Release branch update for v4.3.0 (#1241)

Author: BraisVQ

.github/dependabot.yml

@@ -0,0 +1,10 @@
+# Set update schedule for GitHub Actions
+
+version: 2
+updates:
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every week
+      interval: "weekly"

.github/workflows/changelog-enforcer.yml

@@ -8,8 +8,8 @@ jobs:
   changelog:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: dangoslen/changelog-enforcer@v2
+      - uses: actions/checkout@v3.5.3
+      - uses: dangoslen/changelog-enforcer@v3
         with:
           changeLogPath: 'CHANGELOG.md'
           skipLabels: 'skip changelog'

.github/workflows/codeql-analysis.yml

@@ -2,6 +2,8 @@ name: "Code scanning - action"
 
 on:
   push:
+    branches-ignore:
+      - "dependabot/**"
   pull_request:
   schedule:
     - cron: '0 15 * * 3'
@@ -13,7 +15,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3.5.3
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.

.github/workflows/continuous-integration-workflow.yml

@@ -12,7 +12,7 @@ jobs:
     steps:
       -
         name: Checkout repository
-        uses: actions/checkout@v2.0.0
+        uses: actions/checkout@v3.5.3
       -
         name: Build UBI8 docker image
         run: |
@@ -27,7 +27,7 @@ jobs:
     steps:
       -
         name: Checkout repository
-        uses: actions/checkout@v2.0.0
+        uses: actions/checkout@v3.5.3
       - name: Build UBI8 docker image
         run: |
           ./.github/workflows/build-docker-image.sh \
@@ -56,7 +56,7 @@ jobs:
     steps:
       -
         name: Checkout repository
-        uses: actions/checkout@v2.0.0
+        uses: actions/checkout@v3.5.3
       -
         name: Check shell scripts
         run: |
@@ -72,7 +72,7 @@ jobs:
     steps:
       -
         name: Checkout repository
-        uses: actions/checkout@v2.0.0
+        uses: actions/checkout@v3.5.3
       -
         name: Check shell scripts
         run: |
@@ -88,10 +88,10 @@ jobs:
     steps:
       -
         name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v3.5.3
       -
         name: Setup Go 1.18
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version: 1.18
       -
@@ -128,7 +128,7 @@ jobs:
     steps:
       -
         name: Checkout repository
-        uses: actions/checkout@v2.0.0
+        uses: actions/checkout@v3.5.3
       -
           name: Check shell scripts
           run: |
@@ -145,7 +145,7 @@ jobs:
     steps:
       -
         name: Checkout repository
-        uses: actions/checkout@v2.0.0
+        uses: actions/checkout@v3.5.3
       -
         name: Check jsl expectations
         run: |
@@ -163,7 +163,12 @@ jobs:
     steps:
       -
         name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v3.5.3
+      - 
+        name: Setup Go 1.18
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.18
       -
         name: Verify all Go files are formatted with gofmt
         working-directory: tests
@@ -202,7 +207,7 @@ jobs:
 #       run: jq . <<< "${GITHUB_CONTEXT}"
 #     -
 #       name: Checkout repository
-#       uses: actions/checkout@v2.0.0
+#       uses: actions/checkout@v3.5.3
 #       with:
 #         fetch-depth: 0
 #         path: 'ods-core'

CHANGELOG.md

@@ -2,6 +2,23 @@
 
 ## Unreleased
 
+## [4.3.0] - 2023-07-03
+
+### Added
+- Added webhook proxy feature to check for Jenkins availability ([#1221](https://github.com/opendevstack/ods-core/issues/1221))
+- Add SonarQube Rust plugin ([#1220](https://github.com/opendevstack/ods-core/issues/1220))
+- Added Trivy into jenkins agent base ([#1236](https://github.com/opendevstack/ods-core/issues/1236))
+
+### Changed
+- Jenkins maintenance, set durability to max performance and remove legacy plugin ([#1225](https://github.com/opendevstack/ods-core/pull/1225))
+- Jenkins maintenance, Update resources for deployment for optimal usage ([#1224](https://github.com/opendevstack/ods-core/issues/1224))
+- Jenkins maintenance, Update jenkins base image, plugins, git-lfs, aquacli ([#1224](https://github.com/opendevstack/ods-core/issues/1224))
+- Bump helm-diff plugin version ([#1226](https://github.com/opendevstack/ods-core/issues/1226))
+- Bump helm-diff plugin version to 3.8.1 ([#1239](https://github.com/opendevstack/ods-core/pull/1239))
+
+### Fixed
+- Memory malloc arena fix for Jenkins ([#1217](https://github.com/opendevstack/ods-core/pull/1217))
+
 ## [4.2.0] - 2023-02-21
 
 - Maintenance, update nexus to version 3.45.1 ([#1201](https://github.com/opendevstack/ods-core/pull/1201))
@@ -36,7 +53,7 @@
 - Add plugins necessary to upgrade to 4.9 base image in the list of managed plugins ([#1121](https://github.com/opendevstack/ods-core/pull/1121))
 - Upgraded atlassian suite to 8.20.6 and added functionality to upgrade without reinstalling all the box.
 - Upgrades needed by Github and Jenkins pipelines to work again. Includes some pipeline modifications to detect errors early.
-- Upgrades atlassian suite ([#1138](https://github.com/opendevstack/ods-core/issues/1138)) 
+- Upgrades atlassian suite ([#1138](https://github.com/opendevstack/ods-core/issues/1138))
 - deploy.sh checks that services started are up and ensures resolv.conf is updated if service ip changes ([#1152](https://github.com/opendevstack/ods-core/pull/1152))
 - Remove Jcenter from Nexus ([#804](https://github.com/opendevstack/ods-quickstarters/issues/804))
 - Needed changes to run CI again, ported from task/upgrade-atlassian-stack. Run quickstarters in parallel, typos.

configuration-sample/ods-core.env.sample

@@ -185,13 +185,13 @@ CONFLUENCE_URL=http://192.168.56.31:8090
 # For UBI8-based images (OpenShift 4):
 # - RHEL variant: https://catalog.redhat.com/software/containers/openshift4/ose-jenkins/5cdd918ad70cc57c44b2d279
 # -      Example: registry.redhat.io/openshift4/ose-jenkins:v4.6
+# -      Last tested: registry.redhat.io/openshift4/ose-jenkins:v4.10.0-202305170515.p0.g2988625.assembly.stream
 # - Community variant: https://quay.io/repository/openshift/origin-jenkins?tab=tags
 # -           Example: quay.io/openshift/origin-jenkins:4.6
 # For RHEL7-based images (OpenShift 3.11):
 # - Available tags listed at: https://catalog.redhat.com/software/containers/openshift3/jenkins-2-rhel7/581d2f4500e5d05639b6517b
 # - Example: registry.access.redhat.com/openshift3/jenkins-2-rhel7:v3.11
-# - Latest tested tag: v3.11.248 (v3.11 is a moving target)
-JENKINS_MASTER_BASE_FROM_IMAGE=registry.access.redhat.com/openshift3/jenkins-2-rhel7:v3.11
+JENKINS_MASTER_BASE_FROM_IMAGE=registry.redhat.io/openshift4/ose-jenkins:v4.10.0-202305170515.p0.g2988625.assembly.stream
 
 # Dockerfile to use for Jenkins master.
 # Use "Dockerfile.ubi8" for both OpenShift 3.11 and 4  (UBI8 base image)
@@ -201,13 +201,14 @@ JENKINS_MASTER_DOCKERFILE_PATH=Dockerfile.ubi8
 # For UBI8-based images (OpenShift 4):
 # - RHEL variant: https://catalog.redhat.com/software/containers/openshift4/ose-jenkins-agent-base/5cdd8e2fbed8bd5717d66e77
 # -      Example: registry.redhat.io/openshift4/ose-jenkins-agent-base:v4.6
+# -      Last tested: registry.redhat.io/openshift4/ose-jenkins:v4.10.0-202305170515.p0.g2988625.assembly.stream
 # - Community variant: https://quay.io/repository/openshift/origin-jenkins-agent-base?tab=tags
 # -           Example: quay.io/openshift/origin-jenkins-agent-base:4.6
 # For RHEL7-based images (OpenShift 3.11):
 # - Available tags listed at: https://catalog.redhat.com/software/containers/openshift3/jenkins-slave-base-rhel7/581d2f3f00e5d05639b6515b.
 # - Example: registry.access.redhat.com/openshift3/jenkins-slave-base-rhel7:v3.11
 # - Latest tested tag: v3.11.248 (v3.11 is a moving target)
-JENKINS_AGENT_BASE_FROM_IMAGE=registry.access.redhat.com/openshift3/jenkins-slave-base-rhel7:v3.11
+JENKINS_AGENT_BASE_FROM_IMAGE=registry.redhat.io/openshift4/ose-jenkins:v4.10.0-202305170515.p0.g2988625.assembly.stream
 
 # Dockerfile to use for Jenkins agents.
 # Use "Dockerfile.ubi8" for both OpenShift 3.11 and 4  (UBI8 base image)
@@ -224,8 +225,8 @@ JENKINS_AGENT_BASE_SNYK_DISTRIBUTION_URL=https://github.com/snyk/snyk/releases/d
 # Releases are published at https://download.aquasec.com/scanner
 # Check Aqua versions backward compatibility at https://docs.aquasec.com/docs/version-compatibility-of-components#section-backward-compatibility-across-two-major-versions
 # To Download the aquaSec scanner cli and check their documentaion requires a valid account on aquasec.com
-# Latest tested version is 2022.4.98
-# Example: https://<USER>:<PASSWORD>@download.aquasec.com/scanner/2022.4.98/scannercli
+# Latest tested version is 2022.4.284
+# Example: https://<USER>:<PASSWORD>@download.aquasec.com/scanner/2022.4.284/scannercli
 JENKINS_AGENT_BASE_AQUASEC_SCANNERCLI_URL=
 
