Updated dockerfile deps and workflows

.github/workflows/build-images.yaml

@@ -10,27 +10,33 @@ on:
  branches: [master]
  paths-ignore:
  - "charts/**"
+
+permissions: read-all
+
 env:
- IMAGES: docker.io/hapiproject/hapi
+ IMAGES: |
+ ghcr.io/${{ github.repository }}
+ # docker.io/hapiproject/hapi
  PLATFORMS: linux/amd64,linux/arm64/v8
 
 jobs:
  build:
  name: Build
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
+ permissions:
+ packages: write
  steps:
  - name: Container meta for default (distroless) image
  id: docker_meta
- uses: docker/metadata-action@v3
+ uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
  with:
  images: ${{ env.IMAGES }}
  tags: |
  type=match,pattern=image-(.*),group=1,enable=${{github.event_name != 'pull_request'}}
-
 
  - name: Container meta for tomcat image
  id: docker_tomcat_meta
- uses: docker/metadata-action@v3
+ uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
  with:
  images: ${{ env.IMAGES }}
  tags: |
@@ -39,20 +45,28 @@ jobs:
  suffix=-tomcat,onlatest=true
 
  - name: Set up QEMU
- uses: docker/setup-qemu-action@v1
+ uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 
  - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v1
+ uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+ # - name: Login to DockerHub
+ # uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ # if: github.event_name != 'pull_request'
+ # with:
+ # username: ${{ secrets.DOCKERHUB_USERNAME }}
+ # password: ${{ secrets.DOCKERHUB_TOKEN }}
 
- - name: Login to DockerHub
- uses: docker/login-action@v1
- if: github.event_name != 'pull_request'
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ if: ${{ github.event_name != 'pull_request' }}
  with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ github.token }}
 
  - name: Cache Docker layers
- uses: actions/cache@v2
+ uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
  with:
  path: /tmp/.buildx-cache
  key: ${{ runner.os }}-buildx-${{ github.sha }}
@@ -61,7 +75,7 @@ jobs:
 
  - name: Build and push default (distroless) image
  id: docker_build
- uses: docker/build-push-action@v2
+ uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
  with:
  cache-from: type=local,src=/tmp/.buildx-cache
  cache-to: type=local,dest=/tmp/.buildx-cache
@@ -73,7 +87,7 @@ jobs:
 
  - name: Build and push tomcat image
  id: docker_build_tomcat
- uses: docker/build-push-action@v2
+ uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
  with:
  cache-from: type=local,src=/tmp/.buildx-cache
  cache-to: type=local,dest=/tmp/.buildx-cache

.github/workflows/chart-release.yaml

@@ -7,16 +7,22 @@ on:
  paths:
  - "charts/**"
 
+permissions: read-all
+
 jobs:
  release:
  runs-on: ubuntu-22.04
+ permissions:
+ contents: write
+ # if we deice to push the chart to ghcr.io as well, uncomment the following:
+ # packages: write
  steps:
  - name: Add workspace as safe directory
  run: |
  git config --global --add safe.directory /__w/hapi-fhir-jpaserver-starter/hapi-fhir-jpaserver-starter
 
  - name: Checkout
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
  with:
  fetch-depth: 0
 

.github/workflows/chart-test.yaml

@@ -7,6 +7,8 @@ on:
  paths:
  - "charts/**"
 
+permissions: read-all
+
 jobs:
  lint:
  runs-on: ubuntu-22.04
@@ -27,7 +29,7 @@ jobs:
  git config --global --add safe.directory /__w/hapi-fhir-jpaserver-starter/hapi-fhir-jpaserver-starter
 
  - name: Checkout
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
  with:
  fetch-depth: 0
 
@@ -41,12 +43,12 @@ jobs:
  runs-on: ubuntu-22.04
  strategy:
  matrix:
- k8s-version: [1.25.9, 1.26.4, 1.27.2]
+ k8s-version: [1.25.11, 1.26.6, 1.27.3, 1.28.0]
  needs:
  - lint
  steps:
  - name: Checkout
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
  with:
  fetch-depth: 0
 
