From 5d0cc8f6f23d36f7dd9260127a2e3dabf2053418 Mon Sep 17 00:00:00 2001 From: soletsdev Date: Thu, 26 Sep 2024 09:47:37 -0700 Subject: [PATCH] github actions updates + dependabot --- .github/dependabot.yml | 11 +++++++++++ .github/workflows/ci-api-build.and.test.yml | 12 ++++++------ .github/workflows/deploy-to.openshift-dev.yml | 9 ++++----- .github/workflows/deploy-to.openshift-prod.yml | 7 +++---- .github/workflows/deploy-to.openshift-test.yml | 6 +++--- .../workflows/tag-create.git.and.imagestream.tag.yml | 6 +++--- 6 files changed, 30 insertions(+), 21 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..0a53f11 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" \ No newline at end of file diff --git a/.github/workflows/ci-api-build.and.test.yml b/.github/workflows/ci-api-build.and.test.yml index eef6e6c..2787f03 100644 --- a/.github/workflows/ci-api-build.and.test.yml +++ b/.github/workflows/ci-api-build.and.test.yml @@ -25,14 +25,14 @@ jobs: working-directory: api steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: java-version: 17 distribution: oracle - - uses: actions/cache@v3 + - uses: actions/cache@v4 with: path: ~/.m2/repository key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} 
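Review bot: The new `.github/dependabot.yml` registers only the `github-actions` ecosystem, so the Maven dependencies built by `ci-api-build.and.test.yml` (`mvn -f pom.xml` under `working-directory: api`) still get no automated update PRs. If the POM lives under `api/`, as that workflow suggests, add a second entry such as `- package-ecosystem: "maven"` with `directory: "/api"` and its own `schedule`. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing in the same change.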
@@ -41,7 +41,7 @@ jobs: - name: Run unit tests run: mvn -f pom.xml clean package - name: Cache SonarCloud packages - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: ~/.sonar/cache key: ${{ runner.os }}-sonar @@ -54,7 +54,7 @@ jobs: env: GITHUB_TOKEN: ${{ github.token }} - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@0.12.0 + uses: aquasecurity/trivy-action@0.24.0 with: scan-type: 'fs' ignore-unfixed: true @@ -63,6 +63,6 @@ jobs: severity: 'CRITICAL' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/deploy-to.openshift-dev.yml b/.github/workflows/deploy-to.openshift-dev.yml index 6e1cdee..d5b4334 100644 --- a/.github/workflows/deploy-to.openshift-dev.yml +++ b/.github/workflows/deploy-to.openshift-dev.yml @@ -47,7 +47,6 @@ on: jobs: build-and-deploy-dev: name: Build and deploy to OpenShift DEV - # ubuntu-20.04 can also be used. runs-on: ubuntu-22.04 environment: dev @@ -57,7 +56,7 @@ jobs: steps: - name: Check for required secrets - uses: actions/github-script@v6 + uses: actions/github-script@v7 with: script: | const secrets = { @@ -91,7 +90,7 @@ jobs: core.info(`✅ All the required secrets are set`); } - name: Check out repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Determine image tags if: env.IMAGE_TAGS == '' @@ -136,7 +135,7 @@ jobs: oc: 4 # https://github.com/redhat-actions/oc-login#readme - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Deploy API run: | @@ -163,6 +162,6 @@ jobs: # Get status, returns 0 if rollout is successful oc rollout status dc/${{ env.SPRING_BOOT_IMAGE_NAME }} - name: ZAP Scan - uses: zaproxy/action-api-scan@v0.7.0 + uses: zaproxy/action-api-scan@v0.8.0 with: target: 'https://${{ env.APP_NAME }}-${{ env.OPENSHIFT_NAMESPACE_DEV }}.apps.silver.devops.gov.bc.ca/v3/api-docs' 
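Review bot: `aquasecurity/trivy-action@0.24.0` in the `@@ -54,7 +54,7 @@` hunk is still referenced by a tag, and a tag can be moved to different code after this review. Pin third-party actions to a full commit SHA and keep the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha> # 0.24.0`. The Dependabot config added in this commit can keep SHA pins of that form up to date. The same applies to `zaproxy/action-api-scan@v0.8.0` in the dev and test deploy workflows, and to the unchanged `actions-ecosystem/action-get-latest-tag@v1` and `redhat-actions/openshift-tools-installer@v1` lines visible as context. Those run in jobs that begin with a `Check for required secrets` step, so they presumably execute with deployment secrets available.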
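Review bot: `deploy-to.openshift-dev.yml` now runs `actions/checkout@v4` twice: the `Check out repository` step in the `@@ -91,7 +90,7 @@` hunk and the bare `- uses: actions/checkout@v4` in the `@@ -136,7 +135,7 @@` hunk. If both sit in the same job, as the hunks suggest, the second only repeats work and could be dropped. Neither sets `persist-credentials: false`, so the checkout token stays in the workspace's git config while the later `oc` steps run. None of the visible steps push with git, so adding `with:` / `persist-credentials: false` should be safe. The prod and tag workflows show the same pair of checkout steps. The step lists start and end outside these hunks, so confirm against the full files.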
diff --git a/.github/workflows/deploy-to.openshift-prod.yml b/.github/workflows/deploy-to.openshift-prod.yml index 5ba70fc..67b4f89 100644 --- a/.github/workflows/deploy-to.openshift-prod.yml +++ b/.github/workflows/deploy-to.openshift-prod.yml @@ -41,7 +41,6 @@ on: jobs: openshift-ci-cd: name: Deploy to OpenShift PROD - # ubuntu-20.04 can also be used. runs-on: ubuntu-22.04 environment: production @@ -51,7 +50,7 @@ jobs: steps: - name: Check for required secrets - uses: actions/github-script@v6 + uses: actions/github-script@v7 with: script: | const secrets = { @@ -89,7 +88,7 @@ jobs: } - name: Check out repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Get latest tag uses: actions-ecosystem/action-get-latest-tag@v1 @@ -101,7 +100,7 @@ jobs: oc: 4 # https://github.com/redhat-actions/oc-login#readme - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Deploy API run: | diff --git a/.github/workflows/deploy-to.openshift-test.yml b/.github/workflows/deploy-to.openshift-test.yml index 64a7556..181f691 100644 --- a/.github/workflows/deploy-to.openshift-test.yml +++ b/.github/workflows/deploy-to.openshift-test.yml @@ -58,7 +58,7 @@ jobs: steps: - name: Check for required secrets - uses: actions/github-script@v6 + uses: actions/github-script@v7 with: script: | const secrets = { @@ -96,7 +96,7 @@ jobs: } - name: Check out repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Install oc uses: redhat-actions/openshift-tools-installer@v1 @@ -129,6 +129,6 @@ jobs: oc rollout status dc/${{ env.SPRING_BOOT_IMAGE_NAME }} - name: ZAP Scan - uses: zaproxy/action-api-scan@v0.7.0 + uses: zaproxy/action-api-scan@v0.8.0 with: target: 'https://${{ env.APP_NAME }}-${{ env.OPENSHIFT_NAMESPACE_TEST }}.apps.silver.devops.gov.bc.ca/v3/api-docs' diff --git a/.github/workflows/tag-create.git.and.imagestream.tag.yml b/.github/workflows/tag-create.git.and.imagestream.tag.yml index 40f21a0..d4d8f23 100644 
--- a/.github/workflows/tag-create.git.and.imagestream.tag.yml +++ b/.github/workflows/tag-create.git.and.imagestream.tag.yml @@ -33,10 +33,10 @@ jobs: steps: - name: Check out repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Create tag - uses: actions/github-script@v6 + uses: actions/github-script@v7 with: script: | github.rest.git.createRef({ @@ -52,7 +52,7 @@ jobs: oc: 4 # https://github.com/redhat-actions/oc-login#readme - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Tag in OpenShift run: | set -eux