github actions updates + dependabot

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/ci-api-build.and.test.yml

@@ -25,14 +25,14 @@ jobs:
         working-directory: api
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
         with:
           java-version: 17
           distribution: oracle
-      - uses: actions/cache@v3
+      - uses: actions/cache@v4
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
@@ -41,7 +41,7 @@ jobs:
       - name: Run unit tests
         run: mvn -f pom.xml clean package
       - name: Cache SonarCloud packages
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
@@ -54,7 +54,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ github.token }}
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@0.12.0
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: 'fs'
           ignore-unfixed: true
@@ -63,6 +63,6 @@ jobs:
           severity: 'CRITICAL'
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/deploy-to.openshift-dev.yml

@@ -47,7 +47,6 @@ on:
 jobs:
   build-and-deploy-dev:
     name: Build and deploy to OpenShift DEV
-    # ubuntu-20.04 can also be used.
     runs-on: ubuntu-22.04
     environment: dev
 
@@ -57,7 +56,7 @@ jobs:
 
     steps:
       - name: Check for required secrets
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
           script: |
             const secrets = {
@@ -91,7 +90,7 @@ jobs:
               core.info(`✅ All the required secrets are set`);
             }
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Determine image tags
         if: env.IMAGE_TAGS == ''
@@ -136,7 +135,7 @@ jobs:
           oc: 4
 
         # https://github.com/redhat-actions/oc-login#readme
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Deploy API
         run: |
@@ -163,6 +162,6 @@ jobs:
           # Get status, returns 0 if rollout is successful
           oc rollout status dc/${{ env.SPRING_BOOT_IMAGE_NAME }}
       - name: ZAP Scan
-        uses: zaproxy/action-api-scan@v0.7.0
+        uses: zaproxy/action-api-scan@v0.8.0
         with:
           target: 'https://${{ env.APP_NAME }}-${{ env.OPENSHIFT_NAMESPACE_DEV }}.apps.silver.devops.gov.bc.ca/v3/api-docs'

.github/workflows/deploy-to.openshift-prod.yml

@@ -41,7 +41,6 @@ on:
 jobs:
   openshift-ci-cd:
     name: Deploy to OpenShift PROD
-    # ubuntu-20.04 can also be used.
     runs-on: ubuntu-22.04
     environment: production
 
@@ -51,7 +50,7 @@ jobs:
 
     steps:
       - name: Check for required secrets
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
           script: |
             const secrets = {
@@ -89,7 +88,7 @@ jobs:
             }
 
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Get latest tag
         uses: actions-ecosystem/action-get-latest-tag@v1
@@ -101,7 +100,7 @@ jobs:
           oc: 4
 
         # https://github.com/redhat-actions/oc-login#readme
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Deploy API
         run: |

.github/workflows/deploy-to.openshift-test.yml

@@ -58,7 +58,7 @@ jobs:
 
     steps:
       - name: Check for required secrets
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
           script: |
             const secrets = {
@@ -96,7 +96,7 @@ jobs:
             }
 
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Install oc
         uses: redhat-actions/openshift-tools-installer@v1
@@ -129,6 +129,6 @@ jobs:
           oc rollout status dc/${{ env.SPRING_BOOT_IMAGE_NAME }}
 
       - name: ZAP Scan
-        uses: zaproxy/action-api-scan@v0.7.0
+        uses: zaproxy/action-api-scan@v0.8.0
         with:
           target: 'https://${{ env.APP_NAME }}-${{ env.OPENSHIFT_NAMESPACE_TEST }}.apps.silver.devops.gov.bc.ca/v3/api-docs'

.github/workflows/tag-create.git.and.imagestream.tag.yml

@@ -33,10 +33,10 @@ jobs:
 
     steps:
     - name: Check out repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: Create tag
-      uses: actions/github-script@v6
+      uses: actions/github-script@v7
       with:
         script: |
           github.rest.git.createRef({
@@ -52,7 +52,7 @@ jobs:
         oc: 4
 
       # https://github.com/redhat-actions/oc-login#readme
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Tag in OpenShift
       run: |
         set -eux