Merge branch 'main' of github.com:directedproject-eu/pygeoapi-mca-process

Author: MartinPontius

.github/workflows/build-pipeline.yaml

@@ -30,10 +30,10 @@ jobs:
     steps:
     -
       name: Checkout Repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
     -
       name: Set up Docker Buildkit env
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@v4
     -
       name: Determine Branch or Tag
       id: determine
@@ -48,7 +48,7 @@ jobs:
     -
       name: Extract metadata (tags, labels) for tagging Docker Image
       id: meta
-      uses: docker/metadata-action@v5
+      uses: docker/metadata-action@v6
       with:
         images: "${{ env.IMAGE_TAG }}"
         labels: |
@@ -62,7 +62,7 @@ jobs:
     -
       name: Log in to Docker Hub
       if: github.event_name != 'pull_request'
-      uses: docker/login-action@v3
+      uses: docker/login-action@v4
       with:
         username: ${{ secrets.DOCKER_USERNAME }}
         password: ${{ secrets.DOCKER_TOKEN }}
@@ -80,7 +80,7 @@ jobs:
     #     ruff format --diff
     -
       name: Build and push Docker image
-      uses: docker/build-push-action@v6
+      uses: docker/build-push-action@v7
       with:
         context: "${{ env.BUILD_CONTEXT }}"
         build-args: |
@@ -96,7 +96,8 @@ jobs:
         cache-to: type=gha
     -
       name: Run trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@master
+      # get latest version from https://github.com/aquasecurity/trivy-action/releases
+      uses: aquasecurity/trivy-action@v0.35.0
       env:
         TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
         TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
@@ -112,41 +113,43 @@ jobs:
         scanners: vuln,secret,misconfig
         severity: CRITICAL,HIGH
     -
-     name: remove empty results
-     run: |
-       vulnerabilities=$(cat trivy-results.json | jq 'if (.Results | length) == 0 then 0 else [.Results[].Vulnerabilities | length] | add end'); \
-       if [[ "$vulnerabilities" -eq 0 ]]; then \
-        rm trivy-results.json
-       fi
+      name: remove empty results
+      run: |
+        vulnerabilities=$(cat trivy-results.json | jq 'if (.Results | length) == 0 then 0 else [.Results[].Vulnerabilities | length] | add end'); \
+        if [[ "$vulnerabilities" -eq 0 ]]; then \
+          rm trivy-results.json
+        fi
     -
-     if: ${{ hashFiles('trivy-results.json') != '' }}
-     name: 2nd scan to create human readable report
-     uses: aquasecurity/trivy-action@master
-     env:
-       TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
-       TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
-       TRIVY_DISABLE_VEX_NOTICE: disable_vex_notice
-       TRIVY_FORMAT: table
-       TRIVY_OUTPUT: trivy-results.txt
-     with:
-       image-ref: "${{ env.IMAGE_TAG }}"
-       format: 'table'
-       output: 'trivy-results.txt'
-       exit-code: '0'
-       ignore-unfixed: true
-       vuln-type: 'os,library'
-       severity: 'CRITICAL,HIGH'
+      if: ${{ hashFiles('trivy-results.json') != '' }}
+      name: 2nd scan to create human readable report
+      # get latest version from https://github.com/aquasecurity/trivy-action/releases
+      uses: aquasecurity/trivy-action@v0.35.0
+      env:
+        TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+        TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+        TRIVY_DISABLE_VEX_NOTICE: disable_vex_notice
+        TRIVY_FORMAT: table
+        TRIVY_OUTPUT: trivy-results.txt
+      with:
+        image-ref: "${{ env.IMAGE_TAG }}"
+        format: 'table'
+        output: 'trivy-results.txt'
+        exit-code: '0'
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH'
     -
       if: ${{ hashFiles('trivy-results.txt') != '' }}
-      name: Upload to 52N slack
-      uses: MeilCli/slack-upload-file@v4
-      with:
-        slack_token: ${{ secrets.SLACK_TOKEN }}
-        file_path: trivy-results.txt
-        file_type: text/plain
-        title: trivy scan results of ${{ github.repository }}
-        channel_id: ${{ secrets.SLACK_CHANNEL_ID_52N }}
-        initial_comment: "Trivy Results for '${{ github.repository }}' uploaded. Please review: https://github.com/${{ github.repository }}/actions"
+      name: Send Trivy Results to Google Chat
+      env:
+        WEBHOOK_URL: ${{ secrets.GOOGLE_CHAT_WEBHOOK_URL }}
+        REPO_NAME: ${{ github.repository }}
+        REPO_URL: "https://github.com/${{ github.repository }}/actions"
+      run: |
+        CONTENT=$(cat trivy-results.txt | head -c 3800)
+        MESSAGE="Trivy Results for '${REPO_NAME}':\n\n\`\`\`\n${TRIVY_CONTENT}\n\`\`\`\n\n(Results truncated) Please review full report at: ${REPO_URL}"
+        JSON_PAYLOAD=$(jq -n --arg msg "$MESSAGE" '{text: $msg}')
+        curl -X POST -H 'Content-Type: application/json' "$WEBHOOK_URL" -d "$JSON_PAYLOAD"
     #
     # BEFORE ACTIVATING the deployment trigger, configure the according secrets
     # -

.github/workflows/lint-and-format.yaml

@@ -15,10 +15,10 @@ jobs:
     steps:
     -
       name: Checkout Repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
     -
       name: Set up Python 3.11
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v6
       with:
         python-version: "3.11"
     -

.github/workflows/stale.yml

@@ -3,11 +3,13 @@ on:
   schedule:
     # https://crontab.cronhub.io/
     - cron: '52 4 * * Mon'
+permissions:
+  issues: write
 jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
         with:
           stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.'
           days-before-stale: 60