ci: update ci, vulns (#161)

* ci: update ci, vulns

* ci: update a few missed versions

Author: aaron-steinfeld

.github/workflows/codeql-analysis.yml

@@ -13,7 +13,7 @@ on:
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions:
       actions: read
       contents: read
@@ -28,30 +28,15 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v3
 
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
-
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2
         with:
           languages: ${{ matrix.language }}
 
-      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+      - uses: hypertrace/github-actions/gradle@main
+        with:
+          args: assemble
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v2

.github/workflows/merge-publish.yml

@@ -7,28 +7,16 @@ on:
 
 jobs:
   merge-publish:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
        # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_READ_USER }}
           password: ${{ secrets.DOCKERHUB_READ_TOKEN }}

.github/workflows/pr-build.yml

@@ -9,77 +9,41 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
        # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
           fetch-depth: 0
-      
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_READ_USER }}
           password: ${{ secrets.DOCKERHUB_READ_TOKEN }}
 
       - name: Build with Gradle
         uses: hypertrace/github-actions/gradle@main
         with: 
-          args: build dockerBuildImages
+          args: assemble dockerBuildImages
 
-      - name: Determine docker tag
-        id: tag
-        run: echo ::set-output name=tag::$(./gradlew -q printDockerImageDefaultTag | head -1)
-
-      - name: Scan docker image
-        uses: azure/container-scan@v0.1
+      - name: Run Trivy vulnerability scanner
+        uses: hypertrace/github-actions/trivy-image-scan@main
         with:
-          image-name: hypertrace/attribute-service:${{ steps.tag.outputs.tag }}
-        env:
-          DOCKLE_HOST: "unix:///var/run/docker.sock"
-        continue-on-error: true
+          image: hypertrace/attribute-service
 
   validate-helm-charts:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
           fetch-depth: 0
 
       - name: validate charts
         uses: hypertrace/github-actions/validate-charts@main
-
-  snyk-scan:
-    runs-on: ubuntu-20.04
-    steps:
-    # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
-      - name: Check out code
-        uses: actions/checkout@v2.3.4
-        with:
-          ref: ${{github.event.pull_request.head.ref}}
-          repository: ${{github.event.pull_request.head.repo.full_name}}
-          fetch-depth: 0
-      - name: Setup snyk
-        uses: snyk/actions/setup@0.3.0
-      - name: Snyk test
-        run: snyk test --all-sub-projects --org=hypertrace --severity-threshold=low --policy-path=.snyk --configuration-matching='^runtimeClasspath$' --remote-repo-url='${{ github.server_url }}/${{ github.repository }}.git'
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

.github/workflows/pr-test.yml

@@ -7,34 +7,21 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
        # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
 
-      - name: Cache packages
-        id: cache-packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
-
-      - name: Unit test
+      - name: Unit test and other verification
         uses: hypertrace/github-actions/gradle@main
         with: 
-          args: jacocoTestReport
+          args: check jacocoTestReport
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v2
+        uses: codecov/codecov-action@v3
         with:
           name: unit test reports
           flags: unit
@@ -45,26 +32,32 @@ jobs:
           args: jacocoIntegrationTestReport
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v2
+        uses: codecov/codecov-action@v3
         with:
           name: integration test reports
           flags: integration
 
       - name: copy test reports
         uses: hypertrace/github-actions/gradle@main
+        if: always()
         with: 
           args: copyAllReports --output-dir=/tmp/test-reports
 
       - name: Archive test reports
-        uses: actions/upload-artifact@v1
+        uses: actions/upload-artifact@v3
         with:
           name: test-reports
           path: /tmp/test-reports
         if: always()
-     
+
       - name: Publish Unit Test Results
-        uses: docker://ghcr.io/enricomi/publish-unit-test-result-action:v1.6
+        uses: EnricoMi/publish-unit-test-result-action@v2
         if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           files: ./**/build/test-results/**/*.xml
+  dependency-check:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Dependency Check
+        uses: hypertrace/github-actions/dependency-check@main

