chore(deps): group dependency updates and repository maintenance (#62)

* chore(deps): update all non-major dependencies * chore: dependency updates and repository refactorings * test(e2e): fixed e2e * ci: fixed e2e test * fix: re-enabled loinc-converter * chore: digest-pinned loinc-conv * chore: fix tracing config Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
miracum · Jan 5, 2023 · 09d493d · 09d493d
1 parent 403eeee
commit 09d493d
Show file tree

Hide file tree

Showing 30 changed files with 915 additions and 676 deletions.
diff --git a/.bandit.yml b/.bandit.yml
@@ -0,0 +1,2 @@
+assert_used:
+  skips: ["*test*.py"]
diff --git a/.checkstyle/checkstyle.xml b/.checkstyle/checkstyle.xml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,4 +1,4 @@
-name: CI
+name: ci
 
 on:
   push:
@@ -8,153 +8,184 @@ on:
   pull_request:
     branches: [master]
 
+permissions: read-all
+
+env:
+  IMAGE_NAME: ghcr.io/${{ github.repository }}
+
 jobs:
-  lint:
-    name: Lint Code Base
-    runs-on: ubuntu-20.04
+  trivy:
+    name: trivy scan Code Base
+    runs-on: ubuntu-22.04
+    permissions:
+      security-events: write
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
         with:
           fetch-depth: 0
-      - uses: actions/setup-python@v4
-      - name: Run pre-commit
-        uses: pre-commit/[email protected]
-      - name: Lint code base
-        uses: github/super-linter@v4
-        env:
-          VALIDATE_ALL_CODEBASE: false
-          VALIDATE_DOCKERFILE: false
-          DEFAULT_BRANCH: master
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          FILTER_REGEX_EXCLUDE: "gradlew"
-          VALIDATE_JAVA: false
+
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # 0.8.0
         with:
           scan-type: "fs"
           ignore-unfixed: true
           format: "template"
           template: "@/contrib/sarif.tpl"
           output: "trivy-results.sarif"
           severity: "CRITICAL"
+
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
         with:
           sarif_file: "trivy-results.sarif"
+
   build:
-    name: Build
-    runs-on: ubuntu-20.04
-    needs: lint
+    name: build
+    runs-on: ubuntu-22.04
+    outputs:
+      image-tags: ${{ steps.container_meta.outputs.tags }}
+      image-digest: ${{ steps.build.outputs.digest }}
+      image-name: ${{ env.IMAGE_NAME }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Docker meta
-        id: docker_meta
-        uses: docker/metadata-action@v4
-        with:
-          images: |
-            ghcr.io/${{ github.repository }}
-            harbor.miracum.org/miracum-etl/fhir-gateway
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
+
+      - name: Validate Gradle wrapper
+        uses: gradle/wrapper-validation-action@55e685c48d84285a5b0418cd094606e199cca3b6 # v1
+
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2
+
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2
+
+      - name: Container meta
+        id: container_meta
+        uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea # v4
+        with:
+          images: |
+            ${{ env.IMAGE_NAME }}
+
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2
         if: ${{ github.event_name != 'pull_request' }}
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Login to MIRACUM Container Registry
-        uses: docker/login-action@v2
-        if: ${{ github.event_name != 'pull_request' }}
-        with:
-          registry: harbor.miracum.org
-          username: "robot$miracum-etl+github-actions"
-          password: ${{ secrets.MIRACUM_HARBOR_ETL_TOKEN }}
-      - name: Cache Docker layers
-        uses: actions/cache@v3
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-
+
       - name: Get platforms to build
         id: platforms
         run: |
           if [ "$IS_PULL_REQUEST" == "true" ]; then
-            echo "::set-output name=platforms::linux/amd64"
+            echo "{platforms}={linux/amd64}" >> "$GITHUB_OUTPUT"
           else
-            echo "::set-output name=platforms::linux/amd64"
+            echo "{platforms}={linux/amd64}" >> "$GITHUB_OUTPUT"
           fi
         env:
           IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }}
+
       - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v3
+        id: build
+        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3
         with:
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.docker_meta.outputs.tags }}
-          labels: ${{ steps.docker_meta.outputs.labels }}
+          tags: ${{ steps.container_meta.outputs.tags }}
+          labels: ${{ steps.container_meta.outputs.labels }}
           load: ${{ github.event_name == 'pull_request' }}
           platforms: ${{ steps.platforms.outputs.platforms }}
-      - name: List images
-        id: list_images
-        run: |
-          docker image ls
-          IMAGES=(${{ steps.docker_meta.outputs.tags }})
-          echo "##[set-output name=image_name;]${IMAGES[0]}"
+
+      - uses: KengoTODA/actions-setup-docker-compose@main
+        with:
+          version: '2.14.2' # the full version of `docker-compose` command
+
       - name: Run E2E tests
         env:
-          FHIR_GATEWAY_IMAGE_NAME: "${{ steps.list_images.outputs.image_name }}"
+          FHIR_GATEWAY_IMAGE_NAME: "${{ fromJson(steps.container_meta.outputs.json).tags[0] }}"
         run: |
-          docker-compose -p "$GITHUB_JOB-e2e" -f deploy/docker-compose.yml -f deploy/docker-compose.gw-deps.yml -f tests/e2e/docker-compose.yml --project-directory=tests/e2e build
-          docker-compose -p "$GITHUB_JOB-e2e" -f deploy/docker-compose.yml -f deploy/docker-compose.gw-deps.yml -f tests/e2e/docker-compose.yml --project-directory=tests/e2e run gpasinit
