Trivy scan result upload to GitHub fails due to a permission issue. Added permission security-events=write to the workflow file as a fix. Since workflow permissions are explicitly defined, it requires contents=read to be explicitly set as well
Signed-off-by: Chaminda Divitotawela <cdivitotawela@gmail.com>
Release workflow publish step was missing the dependency of artifacts jobs. Due to this reason it could not collect the artifact hashes from the artifacts job. This was introduced in the release workflow consolidation
Signed-off-by: Chaminda Divitotawela <cdivitotawela@gmail.com>
Repository follows the standard of using a git hash to pin the GitHub actions. Updated the container security scan workflow actions with their git hashes
Signed-off-by: Chaminda Divitotawela <cdivitotawela@gmail.com>
Container security scanning workflow added. This runs on schedule every day. Also possible to run on-demand for a given image tag
Signed-off-by: Chaminda Divitotawela <cdivitotawela@gmail.com>
Co-authored-by: Sally MacFarlane <macfarla.github@gmail.com>
Co-authored-by: Justin Florentine <justin+github@florentine.us>
* build: Update jacoco version to 0.8.11
* build: Enforce Java 21 and above check for build
* CI: Use Java 21 in GitHub CI workflows
* CI: Use Java 21 in circleci workflows
* build: Update gradle verification metadata for jacoco 0.8.11
* refactor: Fix javadoc related warnings which are applicable to Java 21
* fix(test): BackwardSyncAlgSpec slightly increase timeout to pass it in CI
---------
Signed-off-by: Usman Saleem <usman@usmans.info>
DCO App is not working and the check needed to be disabled.
Introducing DCO GitHub action workflow to validate the commit signatures.
Closes #7175
Signed-off-by: Chaminda Divitotawela <cdivitotawela@gmail.com>
Signed-off-by: Ry Jones <ry@linux.com>
Now that the arm64 runners are re-created with the ubuntu 22.04 image,
docker and other tools are available.
See #7053 and #7171
fixes #7026
Signed-off-by: Sean Young <sean@mess.org>
Co-authored-by: Simon Dudley <simon.dudley@consensys.net>
* Split unit tests by time
Signed-off-by: Fabio Di Fabio <fabio.difabio@consensys.net>
* Parallelize compile and unit tests since there is not shared cache
Signed-off-by: Fabio Di Fabio <fabio.difabio@consensys.net>
* fix
Signed-off-by: Fabio Di Fabio <fabio.difabio@consensys.net>
* Reduce ATs runners to 10
Signed-off-by: Fabio Di Fabio <fabio.difabio@consensys.net>
* Apply suggestions from code review
Co-authored-by: Sally MacFarlane <macfarla.github@gmail.com>
Signed-off-by: Fabio Di Fabio <fabio.difabio@consensys.net>
---------
Signed-off-by: Fabio Di Fabio <fabio.difabio@consensys.net>
Co-authored-by: Sally MacFarlane <macfarla.github@gmail.com>
Publish to dockerhub on merge to the main branch
Signed-off-by: garyschulte <garyschulte@gmail.com>
Co-authored-by: Simon Dudley <simon.dudley@consensys.net>
* correcting env vars
* removes conditionals which result in skipped tasks being considered success
* spotless fix
---------
Signed-off-by: Justin Florentine <justin+github@florentine.us>
* resumes publishing jars, but not distros to artifactory
* checkMavenCoordinateCollisions needs a publication with an explicitly set version, does not inherit project.version
---------
Signed-off-by: Justin Florentine <justin+github@florentine.us>
Co-authored-by: garyschulte <garyschulte@gmail.com>
* pull_req instead of target
* updates template to put description first
* compensate for changes to versioning on interim builds
---------
Signed-off-by: Justin Florentine <justin+github@florentine.us>
Co-authored-by: Sally MacFarlane <macfarla.github@gmail.com>
* make artifacts more snapshot friendly
* break out new workflows for snapshots, and a develop release
* removes checking for approval, runs on pr update
* adds concurrency so updated refs cancel prior runs if still running
* explicitly disable caching on gradle setup tasks
---------
Signed-off-by: Justin Florentine <justin+github@florentine.us>
* repo owner didn't include repo name
* switches back to docker.io
* specify registry and login consistently
* artifacts workflow can be manually executed
---------
Signed-off-by: Justin Florentine <justin+github@florentine.us>
* wildcard in place of task name in path, in case it gets changed.
* test splitting action is unreliable at these numbers of tests
* pin to new gradle action, increase runners
* found the missing tests, back to parity
* rename to avoid consolidation status collision with workflow name
* fixes javadoc checks at build time
* overrides project version on release, so embeds (startup info) will match release artifacts
---------
Signed-off-by: Justin Florentine <justin+github@florentine.us>
Co-authored-by: RoboCopsGoneSock <158174948+RoboCopsGoneSock@users.noreply.github.com>
- Uses pull_request_target to make sure action definitions only come from main or release-*. This also allows them to escalate privs.
- All priv escalations moved as narrowly as possible. Typically this is only required to upload test results.
- All actions pinned to specific SHA versions. When updated, repository settings will need to be adjusted to allow it.
---------
Signed-off-by: Justin Florentine <justin+github@florentine.us>
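
The commits above pin actions to git hashes, narrow privileges under pull_request_target, and add contents=read alongside security-events=write. The following check for those three conditions is an added example, not code from this repository or its authors. It is a line-based approximation rather than a YAML parser; `audit_workflow`, the two sample workflows and their SHAs are constructed for illustration, and `actions/checkout` and `github/codeql-action/upload-sarif` are real actions chosen here, not named by the commits.

```python
import re

SHA_PIN = re.compile(r"[0-9a-f]{40}")  # full commit hash, not a tag or branch
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")

def audit_workflow(text):
    """Return a list of findings for one workflow file passed as a string."""
    findings = []
    # Strip YAML comments so commented-out lines neither trigger nor satisfy a check.
    lines = [re.sub(r"(^|\s)#.*", "", raw) for raw in text.splitlines()]
    for no, line in enumerate(lines, 1):
        m = USES.match(line)
        ref = m.group(1).strip("'\"") if m else ""
        if not ref or ref.startswith(("./", "docker://")):
            continue  # not a uses: line, or a local action / container image
        if not SHA_PIN.fullmatch(ref.partition("@")[2]):
            findings.append(f"line {no}: not pinned to a commit SHA: {ref}")
    body = "\n".join(lines)
    # pull_request_target runs with base-repository privileges: require an explicit default.
    if re.search(r"\bpull_request_target\b", body) and not re.search(r"^permissions\s*:", body, re.M):
        findings.append("pull_request_target without top-level permissions")
    # Once any permission is listed, every unlisted scope drops to none.
    if re.search(r"security-events\s*:\s*write", body) and not re.search(r"contents\s*:\s*(read|write)", body):
        findings.append("security-events: write without contents access")
    return findings

# Constructed sample workflows (not from the repository); the SHAs are placeholders.
WEAK = """\
on:
  pull_request_target:
jobs:
  scan:
    permissions: {security-events: write}
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/upload-sarif@main  # moving ref
"""
HARDENED = """\
on:
  pull_request_target:
permissions: {}
jobs:
  scan:
    permissions: {contents: read, security-events: write}
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: github/codeql-action/upload-sarif@89abcdef0123456789abcdef0123456789abcdef
"""
if __name__ == "__main__": print(audit_workflow(WEAK), audit_workflow(HARDENED))
```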