.github/workflows/publish.yml

@@ -8,28 +8,16 @@ on:
 
 jobs:
   publish-artifacts:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
-
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_READ_USER }}
           password: ${{ secrets.DOCKERHUB_READ_TOKEN }}
@@ -47,11 +35,11 @@ jobs:
 
   publish-helm-charts:
     needs: publish-artifacts
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
        # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Checkout Repository
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
@@ -62,9 +50,9 @@ jobs:
           helm-gcs-repository: ${{ secrets.HELM_GCS_REPOSITORY }}
 
   publish-release-notes:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v2.3.4
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - uses: hypertrace/github-actions/release-notes@main

attribute-service-api/build.gradle.kts

@@ -1,48 +1,24 @@
-import com.google.protobuf.gradle.generateProtoTasks
 import com.google.protobuf.gradle.id
-import com.google.protobuf.gradle.ofSourceSet
-import com.google.protobuf.gradle.plugins
-import com.google.protobuf.gradle.protobuf
-import com.google.protobuf.gradle.protoc
 
 plugins {
   `java-library`
-  id("com.google.protobuf") version "0.8.18"
+  id("com.google.protobuf") version "0.9.2"
   id("org.hypertrace.publish-plugin")
 }
 
-val generateLocalGoGrpcFiles = false
-
 protobuf {
   protoc {
     artifact = "com.google.protobuf:protoc:3.21.12"
   }
   plugins {
-    id("grpc_java") {
-      artifact = "io.grpc:protoc-gen-grpc-java:1.44.0"
-    }
-
-    if (generateLocalGoGrpcFiles) {
-      id("grpc_go") {
-        path = "<go-path>/bin/protoc-gen-go"
-      }
+    id("grpc") {
+      artifact = "io.grpc:protoc-gen-grpc-java:1.50.0"
     }
   }
   generateProtoTasks {
-    ofSourceSet("main").forEach {
-      it.plugins {
-        // Apply the "grpc" plugin whose spec is defined above, without options.
-        id("grpc_java")
-
-        if (generateLocalGoGrpcFiles) {
-          id("grpc_go")
-        }
-      }
-      it.builtins {
-        java
-        if (generateLocalGoGrpcFiles) {
-          id("go")
-        }
+    ofSourceSet("main").configureEach {
+      plugins {
+        id("grpc")
       }
     }
   }
@@ -51,7 +27,7 @@ protobuf {
 sourceSets {
   main {
     java {
-      srcDirs("src/main/java", "build/generated/source/proto/main/java", "build/generated/source/proto/main/grpc_java")
+      srcDirs("build/generated/source/proto/main/java", "build/generated/source/proto/main/grpc_java")
     }
   }
 }

attribute-service-client/build.gradle.kts

@@ -7,5 +7,5 @@ dependencies {
   api(project(":attribute-service-api"))
   api("com.typesafe:config:1.4.1")
 
-  implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.7.2")
+  implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.11.2")
 }

attribute-service-factory/build.gradle.kts

@@ -6,7 +6,7 @@ dependencies {
   api("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.49")
 
   // Only required because AttributeService constructor test overload uses a doc store API
-  compileOnly("org.hypertrace.core.documentstore:document-store:0.7.20")
+  compileOnly("org.hypertrace.core.documentstore:document-store:0.7.26")
 
   implementation(project(":attribute-service-impl"))
 }

attribute-service-impl/build.gradle.kts

@@ -8,8 +8,8 @@ dependencies {
   api(project(":attribute-service-api"))
   implementation(project(":attribute-service-tenant-api"))
 
-  implementation("org.hypertrace.core.documentstore:document-store:0.7.20")
-  implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.9.0")
+  implementation("org.hypertrace.core.documentstore:document-store:0.7.26")
+  implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.11.2")
 
   implementation("com.fasterxml.jackson.core:jackson-databind:2.14.2")
   implementation("com.typesafe:config:1.4.1")

attribute-service/build.gradle.kts

@@ -64,7 +64,7 @@ dependencies {
   integrationTestImplementation("com.google.guava:guava:31.1-jre")
   integrationTestImplementation(project(":attribute-service-client"))
   integrationTestImplementation("org.hypertrace.core.serviceframework:integrationtest-service-framework:0.1.49")
-  integrationTestImplementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.9.0")
+  integrationTestImplementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.11.2")
 }
 
 application {