From 4ed324f07866af072c49d3235ac614a9aea79208 Mon Sep 17 00:00:00 2001
From: Adam Saghy
Date: Thu, 8 Jan 2026 21:53:12 +0100
Subject: [PATCH] FINERACT-2421: Use hardened image
---
 .github/workflows/build-docker.yml | 10 ++++++++++
 .github/workflows/build-e2e-tests.yml | 9 +++++++++
 .github/workflows/publish-dockerhub.yml | 11 +++++++++++
 .github/workflows/smoke-messaging.yml | 10 ++++++++++
 build.gradle | 3 ++-
 custom/docker/build.gradle | 8 +++++++-
 .../test/factory/LoanProductsRequestFactory.java | 2 +-
 fineract-provider/build.gradle | 8 +++++++-
 8 files changed, 57 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index c47e644511c..7fea2d90fe3 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -24,6 +24,8 @@ jobs:
 env:
 DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 IMAGE_NAME: fineract
+ DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
+ DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
 steps:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
@@ -39,6 +41,14 @@ jobs:
 - name: Setup Gradle
 uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+ - name: Login to Docker Hardened Images registry
+ if: ${{ env.DOCKERHUB_USER != '' && env.DOCKERHUB_TOKEN != '' }}
+ uses: docker/login-action@v3
+ with:
+ registry: dhi.io
+ username: ${{ env.DOCKERHUB_USER }}
+ password: ${{ env.DOCKERHUB_TOKEN }}
+
 - name: Build the image
 run: ./gradlew --no-daemon --console=plain :fineract-provider:jibDockerBuild -Djib.to.image=$IMAGE_NAME -x test -x cucumber
diff --git a/.github/workflows/build-e2e-tests.yml b/.github/workflows/build-e2e-tests.yml
index 6a3436100d3..7d37343304f 100644
--- a/.github/workflows/build-e2e-tests.yml
+++ b/.github/workflows/build-e2e-tests.yml
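Review bot: Placing `DOCKERHUB_TOKEN` in the job-level `env:` (the two lines added under `IMAGE_NAME`) hands the registry token to every step of the job, including the `./gradlew ... jibDockerBuild` run and whatever Gradle plugins or build scripts execute inside it, when only the login step needs its value. The Gradle-side check added in this patch (`hasDockerCreds` in fineract-provider/build.gradle) only tests that the variables are non-empty, and Jib should be able to pick the credential up from the Docker config that `docker/login-action` writes — worth confirming, but if so the token value never needs to reach the build process. Consider keeping the secret in the login step's own `with:` (`password: ${{ secrets.DOCKERHUB_TOKEN }}`) and exporting only a non-secret flag, e.g. `USE_HARDENED_IMAGE: ${{ secrets.DOCKERHUB_TOKEN != '' }}`, for the build to consult. Secrets are masked in logs but not hidden from processes, so narrowing their scope limits what a compromised build dependency can read.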
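Review bot: `uses: docker/login-action@v3` in the added login step is the only action in this workflow referenced by a mutable tag; the neighbouring steps (`actions/checkout@8e8c483d…`, `gradle/actions/setup-gradle@4d9f0ba0…`) are pinned to full commit SHAs with a version comment. A moving major tag lets a force-pushed or compromised release change the code that receives `DOCKERHUB_TOKEN`. Pin it the same way, `uses: docker/login-action@FULL_COMMIT_SHA # v3.x`, resolving the SHA from the release you have verified rather than copying one from another repository. The `Build the image` step that follows is unchanged and ends the hunk.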
@@ -30,6 +30,8 @@ jobs:
 EVENT_VERIFICATION_ENABLED: true
 ACTIVEMQ_BROKER_URL: tcp://localhost:61616
 ACTIVEMQ_TOPIC_NAME: events
+ DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
+ DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
 steps:
 - name: Checkout code
@@ -56,6 +58,13 @@ jobs:
 echo "Shard ${{ matrix.shard_index }} feature files:"
 cat feature_shard_${{ matrix.shard_index }}.txt
+ - name: Login to Docker Hardened Images registry
+ if: ${{ env.DOCKERHUB_USER != '' && env.DOCKERHUB_TOKEN != '' }}
+ uses: docker/login-action@v3
+ with:
+ registry: dhi.io
+ username: ${{ env.DOCKERHUB_USER }}
+ password: ${{ env.DOCKERHUB_TOKEN }}
 - name: Build the image
 run: ./gradlew --no-daemon --console=plain :fineract-provider:jibDockerBuild -Djib.to.image=$IMAGE_NAME -x test -x cucumber
diff --git a/.github/workflows/publish-dockerhub.yml b/.github/workflows/publish-dockerhub.yml
index e0e94f11c20..4566e47958e 100644
--- a/.github/workflows/publish-dockerhub.yml
+++ b/.github/workflows/publish-dockerhub.yml
@@ -3,6 +3,7 @@ on:
 push:
 branches:
 - develop
+ - develop-hardened
 tags:
 - 1.*
 permissions:
@@ -13,6 +14,8 @@ jobs:
 timeout-minutes: 60
 env:
 DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
+ DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
+ DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
 steps:
 - name: Checkout Source Code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
@@ -28,6 +31,14 @@ jobs:
 - name: Setup Gradle
 uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+ - name: Login to Docker Hardened Images registry
+ if: ${{ env.DOCKERHUB_USER != '' && env.DOCKERHUB_TOKEN != '' }}
+ uses: docker/login-action@v3
+ with:
+ registry: dhi.io
+ username: ${{ env.DOCKERHUB_USER }}
+ password: ${{ env.DOCKERHUB_TOKEN }}
+
 - name: Get Git Hashes
 run: |
 echo "short_hash=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
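Review bot: The added `uses: docker/login-action@v3` is a floating major tag while the other actions in this workflow are pinned by commit SHA; pin it to a full SHA with a `# v3.x` comment so a tag move cannot swap the code that handles `DOCKERHUB_TOKEN`. A smaller point of style: this copy of the login step has no blank line before `- name: Build the image`, unlike the other three workflows in this patch — harmless to YAML, but keeping the four copies byte-identical makes them easier to audit together. The `Build the image` step is unchanged and closes the hunk.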
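Review bot: Adding `- develop-hardened` to `push.branches` means any push to that branch now publishes an image to Docker Hub with whatever tags the later steps compute; those steps lie outside this hunk, so I cannot tell whether the tags are branch-qualified or would overwrite `develop`'s. Before merging, confirm the branch carries the same protection rules as `develop` (reviewed PRs only, no force-push), since it has effectively become a release branch, and consider a comment next to it such as `# develop-hardened publishes DHI-based images; keep its branch protection in sync with develop`. If the branch is temporary for the hardened-image rollout, a TODO stating when it is removed from this list would help.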
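Review bot: The `if: ${{ env.DOCKERHUB_USER != '' && env.DOCKERHUB_TOKEN != '' }}` guard makes sense in the CI workflows, where fork PRs have no secrets, but in a publish workflow it fails open: if either secret is missing or mis-named, the login is skipped, the Gradle build silently falls back to `azul/zulu-openjdk-alpine:21` (per the `hasDockerCreds` logic elsewhere in this patch), and a non-hardened image is pushed under the same tags with nothing in the job flagging it. For this workflow drop the `if:` so a missing credential fails the login step, or add an explicit check before it, `run: test -n "$DOCKERHUB_TOKEN" || { echo "DOCKERHUB_TOKEN not set"; exit 1; }`. Also pin `docker/login-action@v3` to a commit SHA like the other actions here.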
diff --git a/.github/workflows/smoke-messaging.yml b/.github/workflows/smoke-messaging.yml
index 01b7e18f628..0d6314a8b58 100644
--- a/.github/workflows/smoke-messaging.yml
+++ b/.github/workflows/smoke-messaging.yml
@@ -22,6 +22,8 @@ jobs:
 env:
 DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 IMAGE_NAME: fineract
+ DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
+ DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
 steps:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
@@ -37,6 +39,14 @@ jobs:
 - name: Setup Gradle
 uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+ - name: Login to Docker Hardened Images registry
+ if: ${{ env.DOCKERHUB_USER != '' && env.DOCKERHUB_TOKEN != '' }}
+ uses: docker/login-action@v3
+ with:
+ registry: dhi.io
+ username: ${{ env.DOCKERHUB_USER }}
+ password: ${{ env.DOCKERHUB_TOKEN }}
+
 - name: Build the image
 run: ./gradlew --no-daemon --console=plain :fineract-provider:jibDockerBuild -Djib.to.image=$IMAGE_NAME -x test -x cucumber
diff --git a/build.gradle b/build.gradle
index 17cee30737a..e3d67faf108 100644
--- a/build.gradle
+++ b/build.gradle
@@ -90,6 +90,7 @@ buildscript {
 classpath 'org.apache.commons:commons-lang3:3.18.0'
 classpath 'io.swagger.core.v3:swagger-jaxrs2-jakarta:2.2.22'
 classpath 'jakarta.servlet:jakarta.servlet-api:6.1.0'
+ classpath "com.github.luben:zstd-jni:1.5.7-6"
 }
 }
@@ -108,7 +109,7 @@ plugins {
 id 'com.gorylenko.gradle-git-properties' version '2.4.2' apply false
 id 'org.asciidoctor.jvm.convert' version '4.0.5' apply false
 id 'org.asciidoctor.jvm.pdf' version '4.0.5' apply false
- id 'com.google.cloud.tools.jib' version '3.4.5' apply false
+ id 'com.google.cloud.tools.jib' version '3.5.2' apply false
 id 'org.sonarqube' version '6.0.1.5171'
 id 'com.github.andygoossens.modernizer' version '1.10.0' apply false
 id 'com.github.spotbugs' version '6.0.26' apply false
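Review bot: This is the fourth verbatim copy of the login step in this patch (build-docker, build-e2e-tests, publish-dockerhub, smoke-messaging), each with its own `if:` guard, `registry: dhi.io` and an unpinned `docker/login-action@v3`; any future fix — pinning the action, rotating the registry, tightening the guard — has to be applied four times and is easy to miss in one. A composite action under `.github/actions/dhi-login` (or a reusable workflow) taking the two secrets as inputs would keep the pinned SHA and the guard in one place. Until then, pin `docker/login-action` to a full commit SHA here, as `actions/checkout` and `gradle/actions/setup-gradle` already are in this file.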
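Review bot: `classpath "com.github.luben:zstd-jni:1.5.7-6"` adds a JNI library — native code loaded into the Gradle daemon — to the buildscript classpath with no indication of why it is needed; the commit subject and the Jib 3.4.5→3.5.2 bump suggest it is for zstd-compressed base-image layers, but that is inferred, not stated. If that is the reason, a one-line comment above it, `// native zstd decoder so Jib 3.5.x can unpack zstd-compressed layers of the dhi.io base image; drop if the base image changes`, tells the next maintainer when it can go and what it touches. It also uses double quotes where every neighbouring `classpath` line uses single quotes; align it with the file's style.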
diff --git a/custom/docker/build.gradle b/custom/docker/build.gradle
index 2822fe5376a..c12873f5dd6 100644
--- a/custom/docker/build.gradle
+++ b/custom/docker/build.gradle
@@ -24,7 +24,13 @@ apply from: "${rootDir}/buildSrc/src/main/groovy/org.apache.fineract.dependencie
 jib {
 from {
- image = 'azul/zulu-openjdk-alpine:21'
+ def hasDockerCreds =
+ System.getenv("DOCKERHUB_USER")?.trim() &&
+ System.getenv("DOCKERHUB_TOKEN")?.trim()
+
+ image = hasDockerCreds
+ ? "dhi.io/azul:21-jdk-prime"
+ : "azul/zulu-openjdk-alpine:21"
 platforms {
 platform {
 architecture = System.getProperty("os.arch").equals("aarch64")?"arm64":"amd64"
diff --git a/fineract-e2e-tests-core/src/test/java/org/apache/fineract/test/factory/LoanProductsRequestFactory.java b/fineract-e2e-tests-core/src/test/java/org/apache/fineract/test/factory/LoanProductsRequestFactory.java
index f65f458d9ad..0e2f3e52180 100644
--- a/fineract-e2e-tests-core/src/test/java/org/apache/fineract/test/factory/LoanProductsRequestFactory.java
+++ b/fineract-e2e-tests-core/src/test/java/org/apache/fineract/test/factory/LoanProductsRequestFactory.java
@@ -1853,7 +1853,7 @@ public PostLoanProductsRequest defaultLoanProductsRequestLP2EmiUSD() {
 .inArrearsTolerance(true)//
 .repaymentEvery(true)//
 .graceOnPrincipalAndInterestPayment(true)//
- .graceOnArrearsAgeing(true))//
+ .graceOnArrearsAging(true))//
 .isEqualAmortization(false)//
 .delinquencyBucketId(DELINQUENCY_BUCKET_ID.longValue())//
 .enableDownPayment(false)//
diff --git a/fineract-provider/build.gradle b/fineract-provider/build.gradle
index e5751e020a7..1e8a69fcd08 100644
--- a/fineract-provider/build.gradle
+++ b/fineract-provider/build.gradle
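Review bot: `image = hasDockerCreds ? "dhi.io/azul:21-jdk-prime" : "azul/zulu-openjdk-alpine:21"` selects the base image by a mutable tag, so the layers under the application can differ between two builds of the same commit and nothing in the build records which base was actually used; for a change whose purpose is a hardened base, this is the place to pin. Jib accepts a digest-qualified reference, e.g. `image = hasDockerCreds ? "dhi.io/azul:21-jdk-prime@sha256:DIGEST_OF_THE_VERIFIED_IMAGE" : "azul/zulu-openjdk-alpine:21"`, and a `logger.lifecycle("Jib base image: ${image}")` after the assignment makes the choice visible in CI logs. Note also that the fallback is silent: a missing or mistyped `DOCKERHUB_TOKEN` produces a non-hardened image with no warning, which is the opposite of what a developer reading the ticket title would expect. The `jib { from { ... } }` block continues past the end of the hunk.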
@@ -243,7 +243,13 @@ bootJar {
 jib {
 from {
- image = 'azul/zulu-openjdk-alpine:21'
+ def hasDockerCreds =
+ System.getenv("DOCKERHUB_USER")?.trim() &&
+ System.getenv("DOCKERHUB_TOKEN")?.trim()
+
+ image = hasDockerCreds
+ ? "dhi.io/azul:21-jdk-prime"
+ : "azul/zulu-openjdk-alpine:21"
 platforms {
 platform {
 architecture = System.getProperty("os.arch").equals("aarch64")?"arm64":"amd64"
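Review bot: The seven added lines duplicate the selection logic in custom/docker/build.gradle byte for byte, and both key the decision on the values of `DOCKERHUB_USER`/`DOCKERHUB_TOKEN` even though only their presence is tested (`?.trim()` truthiness) — the build script does not need the secret itself to choose a base image. Prefer one helper in the shared buildSrc script (custom/docker/build.gradle visibly applies `buildSrc/src/main/groovy/org.apache.fineract.dependencie…`; whether this file does too is outside the hunk) driven by an explicit, non-secret switch such as `-PhardenedBaseImage=true` or a `FINERACT_HARDENED_IMAGE` variable, so the choice is deliberate rather than a side effect of which secrets a runner happens to hold. Whichever form is kept, a comment above `def hasDockerCreds` stating that the hardened image is only reachable with dhi.io credentials and that the alpine image is the fallback would spare the next reader the detective work. The `jib { from { ... } }` block runs past the end of the hunk.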