Merge pull request #143 from scality/improvement/OSIS-147-move-to-ghcr

Improvement/osis 147 move to ghcr and bump OSIS

.github/workflows/codeql.yaml

@@ -0,0 +1,50 @@
+---
+name: codeQL
+
+on:
+  push:
+    branches:
+      - main
+      - development/2.1
+  pull_request:
+    branches:
+      - main
+      - development/2.1
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Static analysis with CodeQL
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+    env:
+      NEXUS_UNAME: ${{ secrets.NEXUS_USERNAME }}
+      NEXUS_PWD: ${{ secrets.NEXUS_PASSWORD }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: java
+
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: "corretto"
+          java-version: "17"
+
+      - name: Setup Gradle
+        uses: gradle/gradle-build-action@v3
+        with:
+          gradle-version: 7.3
+
+      - name: Execute build with Gradle wrapper
+        run: ./gradlew build -PsonatypeUsername=$NEXUS_UNAME -PsonatypePassword=$NEXUS_PWD
+
+      - name: Build and analyze
+        uses: github/codeql-action/analyze@v3

.github/workflows/dependency-review.yaml

@@ -0,0 +1,18 @@
+---
+name: dependency review
+
+on:
+  pull_request:
+    branches:
+      - main
+      - development/2.1
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v4
+
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v4

.github/workflows/docker-build.yml

@@ -4,28 +4,13 @@ name: docker-build
 on:
   workflow_call:
     inputs:
-      namespace:
-        required: false
-        type: string
-        default: osis-dev
       tag:
         required: false
         type: string
         default: "${{ github.sha }}"
-      registry:
-        required: false
-        type: string
-        default: registry.scality.com
-    secrets:
-      REGISTRY_LOGIN:
-        required: true
-      REGISTRY_PASSWORD:
-        required: true
 
 env:
-  NAMESPACE: ${{ inputs.namespace }}
   TAG: ${{ inputs.tag }}
-  REGISTRY: ${{ inputs.registry }}
 
 jobs:
   build:
@@ -34,25 +19,23 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ secrets.REGISTRY_LOGIN }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ github.token }}
 
       - name: Build and push development docker image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: .
           push: true
-          tags: ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/osis:${{ env.TAG }}
+          tags: ghcr.io/${{ github.repository }}:${{ env.TAG }}
           cache-from: type=gha,scope=osis
           cache-to: type=gha,mode=max,scope=osis
-          build-args: |
-            NODE_ENV=${{ matrix.build.env }}

.github/workflows/gradle-build-and-upload.yml

@@ -21,16 +21,16 @@ jobs:
       SIGNING_PWD: ${{ secrets.SIGNING_PASSWORD }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: "corretto"
           java-version: "17"
 
       - name: Setup Gradle
-        uses: gradle/gradle-build-action@v2
+        uses: gradle/gradle-build-action@v3
         with:
           gradle-version: 7.3
 

.github/workflows/release.yml

@@ -13,11 +13,7 @@ jobs:
     name: Docker image
     uses: ./.github/workflows/docker-build.yml
     with:
-      namespace: osis
       tag: ${{ github.event.inputs.tag }}
-    secrets:
-      REGISTRY_LOGIN: ${{ secrets.REGISTRY_LOGIN }}
-      REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
 
   github-release:
     name: Creating GitHub Release
@@ -27,7 +23,7 @@ jobs:
       - docker-build
     steps:
       - name: Github Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/security.yaml

@@ -0,0 +1,33 @@
+---
+name: security
+
+on:
+  push:
+    branches:
+      - main
+      - development/2.1
+  release:
+    types: [published]
+  pull_request:
+    branches:
+      - main
+      - development/2.1
+  schedule:
+    - cron: '0 8 * * 1' # Monday - 8am - UTC
+  workflow_dispatch:
+
+jobs:
+  build:
+    permissions:
+      contents: read
+      packages: write
+    uses: ./.github/workflows/docker-build.yml
+
+  trivy:
+    needs: build
+    name: Trivy Vulnerability Scan for Code
+    uses: scality/workflows/.github/workflows/trivy.yaml@v2
+    with:
+      name: ${{ github.event.repository.name }}
+      namespace: ${{ github.repository_owner }}
+      registry: ghcr.io

.github/workflows/test-and-build.yml

@@ -16,17 +16,14 @@ jobs:
   docker-build:
     name: Development docker image
     uses: ./.github/workflows/docker-build.yml
-    secrets:
-      REGISTRY_LOGIN: ${{ secrets.REGISTRY_LOGIN }}
-      REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
 
   code_coverage:
     name: code coverage
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         with:
           token: ${{ secrets.CODECOV_TOKEN }} # not required for public repos
           name: codecov-osis