-          docker-compose -p "$GITHUB_JOB-e2e" -f deploy/docker-compose.yml -f deploy/docker-compose.gw-deps.yml -f tests/e2e/docker-compose.yml --project-directory=tests/e2e run tester
+          docker-compose -p e2e -f deploy/docker-compose.yml -f deploy/docker-compose.gw-deps.yml -f tests/e2e/docker-compose.yml --project-directory=tests/e2e build
+          docker-compose -p e2e -f deploy/docker-compose.yml -f deploy/docker-compose.gw-deps.yml --project-directory=tests/e2e up -d
+          docker-compose -p e2e -f deploy/docker-compose.yml -f deploy/docker-compose.gw-deps.yml -f tests/e2e/docker-compose.yml --project-directory=tests/e2e run tester
+
       - name: Print E2E logs
-        if: always()
+        env:
+          FHIR_GATEWAY_IMAGE_NAME: "${{ fromJson(steps.container_meta.outputs.json).tags[0] }}"
+        if: ${{ always() }}
         run: |
-          docker-compose -p "$GITHUB_JOB-e2e" -f deploy/docker-compose.yml -f deploy/docker-compose.gw-deps.yml -f tests/e2e/docker-compose.yml logs
-          docker-compose -p "$GITHUB_JOB-e2e" -f deploy/docker-compose.yml -f deploy/docker-compose.gw-deps.yml -f tests/e2e/docker-compose.yml down --volumes --remove-orphans
+          docker-compose -p e2e -f deploy/docker-compose.yml -f deploy/docker-compose.gw-deps.yml -f tests/e2e/docker-compose.yml logs
+          docker-compose -p e2e -f deploy/docker-compose.yml -f deploy/docker-compose.gw-deps.yml -f tests/e2e/docker-compose.yml down --volumes --remove-orphans
+
+  sign-images:
+    name: sign images
+    runs-on: ubuntu-22.04
+    if: ${{ github.event_name != 'pull_request' }}
+    needs:
+      - build
+    permissions:
+      id-token: write
+      packages: write
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Install Cosign
-        if: ${{ github.event_name != 'pull_request' }}
-        uses: sigstore/cosign-installer@main
-      - name: Store signing key in tmp file
-        if: ${{ github.event_name != 'pull_request' }}
-        env:
-          COSIGN_KEY: ${{ secrets.MIRACUM_COSIGN_PRIVATE_KEY }}
-        run: echo "$COSIGN_KEY" > /tmp/cosign.key
-      - name: Sign images
-        if: ${{ github.event_name != 'pull_request' }}
+        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
+
+      - name: Sign image
         env:
-          COSIGN_PASSWORD: ${{ secrets.MIRACUM_COSIGN_PASSWORD }}
-          IMAGES: ${{ steps.docker_meta.outputs.tags }}
+          IMAGES: ${{ needs.build.outputs.image-tags }}
+          DIGEST: ${{ needs.build.outputs.image-digest }}
+          COSIGN_EXPERIMENTAL: "true"
         run: |
           while read -r image; do
-            echo "Signing $image"
-            cosign sign --key /tmp/cosign.key "$image"
+            echo "Signing '$image' using keyless approach"
+            cosign sign "$image@$DIGEST"
           done <<< "$IMAGES"
+
+  container-provenance:
+    if: ${{ startsWith(github.ref, 'refs/tags/') }}
+    needs:
+      - build
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ${{ needs.build.outputs.image-name }}
+      digest: ${{ needs.build.outputs.image-digest }}
+      registry-username: ${{ github.actor }}
+      # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
+      compile-generator: true
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
+
   release:
-    needs: build
-    name: Release
-    runs-on: ubuntu-20.04
+    needs:
+      - build
+    name: release
+    runs-on: ubuntu-22.04
     if: ${{ github.event_name != 'pull_request' }}
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
         with:
           fetch-depth: 0
-      - name: Setup Node.js
-        uses: actions/setup-node@v3
+
+      - name: Semantic Release
+        uses: cycjimmy/semantic-release-action@3b88c82b34098e8b51e401c1082c9170b0a3ec3c # tag=v3
         with:
-          node-version: 14
-      - name: Install semantic release
-        run: npm install -g semantic-release@17 @semantic-release/github @semantic-release/exec @semantic-release/error @semantic-release/changelog @commitlint/cli @semantic-release/commit-analyzer @semantic-release/release-notes-generator conventional-changelog-conventionalcommits
-      - name: Release
+          extra_plugins: |
+            [email protected]
         env:
           GITHUB_TOKEN: ${{ secrets.MIRACUM_BOT_SEMANTIC_RELEASE_TOKEN }}
-        run: npx semantic-release
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -0,0 +1,84 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+permissions: read-all
+
+on:
+  push:
+    branches: ["master"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["master"]
+  schedule:
+    - cron: "32 16 * * 3"
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-22.04
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["java"]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Use only 'java' to analyze code written in Java, Kotlin or both
+        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
+
+      - name: Set up Java
+        uses: actions/setup-java@1df8dbefe2a8cbc99770194893dd902763bee34b # v3
+        with:
+          java-version: "17"
+          distribution: "adopt"
+          cache: gradle
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@896079047b4bb059ba6f150a5d87d47dde99e6e5 # v2
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # queries: security-extended,security-and-quality
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@896079047b4bb059ba6f150a5d87d47dde99e6e5 # v2
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #   echo "Run, Build Application using script"
+      #   ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@896079047b4bb059ba6f150a5d87d47dde99e6e5 # v2
+        with:
+          category: "/language:${{matrix.language}}"