chore: update ci workflows and deps (#170)

* update ci worklows and deps

* clean up unused deps

* use kafka bom

* update grpc utils

* update kafka streams framework

Author: SrikarMannepalli

.github/workflows/codeql-analysis.yml

@@ -28,21 +28,6 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v3
 
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
-
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2

.github/workflows/merge-publish.yml

@@ -7,33 +7,21 @@ on:
 
 jobs:
   merge-publish:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
        # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_READ_USER }}
           password: ${{ secrets.DOCKERHUB_READ_TOKEN }}
 
-      - name: push docker image
+      - name: Push docker image
         uses: hypertrace/github-actions/gradle@main
         with: 
           args: dockerPushImages

.github/workflows/pr-build.yml

@@ -9,50 +9,39 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
           fetch-depth: 0
 
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
-
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_READ_USER }}
           password: ${{ secrets.DOCKERHUB_READ_TOKEN }}
 
       - name: Build with Gradle
         uses: hypertrace/github-actions/gradle@main
         with:
-          args: build dockerBuildImages
+          args: assemble dockerBuildImages
+
+      - name: Run Trivy vulnerability scanner
+        uses: hypertrace/github-actions/trivy-image-scan@main
+        with:
+          image: hypertrace/config-service
+          output-mode: github
 
   validate-protos:
-    runs-on: ubuntu-20.04
-    container:
-      image: bufbuild/buf:0.35.1
-      credentials:
-        username: ${{ secrets.DOCKERHUB_READ_USER }}
-        password: ${{ secrets.DOCKERHUB_READ_TOKEN }}
+    runs-on: ubuntu-22.04
       # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
     steps:
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -69,21 +58,4 @@ jobs:
       - name: Check for breaking changes
         uses: bufbuild/buf-breaking-action@v1
         with:
-          against: '.git#branch=origin/main'
-
-  snyk-scan:
-    runs-on: ubuntu-20.04
-    steps:
-      # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
-      - name: Check out code
-        uses: actions/checkout@v2.3.4
-        with:
-          ref: ${{github.event.pull_request.head.ref}}
-          repository: ${{github.event.pull_request.head.repo.full_name}}
-          fetch-depth: 0
-      - name: Setup snyk
-        uses: snyk/actions/setup@0.3.0
-      - name: Snyk test
-        run: snyk test --all-sub-projects --org=hypertrace --severity-threshold=low --policy-path=.snyk --configuration-matching='^runtimeClasspath$' --remote-repo-url='${{ github.server_url }}/${{ github.repository }}.git'
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          against: '.git#branch=origin/main'

.github/workflows/pr-test.yml

@@ -7,34 +7,21 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        id: cache-packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
-
-      - name: Unit test
+      - name: Unit test and other verification
         uses: hypertrace/github-actions/gradle@main
         with:
-          args: jacocoTestReport
+          args: check jacocoTestReport
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v2
+        uses: codecov/codecov-action@v3
         with:
           name: unit test reports
           flags: unit
@@ -45,25 +32,31 @@ jobs:
           args: jacocoIntegrationTestReport
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v2
+        uses: codecov/codecov-action@v3
         with:
           name: integration test reports
           flags: integration
 
       - name: Publish Unit Test Results
-        uses: docker://ghcr.io/enricomi/publish-unit-test-result-action:v1.6
+        uses: EnricoMi/publish-unit-test-result-action@v2
         if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           files: ./**/build/test-results/**/*.xml
 
   validate-helm-charts:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
       - name: validate charts
         uses: hypertrace/github-actions/validate-charts@main
+
+  dependency-check:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Dependency Check
+        uses: hypertrace/github-actions/dependency-check@main

.github/workflows/publish.yml

@@ -8,33 +8,21 @@ on:
 
 jobs:
   publish-artifacts:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
-            
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_READ_USER }}
           password: ${{ secrets.DOCKERHUB_READ_TOKEN }}
 
-      - name: publish docker image
+      - name: Publish docker image
         uses: hypertrace/github-actions/gradle@main
         with: 
           args: publish dockerPushImages
@@ -47,11 +35,11 @@ jobs:
 
   publish-helm-charts:
     needs: publish-artifacts
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
        # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Checkout Repository
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
@@ -62,9 +50,9 @@ jobs:
           helm-gcs-repository: ${{ secrets.HELM_GCS_REPOSITORY }}
 
   publish-release-notes:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v2.3.4
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - uses: hypertrace/github-actions/release-notes@main

.snyk

@@ -7,7 +7,7 @@ import com.google.protobuf.gradle.protoc
 
 plugins {
   `java-library`
-  id("com.google.protobuf") version "0.8.17"
+  id("com.google.protobuf")
   id("org.hypertrace.publish-plugin")
 }
 

alerting-config-service-api/build.gradle.kts

@@ -7,6 +7,8 @@ plugins {
   id("org.hypertrace.docker-publish-plugin") version "0.9.4" apply false
   id("org.hypertrace.integration-test-plugin") version "0.2.0" apply false
   id("org.hypertrace.code-style-plugin") version "1.1.2" apply false
+  id("com.google.protobuf") version "0.8.19" apply false
+  id("org.owasp.dependencycheck") version "8.2.1"
 }
 
 subprojects {
@@ -26,3 +28,10 @@ subprojects {
 
   apply(plugin = "org.hypertrace.code-style-plugin")
 }
+
+dependencyCheck {
+  format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.ALL.toString()
+  suppressionFile = "owasp-suppressions.xml"
+  scanConfigurations.add("runtimeClasspath")
+  failBuildOnCVSS = 7.0F
+}

build.gradle.kts

@@ -8,7 +8,7 @@ import com.google.protobuf.gradle.protoc
 plugins {
   `java-library`
   `java-test-fixtures`
-  id("com.google.protobuf") version "0.8.17"
+  id("com.google.protobuf")
   id("org.hypertrace.publish-plugin")
 }
 

config-service-api/build.gradle.kts

@@ -3,7 +3,7 @@ import com.google.protobuf.gradle.protoc
 
 plugins {
   `java-library`
-  id("com.google.protobuf") version "0.8.17"
+  id("com.google.protobuf")
   id("org.hypertrace.publish-plugin")
 }
 
@@ -23,5 +23,6 @@ sourceSets {
 
 dependencies {
   api(libs.protobuf.java)
+  api(platform(libs.kafka.bom))
   api(libs.kafka.clients)
 }