diff --git a/.github/workflows/draft-new-release.yml b/.github/workflows/draft-new-release.yml
index d43523def..0b2a11b07 100644
--- a/.github/workflows/draft-new-release.yml
+++ b/.github/workflows/draft-new-release.yml
@@ -6,6 +6,9 @@ on:
version:
description: "The version you want to release."
required: true
+permissions:
+ id-token: write # required for OIDC token exchange
+ contents: read
jobs:
draft-new-release:
@@ -15,9 +18,25 @@ jobs:
outputs:
commitSha: ${{ steps.make-commit.outputs.commit }}
steps:
+ - name: Configure AWS Credentials via OIDC
+ uses: aws-actions/configure-aws-credentials@v6
+ with:
+ role-to-assume: arn:aws:iam::730335206644:role/delegatedadmin/developer/qppa-github-actions-role
+ aws-region: us-east-1
+
+ - name: Retrieve GitHub service account token from secops account
+ id: get-token
+ run: |
+ SECRET_VALUE=$(aws secretsmanager get-secret-value \
+ --secret-id "arn:aws:secretsmanager:us-east-1:863249929524:secret:qpp/qppa/github/token/automation-bhLO2e" \
+ --query SecretString \
+ --output text | jq -r ".GITHUB_TOKEN")
+ echo "::add-mask::$SECRET_VALUE"
+ echo "GITHUB_TOKEN=$SECRET_VALUE" >> $GITHUB_OUTPUT
+
- uses: actions/checkout@v4
with:
- token: ${{ secrets.ACTIONS_NICHOLAS_PAT }}
+ token: ${{ steps.get-token.outputs.GITHUB_TOKEN }}
- name: Create release branch
run: |
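Review bot: The get-token step has no failure check: SECRET_VALUE comes from a command substitution that ends in `jq -r`, so a failed `aws secretsmanager` call or a secret without a `GITHUB_TOKEN` key leaves it empty or the literal `null`, the step still succeeds, and the bad value is masked, written to the output and only surfaces later in checkout or create-pull-request as a misleading auth error. Adding `set -euo pipefail`, mapping a missing key to empty with `// empty`, and exiting non-zero when the value is empty makes the problem visible in this step; quoting `"$GITHUB_OUTPUT"` is a free improvement. The same step is duplicated verbatim in publish-release.yml in both the publish_and_backfill and backfill jobs, so this note applies to those hunks too, and the duplication is itself an argument for moving the OIDC and retrieval steps into one composite action so the logic is fixed in a single place.
```yaml
run: |
  set -euo pipefail
  SECRET_VALUE=$(aws secretsmanager get-secret-value \
    --secret-id "arn:aws:secretsmanager:us-east-1:863249929524:secret:qpp/qppa/github/token/automation-bhLO2e" \
    --query SecretString \
    --output text | jq -r '.GITHUB_TOKEN // empty')
  if [ -z "$SECRET_VALUE" ]; then
    echo "::error::GITHUB_TOKEN key not found in automation secret"
    exit 1
  fi
  echo "::add-mask::$SECRET_VALUE"
  echo "GITHUB_TOKEN=$SECRET_VALUE" >> "$GITHUB_OUTPUT"
```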
@@ -33,7 +52,7 @@ jobs:
prerelease: false
publish: false
env:
- GITHUB_TOKEN: ${{ secrets.ACTIONS_NICHOLAS_PAT }}
+ GITHUB_TOKEN: ${{ steps.get-token.outputs.GITHUB_TOKEN }}
- name: Set up JDK 21
uses: actions/setup-java@v4
@@ -44,11 +63,11 @@ jobs:
- name: Bump version in pom.xml files
run: |
-
+
# Update parent and child module pom.xml files
echo "Updating version in parent and module pom.xml files to ${{ github.event.inputs.version }}-RELEASE..."
mvn versions:set -DnewVersion=${{ github.event.inputs.version }}-RELEASE -DgenerateBackupPoms=false
-
+
# Update standalone module pom.xml files
echo "Updating standalone module versions..."
mvn versions:set -DnewVersion=${{ github.event.inputs.version }}-RELEASE -DgenerateBackupPoms=false -f acceptance-tests/pom.xml
@@ -79,7 +98,7 @@ jobs:
- name: Create pull request to master branch
uses: thomaseizinger/create-pull-request@1.4.0
env:
- GITHUB_TOKEN: ${{ secrets.ACTIONS_NICHOLAS_PAT }} # MUST use a PAT here in order to trigger the next workflow: CodeBuild Trigger; see https://docs.github.com/en/actions/using-workflows/triggering-a-workflow
+ GITHUB_TOKEN: ${{ steps.get-token.outputs.GITHUB_TOKEN }} # MUST use a PAT here in order to trigger the next workflow: CodeBuild Trigger; see https://docs.github.com/en/actions/using-workflows/triggering-a-workflow
with:
head: release/v${{ github.event.inputs.version }}
base: master
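Review bot: The trailing comment on the GITHUB_TOKEN line still says "MUST use a PAT here" in the abstract, while the value is now the service-account token produced by the get-token step, so a reader can no longer tell from the comment which credential this is or why a step output is used instead of `secrets.GITHUB_TOKEN`. Suggest `# MUST be the service-account PAT from the get-token step (not secrets.GITHUB_TOKEN) so the next workflow, CodeBuild Trigger, is actually triggered; see https://docs.github.com/en/actions/using-workflows/triggering-a-workflow`. The create-pull-request step's `with` block continues outside the hunk.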
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 2f31f6e7c..af9be2af2 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -5,16 +5,36 @@ on:
branches:
- master
+permissions:
+ id-token: write # required for OIDC token exchange
+ contents: read
+
jobs:
publish_and_backfill:
name: Publish GitHub release and create backfill PR
runs-on: ubuntu-latest
steps:
-
+ - name: Configure AWS Credentials via OIDC
+ uses: aws-actions/configure-aws-credentials@v6
+ with:
+ role-to-assume: arn:aws:iam::730335206644:role/delegatedadmin/developer/qppa-github-actions-role
+ aws-region: us-east-1
+
+ - name: Retrieve GitHub service account token from secops account
+ id: get-token
+ run: |
+ SECRET_VALUE=$(aws secretsmanager get-secret-value \
+ --secret-id "arn:aws:secretsmanager:us-east-1:863249929524:secret:qpp/qppa/github/token/automation-bhLO2e" \
+ --query SecretString \
+ --output text | jq -r ".GITHUB_TOKEN")
+ echo "::add-mask::$SECRET_VALUE"
+ echo "GITHUB_TOKEN=$SECRET_VALUE" >> $GITHUB_OUTPUT
+
- name: Checkout codebase
uses: actions/checkout@v4
with:
fetch-depth: 0
+ token: ${{ steps.get-token.outputs.GITHUB_TOKEN }}
- name: Get latest draft release
id: get_release
@@ -23,12 +43,12 @@ jobs:
RELEASE_DATA=$(gh release list --limit 1 --json isDraft,tagName,name | jq -r '.[0]')
IS_DRAFT=$(echo "$RELEASE_DATA" | jq -r '.isDraft')
TAG_NAME=$(echo "$RELEASE_DATA" | jq -r '.tagName')
-
+
echo "is_draft=${IS_DRAFT}" >> $GITHUB_OUTPUT
echo "tag_name=${TAG_NAME}" >> $GITHUB_OUTPUT
echo "Found release: ${TAG_NAME} (draft: ${IS_DRAFT})"
env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.get-token.outputs.GITHUB_TOKEN }}
- name: Publish draft release
if: steps.get_release.outputs.is_draft == 'true'
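Review bot: The `gh release list` call here, and the `gh release edit` in the next hunk, move from the job-scoped `secrets.GITHUB_TOKEN` to the long-lived service-account PAT, which widens the blast radius of these steps without a stated reason; a built-in token with `contents: write` on this job is enough for listing and publishing a release. If the switch is deliberate because releases published with the built-in token do not trigger other workflows (that intent cannot be seen from the hunk), a comment on the env line such as `# service-account token so the release event triggers downstream workflows` would record it; otherwise keeping the built-in token and granting `contents: write` at job level is the least-privilege option. The Get latest draft release step begins in the previous hunk.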
@@ -36,11 +56,27 @@ jobs:
gh release edit ${{ steps.get_release.outputs.tag_name }} --draft=false --latest
echo "Published release ${{ steps.get_release.outputs.tag_name }} as latest"
env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.get-token.outputs.GITHUB_TOKEN }}
backfill:
name: Backfill master to develop branch
runs-on: ubuntu-latest
steps:
+ - name: Configure AWS Credentials via OIDC
+ uses: aws-actions/configure-aws-credentials@v6
+ with:
+ role-to-assume: arn:aws:iam::730335206644:role/delegatedadmin/developer/qppa-github-actions-role
+ aws-region: us-east-1
+
+ - name: Retrieve GitHub service account token from secops account
+ id: get-token
+ run: |
+ SECRET_VALUE=$(aws secretsmanager get-secret-value \
+ --secret-id "arn:aws:secretsmanager:us-east-1:863249929524:secret:qpp/qppa/github/token/automation-bhLO2e" \
+ --query SecretString \
+ --output text | jq -r ".GITHUB_TOKEN")
+ echo "::add-mask::$SECRET_VALUE"
+ echo "GITHUB_TOKEN=$SECRET_VALUE" >> $GITHUB_OUTPUT
+
- name: Check params
run: |
echo "head.ref = ${{github.event.pull_request.head.ref}}"
@@ -49,7 +85,7 @@ jobs:
- uses: actions/checkout@v4
with:
ref: master
- token: ${{ secrets.ACTIONS_NICHOLAS_PAT }}
+ token: ${{ steps.get-token.outputs.GITHUB_TOKEN }}
- name: Create backfill branch
run: git checkout -b backfill/master;
@@ -62,14 +98,14 @@ jobs:
- name: Push backfill branch
env:
- GITHUB_TOKEN: ${{ secrets.ACTIONS_NICHOLAS_PAT }}
+ GITHUB_TOKEN: ${{ steps.get-token.outputs.GITHUB_TOKEN }}
run: |
git push origin backfill/master
- name: Create backfill pull request to develop branch
uses: thomaseizinger/create-pull-request@1.4.0
with:
- github_token: ${{ secrets.ACTIONS_NICHOLAS_PAT }}
+ github_token: ${{ steps.get-token.outputs.GITHUB_TOKEN }}
head: backfill/master
base: develop
draft: true
diff --git a/DockerfileTest b/DockerfileTest
index 28b446748..2713d897a 100644
--- a/DockerfileTest
+++ b/DockerfileTest
@@ -38,6 +38,10 @@ COPY --from=builder /usr/src/app/rest-api/target/rest-api.jar /usr/src/run/rest-
# Copy test runtime artifacts, including qppConverterTest.sh.
COPY --from=builder /usr/src/app/tools/docker/docker-test-artifacts/ /usr/src/run/
+# Copy test profile config and SSL keystore so Spring Boot can load external test settings.
+COPY --from=builder /usr/src/app/rest-api/src/test/resources/application.properties /usr/src/run/application-test.properties
+COPY --from=builder /usr/src/app/rest-api/src/test/resources/test-keystore.p12 /usr/src/run/
+
# Fix the startup script for Alpine runtime:
# 1. Remove Windows CRLF line endings if present.
# 2. Replace #!/bin/bash with #!/bin/sh because Alpine does not include bash by default.
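Review bot: The new COPY lines bake `test-keystore.p12` and the test `application.properties` (renamed to `application-test.properties`) into the image layers, and if that properties file carries the keystore password both end up in the image in clear; that is acceptable for a test-only fixture, but nothing in the file marks them as such. A comment such as `# Test-only fixture: self-signed keystore and its settings; do not reuse this stage for a non-test image.` above the two COPY lines would keep the pattern from being copied elsewhere. Spring Boot only reads `application-test.properties` when the `test` profile is active, and the startup script that would set it is outside this hunk, so it is worth confirming the runtime activates that profile.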
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..4412f9c92
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,15 @@
+# Security Policy
+
+We always recommend users to upgrade to the latest revision. All security vulnerability fixes will be addressed as quickly as possible using a patch release.
+
+## Supported Versions
+
+| Version | Supported |
+| ------- | --------- |
+| >= 2026.03.31.01-RELEASE | ✅ |
+| < 2026.03.31.01-RELEASE | ❌ |
+
+## Reporting a Vulnerability
+
+If you believe that you've found a security vulnerability in the codebase
+or one of the libraries maintained in this repository, please create an issue and provide details of the bug. For guidelines refer [SUPPORT.md](./.github/SUPPORT.md)
diff --git a/acceptance-tests/pom.xml b/acceptance-tests/pom.xml
index f3891dbf6..1d33f04dd 100644
--- a/acceptance-tests/pom.xml
+++ b/acceptance-tests/pom.xml
@@ -3,7 +3,7 @@
4.0.0
acceptance-tests
gov.cms.qpp.conversion
- 2026.05.01.01-RELEASE
+ 2026.06.15.01-RELEASE
conversion-tests
jar
@@ -12,6 +12,17 @@
4.2.5
+
+
+
+
+ io.opentelemetry
+ opentelemetry-api
+ 1.62.0
+
+
+
+
com.fasterxml.jackson.core
@@ -49,7 +60,7 @@
org.springframework
spring-web
- 6.2.18
+ 6.2.19
diff --git a/buildspec/build_deploy.yaml b/buildspec/build_deploy.yaml
index a9fb9b535..40d65e240 100644
--- a/buildspec/build_deploy.yaml
+++ b/buildspec/build_deploy.yaml
@@ -14,12 +14,14 @@ env:
DOCKERHUB_TOKEN: "/global/dockerhub_token"
DOCKERHUB_USER: "/global/dockerhub_user"
AWS_ACCOUNT : "/global/aws_account"
- REPO_PAT: "/global/scoring_api_repo_pat"
BRANCH_STATUS_URL: "/global/ct_branch_status_url"
PART_FILE: "/qppar-sf/conversion-tool/CPC_PLUS_FILE_NAME"
PART_FILE_BUCKET: "/qppar-sf/$ENV/conversion-tool/CPC_PLUS_BUCKET_NAME"
OUTPUT_PART_FILE: "/qppar-sf/$ENV/conversion-tool/CPC_PLUS_VALIDATION_FILE"
+ secrets-manager:
+ REPO_PAT: "arn:aws:secretsmanager:us-east-1:863249929524:secret:qpp/qppa/github/token/automation-bhLO2e:GITHUB_TOKEN"
+
phases:
install:
runtime-versions:
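Review bot: The secrets-manager entry resolves REPO_PAT from a secret in account 863249929524 by full ARN; if the CodeBuild project runs in a different account (the `AWS_ACCOUNT` parameter above suggests that is not fixed here), the build's service role needs `secretsmanager:GetSecretValue` on that ARN and the secret needs a resource policy, plus `kms:Decrypt` on its key if it is not the default one, or the build fails at environment resolution before any phase runs. Nothing in this repo shows that grant, so it is worth verifying before the old parameter-store value is deleted. The same entry is added in buildspec/pr_build.yaml; a trailing comment on both, e.g. `# JSON key GITHUB_TOKEN of the shared automation secret; cross-account read needs a resource policy on the secret`, would document the dependency.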
diff --git a/buildspec/pr_build.yaml b/buildspec/pr_build.yaml
index 4685b96b1..eab655af7 100644
--- a/buildspec/pr_build.yaml
+++ b/buildspec/pr_build.yaml
@@ -9,7 +9,9 @@ env:
parameter-store:
DOCKERHUB_TOKEN: "/global/dockerhub_token"
DOCKERHUB_USER: "/global/dockerhub_user"
- SCORING_REPO_PAT: "/global/scoring_api_repo_pat"
+
+ secrets-manager:
+ REPO_PAT: "arn:aws:secretsmanager:us-east-1:863249929524:secret:qpp/qppa/github/token/automation-bhLO2e:GITHUB_TOKEN"
phases:
install:
@@ -27,7 +29,7 @@ phases:
curl \
-X POST \
-H "Accept: application/vnd.github+json" \
- -H "Authorization: Bearer ${SCORING_REPO_PAT}" \
+ -H "Authorization: Bearer ${REPO_PAT}" \
${BRANCH_STATUSES_URL} \
-d "${CURL_PAYLOAD}"
- node -v
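Review bot: With the credential now coming from Secrets Manager, a rotated secret or a wrong JSON key yields a 401 from the status POST, but the `curl` call on these lines has no `--fail` flag, so the build continues silently with the branch status never set. Adding `--fail-with-body` (or `-f`) to this invocation and to the identical one in the later hunk makes a dead token visible at the first call. The surrounding phase block continues outside the hunk.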
@@ -69,6 +71,6 @@ phases:
curl \
-X POST \
-H "Accept: application/vnd.github+json" \
- -H "Authorization: Bearer ${SCORING_REPO_PAT}" \
+ -H "Authorization: Bearer ${REPO_PAT}" \
${BRANCH_STATUSES_URL} \
-d "${CURL_PAYLOAD}"
diff --git a/commandline/pom.xml b/commandline/pom.xml
index bec511301..6a52213dd 100644
--- a/commandline/pom.xml
+++ b/commandline/pom.xml
@@ -6,7 +6,7 @@
gov.cms.qpp.conversion
qpp-conversion-tool-parent
- 2026.05.01.01-RELEASE
+ 2026.06.15.01-RELEASE
../pom.xml
diff --git a/commons/pom.xml b/commons/pom.xml
index 846d1b263..95cb6ac61 100644
--- a/commons/pom.xml
+++ b/commons/pom.xml
@@ -6,7 +6,7 @@
gov.cms.qpp.conversion
qpp-conversion-tool-parent
- 2026.05.01.01-RELEASE
+ 2026.06.15.01-RELEASE
../pom.xml
diff --git a/converter/pom.xml b/converter/pom.xml
index be87ebdc4..9d7b0d1bf 100644
--- a/converter/pom.xml
+++ b/converter/pom.xml
@@ -6,7 +6,7 @@
gov.cms.qpp.conversion
qpp-conversion-tool-parent
- 2026.05.01.01-RELEASE
+ 2026.06.15.01-RELEASE
../pom.xml
diff --git a/generate-race-cpcplus/pom.xml b/generate-race-cpcplus/pom.xml
index c3788db96..77bada30b 100644
--- a/generate-race-cpcplus/pom.xml
+++ b/generate-race-cpcplus/pom.xml
@@ -6,7 +6,7 @@
gov.cms.qpp.conversion
generateRaceCpcPlus
- 2026.05.01.01-RELEASE
+ 2026.06.15.01-RELEASE
generate-race-cpcplus
jar
diff --git a/generate/pom.xml b/generate/pom.xml
index 60779bd5d..01515181e 100644
--- a/generate/pom.xml
+++ b/generate/pom.xml
@@ -5,7 +5,7 @@
qpp-conversion-tool-parent
gov.cms.qpp.conversion
- 2026.05.01.01-RELEASE
+ 2026.06.15.01-RELEASE
../pom.xml
4.0.0
diff --git a/pom.xml b/pom.xml
index 68476a7bf..bc1a6f287 100644
--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@
gov.cms.qpp.conversion
qpp-conversion-tool-parent
pom
- 2026.05.01.01-RELEASE
+ 2026.06.15.01-RELEASE
QPP Conversion Tool
@@ -15,6 +15,9 @@
5.11.4
1.11.4
0.10.7
+ 6.2.19
+ 6.5.11
+ 10.1.55
0.90
verify
@@ -511,25 +514,25 @@
org.springframework.security
spring-security-web
- 6.5.9
+ ${spring.security.version}
org.springframework
spring-webmvc
- 6.2.18
+ ${spring.framework.version}
org.springframework
spring-web
- 6.2.18
+ ${spring.framework.version}
org.springframework
spring-framework-bom
- 6.2.18
+ ${spring.framework.version}
pom
import
@@ -555,17 +558,17 @@
org.apache.tomcat.embed
tomcat-embed-core
- 10.1.54
+ ${tomcat.embed.version}
org.apache.tomcat.embed
tomcat-embed-el
- 10.1.54
+ ${tomcat.embed.version}
org.apache.tomcat.embed
tomcat-embed-websocket
- 10.1.54
+ ${tomcat.embed.version}
diff --git a/qrda3-update-measures/pom.xml b/qrda3-update-measures/pom.xml
index 090a0bd6e..50fb5dc81 100644
--- a/qrda3-update-measures/pom.xml
+++ b/qrda3-update-measures/pom.xml
@@ -4,7 +4,7 @@
gov.cms.qpp.conversion
qpp-update-measures
- 2026.05.01.01-RELEASE
+ 2026.06.15.01-RELEASE
qrda3-update-measures
jar
diff --git a/rest-api/pom.xml b/rest-api/pom.xml
index 4bd2226f2..c150567f6 100644
--- a/rest-api/pom.xml
+++ b/rest-api/pom.xml
@@ -19,7 +19,7 @@
gov.cms.qpp.conversion
qpp-conversion-tool-parent
- 2026.05.01.01-RELEASE
+ 2026.06.15.01-RELEASE
../pom.xml
@@ -31,8 +31,8 @@
0.90
-
- 6.2.18
+
+ ${spring.framework.version}
managed-by-boot-bom
@@ -45,7 +45,8 @@
6.1.0
- 6.5.10
+ 6.5.11
+ 2.0.13
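Review bot: The spring-security version here is bumped as the literal `6.5.11` while the parent pom in this same commit introduces a `spring.security.version` property with that value; if this line is rest-api's own version override (the XML tags were lost in this view, so that is inferred), using `${spring.security.version}` here, as the rest-api pom already does for the framework version, keeps the two from drifting on the next bump. acceptance-tests/pom.xml likewise hard-codes `6.2.19` for spring-web, though whether that module inherits the parent's properties is not visible here.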
@@ -59,7 +60,7 @@
org.springframework.boot
spring-boot-maven-plugin
- 3.5.13
+ 3.5.15
repackage
@@ -187,7 +188,7 @@
org.springframework.boot
spring-boot-dependencies
- 3.5.14
+ 3.5.15
pom
import
@@ -197,23 +198,29 @@
org.springframework
spring-webmvc
- 6.2.18
+ ${spring-framework.version}
org.springframework
spring-beans
- 6.2.18
+ ${spring-framework.version}
-
+
org.springframework
spring-framework-bom
- 6.2.18
+ ${spring-framework.version}
pom
import
+
+ org.springframework.retry
+ spring-retry
+ ${spring.retry.version}
+
+
+ org.springframeworkspring-core${spring-framework.version}
+ org.springframeworkspring-expression${spring-framework.version}
+
org.springframework.retryspring-retry
com.jcabijcabi-manifests
diff --git a/test-commons/pom.xml b/test-commons/pom.xml
index 5b0f622b4..1b9c5d0b6 100644
--- a/test-commons/pom.xml
+++ b/test-commons/pom.xml
@@ -6,7 +6,7 @@
gov.cms.qpp.conversion
qpp-conversion-tool-parent
- 2026.05.01.01-RELEASE
+ 2026.06.15.01-RELEASE
../pom.xml
diff --git a/test-coverage/pom.xml b/test-coverage/pom.xml
index 676e17f67..829df89a9 100644
--- a/test-coverage/pom.xml
+++ b/test-coverage/pom.xml
@@ -6,7 +6,7 @@
gov.cms.qpp.conversion
qpp-conversion-tool-parent
- 2026.05.01.01-RELEASE
+ 2026.06.15.01-RELEASE
../pom.xml