From fc326c741b4c1ba1ef291abd098811f364a4b330 Mon Sep 17 00:00:00 2001
From: Robert Zondervan
Date: Tue, 26 Mar 2024 11:12:47 +0100
Subject: [PATCH 01/10] Exclude security.txt from gitignore
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index 826f3ed01..cd6951c94 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,6 +22,7 @@ gatsby/npm-debug.log
 .cache/
 node_modules/
 public/
+!public/security.txt
 npm-debug.log
 .DS_Store
 .idea
From ee720b274ddf56644489bce99887ede0904865d4 Mon Sep 17 00:00:00 2001
From: Robert Zondervan
Date: Tue, 26 Mar 2024 11:13:11 +0100
Subject: [PATCH 02/10] Add security.txt
---
 api/public/security.txt | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 api/public/security.txt
diff --git a/api/public/security.txt b/api/public/security.txt
new file mode 100644
index 000000000..4890493b6
--- /dev/null
+++ b/api/public/security.txt
@@ -0,0 +1,22 @@
+# Information related to reporting security vulnerabilities of this site.
+
+# How to communicate about security issues.
+Contact: mailto:info@conduction.nl
+
+# Date and time after which this data is considered stale
+Expires: 2024-12-31T23:00:00.000Z
+
+# Encryption
+
+# Acknowledgements
+
+# Preferred languages for communication.
+Preferred-Languages: nl, en
+
+# Canonical
+
+# Policy
+
+# Hiring
+
+# Please see https://securitytxt.org/ for details of the specification of this file.
From bfff24b7da41e2779d023404af314ffbc15db1e2 Mon Sep 17 00:00:00 2001
From: Robert Zondervan
Date: Tue, 26 Mar 2024 11:13:57 +0100
Subject: [PATCH 03/10] remove security.txt excemption from gitignore
---
 .gitignore | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index cd6951c94..826f3ed01 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,7 +22,6 @@ gatsby/npm-debug.log
 .cache/
 node_modules/
 public/
-!public/security.txt
 npm-debug.log
 .DS_Store
 .idea
From 84fde520a0ab300efc4c72cfb61776f4dcd59b01 Mon Sep 17 00:00:00 2001
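Review bot: The `# Canonical` heading in the new api/public/security.txt carries no field, so the file never states which URL it is authoritative for; RFC 9116 recommends `Canonical: https://<host>/.well-known/security.txt` (host to be filled in) together with a PGP cleartext signature so a reporter can distinguish the genuine file from a spoofed copy, and the `# Encryption` heading is left empty in the same way. `Expires: 2024-12-31T23:00:00.000Z` is present as required, but nothing in the repository will refresh it; a comment such as `# Renew before the Expires date; a stale file is treated as invalid by reporters.` above that line would at least make the maintenance obligation visible. The file is created at `api/public/security.txt`, whereas RFC 9116 places it under `/.well-known/`; patch 04 in this series moves it there.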
From: Robert Zondervan Date: Tue, 26 Mar 2024 11:38:02 +0100 Subject: [PATCH 04/10] Move security.txt to correct folder --- api/docker/nginx/conf.d/default.conf | 2 +- api/public/{ => .well-known}/security.txt | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename api/public/{ => .well-known}/security.txt (100%) diff --git a/api/docker/nginx/conf.d/default.conf b/api/docker/nginx/conf.d/default.conf index 9a38eac52..0e4c58db5 100644 --- a/api/docker/nginx/conf.d/default.conf +++ b/api/docker/nginx/conf.d/default.conf @@ -1,6 +1,6 @@ server { root /srv/api/public; - add_header Content-Security-Policy "default-src 'self'"; + add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"; add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(self), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), conversion-measurement=(self),focus-without-user-activation=(), hid=(), idle-detection=(), serial=(),sync-script=(), trust-token-redemption=(), vertical-scroll=(self)"; client_max_body_size 51M; diff --git a/api/public/security.txt b/api/public/.well-known/security.txt similarity index 100% rename from api/public/security.txt rename to api/public/.well-known/security.txt From 87cbcc60b304ebb03214a94b89993760fb5e5fa0 Mon Sep 17 00:00:00 2001 
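Review bot: The hardened `add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'";` is only attached to 2xx/3xx responses, because nginx's `add_header` skips other status codes unless the `always` parameter is given, so error responses from the API go out without a CSP (the same applies to the Permissions-Policy line beneath it); append `always` before the terminating `;`. Whether the server block contains `location` blocks with their own `add_header` directives, which would discard these server-level headers for those locations, is not visible here — the `server {` block continues past the hunk. The rename to `api/public/.well-known/security.txt` lines up with `root /srv/api/public;`, assuming static files under that root are served directly.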
From: Robert Zondervan
Date: Wed, 27 Mar 2024 12:03:23 +0100
Subject: [PATCH 05/10] Run more security checks on build, composer update
---
 .github/workflows/release.yml | 602 ++++++++++++++++++++++++++--------
 api/.dockerignore | 1 +
 api/composer.lock | 189 +++++------
 3 files changed, 566 insertions(+), 226 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8d891be0a..d6482a960 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,133 +1,479 @@ name: Docker Image CI Release + on: - push: - branches: - - main - - development - - version-* - - feature-* + push: + branches: + - main + - development + - version-* + - feature-* + pull_request: + branches: + - main + - development + - version-* + - feature-* jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - uses: actions/setup-node@v1 - - name: Default Environment Variables - run: - echo "https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables"; - echo "GITHUB_WORKFLOW is $GITHUB_WORKFLOW"; - echo "GITHUB_WORKFLOW_REF is $GITHUB_WORKFLOW_REF"; - echo "GITHUB_RUN_ATTEMPT is $GITHUB_RUN_ATTEMPT"; - echo "GITHUB_REF is $GITHUB_REF"; - echo "GITHUB_REF_NAME is $GITHUB_REF_NAME"; - echo "GITHUB_REF_PROTECTED is $GITHUB_REF_PROTECTED"; - - name: Export release code - if: (success() || failure()) - id: releasecode #version number in a more comprehensible format: 0.1.YearMonthDay in UTC - run: | - export VERSION=$(grep APP_VERSION= .env | cut -d '=' -f2) - export RELEASE=$VERSION.$(date --utc +%y%m%d) - echo "RELEASE=$RELEASE" >> $GITHUB_ENV - - name: Create vendor folder - run: | - mkdir api/vendor - chmod +777 api/vendor - chmod +777 -R api/public - - name: Setting APP_NAME - run: | - export NAME=$(grep APP_NAME= .env | cut -d '=' -f2) - echo "APP_NAME=$NAME" >> $GITHUB_ENV - - name: Print app name - run: echo "APP_NAME = $APP_NAME" - - name: Setting APP_ENV to dev - run: | - echo "APP_ENV=dev">> $GITHUB_ENV - echo "set APP_ENV to dev, see Print definitive APP_ENV" - - name: Setting APP_ENV to prod - if: contains( github.ref, 'main' ) - run: | - echo "APP_ENV=prod">> $GITHUB_ENV - echo "settin APP_ENV to prod, see Print definitive APP_ENV" - - name: Setting APP_ENV to version or feature - if: contains( github.ref, 'version-' ) || contains( github.ref, 'feature-') - run: | - GENERAL_TAG=$GITHUB_REF_NAME - export GENERAL_TAG=${GENERAL_TAG//-/} - echo "APP_ENV=$GENERAL_TAG">> 
$GITHUB_ENV - echo "setting APP_ENV to $GENERAL_TAG, see Print definitive APP_ENV" - - name: Print definitive APP_ENV - run: echo "APP_ENV is now $APP_ENV" - - name: Build the Docker image - run: docker-compose build --build-arg APP_ENV=$APP_ENV --build-arg APP_BUILD_ALL_FIXTURES=true - - name: Run the docker image - run: docker-compose up -d - - name: Taking some sleep (for containers to come up) - run: sleep 120 - - name: Check if all containers are running - run: docker ps - - name: Dumping the logs - run: docker-compose logs - - name: Database Update - run: docker-compose exec -T php bin/console doctrine:schema:update --force - - if: (github.ref == 'refs/heads/main') - name: Add docker tag latest - run: | - images=$(docker-compose images -q | xargs docker inspect --format='{{ index .RepoTags 0}}' | cut -d':' -f1 | grep $APP_NAME) - for image in $images - do - docker tag "${image}":${APP_ENV} "${image}":"latest" - done - echo 'IMAGES=$images' >> $GITHUB_ENV - - name: Add docker tags - run: | - images=$(docker-compose images -q | xargs docker inspect --format='{{ index .RepoTags 0}}' | cut -d':' -f1 | grep $APP_NAME) - for image in $images - do - docker tag "${image}":${APP_ENV} "${image}":"$GITHUB_REF_NAME.$RELEASE" - done - echo 'IMAGES=$images' >> $GITHUB_ENV - - name: Show all images - run: docker images - - name: Login to Container Registry - id: containerregistry-login - run: | - if [ "${{ secrets.GITHUB_TOKEN }}" != "" ]; then - echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u $(cut -d'/' -f1 <<< $GITHUB_REPOSITORY) --password-stdin - echo "##[set-output name=success;]true" - else - echo "##[set-output name=success;]false" - fi - - if: steps.containerregistry-login.outputs.success == 'true' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/development' || contains(github.ref, 'version-' ) || contains( github.ref, 'feature-')) - name: Push to Container Registry - run: docker-compose push + Build: + runs-on: ubuntu-latest + steps: + 
- uses: actions/checkout@v1 + - uses: actions/setup-node@v1 + - name: Default Environment Variables + run: + export NAME=$(grep CONTAINER_PROJECT_NAME= .env | cut -d '=' -f2); + export REGISTRY=$(grep CONTAINER_REGISTRY_BASE= .env | cut -d '=' -f2); + echo "https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables"; + echo "GITHUB_WORKFLOW is $GITHUB_WORKFLOW"; + echo "GITHUB_WORKFLOW_REF is $GITHUB_WORKFLOW_REF"; + echo "GITHUB_RUN_ATTEMPT is $GITHUB_RUN_ATTEMPT"; + echo "GITHUB_REF is $GITHUB_REF"; + echo "GITHUB_REF_NAME is $GITHUB_REF_NAME"; + echo "GITHUB_REF_PROTECTED is $GITHUB_REF_PROTECTED"; + echo "APP_NAME=$NAME" >> $GITHUB_ENV; + export VERSION=$(grep APP_VERSION= .env | cut -d '=' -f2); + export RELEASE=$VERSION.$(date --utc +%y%m%d); + echo "RELEASE=$RELEASE" >> $GITHUB_ENV; + echo "REGISTRY_BASE=$REGISTRY" >> $GITHUB_ENV; + - name: Create vendor folder + run: | + mkdir api/vendor + chmod +777 api/vendor + chmod +777 -R api/public + - name: Setting APP_NAME + run: | + export NAME=$(grep APP_NAME= .env | cut -d '=' -f2) + echo "APP_NAME=$NAME" >> $GITHUB_ENV + - name: Print app name + run: echo "APP_NAME = $APP_NAME" + - name: Setting APP_ENV to dev + run: | + echo "APP_ENV=dev">> $GITHUB_ENV + echo "set APP_ENV to dev, see Print definitive APP_ENV" + - name: Setting APP_ENV to prod + if: contains( github.ref, 'main' ) + run: | + echo "APP_ENV=prod">> $GITHUB_ENV + echo "settin APP_ENV to prod, see Print definitive APP_ENV" + - name: Setting APP_ENV to version or feature + if: contains( github.ref, 'version-' ) || contains( github.ref, 'feature-') + run: | + GENERAL_TAG=$GITHUB_REF_NAME + export GENERAL_TAG=${GENERAL_TAG//-/} + echo "APP_ENV=$GENERAL_TAG">> $GITHUB_ENV + echo "setting APP_ENV to $GENERAL_TAG, see Print definitive APP_ENV" + - name: Print definitive APP_ENV + run: echo "APP_ENV is now $APP_ENV" + - name: Build Docker Image + run: docker-compose build --build-arg APP_ENV=$APP_ENV + - name: Run docker 
image + run: docker compose up -d + - name: Taking some sleep (for containers to come up) + run: sleep 10 + - name: Check if all containers are running + run: docker ps + - name: Dumping the logs + run: docker-compose logs + - name: Add docker tags + if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/development' + run: | + images=$(docker-compose images -q | xargs docker inspect --format='{{ index .RepoTags 0}}' | cut -d':' -f1 | grep $APP_NAME) + for image in $images + do + docker tag "${image}":${APP_ENV} "${image}":"$GITHUB_REF_NAME_$RELEASE" + done + echo 'IMAGES=$images' >> $GITHUB_ENV + - name: Show all images + run: docker images + + # Lets save the images + - name: Create PHP Artifact + run: docker save -o php.tar "${REGISTRY_BASE}/${APP_NAME}"-php + - name: Upload PHP artifact + uses: actions/upload-artifact@v2 + with: + name: php.tar + path: php.tar + - name: Create NGINX Artifact + run: docker save -o nginx.tar ghcr.io/conductionnl/commonground-gateway-nginx + - name: Upload NGINX artifact + uses: actions/upload-artifact@v2 + with: + name: nginx.tar + path: nginx.tar + - name: Create postgres Artifact + run: docker save -o postgres.tar postgres + Dependency-check: + runs-on: ubuntu-latest + needs: build + steps: + - uses: actions/checkout@v1 + - uses: actions/setup-node@v1 + with: + node-version: '16' + - name: Download a single artifact + uses: actions/download-artifact@v3 + with: + name: php.tar + - name: Download a single artifact + uses: actions/download-artifact@v3 + with: + name: nginx.tar + - name: Load Docker images from previous workflows + run: docker load --input php.tar && docker load --input nginx.tar + - name: Default Environment Variables + run: + export NAME=$(grep CONTAINER_PROJECT_NAME= .env | cut -d '=' -f2); + export REGISTRY=$(grep CONTAINER_REGISTRY_BASE= .env | cut -d '=' -f2); + echo 
"https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables"; + echo "GITHUB_WORKFLOW is $GITHUB_WORKFLOW"; + echo "GITHUB_WORKFLOW_REF is $GITHUB_WORKFLOW_REF"; + echo "GITHUB_RUN_ATTEMPT is $GITHUB_RUN_ATTEMPT"; + echo "GITHUB_REF is $GITHUB_REF"; + echo "GITHUB_REF_NAME is $GITHUB_REF_NAME"; + echo "GITHUB_REF_PROTECTED is $GITHUB_REF_PROTECTED"; + echo "APP_NAME=$NAME" >> $GITHUB_ENV; + echo "APP_ENV=prod">> $GITHUB_ENV; + export VERSION=$(grep APP_VERSION= .env | cut -d '=' -f2); + export RELEASE=$VERSION.$(date --utc +%y%m%d); + echo "RELEASE=$RELEASE" >> $GITHUB_ENV; + echo "REGISTRY_BASE=$REGISTRY" >> $GITHUB_ENV; + - name: Setting APP_NAME + run: | + export NAME=$(grep APP_NAME= .env | cut -d '=' -f2) + echo "APP_NAME=$NAME" >> $GITHUB_ENV + - name: Print app name + run: echo "APP_NAME = $APP_NAME" + - name: Setting APP_ENV to dev + run: | + echo "APP_ENV=dev">> $GITHUB_ENV + echo "set APP_ENV to dev, see Print definitive APP_ENV" + - name: Setting APP_ENV to prod + if: contains( github.ref, 'main' ) + run: | + echo "APP_ENV=prod">> $GITHUB_ENV + echo "settin APP_ENV to prod, see Print definitive APP_ENV" + - name: Setting APP_ENV to version or feature + if: contains( github.ref, 'version-' ) || contains( github.ref, 'feature-') + run: | + GENERAL_TAG=$GITHUB_REF_NAME + export GENERAL_TAG=${GENERAL_TAG//-/} + echo "APP_ENV=$GENERAL_TAG">> $GITHUB_ENV + echo "setting APP_ENV to $GENERAL_TAG, see Print definitive APP_ENV" + - name: Print definitive APP_ENV + run: echo "APP_ENV is now $APP_ENV" + - name: Show all images + run: docker images + - name: Up the images + run: docker compose up -d + - name: Check images with Composer Audit + run: docker compose exec php composer audit + Unit: + needs: build + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - uses: actions/setup-node@v1 + with: + node-version: '16' + - name: Download a single artifact + uses: actions/download-artifact@v3 + with: + name: php.tar + 
- name: Download a single artifact + uses: actions/download-artifact@v3 + with: + name: nginx.tar + - name: Default Environment Variables + run: + export NAME=$(grep CONTAINER_PROJECT_NAME= .env | cut -d '=' -f2); + export REGISTRY=$(grep CONTAINER_REGISTRY_BASE= .env | cut -d '=' -f2); + echo "https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables"; + echo "GITHUB_WORKFLOW is $GITHUB_WORKFLOW"; + echo "GITHUB_WORKFLOW_REF is $GITHUB_WORKFLOW_REF"; + echo "GITHUB_RUN_ATTEMPT is $GITHUB_RUN_ATTEMPT"; + echo "GITHUB_REF is $GITHUB_REF"; + echo "GITHUB_REF_NAME is $GITHUB_REF_NAME"; + echo "GITHUB_REF_PROTECTED is $GITHUB_REF_PROTECTED"; + echo "APP_NAME=$NAME" >> $GITHUB_ENV; + echo "APP_ENV=prod">> $GITHUB_ENV; + export VERSION=$(grep APP_VERSION= .env | cut -d '=' -f2); + export RELEASE=$VERSION.$(date --utc +%y%m%d); + echo "RELEASE=$RELEASE" >> $GITHUB_ENV; + echo "REGISTRY_BASE=$REGISTRY" >> $GITHUB_ENV; + - name: Setting APP_NAME + run: | + export NAME=$(grep APP_NAME= .env | cut -d '=' -f2) + echo "APP_NAME=$NAME" >> $GITHUB_ENV + - name: Print app name + run: echo "APP_NAME = $APP_NAME" + - name: Setting APP_ENV to dev + run: | + echo "APP_ENV=dev">> $GITHUB_ENV + echo "set APP_ENV to dev, see Print definitive APP_ENV" + - name: Setting APP_ENV to prod + if: contains( github.ref, 'main' ) + run: | + echo "APP_ENV=prod">> $GITHUB_ENV + echo "settin APP_ENV to prod, see Print definitive APP_ENV" + - name: Setting APP_ENV to version or feature + if: contains( github.ref, 'version-' ) || contains( github.ref, 'feature-') + run: | + GENERAL_TAG=$GITHUB_REF_NAME + export GENERAL_TAG=${GENERAL_TAG//-/} + echo "APP_ENV=$GENERAL_TAG">> $GITHUB_ENV + echo "setting APP_ENV to $GENERAL_TAG, see Print definitive APP_ENV" + - name: Print definitive APP_ENV + run: echo "APP_ENV is now $APP_ENV" + - name: Load Docker images from previous workflows + run: docker load --input php.tar && docker load --input nginx.tar + - name: Show all 
images + run: docker images + - name: Up the images + run: docker compose up -d + - name: Run PHPUnit + run: docker-compose exec -T php bin/phpunit + Fossa: + needs: build + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - uses: actions/setup-node@v1 + with: + node-version: '16' + - name: Download a single artifact + uses: actions/download-artifact@v3 + with: + name: php.tar + - name: Download a single artifact + uses: actions/download-artifact@v3 + with: + name: nginx.tar + - name: Load Docker images from previous workflows + run: docker load --input php.tar && docker load --input nginx.tar + - name: Show all images + run: docker images + - name: Up the images + run: docker compose up -d + - name: Run Fossa checks + uses: fossas/fossa-action@main # Use a specific version if locking is preferred + with: + api-key: ${{secrets.fossaApiKey}} + container: php + debug: true + - name: Upload results as artifact + uses: actions/upload-artifact@v3 + with: + name: 'fossa-results' + path: ./fossa.debug.json.gz + Database: + needs: build + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - uses: actions/setup-node@v1 + with: + node-version: '16' + - name: Download a single artifact + uses: actions/download-artifact@v3 + with: + name: php.tar + - name: Download a single artifact + uses: actions/download-artifact@v3 + with: + name: nginx.tar + - name: Load Docker images from previous workflows + run: docker load --input php.tar && docker load --input nginx.tar + - name: Default Environment Variables + run: + export NAME=$(grep CONTAINER_PROJECT_NAME= .env | cut -d '=' -f2); + export REGISTRY=$(grep CONTAINER_REGISTRY_BASE= .env | cut -d '=' -f2); + echo "https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables"; + echo "GITHUB_WORKFLOW is $GITHUB_WORKFLOW"; + echo "GITHUB_WORKFLOW_REF is $GITHUB_WORKFLOW_REF"; + echo "GITHUB_RUN_ATTEMPT is $GITHUB_RUN_ATTEMPT"; + echo "GITHUB_REF is $GITHUB_REF"; + echo 
"GITHUB_REF_NAME is $GITHUB_REF_NAME"; + echo "GITHUB_REF_PROTECTED is $GITHUB_REF_PROTECTED"; + echo "APP_NAME=$NAME" >> $GITHUB_ENV; + echo "APP_ENV=prod">> $GITHUB_ENV; + export VERSION=$(grep APP_VERSION= .env | cut -d '=' -f2); + export RELEASE=$VERSION.$(date --utc +%y%m%d); + echo "RELEASE=$RELEASE" >> $GITHUB_ENV; + echo "REGISTRY_BASE=$REGISTRY" >> $GITHUB_ENV; + - name: Setting APP_NAME + run: | + export NAME=$(grep APP_NAME= .env | cut -d '=' -f2) + echo "APP_NAME=$NAME" >> $GITHUB_ENV + - name: Print app name + run: echo "APP_NAME = $APP_NAME" + - name: Setting APP_ENV to dev + run: | + echo "APP_ENV=dev">> $GITHUB_ENV + echo "set APP_ENV to dev, see Print definitive APP_ENV" + - name: Setting APP_ENV to prod + if: contains( github.ref, 'main' ) + run: | + echo "APP_ENV=prod">> $GITHUB_ENV + echo "settin APP_ENV to prod, see Print definitive APP_ENV" + - name: Setting APP_ENV to version or feature + if: contains( github.ref, 'version-' ) || contains( github.ref, 'feature-') + run: | + GENERAL_TAG=$GITHUB_REF_NAME + export GENERAL_TAG=${GENERAL_TAG//-/} + echo "APP_ENV=$GENERAL_TAG">> $GITHUB_ENV + echo "setting APP_ENV to $GENERAL_TAG, see Print definitive APP_ENV" + - name: Print definitive APP_ENV + run: echo "APP_ENV is now $APP_ENV" + - name: Show all images + run: docker images + - name: Up the images + run: docker compose up -d + - name: Wait for the containers to run + run: sleep 20 + - name: Database Update + run: docker-compose exec -T php bin/console doctrine:schema:update --force + Snyk: + needs: build + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/node@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + Docker-Scout: + needs: build + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - uses: actions/setup-node@v1 + with: + node-version: '16' + - name: Download a single artifact + uses: 
actions/download-artifact@v3 + with: + name: php.tar + - name: Download a single artifact + uses: actions/download-artifact@v3 + with: + name: nginx.tar + - name: Default Environment Variables + run: + export NAME=$(grep CONTAINER_PROJECT_NAME= .env | cut -d '=' -f2); + export REGISTRY=$(grep CONTAINER_REGISTRY_BASE= .env | cut -d '=' -f2); + echo "https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables"; + echo "GITHUB_WORKFLOW is $GITHUB_WORKFLOW"; + echo "GITHUB_WORKFLOW_REF is $GITHUB_WORKFLOW_REF"; + echo "GITHUB_RUN_ATTEMPT is $GITHUB_RUN_ATTEMPT"; + echo "GITHUB_REF is $GITHUB_REF"; + echo "GITHUB_REF_NAME is $GITHUB_REF_NAME"; + echo "GITHUB_REF_PROTECTED is $GITHUB_REF_PROTECTED"; + echo "APP_NAME=$NAME" >> $GITHUB_ENV; + echo "APP_ENV=prod">> $GITHUB_ENV; + export VERSION=$(grep APP_VERSION= .env | cut -d '=' -f2); + export RELEASE=$VERSION.$(date --utc +%y%m%d); + echo "RELEASE=$RELEASE" >> $GITHUB_ENV; + echo "REGISTRY_BASE=$REGISTRY" >> $GITHUB_ENV; + - name: Setting APP_NAME + run: | + export NAME=$(grep APP_NAME= .env | cut -d '=' -f2) + echo "APP_NAME=$NAME" >> $GITHUB_ENV + - name: Print app name + run: echo "APP_NAME = $APP_NAME" + - name: Setting APP_ENV to dev + run: | + echo "APP_ENV=dev">> $GITHUB_ENV + echo "set APP_ENV to dev, see Print definitive APP_ENV" + - name: Setting APP_ENV to prod + if: contains( github.ref, 'main' ) + run: | + echo "APP_ENV=prod">> $GITHUB_ENV + echo "settin APP_ENV to prod, see Print definitive APP_ENV" + - name: Setting APP_ENV to version or feature + if: contains( github.ref, 'version-' ) || contains( github.ref, 'feature-') + run: | + GENERAL_TAG=$GITHUB_REF_NAME + export GENERAL_TAG=${GENERAL_TAG//-/} + echo "APP_ENV=$GENERAL_TAG">> $GITHUB_ENV + echo "setting APP_ENV to $GENERAL_TAG, see Print definitive APP_ENV" + - name: Print definitive APP_ENV + run: echo "APP_ENV is now $APP_ENV" + - name: Load Docker images from previous workflows + run: docker load --input 
php.tar && docker load --input nginx.tar + - name: Show docker images + run: docker images + - name: Docker Scout + uses: docker/scout-action@v1.6.4 + with: + command: quickview,cves + image: ${{ env.REGISTRY_BASE }}/${{ env.APP_NAME }}-php:${{ env.APP_ENV }} + github-token: ${{ secrets.GITHUB_TOKEN }} + dockerhub-user: ${{ secrets.DOCKER_USER }} + dockerhub-password: ${{ secrets.DOCKER_ACCESS_TOKEN }} + Publish: + needs: [Dependency-check,Database,Docker-Scout] + runs-on: ubuntu-latest + if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/development' + steps: + - uses: actions/checkout@v1 + - uses: actions/setup-node@v1 + with: + node-version: '16' + - name: Download a single artifact + uses: actions/download-artifact@v3 + with: + name: php.tar + - name: Download a single artifact + uses: actions/download-artifact@v3 + with: + name: nginx.tar + - name: Load Docker images from previous workflows + run: docker load --input php.tar && docker load --input nginx.tar + - name: Show all images + run: docker images + - name: Up the images + run: docker compose up -d + - name: Login to Container Registry + id: containerregistry-login + run: | + if [ "${{ secrets.GITHUB_TOKEN }}" != "" ]; then + echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u $(cut -d'/' -f1 <<< $GITHUB_REPOSITORY) --password-stdin + echo "##[set-output name=success;]true" + else + echo "##[set-output name=success;]false" + fi + - if: steps.containerregistry-login.outputs.success == 'true' + name: Push to Container Registry + run: docker-compose push - - if: steps.containerregistry-login.outputs.success == 'true' && (github.ref == 'refs/heads/main') - name: Push latest container to Container Registry - run: | - images=$(docker-compose images -q | xargs docker inspect --format='{{ index .RepoTags 0}}' | cut -d':' -f1 | grep $APP_NAME) - for image in $images - do - docker push "${image}":"latest" - done - - if: 
steps.containerregistry-login.outputs.success == 'true' && (contains(github.ref, 'version-' ) || contains( github.ref, 'feature-') || (github.ref == 'refs/heads/main')) - name: Push versioned containers to Container Registry - run: | - images=$(docker-compose images -q | xargs docker inspect --format='{{ index .RepoTags 0}}' | cut -d':' -f1 | grep $APP_NAME) - for image in $images - do - docker push "${image}":"$GITHUB_REF_NAME.$RELEASE" - done - - name: Create kube config - id: kubeconfig - if: contains( github.ref, 'development' ) - run: | - if [ "${{ secrets.KUBECONFIG }}" != "" ]; then - printf "${{ secrets.KUBECONFIG }}" > kubeconfig.yaml - echo "##[set-output name=success]true" - else - echo "##[set-output name=success]false" - fi - - name: Chores - if: (success() || failure()) - run: docker-compose down + - if: steps.containerregistry-login.outputs.success == 'true' + name: Push versioned containers to Container Registry + run: | + images=$(docker-compose images -q | xargs docker inspect --format='{{ index .RepoTags 0}}' | cut -d':' -f1 | grep $APP_NAME) + for image in $images + do + docker push "${image}":"$GITHUB_REF_NAME_$RELEASE" + done + - name: Print release name + if: (success() || failure()) + run: echo $RELEASENAME + env: + RELEASENAME: ${{ steps.releasecode.outputs.releasename }} + - name: Create Release + if: contains( github.ref, 'master' ) && steps.kubeconfig.outputs.success == 'true' && ( success() || failure() ) + id: create_release + uses: actions/create-release@v1 + continue-on-error: true + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token + with: + tag_name: ${{ steps.releasecode.outputs.releasename }} + release_name: ${{ steps.releasecode.outputs.releasename }} + draft: false + prerelease: false + - name: Chores + if: (success() || failure()) + run: docker-compose down diff --git a/api/.dockerignore b/api/.dockerignore index 7908bb741..b5b43833e 100644 
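Review bot: `needs: build` in the Dependency-check, Unit, Fossa, Database, Snyk and Docker-Scout jobs names a job that does not exist — the build job is declared as `Build`, and job ids in `needs` appear to be compared literally, so the workflow is likely to be rejected at validation; rename the key or the references so they agree. In the Add docker tags step and the Push versioned containers step, `"$GITHUB_REF_NAME_$RELEASE"` is expanded by the shell as the (unset) variable `GITHUB_REF_NAME_` followed by `$RELEASE`, so the tag loses its branch component; write `"${GITHUB_REF_NAME}_$RELEASE"`. The Publish job (and the Add docker tags step in Build) is gated on `refs/heads/master` and `refs/heads/staging`, which are not among the `on.push.branches` triggers (`main`, `development`, `version-*`, `feature-*`), and its Create Release step reads `steps.releasecode` and `steps.kubeconfig`, neither of which is defined in that job after this change, so that step can never run. Third-party actions are referenced by moving refs (`fossas/fossa-action@main`, `snyk/actions/node@master`, `actions/checkout@master`) while being handed `secrets.fossaApiKey`, `secrets.SNYK_TOKEN` and `secrets.GITHUB_TOKEN`; pin them to a release tag or commit SHA so an upstream push cannot silently change what runs with those credentials. Since the Snyk job runs the node scanner while the project's dependencies are composer-managed (api/composer.lock is updated in this same commit), it may not be covering the PHP dependency tree at all — worth confirming against the Snyk output.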
--- a/api/.dockerignore +++ b/api/.dockerignore @@ -15,5 +15,6 @@ .php_cs.cache bin/* !bin/console +!bin/phpunit docker/db/data/ var/* diff --git a/api/composer.lock b/api/composer.lock index 03e597431..fc3df2f07 100644 --- a/api/composer.lock +++ b/api/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "dc2a9f17a748ed5fbf959d425f91a347", + "content-hash": "eab834e63293b529d608adc247f90977", "packages": [ { "name": "adbario/php-dot-notation", @@ -130,16 +130,16 @@ }, { "name": "api-platform/core", - "version": "v2.7.16", + "version": "v2.7.18", "source": { "type": "git", "url": "https://github.com/api-platform/core.git", - "reference": "e6f77e20b4ed9cb3e44c7398d6cda971d32190b0" + "reference": "6ff3e05d97602cdaa3b329112ca21f7e916a504d" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/api-platform/core/zipball/e6f77e20b4ed9cb3e44c7398d6cda971d32190b0", - "reference": "e6f77e20b4ed9cb3e44c7398d6cda971d32190b0", + "url": "https://api.github.com/repos/api-platform/core/zipball/6ff3e05d97602cdaa3b329112ca21f7e916a504d", + "reference": "6ff3e05d97602cdaa3b329112ca21f7e916a504d", "shasum": "" }, "require": { @@ -287,15 +287,9 @@ ], "support": { "issues": "https://github.com/api-platform/core/issues", - "source": "https://github.com/api-platform/core/tree/v2.7.16" + "source": "https://github.com/api-platform/core/tree/v2.7.18" }, - "funding": [ - { - "url": "https://tidelift.com/funding/github/packagist/api-platform/core", - "type": "tidelift" - } - ], - "time": "2023-10-06T10:13:25+00:00" + "time": "2024-03-19T07:17:43+00:00" }, { "name": "bacon/bacon-qr-code", 
@@ -562,16 +556,16 @@ }, { "name": "commongateway/corebundle", - "version": "1.3.0", + "version": "1.3.4", "source": { "type": "git", "url": "https://github.com/CommonGateway/CoreBundle.git", - "reference": "cc4716640b05f988e1b171bf30776489d42e1841" + "reference": "deeeb3d6d1a3d0f14e7656848f7efb7e5d3c6dd2" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/CommonGateway/CoreBundle/zipball/cc4716640b05f988e1b171bf30776489d42e1841", - "reference": "cc4716640b05f988e1b171bf30776489d42e1841", + "url": "https://api.github.com/repos/CommonGateway/CoreBundle/zipball/deeeb3d6d1a3d0f14e7656848f7efb7e5d3c6dd2", + "reference": "deeeb3d6d1a3d0f14e7656848f7efb7e5d3c6dd2", "shasum": "" }, "require": { @@ -681,7 +675,7 @@ "issues": "https://github.com/CommonGateway/CoreBundle/issues", "source": "https://github.com/CommonGateway/CoreBundle" }, - "time": "2024-03-14T11:15:54+00:00" + "time": "2024-03-22T14:02:55+00:00" }, { "name": "composer/package-versions-deprecated", @@ -758,16 +752,16 @@ }, { "name": "composer/pcre", - "version": "3.1.2", + "version": "3.1.3", "source": { "type": "git", "url": "https://github.com/composer/pcre.git", - "reference": "4775f35b2d70865807c89d32c8e7385b86eb0ace" + "reference": "5b16e25a5355f1f3afdfc2f954a0a80aec4826a8" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/composer/pcre/zipball/4775f35b2d70865807c89d32c8e7385b86eb0ace", - "reference": "4775f35b2d70865807c89d32c8e7385b86eb0ace", + "url": "https://api.github.com/repos/composer/pcre/zipball/5b16e25a5355f1f3afdfc2f954a0a80aec4826a8", + "reference": "5b16e25a5355f1f3afdfc2f954a0a80aec4826a8", "shasum": "" }, "require": { @@ -809,7 +803,7 @@ ], "support": { "issues": "https://github.com/composer/pcre/issues", - "source": "https://github.com/composer/pcre/tree/3.1.2" + "source": "https://github.com/composer/pcre/tree/3.1.3" }, "funding": [ { 
@@ -825,7 +819,7 @@ "type": "tidelift" } ], - "time": "2024-03-07T15:38:35+00:00" + "time": "2024-03-19T10:26:25+00:00" }, { "name": "composer/semver", @@ -910,16 +904,16 @@ }, { "name": "composer/xdebug-handler", - "version": "3.0.3", + "version": "3.0.4", "source": { "type": "git", "url": "https://github.com/composer/xdebug-handler.git", - "reference": "ced299686f41dce890debac69273b47ffe98a40c" + "reference": "4f988f8fdf580d53bdb2d1278fe93d1ed5462255" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/composer/xdebug-handler/zipball/ced299686f41dce890debac69273b47ffe98a40c", - "reference": "ced299686f41dce890debac69273b47ffe98a40c", + "url": "https://api.github.com/repos/composer/xdebug-handler/zipball/4f988f8fdf580d53bdb2d1278fe93d1ed5462255", + "reference": "4f988f8fdf580d53bdb2d1278fe93d1ed5462255", "shasum": "" }, "require": { @@ -930,7 +924,7 @@ "require-dev": { "phpstan/phpstan": "^1.0", "phpstan/phpstan-strict-rules": "^1.1", - "symfony/phpunit-bridge": "^6.0" + "phpunit/phpunit": "^8.5 || ^9.6 || ^10.5" }, "type": "library", "autoload": { @@ -954,9 +948,9 @@ "performance" ], "support": { - "irc": "irc://irc.freenode.org/composer", + "irc": "ircs://irc.libera.chat:6697/composer", "issues": "https://github.com/composer/xdebug-handler/issues", - "source": "https://github.com/composer/xdebug-handler/tree/3.0.3" + "source": "https://github.com/composer/xdebug-handler/tree/3.0.4" }, "funding": [ { @@ -972,7 +966,7 @@ "type": "tidelift" } ], - "time": "2022-02-25T21:32:43+00:00" + "time": "2024-03-26T18:29:49+00:00" }, { "name": "dasprid/enum", 
@@ -1600,16 +1594,16 @@ }, { "name": "doctrine/doctrine-bundle", - "version": "2.11.3", + "version": "2.12.0", "source": { "type": "git", "url": "https://github.com/doctrine/DoctrineBundle.git", - "reference": "492725310ae9a1b5b20d6ae09fb5ae6404616e68" + "reference": "5418e811a14724068e95e0ba43353b903ada530f" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/doctrine/DoctrineBundle/zipball/492725310ae9a1b5b20d6ae09fb5ae6404616e68", - "reference": "492725310ae9a1b5b20d6ae09fb5ae6404616e68", + "url": "https://api.github.com/repos/doctrine/DoctrineBundle/zipball/5418e811a14724068e95e0ba43353b903ada530f", + "reference": "5418e811a14724068e95e0ba43353b903ada530f", "shasum": "" }, "require": { @@ -1647,6 +1641,7 @@ "symfony/property-info": "^5.4 || ^6.0 || ^7.0", "symfony/proxy-manager-bridge": "^5.4 || ^6.0 || ^7.0", "symfony/security-bundle": "^5.4 || ^6.0 || ^7.0", + "symfony/stopwatch": "^5.4 || ^6.0 || ^7.0", "symfony/string": "^5.4 || ^6.0 || ^7.0", "symfony/twig-bridge": "^5.4 || ^6.0 || ^7.0", "symfony/validator": "^5.4 || ^6.0 || ^7.0", @@ -1664,7 +1659,7 @@ "type": "symfony-bundle", "autoload": { "psr-4": { - "Doctrine\\Bundle\\DoctrineBundle\\": "" + "Doctrine\\Bundle\\DoctrineBundle\\": "src" } }, "notification-url": "https://packagist.org/downloads/", @@ -1699,7 +1694,7 @@ ], "support": { "issues": "https://github.com/doctrine/DoctrineBundle/issues", - "source": "https://github.com/doctrine/DoctrineBundle/tree/2.11.3" + "source": "https://github.com/doctrine/DoctrineBundle/tree/2.12.0" }, "funding": [ { @@ -1715,7 +1710,7 @@ "type": "tidelift" } ], - "time": "2024-02-10T20:56:20+00:00" + "time": "2024-03-19T07:20:37+00:00" }, { "name": "doctrine/doctrine-fixtures-bundle", 
@@ -2330,16 +2325,16 @@ }, { "name": "doctrine/orm", - "version": "2.19.0", + "version": "2.19.3", "source": { "type": "git", "url": "https://github.com/doctrine/orm.git", - "reference": "a809a71aa6a233a6c82e68ebaaf8954adc4998dc" + "reference": "1a5a4c674a416b4fdf76833c627c5e7f58bbb890" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/doctrine/orm/zipball/a809a71aa6a233a6c82e68ebaaf8954adc4998dc", - "reference": "a809a71aa6a233a6c82e68ebaaf8954adc4998dc", + "url": "https://api.github.com/repos/doctrine/orm/zipball/1a5a4c674a416b4fdf76833c627c5e7f58bbb890", + "reference": "1a5a4c674a416b4fdf76833c627c5e7f58bbb890", "shasum": "" }, "require": { @@ -2425,9 +2420,9 @@ ], "support": { "issues": "https://github.com/doctrine/orm/issues", - "source": "https://github.com/doctrine/orm/tree/2.19.0" + "source": "https://github.com/doctrine/orm/tree/2.19.3" }, - "time": "2024-03-03T17:43:41+00:00" + "time": "2024-03-21T11:01:42+00:00" }, { "name": "doctrine/persistence", @@ -3106,16 +3101,16 @@ }, { "name": "friendsofphp/proxy-manager-lts", - "version": "v1.0.16", + "version": "v1.0.18", "source": { "type": "git", "url": "https://github.com/FriendsOfPHP/proxy-manager-lts.git", - "reference": "ecadbdc9052e4ad08c60c8a02268712e50427f7c" + "reference": "2c8a6cffc3220e99352ad958fe7cf06bf6f7690f" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/FriendsOfPHP/proxy-manager-lts/zipball/ecadbdc9052e4ad08c60c8a02268712e50427f7c", - "reference": "ecadbdc9052e4ad08c60c8a02268712e50427f7c", + "url": "https://api.github.com/repos/FriendsOfPHP/proxy-manager-lts/zipball/2c8a6cffc3220e99352ad958fe7cf06bf6f7690f", + "reference": "2c8a6cffc3220e99352ad958fe7cf06bf6f7690f", "shasum": "" }, "require": { 
@@ -3172,7 +3167,7 @@ ], "support": { "issues": "https://github.com/FriendsOfPHP/proxy-manager-lts/issues", - "source": "https://github.com/FriendsOfPHP/proxy-manager-lts/tree/v1.0.16" + "source": "https://github.com/FriendsOfPHP/proxy-manager-lts/tree/v1.0.18" }, "funding": [ { @@ -3184,7 +3179,7 @@ "type": "tidelift" } ], - "time": "2023-05-24T07:17:17+00:00" + "time": "2024-03-20T12:50:41+00:00" }, { "name": "gedmo/doctrine-extensions", @@ -4660,16 +4655,16 @@ }, { "name": "mongodb/mongodb", - "version": "1.17.0", + "version": "1.17.1", "source": { "type": "git", "url": "https://github.com/mongodb/mongo-php-library.git", - "reference": "9d9c917cf7ff275ed6bd63c596efeb6e49fd0e53" + "reference": "01d0840bf0678f519e72dc71b69c8a50a0856c2d" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/mongodb/mongo-php-library/zipball/9d9c917cf7ff275ed6bd63c596efeb6e49fd0e53", - "reference": "9d9c917cf7ff275ed6bd63c596efeb6e49fd0e53", + "url": "https://api.github.com/repos/mongodb/mongo-php-library/zipball/01d0840bf0678f519e72dc71b69c8a50a0856c2d", + "reference": "01d0840bf0678f519e72dc71b69c8a50a0856c2d", "shasum": "" }, "require": { @@ -4684,7 +4679,7 @@ }, "require-dev": { "doctrine/coding-standard": "^12.0", - "rector/rector": "^0.18", + "rector/rector": "^0.19", "squizlabs/php_codesniffer": "^3.7", "symfony/phpunit-bridge": "^5.2", "vimeo/psalm": "^5.13" @@ -4731,9 +4726,9 @@ ], "support": { "issues": "https://github.com/mongodb/mongo-php-library/issues", - "source": "https://github.com/mongodb/mongo-php-library/tree/1.17.0" + "source": "https://github.com/mongodb/mongo-php-library/tree/1.17.1" }, - "time": "2023-11-15T09:21:50+00:00" + "time": "2024-03-14T10:33:11+00:00" }, { "name": "monolog/monolog", 
@@ -5795,16 +5790,16 @@ }, { "name": "phpstan/phpdoc-parser", - "version": "1.26.0", + "version": "1.27.0", "source": { "type": "git", "url": "https://github.com/phpstan/phpdoc-parser.git", - "reference": "231e3186624c03d7e7c890ec662b81e6b0405227" + "reference": "86e4d5a4b036f8f0be1464522f4c6b584c452757" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpstan/phpdoc-parser/zipball/231e3186624c03d7e7c890ec662b81e6b0405227", - "reference": "231e3186624c03d7e7c890ec662b81e6b0405227", + "url": "https://api.github.com/repos/phpstan/phpdoc-parser/zipball/86e4d5a4b036f8f0be1464522f4c6b584c452757", + "reference": "86e4d5a4b036f8f0be1464522f4c6b584c452757", "shasum": "" }, "require": { @@ -5836,9 +5831,9 @@ "description": "PHPDoc parser with support for nullable, intersection and generic types", "support": { "issues": "https://github.com/phpstan/phpdoc-parser/issues", - "source": "https://github.com/phpstan/phpdoc-parser/tree/1.26.0" + "source": "https://github.com/phpstan/phpdoc-parser/tree/1.27.0" }, - "time": "2024-02-23T16:05:55+00:00" + "time": "2024-03-21T13:14:53+00:00" }, { "name": "psr/cache", @@ -6717,16 +6712,16 @@ }, { "name": "respect/validation", - "version": "2.3.4", + "version": "2.3.6", "source": { "type": "git", "url": "https://github.com/Respect/Validation.git", - "reference": "788939e35909cbc3dcd72202d616e04dd553b572" + "reference": "263ae118fb9b0d3bc6692eb2154cd851deff7932" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/Respect/Validation/zipball/788939e35909cbc3dcd72202d616e04dd553b572", - "reference": "788939e35909cbc3dcd72202d616e04dd553b572", + "url": "https://api.github.com/repos/Respect/Validation/zipball/263ae118fb9b0d3bc6692eb2154cd851deff7932", + "reference": "263ae118fb9b0d3bc6692eb2154cd851deff7932", "shasum": "" }, "require": { 
@@ -6779,9 +6774,9 @@ ], "support": { "issues": "https://github.com/Respect/Validation/issues", - "source": "https://github.com/Respect/Validation/tree/2.3.4" + "source": "https://github.com/Respect/Validation/tree/2.3.6" }, - "time": "2024-03-11T21:14:03+00:00" + "time": "2024-03-24T18:49:24+00:00" }, { "name": "sabberworm/php-css-parser", @@ -12593,16 +12588,16 @@ }, { "name": "theofidry/alice-data-fixtures", - "version": "1.7.0", + "version": "1.7.1", "source": { "type": "git", "url": "https://github.com/theofidry/AliceDataFixtures.git", - "reference": "34e4751103f869da06163d91a9a7ace1b47d5d06" + "reference": "c05882a3ba35f8858de189aec0029b0598de7dce" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/theofidry/AliceDataFixtures/zipball/34e4751103f869da06163d91a9a7ace1b47d5d06", - "reference": "34e4751103f869da06163d91a9a7ace1b47d5d06", + "url": "https://api.github.com/repos/theofidry/AliceDataFixtures/zipball/c05882a3ba35f8858de189aec0029b0598de7dce", + "reference": "c05882a3ba35f8858de189aec0029b0598de7dce", "shasum": "" }, "require": { @@ -12677,7 +12672,7 @@ ], "support": { "issues": "https://github.com/theofidry/AliceDataFixtures/issues", - "source": "https://github.com/theofidry/AliceDataFixtures/tree/1.7.0" + "source": "https://github.com/theofidry/AliceDataFixtures/tree/1.7.1" }, "funding": [ { @@ -12685,7 +12680,7 @@ "type": "github" } ], - "time": "2023-12-03T21:49:12+00:00" + "time": "2024-03-18T12:41:21+00:00" }, { "name": "twig/twig", 
@@ -12761,16 +12756,16 @@ }, { "name": "web-token/jwt-framework", - "version": "3.3.1", + "version": "3.3.4", "source": { "type": "git", "url": "https://github.com/web-token/jwt-framework.git", - "reference": "1dbef13afb91a576d5ce431e5f9570183b19c0dd" + "reference": "734744207ae4f8e0dd5cd6463c8535155e61b92e" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/web-token/jwt-framework/zipball/1dbef13afb91a576d5ce431e5f9570183b19c0dd", - "reference": "1dbef13afb91a576d5ce431e5f9570183b19c0dd", + "url": "https://api.github.com/repos/web-token/jwt-framework/zipball/734744207ae4f8e0dd5cd6463c8535155e61b92e", + "reference": "734744207ae4f8e0dd5cd6463c8535155e61b92e", "shasum": "" }, "require": { @@ -12913,7 +12908,7 @@ ], "support": { "issues": "https://github.com/web-token/jwt-framework/issues", - "source": "https://github.com/web-token/jwt-framework/tree/3.3.1" + "source": "https://github.com/web-token/jwt-framework/tree/3.3.4" }, "funding": [ { @@ -12925,7 +12920,7 @@ "type": "patreon" } ], - "time": "2024-02-28T09:04:35+00:00" + "time": "2024-03-24T09:57:06+00:00" }, { "name": "webmozart/assert", @@ -13540,16 +13535,16 @@ }, { "name": "phpunit/phpunit", - "version": "9.6.17", + "version": "9.6.18", "source": { "type": "git", "url": "https://github.com/sebastianbergmann/phpunit.git", - "reference": "1a156980d78a6666721b7e8e8502fe210b587fcd" + "reference": "32c2c2d6580b1d8ab3c10b1e9e4dc263cc69bb04" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/1a156980d78a6666721b7e8e8502fe210b587fcd", - "reference": "1a156980d78a6666721b7e8e8502fe210b587fcd", + "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/32c2c2d6580b1d8ab3c10b1e9e4dc263cc69bb04", + "reference": "32c2c2d6580b1d8ab3c10b1e9e4dc263cc69bb04", "shasum": "" }, "require": { 
@@ -13623,7 +13618,7 @@ "support": { "issues": "https://github.com/sebastianbergmann/phpunit/issues", "security": "https://github.com/sebastianbergmann/phpunit/security/policy", - "source": "https://github.com/sebastianbergmann/phpunit/tree/9.6.17" + "source": "https://github.com/sebastianbergmann/phpunit/tree/9.6.18" }, "funding": [ { @@ -13639,7 +13634,7 @@ "type": "tidelift" } ], - "time": "2024-02-23T13:14:51+00:00" + "time": "2024-03-21T12:07:32+00:00" }, { "name": "sebastian/cli-parser", @@ -14163,16 +14158,16 @@ }, { "name": "sebastian/resource-operations", - "version": "3.0.3", + "version": "3.0.4", "source": { "type": "git", "url": "https://github.com/sebastianbergmann/resource-operations.git", - "reference": "0f4443cb3a1d92ce809899753bc0d5d5a8dd19a8" + "reference": "05d5692a7993ecccd56a03e40cd7e5b09b1d404e" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/sebastianbergmann/resource-operations/zipball/0f4443cb3a1d92ce809899753bc0d5d5a8dd19a8", - "reference": "0f4443cb3a1d92ce809899753bc0d5d5a8dd19a8", + "url": "https://api.github.com/repos/sebastianbergmann/resource-operations/zipball/05d5692a7993ecccd56a03e40cd7e5b09b1d404e", + "reference": "05d5692a7993ecccd56a03e40cd7e5b09b1d404e", "shasum": "" }, "require": { @@ -14184,7 +14179,7 @@ "type": "library", "extra": { "branch-alias": { - "dev-master": "3.0-dev" + "dev-main": "3.0-dev" } }, "autoload": { @@ -14205,8 +14200,7 @@ "description": "Provides a list of PHP built-in functions that operate on resources", "homepage": "https://www.github.com/sebastianbergmann/resource-operations", "support": { - "issues": "https://github.com/sebastianbergmann/resource-operations/issues", - "source": "https://github.com/sebastianbergmann/resource-operations/tree/3.0.3" + "source": "https://github.com/sebastianbergmann/resource-operations/tree/3.0.4" }, "funding": [ { 
@@ -14214,8 +14208,7 @@ "type": "github" } ], - "abandoned": true, - "time": "2020-09-28T06:45:17+00:00" + "time": "2024-03-14T16:00:52+00:00" }, { "name": "sebastian/type", @@ -14672,7 +14665,7 @@ } ], "aliases": [], - "minimum-stability": "dev", + "minimum-stability": "stable", "stability-flags": [], "prefer-stable": true, "prefer-lowest": false, From e5f45a59e2745fbeaabaca65c11968aad2180d7f Mon Sep 17 00:00:00 2001 From: Robert Zondervan Date: Wed, 27 Mar 2024 12:04:04 +0100 Subject: [PATCH 06/10] temporarily enable running this branch --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d6482a960..541f7a302 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,6 +7,7 @@ on: - development - version-* - feature-* + - fix/security-fixes pull_request: branches: - main From 8195066a3f6d29691782f695cd73d92f9fc8a82b Mon Sep 17 00:00:00 2001 From: Robert Zondervan Date: Wed, 27 Mar 2024 12:15:03 +0100 Subject: [PATCH 07/10] Give php container some time to start, run logs --- .github/workflows/release.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 541f7a302..765194764 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -168,6 +168,10 @@ jobs: run: docker images - name: Up the images run: docker compose up -d + - name: Wait for the containers to run + run: sleep 20 + - name: Dump logs + run: docker compose logs - name: Check images with Composer Audit run: docker compose exec php composer audit Unit: @@ -333,6 +337,8 @@ jobs: run: docker compose up -d - name: Wait for the containers to run run: sleep 20 + - name: Dump logs + run: docker compose logs - name: Database Update run: docker-compose exec -T php bin/console doctrine:schema:update --force Snyk: From 340dccfe6504d35323b26481325e34ad20b30569 Mon Sep 17 00:00:00 2001 
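Review bot: The new `Dump logs` step runs `docker compose logs` for all services unconditionally, in both hunks (@@ -168 and @@ -333), so whatever the containers print at startup lands verbatim in the workflow log; if the php or database container echoes its environment or connection strings, that is visible to anyone with read access to the repository's Actions runs. Limit it to what is actually being debugged and to the failure path, e.g. `if: failure()` on the step and `run: docker compose logs php --tail 200`. The preceding `sleep 20` is a fixed delay rather than a readiness check, so `composer audit` / `doctrine:schema:update` can still run against a container that has not finished starting; a short poll such as `run: timeout 120 sh -c 'until docker compose exec -T php php -v >/dev/null 2>&1; do sleep 2; done'` is more robust. The second hunk also keeps the legacy `docker-compose exec -T` spelling next to the new `docker compose` calls; pick one form for the job.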
From: Robert Zondervan Date: Wed, 27 Mar 2024 13:02:01 +0100 Subject: [PATCH 08/10] create vendor folder --- .github/workflows/release.yml | 34 ++++++++++++++++------------------ 1 file changed, 16 insertions(+), 18 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 765194764..13b3d09ad 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -140,10 +140,11 @@ jobs: export RELEASE=$VERSION.$(date --utc +%y%m%d); echo "RELEASE=$RELEASE" >> $GITHUB_ENV; echo "REGISTRY_BASE=$REGISTRY" >> $GITHUB_ENV; - - name: Setting APP_NAME + - name: Create vendor folder run: | - export NAME=$(grep APP_NAME= .env | cut -d '=' -f2) - echo "APP_NAME=$NAME" >> $GITHUB_ENV + mkdir api/vendor + chmod +777 api/vendor + chmod +777 -R api/public - name: Print app name run: echo "APP_NAME = $APP_NAME" - name: Setting APP_ENV to dev @@ -207,12 +208,11 @@ jobs: export RELEASE=$VERSION.$(date --utc +%y%m%d); echo "RELEASE=$RELEASE" >> $GITHUB_ENV; echo "REGISTRY_BASE=$REGISTRY" >> $GITHUB_ENV; - - name: Setting APP_NAME + - name: Create vendor folder run: | - export NAME=$(grep APP_NAME= .env | cut -d '=' -f2) - echo "APP_NAME=$NAME" >> $GITHUB_ENV - - name: Print app name - run: echo "APP_NAME = $APP_NAME" + mkdir api/vendor + chmod +777 api/vendor + chmod +777 -R api/public - name: Setting APP_ENV to dev run: | echo "APP_ENV=dev">> $GITHUB_ENV @@ -307,12 +307,11 @@ jobs: export RELEASE=$VERSION.$(date --utc +%y%m%d); echo "RELEASE=$RELEASE" >> $GITHUB_ENV; echo "REGISTRY_BASE=$REGISTRY" >> $GITHUB_ENV; - - name: Setting APP_NAME + - name: Create vendor folder run: | - export NAME=$(grep APP_NAME= .env | cut -d '=' -f2) - echo "APP_NAME=$NAME" >> $GITHUB_ENV - - name: Print app name - run: echo "APP_NAME = $APP_NAME" + mkdir api/vendor + chmod +777 api/vendor + chmod +777 -R api/public - name: Setting APP_ENV to dev run: | echo "APP_ENV=dev">> $GITHUB_ENV 
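Review bot: In the first hunk (@@ -140) the `Setting APP_NAME` step is replaced by `Create vendor folder` but the following `Print app name` step is kept, so it now echoes an unset `$APP_NAME`; the other three hunks (@@ -207, @@ -307 and @@ -384) remove both steps. Either drop the leftover step here as well, or keep the setter if a later step in this job still reads `APP_NAME` for image naming — the rest of the job is outside the hunk, so I cannot tell. The new step also runs `chmod +777 -R api/public`, which makes the nginx web root (`root /srv/api/public` in the nginx config) and everything under it world-writable; on an ephemeral runner that is tolerable, but if these directories are bind-mounted into the containers, any process in any container can rewrite the files that are served, so prefer the narrowest mode that lets the container user write (for example a group-writable mode with the container's uid/gid) and explain the requirement in a comment on the step. Use `mkdir -p api/vendor` so a re-run of the job does not fail when the directory already exists.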
@@ -384,12 +383,11 @@ jobs: export RELEASE=$VERSION.$(date --utc +%y%m%d); echo "RELEASE=$RELEASE" >> $GITHUB_ENV; echo "REGISTRY_BASE=$REGISTRY" >> $GITHUB_ENV; - - name: Setting APP_NAME + - name: Create vendor folder run: | - export NAME=$(grep APP_NAME= .env | cut -d '=' -f2) - echo "APP_NAME=$NAME" >> $GITHUB_ENV - - name: Print app name - run: echo "APP_NAME = $APP_NAME" + mkdir api/vendor + chmod +777 api/vendor + chmod +777 -R api/public - name: Setting APP_ENV to dev run: | echo "APP_ENV=dev">> $GITHUB_ENV From 1b4e34c8329fe0ae4ce6ac1bca4e42f813043e68 Mon Sep 17 00:00:00 2001 From: Robert Zondervan Date: Wed, 27 Mar 2024 13:26:57 +0100 Subject: [PATCH 09/10] remove fix/security-fixes branch from branches to run action from --- .github/workflows/release.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 13b3d09ad..67edde048 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,7 +7,6 @@ on: - development - version-* - feature-* - - fix/security-fixes pull_request: branches: - main From 3252548d78b5f789e8c2ca8daf95820c36200854 Mon Sep 17 00:00:00 2001 From: Robert Zondervan Date: Wed, 27 Mar 2024 15:47:57 +0100 Subject: [PATCH 10/10] Add generating an SBOM file --- .github/workflows/release.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 67edde048..a99e1512e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -481,3 +481,15 @@ jobs: - name: Chores if: (success() || failure()) run: docker-compose down + + Generate-SBOM: + needs: [Dependency-check,Database,Docker-Scout] + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: advanced-security/generate-sbom-action@v1 + id: gensbom + - uses: actions/upload-artifact@v3 + with: + name: sbom + path: ${{ steps.gensbom.outputs.fileName }}
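Review bot: The three actions in the new `Generate-SBOM` job are referenced by mutable tags (`actions/checkout@v3`, `advanced-security/generate-sbom-action@v1`, `actions/upload-artifact@v3`), so the job that produces the repository's own supply-chain evidence is not itself pinned; pin each `uses:` to a full commit SHA with the tag as a trailing comment (`# v3`) so Dependabot can still track it. `actions/checkout` and `actions/upload-artifact` also have a v4 major available, and the v3 lines run on a Node runtime GitHub has deprecated. The job declares no `permissions:` block; if the workflow-level default is not read-only (the top of the file is outside this hunk), add `permissions: contents: read` so the SBOM job cannot write to the repository. Style: `needs: [Dependency-check,Database,Docker-Scout]` should have a space after each comma, matching the flow-sequence convention used elsewhere in the file.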