MDACA 3.0.1

.gitattributes

@@ -8,8 +8,8 @@
 *.js text
 *.vm text
 *.properties text
-
 *.png binary
 *.jpeg binary
 *.jpg binary
 *.gif binary
+*.war filter=lfs diff=lfs merge=lfs -text

.github/workflows/ci.yaml

@@ -1,132 +1,131 @@
-# Continuous integration
-name: CI
+name: Docker Maven Build and Push Docker Image to MDACA ECR
 
-# Run in master and dev branches and in all pull requests to those branches
 on:
+  schedule:
+    - cron: '0 23 * * 0'
   push:
-    branches: [ master ]
-  pull_request:
-    branches: [ master ]
-
-env:
-  DOCKER_IMAGE: ohdsi/webapi
+    branches:
+      - mdaca-3.0.1
 
 jobs:
-  # Build and test the code
   build:
-    # The type of runner that the job will run on
     runs-on: ubuntu-latest
 
-    env:
-      MAVEN_PROFILE: webapi-postgresql
-
-    # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - name: Checkout repository
+        uses: actions/checkout@v3
 
-      - uses: actions/setup-java@v1
-        with:
-            java-version: 8
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and Push Docker Image
+        env:
+          IMAGE_TAG: 3.0.2.2
+          ECR_REPOSITORY: mdaca/ohdsi/webapi
+          AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          CODEARTIFACT_DOMAIN: ${{ secrets.CODEARTIFACT_DOMAIN }}
+        run: |
+          # Set AWS credentials for ECR and CodeArtifact
+          aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
+          aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
+          aws configure set default.region $AWS_REGION
 
-      - name: Maven cache
-        uses: actions/cache@v2
-        with:
-            # Cache gradle directories
-            path: ~/.m2
-            # Key for restoring and saving the cache
-            key: ${{ runner.os }}-maven-${{ hashFiles('pom.xml') }}
-            restore-keys: |
-              ${{ runner.os }}-maven-
-
-      - name: Build code
-        run: mvn -B -DskipTests=true -DskipUnitTests=true -P${{ env.MAVEN_PROFILE }} package
-
-      - name: Test
-        # Skipping unit and integration tests for now, because they keep failing.
-        run: mvn -B -DskipUnitTests=true -DskipITtests=true -P${{ env.MAVEN_PROFILE }} test
-
-  # Check that the docker image builds correctly
-  # Push to ohdsi/atlas:master for commits on master.
-  docker:
-    # The type of runner that the job will run on
+          echo "Running Maven Build"
+          CODEARTIFACT_TOKEN_FILE=${{ github.workspace }}/codeartifact-auth
+
+          # Fetch CodeArtifact authorization token
+          aws codeartifact get-authorization-token \
+            --domain $CODEARTIFACT_DOMAIN \
+            --domain-owner $AWS_ACCOUNT_ID \
+            --region $AWS_REGION \
+            --query authorizationToken \
+            --output text > $CODEARTIFACT_TOKEN_FILE
+
+          export CODEARTIFACT_AUTH_TOKEN=$(cat $CODEARTIFACT_TOKEN_FILE)
+          echo "$CODEARTIFACT_AUTH_TOKEN"
+
+          # Login to ECR
+          aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com
+
+          REGISTRY=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com
+
+          # Build the Docker image
+          docker build --build-arg CODEARTIFACT_AUTH_TOKEN=$CODEARTIFACT_AUTH_TOKEN -f Dockerfile-mvn-no-local -t $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
+
+          # Push the Docker image to ECR
+          docker push $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+
+          # Tag the image as 'latest'
+          docker tag $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG $REGISTRY/$ECR_REPOSITORY:latest
+
+          # Push the 'latest' tag to ECR
+          docker push $REGISTRY/$ECR_REPOSITORY:latest
+
+
+  security:
     runs-on: ubuntu-latest
+    needs: build
 
-    # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - name: Checkout repository
+        uses: actions/checkout@v3
 
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-
-
-      # Add Docker labels and tags
-      - name: Docker meta
-        id: docker_meta
-        uses: crazy-max/ghaction-docker-meta@v1
-        with:
-          images: ${{ env.DOCKER_IMAGE }}
 
