Merge branch 'master' into dependabot/docker/Docker/prod/CLI/python-3…

….12-slim

.github/workflows/build.yml

@@ -47,7 +47,7 @@ jobs:
       uses: graalvm/setup-graalvm@v1
       with:
         java-version: '21'
-        distribution: 'graalvm-community'
+        distribution: 'graalvm'
         github-token: ${{ secrets.GITHUB_TOKEN }}
         set-java-home: true
         cache: 'maven'
@@ -56,7 +56,7 @@ jobs:
       run: mvn -P build-drifty-cli-for-${{ matrix.os }} package
     - name: Set Up Maven version 3.8.8 # For GUI build issues, maven version 3.8.8 needs to be used
       if: ${{ matrix.mode == 'GUI' }}
-      uses: stCarolas/setup-maven@v4.5
+      uses: stCarolas/setup-maven@v5
       with:
         maven-version: 3.8.8
     - name: Build platform-specific C object for missing jdk libraries

.github/workflows/docker-publish.yml

@@ -1,10 +1,5 @@
 name: Build and publish Docker images
 
-# This workflow uses actions that GitHub does not certify.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
 on:
   push:
     branches: [ "**" ]
@@ -13,7 +8,7 @@ on:
     paths-ignore:
       - "Website/**"
       - "*.md"
-  pull_request:
+  pull_request_target:
     paths-ignore:
       - "Website/**"
       - "*.md"
@@ -25,6 +20,7 @@ env:
 jobs:
   build:
     runs-on: "ubuntu-latest"
+    if: github.repository == 'SaptarshiSarkar12/Drifty'
     strategy:
       matrix:
         filename: [ CLI/Dockerfile, GUI/Dockerfile ]
@@ -53,12 +49,12 @@ jobs:
     permissions:
       contents: read
       packages: write
-      # This is used to complete the identity challenge
-      # with sigstore/fulcio when running outside PRs.
-      id-token: write
+      security-events: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
       - name: Update system packages
         if: matrix.filename == 'GUI/Dockerfile'
         run: sudo apt-get update
@@ -71,7 +67,7 @@ jobs:
         uses: graalvm/setup-graalvm@v1
         with:
           java-version: '21'
-          distribution: 'graalvm-community'
+          distribution: 'graalvm'
           github-token: ${{ secrets.GITHUB_TOKEN }}
           set-java-home: true
           cache: 'maven'
@@ -80,7 +76,7 @@ jobs:
         run: mvn -P build-drifty-cli-for-ubuntu-latest package
       - name: Set Up Maven version 3.8.8 # For GUI build issues, maven version 3.8.8 needs to be used
         if: matrix.filename == 'GUI/Dockerfile'
-        uses: stCarolas/setup-maven@v4.5
+        uses: stCarolas/setup-maven@v5
         with:
           maven-version: 3.8.8
       - name: Build platform-specific C object for missing jdk libraries
@@ -116,14 +112,14 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3.0.0
 
-      # Login against a Docker registry except on PR
+      # Login to GitHub Container Registry
       # https://github.com/docker/login-action
       - name: Log into registry
-        if: github.event_name != 'pull_request' && github.repository == 'SaptarshiSarkar12/Drifty'
         uses: docker/login-action@v3.0.0
+        if: github.event_name != 'pull_request_target'
         with:
           registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
+          username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       # Extract metadata (tags, labels) for Docker
@@ -149,10 +145,34 @@ jobs:
         uses: docker/build-push-action@v5.1.0
         with:
           context: build/${{ matrix.docker_context }}
-          push: ${{ github.event_name != 'pull_request' && github.repository == 'SaptarshiSarkar12/Drifty' }}
+          push: ${{ github.event_name != 'pull_request_target' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
           file: Docker/prod/${{ matrix.filename }}
           platforms: linux/amd64,linux/arm64,linux/arm/v7
+
+      - name: Generate short commit SHA
+        if: github.event_name != 'pull_request_target'
+        run: echo "SHORT_SHA=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_ENV
+
+      - name: Run Trivy security scan
+        uses: aquasecurity/trivy-action@0.17.0
+        if: github.event_name != 'pull_request_target'
+        continue-on-error: true
+        with:
+          image-ref: ${{ env.REGISTRY }}/saptarshisarkar12/${{ matrix.image_name }}:sha-${{ env.SHORT_SHA }}
+          format: 'sarif'
+          exit-code: 1
+          vuln-type: os,library
+          ignore-unfixed: true
+          output: 'trivy-report.sarif'
+          hide-progress: false
+          scanners: vuln,secret,misconfig
+
+      - name: Upload Trivy security scan results
+        if: github.event_name != 'pull_request_target'
+        uses: github/codeql-action/upload-sarif@main
+        with:
+          sarif_file: trivy-report.sarif

