,7 @@ jobs: orbitalhq/orbital:${{ steps.docker-tags.outputs.tag }} orbitalhq/orbital:${{ steps.docker-tags.outputs.version_tag }} + publish-query-node: name: Publish Query Node runs-on: ubuntu-latest 
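Review bot: Removing the `else` arm of the docker-tags step leaves `tag` and `versionTag` unset when `github.ref_name` matches none of the listed patterns, so a later push would address `orbitalhq/orbital:` with an empty tag instead of failing where the mismatch arises; keep a terminal arm that aborts, `else echo "no tag rule for this ref" >&2; exit 1; fi`, even though the job's `if:` currently gates on the same refs. The same deletion is made in the jammy hunk (`@@ -353,10 +377,7`) and the query-node hunk (`@@ -424,10 +447,7`). The step's `run:` block starts before this hunk.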
@@ -383,6 +405,7 @@ jobs: github.event_name == 'push' && ( github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/master' || + github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') || startsWith(github.ref, 'refs/heads/release/') ) @@ -416,7 +439,7 @@ jobs: if [[ "${{ github.ref }}" == refs/tags/* ]]; then tag="${{ github.ref_name }}" versionTag="${{ github.ref_name }}" - elif [[ "${{ github.ref_name }}" == "master" ]]; then + elif [[ "${{ github.ref_name }}" == "master" ]] || [[ "${{ github.ref_name }}" == "main" ]]; then tag="latest" versionTag="$PROJECT_VERSION" elif [[ "${{ github.ref_name }}" == "develop" ]]; then @@ -424,10 +447,7 @@ jobs: versionTag="next-${{ github.run_id }}" elif [[ "${{ github.ref_name }}" == release/* ]]; then stripped_branch=$(echo "${{ github.ref_name }}" | sed 's/release\///') - tag="$stripped_branch-next" - versionTag="$PROJECT_VERSION-BETA-${{ github.run_id }}" - else - tag="${{ github.ref_name }}-next" + tag="${stripped_branch}-next" versionTag="$PROJECT_VERSION-BETA-${{ github.run_id }}" fi 
@@ -444,6 +464,64 @@ jobs: orbitalhq/query-node:${{ steps.docker-tags.outputs.tag }} orbitalhq/query-node:${{ steps.docker-tags.outputs.version_tag }} + + scan-trivy: + name: Container Vulnerability Scan + runs-on: ubuntu-latest + needs: publish-orbital + if: | + github.event_name == 'push' && ( + github.ref == 'refs/heads/develop' || + github.ref == 'refs/heads/master' || + github.ref == 'refs/heads/main' || + startsWith(github.ref, 'refs/heads/release/') + ) + + steps: + - name: Determine image to scan + id: image + run: | + if [[ "${{ github.ref_name }}" == "develop" ]]; then + echo "tag=orbitalhq/orbital:next" >> $GITHUB_OUTPUT + elif [[ "${{ github.ref_name }}" == "master" ]] || [[ "${{ github.ref_name }}" == "main" ]]; then + echo "tag=orbitalhq/orbital:latest" >> $GITHUB_OUTPUT + elif [[ "${{ github.ref_name }}" == release/* ]]; then + stripped=$(echo "${{ github.ref_name }}" | sed 's/release\///') + echo "tag=orbitalhq/orbital:${stripped}-next" >> $GITHUB_OUTPUT + fi + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ steps.image.outputs.tag }} + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'HIGH,CRITICAL' + exit-code: '1' + + - name: Upload Trivy results to GitHub Security + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: 'trivy-results.sarif' + + - name: Run detailed Trivy scan + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ steps.image.outputs.tag }} + format: 'table' + output: 'vulnerabilities.txt' + severity: 'HIGH,CRITICAL' + + - name: Upload vulnerability report + uses: actions/upload-artifact@v4 + if: always() + with: + name: vulnerability-report + path: vulnerabilities.txt + retention-days: 30 + + tag-as-latest: name: Tag Images as Latest runs-on: ubuntu-latest diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index c1d32d635..c1683ae9b 100644 --- a/.github/workflows/verify.yml 
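Review bot: `aquasecurity/trivy-action@master` (used twice in the new `scan-trivy` job) resolves to whatever the action's default branch holds at run time, so the scanner code executed in this workflow can change without any commit to this repository; pin it to a release tag or, better, a full commit SHA, `uses: aquasecurity/trivy-action@<pinned-commit-sha> # <release-tag>`, and apply the same to `github/codeql-action/upload-sarif@v3`. Because the job runs with `needs: publish-orbital` and pulls `orbitalhq/orbital:next` by mutable tag, a HIGH/CRITICAL finding under `exit-code: '1'` fails the workflow only after the image is already public, and a concurrent push could retag `:next` between publish and scan; scanning the locally built image before `docker push`, or passing the pushed digest from publish-orbital as `image-ref`, would make the gate effective. The `Determine image to scan` step has no `else`, so for any ref outside the listed set `tag` is empty and the scanner is invoked with an empty `image-ref`; an `else exit 1` arm makes that explicit even though the job's `if:` mirrors the same refs.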
+++ b/.github/workflows/verify.yml @@ -1,75 +1,12 @@ name: Verify on: - push: - branches: - - develop workflow_dispatch: jobs: - scan-orbital: - name: Container Scan - Orbital - runs-on: ubuntu-latest - if: github.ref == 'refs/heads/develop' - - steps: - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: 'orbitalhq/orbital:next' - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'HIGH,CRITICAL' - exit-code: '1' - - - name: Upload Trivy results to GitHub Security - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: 'trivy-results.sarif' - - - name: Run detailed Trivy scan - uses: aquasecurity/trivy-action@master - with: - image-ref: 'orbitalhq/orbital:next' - format: 'table' - output: 'vulnerabilities.txt' - severity: 'HIGH,CRITICAL' - - - name: Upload vulnerability report - uses: actions/upload-artifact@v4 - if: always() - with: - name: vulnerability-report-orbital - path: vulnerabilities.txt - retention-days: 30 - - validate-license-compliance: - name: Validate License Compliance - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Download UI artifacts - uses: actions/download-artifact@v4 - with: - name: orbital-ui - continue-on-error: true - - - name: Set up Node.js - uses: actions/setup-node@v4 - with: - node-version: '22' - - - name: Validate licenses - run: node processLicenses.js - regression-test: name: Regression Tests runs-on: ubuntu-latest - if: github.event_name == 'workflow_dispatch' steps: - name: Checkout code diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 84f8f242f..0aee956de 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -161,7 +161,7 @@ build-jvm-develop: variables: MAVEN_GOALS: 'clean deploy' # We skip tests on develop and master, as the tests have already run on the branch - MAVEN_EXTRA_ARGS: '-P snapshot-release -DskipTests' + MAVEN_EXTRA_ARGS: '-P snapshot-release -DskipTests -Daws.region=eu-west-2' verify-version: @@ -204,7 +204,7 @@ build-jvm-release: variables: MAVEN_GOALS: 'clean deploy' # We skip tests on develop and master, as the tests have already run on the branch - MAVEN_EXTRA_ARGS: '-P release -DskipTests' + MAVEN_EXTRA_ARGS: '-P release -DskipTests -Daws.region=eu-west-2' release-major: image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/maven:3.9.6-eclipse-temurin-21 From 7ad45643792939741887e7fba03a4396423c0d48 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 19 Feb 2026 10:35:59 +0000 Subject: [PATCH 6/6] Add explicit permissions to validate-license-compliance and scan-trivy jobs Co-authored-by: martypitt <348852+martypitt@users.noreply.github.com> --- .github/workflows/ci.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 44bff0982..18e899749 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -214,6 +214,8 @@ jobs: validate-license-compliance: name: Validate License Compliance runs-on: ubuntu-latest + permissions: + contents: read needs: - build-jvm - build-orbital-ui @@ -468,6 +470,9 @@ jobs: scan-trivy: name: Container Vulnerability Scan runs-on: ubuntu-latest + permissions: + contents: read + security-events: write needs: publish-orbital if: | github.event_name == 'push' && (
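Review bot: The job-level `permissions` blocks added to `validate-license-compliance` and `scan-trivy` narrow the token only for those two jobs; every other job in ci.yml, including the publish jobs that handle registry credentials, still receives the repository's default token scope unless a workflow-level `permissions:` exists, which these hunks do not show. Declaring `permissions: contents: read` at the top of the workflow and elevating per job is the least-privilege form; the two blocks added here stay as written, since a job-level block replaces rather than extends the workflow default. If the repository is private, `github/codeql-action/upload-sarif` also requires `actions: read`, in which case that scope would need adding to the `scan-trivy` block.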