@@ -62,7 +64,7 @@ jobs:
  fi
 
  - name: Create k8s Kind Cluster
- uses: helm/kind-action@fa81e57adff234b2908110485695db0f181f3c67 # v1.7.0
+ uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
  if: ${{ steps.list-changed.outputs.changed == 'true' }}
  with:
  cluster_name: kind-cluster-k8s-${{ matrix.k8s-version }}

.github/workflows/maven.yml

@@ -14,16 +14,17 @@ on:
  paths-ignore:
  - "charts/**"
 
+permissions: read-all
+
 jobs:
  build:
-
- runs-on: ubuntu-latest
-
+ runs-on: ubuntu-22.04
  steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
  - name: Set up JDK 17
- uses: actions/setup-java@v1
+ uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
  with:
+ distribution: temurin
  java-version: 17
  - name: Build with Maven
  run: mvn -B package --file pom.xml verify

.github/workflows/smoke-tests.yml

@@ -6,35 +6,34 @@ name: Smoke Tests
 on:
  push:
  branches:
- - '**'
+ - "**"
  paths-ignore:
  - "charts/**"
  pull_request:
- branches: [ master ]
+ branches: [master]
  paths-ignore:
  - "charts/**"
 
+permissions: read-all
+
 jobs:
  build_and_smoke_test:
-
- runs-on: ubuntu-latest
-
+ runs-on: ubuntu-22.04
  steps:
- - name: Checkout project
- uses: actions/checkout@v2
- - name: Set up JDK 17
- uses: actions/setup-java@v1
- with:
- java-version: 17
- - name: Build with Maven
- run: mvn -B package --file pom.xml -Dmaven.test.skip=true
- - name: Docker Pull HTTP client
- run: docker pull jetbrains/intellij-http-client
- - name: Start server with jetty
- run: |
- mvn jetty:run & export JPA_PROCESS=$!
- sleep 80
- - name: Execute smoke tests
- run: docker run --rm -v $PWD:/workdir --add-host host.docker.internal:host-gateway jetbrains/intellij-http-client -D src/test/smoketest/plain_server.http --env-file src/test/smoketest/http-client.env.json --env default
-
-
+ - name: Checkout project
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - name: Set up JDK 17
+ uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
+ with:
+ distribution: temurin
+ java-version: 17
+ - name: Build with Maven
+ run: mvn -B package --file pom.xml -Dmaven.test.skip=true
+ - name: Docker Pull HTTP client
+ run: docker pull jetbrains/intellij-http-client
+ - name: Start server with jetty
+ run: |
+ mvn jetty:run & export JPA_PROCESS=$!
+ sleep 80
+ - name: Execute smoke tests
+ run: docker run --rm -v $PWD:/workdir --add-host host.docker.internal:host-gateway jetbrains/intellij-http-client -D src/test/smoketest/plain_server.http --env-file src/test/smoketest/http-client.env.json --env default

Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/library/maven:3.9.4-eclipse-temurin-17 AS build-hapi
+FROM docker.io/library/maven:3.9.5-eclipse-temurin-17 AS build-hapi
 WORKDIR /tmp/hapi-fhir-jpaserver-starter
 
 ARG OPENTELEMETRY_JAVA_AGENT_VERSION=1.31.0
@@ -36,7 +36,7 @@ COPY --from=build-hapi --chown=1001:1001 /tmp/hapi-fhir-jpaserver-starter/opente
 ENV ALLOW_EMPTY_PASSWORD=yes
 
 ########### distroless brings focus on security and runs on plain spring boot - this is the default image
-FROM gcr.io/distroless/java17-debian11:nonroot AS default
+FROM gcr.io/distroless/java17-debian12:nonroot AS default
 # 65532 is the nonroot user's uid
 # used here instead of the name to allow Kubernetes to easily detect that the container
 # is running as a non-root (uid != 0) user.