Skip to content

Commit

Permalink
fix: github action upgrades and coordinates. Upgrade logback to non-c…
Browse files Browse the repository at this point in the history 
…ritical version. Document the manual postprocessing of spring-web-5 to remove the critical invoker package.
  • Loading branch information
@drcgjung
drcgjung committed Feb 12, 2024
1 parent c16fa29 commit 2a17d34
Show file tree
Hide file tree
Showing 3 changed files with 15 additions and 3 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/helm-chart-lint.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ jobs:
# Preparing a kind cluster to install and test charts on
- name: Create kind cluster
uses: container-tools/kind-action@61f1afd4807b0dac84f3232ec99e45c63701d220 # v2.0.1
uses: container-tools/kind-action@0fc957b58d9a5bc9ca57a1b419324a2074c7653b # v2.0.3
with:
# upgrade version, default (v0.17.0) uses node image v1.21.1 and doesn't work with more recent node image versions
version: v0.20.0
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/veracode.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ jobs:
verify-formatting:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3.5.2
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- uses: ./.github/actions/setup-java

Check warning on line 48 in .github/workflows/veracode.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Expand Down Expand Up @@ -118,7 +118,7 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Tar gzip files for veracode upload
run: |-
tar --exclude='spring-web-5.3.28.jar' -czvf ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}.tar.gz ${{ matrix.variant.dir }}/target/lib/*.jar ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}-*.jar
tar --exclude='spring-web-5.3.31.jar' -czvf ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}.tar.gz ${{ matrix.variant.dir }}/target/lib/*.jar ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}-*.jar
- name: Veracode Upload And Scan
uses: veracode/veracode-uploadandscan-action@c3c0b78bddb42d5f6b10d70562f692215a410d7b #v1.0
if: |
Expand Down
12 changes: 12 additions & 0 deletions provisioning/pom.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,18 @@
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>${logback.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-core</artifactId>
<version>${logback.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-actuator</artifactId>
Expand Down

0 comments on commit 2a17d34

Please sign in to comment.