README.md

@@ -20,11 +20,11 @@ This project is for OSIS, which integrates [Scality RING](https://www.scality.co
     ```
     Dev:
     ```sh
-        $ docker pull registry.scality.com/vmware-ose-scality-dev/vmware-ose-scality:<short SHA-1 commit hash>
+        docker pull ghcr.io/scality/osis:<short SHA-1 commit hash>
     ```
     Production image:
     ```sh
-        $ docker pull registry.scality.com/vmware-ose-scality/vmware-ose-scality:<tag>
+        docker pull ghcr.io/scality/osis:<tag>
     ```
 1. Generate a self-signed SSL certificate and store it in a binary PKCS#12 format file with extension `.p12` file. (Refer [here](#To-generate-PKCS12-file-for-self-signed-SSL-certificate))
 
@@ -57,7 +57,7 @@ This project is for OSIS, which integrates [Scality RING](https://www.scality.co
        -v <absolute_path_to_.p12_file>:/app/lib/osis.p12:ro,z \
        -v <absolute_path_to_crypto.yml_file>:/conf/crypto.yml:ro,z \
        -v <absolute_path_to_application.properties_file>:/conf/application.properties:ro,z \
-       registry.scality.com/vmware-ose-scality-dev/vmware-ose-scality:<short SHA-1 commit hash>
+       ghcr.io/scality/osis:<short SHA-1 commit hash>
     ```
    Production image:
     ```sh
@@ -68,7 +68,7 @@ This project is for OSIS, which integrates [Scality RING](https://www.scality.co
        -v <absolute_path_to_.p12_file>:/app/lib/osis.p12:ro,z \
        -v <absolute_path_to_crypto.yml_file>:/conf/crypto.yml:ro,z \
        -v <absolute_path_to_application.properties_file>:/conf/application.properties:ro,z \
-       registry.scality.com/vmware-ose-scality/vmware-ose-scality:<tag>
+       ghcr.io/scality/osis:<tag>
     ```
 
 

build.gradle

@@ -1,6 +1,6 @@
 buildscript {
     ext {
-        osisVersion = '2.1.3'
+        osisVersion = '2.1.4'
         vaultclientVersion = '1.1.2'
         springBootVersion = '2.7.6'
     }

docs/RELEASE.md

@@ -2,11 +2,10 @@
 
 ## Docker Image generation
 
-Docker images are hosted on registry.scality.com.
-It has two names spaces for Vmware-ose-scality:
+Docker images are hosted on ghcr.io/scality.
+It has one image:
 
-* Production Namespace: registry.scality.com/vmware-ose-scality
-* Dev Namespace: registry.scality.com/vmware-ose-scality-dev
+* Production container image: ghcr.io/scality/osis
 
 Production namespace provides write access to a few admins and CI while read
 access is given to all the developers. Dev namespace provides write access
@@ -17,8 +16,8 @@ images to be used by developers, CI builds, build chain and so on.
 ## How to pull docker images
 
 ```sh
-    docker pull registry.scality.com/vmware-ose-scality-dev/vmware-ose-scality:<short SHA-1 commit hash>
-    docker pull registry.scality.com/vmware-ose-scality/vmware-ose-scality:<tag>
+    docker pull ghcr.io/scality/osis:<short SHA-1 commit hash>
+    docker pull ghcr.io/scality/osis:<tag>
 ```
 
 ## Release Process

docs/milestone-2-steps.md

@@ -67,7 +67,7 @@ docker restart scality-vault-1
 - Pull this docker image. Use the latest commit from thew repository as SHA in the below command.
 
 ```sh
-docker pull registry.scality.com/vmware-ose-scality-dev/vmware-ose-scality:<SHA>
+docker pull ghcr.io/scality/osis:<SHA>
 
 ```
 
@@ -105,7 +105,7 @@ docker pull registry.scality.com/vmware-ose-scality-dev/vmware-ose-scality:<SHA>
        -p 8443:8443 \
        -v /root/keyStore.p12:/app/lib/osis.p12:ro,z \
        -v /root/crypto.yml:/app/config/crypto.yml:ro,z \
-       registry.scality.com/vmware-ose-scality-dev/vmware-ose-scality:<SHA1>
+       ghcr.io/scality/osis:<SHA1>
     ```
 
 Note: For S3 Connector, use the host network as shows in the example above.