-      # Setup docker build environment
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+      - name: Download Docker Image from ECR
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          IMAGE_TAG: 3.0.2.2
+          ECR_REPOSITORY: mdaca/ohdsi/webapi
+        run: |
+          # Set ENV for AW Cred
+          aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
+          aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
+          aws configure set default.region $AWS_REGION
+
+          # Get token from ECR and Docker login
+          aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com
+          IMAGE_TAG=3.0.2.2
+
+          docker pull ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
+          docker images
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
+
+      - name: Scan Docker Image with Trivy
+        env:
+          AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          IMAGE_TAG: 3.0.2.2
+          ECR_REPOSITORY: mdaca/ohdsi/webapi
 
-      - name: Set build parameters
-        id: build_params
         run: |
-          echo "::set-output name=sha8::${GITHUB_SHA::8}"
-          if [ ${{ github.event_name == 'pull_request' }} ]; then
-            echo "::set-output name=push::false"
-            echo "::set-output name=load::true"
-            echo "::set-output name=platforms::linux/amd64"
-          else
-            echo "::set-output name=push::true"
-            echo "::set-output name=load::false"
-            echo "::set-output name=platforms::linux/amd64,linux/arm64"
-          fi
-
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        if: steps.build_params.outputs.push == 'true'
-        with:
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          trivy image $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
+          trivy image --format json $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG > OHDSI-Webapi.json
+          jq -r '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | [.SeveritySource, .VulnerabilityID, .PkgName, .PkgPath, .InstalledVersion, .FixedVersion, .Status, .Severity] | @csv' OHDSI-Webapi.json > OHDSI-Webapi-Trivy.csv
+      - name: Install Syft
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
+
+      - name: Generate SBOM with Syft
+        env:
+          AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          IMAGE_TAG: 3.0.2.2
+          ECR_REPOSITORY: mdaca/ohdsi/webapi
+        run: |
+          syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
+          syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG  > OHDSI-Webapi-sbom.tf
 
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
+      - name: Upload Reports
+        uses: actions/upload-artifact@v4
         with:
-          context: ./
-          file: ./Dockerfile
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache,mode=max
-          platforms: ${{ steps.build_params.outputs.platforms }}
-          push: ${{ steps.build_params.outputs.push }}
-          load: ${{ steps.build_params.outputs.load }}
-          build-args: |
-            GIT_BRANCH=${{ steps.docker_meta.outputs.version }}
-            GIT_COMMIT_ID_ABBREV=${{ steps.build_params.outputs.sha8 }}
-          tags: ${{ steps.docker_meta.outputs.tags }}
-          # Use runtime labels from docker_meta as well as fixed labels
-          labels: |
-            ${{ steps.docker_meta.outputs.labels }}
-            maintainer=Joris Borgdorff <[email protected]>, Lee Evans - www.ltscomputingllc.com
-            org.opencontainers.image.authors=Joris Borgdorff <[email protected]>, Lee Evans - www.ltscomputingllc.com
-            org.opencontainers.image.vendor=OHDSI
-            org.opencontainers.image.licenses=Apache-2.0
-
-      # If the image was pushed, we need to pull it again to inspect it
-      - name: Pull image
-        if: steps.build_params.outputs.push == 'true'
-        run: docker pull ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }}
-
-      - name: Inspect image
-        run: |
-          docker image inspect ${{ env.DOCKER_IMAGE }}:${{ steps.docker_meta.outputs.version }}
+          name: trivy-and-sbom-reports
+          path: |
+            OHDSI-Webapi-Trivy.csv
+            OHDSI-Webapi-sbom.tf

.m2/settings.xml

@@ -0,0 +1,24 @@
+<settings>
+  <servers>
+    <server>
+      <id>codeartifact</id>
+      <username>aws</username>
+      <password>${env.CODEARTIFACT_AUTH_TOKEN}</password>
+    </server>
+  </servers>
+
+  <profiles>
+    <profile>
+      <id>codeartifact</id>
+      <activation>
+        <activeByDefault>true</activeByDefault>
+      </activation>
+      <repositories>
+        <repository>
+          <id>mdaca-OHDSI</id>
+          <url>https://mdaca-201959883603.d.codeartifact.us-east-2.amazonaws.com/maven/OHDSI/</url>
+        </repository>
+      </repositories>
+    </profile>
+  </profiles>
+</settings>