This is an automated email from the ASF dual-hosted git repository. adamsaghy pushed a commit to branch develop-hardened in repository https://gitbox.apache.org/repos/asf/fineract.git
commit d3cae68d82a7684ab304e12b513518e823d96e10
Author: Adam Saghy <[email protected]>
AuthorDate: Thu Jan 8 21:38:55 2026 +0100
FINERACT-2421: Use hardened image
---
 .github/workflows/build-docker.yml | 10 ++++++++++
 .github/workflows/build-e2e-tests.yml | 9 +++++++++
 .github/workflows/publish-dockerhub.yml | 11 +++++++++++
 .github/workflows/smoke-messaging.yml | 10 ++++++++++
 build.gradle | 2 +-
 custom/docker/build.gradle | 8 +++++++-
 .../fineract/test/factory/LoanProductsRequestFactory.java | 2 +-
 fineract-provider/build.gradle | 8 +++++++-
 8 files changed, 56 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index c47e644511..7fea2d90fe 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -24,6 +24,8 @@ jobs:
 env:
 DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 IMAGE_NAME: fineract
+ DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
+ DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
 steps:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
@@ -39,6 +41,14 @@ jobs:
 - name: Setup Gradle
 uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+ - name: Login to Docker Hardened Images registry
+ if: ${{ env.DOCKERHUB_USER != '' && env.DOCKERHUB_TOKEN != '' }}
+ uses: docker/login-action@v3
+ with:
+ registry: dhi.io
+ username: ${{ env.DOCKERHUB_USER }}
+ password: ${{ env.DOCKERHUB_TOKEN }}
+
 - name: Build the image
 run: ./gradlew --no-daemon --console=plain :fineract-provider:jibDockerBuild -Djib.to.image=$IMAGE_NAME -x test -x cucumber
diff --git a/.github/workflows/build-e2e-tests.yml b/.github/workflows/build-e2e-tests.yml
index 6a3436100d..7d37343304 100644
--- a/.github/workflows/build-e2e-tests.yml
+++ b/.github/workflows/build-e2e-tests.yml
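Review bot: The login step added in the second hunk of build-docker.yml references `docker/login-action@v3`, a mutable tag, while the other actions visible in these hunks (`actions/checkout`, `gradle/actions/setup-gradle`) are pinned to full commit SHAs. This step is handed `DOCKERHUB_TOKEN`, so whatever code the `v3` tag points to at run time executes with that credential. Pin it like the others, e.g. `uses: docker/login-action@<full-commit-sha> # v3.x.y` (placeholder; take the SHA from the release that was reviewed). The same step is added unchanged in build-e2e-tests.yml, publish-dockerhub.yml and smoke-messaging.yml.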
@@ -30,6 +30,8 @@ jobs:
 EVENT_VERIFICATION_ENABLED: true
 ACTIVEMQ_BROKER_URL: tcp://localhost:61616
 ACTIVEMQ_TOPIC_NAME: events
+ DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
+ DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
 steps:
 - name: Checkout code
@@ -56,6 +58,13 @@ jobs:
 echo "Shard ${{ matrix.shard_index }} feature files:"
 cat feature_shard_${{ matrix.shard_index }}.txt
+ - name: Login to Docker Hardened Images registry
+ if: ${{ env.DOCKERHUB_USER != '' && env.DOCKERHUB_TOKEN != '' }}
+ uses: docker/login-action@v3
+ with:
+ registry: dhi.io
+ username: ${{ env.DOCKERHUB_USER }}
+ password: ${{ env.DOCKERHUB_TOKEN }}
 - name: Build the image
 run: ./gradlew --no-daemon --console=plain :fineract-provider:jibDockerBuild -Djib.to.image=$IMAGE_NAME -x test -x cucumber
diff --git a/.github/workflows/publish-dockerhub.yml b/.github/workflows/publish-dockerhub.yml
index e0e94f11c2..4566e47958 100644
--- a/.github/workflows/publish-dockerhub.yml
+++ b/.github/workflows/publish-dockerhub.yml
@@ -3,6 +3,7 @@ on:
 push:
 branches:
 - develop
+ - develop-hardened
 tags:
 - 1.*
 permissions:
@@ -13,6 +14,8 @@ jobs:
 timeout-minutes: 60
 env:
 DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
+ DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
+ DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
 steps:
 - name: Checkout Source Code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
@@ -28,6 +31,14 @@ jobs:
 - name: Setup Gradle
 uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+ - name: Login to Docker Hardened Images registry
+ if: ${{ env.DOCKERHUB_USER != '' && env.DOCKERHUB_TOKEN != '' }}
+ uses: docker/login-action@v3
+ with:
+ registry: dhi.io
+ username: ${{ env.DOCKERHUB_USER }}
+ password: ${{ env.DOCKERHUB_TOKEN }}
+
 - name: Get Git Hashes
 run: |
 echo "short_hash=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
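Review bot: Adding `develop-hardened` to the push branches in the first hunk of publish-dockerhub.yml makes every push to that branch run the publish job, and the steps that choose the image name and tag are outside the hunk. If they do not distinguish the branch, an image built from `develop-hardened` would presumably be published under the same tag as the `develop` image; confirm the tag is branch-specific before merging. Separately, the login step in the third hunk is skipped when either secret is empty, so a publish run would continue without authenticating to dhi.io instead of failing. For a publishing job a hard failure is the safer default, for example an early step running `test -n "$DOCKERHUB_USER" && test -n "$DOCKERHUB_TOKEN"`.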
diff --git a/.github/workflows/smoke-messaging.yml b/.github/workflows/smoke-messaging.yml
index 01b7e18f62..0d6314a8b5 100644
--- a/.github/workflows/smoke-messaging.yml
+++ b/.github/workflows/smoke-messaging.yml
@@ -22,6 +22,8 @@ jobs:
 env:
 DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 IMAGE_NAME: fineract
+ DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
+ DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
 steps:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
@@ -37,6 +39,14 @@ jobs:
 - name: Setup Gradle
 uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+ - name: Login to Docker Hardened Images registry
+ if: ${{ env.DOCKERHUB_USER != '' && env.DOCKERHUB_TOKEN != '' }}
+ uses: docker/login-action@v3
+ with:
+ registry: dhi.io
+ username: ${{ env.DOCKERHUB_USER }}
+ password: ${{ env.DOCKERHUB_TOKEN }}
+
 - name: Build the image
 run: ./gradlew --no-daemon --console=plain :fineract-provider:jibDockerBuild -Djib.to.image=$IMAGE_NAME -x test -x cucumber
diff --git a/build.gradle b/build.gradle
index 17cee30737..28ef9fb6d6 100644
--- a/build.gradle
+++ b/build.gradle
@@ -108,7 +108,7 @@ plugins {
 id 'com.gorylenko.gradle-git-properties' version '2.4.2' apply false
 id 'org.asciidoctor.jvm.convert' version '4.0.5' apply false
 id 'org.asciidoctor.jvm.pdf' version '4.0.5' apply false
- id 'com.google.cloud.tools.jib' version '3.4.5' apply false
+ id 'com.google.cloud.tools.jib' version '3.5.2' apply false
 id 'org.sonarqube' version '6.0.1.5171'
 id 'com.github.andygoossens.modernizer' version '1.10.0' apply false
 id 'com.github.spotbugs' version '6.0.26' apply false
diff --git a/custom/docker/build.gradle b/custom/docker/build.gradle
index 2822fe5376..c12873f5dd 100644
--- a/custom/docker/build.gradle
+++ b/custom/docker/build.gradle
@@ -24,7 +24,13 @@ apply from: "${rootDir}/buildSrc/src/main/groovy/org.apache.fineract.dependencie
 jib {
 from {
- image = 'azul/zulu-openjdk-alpine:21'
+ def hasDockerCreds =
+ System.getenv("DOCKERHUB_USER")?.trim() &&
+ System.getenv("DOCKERHUB_TOKEN")?.trim()
+
+ image = hasDockerCreds
+ ? "dhi.io/azul:21-jdk-prime"
+ : "azul/zulu-openjdk-alpine:21"
 platforms {
 platform {
 architecture = System.getProperty("os.arch").equals("aarch64")?"arm64":"amd64"
diff --git a/fineract-e2e-tests-core/src/test/java/org/apache/fineract/test/factory/LoanProductsRequestFactory.java b/fineract-e2e-tests-core/src/test/java/org/apache/fineract/test/factory/LoanProductsRequestFactory.java
index f65f458d9a..0e2f3e5218 100644
--- a/fineract-e2e-tests-core/src/test/java/org/apache/fineract/test/factory/LoanProductsRequestFactory.java
+++ b/fineract-e2e-tests-core/src/test/java/org/apache/fineract/test/factory/LoanProductsRequestFactory.java
@@ -1853,7 +1853,7 @@ public class LoanProductsRequestFactory {
 .inArrearsTolerance(true)//
 .repaymentEvery(true)//
 .graceOnPrincipalAndInterestPayment(true)//
- .graceOnArrearsAgeing(true))//
+ .graceOnArrearsAging(true))//
 .isEqualAmortization(false)//
 .delinquencyBucketId(DELINQUENCY_BUCKET_ID.longValue())//
 .enableDownPayment(false)//
diff --git a/fineract-provider/build.gradle b/fineract-provider/build.gradle
index e5751e020a..1e8a69fcd0 100644
--- a/fineract-provider/build.gradle
+++ b/fineract-provider/build.gradle
@@ -243,7 +243,13 @@ bootJar {
 jib {
 from {
- image = 'azul/zulu-openjdk-alpine:21'
+ def hasDockerCreds =
+ System.getenv("DOCKERHUB_USER")?.trim() &&
+ System.getenv("DOCKERHUB_TOKEN")?.trim()
+
+ image = hasDockerCreds
+ ? "dhi.io/azul:21-jdk-prime"
+ : "azul/zulu-openjdk-alpine:21"
 platforms {
 platform {
 architecture = System.getProperty("os.arch").equals("aarch64")?"arm64":"amd64"
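Review bot: The base image in the `jib.from` block of custom/docker/build.gradle is selected by whether `DOCKERHUB_USER` and `DOCKERHUB_TOKEN` are non-empty in the Gradle process environment, which requires the registry token to be visible to the whole build (the workflows export it at job level) rather than only to the login step. It also means a build without the secrets silently produces an image on `azul/zulu-openjdk-alpine:21` and still reports success, so the tested and the published base can differ without any signal. An explicit non-secret switch would decouple the two, e.g. `image = project.findProperty('<base-image-property>') ?: 'azul/zulu-openjdk-alpine:21'` (property name is a placeholder), with the workflow passing the hardened image only after a successful login. Both references are mutable tags; pinning them as `<image>@sha256:<digest>` would make the base reproducible. The identical change in fineract-provider/build.gradle needs the same treatment, and the `jib` block continues past the end of both hunks.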
