Merge pull request #34 from bcgov/SC3520

Security updates

Author: TimCsaky

.github/actions/build-push-container/action.yaml

@@ -30,7 +30,7 @@ runs:
   using: composite
   steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: Parse Input Values
       shell: bash
@@ -39,23 +39,23 @@ runs:
         echo "HAS_DOCKERHUB=${{ fromJson(inputs.dockerhub_username != '' && inputs.dockerhub_token != '') }}" >> $GITHUB_ENV
 
     - name: Login to Github Container Registry
-      uses: docker/login-action@v2
+      uses: docker/login-action@v3
       with:
         registry: ghcr.io
         username: ${{ env.GH_USERNAME }}
         password: ${{ inputs.github_token }}
 
     - name: Login to Dockerhub Container Registry
       if: env.HAS_DOCKERHUB == 'true'
-      uses: docker/login-action@v2
+      uses: docker/login-action@v3
       with:
         registry: docker.io
         username: ${{ inputs.dockerhub_username }}
         password: ${{ inputs.dockerhub_token }}
 
     - name: Prepare Container Metadata tags
       id: meta
-      uses: docker/metadata-action@v4
+      uses: docker/metadata-action@v5
       with:
         images: |
           ghcr.io/${{ env.GH_USERNAME }}/${{ inputs.image_name }}
@@ -74,7 +74,7 @@ runs:
 
     - name: Build and Push to Container Registry
       id: builder
-      uses: docker/build-push-action@v3
+      uses: docker/build-push-action@v5
       with:
         context: ${{ inputs.context }}
         push: true

.github/actions/deploy-to-environment/action.yaml

@@ -30,7 +30,7 @@ runs:
   using: composite
   steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: Login to OpenShift Cluster
       uses: redhat-actions/oc-login@v1

.github/workflows/charts-release.yaml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 

.github/workflows/codeql-analysis.yaml

@@ -42,11 +42,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -57,7 +57,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v3
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -71,4 +71,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3

.github/workflows/on-pr-closed.yaml

@@ -27,7 +27,7 @@ jobs:
     timeout-minutes: 12
     steps:
     - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Login to OpenShift Cluster
       uses: redhat-actions/oc-login@v1
       with:
@@ -41,12 +41,12 @@ jobs:
         helm uninstall --namespace ${{ env.NAMESPACE_PREFIX }}-dev pr-${{ github.event.number }} --timeout 10m --wait
         oc delete --namespace ${{ env.NAMESPACE_PREFIX }}-dev cm,secret --selector app.kubernetes.io/instance=pr-${{ github.event.number }}
     - name: Remove Release Comment on PR
-      uses: marocchino/sticky-pull-request-comment@v2
+      uses: marocchino/sticky-pull-request-comment@v2.9.0
       with:
         header: release
         delete: true
     - name: Remove Github Deployment Environment
-      uses: strumwolf/delete-deployment-environment@v2
+      uses: strumwolf/delete-deployment-environment@v3
       with:
         environment: pr
         onlyRemoveDeployments: true

.github/workflows/on-pr-opened.yaml

@@ -26,7 +26,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Build & Push
         uses: ./.github/actions/build-push-container
         with:
@@ -45,7 +45,7 @@ jobs:
     timeout-minutes: 12
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Deploy to Dev
         uses: ./.github/actions/deploy-to-environment
         with:
@@ -58,7 +58,7 @@ jobs:
           openshift_server: ${{ secrets.OPENSHIFT_SERVER }}
           openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}
       - name: Release Comment on PR
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@v2.9.0
         if: success()
         with:
           header: release

.github/workflows/on-push.yaml

@@ -23,7 +23,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Build & Push
         uses: ./.github/actions/build-push-container
         with:
@@ -44,7 +44,7 @@ jobs:
     timeout-minutes: 12
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Deploy to Dev
         uses: ./.github/actions/deploy-to-environment
         with:
@@ -69,7 +69,7 @@ jobs:
     timeout-minutes: 12
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Deploy to Test
         uses: ./.github/actions/deploy-to-environment
         with:
@@ -95,7 +95,7 @@ jobs:
     timeout-minutes: 12
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Deploy to Prod
         uses: ./.github/actions/deploy-to-environment
         with:

