From 020e7ddd679bad2aab5e65fcbf727b6178224725 Mon Sep 17 00:00:00 2001
From: Dmitry Smirnov
Date: Thu, 8 Jan 2026 15:42:32 +0300
Subject: [PATCH 1/5] upgrade to usabilitydynamics/udx-worker:0.36.0

---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 497be0c..07ea42b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,8 +1,8 @@
 # Use the latest udx-worker as the base image
-FROM usabilitydynamics/udx-worker:0.35.0
+FROM usabilitydynamics/udx-worker:0.36.0
 
 # Add metadata labels
-LABEL version="0.23.0"
+LABEL version="0.24.0"
 
 # Set build arguments for Node.js version and application port
 ARG NODE_VERSION=22.21.1

From 7006c3252f2b6dde73bac7d3b738d0d6200d5a9e Mon Sep 17 00:00:00 2001
From: Dmitry Smirnov
Date: Thu, 8 Jan 2026 15:42:48 +0300
Subject: [PATCH 2/5] migrate to docker-ops

---
 .github/workflows/build-and-test.yml | 2 +-
 .github/workflows/docker-ops.yml | 32 ++++++++++++++++++++++++++++
 .github/workflows/release.yml | 4 ++--
 3 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/docker-ops.yml

diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index e61dcbe..157580e 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -91,7 +91,7 @@ jobs:
 jq -r '.packages[] | select(.versionInfo != null) | "\(.name) | \(.versionInfo)"' sbom.json | sort | uniq | head -n 20 | column -t -s '|'
 
 - name: Upload SBOM Artifact
- uses: actions/upload-artifact@v5
+ uses: actions/upload-artifact@v6
 with:
 name: sbom
 path: sbom.json
diff --git a/.github/workflows/docker-ops.yml b/.github/workflows/docker-ops.yml
new file mode 100644
index 0000000..27f7025
--- /dev/null
+++ b/.github/workflows/docker-ops.yml
@@ -0,0 +1,32 @@
+---
+name: Docker Operations
+
+"on":
+ push:
+ paths:
+ - '.github/workflows/release.yml'
+ - 'Dockerfile'
+ - 'ci/**'
+ - 'src/**'
+ - LICENSE
+ workflow_dispatch:
+
+jobs:
+ docker_ops:
+ permissions:
+ id-token: write
+ contents: write
+ security-events: write
+ actions: read
+
+ uses: udx/reusable-workflows/.github/workflows/docker-ops.yml@master
+ with:
+ image_name: worker-nodejs
+ release_branch: latest
+ docker_login: ${{ vars.DOCKER_LOGIN }}
+ docker_org: ${{ vars.DOCKER_ORG }}
+ docker_repo: ${{ vars.DOCKER_REPO }}
+ enable_security_upload: ${{ github.repository == 'udx/worker-nodejs' }}
+
+ secrets:
+ docker_token: ${{ secrets.DOCKER_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d3740b6..89a7936 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -111,7 +111,7 @@ jobs:
 fi
 
 - name: Upload SBOM Artifact
- uses: actions/upload-artifact@v5
+ uses: actions/upload-artifact@v6
 with:
 name: sbom
 path: sbom.json
@@ -137,7 +137,7 @@ jobs:
 git config --global user.name "UDX Worker NodeJS"
 
 - name: Download SBOM Artifact
- uses: actions/download-artifact@v6
+ uses: actions/download-artifact@v7
 with:
 name: sbom
 

From 59532e8b753e614bdee4403ef83db7b3e9de52a3 Mon Sep 17 00:00:00 2001
From: Dmitry Smirnov
Date: Thu, 8 Jan 2026 15:44:14 +0300
Subject: [PATCH 3/5] added permissions for codeql workflow

---
 .github/workflows/codeql.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d7ae00e..b563dee 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -4,6 +4,9 @@ name: "CodeQL and Linter"
 on:
 push:
 
+permissions:
+ contents: read
+
 jobs:
 analyze-shell:
 name: Analyze Shell Scripts

From 4ef563e922edc212f558d9c273d13a6d8a43552d Mon Sep 17 00:00:00 2001
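Review bot: The reusable workflow reference `uses: udx/reusable-workflows/.github/workflows/docker-ops.yml@master` is pinned to a mutable branch while the calling job grants it `id-token: write`, `contents: write` and `security-events: write` and hands it `secrets.DOCKER_TOKEN`, so any later change on that branch runs here with those permissions and that secret. Pinning to a release tag or a full commit SHA, e.g. `uses: udx/reusable-workflows/.github/workflows/docker-ops.yml@<tag-or-sha>`, keeps the trust boundary explicit and lets dependency tooling propose updates. The `push:` trigger also carries no `branches` filter, so the job runs for a push on any branch that touches the listed paths; if only the `latest` branch is meant to publish, that is presumably enforced inside the reusable workflow via `release_branch`, which is worth confirming.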
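Review bot: The workflow-level `permissions: contents: read` added in the codeql.yml hunk becomes the ceiling for every job that does not declare its own block, and a CodeQL job that uploads SARIF needs `security-events: write` to do so; if the analyze jobs currently rely on the default token, their upload step will start failing. The job bodies are outside this hunk, so whether they carry a job-level `permissions:` cannot be confirmed here. If they do not, add `security-events: write` at the job level for the analysis jobs rather than widening the top-level block.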
From: Dmitry Smirnov
Date: Thu, 8 Jan 2026 15:47:12 +0300
Subject: [PATCH 4/5] tweak

---
 .github/workflows/docker-ops.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker-ops.yml b/.github/workflows/docker-ops.yml
index 27f7025..1fc274c 100644
--- a/.github/workflows/docker-ops.yml
+++ b/.github/workflows/docker-ops.yml
@@ -4,7 +4,7 @@ name: Docker Operations
 "on":
 push:
 paths:
- - '.github/workflows/release.yml'
+ - '.github/workflows/docker-ops.yml'
 - 'Dockerfile'
 - 'ci/**'
 - 'src/**'

From 638f0631888d7fe0c436e78510180550fad23faa Mon Sep 17 00:00:00 2001
From: Dmitry Smirnov
Date: Thu, 8 Jan 2026 15:48:12 +0300
Subject: [PATCH 5/5] removed legacy workflows

---
 .github/workflows/build-and-test.yml | 97 -----------------
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/docker-ops.yml | 10 +-
 .github/workflows/release.yml | 156 ---------------------------
 4 files changed, 6 insertions(+), 259 deletions(-)
 delete mode 100644 .github/workflows/build-and-test.yml
 delete mode 100644 .github/workflows/release.yml

diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
deleted file mode 100644
index 157580e..0000000
--- a/.github/workflows/build-and-test.yml
+++ /dev/null
@@ -1,97 +0,0 @@
----
-name: Build and Test Docker Image
-
-on:
- push:
- branches-ignore:
- - latest
- paths:
- - '.github/workflows/build-and-test.yml'
- - 'Dockerfile'
- - 'src/**'
- - LICENSE
-
-jobs:
- build:
- runs-on: ubuntu-latest
- permissions:
- contents: write
-
- steps:
- - name: Checkout code
- uses: actions/checkout@v6
- with:
- fetch-depth: 0
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
-
- - name: Run Development Pipeline
- run: make dev-pipeline
- working-directory: .
-
- - name: Install Trivy
- run: |
- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | \
- sudo sh -s -- -b /usr/local/bin
-
- - name: Trivy Vulnerability Scanning
- run: |
- export TRIVY_DISABLE_VEX_NOTICE=true
-
- # Disable exit on error for the retry logic
- set +e
-
- # Retry logic for Trivy
- max_retries=5
- attempt=1
- success=false
-
- while [ $attempt -le $max_retries ]; do
- echo "Running Trivy scan, attempt $attempt..."
-
- # Run the Trivy scan and capture the exit status
- trivy image --severity CRITICAL --exit-code 1 --quiet \
- usabilitydynamics/udx-worker-nodejs:latest | tee trivy.log | grep -v 'INFO'
- scan_exit_code=$?
-
- # Check if CRITICAL vulnerabilities were detected
- if grep -E "Total: [1-9]" trivy.log; then
- echo "CRITICAL vulnerabilities detected! Exiting."
- exit 1
- fi
-
- # Handle a successful scan (no critical vulnerabilities found)
- if [ $scan_exit_code -eq 0 ]; then
- echo "No CRITICAL vulnerabilities found."
- success=true
- break
- else
- echo "Trivy scan encountered an error, retrying in 2 minutes..."
- sleep 120
- attempt=$((attempt+1))
- fi
- done
-
- # Exit if all retries fail without a successful scan
- if [ "$success" = false ]; then
- echo "Failed to complete Trivy scan after $max_retries attempts."
- exit 1
- fi
-
- - name: Trivy SBOM Generation
- run: |
- export TRIVY_DISABLE_VEX_NOTICE=true
- trivy image --format spdx-json --output sbom.json usabilitydynamics/udx-worker-nodejs:latest 2>/dev/null
-
- echo "SBOM Top Packages Summary:"
- echo "| Package Name | Version |"
- echo "|-------------------|-----------|"
-
- jq -r '.packages[] | select(.versionInfo != null) | "\(.name) | \(.versionInfo)"' sbom.json | sort | uniq | head -n 20 | column -t -s '|'
-
- - name: Upload SBOM Artifact
- uses: actions/upload-artifact@v6
- with:
- name: sbom
- path: sbom.json
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b563dee..4ad43e9 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -5,7 +5,7 @@ on:
 push:
 
 permissions:
- contents: read
+ contents: read
 
 jobs:
 analyze-shell:
diff --git a/.github/workflows/docker-ops.yml b/.github/workflows/docker-ops.yml
index 1fc274c..c630986 100644
--- a/.github/workflows/docker-ops.yml
+++ b/.github/workflows/docker-ops.yml
@@ -4,10 +4,10 @@ name: Docker Operations
 "on":
 push:
 paths:
- - '.github/workflows/docker-ops.yml'
- - 'Dockerfile'
- - 'ci/**'
- - 'src/**'
+ - ".github/workflows/docker-ops.yml"
+ - "Dockerfile"
+ - "ci/**"
+ - "src/**"
 - LICENSE
 workflow_dispatch:
 
@@ -29,4 +29,4 @@ jobs:
 enable_security_upload: ${{ github.repository == 'udx/worker-nodejs' }}
 
 secrets:
- docker_token: ${{ secrets.DOCKER_TOKEN }}
\ No newline at end of file
+ docker_token: ${{ secrets.DOCKER_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index 89a7936..0000000
--- a/.github/workflows/release.yml
+++ /dev/null
@@ -1,156 +0,0 @@
----
-name: Release
-
-on:
- push:
- branches:
- - "latest"
- paths:
- - '.github/workflows/release.yml'
- - 'Dockerfile'
- - 'ci/**'
- - 'src/**'
- - LICENSE
-
-jobs:
- docker-release:
- runs-on: ubuntu-latest
- permissions:
- id-token: write
- contents: write
-
- outputs:
- semVer: ${{ steps.gitversion.outputs.semVer }}
- changelog: ${{ steps.changelog.outputs.changelog }}
-
- steps:
- - name: Checkout code
- uses: actions/checkout@v6
- with:
- fetch-depth: 0
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
- with:
- driver: docker-container
-
- - name: Install GitVersion
- uses: gittools/actions/gitversion/setup@v4.1.0
- with:
- versionSpec: "6.1.0"
-
- - name: Clear GitVersion Cache
- run: rm -rf .git/gitversion_cache
-
- - name: Determine Version
- id: gitversion
- uses: gittools/actions/gitversion/execute@v4.1.0
- with:
- useConfigFile: true
- configFilePath: ci/git-version.yml
-
- - name: Generate Changelog
- id: changelog
- run: |
- git log $(git describe --tags --abbrev=0)..HEAD -- . \
- --pretty=format:"- %s" > changelog.txt
- CHANGELOG=$(cat changelog.txt | jq -sRr @uri)
- echo "changelog<> $GITHUB_ENV
- echo "$CHANGELOG" >> $GITHUB_ENV
- echo "EOF" >> $GITHUB_ENV
- env:
- GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
-
- - name: Log in to Docker Hub
- uses: docker/login-action@v3
- with:
- username: "usabilitydynamics"
- password: ${{ secrets.DOCKER_TOKEN }}
-
- - name: Build and Push Docker Image
- id: docker_push
- uses: docker/build-push-action@v6
- with:
- context: .
- platforms: linux/amd64, linux/arm64
- push: true
- sbom: true
- provenance: true
- tags: |
- usabilitydynamics/udx-worker-nodejs:${{ steps.gitversion.outputs.semVer }}
- usabilitydynamics/udx-worker-nodejs:latest
-
- - name: Install Trivy
- run: |
- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | \
- sudo sh -s -- -b /usr/local/bin
-
- - name: Generate SBOM with Retry Logic
- id: generate-sbom
- run: |
- export TRIVY_DISABLE_VEX_NOTICE=true
- max_retries=10
- attempt=1
- success=false
- while [ $attempt -le $max_retries ]; do
- echo "Generating SBOM, attempt $attempt..."
- output=$(trivy image --format spdx-json --output sbom.json usabilitydynamics/udx-worker-nodejs:${{ steps.gitversion.outputs.semVer }} 2>&1)
- sbom_exit_code=$?
- if [ $sbom_exit_code -eq 0 ]; then
- echo "SBOM generation successful."
- success=true
- break
- else
- echo "Retrying in 120 seconds..."
- sleep 120
- attempt=$((attempt+1))
- fi
- done
- if [ "$success" = false ]; then
- exit 1
- fi
-
- - name: Upload SBOM Artifact
- uses: actions/upload-artifact@v6
- with:
- name: sbom
- path: sbom.json
-
- - name: Log out from Docker Hub
- run: docker logout
-
- github-release:
- runs-on: ubuntu-latest
- needs: docker-release
- permissions:
- contents: write
-
- steps:
- - name: Checkout code
- uses: actions/checkout@v6
- with:
- fetch-depth: 0
-
- - name: Configure Git for Pushing
- run: |
- git config --global user.email "worker@udx.io"
- git config --global user.name "UDX Worker NodeJS"
-
- - name: Download SBOM Artifact
- uses: actions/download-artifact@v7
- with:
- name: sbom
-
- - name: Create GitHub Release
- uses: softprops/action-gh-release@v2
- with:
- tag_name: ${{ needs.docker-release.outputs.semVer }}
- body: |
- Release version ${{ needs.docker-release.outputs.semVer }}.
- [View on Docker Hub](https://hub.docker.com/r/usabilitydynamics/udx-worker-nodejs/tags?page=1&ordering=last_updated).
- ${{ needs.docker-release.outputs.changelog }}
- draft: false
- prerelease: false
- files: sbom.json
- env:
- GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}