backport .github/workflows from develop to v1.17.x (#694)

* backport .github/workflows from develop branch (upcoming v2)

* update changelog

* revert github workflows to jdk 17 to match pom

* revert maven-verify workflow to mongodb

* try using mongo 8 in maven-verify workflow

  to prevent 'Error: Command failed: sudo systemctl start mongod'

  see ankane/setup-mongodb#6

  looks like mongo 8 is the lowest version supported by ankane/setup-mongodb for ubuntu 24 runners:

  https://github.com/ankane/setup-mongodb?tab=readme-ov-file#versions

* match mongo-setup db version to github runner version

* check with preliminary changes to maven-verify workflow

* Revert "check with preliminary changes to maven-verify workflow"

  This reverts commit ce3177d.

  the preliminary workflow resulted in successful tests, so we can patch the maven-verify workflow v2 (in the github-workflows repo)

* revert Dockerfile base images to from alpine to focal

  to prevent error "no match for platform in manifest" when building for arm64 architecture

* adapt adduser command to ubuntu (focal) in Dockerfile

  because the commands and option flags differ between alpine and focal

  we can now use adduser to create both user and group in one go (see man adduser)

Author: dennisvang

.github/workflows/build.yml

@@ -2,8 +2,14 @@ name: "Code Style"
 
 on:
   push:
+    branches:
+      - develop
   pull_request:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
 
   checkstyle:
@@ -16,10 +22,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DISTRIBUTION }}
           java-version: ${{ env.JAVA_VERSION }}
@@ -43,10 +49,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DISTRIBUTION }}
           java-version: ${{ env.JAVA_VERSION }}
@@ -70,10 +76,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DISTRIBUTION }}
           java-version: ${{ env.JAVA_VERSION }}

.github/workflows/code-style.yml

@@ -0,0 +1,29 @@
+name: Publish to Docker Hub
+
+on:
+  push:
+    branches:
+      - develop
+  pull_request:
+  release:
+    types:
+      - created
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  verify:
+    uses: FAIRDataTeam/github-workflows/.github/workflows/maven-verify.yml@v2
+    with:
+      java-version: 17
+      # todo: enable tests when test duration has been minimized
+      mvn-options: "-DskipTests"
+  publish:
+    needs: verify
+    uses: FAIRDataTeam/github-workflows/.github/workflows/docker-publish.yml@v2
+    secrets: inherit
+    with:
+      file: './Dockerfile'
+      push: ${{ github.event_name == 'push' || github.event_name == 'release' }}

.github/workflows/docker-publish.yml

@@ -0,0 +1,36 @@
+# https://docs.github.com/en/actions/use-cases-and-examples/building-and-testing/building-and-testing-java-with-maven
+
+name: Maven verify
+
+on:
+  push:
+    branches:
+      - develop
+  pull_request:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    strategy:
+      matrix:
+        runner:
+          # https://github.com/ankane/setup-mongodb?tab=readme-ov-file#versions
+          - os: ubuntu-24.04
+            mongo: 8
+          - os: windows-2022
+            mongo: 5
+          - os: macos-14
+            mongo: 8
+        java-version:
+          - 17
+    uses: FAIRDataTeam/github-workflows/.github/workflows/maven-verify.yml@v2
+    with:
+      runner: ${{ matrix.runner.os }}
+      java-version: ${{ matrix.java-version }}
+      # db settings must match testing profile
+      db-type: mongodb
+      db-version: ${{ matrix.runner.mongo }}  # see https://github.com/ankane/setup-mongodb/issues/6

.github/workflows/maven-verify.yml

@@ -2,12 +2,16 @@ name: "Security Audit"
 
 on:
   push:
-    branches: [ develop, master ]
+    branches:
+      - develop
   pull_request:
-    branches: [ develop ]
   schedule:
     - cron: '23 4 * * 1'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   codeql:
     name: CodeQL
@@ -23,10 +27,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DISTRIBUTION }}
           java-version: ${{ env.JAVA_VERSION }}
@@ -37,7 +41,7 @@ jobs:
           mvn --version
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
           languages: 'java'
 
@@ -46,7 +50,7 @@ jobs:
           mvn --quiet -B -U --fail-fast -DskipTests package
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
 
   snyk:
     name: Snyk (Maven)
@@ -59,7 +63,7 @@ jobs:
     steps:
 
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Perform Snyk Check (Maven)
         uses: snyk/actions/maven@master
@@ -83,12 +87,12 @@ jobs:
     steps:
 
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Docker build
         run: |
           docker pull $PUBLIC_IMAGE:$TAG_DEVELOP
-          docker build --cache-from $PUBLIC_IMAGE:$TAG_DEVELOP -t fdp:snyk-test -f Dockerfile.build .
+          docker build --cache-from $PUBLIC_IMAGE:$TAG_DEVELOP -t fdp:snyk-test -f Dockerfile .
 
       - name: Perform Snyk Check (Docker)
         uses: snyk/actions/docker@master

.github/workflows/security.yml

@@ -14,6 +14,7 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ### Changed
 
 - Cleaned up Dockerfile (backport)
+- Separate Github workflows for test and publish (backport)
 
 ## [1.17.2]
 

CHANGELOG.md

@@ -4,7 +4,7 @@
 ################################################################################
 # BUILD JAR
 
-FROM maven:3-eclipse-temurin-17-alpine AS builder
+FROM maven:3-eclipse-temurin-17-focal AS builder
 
 WORKDIR /builder
 
@@ -16,11 +16,12 @@ RUN mvn --quiet --batch-mode --update-snapshots --fail-fast -DskipTests package
 ################################################################################
 # BUILD IMAGE
 
-FROM eclipse-temurin:17-jdk-alpine
+FROM eclipse-temurin:17-jdk-focal
 
 # add non-root user to run the app
 # https://spring.io/guides/gs/spring-boot-docker
-RUN addgroup -S spring && adduser -S spring -G spring
+# on ubuntu the following creates a group with the same name as user
+RUN adduser spring --system --group
 USER spring:spring
 
 WORKDIR /fdp