Merge branch 'master' into fix-3977

liquibase · Apr 27, 2024 · 25fd81b · 25fd81b
2 parents 49255fe + 6a98509
commit 25fd81b
Show file tree

Hide file tree

Showing 136 changed files with 1,296 additions and 385 deletions.
diff --git a/.github/util/re-version.sh b/.github/util/re-version.sh
@@ -101,7 +101,6 @@ do
   ls $workdir
   echo "debug"
   unzip -q $workdir/$jar -d $workdir/rebuild
-
   find $workdir/rebuild -name "*.html" -exec sed -i -e "s/0-SNAPSHOT/$version/g" {} \;
   find $workdir/rebuild -name "*.xml" -exec sed -i -e "s/<version>0-SNAPSHOT<\/version>/<version>$version<\/version>/g" {} \;
 

diff --git a/.github/workflows/build-azure-uber-jar.yml b/.github/workflows/build-azure-uber-jar.yml
@@ -12,6 +12,15 @@ on:
         required: true
         type: string
   workflow_dispatch:
+    inputs:
+      branch:
+          description: 'branch to check out'
+          required: true
+          type: string
+      liquibase-version:
+          description: 'liquibase version'
+          required: true
+          type: string
 
 env:
   MAVEN_VERSION: '3.9.2'
@@ -106,7 +115,8 @@ jobs:
           maven-version: ${{ env.MAVEN_VERSION }}
 
       - name: Set version
-        run: cd liquibase-pro/liquibase-azure-deps && mvn versions:set -DnewVersion=${{ inputs.liquibase-version }}
+        run: |
+          cd liquibase-pro/liquibase-azure-deps && mvn versions:set -DnewVersion=${{ inputs.liquibase-version }}
 
       - name: Build & Test
         run: |
@@ -116,5 +126,4 @@ jobs:
         uses: actions/upload-artifact@v3
         with:
           name: liquibase-pro-azure-artifacts
-          path: |
-            liquibase-azure-deps/target/*.jar
+          path: liquibase-pro/liquibase-azure-deps/target/liquibase-azure-deps-${{ inputs.liquibase-version }}.jar
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -120,7 +120,7 @@ jobs:
 
       ##Cache based on install4j file, since changes to JVM is seen in there. If install4j version changes without changing the file, change the prefix letter before hashFiles to force a new cache
       - name: Install4j Cache
-        uses: actions/cache@v3.3.1
+        uses: actions/cache@v4.0.2
         with:
           key: install4j-A${{ hashFiles('liquibase-dist/src/main/install4j/liquibase.install4j') }}
           path: ~/.install4j8/**

diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -20,7 +20,7 @@ jobs:
       version: ${{ steps.collect-data.outputs.version }}
       branch: ${{ steps.collect-data.outputs.branch }}
       runId: ${{ steps.collect-data.outputs.runId }}
-
+      uber_jar_runId: ${{ steps.get_run_id.outputs.run_id }}
     steps:
       - name: Collect Data
         id: collect-data
@@ -33,17 +33,17 @@ jobs:
       - run: |
           echo "Creating version ${{ steps.collect-data.outputs.version }} from ${{ steps.collect-data.outputs.branch }} with artifacts from build ${{ steps.collect-data.outputs.runId }} "
           
-          # build-azure-uber-jar:
-          #   needs: [ setup ]
-          #   uses: liquibase/liquibase/.github/workflows/build-azure-uber-jar.yml@master
-          #   with:
-          #     branch: ${{ needs.setup.outputs.branch }}
-          #     liquibase-version: ${{ needs.setup.outputs.version }}
-          #   secrets: inherit
+  build-azure-uber-jar:
+   needs: [ setup ]
+   uses: liquibase/liquibase/.github/workflows/build-azure-uber-jar.yml@master
+   with:
+     branch: ${{ needs.setup.outputs.branch }}
+     liquibase-version: ${{ needs.setup.outputs.version }}
+   secrets: inherit
 
 
   reversion:
-    needs: [ setup ]
+    needs: [ setup, build-azure-uber-jar ]
     name: Re-version artifacts ${{ needs.setup.outputs.version }}
     runs-on: ubuntu-22.04
     steps:
@@ -66,13 +66,19 @@ jobs:
           name: liquibase-artifacts
           path: download/liquibase-artifacts
 
-      #      - name: Download liquibase-pro-azure-artifacts
-      #        uses: liquibase/action-download-artifact@v2-liquibase
-      #        with:
-      #          workflow: build-azure-uber-jar.yml
-      #          run_id: ${{ needs.setup.outputs.runId }}
-      #          name: liquibase-pro-azure-artifacts
-      #          path: download/liquibase-pro-azure-artifacts
+      - name: Get Current Run ID
+        id: get_run_id
+        run: |
+          run_id=${{ github.run_id }}
+          echo "uber_jar_runId=${run_id}" >> $GITHUB_OUTPUT
+
+      - name: Download liquibase-pro-azure-artifacts
+        uses: liquibase/action-download-artifact@v2-liquibase
+        with:
+          workflow: build-azure-uber-jar.yml
+          run_id: ${{ steps.get_run_id.outputs.run_id }}
+          name: liquibase-pro-azure-artifacts
+          path: liquibase-pro/liquibase-azure-deps
 
       - name: Set up JDK
         uses: actions/setup-java@v4
@@ -106,7 +112,7 @@ jobs:
           
           ##Sign Files
           ## liquibase-azure-deps is already on its correct version. Check reusable workflow: build-azure-uber-jar.yml
-          # mv download/liquibase-pro-azure-artifacts/liquibase-azure-deps-${{ needs.setup.outputs.version }}.jar re-version/out
+          mv liquibase-pro/liquibase-azure-deps/* re-version/out
           
           $PWD/.github/util/sign-artifacts.sh re-version/out
           
@@ -116,12 +122,12 @@ jobs:
           mv re-version/out/liquibase-commercial-${{ needs.setup.outputs.version }}.jar re-version/final
           mv re-version/out/liquibase-${{ needs.setup.outputs.version }}.tar.gz re-version/final
           mv re-version/out/liquibase-${{ needs.setup.outputs.version }}.zip re-version/final
-          # mv re-version/out/liquibase-azure-deps-${{ needs.setup.outputs.version }}.jar re-version/final
+          mv re-version/out/liquibase-azure-deps-v${{ needs.setup.outputs.version }}.jar re-version/final/liquibase-azure-deps-${{ needs.setup.outputs.version }}.jar
           
           (cd re-version/out/ && zip liquibase-additional-${{ needs.setup.outputs.version }}.zip *)
-          mv re-version/out/liquibase-additional-${{ needs.setup.outputs.version }}.zip re-version/final
+
       - name: Cache Completed Artifacts
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@v4.0.2
         with:
           key: completed-artifacts-${{ github.run_number }}-${{ github.run_attempt }}
           path: re-version/final
@@ -132,19 +138,20 @@ jobs:
           git push -f origin v${{ needs.setup.outputs.version }}
           (cd download/repo/liquibase-pro && git tag -f v${{ needs.setup.outputs.version }})
           (cd download/repo/liquibase-pro && git push -f origin v${{ needs.setup.outputs.version }})
+
   build-installers:
     permissions:
       contents: write  # for softprops/action-gh-release to create GitHub release
     needs: [ setup, reversion ]
     name: Build Installers
-    runs-on: macos-latest #needs macos for apple notarization
+    runs-on: macos-13 #needs macos for apple notarization
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - uses: actions/checkout@v4
 
       - name: Restore Completed Artifacts
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@v4.0.2
         with:
           key: completed-artifacts-${{ github.run_number }}-${{ github.run_attempt }}
           path: re-version/final
@@ -195,7 +202,7 @@ jobs:
           rm re-version/final/*.md5
           rm re-version/final/*.sha1
       - name: Attach Files to Draft Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           tag_name: v${{ needs.setup.outputs.version }}
           fail_on_unmatched_files: true

diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
@@ -4,7 +4,9 @@ name: FOSSA License Compliance and Security Check
 # Event triggers for the workflow
 on:
   workflow_dispatch:  # Run this action manually from the GitHub Actions tab
-
+  release:
+   types: [published] # Run this action when a release is published
+
 # Define the jobs in the workflow
 jobs:
   fossa-scan:
@@ -17,15 +19,57 @@ jobs:
     - name: Checkout Code
       uses: actions/checkout@v4
 
-    # Run FOSSA Scan
-    - name: Run FOSSA Scan
+    - name: run FOSSA CLI
       uses: fossas/fossa-action@main
       with:
-        api-key: ${{secrets.FOSSA_API_KEY}}  # Set this secret in your GitHub repo settings
+        api-key: ${{ secrets.FOSSA_API_KEY }}
 
-    # Run FOSSA Tests
-    - name: Run FOSSA Tests
-      uses: fossas/fossa-action@main
+    - name: Get the commit sha
+      id: get_commit_sha_oss
+      run: |
+        commit_sha_lb=`(git rev-parse HEAD)`
+        echo "commit_sha_lb=${commit_sha_lb}" >> $GITHUB_OUTPUT
+
+      # from the below curl commands we output the fossa report with the headers we need. Following this documentation : https://docs.fossa.com/docs/download-fossa-project-attribution-reports
+    - name: Set the dependency metadata information
+      run: |
+        mkdir /home/runner/fossa_reports
+        curl --location --request PUT 'https://app.fossa.com/api/projects/git+github.com/liquibase/liquibase' \
+        --header 'Authorization: Bearer ${{ secrets.FOSSA_API_KEY }}' \
+        --header 'Content-Type: application/x-www-form-urlencoded' \
+          --data-urlencode 'bom_column_settings%5B%5D=Title' \
+          --data-urlencode 'bom_column_settings%5B%5D=Version' \
+          --data-urlencode 'bom_column_settings%5B%5D=Authors' \
+          --data-urlencode 'bom_column_settings%5B%5D=DeclaredLicense' \
+          --data-urlencode 'bom_column_settings%5B%5D=PackageHomepage' \
+
+        curl --location 'https://app.fossa.com/api/revisions/git%2Bgithub.com%2Fliquibase%2Fliquibase%24${{ steps.get_commit_sha_oss.outputs.commit_sha_lb }}/attribution/download?format=CSV&includeDeepDependencies=true&download=true' \
+        --header 'Authorization: Bearer ${{ secrets.FOSSA_API_KEY }}' -o /home/runner/fossa_reports/liquibase.csv
+
+      # Upload to build page for the team to check the csv file contents.
+    - name: Upload to build page
+      uses: actions/upload-artifact@v2
       with:
-        api-key: ${{secrets.FOSSA_API_KEY}}  # Set this secret in your GitHub repo settings
-        run-tests: true  # Run FOSSA tests for policy checks
+        name: fossa-reports
+        path: /home/runner/fossa_reports/liquibase.csv
+
+      # Upload report to S3
+    - name: Upload report to S3
+      if: always()
+      run: aws s3 cp /home/runner/fossa_reports/liquibase.csv s3://liquibaseorg-origin/fossa_reports_liquibase-pro/
+      env:
+        AWS_ACCESS_KEY_ID: ${{ secrets.LIQUIBASEORIGIN_ACCESS_KEY_ID }}
+        AWS_SECRET_ACCESS_KEY: ${{ secrets.LIQUIBASEORIGIN_SECRET_ACCESS_KEY }}
+        AWS_DEFAULT_REGION: us-east-1
+
+  # trigger a job in liquibase-pro for the fossa-scan report generation and merging of OSS and PRO reports 
+  run-pro-fossa-report:
+    runs-on: ubuntu-latest
+    needs: [ fossa-scan ]
+    steps:
+      - name: Dispatch event to PRO repository
+        uses: peter-evans/repository-dispatch@v1
+        with:
+          token: ${{ secrets.LIQUIBOT_PAT_GPM_ACCESS }}
+          repository: liquibase/liquibase-pro
+          event-type: FOSSA_Scan_PRO
diff --git a/.github/workflows/fossa_ai.yml b/.github/workflows/fossa_ai.yml
@@ -0,0 +1,17 @@
+name: FOSSA AI License Compliance and Security Check
+
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+jobs:
+  fossa:
+    uses: liquibase/build-logic/.github/workflows/fossa_ai.yml@v0.7.2
+    secrets: inherit
+    with:
+      check_snippets: true
+      check_ai_generated_code: true
+      generate_sbom: true
diff --git a/.github/workflows/release-extensions.yml b/.github/workflows/release-extensions.yml
@@ -8,7 +8,7 @@ on:
 
 jobs:
   automated-os-extensions-release:
-    uses: liquibase/build-logic/.github/workflows/os-extension-automated-release.yml@v0.6.7
+    uses: liquibase/build-logic/.github/workflows/os-extension-automated-release.yml@v0.7.5
     secrets: inherit
     with:
       version: ${{ inputs.version }}

diff --git a/.github/workflows/release-published.yml b/.github/workflows/release-published.yml
@@ -59,7 +59,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Download release assets
-        uses: robinraju/release-downloader@v1.9
+        uses: robinraju/release-downloader@v1.10
         with:
           repository: "liquibase/liquibase"
           tag: "${{ needs.setup.outputs.tag }}"
@@ -214,7 +214,7 @@ jobs:
       contents: read
     steps:
       - name: Download release javadocs
-        uses: robinraju/release-downloader@v1.9
+        uses: robinraju/release-downloader@v1.10
         with:
           repository: "liquibase/liquibase"
           tag: "${{ needs.setup.outputs.tag }}"
@@ -407,7 +407,7 @@ jobs:
           event-type: oss-released-tag
 
   package:
-    uses: liquibase/build-logic/.github/workflows/package.yml@v0.6.7
+    uses: liquibase/build-logic/.github/workflows/package.yml@v0.7.5
     needs: [ setup ]
     secrets: inherit
     with: