From 44f02a3e17fb081eac894a904796bf01a6f48f6f Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 25 Oct 2024 12:48:53 +0000 Subject: [PATCH 1/4] chore(deps): update dependency eslint-plugin-import to v2.31.0 --- yarn.lock | 52 +++++++++++++++++++++++++++++++++------------------- 1 file changed, 33 insertions(+), 19 deletions(-) diff --git a/yarn.lock b/yarn.lock index a41b32afda4..58759998a61 100644 --- a/yarn.lock +++ b/yarn.lock @@ -6562,6 +6562,11 @@ resolved "https://registry.yarnpkg.com/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.21.3.tgz#4115233aa1bd5a2060214f96d8511f6247093212" integrity sha512-fOvu7PCQjAj4eWDEuD8Xz5gpzFqXzGlxHZozHP4b9Jxv9APtdxL6STqztDzMLuRXEc4UpXGGhx029Xgm91QBeA== +"@rtsao/scc@^1.1.0": + version "1.1.0" + resolved "https://registry.yarnpkg.com/@rtsao/scc/-/scc-1.1.0.tgz#927dd2fae9bc3361403ac2c7a00c32ddce9ad7e8" + integrity sha512-zt6OdqaDoOnJ1ZYsCYGt9YmWzDXl4vQdKTyJev62gFhRGKdx7mcT54V9KIjg+d2wi9EXsPvAPKe7i7WjfVWB8g== + "@sentry-internal/feedback@7.118.0": version "7.118.0" resolved "https://registry.yarnpkg.com/@sentry-internal/feedback/-/feedback-7.118.0.tgz#5b4b13ba514452d07a22ec8c66c2e4bc2091d8e6" @@ -9981,7 +9986,7 @@ array.prototype.findlast@^1.2.4: es-object-atoms "^1.0.0" es-shim-unscopables "^1.0.2" -array.prototype.findlastindex@^1.2.3: +array.prototype.findlastindex@^1.2.5: version "1.2.5" resolved "https://registry.yarnpkg.com/array.prototype.findlastindex/-/array.prototype.findlastindex-1.2.5.tgz#8c35a755c72908719453f87145ca011e39334d0d" integrity sha512-zfETvRFA8o7EiNn++N5f/kaCw221hrpGsDmcpndVupkPzEc1Wuf3VgC0qby1BbHs7f5DVYjgtEU2LLh5bqeGfQ== 
@@ -13722,10 +13727,10 @@ eslint-import-resolver-node@^0.3.9: is-core-module "^2.13.0" resolve "^1.22.4" -eslint-module-utils@^2.8.0: - version "2.8.0" - resolved "https://registry.npmjs.org/eslint-module-utils/-/eslint-module-utils-2.8.0.tgz" - integrity sha512-aWajIYfsqCKRDgUfjEXNN/JlrzauMuSEy5sbd7WXbtW3EH6A6MpwEh42c7qD+MqQo9QMJ6fWLAeIJynx0g6OAw== +eslint-module-utils@^2.12.0: + version "2.12.0" + resolved "https://registry.yarnpkg.com/eslint-module-utils/-/eslint-module-utils-2.12.0.tgz#fe4cfb948d61f49203d7b08871982b65b9af0b0b" + integrity sha512-wALZ0HFoytlyh/1+4wuZ9FJCD/leWHQzzrxJ8+rebyReSLk7LApMyd3WJaLVoN+D5+WIdJyDK1c6JnE65V4Zyg== dependencies: debug "^3.2.7" 
@@ -13751,26 +13756,28 @@ eslint-plugin-formatjs@2.21.0: typescript "^4.5" eslint-plugin-import@^2.17.3: - version "2.29.1" - resolved "https://registry.yarnpkg.com/eslint-plugin-import/-/eslint-plugin-import-2.29.1.tgz#d45b37b5ef5901d639c15270d74d46d161150643" - integrity sha512-BbPC0cuExzhiMo4Ff1BTVwHpjjv28C5R+btTOGaCRC7UEz801up0JadwkeSk5Ued6TG34uaczuVuH6qyy5YUxw== + version "2.31.0" + resolved "https://registry.yarnpkg.com/eslint-plugin-import/-/eslint-plugin-import-2.31.0.tgz#310ce7e720ca1d9c0bb3f69adfd1c6bdd7d9e0e7" + integrity sha512-ixmkI62Rbc2/w8Vfxyh1jQRTdRTF52VxwRVHl/ykPAmqG+Nb7/kNn+byLP0LxPgI7zWA16Jt82SybJInmMia3A== dependencies: - array-includes "^3.1.7" - array.prototype.findlastindex "^1.2.3" + "@rtsao/scc" "^1.1.0" + array-includes "^3.1.8" + array.prototype.findlastindex "^1.2.5" array.prototype.flat "^1.3.2" array.prototype.flatmap "^1.3.2" debug "^3.2.7" doctrine "^2.1.0" eslint-import-resolver-node "^0.3.9" - eslint-module-utils "^2.8.0" - hasown "^2.0.0" - is-core-module "^2.13.1" + eslint-module-utils "^2.12.0" + hasown "^2.0.2" + is-core-module "^2.15.1" is-glob "^4.0.3" minimatch "^3.1.2" - object.fromentries "^2.0.7" - object.groupby "^1.0.1" - object.values "^1.1.7" + object.fromentries "^2.0.8" + object.groupby "^1.0.3" + object.values "^1.2.0" semver "^6.3.1" + string.prototype.trimend "^1.0.8" tsconfig-paths "^3.15.0" eslint-plugin-jsx-a11y@^6.2.3, eslint-plugin-jsx-a11y@^6.3.1, eslint-plugin-jsx-a11y@^6.6.1: 
@@ -16092,13 +16099,20 @@ is-ci@^2.0.0: dependencies: ci-info "^2.0.0" -is-core-module@^2.13.0, is-core-module@^2.13.1, is-core-module@^2.5.0, is-core-module@^2.8.1: +is-core-module@^2.13.0, is-core-module@^2.5.0, is-core-module@^2.8.1: version "2.13.1" resolved "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz" integrity sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw== dependencies: hasown "^2.0.0" +is-core-module@^2.15.1: + version "2.15.1" + resolved "https://registry.yarnpkg.com/is-core-module/-/is-core-module-2.15.1.tgz#a7363a25bee942fefab0de13bf6aa372c82dcc37" + integrity sha512-z0vtXSwucUJtANQWldhbtbt7BnL0vxiFjIdDLAatwhDYty2bad6s+rijD6Ri4YuYJubLzIJLUidCh09e1djEVQ== + dependencies: + hasown "^2.0.2" + is-data-view@^1.0.1: version "1.0.1" resolved "https://registry.yarnpkg.com/is-data-view/-/is-data-view-1.0.1.tgz#4b4d3a511b70f3dc26d42c03ca9ca515d847759f" @@ -19475,7 +19489,7 @@ object.fromentries@^2.0.7, object.fromentries@^2.0.8: es-abstract "^1.23.2" es-object-atoms "^1.0.0" -object.groupby@^1.0.1: +object.groupby@^1.0.3: version "1.0.3" resolved "https://registry.yarnpkg.com/object.groupby/-/object.groupby-1.0.3.tgz#9b125c36238129f6f7b61954a1e7176148d5002e" integrity sha512-+Lhy3TQTuzXI5hevh8sBGqbmurHbbIjAi0Z4S63nthVLmLxfbj4T54a4CfZrXIrt9iP4mVAPYMo/v99taj3wjQ== @@ -19502,7 +19516,7 @@ object.values@^1.1.1, object.values@^1.1.6: define-properties "^1.2.0" es-abstract "^1.22.1" -object.values@^1.1.7: +object.values@^1.1.7, object.values@^1.2.0: version "1.2.0" resolved "https://registry.yarnpkg.com/object.values/-/object.values-1.2.0.tgz#65405a9d92cee68ac2d303002e0b8470a4d9ab1b" integrity sha512-yBYjY9QX2hnRmZHAjG/f13MzmBzxzYgQhFrke06TTyKY5zSTEqkOeukBzIdVA3j3ulu8Qa3MbVFShV7T2RmGtQ== From 157070eeeccd2fadbf8a22c2bbb08628b07f1334 Mon Sep 17 00:00:00 2001 
From: Riku Rouvila
Date: Mon, 28 Oct 2024 10:56:59 +0200
Subject: [PATCH 2/4] chore(security): add pipeline to mirror trivy dbs
---
 .github/workflows/mirror-trivy-db.yml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 .github/workflows/mirror-trivy-db.yml
diff --git a/.github/workflows/mirror-trivy-db.yml b/.github/workflows/mirror-trivy-db.yml
new file mode 100644
index 00000000000..4147165fa88
--- /dev/null
+++ b/.github/workflows/mirror-trivy-db.yml
@@ -0,0 +1,34 @@
+name: Mirror Docker Images to GHCR
+
+on:
+ schedule:
+ # Run 30 mins after trivy DB runs (the trivy job takes 15 mins max)
+ # https://github.com/aquasecurity/trivy-db/blob/cfa337a1088bbcee598ab93656c83fe6b9acb946/.github/workflows/cron.yml#L5
+ # https://github.com/aquasecurity/trivy-db/actions
+ - cron: '30 */6 * * *'
+
+ workflow_dispatch: # Allows manual triggering of the workflow
+
+jobs:
+ mirror-dbs:
+ runs-on: ubuntu-latest
+ env:
+ RETRIES: 100
+
+ steps:
+ - name: Install Skopeo
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y skopeo
+
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Log in to GHCR
+ run: echo "${{ secrets.GITHUB_TOKEN }}" | skopeo login ghcr.io -u ${{ github.actor }} --password-stdin
+
+ - name: Mirror trivy-db to GHCR
+ run: ./mirror-image.sh docker://ghcr.io/aquasecurity/trivy-db:2 docker://ghcr.io/${{ github.repository_owner }}/trivy-db:2 ${{ env.RETRIES }}
+
+ - name: Mirror trivy-java-db to GHCR
+ run: ./mirror-image.sh docker://ghcr.io/aquasecurity/trivy-java-db:1 docker://ghcr.io/${{ github.repository_owner }}/trivy-java-db:1 ${{ env.RETRIES }}
From 3bd17c9cd755db711f6f32bf6c2ad92f5e2e5a3b Mon Sep 17 00:00:00 2001
From: Riku Rouvila
Date: Mon, 28 Oct 2024 11:01:21 +0200
Subject: [PATCH 3/4] fix(security): add missing script
---
 .github/workflows/mirror-trivy-db.yml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
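Review bot: The new workflow declares no `permissions:` block, so the `GITHUB_TOKEN` piped into `skopeo login` in the "Log in to GHCR" step carries whatever the repository or organisation default grants. The job only has to push two packages, so the token can be scoped explicitly at workflow or job level with `permissions:` containing `contents: read` and `packages: write`. `actions/checkout@v3` is also referenced by a mutable tag; pinning it to a full commit SHA keeps a job that holds a package-write token from silently picking up a retagged action.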
diff --git a/.github/workflows/mirror-trivy-db.yml b/.github/workflows/mirror-trivy-db.yml
index 4147165fa88..db1a1f636f1 100644
--- a/.github/workflows/mirror-trivy-db.yml
+++ b/.github/workflows/mirror-trivy-db.yml
@@ -27,6 +27,39 @@ jobs:
 - name: Log in to GHCR
 run: echo "${{ secrets.GITHUB_TOKEN }}" | skopeo login ghcr.io -u ${{ github.actor }} --password-stdin
 
+ - name: Create mirror-image.sh script
+ run: |
+ cat << 'EOF' > mirror-image.sh
+ #!/usr/bin/env bash
+ set -o errexit -o nounset -o pipefail
+
+ if [ "$#" -ne 3 ]; then
+ echo "Usage: $0 "
+ exit 1
+ fi
+
+ SOURCE_IMAGE=$1
+ DESTINATION_IMAGE=$2
+ RETRIES=$3
+ COUNT=0
+
+ until skopeo copy "$SOURCE_IMAGE" "$DESTINATION_IMAGE" || [ $COUNT -ge $RETRIES ]; do
+ COUNT=$((COUNT+1))
+ echo "Retry $COUNT/$RETRIES for $SOURCE_IMAGE to $DESTINATION_IMAGE..."
+ sleep 1
+ done
+
+ if [ $COUNT -ge $RETRIES ]; then
+ echo "Failed to mirror $SOURCE_IMAGE after $RETRIES attempts."
+ exit 1
+ fi
+
+ echo "Successfully mirrored $SOURCE_IMAGE to $DESTINATION_IMAGE."
+ EOF
+
+ - name: Make mirror-image.sh executable
+ run: chmod +x mirror-image.sh
+
 - name: Mirror trivy-db to GHCR
 run: ./mirror-image.sh docker://ghcr.io/aquasecurity/trivy-db:2 docker://ghcr.io/${{ github.repository_owner }}/trivy-db:2 ${{ env.RETRIES }}
 
From d17cc5691fa588fa902eaec5615f9b639fb5f69c Mon Sep 17 00:00:00 2001
From: Riku Rouvila
Date: Mon, 28 Oct 2024 11:07:47 +0200
Subject: [PATCH 4/4] fix: add missing license
---
 .github/workflows/mirror-trivy-db.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/mirror-trivy-db.yml b/.github/workflows/mirror-trivy-db.yml
index db1a1f636f1..2ede6bc54fc 100644
--- a/.github/workflows/mirror-trivy-db.yml
+++ b/.github/workflows/mirror-trivy-db.yml
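Review bot: A copy that succeeds on the last permitted attempt is still reported as a failure in the generated mirror-image.sh, because the `until` loop exits with COUNT already equal to RETRIES and the following `if [ $COUNT -ge $RETRIES ]` cannot tell that exit from exhaustion. Moving the limit check into the loop body removes the ambiguity and lets the script fall through to the success message only when `skopeo copy` actually returned zero, as in the excerpt below. The fixed `sleep 1` between as many as 100 attempts may also work against a registry that is rate limiting; a growing delay would be gentler, though the right values are a judgement call.

```yaml
          # … unchanged: argument check and SOURCE_IMAGE/DESTINATION_IMAGE/RETRIES/COUNT assignments …
          until skopeo copy "$SOURCE_IMAGE" "$DESTINATION_IMAGE"; do
            COUNT=$((COUNT+1))
            if [ "$COUNT" -ge "$RETRIES" ]; then
              echo "Failed to mirror $SOURCE_IMAGE after $RETRIES attempts."
              exit 1
            fi
            echo "Retry $COUNT/$RETRIES for $SOURCE_IMAGE to $DESTINATION_IMAGE..."
            sleep 1
          done
          # … unchanged: success message and EOF …
```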
@@ -1,3 +1,11 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# OpenCRVS is also distributed under the terms of the Civil Registration
+# & Healthcare Disclaimer located at http://opencrvs.org/license.
+#
+# Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
 name: Mirror Docker Images to GHCR
 
 on: