diff --git a/.github/workflows/first-interaction.yaml b/.github/workflows/first-interaction.yaml index 2adda1e1d5..8ba6ce01da 100644 --- a/.github/workflows/first-interaction.yaml +++ b/.github/workflows/first-interaction.yaml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/first-interaction@v3 + - uses: actions/first-interaction@v3.1.0 with: repo_token: ${{ secrets.PAT_SECRET }} issue_message: |- diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index e35cf8dc37..dcb8d84d32 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -92,7 +92,7 @@ jobs: - 5672:5672 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v6.0.2 with: ref: ${{ inputs.revision == '0-SNAPSHOT' && github.ref || inputs.revision }} @@ -109,7 +109,7 @@ jobs: gpg-passphrase: MAVEN_GPG_PASSPHRASE - name: Cache local Maven repository - uses: actions/cache@v5 + uses: actions/cache@v5.0.4 with: path: ~/.m2/repository key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} diff --git a/.github/workflows/release_docker.yaml b/.github/workflows/release_docker.yaml index 343ad0781b..fc83d9f297 100644 --- a/.github/workflows/release_docker.yaml +++ b/.github/workflows/release_docker.yaml @@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v6.0.2 - name: "Release ${{ inputs.revision }}" run: echo "Releasing ${{ inputs.revision }}" @@ -57,7 +57,7 @@ jobs: done - name: Log into Docker Hub - uses: docker/login-action@v4 + uses: docker/login-action@v4.1.0 with: username: ${{ vars.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} diff --git a/.github/workflows/reusable_workflow_license-scan.yaml b/.github/workflows/reusable_workflow_license-scan.yaml index 85ad434427..27b6d3bc12 100644 --- a/.github/workflows/reusable_workflow_license-scan.yaml +++ b/.github/workflows/reusable_workflow_license-scan.yaml 
@@ -24,19 +24,19 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v6.0.2 with: ref: ${{ inputs.ref }} - name: Set up JDK & Maven Central credentials - uses: actions/setup-java@v5 + uses: actions/setup-java@v5.2.0 with: distribution: 'temurin' java-version: 21 cache: 'maven' - name: Cache local Maven repository - uses: actions/cache@v5 + uses: actions/cache@v5.0.4 with: path: ~/.m2/repository key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} diff --git a/.github/workflows/reusable_workflow_tag.yaml b/.github/workflows/reusable_workflow_tag.yaml index 38fe653158..6059ea15c1 100644 --- a/.github/workflows/reusable_workflow_tag.yaml +++ b/.github/workflows/reusable_workflow_tag.yaml @@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v6.0.2 # should work with actions/checkout@v6 with fetch-tags: true, BUT it doesn't work as expected! # See https://github.com/actions/checkout/issues/1471. diff --git a/.github/workflows/reusable_workflow_trivy-scan.yaml b/.github/workflows/reusable_workflow_trivy-scan.yaml index 4019c560a2..edb7948de6 100644 --- a/.github/workflows/reusable_workflow_trivy-scan.yaml +++ b/.github/workflows/reusable_workflow_trivy-scan.yaml @@ -23,12 +23,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.2 with: ref: ${{ inputs.ref }} - name: Set up JDK - uses: actions/setup-java@v5 + uses: actions/setup-java@v5.2.0 with: distribution: "temurin" java-version: 21 
@@ -42,61 +42,110 @@ jobs: ./build_dev.sh && \ cd ../../.. - - name: Determine most recent Trivy version - run: | - echo "TRIVY_VERSION=$(wget -qO - 'https://api.github.com/repos/aquasecurity/trivy/releases/latest' | \ - grep '\"tag_name\":' | sed -E 's/.*\"v([^\"]+)\".*/\1/')" >> $GITHUB_ENV + - name: Create scan output directory + run: mkdir -p scans - - name: Install Trivy - run: | - wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz -O - | tar -zxvf - + - name: Scan hawkbit-ddi-server + uses: aquasecurity/trivy-action@v0.35.0 + with: + image-ref: 'hawkbit/hawkbit-ddi-server:latest' + ignore-unfixed: true + trivyignores: .github/workflows/.trivyignore + severity: 'HIGH,CRITICAL' + vuln-type: 'library' + format: 'sarif' + output: 'scans/hawkbit-ddi-server.sarif' - - name: Scan Docker images - run: | - mkdir -p scans/eclipse-hawkbit/hawkbit - for IMAGE in $(docker image ls --format "{{.Repository}}:{{.Tag}}" "hawkbit/hawkbit-*:latest"); do - echo "Scanning image ${IMAGE} ..." - ./trivy image "${IMAGE}" --ignore-unfixed --ignorefile .github/workflows/.trivyignore --severity HIGH,CRITICAL --vuln-type library --output "scans/eclipse-hawkbit/${IMAGE}.sarif" --format sarif - done + - name: Scan hawkbit-dmf-server + uses: aquasecurity/trivy-action@v0.35.0 + with: + image-ref: 'hawkbit/hawkbit-dmf-server:latest' + ignore-unfixed: true + trivyignores: .github/workflows/.trivyignore + severity: 'HIGH,CRITICAL' + vuln-type: 'library' + format: 'sarif' + output: 'scans/hawkbit-dmf-server.sarif' - - name: Check if to upload scan results - run: | - if [ "${{ inputs.upload }}" = "true" ]; then - echo "Uploading scan results..." - else - echo "Skipping upload of scan results." 
- exit 0 - fi + - name: Scan hawkbit-mgmt-server + uses: aquasecurity/trivy-action@v0.35.0 + with: + image-ref: 'hawkbit/hawkbit-mgmt-server:latest' + ignore-unfixed: true + trivyignores: .github/workflows/.trivyignore + severity: 'HIGH,CRITICAL' + vuln-type: 'library' + format: 'sarif' + output: 'scans/hawkbit-mgmt-server.sarif' + + - name: Scan hawkbit-ui + uses: aquasecurity/trivy-action@v0.35.0 + with: + image-ref: 'hawkbit/hawkbit-ui:latest' + ignore-unfixed: true + trivyignores: .github/workflows/.trivyignore + severity: 'HIGH,CRITICAL' + vuln-type: 'library' + format: 'sarif' + output: 'scans/hawkbit-ui.sarif' + + - name: Scan hawkbit-update-server + uses: aquasecurity/trivy-action@v0.35.0 + with: + image-ref: 'hawkbit/hawkbit-update-server:latest' + ignore-unfixed: true + trivyignores: .github/workflows/.trivyignore + severity: 'HIGH,CRITICAL' + vuln-type: 'library' + format: 'sarif' + output: 'scans/hawkbit-update-server.sarif' + + - name: Scan hawkbit-repository-jpa-init + uses: aquasecurity/trivy-action@v0.35.0 + with: + image-ref: 'hawkbit/hawkbit-repository-jpa-init:latest' + ignore-unfixed: true + trivyignores: .github/workflows/.trivyignore + severity: 'HIGH,CRITICAL' + vuln-type: 'library' + format: 'sarif' + output: 'scans/hawkbit-repository-jpa-init.sarif' - name: Upload Docker image scan results to GitHub Security tab hawkbit-ddi-server - uses: github/codeql-action/upload-sarif@v4 + if: ${{ inputs.upload }} + uses: github/codeql-action/upload-sarif@v4.35.1 with: - sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-ddi-server:latest.sarif' + sarif_file: 'scans/hawkbit-ddi-server.sarif' category: "Container Images (hawkbit-ddi-server)" - name: Upload Docker image scan results to GitHub Security tab hawkbit-dmf-server - uses: github/codeql-action/upload-sarif@v4 + if: ${{ inputs.upload }} + uses: github/codeql-action/upload-sarif@v4.35.1 with: - sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-dmf-server:latest.sarif' + sarif_file: 
'scans/hawkbit-dmf-server.sarif' category: "Container Images (hawkbit-dmf-server)" - name: Upload Docker image scan results to GitHub Security tab hawkbit-mgmt-server - uses: github/codeql-action/upload-sarif@v4 + if: ${{ inputs.upload }} + uses: github/codeql-action/upload-sarif@v4.35.1 with: - sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-mgmt-server:latest.sarif' + sarif_file: 'scans/hawkbit-mgmt-server.sarif' category: "Container Images (hawkbit-mgmt-server)" - name: Upload Docker image scan results to GitHub Security tab hawkbit-ui - uses: github/codeql-action/upload-sarif@v4 + if: ${{ inputs.upload }} + uses: github/codeql-action/upload-sarif@v4.35.1 with: - sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-ui:latest.sarif' + sarif_file: 'scans/hawkbit-ui.sarif' category: "Container Images (hawkbit-ui)" - name: Upload Docker image scan results to GitHub Security tab hawkbit-update-server - uses: github/codeql-action/upload-sarif@v4 + if: ${{ inputs.upload }} + uses: github/codeql-action/upload-sarif@v4.35.1 with: - sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-update-server:latest.sarif' + sarif_file: 'scans/hawkbit-update-server.sarif' category: "Container Images (hawkbit-update-server)" - name: Upload Docker image scan results to GitHub Security tab hawkbit-repository-jpa-init - uses: github/codeql-action/upload-sarif@v4 + if: ${{ inputs.upload }} + uses: github/codeql-action/upload-sarif@v4.35.1 with: - sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-repository-jpa-init:latest.sarif' + sarif_file: 'scans/hawkbit-repository-jpa-init.sarif' category: "Container Images (hawkbit-repository-jpa-init)" \ No newline at end of file diff --git a/.github/workflows/reusable_workflow_verify.yaml b/.github/workflows/reusable_workflow_verify.yaml index 019de320b8..e50c2a4081 100644 --- a/.github/workflows/reusable_workflow_verify.yaml +++ b/.github/workflows/reusable_workflow_verify.yaml 
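Review bot: The new `if: ${{ inputs.upload }}` on the six upload-sarif steps is only correct if `upload` is declared `type: boolean` in the `workflow_call` inputs (the declaration is outside the hunk); if it is a string input, the value `'false'` is a non-empty string and is typically evaluated as truthy, so the uploads would run regardless, whereas the removed shell check compared the rendered text — either confirm the boolean declaration or compare explicitly with `if: ${{ inputs.upload == 'true' }}` for a string input. The new `uses:` references (`aquasecurity/trivy-action@v0.35.0`, `github/codeql-action/upload-sarif@v4.35.1`, and likewise the bumped `actions/*` and `docker/login-action` tags in the other files of this commit) are still mutable tags that the action owner or an attacker with push access to the action repository can move; pinning to the full commit SHA with the version in a trailing comment, `uses: aquasecurity/trivy-action@<full-commit-sha> # v0.35.0`, is what makes the pin tamper-resistant. The six copy-pasted scan steps replace a `docker image ls` loop that discovered every `hawkbit/hawkbit-*:latest` image, so an image added later is silently unscanned until someone adds a seventh block; a job-level `strategy.matrix` over the image names (outside this hunk) would reduce this to one scan step and one upload step. Note also that without `exit-code` set, `trivy-action` only reports and never fails the job on HIGH/CRITICAL findings, which matches a report-to-Security-tab workflow but deserves a comment on the first scan step if it is intentional.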
@@ -41,20 +41,20 @@ jobs: echo "Ref: ${{ inputs.ref }}," echo "Maven Properties: ${{ inputs.maven_properties }}" - - uses: actions/checkout@v6 + - uses: actions/checkout@v6.0.2 with: repository: ${{ inputs.repository }} ref: ${{ inputs.ref }} - name: Set up JDK - uses: actions/setup-java@v5 + uses: actions/setup-java@v5.2.0 with: distribution: 'temurin' java-version: 21 cache: 'maven' - name: Cache local Maven repository - uses: actions/cache@v5 + uses: actions/cache@v5.0.4 with: path: ~/.m2/repository key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index b49d669c7d..5061f8d201 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/stale@v10 + - uses: actions/stale@v10.2.0 with: repo-token: ${{ secrets.PAT_SECRET }} # disables automatic marking of issues as stale diff --git a/.github/workflows/style_check.yaml b/.github/workflows/style_check.yaml index b317034beb..8d6632c5f5 100644 --- a/.github/workflows/style_check.yaml +++ b/.github/workflows/style_check.yaml @@ -16,13 +16,13 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v6.0.2 with: repository: ${{ inputs.repository }} ref: ${{ inputs.ref }} - name: Set up JDK - uses: actions/setup-java@v5 + uses: actions/setup-java@v5.2.0 with: distribution: 'temurin' java-version: 21 diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/management/JpaRolloutManagement.java b/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/management/JpaRolloutManagement.java index b63a0ce811..754c6c1e1a 100644 --- a/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/management/JpaRolloutManagement.java 
+++ b/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/management/JpaRolloutManagement.java
@@ -607,7 +607,7 @@ private int updateTargetAssignedDsWithFirstActiveAction(List targetIds) {
 "SET t.assigned_distribution_set = ( " +
 "SELECT a.distribution_set" +
 " FROM sp_action a" +
- " WHERE a.target = t.id AND a.active = 1" +
+ " WHERE a.target = t.id AND a.active = TRUE" +
 " ORDER BY a.id ASC" +
 " LIMIT 1" +
 ") " +
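Review bot: The change from `a.active = 1` to `a.active = TRUE` in this native SQL fragment carries no comment, so the next reader cannot tell whether it is a portability fix or a schema change; a one-line comment above the string, `// boolean literal: PostgreSQL rejects comparing a boolean column with the integer 1, MySQL/MariaDB accept either form`, would preserve the reason. updateTargetAssignedDsWithFirstActiveAction starts and ends outside the hunk, so the way `targetIds` reaches this concatenated statement is not visible; the string-built form is only safe if the ids are bound as query parameters rather than interpolated into the text, which is worth confirming where the statement is executed.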