CLI/pom.xml

@@ -45,7 +45,7 @@
                     <plugin>
                         <groupId>org.graalvm.buildtools</groupId>
                         <artifactId>native-maven-plugin</artifactId>
-                        <version>0.10.0</version>
+                        <version>0.10.1</version>
                         <extensions>true</extensions>
                         <configuration>
                             <imageName>Drifty CLI</imageName>
@@ -56,6 +56,7 @@
                                 <buildArg>--enable-url-protocols=http</buildArg>
                                 <buildArg>-H:ResourceConfigurationFiles=${project.parent.basedir}/config/${resource-config-file}</buildArg>
                                 <buildArg>--no-fallback</buildArg>
+                                <buildArg>-march=compatibility</buildArg>
                                 <buildArg>-H:+ReportExceptionStackTraces</buildArg>
                                 <buildArg>--verbose</buildArg>
                             </buildArgs>
@@ -64,7 +65,7 @@
                             <execution>
                                 <id>build</id>
                                 <goals>
-                                    <goal>build</goal>
+                                    <goal>compile-no-fork</goal>
                                 </goals>
                                 <phase>package</phase>
                             </execution>
@@ -84,7 +85,7 @@
                     <plugin>
                         <groupId>org.graalvm.buildtools</groupId>
                         <artifactId>native-maven-plugin</artifactId>
-                        <version>0.10.0</version>
+                        <version>0.10.1</version>
                         <extensions>true</extensions>
                         <configuration>
                             <imageName>Drifty CLI</imageName>
@@ -104,7 +105,7 @@
                             <execution>
                                 <id>build</id>
                                 <goals>
-                                    <goal>build</goal>
+                                    <goal>compile-no-fork</goal>
                                 </goals>
                                 <phase>package</phase>
                             </execution>
@@ -124,7 +125,7 @@
                     <plugin>
                         <groupId>org.graalvm.buildtools</groupId>
                         <artifactId>native-maven-plugin</artifactId>
-                        <version>0.10.0</version>
+                        <version>0.10.1</version>
                         <extensions>true</extensions>
                         <configuration>
                             <imageName>Drifty CLI</imageName>
@@ -144,7 +145,7 @@
                             <execution>
                                 <id>build</id>
                                 <goals>
-                                    <goal>build</goal>
+                                    <goal>compile-no-fork</goal>
                                 </goals>
                                 <phase>package</phase>
                             </execution>

CLI/src/main/resources/META-INF/native-image/reflect-config.json

@@ -40,10 +40,6 @@
   "name":"com.sun.crypto.provider.GaloisCounterMode$AESGCM",
   "methods":[{"name":"<init>","parameterTypes":[] }]
 },
-{
-  "name":"com.sun.crypto.provider.HmacCore$HmacSHA256",
-  "methods":[{"name":"<init>","parameterTypes":[] }]
-},
 {
   "name":"com.sun.crypto.provider.HmacCore$HmacSHA384",
   "methods":[{"name":"<init>","parameterTypes":[] }]
@@ -84,12 +80,6 @@
 {
   "name":"java.security.SecureRandomParameters"
 },
-{
-  "name":"java.security.interfaces.ECPrivateKey"
-},
-{
-  "name":"java.security.interfaces.ECPublicKey"
-},
 {
   "name":"java.security.interfaces.RSAPrivateKey"
 },
@@ -203,10 +193,6 @@
   "name":"sun.security.rsa.RSASignature$SHA256withRSA",
   "methods":[{"name":"<init>","parameterTypes":[] }]
 },
-{
-  "name":"sun.security.rsa.RSASignature$SHA384withRSA",
-  "methods":[{"name":"<init>","parameterTypes":[] }]
-},
 {
   "name":"sun.security.ssl.KeyManagerFactoryImpl$SunX509",
   "methods":[{"name":"<init>","parameterTypes":[] }]

GUI/pom.xml

@@ -86,6 +86,7 @@
                 <system-native-image-arg>-Dsvm.platform=org.graalvm.nativeimage.Platform$MACOS_AMD64</system-native-image-arg>
                 <system-linker-arg>${pom.parent.basedir}/config/missing_symbols-macos-latest.o</system-linker-arg>
                 <resource-config-file>resource-config-mac.json</resource-config-file>
+                <compatibility-arg>-march=compatibility</compatibility-arg>
                 <mac.app.store>true</mac.app.store>
             </properties>
         </profile>
@@ -105,6 +106,7 @@
                 <package.type>msi</package.type>
                 <system-linker-arg>${pom.parent.basedir}/config/missing_symbols-windows-latest.o</system-linker-arg>
                 <resource-config-file>resource-config-windows.json</resource-config-file>
+                <compatibility-arg>-march=compatibility</compatibility-arg>
             </properties>
         </profile>
     </profiles>

GUI/src/main/resources/META-INF/native-image/resource-config.json

@@ -76,6 +76,8 @@
     "pattern":"java.base:\\Qjdk/internal/icu/impl/data/icudt72b/uprops.icu\\E"
   }, {
     "pattern":"java.base:\\Qsun/net/idn/uidna.spp\\E"
+  }, {
+    "pattern":"java.base:\\Qsun/text/resources/WordBreakIteratorData\\E"
   }, {
     "pattern":"java.xml:\\Qcom/sun/org/apache/xml/internal/serializer/Encodings.properties\\E"
   }, {
@@ -104,8 +106,6 @@
     "pattern":"javafx.graphics:\\Qcom/sun/prism/es2/glsl/Texture_LinearGradient_PAD.frag\\E"
   }, {
     "pattern":"javafx.graphics:\\Qcom/sun/scenario/effect/impl/es2/glsl/Blend_SRC_IN.frag\\E"
-  }, {
-    "pattern":"javafx.graphics:\\Qcom/sun/scenario/effect/impl/es2/glsl/LinearConvolveShadow_20.frag\\E"
   }, {
     "pattern":"javafx.graphics:\\Qcom/sun/scenario/effect/impl/es2/glsl/LinearConvolveShadow_28.frag\\E"
   }, {

pom.xml

@@ -40,7 +40,7 @@
             <plugin>
                 <groupId>org.openrewrite.maven</groupId>
                 <artifactId>rewrite-maven-plugin</artifactId>
-                <version>5.22.0</version>
+                <version>5.23.1</version>
                 <configuration>
                     <activeRecipes>
                         <recipe>org.openrewrite.staticanalysis.CommonStaticAnalysis</recipe>
@@ -57,12 +57,12 @@
                     <dependency>
                         <groupId>org.openrewrite.recipe</groupId>
                         <artifactId>rewrite-static-analysis</artifactId>
-                        <version>1.3.0</version>
+                        <version>1.3.1</version>
                     </dependency>
                     <dependency>
                         <groupId>org.openrewrite.recipe</groupId>
                         <artifactId>rewrite-recommendations</artifactId>
-                        <version>1.2.1</version>
+                        <version>1.2.2</version>
                     </dependency>
                 </dependencies>
             </plugin>