.github/workflows/unit-tests.yaml

@@ -5,29 +5,34 @@ on:
   - pull_request
 jobs:
   test-app:
+    name: Unit Tests (App)
     runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: app
+    outputs:
+      HAS_CC_SECRETS: ${{ steps.check-secrets.outputs.HAS_CC_SECRETS }}
     timeout-minutes: 10
     strategy:
       fail-fast: true
       matrix:
         node-version:
-          - 14.x
           - 16.x
           - 18.x
+          - 20.x
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
+        uses: actions/checkout@v4
+      - name: Check CodeClimate Secrets
+        id: check-secrets
+        run: |
+          echo "HAS_CC_SECRETS=${{ secrets.CC_TEST_REPORTER_ID != '' }}" >> $GITHUB_OUTPUT
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
       - name: Cache node modules
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         id: cache-app
         env:
           cache-name: cache-node-modules
@@ -46,36 +51,52 @@ jobs:
         env:
           CI: true
       - name: Save Coverage Results
-        if: matrix.node-version == '18.x'
-        uses: actions/upload-artifact@v2
+        if: matrix.node-version == '20.x'
+        uses: actions/upload-artifact@v4
         with:
           name: coverage-app
           path: ${{ github.workspace }}/app/coverage
           retention-days: 1
+      - name: Monitor Coverage
+        if: "matrix.node-version == '20.x' && ! github.event.pull_request.head.repo.fork"
+        uses: slavcodev/coverage-monitor-action@v1
+        with:
+          comment_mode: update
+          comment_footer: false
+          comment_context: Coverage Report (Application)
+          coverage_path: app/coverage/clover.xml
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          threshold_alert: 50
+          threshold_warning: 80
   test-frontend:
+    name: Unit Tests (Frontend)
     runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: app/frontend
+    outputs:
+      HAS_CC_SECRETS: ${{ steps.check-secrets.outputs.HAS_CC_SECRETS }}
     timeout-minutes: 10
     strategy:
       fail-fast: true
       matrix:
         node-version:
-          - 14.x
           - 16.x
           - 18.x
+          - 20.x
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
+        uses: actions/checkout@v4
+      - name: Check CodeClimate Secrets
+        id: check-secrets
+        run: |
+          echo "HAS_CC_SECRETS=${{ secrets.CC_TEST_REPORTER_ID != '' }}" >> $GITHUB_OUTPUT
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
       - name: Cache node modules
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         id: cache-frontend
         env:
           cache-name: cache-node-modules
@@ -94,38 +115,38 @@ jobs:
         env:
           CI: true
       - name: Save Coverage Results
-        if: matrix.node-version == '18.x'
-        uses: actions/upload-artifact@v2
+        if: matrix.node-version == '20.x'
+        uses: actions/upload-artifact@v4
         with:
           name: coverage-frontend
           path: ${{ github.workspace }}/app/frontend/coverage
           retention-days: 1
+      - name: Monitor Coverage
+        if: "matrix.node-version == '20.x' && ! github.event.pull_request.head.repo.fork"
+        uses: slavcodev/coverage-monitor-action@v1
+        with:
+          comment_mode: update
+          comment_footer: false
+          comment_context: Coverage Report (Frontend)
+          coverage_path: app/frontend/coverage/clover.xml
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          threshold_alert: 50
+          threshold_warning: 80
   test-coverage:
+    name: Publish to Code Climate
     needs:
       - test-app
       - test-frontend
+    if: needs.test-app.outputs.HAS_CC_SECRETS == 'true'
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - name: Check Workflow Secrets
-        id: check-secrets
-        run: |
-          unset HAS_SECRETS
-          if [ -n "$CC_TEST_REPORTER_ID" ]; then HAS_SECRETS='true'; fi
-          echo ::set-output name=HAS_SECRETS::${HAS_SECRETS}
-        env:
-          CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }}
       - name: Checkout Repository
-        if: steps.check-secrets.outputs.HAS_SECRETS
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
+        uses: actions/checkout@v4
       - name: Restore Coverage Results
-        if: steps.check-secrets.outputs.HAS_SECRETS
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
       - name: Publish code coverage
-        if: steps.check-secrets.outputs.HAS_SECRETS
-        uses: paambaati/codeclimate-action@v2.7.5
+        uses: paambaati/codeclimate-action@v5
         env:
           CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }}
         with: