This is an automated email from the ASF dual-hosted git repository. danwatford pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push: new dad64bd1f9 Implemented: Upgrade GitHub Actions to verions dependent on Node.js v20 (OFBIZ-12901) (#700) dad64bd1f9 is described below commit dad64bd1f94646bce479f178a9a5098286a3d20a Author: Daniel Watford <dan...@watfordconsulting.com> AuthorDate: Sat Feb 17 15:06:44 2024 +0000 Implemented: Upgrade GitHub Actions to verions dependent on Node.js v20 (OFBIZ-12901) (#700) Use newer versions of GitHub Actions in the various workflows to avoid those that are dependent on Node.js v16, instead preferring versions that use Node.js v20. --- .github/workflows/codeql-analysis.yml | 4 +- .github/workflows/codeql-analysis.yml.bak | 86 ------------------------------- .github/workflows/docker-image.yaml | 18 +++---- .github/workflows/gradle.yaml | 10 +++- .github/workflows/scorecard.yml | 30 +++++++++-- 5 files changed, 44 insertions(+), 104 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 5798166e55..580f7ee59a 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -20,7 +20,7 @@ # You may wish to alter this file to override the set of languages analyzed, # or to provide custom queries or build logic. # -# + name: "CodeQL" on: @@ -53,7 +53,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/codeql-analysis.yml.bak b/.github/workflows/codeql-analysis.yml.bak deleted file mode 100644 index 2b67573e65..0000000000 --- a/.github/workflows/codeql-analysis.yml.bak +++ /dev/null 
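Review bot: The checkout step in the `analyze` job is now pinned to a full commit SHA with a `# v4.1.1` comment, but the CodeQL init/autobuild/analyze steps of the same job lie outside this hunk, and the diffstat records only two changed lines in this file, so they appear to be referenced exactly as before. If those `uses:` lines still point at a mutable ref such as a major-version tag, the job keeps one floating third-party dependency right next to the newly pinned one, and the Scorecard Pinned-Dependencies check will keep reporting it. Pinning them the same way, `uses: github/codeql-action/init@<full-commit-sha> # <release version>` (placeholders to be replaced with the SHA and version of the intended release), would make the file consistent with the other workflows touched by this commit. The `analyze` job starts before this hunk and continues after it.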
@@ -1,86 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# -name: "CodeQL" - -on: - push: - branches: [ trunk, release* ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ trunk ] - schedule: - - cron: '27 15 * * 1' - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - #language: [ 'java', 'javascript' ] - language: [ 'javascript' ] - #language: [ 'javascript' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] - # Learn more: - # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed - - steps: - - name: Checkout repository - uses: actions/checkout@v2 - - # Initializes the CodeQL tools for scanning. 
- - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - debug: true - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - # âšī¸ Command-line programs to run using the OS shell. - # đ https://git.io/JvXDl - - # âī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language - - #- run: | - # make bootstrap - # make release - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 diff --git a/.github/workflows/docker-image.yaml b/.github/workflows/docker-image.yaml index 064936ed83..1cff4a790e 100644 --- a/.github/workflows/docker-image.yaml +++ b/.github/workflows/docker-image.yaml @@ -19,7 +19,7 @@ # # Act will set an environment variable, ACT, to indicate that it is running the workflow. # This environment variable is used to skip some build steps, such as logging in to -# a container registry or pushing container images. +# a container registry and pushing container images. # # On first run, act will prompt you to select a micro, medium or large runner image. This # workflow can be run using the medium image. 
@@ -50,11 +50,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out OFBiz sources - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Log in to the Container registry if: ${{ !env.ACT && vars.DO_DOCKER_PUSH == 'true' }} - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -64,7 +64,7 @@ jobs: # Build and push a container image of the OFBiz Framework without any data loaded. - name: Determine metadata (tags, labels) for Docker runtime build id: runtimemeta - uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: images: ghcr.io/apache/ofbiz tags: | @@ -92,7 +92,7 @@ jobs: - name: Build and push runtime docker image - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: context: . target: runtime @@ -104,7 +104,7 @@ jobs: # Build and push a container image of the OFBiz Framework preloaded with demo data - name: Determine metadata (tags, labels) for Docker demo-preload build id: demometa - uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: images: ghcr.io/apache/ofbiz tags: | @@ -112,7 +112,7 @@ jobs: type=ref,event=branch,suffix=-preloaddemo-snapshot,priority=650 - name: Build and push demo docker image - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: context: . target: demo 
@@ -129,7 +129,7 @@ jobs: run: ./pullAllPluginsSource.sh - name: Determine metadata (tags, labels) for Docker framework with plugins build id: pluginsmeta - uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: images: ghcr.io/apache/ofbiz tags: | @@ -137,7 +137,7 @@ jobs: type=ref,event=branch,suffix=-plugins-snapshot,priority=650 - name: Build and push framework with plugins docker image - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: context: . target: runtime diff --git a/.github/workflows/gradle.yaml b/.github/workflows/gradle.yaml index 6a09998aa4..55f3983042 100644 --- a/.github/workflows/gradle.yaml +++ b/.github/workflows/gradle.yaml @@ -34,19 +34,25 @@ jobs: GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }} steps: - - uses: actions/checkout@v3 + - name: Check out OFBiz sources + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Set up JDK 17 - uses: actions/setup-java@v3.6.0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0 with: java-version: 17 distribution: temurin cache: 'gradle' + - name: Grant execute permission for gradlew and pullAllPluginsSource.sh run: chmod +x gradlew pullAllPluginsSource.sh + - name: Load all plugins run: ./pullAllPluginsSource.sh + - name: Build with Gradle run: ./gradlew check javadoc + # Below does not work, see see https://lists.apache.org/thread/80wzf4kclfk5nh2fss56jd6otf7y4n2f # BuildBot does it anyway # - name: Builds with Gradle, checks style and run integration tests (just to know if they pass) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 68bac74197..b10c3c3ec7 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
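Review bot: The newly named `Check out OFBiz sources` step in gradle.yaml leaves `persist-credentials` at its default, so the job token remains in `.git/config` while the later steps run `./pullAllPluginsSource.sh` (which by its name pulls plugin sources into the tree) and the Gradle build with its tests. scorecard.yml in this same commit checks out with `persist-credentials: false`; unless a later step in this job needs the token for a push or API call (none is visible in the hunk), the two lines `with:` and `persist-credentials: false` under the `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` line would keep it out of reach of fetched plugin code and build scripts. The checkout in docker-image.yaml is in the same position and, from what the hunks show, does not appear to need the persisted token either. The job's `env:` block with `GRADLE_ENTERPRISE_ACCESS_KEY` begins before this hunk and the job continues past it.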
@@ -2,6 +2,24 @@ # by a third-party and are governed by separate terms of service, privacy # policy, and support documentation. +############################################################################# +# Local testing of this workflow can be carried out using +# act (https://github.com/nektos/act). +# +# Act will set an environment variable, ACT, to indicate that it is running the workflow. +# This environment variable is used to skip some build steps, such as uploading +# results as artefacts of the workflow run. +# +# On first run, act will prompt you to select a micro, medium or large runner image. This +# workflow can be run using the medium image. +# +# Action, ossf/scorecard-action requires a GITHUB_TOKEN. To meet this +# requirement when using act you will need to create a Personal Access Token on GitHub. +# You can then run act using a command similar to: +# act --workflows .github/workflows/scorecard.yml --secret GITHUB_TOKEN +# Act will then prompt you to enter your token. +############################################################################# + name: Scorecard supply-chain security on: # For Branch-Protection check. Only the default branch is supported. See @@ -32,12 +50,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 with: results_file: results.sarif results_format: sarif 
@@ -54,12 +72,13 @@ jobs: # For private repositories: # - `publish_results` will always be set to `false`, regardless # of the value entered here. - publish_results: true + publish_results: ${{ !env.ACT }} # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 + if: ${{ !env.ACT }} + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: SARIF file path: results.sarif @@ -67,6 +86,7 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 + if: ${{ !env.ACT }} + uses: github/codeql-action/upload-sarif@cf7e9f23492505046de9a37830c3711dd0f25bb3 # v2.16.2 with: sarif_file: results.sarif