 # Repository of shared library

docs/modules/jenkins/pages/agent-base.adoc

@@ -12,6 +12,7 @@ The base image contains the following customizations:
 * https://github.com/containers/skopeo[Skopeo]
 * https://snyk.io[Snyk] - used to scan and monitor projects vulnerable third-party dependencies (only installed if `SNYK_DISTRIBUTION_URL` is configured)
 * https://aquasec.com[Aqua Scanner CLI] - used to scan local images and interact with the Aqua Server (only installed if `AQUASEC_SCANNERCLI_URL` is configured)
+* https://trivy.dev[Trivy Scanner] - used to scan filesystem and generate “software bill of materials” https://cyclonedx.org/capabilities/sbom[SBOM] report
 * Setting of enterprise proxy (based on `HTTP_PROXY` presence)
 * Support for custom certificates (based on `APP_DNS` presence)
 

jenkins/agent-base/Dockerfile.ubi8

@@ -6,10 +6,11 @@ ENV SONAR_SCANNER_VERSION=4.7.0.2747 \
     CNES_REPORT_VERSION=4.1.2 \
     TAILOR_VERSION=1.3.4 \
     SOPS_VERSION=3.7.3 \
-    HELM_VERSION=3.11.0 \
-    HELM_PLUGIN_DIFF_VERSION=3.6.0 \
+    HELM_VERSION=3.11.3 \
+    HELM_PLUGIN_DIFF_VERSION=3.8.1 \
     HELM_PLUGIN_SECRETS_VERSION=4.2.2 \
-    GIT_LFS_VERSION=2.6.1 \
+    GIT_LFS_VERSION=3.3.0 \
+    TRIVY_VERSION=0.42.0 \
     JAVA_GC_OPTS="-XX:+UseParallelGC -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90"
 
 ARG APP_DNS
@@ -88,7 +89,7 @@ RUN cd /tmp \
     && mkdir -p /tmp/git-lfs \
     && curl -sSLO https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-amd64-v${GIT_LFS_VERSION}.tar.gz \
     && tar -zxvf git-lfs-linux-amd64-v${GIT_LFS_VERSION}.tar.gz -C /tmp/git-lfs \
-    && bash /tmp/git-lfs/install.sh \
+    && bash /tmp/git-lfs/git-lfs-${GIT_LFS_VERSION}/install.sh \
     && git lfs version \
     && rm -rf /tmp/git-lfs*
 
@@ -114,6 +115,11 @@ RUN if [ -z $AQUASEC_SCANNERCLI_URL ] ; then echo 'Skipping AquaSec installation
     && echo 'AquaSec installation completed!'; \
     fi
 
+# Install Trivy.
+RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v$TRIVY_VERSION \
+    && echo 'Trivy CLI version:' \
+    && trivy version
+
 # Set java proxy var.
 COPY set_java_proxy.sh /tmp/set_java_proxy.sh
 RUN . /tmp/set_java_proxy.sh && echo $JAVA_OPTS

jenkins/master/Dockerfile.ubi8

@@ -10,6 +10,7 @@ ARG SONAR_EDITION
 ARG SONAR_VERSION
 ARG APP_DNS
 ENV TAILOR_VERSION=1.3.4
+ENV JENKINS_JAVA_OVERRIDES="-Dhudson.tasks.MailSender.SEND_TO_UNKNOWN_USERS=true -Dhudson.tasks.MailSender.SEND_TO_USERS_WITHOUT_READ=true"
 
 USER root
 
@@ -38,9 +39,10 @@ RUN chown :0 /etc/pki/java/cacerts && chmod ugo+w /etc/pki/java/cacerts
 RUN cd /tmp \
 	&& curl -LOv https://github.com/opendevstack/tailor/releases/download/v${TAILOR_VERSION}/tailor-linux-amd64 \
 	&& mv tailor-linux-amd64 /usr/local/bin/tailor \
-	&& chmod a+x /usr/local/bin/tailor
+	&& chmod a+x /usr/local/bin/tailor \
+    && tailor version
 
 USER jenkins
 
-ENV JENKINS_JAVA_OVERRIDES="-Dhudson.tasks.MailSender.SEND_TO_UNKNOWN_USERS=true -Dhudson.tasks.MailSender.SEND_TO_USERS_WITHOUT_READ=true"
-RUN tailor version
+
+

jenkins/master/configuration/init.groovy.d/flow-durability-hint.groovy

@@ -2,7 +2,7 @@ import jenkins.model.Jenkins;
 import org.jenkinsci.plugins.workflow.flow.*;
 
 // See comments in https://github.com/opendevstack/ods-core/pull/1161
-FlowDurabilityHint fdh = FlowDurabilityHint.SURVIVABLE_NONATOMIC;
+FlowDurabilityHint fdh = FlowDurabilityHint.PERFORMANCE_OPTIMIZED;
 
 println("\nAvailable values: ")
 for (FlowDurabilityHint maybeHint : FlowDurabilityHint.values()) {