90 changes: 90 additions & 0 deletions .github/workflows/deploy_to_internal.yml
@@ -0,0 +1,90 @@
name: 'Deploy to dataverse-internal.iq.harvard.edu'

on:
workflow_dispatch:
inputs:
buildlabel:
description: 'Custom label that will appear after the version number (the equivalent of the old "build number" entry).'
type: string
required: false

permissions:
contents: read

concurrency:
group: deploy-to-internal
cancel-in-progress: false

jobs:
build:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v6

- uses: actions/setup-java@v5
with:
distribution: 'zulu'
java-version: '21'

- name: Set build number
run: scripts/installer/custom-build-number ${{ github.event.inputs.buildlabel }}

- name: Build application war
run: mvn package

- name: Get war file name
working-directory: target
run: echo "war_file=$(ls *.war | head -1)">> $GITHUB_ENV

- name: Upload war artifact
uses: actions/upload-artifact@v7
with:
name: built-app
path: ./target/${{ env.war_file }}

deploy-to-payara:
needs: build
if: ${{ github.repository_owner == 'IQSS' }}
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v6

- name: Download war artifact
uses: actions/download-artifact@v8
with:
name: built-app
path: ./

- name: Get war file name
run: echo "war_file=$(ls *.war | head -1)">> $GITHUB_ENV

- name: Copy war file to remote instance
uses: appleboy/scp-action@master
with:
host: ${{ secrets.INTERNAL_PAYARA_INSTANCE_HOST }}
username: ${{ secrets.INTERNAL_PAYARA_INSTANCE_USERNAME }}
key: ${{ secrets.INTERNAL_PAYARA_INSTANCE_SSH_PRIVATE_KEY }}
source: './${{ env.war_file }}'
target: '/home/${{ secrets.INTERNAL_PAYARA_INSTANCE_USERNAME }}'
overwrite: true

- name: Execute payara war deployment remotely
uses: appleboy/ssh-action@v1.2.5
env:
INPUT_WAR_FILE: ${{ env.war_file }}
with:
host: ${{ secrets.INTERNAL_PAYARA_INSTANCE_HOST }}
username: ${{ secrets.INTERNAL_PAYARA_INSTANCE_USERNAME }}
key: ${{ secrets.INTERNAL_PAYARA_INSTANCE_SSH_PRIVATE_KEY }}
envs: INPUT_WAR_FILE
script: |
APPLICATION_NAME=dataverse-backend
ASADMIN='/usr/local/payara7/bin/asadmin --user admin'
$ASADMIN undeploy $APPLICATION_NAME
#$ASADMIN stop-domain
#$ASADMIN start-domain
$ASADMIN deploy --name $APPLICATION_NAME $INPUT_WAR_FILE
#$ASADMIN stop-domain
#$ASADMIN start-domain
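Review bot: the `Set build number` step interpolates `${{ github.event.inputs.buildlabel }}` straight into the `run:` command line, so any shell metacharacters in the label are evaluated by the runner's shell; pass the input through `env:` and quote it instead:
`env:`
`  BUILD_LABEL: ${{ github.event.inputs.buildlabel }}`
`run: scripts/installer/custom-build-number "$BUILD_LABEL"`
Two smaller points in the same job: `appleboy/scp-action@master` tracks a moving branch while `appleboy/ssh-action@v1.2.5` is pinned to a tag, so pin both to a full commit SHA; and `$ASADMIN undeploy $APPLICATION_NAME` runs unconditionally before the deploy, so on a fresh instance with nothing deployed yet that command returns an error, and the script should decide explicitly whether that aborts the deployment.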
41 changes: 41 additions & 0 deletions .github/workflows/generate_war_file.yml
@@ -0,0 +1,41 @@
name: 'Generate dataverse war file'

on:
workflow_dispatch:
inputs:
buildlabel:
description: 'Custom label that will appear after the version number (the equivalent of the old "build number" entry).'
type: string
required: false

jobs:
build:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v6

- uses: actions/setup-java@v5
with:
distribution: 'zulu'
java-version: '21'

- name: Set build number
run: scripts/installer/custom-build-number ${{ github.event.inputs.buildlabel }}

- name: Get branch name
id: branch-name
uses: tj-actions/branch-names@v7.07

- name: Build application war
run: mvn package

- name: Get war file name
working-directory: target
run: echo "war_file=$(ls *.war | head -1)">> $GITHUB_ENV

- name: Upload war artifact
uses: actions/upload-artifact@v7
with:
name: built-app
path: ./target/${{ env.war_file }}
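Review bot: this workflow has no `permissions:` block, so `GITHUB_TOKEN` falls back to the repository default; add a top-level `permissions: contents: read` as deploy_to_internal.yml already does. The `Get branch name` step (`id: branch-name`, `tj-actions/branch-names@v7.07`) is not referenced by any later step, so it pulls in a third-party action for no output; drop it, or if its output is needed later, reference it and pin the action to a commit SHA. The `Set build number` step has the same unquoted `${{ github.event.inputs.buildlabel }}` interpolation in `run:` as deploy_to_internal.yml and should take the value via `env:` instead.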
Comment on lines +13 to +41

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 2 months ago

In general, the fix is to explicitly define a permissions block in the workflow (either at the top level or under the specific job) granting only the minimal scopes required. This documents the workflow’s needs and prevents it from unintentionally inheriting broader defaults (such as full read-write on repo contents).

For this particular workflow, it only needs to read repository contents (for checkout) and use artifacts. None of the steps push commits, modify issues, or interact with pull requests, so we can safely restrict GITHUB_TOKEN to contents: read. We should add a root-level permissions block near the top of .github/workflows/generate_war_file.yml, right after the name: (or before/after on:) so that it applies to all jobs, including the build job on line 12. No imports or additional methods are needed; this is purely a YAML configuration change.

Concretely, in .github/workflows/generate_war_file.yml, insert:

permissions:
  contents: read

between the name: and on: keys (or equivalently between on: and jobs:), keeping indentation consistent. This will satisfy CodeQL and enforce least privilege without changing the workflow’s behavior.

Suggested changeset 1
.github/workflows/generate_war_file.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/generate_war_file.yml b/.github/workflows/generate_war_file.yml
--- a/.github/workflows/generate_war_file.yml
+++ b/.github/workflows/generate_war_file.yml
@@ -1,5 +1,8 @@
 name: 'Generate dataverse war file'
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
     inputs:
EOF
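Review bot: the suggested block is the right fix and matches the `permissions: contents: read` declaration deploy_to_internal.yml already carries at the top level, so applying it keeps the two workflows consistent; no job in this file needs more than read access to contents.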
2 changes: 1 addition & 1 deletion scripts/installer/custom-build-number-hook
@@ -1,7 +1,7 @@
#!/bin/sh
# Git changes workdir to root of repo per git documentation
BRANCH_COMMIT=$(git rev-parse --abbrev-ref HEAD)-$(git log --oneline | head -1 | awk '{print $1}')
echo "build.number=$BRANCH_COMMIT" > src/main/java/BuildNumber.properties
echo "build.number=build $BRANCH_COMMIT" > src/main/java/BuildNumber.properties

# Based on https://stackoverflow.com/questions/25590267
# $6 = previous branch, $8 is next branch
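Review bot: the hook now bakes the literal `build ` prefix into the property value, which is what `getVersion` used to add in Java; that is consistent with the Java change, but a one-line comment above the `echo` saying the prefix is intentional would stop someone from "cleaning it up" later. Style: `$(git log --oneline | head -1 | awk '{print $1}')` can be replaced by `$(git rev-parse --short HEAD)`, which does not depend on the log format or on pager settings.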
@@ -125,7 +125,7 @@ public String getVersion(boolean withBuildNumber) {
}

if (!buildNumber.equals("")) {
return appVersion + " build " + buildNumber;
return appVersion + " " + buildNumber;
}
}

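Review bot: removing the hard-coded `" build "` means whatever value comes from BuildNumber.properties is now appended verbatim, so a label supplied through the new workflow input shows up as `<version> <label>` and the hook has to supply its own `build ` prefix (which the hook change does). Worth stating in the method's Javadoc that the property value is used as-is. Style: `!buildNumber.equals("")` reads better as `!buildNumber.isEmpty()`.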
@@ -93,10 +93,11 @@ void testGetVersionWithBuild() {

// then
assertTrue(result.startsWith("100.100"), "'" + result + "' not starting with 100.100");
assertTrue(result.contains("build"));

// Cannot test this here - there might be the bundle file present which is not under test control
//assertTrue(result.endsWith("FOOBAR"), "'" + result + "' not ending with FOOBAR");
// Not sure what to do about this. The above is correct, if there is a BuildNumber.properties
// file present on the developer's system, it will take precedence. - L.A.
}

@Test
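Review bot: dropping `assertTrue(result.contains("build"))` leaves this test asserting only the version prefix, so a regression in how the build label is appended would no longer be caught. The added comment explains why (a BuildNumber.properties file on the developer's machine takes precedence), so the better fix is to make the property source controllable from the test, for example an overridable lookup or a temporary properties file the test creates and removes, rather than weakening the assertion.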