Skip to content

Bump io.hypersistence:hypersistence-utils-hibernate-63 from 3.8.3 to … #19890

Bump io.hypersistence:hypersistence-utils-hibernate-63 from 3.8.3 to …

Bump io.hypersistence:hypersistence-utils-hibernate-63 from 3.8.3 to … #19890

Workflow file for this run

name: Security
on:
pull_request:
branches:
- "main"
- "release/**"
push:
branches:
- "main"
- "release/**"
tags:
- "v*"
defaults:
run:
shell: bash
permissions:
contents: read
env:
LC_ALL: C.UTF-8
jobs:
dependencies:
name: Dependency Check
runs-on: mirror-node-linux-large
if: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Checkout Code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Node
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 21
- name: Install JDK
uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
with:
distribution: temurin
java-version: 21
- name: Setup Gradle
uses: gradle/actions/setup-gradle@d156388eb19639ec20ade50009f3d199ce1e2808 # v4
with:
gradle-home-cache-includes: |
caches
notifications
jdks
dependency-check-data
# write a cache on all executions to ensure the NVD data stays up-to-date
cache-read-only: false
- name: Vulnerability check
env:
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
run: ./gradlew dependencyCheckAggregate
- name: Upload report
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: failure()
with:
name: dependency-check-report
path: build/reports/dependency-check-report.html
gosec:
name: GoSec Code Scan
env:
GO111MODULE: on
runs-on: mirror-node-linux-large
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Checkout Code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
path: tmp
- name: Copy hedera-mirror-rosetta to workspace root
working-directory: .
run: |
cp -r tmp/hedera-mirror-rosetta/* .
rm -fr tmp
- name: Setup Node
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 21
- name: Setup GoLang
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: 1.22
- name: Run Gosec Security Scanner
uses: securego/gosec@d4617f51baf75f4f809066386a4f9d27b3ac3e46 # v2.21.4
with:
args: ./...
sonar:
if: github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
name: SonarCloud
runs-on: mirror-node-linux-large
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Checkout Code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Setup Node
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 21
- name: Install JDK
uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
with:
distribution: temurin
java-version: 21
- name: Setup Gradle
uses: gradle/actions/setup-gradle@d156388eb19639ec20ade50009f3d199ce1e2808 # v4
- name: Cache SonarCloud dependencies
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Execute Gradle
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: ./gradlew build sonar -x test
snyk:
if: github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
name: Snyk Open Source
runs-on: mirror-node-linux-large
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Checkout Code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Node
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 21
- name: Install JDK
uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
with:
distribution: temurin
java-version: 21
- name: Setup Gradle
uses: gradle/actions/setup-gradle@d156388eb19639ec20ade50009f3d199ce1e2808 # v4
- name: Setup Snyk
run: npm install -g snyk-to-html @wcj/html-to-markdown-cli
- name: Execute Snyk Test
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run: ./gradlew snyk-test
- name: Publish Snyk Results
continue-on-error: true
if: ${{ !cancelled() && always() }}
run: |
report="build/reports/snyk-test"
if [[ -f ${report}.json ]]; then
snyk-to-html -i ${report}.json -o ${report}.html && \
html-to-markdown ${report}.html -o build/reports && \
cat ${report}.html.md >> $GITHUB_STEP_SUMMARY
fi
snyk-code:
if: github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
name: Snyk Code
runs-on: mirror-node-linux-large
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Checkout Code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Node
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 21
- name: Install JDK
uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
with:
distribution: temurin
java-version: 21
- name: Setup Gradle
uses: gradle/actions/setup-gradle@d156388eb19639ec20ade50009f3d199ce1e2808 # v4
- name: Setup Snyk
run: npm install -g snyk-to-html @wcj/html-to-markdown-cli
- name: Execute Snyk Code Test
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run: ./gradlew snyk-code
- name: Publish Snyk Results
continue-on-error: true
if: ${{ !cancelled() && always() }}
run: |
report="build/reports/snyk-code"
if [[ -f ${report}.json ]]; then
snyk-to-html -i ${report}.json -o ${report}.html && \
html-to-markdown ${report}.html -o build/reports && \
cat ${report}.html.md >> $GITHUB_STEP_SUMMARY
fi