From 19dc598cdefb9a6052df7f4884b98c18c0e02b8a Mon Sep 17 00:00:00 2001
From: Ladislav Sulak
Date: Mon, 22 Dec 2025 17:07:46 +0100
Subject: [PATCH 1/4] #151: addressing Aquasec findings
---
 .github/workflows/build.yml | 4 ++--
 .github/workflows/dependent_items.yml | 2 +-
 .github/workflows/jacoco_report.yml | 26 +++++++++++++++-------
 .github/workflows/license_check.yml | 4 ++--
 .github/workflows/release.yml | 10 +++++++--
 .github/workflows/test_filenames_check.yml | 4 ++--
 6 files changed, 33 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 64673324..5364e703 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -45,9 +45,9 @@ jobs:
 scala: [2.12.17, 2.13.12]
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 - name: Setup Scala
- uses: olafurpg/setup-scala@v14
+ uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
 with:
 java-version: "adopt@1.8"
 - name: Build and run unit tests
diff --git a/.github/workflows/dependent_items.yml b/.github/workflows/dependent_items.yml
index 1ab7f5c1..f0c60278 100644
--- a/.github/workflows/dependent_items.yml
+++ b/.github/workflows/dependent_items.yml
@@ -28,7 +28,7 @@ jobs:
 name: Dependent Items Check
 runs-on: ubuntu-latest
 steps:
- - uses: z0al/dependent-issues@v1.5.2
+ - uses: z0al/dependent-issues@950226e7ca8fc43dc209a7febf67c655af3bdb43
 env:
 # (Required) The token to use to make API calls to GitHub.
 GITHUB_TOKEN: ${{ secrets.PAT_REPO_PROJECT_DISCUSS }}
diff --git a/.github/workflows/jacoco_report.yml b/.github/workflows/jacoco_report.yml
index 7830b727..55a12f68 100644
--- a/.github/workflows/jacoco_report.yml
+++ b/.github/workflows/jacoco_report.yml
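Review bot: The new `uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8` and `uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c` lines pin to a bare commit SHA with nothing saying which release that SHA is, so a reader of the workflow cannot tell what version runs, and the Dependabot configuration added later in this series is expected to keep a version comment in sync only if one is present. Append the tag as a trailing comment, e.g. `uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # <tag this SHA resolves to>`. The same applies to every `uses:` pin in this patch: z0al/dependent-issues in dependent_items.yml, madrapps/jacoco-report and actions/github-script in jacoco_report.yml, and the pins in license_check.yml, release.yml and test_filenames_check.yml. Note also that this file, license_check.yml and test_filenames_check.yml were on `actions/checkout@v2` while jacoco_report.yml was on `@v4`, and all now resolve to the same SHA, so the three v2 workflows take a major-version jump that the commit message does not call out.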
@@ -49,21 +49,25 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+
 - name: Setup Scala
- uses: olafurpg/setup-scala@v14
+ uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
 with:
 java-version: "adopt@1.8"
+
 - name: Prepare testing database
 run: sbt flywayMigrate
+
 - name: Build and run tests
 continue-on-error: true
 id: jacocorun
 run: sbt ++${{env.scalaLong}} jacoco
+
 - name: Add coverage to PR (core)
 if: steps.jacocorun.outcome == 'success'
 id: jacoco-core
- uses: madrapps/jacoco-report@v1.6.1
+ uses: madrapps/jacoco-report@50d3aff4548aa991e6753342d9ba291084e63848
 with:
 paths: ${{ github.workspace }}/core/target/scala-${{ env.scalaShort }}/jacoco/report/jacoco.xml
 token: ${{ secrets.GITHUB_TOKEN }}
@@ -71,10 +75,11 @@ jobs:
 min-coverage-changed-files: ${{ env.coverage-changed-files }}
 title: JaCoCo `core` module code coverage report - scala ${{ env.scalaLong }}
 update-comment: true
+
 - name: Add coverage to PR (doobie)
 if: steps.jacocorun.outcome == 'success'
 id: jacoco-doobie
- uses: madrapps/jacoco-report@v1.6.1
+ uses: madrapps/jacoco-report@50d3aff4548aa991e6753342d9ba291084e63848
 with:
 paths: ${{ github.workspace }}/doobie/target/scala-${{ env.scalaShort }}/jacoco/report/jacoco.xml
 token: ${{ secrets.GITHUB_TOKEN }}
@@ -82,10 +87,11 @@ jobs:
 min-coverage-changed-files: ${{ env.coverage-changed-files }}
 title: JaCoCo `doobie` module code coverage report - scala ${{ env.scalaLong }}
 update-comment: true
+
 - name: Add coverage to PR (slick)
 if: steps.jacocorun.outcome == 'success'
 id: jacoco-slick
- uses: madrapps/jacoco-report@v1.6.1
+ uses: madrapps/jacoco-report@50d3aff4548aa991e6753342d9ba291084e63848
 with:
 paths: ${{ github.workspace }}/slick/target/scala-${{ env.scalaShort }}/jacoco/report/jacoco.xml
 token: ${{ secrets.GITHUB_TOKEN }}
@@ -93,6 +99,7 @@ jobs:
 min-coverage-changed-files: ${{ env.coverage-changed-files }}
 title: JaCoCo `slick` module code coverage report - scala ${{ env.scalaLong }}
 update-comment: true
+
 - name: Get the Coverage info
 if: steps.jacocorun.outcome == 'success'
 run: |
@@ -102,9 +109,10 @@ jobs:
 echo "Changed Files coverage ${{ steps.jacoco-doobie.outputs.coverage-changed-files }}"
 echo "Total `slick` module coverage ${{ steps.jacoco-slick.outputs.coverage-overall }}"
 echo "Changed Files coverage ${{ steps.jacoco-slick.outputs.coverage-changed-files }}"
+
 - name: Fail PR if changed files coverage is less than ${{ env.coverage-changed-files }}%
 if: steps.jacocorun.outcome == 'success'
- uses: actions/github-script@v6
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
 with:
 script: |
 const coverageCheckFailed =
@@ -114,9 +122,10 @@ jobs:
 if (coverageCheckFailed) {
 core.setFailed('Changed files coverage is less than ${{ env.coverage-changed-files }}%!');
 }
+
 - name: Fail PR if overall files coverage is less than ${{ env.coverage-overall }}%
 if: ${{ (steps.jacocorun.outcome == 'success') && (env.check-overall-coverages == 'true') }}
- uses: actions/github-script@v6
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
 with:
 script: |
 const coverageCheckFailed =
@@ -126,9 +135,10 @@ jobs:
 if (coverageCheckFailed) {
 core.setFailed('Overall coverage is less than ${{ env.coverage-overall }}%!');
 }
+
 - name: Edit JaCoCo comments on build failure
 if: steps.jacocorun.outcome != 'success'
- uses: actions/github-script@v6
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
 with:
 script: |
 const issue_number = context.issue.number;
diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml
index 2ab787b0..27062050 100644
--- a/.github/workflows/license_check.yml
+++ b/.github/workflows/license_check.yml
@@ -29,9 +29,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 - name: Setup Scala
- uses: olafurpg/setup-scala@v10
+ uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
 with:
 java-version: "adopt@1.8"
 - run: sbt headerCheck
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e15fbddb..2a795c45 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,10 +22,16 @@ jobs:
 publish:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2.3.4
+ - name: Checkout code
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 with:
 fetch-depth: 0
- - uses: olafurpg/setup-scala@v13
+
+ - name: Setup Scala
+ uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
+ with:
+ java-version: "adopt@1.8"
+
 - run: sbt ci-release
 env:
 PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}
diff --git a/.github/workflows/test_filenames_check.yml b/.github/workflows/test_filenames_check.yml
index 2c075522..61e2761f 100644
--- a/.github/workflows/test_filenames_check.yml
+++ b/.github/workflows/test_filenames_check.yml
@@ -27,11 +27,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 - name: Filename Inspector
 id: scan-test-files
- uses: AbsaOSS/filename-inspector@v0.1.0
+ uses: AbsaOSS/filename-inspector@355108975e656fac9faaa04209b6df3f9997c8fa
 with:
 name-patterns: '*UnitTests.*,*IntegrationTests.*'
 paths: '**/src/test/scala/**'
From c8681018a0cf7a3631f6668532f125a21b205a3e Mon Sep 17 00:00:00 2001
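Review bot: In the release.yml hunk the added `java-version: "adopt@1.8"` under the new Setup Scala step changes what the publish job builds with, not only which commit of the action runs: the removed `- uses: olafurpg/setup-scala@v13` step had no `with:` block, so the release previously used the action's default JDK, and unless that default is already adopt@1.8 this commit silently changes the toolchain behind the `- run: sbt ci-release` context line while the subject only mentions pinning. Whether the default differs needs confirming against the action's documentation. If the intent is to align with the other workflows, record it above the step, e.g. `# keep in sync with the JDK used in build.yml`; if not, drop the two `with:` lines and keep the step a pure pin.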
From: Ladislav Sulak
Date: Mon, 22 Dec 2025 17:19:30 +0100
Subject: [PATCH 2/4] just following a common practice we agreed upon a while ago
---
 .github/workflows/build.yml | 4 ++++
 .github/workflows/jacoco_report.yml | 2 ++
 .github/workflows/license_check.yml | 4 ++++
 .github/workflows/release.yml | 1 +
 .github/workflows/test_filenames_check.yml | 2 ++
 5 files changed, 13 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5364e703..5f14ce94 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -46,10 +46,14 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+ with:
+ persist-credentials: false
+
 - name: Setup Scala
 uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
 with:
 java-version: "adopt@1.8"
+
 - name: Build and run unit tests
 run: sbt ++${{matrix.scala}} test
 - name: Generate documentation
diff --git a/.github/workflows/jacoco_report.yml b/.github/workflows/jacoco_report.yml
index 55a12f68..d49734b1 100644
--- a/.github/workflows/jacoco_report.yml
+++ b/.github/workflows/jacoco_report.yml
@@ -50,6 +50,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+ with:
+ persist-credentials: false
 - name: Setup Scala
 uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml
index 27062050..309dd969 100644
--- a/.github/workflows/license_check.yml
+++ b/.github/workflows/license_check.yml
@@ -30,8 +30,12 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+ with:
+ persist-credentials: false
+
 - name: Setup Scala
 uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
 with:
 java-version: "adopt@1.8"
+
 - run: sbt headerCheck
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2a795c45..d69928a3 100644
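Review bot: `persist-credentials: false` is the right default for a build that only tests, but the steps that could depend on the stored token sit outside the hunk: `- name: Generate documentation` is the last context line and its body is not visible, so if that step or anything after it pushes to the repository it will now fail for lack of credentials and needs an explicit `token:` on that step rather than the checkout's cached one. The same check applies to the other four files in this commit; in jacoco_report.yml the commenting steps already pass `token: ${{ secrets.GITHUB_TOKEN }}` explicitly (visible in the first patch), so they are unaffected. A one-line comment above the new setting would stop it being removed as dead configuration later, e.g. `# keep GITHUB_TOKEN out of .git/config so later steps and third-party actions cannot reuse it`.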
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -26,6 +26,7 @@ jobs:
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Setup Scala
 uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
diff --git a/.github/workflows/test_filenames_check.yml b/.github/workflows/test_filenames_check.yml
index 61e2761f..f2ade18e 100644
--- a/.github/workflows/test_filenames_check.yml
+++ b/.github/workflows/test_filenames_check.yml
@@ -28,6 +28,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+ with:
+ persist-credentials: false
 - name: Filename Inspector
 id: scan-test-files
From 68a289596f630b7a50862aa7c87175c8e9fc1974 Mon Sep 17 00:00:00 2001
From: Ladislav Sulak
Date: Mon, 29 Dec 2025 11:44:25 +0100
Subject: [PATCH 3/4] Aquasec related automation we implement in each repo as our standard (just PR generation, not auto merge, frequency: each Sunday)
---
 .github/workflows/dependabot.yml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 .github/workflows/dependabot.yml
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
new file mode 100644
index 00000000..dc34bf2c
--- /dev/null
+++ b/.github/workflows/dependabot.yml
@@ -0,0 +1,31 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ target-branch: "master"
+ schedule:
+ interval: "weekly"
+ day: "sunday"
+ labels:
+ - "auto update"
+ - "infrastructure"
+ - "no RN"
+ open-pull-requests-limit: 3
+ commit-message:
+ prefix: "chore"
+ include: "scope"
+
+ - package-ecosystem: "sbt"
+ directory: "/"
+ target-branch: "master"
+ schedule:
+ interval: "weekly"
+ day: "sunday"
+ labels:
+ - "auto update"
+ - "dependencies"
+ - "no RN"
+ open-pull-requests-limit: 3
+ commit-message:
+ prefix: "chore"
+ include: "scope"
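Review bot: `target-branch: "master"` in both `updates` entries of the new dependabot.yml should be dropped if `master` is the repository's default branch: it is then redundant, and as I read the Dependabot documentation, setting `target-branch` means the entry's `labels`, `open-pull-requests-limit` and `commit-message` settings no longer apply to security-update pull requests, which are raised against the default branch regardless. Separately, the second entry relies on `package-ecosystem: "sbt"` being an accepted value; an unrecognised ecosystem is rejected when the file is validated and would take the github-actions entry down with it, so confirm support before relying on these updates. A short comment above each entry stating what it covers, e.g. `# weekly SHA refresh for the pinned actions in .github/workflows`, would make the intent clear to the next reader.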
From 3cd8a5fbdb27cf707da8924c2e2feeab32fb24a5 Mon Sep 17 00:00:00 2001
From: Ladislav Sulak
Date: Mon, 29 Dec 2025 12:54:41 +0100
Subject: [PATCH 4/4] fixing the location for Dependabot - this is the standard, it's not a workflow per se but something GH runs internally
---
 .github/{workflows => }/dependabot.yml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/{workflows => }/dependabot.yml (100%)
diff --git a/.github/workflows/dependabot.yml b/.github/dependabot.yml
similarity index 100%
rename from .github/workflows/dependabot.yml
rename to .github/dependabot.yml