test: Update demo scaffolder template

ThomasVitale · ThomasVitale · commit 0551bf6f8b15 · 2024-09-25T19:03:50.000+02:00
diff --git a/demo-catalog/templates/spring-boot-ai-rag/base/.github/dependabot.yml b/demo-catalog/templates/spring-boot-ai-rag/base/.github/dependabot.yml
@@ -0,0 +1,24 @@
+version: 2
+updates:
+  - package-ecosystem: gradle
+    directory: "/"
+    schedule:
+      interval: daily
+      time: "23:00"
+      timezone: Europe/Copenhagen
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "deps:"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: daily
+      time: "00:30"
+      timezone: Europe/Copenhagen
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "deps:"
diff --git a/demo-catalog/templates/spring-boot-ai-rag/base/.github/workflows/commit-stage.yml b/demo-catalog/templates/spring-boot-ai-rag/base/.github/workflows/commit-stage.yml
@@ -1,40 +1,78 @@
 name: Commit Stage
+
 on:
   push:
     branches:
       - main
+    paths-ignore:
+      - '.editorconfig'
+      - '.gitignore'
+      - '.sdkmanrc'
+      - '*.adoc'
+      - '*.png'
+      - '*.md'
+      - 'docs/**'
+      - '.github/ISSUE_TEMPLATE/**'
+      - '.github/*.md'
+      - '.github/*.yml'
+      - '.github/*.yaml'
 
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ values.repoUrl.owner | lower }}/${{ values.repoUrl.repo }}
   VERSION: ${{ '${{ github.sha }}' }}
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
     runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write
+      security-events: write
     steps:
       - name: Check out source code
-        uses: actions/checkout@v4
-
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0
+      
       - name: Set up Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4.4.0
         with:
           java-version: 22
-          distribution: temurin
-          cache: gradle
+          distribution: 'graalvm'
+      
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@d156388eb19639ec20ade50009f3d199ce1e2808 # v4.1.0
 
       - name: Compile and test
-        run: ./gradlew build
+        run: ./gradlew build sonar
+        env:
+          SONAR_TOKEN: ${{ '${{ secrets.SONAR_TOKEN }}' }}
+      
+      - name: SBOM vulnerability scanning
+        uses: aquasecurity/trivy-action@97646fedde05bcd0961217c60b50e23f721e7ec7 # master
+        with:
+          scan-type: 'sbom'
+          scan-ref: 'build/reports/application.cdx.json'
+          format: 'sarif'
+          output: 'trivy-results-build.sarif'
+
+      - name: Upload vulnerability report
+        uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
+        if: success() || failure()
+        with:
+          sarif_file: 'trivy-results-build.sarif'
+          category: build
 
       - name: Package as OCI image
         run: ./gradlew bootBuildImage --imageName ${{ '${{ env.REGISTRY }}' }}/${{ '${{ env.IMAGE_NAME }}' }}:${{ '${{ env.VERSION }}' }}
 
       - name: Authenticate with the container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ '${{ github.actor }}' }}
           password: ${{ '${{ secrets.GITHUB_TOKEN }}' }}
@@ -45,3 +83,54 @@ jobs:
           docker tag ${{ '${{ env.REGISTRY }}' }}/${{ '${{ env.IMAGE_NAME }}' }}:${{ '${{ env.VERSION }}' }} ${{ '${{ env.REGISTRY }}' }}/${{ '${{ env.IMAGE_NAME }}' }}:latest
           docker push ${{ '${{ env.REGISTRY }}' }}/${{ '${{ env.IMAGE_NAME }}' }}:${{ '${{ env.VERSION }}' }}
           docker push ${{ '${{ env.REGISTRY }}' }}/${{ '${{ env.IMAGE_NAME }}' }}:latest
+
+  sign:
+    name: Sign
+    runs-on: ubuntu-24.04
+    needs: [ build ]
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    outputs:
+      image-digest: ${{ '${{ steps.image-info.outputs.digest }}' }}
+      image-name: ${{ '${{ steps.image-info.outputs.name }}' }}
+    steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+
+      - uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
+        with:
+          username: ${{ '${{ github.actor }}' }}
+          password: ${{ '${{ secrets.GITHUB_TOKEN }}' }}
+          registry: ${{ '${{ env.REGISTRY }}' }}
+
+      - name: Fetch OCI image
+        run: podman pull ${{ '${{ env.REGISTRY }}' }}/${{ '${{ env.IMAGE_NAME }}' }}:${{ '${{ env.VERSION }}' }}
+
+      - name: Get OCI image digest
+        id: image-info
+        run: |
+          image_digest=$(podman inspect --format='{{.Digest}}' ${REGISTRY}/${IMAGE_NAME}:${VERSION})
+          echo $image_digest
+          echo "IMAGE_DIGEST=${image_digest}" >> $GITHUB_ENV
+          echo "digest=${image_digest}" >> $GITHUB_OUTPUT
+          echo "name=${REGISTRY}/${IMAGE_NAME}" >> $GITHUB_OUTPUT
+
+      - name: Sign image
+        run: |
+          cosign sign --yes "${REGISTRY}/${IMAGE_NAME}@${IMAGE_DIGEST}"
+
+  provenance:
+    needs: [ sign ]
+    permissions:
+      actions: read
+      id-token: write
+      packages: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+    with:
+      image: ${{ '${{ needs.sign.outputs.image-name }}' }}
+      digest: ${{ '${{ needs.sign.outputs.image-digest }}' }}
+      registry-username: ${{ '${{ github.actor }}' }}
+    secrets:
+      registry-password: ${{ '${{ secrets.GITHUB_TOKEN }}' }}
diff --git a/demo-catalog/templates/spring-boot-ai-rag/base/build.gradle b/demo-catalog/templates/spring-boot-ai-rag/base/build.gradle
@@ -1,7 +1,9 @@
 plugins {
 	id 'java'
-	id 'org.springframework.boot' version '3.4.0-M2'
+	id 'org.springframework.boot' version '3.4.0-M3'
 	id 'io.spring.dependency-management' version '1.1.6'
+	id 'org.cyclonedx.bom' version '1.10.0'
+	id 'org.sonarqube' version '4.4.1.3373'
 }
 
 group = '${{ values.groupId }}'
@@ -83,3 +85,11 @@ tasks.named('bootBuildImage') {
 	builder = "paketobuildpacks/builder-jammy-buildpackless-tiny"
 	buildpacks = [ "gcr.io/paketo-buildpacks/java" ]
 }
+
+sonar {
+	properties {
+		property "sonar.projectKey", "${{ values.repoUrl.owner }}_${{ values.repoUrl.repo }}"
+		property "sonar.organization", "${{ values.repoUrl.owner }}"
+		property "sonar.host.url", "https://sonarcloud.io"
+	}
+}
diff --git a/demo-catalog/templates/spring-boot-ai-rag/base/catalog-info.yml b/demo-catalog/templates/spring-boot-ai-rag/base/catalog-info.yml
@@ -7,6 +7,7 @@ metadata:
   annotations:
     backstage.io/kubernetes-id: ${{ values.name }}
     backstage.io/techdocs-ref: dir:.
+    endoflife.date/products: spring-boot
     github.com/project-slug: ${{ values.repoUrl.owner }}/${{ values.repoUrl.repo }}
     sonarqube.org/project-key: ${{ values.repoUrl.owner }}_${{ values.repoUrl.repo }}
 spec:
diff --git a/demo-catalog/templates/spring-boot-ai-rag/base/gradle/wrapper/gradle-wrapper.properties b/demo-catalog/templates/spring-boot-ai-rag/base/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
