Merge Master to Main #2934
base: main
Artifactory
…bom/org.springframework-spring-web-6.0.23
…/efiling-bom/org.springframework-spring-web-6.0.23 Bump org.springframework:spring-web from 6.0.19 to 6.0.23 in /src/backend/libs/efiling-bom
fix frontend vulnerabilities
fix frontend vulnerability
…ng-demo/semver-5.7.2
…ng-frontend/semver-5.7.2
…end/efiling-demo/semver-5.7.2 Bump semver from 5.7.1 to 5.7.2 in /src/frontend/efiling-demo
…ng-frontend/semver-5.7.2
…end/efiling-frontend/semver-5.7.2 Bump semver from 5.7.1 to 5.7.2 in /src/frontend/efiling-frontend
Feature/fla 1576 vulnerabilities
Update dev-efiling-api-build.yaml
React Shared Components
Move to SNAPSHOT
November Vulnerabilities.
Update code-climate-coverage-aggregation.yml
| env: | ||
| FILE_COUNTER: 0 | ||
| ACTION_DEBUG: true | ||
|
|
||
| name: Build and Test React Apps | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Printing node and yarn versions | ||
| run: node --version && yarn --version | ||
| # Figure out where yarn is caching things | ||
| - name: Yarn Cache | ||
| run: yarn cache dir | ||
|
|
||
| # Run Yarn Install - eFiling Frontend | ||
| - name: Run Yarn Install - eFiling Frontend | ||
| run: yarn --cwd src/frontend/efiling-frontend install | ||
|
|
||
| # Check lint version | ||
| - name: Check lint - eFiling Frontend | ||
| run: yarn --cwd src/frontend/efiling-frontend run lint -v | ||
|
|
||
| # Run lint - eFiling Frontend | ||
| - name: Run lint - eFiling Frontend | ||
| run: yarn --cwd src/frontend/efiling-frontend run lint | ||
|
|
||
| # Yarn Coverage - eFiling Frontend | ||
| - name: Run Yarn Coverage - eFiling Frontend | ||
| run: yarn --cwd /home/runner/work/jag-file-submission/jag-file-submission/src/frontend/efiling-frontend coverage | ||
|
|
||
| # Run Yarn Install - eFiling Demo | ||
| - name: Run Yarn Install - eFiling Demo | ||
| run: yarn --cwd src/frontend/efiling-demo install | ||
|
|
||
| # Run lint - eFiling Demo | ||
| - name: Run lint - eFiling Demo | ||
| run: yarn --cwd src/frontend/efiling-demo run lint | ||
|
|
||
| # Yarn Coverage - eFiling Demo | ||
| - name: Run Yarn Coverage - eFiling Demo | ||
| run: yarn --cwd /home/runner/work/jag-file-submission/jag-file-submission/src/frontend/efiling-demo coverage | ||
|
|
||
| # Formatting the FRONTEND DEMO coverage report | ||
| #- name: Format the FRONTEND DEMO coverage report | ||
| # run: | | ||
| # pushd . | ||
| # cd ${{github.workspace}}/src/frontend/efiling-demo/ | ||
| # ${{github.workspace}}/cc-test-reporter format-coverage -t lcov -o ${{github.workspace}}/coverage/frontend-demo-codeclimate.json coverage/lcov.info | ||
| # popd | ||
| # Implement Caching Action for Yarn Project | ||
| - name: Cache node modules | ||
| uses: actions/cache@v4 | ||
| env: | ||
| cache-name: cache-node-modules | ||
| with: | ||
| # YARN cache files are stored in `/home/runner/.cache/yarn/v6` on git actions | ||
| path: /home/runner/.cache/yarn/v6 | ||
| key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-build-${{ env.cache-name }}- | ||
| ${{ runner.os }}-build- | ||
| ${{ runner.os }}- | ||
|
|
||
|
|
||
|
|
||
|
|
||
| spring-boot: |
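Review bot: the `Cache node modules` step keys the cache on `hashFiles('**/package-lock.json')`, but every install step in this job uses yarn, so the key should hash `**/yarn.lock`; if the repository has no package-lock.json, the hash is empty and the same cache entry is reused however the dependencies change. The step also sits after both `yarn ... install` steps, so a restored cache cannot help them; move it above `Run Yarn Install - eFiling Frontend`. The two coverage steps hard-code `/home/runner/work/jag-file-submission/...`, where the relative `src/frontend/...` form used by the install and lint steps would survive a runner or repository rename.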
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 7 days ago
To address this issue, we need to explicitly set a permissions key at the top level of the workflow file .github/workflows/build-and-test-apps.yml. This key should grant only the minimum necessary access for the jobs in the workflow. Since all current jobs merely build, test, and cache artifacts but do not perform any write operations (e.g., creating releases, commenting, or pushing code), we can safely set contents: read globally. This should be inserted before the jobs: section, right after the name: and on: keys (typically after line 7 or 8 in the current file). No additional methods, imports, or definitions are required.
| @@ -6,6 +6,9 @@ | ||
| pull_request: | ||
| branches: [master] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| yarn: | ||
| env: |
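Review bot: a root-level `permissions` block sets every scope that is not listed to none for both `yarn` and `spring-boot`, so confirm that no step needs more than `contents: read` before applying it; a job that does should get its own job-level `permissions` rather than a wider root block. The second autofix suggestion for this file proposes the same block directly under `name:`; apply only one of the two, since a second top-level `permissions` key would be a duplicate mapping key. Separately, the context lines show `pull_request:` limited to `branches: [master]`; if pull requests will target `main` after this merge, add `main` to that filter or these checks will not run on them.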
| name: Build and Test Java | ||
| runs-on: ubuntu-latest | ||
| env: | ||
| FILE_COUNTER: 0 | ||
| ACTION_DEBUG: true | ||
|
|
||
| steps: | ||
| - name: Checkout Spring Starters Repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: bcgov/spring-boot-starters | ||
| path: spring-boot-starters | ||
| ref: v1.0.5 | ||
|
|
||
| # Setup Java Environment | ||
| - name: Set up JDK 17 | ||
| uses: actions/setup-java@v1 | ||
| with: | ||
| java-version: 17 | ||
|
|
||
| # TODO REMOVE AFTER SFTP IS IN MAVEN CENTRAL | ||
| - name: Build Spring Starters | ||
| run: mvn install -P all --file ./spring-boot-starters/src/pom.xml | ||
|
|
||
| - name: Checkout File Submission Repository | ||
| uses: actions/checkout@v2 | ||
|
|
||
|
|
||
| # Trimming the ref to master in order to publish correct report (paambaati) | ||
| - name: Set ref/head/master to master | ||
| run: | | ||
| echo "GIT_BRANCH=master" >> $GITHUB_ENV | ||
| #echo "::set-env name=GIT_BRANCH::master" | ||
| if: env.GIT_BRANCH == 'refs/heads/master' | ||
|
|
||
| #- uses: actions/cache@v1 | ||
| # with: | ||
| # path: ~/.m2/repository | ||
| # key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} | ||
| # restore-keys: | | ||
| # ${{ runner.os }}-maven- | ||
|
|
||
| #Set env again?? | ||
| - name: Set up JDK 17 | ||
| uses: actions/setup-java@v1 | ||
| with: | ||
| java-version: 17 | ||
|
|
||
| # Run Maven Verify to generate all jacoco reports | ||
| - name: Build with Maven | ||
| run: mvn -B verify -P all --file src/backend/pom.xml |
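Review bot: the action versions in this job are inconsistent and old: the starters checkout uses `actions/checkout@v4`, while `Checkout File Submission Repository` uses `actions/checkout@v2` and both JDK steps use `actions/setup-java@v1`. Align them on a current major (newer setup-java majors require a `distribution` input) and consider pinning each action to a commit SHA. `Set up JDK 17` appears twice with identical inputs, and the `Set ref/head/master to master` step is guarded by `env.GIT_BRANCH`, which nothing in the lines shown sets, so it looks as if it never runs.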
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 7 days ago
To address the issue, add a permissions block setting the minimal necessary permissions to either the workflow root or to each individual job (if jobs have different needs). In this workflow, the jobs only check out code, install dependencies, build, and test; they do not require write access to any GitHub objects, so contents: read is sufficient. Insert the following under the workflow name (line 1) to apply to all jobs:
permissions:
  contents: read
This ensures the workflow token only has read access to repository contents. No actions in the current jobs require additional write access. Edit .github/workflows/build-and-test-apps.yml as described.
| @@ -1,4 +1,6 @@ | ||
| name: Build and Test Apps | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
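A small check for the condition the CodeQL alert above reports, added here as an example (it is not part of this PR or of CodeQL): it lists the jobs that have no `permissions` key when the workflow root has none either. The function name and the sample workflow are constructed, and the scan is line-based, assuming space-indented block-style YAML rather than using a full YAML parser.

```python
import re

KEY = re.compile(r"^(\s*)([A-Za-z0-9_-]+):")   # a mapping key and its indent

def jobs_missing_permissions(workflow_text):
    """List jobs that run with the default GITHUB_TOKEN scopes:
    no `permissions` key on the job and none at the workflow root."""
    root_has_permissions = in_jobs = False
    job_indent = child_indent = current = None
    jobs = {}                      # job id -> True if it sets its own permissions
    for line in workflow_text.splitlines():
        m = KEY.match(line)
        if not m:                  # blanks, comments, list items, script lines
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:            # top-level key: track `jobs` and `permissions`
            in_jobs = key == "jobs"
            root_has_permissions |= key == "permissions"
        elif in_jobs:
            if job_indent is None:
                job_indent = indent
            if indent == job_indent:           # a new job id
                current, child_indent = key, None
                jobs[current] = False
            elif current is not None:
                if child_indent is None:       # first key directly under the job
                    child_indent = indent
                if indent == child_indent and key == "permissions":
                    jobs[current] = True
    return [] if root_has_permissions else [j for j, ok in jobs.items() if not ok]

# Constructed sample modelled on the workflow in this PR (not the real file).
BEFORE = """\
name: Build and Test Apps
on:
  pull_request:
    branches: [master]
jobs:
  yarn:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  spring-boot:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
AFTER = BEFORE.replace("jobs:\n", "permissions:\n  contents: read\njobs:\n")

print(jobs_missing_permissions(BEFORE), jobs_missing_permissions(AFTER))
```
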
Update zap-baseline.yaml
Description
This PR includes the following proposed change(s):
Type of change
if your change is a breaking change, please add the breaking change label to this PR
How Has This Been Tested?
Please describe the tests that you ran to verify your changes.
Does the change impact or break the Docker build?
If Yes: Has Docker been updated accordingly?
Checklist: