29 changes: 24 additions & 5 deletions .github/workflows/draft-new-release.yml
Expand Up @@ -6,6 +6,9 @@ on:
version:
description: "The version you want to release."
required: true
permissions:
id-token: write # required for OIDC token exchange
contents: read

jobs:
draft-new-release:
Expand All @@ -15,9 +18,25 @@ jobs:
outputs:
commitSha: ${{ steps.make-commit.outputs.commit }}
steps:
- name: Configure AWS Credentials via OIDC
uses: aws-actions/configure-aws-credentials@v6
with:
role-to-assume: arn:aws:iam::730335206644:role/delegatedadmin/developer/qppa-github-actions-role
aws-region: us-east-1

- name: Retrieve GitHub service account token from secops account
id: get-token
run: |
SECRET_VALUE=$(aws secretsmanager get-secret-value \
--secret-id "arn:aws:secretsmanager:us-east-1:863249929524:secret:qpp/qppa/github/token/automation-bhLO2e" \
--query SecretString \
--output text | jq -r ".GITHUB_TOKEN")
echo "::add-mask::$SECRET_VALUE"
echo "GITHUB_TOKEN=$SECRET_VALUE" >> $GITHUB_OUTPUT

- uses: actions/checkout@v4
with:
token: ${{ secrets.ACTIONS_NICHOLAS_PAT }}
token: ${{ steps.get-token.outputs.GITHUB_TOKEN }}

- name: Create release branch
run: |
Expand All @@ -33,7 +52,7 @@ jobs:
prerelease: false
publish: false
env:
GITHUB_TOKEN: ${{ secrets.ACTIONS_NICHOLAS_PAT }}
GITHUB_TOKEN: ${{ steps.get-token.outputs.GITHUB_TOKEN }}

- name: Set up JDK 21
uses: actions/setup-java@v4
Expand All @@ -44,11 +63,11 @@ jobs:

- name: Bump version in pom.xml files
run: |

# Update parent and child module pom.xml files
echo "Updating version in parent and module pom.xml files to ${{ github.event.inputs.version }}-RELEASE..."
mvn versions:set -DnewVersion=${{ github.event.inputs.version }}-RELEASE -DgenerateBackupPoms=false

# Update standalone module pom.xml files
echo "Updating standalone module versions..."
mvn versions:set -DnewVersion=${{ github.event.inputs.version }}-RELEASE -DgenerateBackupPoms=false -f acceptance-tests/pom.xml
Expand Down Expand Up @@ -79,7 +98,7 @@ jobs:
- name: Create pull request to master branch
uses: thomaseizinger/create-pull-request@1.4.0
env:
GITHUB_TOKEN: ${{ secrets.ACTIONS_NICHOLAS_PAT }} # MUST use a PAT here in order to trigger the next workflow: CodeBuild Trigger; see https://docs.github.com/en/actions/using-workflows/triggering-a-workflow
GITHUB_TOKEN: ${{ steps.get-token.outputs.GITHUB_TOKEN }} # MUST use a PAT here in order to trigger the next workflow: CodeBuild Trigger; see https://docs.github.com/en/actions/using-workflows/triggering-a-workflow
with:
head: release/v${{ github.event.inputs.version }}
base: master
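Review bot: The `Retrieve GitHub service account token` step (`id: get-token`) has no failure path: the default `run` shell is `bash -e` without `pipefail`, so when `aws secretsmanager get-secret-value` fails, `jq` still exits 0 on empty input, and when the JSON has no `GITHUB_TOKEN` key, `jq -r` prints the literal `null`; either way an empty or `null` token is written to `$GITHUB_OUTPUT` and the failure only surfaces later as an opaque auth error at checkout. Add `shell: bash` to the step (GitHub's explicit bash shell runs with `-eo pipefail`) and guard the value before exporting it: `if [ -z "$SECRET_VALUE" ] || [ "$SECRET_VALUE" = "null" ]; then echo "::error::GITHUB_TOKEN missing from secret"; exit 1; fi`. The same step is duplicated verbatim in both jobs of `.github/workflows/publish-release.yml`, so the fix applies there too, and a composite action would keep the three copies from drifting. The assumed role is in account 730335206644 while the secret is in 863249929524, so the secret's resource policy and its KMS key policy must grant that role; a comment on the step recording that prerequisite would save the next person a cross-account debugging session.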
50 changes: 43 additions & 7 deletions .github/workflows/publish-release.yml
Expand Up @@ -5,16 +5,36 @@ on:
branches:
- master

permissions:
id-token: write # required for OIDC token exchange
contents: read

jobs:
publish_and_backfill:
name: Publish GitHub release and create backfill PR
runs-on: ubuntu-latest
steps:

- name: Configure AWS Credentials via OIDC
uses: aws-actions/configure-aws-credentials@v6
with:
role-to-assume: arn:aws:iam::730335206644:role/delegatedadmin/developer/qppa-github-actions-role
aws-region: us-east-1

- name: Retrieve GitHub service account token from secops account
id: get-token
run: |
SECRET_VALUE=$(aws secretsmanager get-secret-value \
--secret-id "arn:aws:secretsmanager:us-east-1:863249929524:secret:qpp/qppa/github/token/automation-bhLO2e" \
--query SecretString \
--output text | jq -r ".GITHUB_TOKEN")
echo "::add-mask::$SECRET_VALUE"
echo "GITHUB_TOKEN=$SECRET_VALUE" >> $GITHUB_OUTPUT

- name: Checkout codebase
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ steps.get-token.outputs.GITHUB_TOKEN }}

- name: Get latest draft release
id: get_release
Expand All @@ -23,24 +43,40 @@ jobs:
RELEASE_DATA=$(gh release list --limit 1 --json isDraft,tagName,name | jq -r '.[0]')
IS_DRAFT=$(echo "$RELEASE_DATA" | jq -r '.isDraft')
TAG_NAME=$(echo "$RELEASE_DATA" | jq -r '.tagName')

echo "is_draft=${IS_DRAFT}" >> $GITHUB_OUTPUT
echo "tag_name=${TAG_NAME}" >> $GITHUB_OUTPUT
echo "Found release: ${TAG_NAME} (draft: ${IS_DRAFT})"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ steps.get-token.outputs.GITHUB_TOKEN }}

- name: Publish draft release
if: steps.get_release.outputs.is_draft == 'true'
run: |
gh release edit ${{ steps.get_release.outputs.tag_name }} --draft=false --latest
echo "Published release ${{ steps.get_release.outputs.tag_name }} as latest"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ steps.get-token.outputs.GITHUB_TOKEN }}
backfill:
name: Backfill master to develop branch
runs-on: ubuntu-latest
steps:
- name: Configure AWS Credentials via OIDC
uses: aws-actions/configure-aws-credentials@v6
with:
role-to-assume: arn:aws:iam::730335206644:role/delegatedadmin/developer/qppa-github-actions-role
aws-region: us-east-1

- name: Retrieve GitHub service account token from secops account
id: get-token
run: |
SECRET_VALUE=$(aws secretsmanager get-secret-value \
--secret-id "arn:aws:secretsmanager:us-east-1:863249929524:secret:qpp/qppa/github/token/automation-bhLO2e" \
--query SecretString \
--output text | jq -r ".GITHUB_TOKEN")
echo "::add-mask::$SECRET_VALUE"
echo "GITHUB_TOKEN=$SECRET_VALUE" >> $GITHUB_OUTPUT

- name: Check params
run: |
echo "head.ref = ${{github.event.pull_request.head.ref}}"
Expand All @@ -49,7 +85,7 @@ jobs:
- uses: actions/checkout@v4
with:
ref: master
token: ${{ secrets.ACTIONS_NICHOLAS_PAT }}
token: ${{ steps.get-token.outputs.GITHUB_TOKEN }}

- name: Create backfill branch
run: git checkout -b backfill/master;
Expand All @@ -62,14 +98,14 @@ jobs:

- name: Push backfill branch
env:
GITHUB_TOKEN: ${{ secrets.ACTIONS_NICHOLAS_PAT }}
GITHUB_TOKEN: ${{ steps.get-token.outputs.GITHUB_TOKEN }}
run: |
git push origin backfill/master

- name: Create backfill pull request to develop branch
uses: thomaseizinger/create-pull-request@1.4.0
with:
github_token: ${{ secrets.ACTIONS_NICHOLAS_PAT }}
github_token: ${{ steps.get-token.outputs.GITHUB_TOKEN }}
head: backfill/master
base: develop
draft: true
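Review bot: In the `publish_and_backfill` job, `Get latest draft release` and `Publish draft release` swapped the job-scoped `secrets.GITHUB_TOKEN` for the long-lived service-account token even though those steps only run `gh release` against this repository; unless publishing the release has to trigger another workflow (the draft workflow's comment says that is why a PAT is needed there, and I can't tell from this hunk whether it applies here), the ephemeral token with `contents: write` in that job's `permissions:` would do the same job with less exposure of the PAT. Note also that the top-level `permissions:` block (`id-token: write`, `contents: read`) only bounds `GITHUB_TOKEN`; the retrieved token's reach is whatever the service account was granted in the secops account, so the `contents: read` line reads as tighter than the workflow actually is. Extending the existing comment would make that explicit: `contents: read # bounds GITHUB_TOKEN only; the service-account token from Secrets Manager is scoped in the secops account`. The `backfill` job repeats the OIDC and token-retrieval steps verbatim; a composite action would keep them in one place.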
4 changes: 4 additions & 0 deletions DockerfileTest
Expand Up @@ -38,6 +38,10 @@ COPY --from=builder /usr/src/app/rest-api/target/rest-api.jar /usr/src/run/rest-
# Copy test runtime artifacts, including qppConverterTest.sh.
COPY --from=builder /usr/src/app/tools/docker/docker-test-artifacts/ /usr/src/run/

# Copy test profile config and SSL keystore so Spring Boot can load external test settings.
COPY --from=builder /usr/src/app/rest-api/src/test/resources/application.properties /usr/src/run/application-test.properties
COPY --from=builder /usr/src/app/rest-api/src/test/resources/test-keystore.p12 /usr/src/run/

# Fix the startup script for Alpine runtime:
# 1. Remove Windows CRLF line endings if present.
# 2. Replace #!/bin/bash with #!/bin/sh because Alpine does not include bash by default.
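Review bot: The new `COPY` of `test-keystore.p12` (and of `application-test.properties`, which presumably carries the keystore password) bakes key material into an image layer, so anyone who can pull the image gets the keystore; that is acceptable only if the keystore is a disposable test artifact and the image built from `DockerfileTest` is never pushed to a shared registry. The comment above the two lines should state that constraint rather than just what is copied, e.g. `# test-keystore.p12 is a disposable test-only keystore; never publish this image or reuse the keystore outside tests.`. If the image does get published, mount the keystore into the container at test time instead of copying it into a layer.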
15 changes: 15 additions & 0 deletions SECURITY.md
@@ -0,0 +1,15 @@
# Security Policy

We always recommend users to upgrade to the latest revision. All security vulnerability fixes will be addressed as quickly as possible using a patch release.

## Supported Versions

| Version | Supported |
| ------- | --------- |
| >= 2026.03.31.01-RELEASE | ✅ |
| < 2026.03.31.01-RELEASE | ❌ |

## Reporting a Vulnerability

If you believe that you've found a security vulnerability in the codebase
or one of the libraries maintained in this repository, please create an issue and provide details of the bug. For guidelines refer [SUPPORT.md](./.github/SUPPORT.md)
15 changes: 13 additions & 2 deletions acceptance-tests/pom.xml
Expand Up @@ -3,7 +3,7 @@
<modelVersion>4.0.0</modelVersion>
<artifactId>acceptance-tests</artifactId>
<groupId>gov.cms.qpp.conversion</groupId>
<version>2026.05.01.01-RELEASE</version>
<version>2026.06.15.01-RELEASE</version>
<name>conversion-tests</name>
<packaging>jar</packaging>
<properties>
Expand All @@ -12,6 +12,17 @@
<cucumber.version>4.2.5</cucumber.version>
</properties>

<dependencyManagement>
<dependencies>
<!-- Override Selenium's vulnerable transitive OpenTelemetry API version. -->
<dependency>
<groupId>io.opentelemetry</groupId>
<artifactId>opentelemetry-api</artifactId>
<version>1.62.0</version>
</dependency>
</dependencies>
</dependencyManagement>

<dependencies>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
Expand Down Expand Up @@ -49,7 +60,7 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>6.2.18</version>
<version>6.2.19</version>
</dependency>

<dependency>
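Review bot: The `dependencyManagement` override pins only `opentelemetry-api` to 1.62.0, while Selenium presumably still pulls the other OpenTelemetry artifacts (`opentelemetry-context`, the SDK modules) transitively at their original version; the OpenTelemetry api and sdk artifacts are released in lockstep, and a skew between them tends to fail at runtime rather than at build time. Importing `io.opentelemetry:opentelemetry-bom` at the same version keeps every OTel artifact aligned, and the comment should name the advisory being mitigated so the pin can be dropped once Selenium upgrades. Separately, `spring-web` is hard-coded to 6.2.19 here while the parent `pom.xml` in this PR now uses `${spring.framework.version}`; this pom declares no `<parent>` in the visible lines, so it cannot inherit that property and the two files have to be bumped together — worth a comment next to the version.
```xml
<!-- Override Selenium's vulnerable transitive OpenTelemetry version.
     Import the BOM so api, context and sdk artifacts move together. -->
<dependency>
  <groupId>io.opentelemetry</groupId>
  <artifactId>opentelemetry-bom</artifactId>
  <version>1.62.0</version>
  <type>pom</type>
  <scope>import</scope>
</dependency>
```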
4 changes: 3 additions & 1 deletion buildspec/build_deploy.yaml
Expand Up @@ -14,12 +14,14 @@ env:
DOCKERHUB_TOKEN: "/global/dockerhub_token"
DOCKERHUB_USER: "/global/dockerhub_user"
AWS_ACCOUNT : "/global/aws_account"
REPO_PAT: "/global/scoring_api_repo_pat"
BRANCH_STATUS_URL: "/global/ct_branch_status_url"
PART_FILE: "/qppar-sf/conversion-tool/CPC_PLUS_FILE_NAME"
PART_FILE_BUCKET: "/qppar-sf/$ENV/conversion-tool/CPC_PLUS_BUCKET_NAME"
OUTPUT_PART_FILE: "/qppar-sf/$ENV/conversion-tool/CPC_PLUS_VALIDATION_FILE"

secrets-manager:
REPO_PAT: "arn:aws:secretsmanager:us-east-1:863249929524:secret:qpp/qppa/github/token/automation-bhLO2e:GITHUB_TOKEN"

phases:
install:
runtime-versions:
8 changes: 5 additions & 3 deletions buildspec/pr_build.yaml
Expand Up @@ -9,7 +9,9 @@ env:
parameter-store:
DOCKERHUB_TOKEN: "/global/dockerhub_token"
DOCKERHUB_USER: "/global/dockerhub_user"
SCORING_REPO_PAT: "/global/scoring_api_repo_pat"

secrets-manager:
REPO_PAT: "arn:aws:secretsmanager:us-east-1:863249929524:secret:qpp/qppa/github/token/automation-bhLO2e:GITHUB_TOKEN"

phases:
install:
Expand All @@ -27,7 +29,7 @@ phases:
curl \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${SCORING_REPO_PAT}" \
-H "Authorization: Bearer ${REPO_PAT}" \
${BRANCH_STATUSES_URL} \
-d "${CURL_PAYLOAD}"
- node -v
Expand Down Expand Up @@ -69,6 +71,6 @@ phases:
curl \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${SCORING_REPO_PAT}" \
-H "Authorization: Bearer ${REPO_PAT}" \
${BRANCH_STATUSES_URL} \
-d "${CURL_PAYLOAD}"
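Review bot: Now that `REPO_PAT` comes from Secrets Manager, the two `curl` calls that send `-H "Authorization: Bearer ${REPO_PAT}"` (this hunk and the earlier one in the same file) still do not fail on an HTTP error, so an expired, rotated or mis-keyed secret would get a 401 from GitHub and the build would carry on as if the branch status had been posted. Adding `--fail-with-body` (or `-f` on older curl) to both invocations turns that into a build failure: `curl --fail-with-body -sS -X POST \`. If the secret lives in a different account from the CodeBuild project, the service role also needs `secretsmanager:GetSecretValue` and `kms:Decrypt` on it; I can't confirm the account relationship from this hunk.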
2 changes: 1 addition & 1 deletion commandline/pom.xml
Expand Up @@ -6,7 +6,7 @@
<parent>
<groupId>gov.cms.qpp.conversion</groupId>
<artifactId>qpp-conversion-tool-parent</artifactId>
<version>2026.05.01.01-RELEASE</version>
<version>2026.06.15.01-RELEASE</version>
<relativePath>../pom.xml</relativePath>
</parent>

2 changes: 1 addition & 1 deletion commons/pom.xml
Expand Up @@ -6,7 +6,7 @@
<parent>
<groupId>gov.cms.qpp.conversion</groupId>
<artifactId>qpp-conversion-tool-parent</artifactId>
<version>2026.05.01.01-RELEASE</version>
<version>2026.06.15.01-RELEASE</version>
<relativePath>../pom.xml</relativePath>
</parent>

2 changes: 1 addition & 1 deletion converter/pom.xml
Expand Up @@ -6,7 +6,7 @@
<parent>
<groupId>gov.cms.qpp.conversion</groupId>
<artifactId>qpp-conversion-tool-parent</artifactId>
<version>2026.05.01.01-RELEASE</version>
<version>2026.06.15.01-RELEASE</version>
<relativePath>../pom.xml</relativePath>
</parent>

2 changes: 1 addition & 1 deletion generate-race-cpcplus/pom.xml
Expand Up @@ -6,7 +6,7 @@

<groupId>gov.cms.qpp.conversion</groupId>
<artifactId>generateRaceCpcPlus</artifactId>
<version>2026.05.01.01-RELEASE</version>
<version>2026.06.15.01-RELEASE</version>
<name>generate-race-cpcplus</name>
<packaging>jar</packaging>

2 changes: 1 addition & 1 deletion generate/pom.xml
Expand Up @@ -5,7 +5,7 @@
<parent>
<artifactId>qpp-conversion-tool-parent</artifactId>
<groupId>gov.cms.qpp.conversion</groupId>
<version>2026.05.01.01-RELEASE</version>
<version>2026.06.15.01-RELEASE</version>
<relativePath>../pom.xml</relativePath>
</parent>
<modelVersion>4.0.0</modelVersion>
19 changes: 11 additions & 8 deletions pom.xml
Expand Up @@ -6,7 +6,7 @@
<groupId>gov.cms.qpp.conversion</groupId>
<artifactId>qpp-conversion-tool-parent</artifactId>
<packaging>pom</packaging>
<version>2026.05.01.01-RELEASE</version>
<version>2026.06.15.01-RELEASE</version>
<name>QPP Conversion Tool</name>

<properties>
Expand All @@ -15,6 +15,9 @@
<junit.version>5.11.4</junit.version>
<junit.platform.version>1.11.4</junit.platform.version>
<jjwt.version>0.10.7</jjwt.version>
<spring.framework.version>6.2.19</spring.framework.version>
<spring.security.version>6.5.11</spring.security.version>
<tomcat.embed.version>10.1.55</tomcat.embed.version>

<requiredCodeCoverage>0.90</requiredCodeCoverage>
<verificationsPhase>verify</verificationsPhase>
Expand Down Expand Up @@ -511,25 +514,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>6.5.9</version>
<version>${spring.security.version}</version>
</dependency>

<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>6.2.18</version>
<version>${spring.framework.version}</version>
</dependency>

<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>6.2.18</version>
<version>${spring.framework.version}</version>
</dependency>

<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>6.2.18</version>
<version>${spring.framework.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
Expand All @@ -555,17 +558,17 @@
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-core</artifactId>
<version>10.1.54</version>
<version>${tomcat.embed.version}</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-el</artifactId>
<version>10.1.54</version>
<version>${tomcat.embed.version}</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-websocket</artifactId>
<version>10.1.54</version>
<version>${tomcat.embed.version}</version>
</dependency>

<dependency>
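Review bot: The new `spring.framework.version`, `spring.security.version` and `tomcat.embed.version` properties centralise the pins in this pom, but `acceptance-tests/pom.xml` in the same PR still hard-codes `spring-web` 6.2.19; it is built standalone (the release workflow runs `versions:set` with `-f acceptance-tests/pom.xml`), so it cannot see these properties and will drift on the next bump unless someone remembers it. A comment above the new properties would make that dependency visible: `<!-- acceptance-tests/pom.xml is built standalone and pins spring-web separately; bump both together. -->`. Also, because `spring-framework-bom` is imported with `<scope>import</scope>` in the same block, the explicit `<version>` on `spring-web` and `spring-webmvc` is redundant with the BOM; sharing the property makes that harmless, but removing the two explicit versions would leave a single source of truth. The enclosing `<dependencyManagement>` block starts and ends outside the hunk.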