From b76ce3f6123eacbc7370e4ee3b69495bdfe872bc Mon Sep 17 00:00:00 2001 From: nirpel-sys Date: Tue, 20 Jan 2026 11:48:54 +0200 Subject: [PATCH 01/19] Create main.yml with OIDC token Signed-off-by: nirpel-sys --- .github/workflows/main.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/workflows/main.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 000000000..d94828947 --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,23 @@ +jobs: + build-and-publish: + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write # MANDATORY: Required to request the JWT from GitHub + + steps: + - name: Checkout Code + uses: actions/checkout@v4 + + # Setup JFrog CLI using OIDC instead of Secrets + - name: Set up JFrog CLI + uses: jfrog/setup-jfrog-cli@v4 + env: + JF_URL: ${{ secrets.JF_URL }} # Still need the URL, but no token needed! + with: + version: latest + oidc-provider-name: github-oidc-provider # Must match name in JFrog + oidc-audience: jfrog-github # Must match audience in JFrog + + - name: Run JFrog Command + run: jf rt ping # This now works without any manual JF_ACCESS_TOKEN From f50fa2fd992ee1859c939fab776fd1cea8289967 Mon Sep 17 00:00:00 2001 From: nirpel-sys Date: Tue, 20 Jan 2026 12:03:31 +0200 Subject: [PATCH 02/19] Update main.yml with bp command to RT Signed-off-by: nirpel-sys --- .github/workflows/main.yml | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index d94828947..5a95655dc 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
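Review bot: `version: latest` on the "Set up JFrog CLI" step, together with the floating `@v4` tags on `actions/checkout` and `jfrog/setup-jfrog-cli`, means the binaries that end up holding this job's OIDC-minted Artifactory credential are not pinned, so an unexpected or compromised release silently changes what runs with that token. Pin the CLI to the release you validated (`version: "<x.y.z>"`) and pin both actions to a full commit SHA with the tag kept as a trailing comment. Scoping `id-token: write` to this single job alongside `contents: read` is the right shape; the JFrog-side identity mapping should also restrict the `repository`/`ref` claims it accepts, which this file cannot show — worth a comment next to `oidc-provider-name` recording what the mapping is.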
@@ -19,5 +19,20 @@ jobs: oidc-provider-name: github-oidc-provider # Must match name in JFrog oidc-audience: jfrog-github # Must match audience in JFrog - - name: Run JFrog Command - run: jf rt ping # This now works without any manual JF_ACCESS_TOKEN + # 1. Configure the build tool (Example for a Node.js project) + - name: Configure NPM + run: | + jf npm-config --repo-resolve=npm-virtual --repo-deploy=npm-local + + # 2. Run the build and collect "Build-Info" + # The 'jf' wrapper automatically records dependencies and environment variables + - name: Build and Collect Info + run: | + jf npm install --build-name=petclinic-ci --build-number=${{ github.run_number }} + jf npm publish --build-name=petclinic-ci --build-number=${{ github.run_number }} + + # 3. Publish the Build-Info to Artifactory + # This is the command that makes the build appear in the "Builds" tab + - name: Publish Build Info + run: | + jf rt bp petclinic-ci ${{ github.run_number }} From 6b6ddbf3215d431a70fe61c19f3eefb61db590d8 Mon Sep 17 00:00:00 2001 From: nirpel-sys Date: Tue, 20 Jan 2026 12:08:40 +0200 Subject: [PATCH 03/19] Update main.yml Signed-off-by: nirpel-sys --- .github/workflows/main.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 5a95655dc..031e9cf70 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,4 +1,9 @@ -jobs: +name: PetClinic JFrog CI + +on: + push: + branches: [ "main" ] # Triggers on every push to main + workflow_dispatch: # Adds a "Run workflow" button in the GitHub UIjobs: build-and-publish: runs-on: ubuntu-latest permissions: From 94280bd6dd1a5060dfe1c6ab9a8190c1311ade7a Mon Sep 17 00:00:00 2001 From: nirpel-sys Date: Tue, 20 Jan 2026 12:13:37 +0200 Subject: [PATCH 04/19] Update main.yml Signed-off-by: nirpel-sys --- .github/workflows/main.yml | 59 ++++++++++++++++++++++++-------------- 1 file changed, 38 insertions(+), 21 deletions(-) 
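Review bot: `jf npm install` in the "Build and Collect Info" step resolves dependencies with `npm install`, which may select versions outside the committed lockfile and rewrite it, so the build-info published by `jf rt bp` can describe a different tree than the repository pins; `jf npm ci --build-name=petclinic-ci --build-number=${{ github.run_number }}` gives a lockfile-exact install for CI. The npm configuration also looks like a placeholder copied from an example — this repository is a Maven project (`./mvnw`), so confirm the intended build tool before a `npm-config --repo-deploy=npm-local` is left in a workflow that publishes on every push to `main`.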
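Review bot: The `jobs:` key has been swallowed into the end-of-line comment on the `workflow_dispatch:` line (`# Adds a "Run workflow" button in the GitHub UIjobs:`), and the hunk header (`+1,9`, six insertions / one deletion) confirms the old `jobs:` line was removed without a replacement; as committed the file has no `jobs` mapping and GitHub will reject the workflow. Put it back on its own line: `workflow_dispatch:` followed by a blank line and `jobs:`. Keeping trailing comments off trigger keys under `on:` avoids this class of mistake.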
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 031e9cf70..fcfbe7c2a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,43 +1,60 @@ -name: PetClinic JFrog CI +name: PetClinic to Artifactory on: push: - branches: [ "main" ] # Triggers on every push to main - workflow_dispatch: # Adds a "Run workflow" button in the GitHub UIjobs: + branches: [ "main" ] + workflow_dispatch: + +jobs: build-and-publish: runs-on: ubuntu-latest permissions: contents: read - id-token: write # MANDATORY: Required to request the JWT from GitHub + id-token: write steps: - name: Checkout Code uses: actions/checkout@v4 - # Setup JFrog CLI using OIDC instead of Secrets + - name: Set up JDK 17 + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + cache: 'maven' + + # Setup JFrog CLI using OIDC - name: Set up JFrog CLI uses: jfrog/setup-jfrog-cli@v4 env: - JF_URL: ${{ secrets.JF_URL }} # Still need the URL, but no token needed! + JF_URL: ${{ secrets.JF_URL }} with: version: latest - oidc-provider-name: github-oidc-provider # Must match name in JFrog - oidc-audience: jfrog-github # Must match audience in JFrog + oidc-provider-name: github-oidc-provider + oidc-audience: jfrog-github - # 1. Configure the build tool (Example for a Node.js project) - - name: Configure NPM - run: | - jf npm-config --repo-resolve=npm-virtual --repo-deploy=npm-local + # 1 & 2: Compile and Run Tests + - name: Compile and Test + run: ./mvnw clean test - # 2. Run the build and collect "Build-Info" - # The 'jf' wrapper automatically records dependencies and environment variables - - name: Build and Collect Info + # 3: Package as Docker image + - name: Build Docker Image run: | - jf npm install --build-name=petclinic-ci --build-number=${{ github.run_number }} - jf npm publish --build-name=petclinic-ci --build-number=${{ github.run_number }} + ./mvnw spring-boot:build-image \ + -Dspring-boot.build-image.imageName=petclinic-app:${{ github.run_number }} - # 3. 
Publish the Build-Info to Artifactory - # This is the command that makes the build appear in the "Builds" tab - - name: Publish Build Info + # 4: Publish to Artifactory + - name: Publish to Artifactory run: | - jf rt bp petclinic-ci ${{ github.run_number }} + # Extract hostname (e.g., myinstance.jfrog.io) + JF_HOST=$(echo ${{ secrets.JF_URL }} | sed 's|https://||') + DOCKER_REPO="docker-local" + + # Tag and Push + REMOTE_TAG=$JF_HOST/$DOCKER_REPO/petclinic-app:${{ github.run_number }} + docker tag petclinic-app:${{ github.run_number }} $REMOTE_TAG + + jf docker push $REMOTE_TAG --build-name=petclinic --build-number=${{ github.run_number }} + + # Publish Build Info + jf rt bp petclinic ${{ github.run_number }} From 9bdb5dd9dc1ee4e522b3365d4e47ceff2251db65 Mon Sep 17 00:00:00 2001 From: nirpel-sys Date: Tue, 20 Jan 2026 12:50:49 +0200 Subject: [PATCH 05/19] Update main.yml Signed-off-by: nirpel-sys --- .github/workflows/main.yml | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index fcfbe7c2a..5373393e7 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
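Review bot: `JF_HOST=$(echo ${{ secrets.JF_URL }} | sed 's|https://||')` in "Publish to Artifactory" expands the secret into the shell script text before bash runs it, and unquoted; any whitespace or metacharacter in the value becomes shell syntax, which is the template-injection pattern GitHub's hardening guidance warns against for `run:` steps. Supply it through the environment instead — add `env: JF_URL: ${{ secrets.JF_URL }}` to the step and derive the host with `JF_HOST="${JF_URL#https://}"; JF_HOST="${JF_HOST%%/*}"`, which also strips a trailing slash or path rather than only the scheme. The `spring-boot:build-image` step presumably pulls its default builder image from a public registry rather than through Artifactory, so that image is outside the published build-info and Xray's view; route it via a Docker remote repository or pin the `builder` if that matters here.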
@@ -43,18 +43,32 @@ jobs: ./mvnw spring-boot:build-image \ -Dspring-boot.build-image.imageName=petclinic-app:${{ github.run_number }} - # 4: Publish to Artifactory - name: Publish to Artifactory run: | - # Extract hostname (e.g., myinstance.jfrog.io) - JF_HOST=$(echo ${{ secrets.JF_URL }} | sed 's|https://||') + # 1. Capture the URL from secrets into a local shell variable + # We use a fallback to 'MISSING' to catch empty secrets + RAW_URL="${{ secrets.JF_URL }}" + + # 2. Extract the hostname (remove https:// and any trailing slashes) + JF_HOST=$(echo "$RAW_URL" | sed 's|https://||' | sed 's|/||g') + + # 3. SAFETY CHECK: Stop the build if the hostname is missing + if [ -z "$JF_HOST" ]; then + echo "::error::JF_URL is empty! Check your GitHub Repository Secrets." + exit 1 + fi + + echo "Targeting JFrog Host: $JF_HOST" + DOCKER_REPO="docker-local" + IMAGE_TAG="petclinic-app:${{ github.run_number }}" + REMOTE_TAG="$JF_HOST/$DOCKER_REPO/$IMAGE_TAG" - # Tag and Push - REMOTE_TAG=$JF_HOST/$DOCKER_REPO/petclinic-app:${{ github.run_number }} - docker tag petclinic-app:${{ github.run_number }} $REMOTE_TAG + # 4. Perform the Tag and Push + docker tag "petclinic-app:${{ github.run_number }}" "$REMOTE_TAG" - jf docker push $REMOTE_TAG --build-name=petclinic --build-number=${{ github.run_number }} + # Use the 'jf' command which handles OIDC authentication automatically + jf docker push "$REMOTE_TAG" --build-name=petclinic --build-number=${{ github.run_number }} - # Publish Build Info + # 5. Publish Build Info for full traceability jf rt bp petclinic ${{ github.run_number }} From 0c22a6226d69a54f6b456be657f72ac8885918f4 Mon Sep 17 00:00:00 2001 From: nirpel-sys Date: Tue, 20 Jan 2026 13:52:39 +0200 Subject: [PATCH 06/19] Update main.yml Signed-off-by: nirpel-sys --- .github/workflows/main.yml | 39 +++++++++++--------------------------- 1 file changed, 11 insertions(+), 28 deletions(-) 
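Review bot: The comment `# We use a fallback to 'MISSING' to catch empty secrets` describes code that does not exist — `RAW_URL="${{ secrets.JF_URL }}"` has no fallback, and the `[ -z "$JF_HOST" ]` check below is what actually catches the empty case; drop the stale comment. The secret is still interpolated into the script text (the double quotes do not protect against a value containing `"`), so move it to the step's `env:` and read `"$JF_URL"`. `sed 's|/||g'` deletes every slash, so a URL with a path such as `https://host/artifactory` silently becomes `hostartifactory`; `JF_HOST="${JF_URL#https://}"; JF_HOST="${JF_HOST%%/*}"` keeps only the host component.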
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 5373393e7..45a2456ba 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - id-token: write + id-token: write steps: - name: Checkout Code @@ -23,7 +23,6 @@ jobs: distribution: 'temurin' cache: 'maven' - # Setup JFrog CLI using OIDC - name: Set up JFrog CLI uses: jfrog/setup-jfrog-cli@v4 env: 
@@ -33,42 +32,26 @@ jobs: oidc-provider-name: github-oidc-provider oidc-audience: jfrog-github - # 1 & 2: Compile and Run Tests - - name: Compile and Test + - name: Build and Test run: ./mvnw clean test - # 3: Package as Docker image - name: Build Docker Image run: | ./mvnw spring-boot:build-image \ -Dspring-boot.build-image.imageName=petclinic-app:${{ github.run_number }} - - name: Publish to Artifactory + - name: Publish to JFrog run: | - # 1. Capture the URL from secrets into a local shell variable - # We use a fallback to 'MISSING' to catch empty secrets - RAW_URL="${{ secrets.JF_URL }}" - - # 2. Extract the hostname (remove https:// and any trailing slashes) - JF_HOST=$(echo "$RAW_URL" | sed 's|https://||' | sed 's|/||g') - - # 3. SAFETY CHECK: Stop the build if the hostname is missing - if [ -z "$JF_HOST" ]; then - echo "::error::JF_URL is empty! Check your GitHub Repository Secrets." - exit 1 - fi - - echo "Targeting JFrog Host: $JF_HOST" + # Clean URL to get Hostname (e.g., myinstance.jfrog.io) + JF_HOST=$(echo "${{ secrets.JF_URL }}" | sed 's|https://||' | sed 's|/||g') DOCKER_REPO="docker-local" - IMAGE_TAG="petclinic-app:${{ github.run_number }}" - REMOTE_TAG="$JF_HOST/$DOCKER_REPO/$IMAGE_TAG" + IMAGE_NAME="petclinic-app:${{ github.run_number }}" + REMOTE_TAG="$JF_HOST/$DOCKER_REPO/$IMAGE_NAME" - # 4. Perform the Tag and Push - docker tag "petclinic-app:${{ github.run_number }}" "$REMOTE_TAG" + # Tag, Push, and Publish Build Info + docker tag "$IMAGE_NAME" "$REMOTE_TAG" - # Use the 'jf' command which handles OIDC authentication automatically - jf docker push "$REMOTE_TAG" --build-name=petclinic --build-number=${{ github.run_number }} + jf docker push "$REMOTE_TAG" --build-name=petclinic-trial --build-number=${{ github.run_number }} - # 5. Publish Build Info for full traceability - jf rt bp petclinic ${{ github.run_number }} + jf rt bp petclinic-trial ${{ github.run_number }} From 18388c7fc9a4efe4b2805c6f27fc8f5da65bd8fb Mon Sep 17 00:00:00 2001 
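Review bot: This hunk removes the empty-hostname guard, so if `JF_URL` is unset the step continues with `REMOTE_TAG="/docker-local/petclinic-app:N"` and fails later in `docker tag`/`jf docker push` with a far less obvious error; keep `if [ -z "$JF_HOST" ]; then echo "::error::JF_URL is empty"; exit 1; fi` after the `sed`. `${{ secrets.JF_URL }}` is again expanded into the shell text rather than passed via the step's `env:` and read as `"$JF_URL"`. The step renamed to "Publish to JFrog" now performs both an image push and a build-info publish; a one-line comment above `jf rt bp petclinic-trial` saying that the build-info is what makes the image appear under Builds would help the next reader, since the earlier comments explaining that were deleted.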
From: nirpel-sys Date: Tue, 20 Jan 2026 14:50:22 +0200 Subject: [PATCH 07/19] Update main.yml Signed-off-by: nirpel-sys --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 45a2456ba..fffd3d83f 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -29,7 +29,7 @@ jobs: JF_URL: ${{ secrets.JF_URL }} with: version: latest - oidc-provider-name: github-oidc-provider + oidc-provider-name: github-oidc oidc-audience: jfrog-github - name: Build and Test From fb49bb063dbaac068a473acd09c9d7f92a49b334 Mon Sep 17 00:00:00 2001 From: nirpel-sys Date: Wed, 21 Jan 2026 12:13:19 +0200 Subject: [PATCH 08/19] Create Petclinic2Artifactory Signed-off-by: nirpel-sys --- .github/workflows/Petclinic2Artifactory | 64 +++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 .github/workflows/Petclinic2Artifactory diff --git a/.github/workflows/Petclinic2Artifactory b/.github/workflows/Petclinic2Artifactory new file mode 100644 index 000000000..e07ba8d19 --- /dev/null +++ b/.github/workflows/Petclinic2Artifactory 
@@ -0,0 +1,64 @@ +name: PetClinic to Artifactory + +on: + push: + branches: [ "main" ] + pull_request: # Added to allow Frogbot to scan incoming PRs + workflow_dispatch: + +jobs: + build-and-publish: + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + pull-requests: write # Required for Frogbot to comment on PRs + security-events: write + + steps: + - name: Checkout Code + uses: actions/checkout@v4 + + - name: Set up JDK 17 + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + cache: 'maven' + + - name: Set up JFrog CLI + uses: jfrog/setup-jfrog-cli@v4 + env: + JF_URL: ${{ secrets.JF_URL }} + with: + version: latest + oidc-provider-name: github-oidc + oidc-audience: jfrog-github + + # --- START FROGBOT SCAN --- + - name: Frogbot Scan + uses: jfrog/frogbot@v2 + env: + JF_URL: ${{ secrets.JF_URL }} + # Frogbot uses the OIDC configuration from the setup-jfrog-cli step + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # --- END FROGBOT SCAN --- + + - name: Build and Test + run: ./mvnw clean test + + - name: Build Docker Image + run: | + ./mvnw spring-boot:build-image \ + -Dspring-boot.build-image.imageName=petclinic-app:${{ github.run_number }} + + - name: Publish to JFrog + run: | + JF_HOST=$(echo "${{ secrets.JF_URL }}" | sed 's|https://||' | sed 's|/||g') + DOCKER_REPO="docker-local" + IMAGE_NAME="petclinic-app:${{ github.run_number }}" + REMOTE_TAG="$JF_HOST/$DOCKER_REPO/$IMAGE_NAME" + + docker tag "$IMAGE_NAME" "$REMOTE_TAG" + jf docker push "$REMOTE_TAG" --build-name=petclinic-trial --build-number=${{ github.run_number }} + jf rt bp petclinic-trial ${{ github.run_number }} From d99129a9c8d1fb268f694469ba4b67e76f4f94f2 Mon Sep 17 00:00:00 2001 From: nirpel-sys Date: Thu, 22 Jan 2026 11:54:13 +0200 Subject: [PATCH 09/19] Rename Petclinic2Artifactory to Petclinic CI 
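Review bot: The new file `.github/workflows/Petclinic2Artifactory` has no `.yml`/`.yaml` extension, and GitHub only loads workflow files with one of those, so as committed nothing in this hunk — including the Frogbot scan — will run; rename it (e.g. `petclinic-ci.yml`) and reconcile it with `main.yml`, which keeps the same `push`/`workflow_dispatch` triggers and would otherwise publish the same image twice per push. `security-events: write` is granted but no step uploads SARIF or code-scanning results, so drop it to keep the job least-privilege; `pull-requests: write` is needed only by the Frogbot step. On `pull_request` runs from forks the token is read-only and, presumably, no OIDC token is issued, so the Frogbot and publish steps will fail for those PRs — acceptable if intended, but worth an `if:` guard or a comment on the trigger. `${{ secrets.JF_URL }}` is once more interpolated into the `run:` script instead of being read from `env:`.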
Signed-off-by: nirpel-sys --- .github/workflows/{Petclinic2Artifactory => Petclinic CI} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename .github/workflows/{Petclinic2Artifactory => Petclinic CI} (98%) diff --git a/.github/workflows/Petclinic2Artifactory b/.github/workflows/Petclinic CI similarity index 98% rename from .github/workflows/Petclinic2Artifactory rename to .github/workflows/Petclinic CI index e07ba8d19..b04ba24cf 100644 --- a/.github/workflows/Petclinic2Artifactory +++ b/.github/workflows/Petclinic CI @@ -1,4 +1,4 @@ -name: PetClinic to Artifactory +name: PetClinic CI on: push: From dd9b2f6ac35810ff02a255d82886c09a03d53bf7 Mon Sep 17 00:00:00 2001 From: nirpel-sys Date: Fri, 30 Jan 2026 15:49:52 +0200 Subject: [PATCH 10/19] Add files via upload Signed-off-by: nirpel-sys --- .../workflows/frogbot-scan-pull-request.yaml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .github/workflows/frogbot-scan-pull-request.yaml diff --git a/.github/workflows/frogbot-scan-pull-request.yaml b/.github/workflows/frogbot-scan-pull-request.yaml new file mode 100644 index 000000000..680d083d7 --- /dev/null +++ b/.github/workflows/frogbot-scan-pull-request.yaml @@ -0,0 +1,30 @@ +name: "Frogbot Scan Pull Request" +on: + pull_request_target: + types: [opened, synchronize] +permissions: + pull-requests: write + contents: read + id-token: write +jobs: + scan-pull-request: + runs-on: ubuntu-latest + steps: + - uses: jfrog/frogbot@v2 + env: + # [Mandatory] + JF_URL: ${{ secrets.JF_URL }} + + # [Mandatory] + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # [Optional] Xray Watches to apply + JF_WATCHES: "build-watch" + + # [Optional] Show all vulnerabilities, not just the ones introduced in the PR + JF_INCLUDE_ALL_VULNERABILITIES: "true" + + # [Mandatory if using OIDC authentication protocol instead of JF_ACCESS_TOKEN] + with: + oidc-provider-name: yanirw/CI-demo@github + From c2a4fe6b959ac7099f288db851be58fc1038bdf6 Mon Sep 17 00:00:00 2001 
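Review bot: This workflow runs on `pull_request_target` with `id-token: write` and a write-capable `GITHUB_TOKEN`, so a pull request from a fork is processed with an OIDC identity that Artifactory trusts; Frogbot's PR scan presumably resolves the PR's dependencies with the project's own build tooling (for Maven, the PR's `pom.xml` and wrapper), which would let untrusted code run with those credentials — confirm against the Frogbot docs for your version. Gate it by placing the job in a protected environment with required reviewers (`environment: frogbot`, as JFrog's published template does) or restrict it to same-repository PRs with `if: github.event.pull_request.head.repo.full_name == github.repository`. `oidc-provider-name: yanirw/CI-demo@github` does not look like a JFrog provider name (the other workflows use `github-oidc`); if it is an identity-mapping subject it belongs on the JFrog side, not here. Pin `jfrog/frogbot@v2` to a commit SHA for the same reason a write token and an OIDC credential are in scope.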
From: nirpel-sys Date: Fri, 30 Jan 2026 16:00:04 +0200 Subject: [PATCH 11/19] Change OIDC provider to github-oidc Updated OIDC provider configuration in workflow. Signed-off-by: nirpel-sys --- .github/workflows/frogbot-scan-pull-request.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/frogbot-scan-pull-request.yaml b/.github/workflows/frogbot-scan-pull-request.yaml index 680d083d7..68ab83e75 100644 --- a/.github/workflows/frogbot-scan-pull-request.yaml +++ b/.github/workflows/frogbot-scan-pull-request.yaml @@ -26,5 +26,8 @@ jobs: # [Mandatory if using OIDC authentication protocol instead of JF_ACCESS_TOKEN] with: - oidc-provider-name: yanirw/CI-demo@github + # oidc-provider-name: yanirw/CI-demo@github + version: latest + oidc-provider-name: github-oidc + oidc-audience: jfrog-github From eb2605ee0e9b16f78bb0aa789ba53adcfb1ad527 Mon Sep 17 00:00:00 2001 From: Nir Peleg Date: Fri, 30 Jan 2026 16:40:08 +0200 Subject: [PATCH 12/19] feature: test change in BaseEntity --- .../springframework/samples/petclinic/model/BaseEntity.java | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/main/java/org/springframework/samples/petclinic/model/BaseEntity.java b/src/main/java/org/springframework/samples/petclinic/model/BaseEntity.java index 6babed56d..eed0cfba2 100644 --- a/src/main/java/org/springframework/samples/petclinic/model/BaseEntity.java +++ b/src/main/java/org/springframework/samples/petclinic/model/BaseEntity.java @@ -48,4 +48,8 @@ public class BaseEntity implements Serializable { return this.id == null; } + public void helloWorld() { + System.out.println("Hello World!"); + } + } From 315856be93675243c410fe6efa0b6c004e6a1cf0 Mon Sep 17 00:00:00 2001 
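Review bot: `version: latest` added here makes the Frogbot step fetch whatever JFrog CLI release is current at run time, in a job that holds an Artifactory OIDC credential and a write `GITHUB_TOKEN`; pin it to the release you validated (`version: "<x.y.z>"`). The commented-out line `# oidc-provider-name: yanirw/CI-demo@github` is dead configuration in a committed workflow — remove it and record the old provider name in the commit message, which already says the provider changed.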
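Review bot: `helloWorld()` writes to `System.out` from the JPA base class that every entity inherits, and the commit message says it is a test change to exercise the pipeline; it should not land on `main`, and a comment-only change or a test-scoped class is a safer way to trigger CI. If it must stay, prefer the project's logging facility over `System.out.println` and add a Javadoc line stating it is a pipeline-smoke-test hook. The enclosing `BaseEntity` class starts outside the hunk.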
From: Nir Peleg Date: Sat, 31 Jan 2026 15:36:29 +0200 Subject: [PATCH 13/19] ci: add build-publish-scan workflow (build, publish to Artifactory, Frogbot Xray) --- .github/workflows/build-publish-scan.yml | 80 ++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 .github/workflows/build-publish-scan.yml diff --git a/.github/workflows/build-publish-scan.yml b/.github/workflows/build-publish-scan.yml new file mode 100644 index 000000000..63a297453 --- /dev/null +++ b/.github/workflows/build-publish-scan.yml 
@@ -0,0 +1,80 @@ +name: build-publish-scan + +on: + push: + branches: + - feature/test-change + workflow_dispatch: {} + +permissions: + contents: read + pull-requests: write + +jobs: + build-publish: + name: Build and Publish + runs-on: ubuntu-latest + strategy: + matrix: + java: [ '17' ] + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up JDK ${{ matrix.java }} + uses: actions/setup-java@v4 + with: + java-version: ${{ matrix.java }} + distribution: temurin + cache: maven + + - name: Build with Maven + run: ./mvnw -B -DskipTests package + + - name: Set up JFrog CLI + uses: jfrog/setup-jfrog-cli@v2 + with: + version: latest + + - name: Configure JFrog CLI + env: + JF_URL: ${{ secrets.JF_URL }} + JF_USER: ${{ secrets.JF_USER }} + JF_PASSWORD: ${{ secrets.JF_PASSWORD }} + run: | + jfrog rt config --url "$JF_URL" --user "$JF_USER" --password "$JF_PASSWORD" --interactive=false + + - name: Publish artifact to Artifactory + env: + JF_REPO: ${{ secrets.JF_REPO }} + run: | + # Upload built artifacts (adjust path/pattern if needed) + jfrog rt u "target/*.jar" "$JF_REPO/{{ github.repository }}-${{ github.run_number }}/" --flat=false + # Publish build-info so Xray can scan the published build + jfrog rt bp build-publish-scan ${{ github.run_number }} + + frogbot-scan: + name: Run Frogbot Xray Scan + needs: build-publish + runs-on: ubuntu-latest + steps: + - name: Run Frogbot + uses: jfrog/frogbot@v2 + env: + # Mandatory: JFrog platform URL + JF_URL: ${{ secrets.JF_URL }} + + # Mandatory: token to allow Frogbot to post PR comments (use built-in GITHUB_TOKEN) + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # Optional: Xray Watches to apply + JF_WATCHES: "build-watch" + + # Optional: Show all vulnerabilities + JF_INCLUDE_ALL_VULNERABILITIES: "true" + + with: + version: latest + oidc-provider-name: github-oidc + oidc-audience: jfrog-github From a1948fb431370995ae8d210c7e4f9e5ff7a41019 Mon Sep 17 00:00:00 2001 
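Review bot: `jfrog rt config --url "$JF_URL" --user "$JF_USER" --password "$JF_PASSWORD"` puts a long-lived password on the command line of a runner process (visible in the process table and any debug output) and introduces static credentials into a repository whose other workflows already authenticate with OIDC; use `jfrog/setup-jfrog-cli@v4` with `oidc-provider-name`/`oidc-audience` and drop `JF_USER`/`JF_PASSWORD`. The top-level `permissions:` has no `id-token: write`, so the `frogbot-scan` job's `oidc-provider-name` cannot obtain a token and that step will fail. In the upload target `"$JF_REPO/{{ github.repository }}-${{ github.run_number }}/"` the first expression is missing its `$` and is uploaded as the literal text `{{ github.repository }}`; `github.repository` also contains a `/`, so once fixed it would nest folders — `${{ github.event.repository.name }}` is the value you want. The JAR published is built with `-DskipTests`, so the artifact that reaches Artifactory is untested; say so in a comment or run the tests first.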
From: Nir Peleg Date: Sat, 31 Jan 2026 16:17:26 +0200 Subject: [PATCH 14/19] modify workflow --- .github/workflows/build-publish-scan.yml | 74 +++++++++--------------- 1 file changed, 27 insertions(+), 47 deletions(-) diff --git a/.github/workflows/build-publish-scan.yml b/.github/workflows/build-publish-scan.yml index 63a297453..8ac50f4cd 100644 --- a/.github/workflows/build-publish-scan.yml +++ b/.github/workflows/build-publish-scan.yml 
@@ -9,72 +9,52 @@ on: permissions: contents: read pull-requests: write + id-token: write # Required for OIDC jobs: - build-publish: - name: Build and Publish + build-publish-scan: # Combined into one job for better OIDC context and speed + name: Build, Publish, and Scan runs-on: ubuntu-latest - strategy: - matrix: - java: [ '17' ] - + steps: - name: Checkout uses: actions/checkout@v4 - - name: Set up JDK ${{ matrix.java }} + - name: Set up JDK 17 uses: actions/setup-java@v4 with: - java-version: ${{ matrix.java }} - distribution: temurin + java-version: '17' + distribution: 'temurin' cache: maven + # 1. Setup CLI with OIDC + - name: Set up JFrog CLI + uses: jfrog/setup-jfrog-cli@v4 # Use v4 for better OIDC support + env: + JF_URL: ${{ secrets.JF_URL }} + with: + oidc-provider-name: github-oidc + oidc-audience: jfrog-github + - name: Build with Maven run: ./mvnw -B -DskipTests package - - name: Set up JFrog CLI - uses: jfrog/setup-jfrog-cli@v2 - with: - version: latest - - - name: Configure JFrog CLI - env: - JF_URL: ${{ secrets.JF_URL }} - JF_USER: ${{ secrets.JF_USER }} - JF_PASSWORD: ${{ secrets.JF_PASSWORD }} - run: | - jfrog rt config --url "$JF_URL" --user "$JF_USER" --password "$JF_PASSWORD" --interactive=false - + # 2. 
Upload using the modern 'jf' command - name: Publish artifact to Artifactory - env: - JF_REPO: ${{ secrets.JF_REPO }} run: | - # Upload built artifacts (adjust path/pattern if needed) - jfrog rt u "target/*.jar" "$JF_REPO/{{ github.repository }}-${{ github.run_number }}/" --flat=false - # Publish build-info so Xray can scan the published build - jfrog rt bp build-publish-scan ${{ github.run_number }} + # Use 'jf rt upload' which uses the OIDC config automatically + jf rt u "target/*.jar" "${{ secrets.JF_REPO }}/${{ github.run_number }}/" --build-name=maven-build --build-number=${{ github.run_number }} + + # Publish Build Info so Xray knows what to scan + jf rt bp maven-build ${{ github.run_number }} - frogbot-scan: - name: Run Frogbot Xray Scan - needs: build-publish - runs-on: ubuntu-latest - steps: - - name: Run Frogbot + # 3. Trigger the Scan via Frogbot + - name: Run Frogbot Scan uses: jfrog/frogbot@v2 env: - # Mandatory: JFrog platform URL JF_URL: ${{ secrets.JF_URL }} - - # Mandatory: token to allow Frogbot to post PR comments (use built-in GITHUB_TOKEN) JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - # Optional: Xray Watches to apply - JF_WATCHES: "build-watch" - - # Optional: Show all vulnerabilities - JF_INCLUDE_ALL_VULNERABILITIES: "true" - + # Frogbot will pick up the OIDC configuration from the 'with' block below with: - version: latest - oidc-provider-name: github-oidc - oidc-audience: jfrog-github + oidc-provider-name: github-oidc + oidc-audience: jfrog-github \ No newline at end of file From 17c918668a9d5a96a6acf3abf659d93a1780f8f0 Mon Sep 17 00:00:00 2001 From: Nir Peleg Date: Sat, 31 Jan 2026 16:23:48 +0200 Subject: [PATCH 15/19] Fix upload step --- .../workflows/frogbot-scan-pull-request.yaml | 86 +++++++++++++------ 1 file changed, 62 insertions(+), 24 deletions(-) diff --git a/.github/workflows/frogbot-scan-pull-request.yaml b/.github/workflows/frogbot-scan-pull-request.yaml index 68ab83e75..1e566ad1d 100644 
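Review bot: `jf rt u "target/*.jar" "${{ secrets.JF_REPO }}/${{ github.run_number }}/"` expands a secret into the shell script text again; a repository key is not a secret, and keeping it in `secrets` only causes GitHub to mask that string wherever it appears in logs (every path containing it), so move it to a plain job `env:` value and reference `"$JF_REPO/$BUILD_NUMBER/"`. The Frogbot step now runs on a `push` event rather than a pull request; on non-PR events Frogbot presumably falls back to its repository-scan mode, which opens fix pull requests and needs to push branches — with `contents: read` that write will fail, so either add a PR trigger or confirm the mode you intend. `JF_WATCHES: "build-watch"` and `JF_INCLUDE_ALL_VULNERABILITIES` were dropped silently in the merge; restore them or note the change in the commit message. The file now ends without a trailing newline.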
--- a/.github/workflows/frogbot-scan-pull-request.yaml +++ b/.github/workflows/frogbot-scan-pull-request.yaml 
@@ -1,33 +1,71 @@ -name: "Frogbot Scan Pull Request" +name: build-publish-scan + on: - pull_request_target: - types: [opened, synchronize] + push: + branches: + - feature/test-change + workflow_dispatch: {} + permissions: - pull-requests: write contents: read - id-token: write + pull-requests: write + id-token: write # Required for OIDC authentication + jobs: - scan-pull-request: + build-and-scan: + name: Build, Publish, and Scan runs-on: ubuntu-latest + + # Setting environment variables at the job level for consistency + env: + JF_URL: ${{ secrets.JF_URL }} + JF_REPO: ${{ secrets.JF_REPO }} + BUILD_NAME: "maven-build-scan" + BUILD_NUMBER: ${{ github.run_number }} + steps: - - uses: jfrog/frogbot@v2 - env: - # [Mandatory] - JF_URL: ${{ secrets.JF_URL }} + - name: Checkout Code + uses: actions/checkout@v4 - # [Mandatory] - JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - # [Optional] Xray Watches to apply - JF_WATCHES: "build-watch" - - # [Optional] Show all vulnerabilities, not just the ones introduced in the PR - JF_INCLUDE_ALL_VULNERABILITIES: "true" - - # [Mandatory if using OIDC authentication protocol instead of JF_ACCESS_TOKEN] + - name: Set up JDK 17 + uses: actions/setup-java@v4 with: - # oidc-provider-name: yanirw/CI-demo@github - version: latest - oidc-provider-name: github-oidc - oidc-audience: jfrog-github + java-version: '17' + distribution: 'temurin' + cache: maven + # 1. Setup JFrog CLI using OIDC + - name: Set up JFrog CLI + uses: jfrog/setup-jfrog-cli@v4 + with: + oidc-provider-name: github-oidc + oidc-audience: jfrog-github + + - name: Build with Maven + run: ./mvnw -B -DskipTests package + + # 2. Upload Artifacts (Fixes the 405 error by using clean paths) + - name: Publish artifact to Artifactory + run: | + # Note: Ensure JF_URL does not have a trailing slash or '/artifactory' + jf rt upload "target/*.jar" "${{ env.JF_REPO }}/" \ + --build-name="${{ env.BUILD_NAME }}" \ + --build-number="${{ env.BUILD_NUMBER }}" \ + --flat=false + + # 3. 
Publish Build Info (Tells Xray exactly what to scan) + - name: Publish Build Info + run: | + jf rt build-collect-env ${{ env.BUILD_NAME }} ${{ env.BUILD_NUMBER }} + jf rt bp ${{ env.BUILD_NAME }} ${{ env.BUILD_NUMBER }} + + # 4. Trigger Frogbot Scan + # This will scan the PR/Branch and post security findings + - name: Run Frogbot Scan + uses: jfrog/frogbot@v2 + env: + JF_URL: ${{ env.JF_URL }} + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + oidc-provider-name: github-oidc + oidc-audience: jfrog-github \ No newline at end of file From 9ea7e19bf810f423436479add0ec6e00bb45176a Mon Sep 17 00:00:00 2001 From: Nir Peleg Date: Sat, 31 Jan 2026 16:29:57 +0200 Subject: [PATCH 16/19] Fix upload artifacts --- .github/workflows/frogbot-scan-pull-request.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/frogbot-scan-pull-request.yaml b/.github/workflows/frogbot-scan-pull-request.yaml index 1e566ad1d..a5e0a6e61 100644 --- a/.github/workflows/frogbot-scan-pull-request.yaml +++ b/.github/workflows/frogbot-scan-pull-request.yaml @@ -47,8 +47,10 @@ jobs: # 2. Upload Artifacts (Fixes the 405 error by using clean paths) - name: Publish artifact to Artifactory run: | - # Note: Ensure JF_URL does not have a trailing slash or '/artifactory' - jf rt upload "target/*.jar" "${{ env.JF_REPO }}/" \ + # We use jf rt upload. + # The target path should be: REPO_NAME/FOLDER_NAME/ + # If JF_REPO is "maven-dev-local", this uploads to maven-dev-local/builds/3/ + jf rt upload "target/*.jar" "${{ secrets.JF_REPO }}/builds/${{ github.run_number }}/" \ --build-name="${{ env.BUILD_NAME }}" \ --build-number="${{ env.BUILD_NUMBER }}" \ --flat=false From 5c9295b665aa62a45717193afbeded0cc6d2eef5 Mon Sep 17 00:00:00 2001 From: Nir Peleg Date: Sat, 31 Jan 2026 17:08:15 +0200 Subject: [PATCH 17/19] Fix upload artifacts to the maven-repo --- .github/workflows/build-publish-scan.yml | 41 +++++++++++++++--------- 1 file changed, 25 insertions(+), 16 deletions(-) 
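Review bot: This hunk replaces the `pull_request_target` PR scan with a second copy of `build-publish-scan` — same `name:`, same `push` trigger on `feature/test-change`, same upload and Frogbot steps — so every push now runs two near-identical jobs that both publish JARs to `JF_REPO` (under build names `maven-build-scan` and `maven-build`), and no workflow scans pull requests any more. If the PR scan is no longer wanted, delete this file instead; otherwise keep the PR trigger here and leave building and publishing to `build-publish-scan.yml`. The file name `frogbot-scan-pull-request.yaml` no longer describes its content. The job-level `env:` carrying `JF_URL: ${{ secrets.JF_URL }}` and the upload step using `${{ env.JF_REPO }}` rather than the secret are the right pattern; `"$JF_REPO/"` in the script would avoid template expansion into shell text entirely.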
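Review bot: `"${{ secrets.JF_REPO }}/builds/${{ github.run_number }}/"` re-expands the secret into the script text although the job already exposes it as `JF_REPO` through `env:`, so the target should be `"$JF_REPO/builds/$BUILD_NUMBER/"` — quoted shell variables, no template expression — which also keeps it consistent with the `--build-name`/`--build-number` flags directly below that read `env`. The comment `# If JF_REPO is "maven-dev-local", this uploads to maven-dev-local/builds/3/` hard-codes an example run number and repo that do not match the configured values; `builds/<run_number>/` reads better and will not go stale.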
diff --git a/.github/workflows/build-publish-scan.yml b/.github/workflows/build-publish-scan.yml index 8ac50f4cd..40374550e 100644 --- a/.github/workflows/build-publish-scan.yml +++ b/.github/workflows/build-publish-scan.yml @@ -9,15 +9,21 @@ on: permissions: contents: read pull-requests: write - id-token: write # Required for OIDC + id-token: write # Required for OIDC handshake jobs: - build-publish-scan: # Combined into one job for better OIDC context and speed + build-and-scan: name: Build, Publish, and Scan runs-on: ubuntu-latest + env: + JF_URL: ${{ secrets.JF_URL }} + JF_REPO: "maven-repo" # Using your newly created repo + BUILD_NAME: "spring-petclinic-build" + BUILD_NUMBER: ${{ github.run_number }} + steps: - - name: Checkout + - name: Checkout Code uses: actions/checkout@v4 - name: Set up JDK 17 
@@ -27,34 +33,37 @@ jobs: distribution: 'temurin' cache: maven - # 1. Setup CLI with OIDC + # 1. Setup JFrog CLI with OIDC - name: Set up JFrog CLI - uses: jfrog/setup-jfrog-cli@v4 # Use v4 for better OIDC support - env: - JF_URL: ${{ secrets.JF_URL }} + uses: jfrog/setup-jfrog-cli@v4 with: oidc-provider-name: github-oidc oidc-audience: jfrog-github + # 2. Build Project - name: Build with Maven run: ./mvnw -B -DskipTests package - # 2. Upload using the modern 'jf' command + # 3. Publish Artifact (Fixes the 405 error by using the explicit repo key) - name: Publish artifact to Artifactory run: | - # Use 'jf rt upload' which uses the OIDC config automatically - jf rt u "target/*.jar" "${{ secrets.JF_REPO }}/${{ github.run_number }}/" --build-name=maven-build --build-number=${{ github.run_number }} - - # Publish Build Info so Xray knows what to scan - jf rt bp maven-build ${{ github.run_number }} + jf rt upload "target/*.jar" "${{ env.JF_REPO }}/petclinic/${{ env.BUILD_NUMBER }}/" \ + --build-name="${{ env.BUILD_NAME }}" \ + --build-number="${{ env.BUILD_NUMBER }}" \ + --flat=false - # 3. Trigger the Scan via Frogbot + # 4. Publish Build Info (Required for Xray to scan the build) + - name: Publish Build Info + run: | + jf rt build-collect-env ${{ env.BUILD_NAME }} ${{ env.BUILD_NUMBER }} + jf rt bp ${{ env.BUILD_NAME }} ${{ env.BUILD_NUMBER }} + + # 5. Run Frogbot Xray Scan - name: Run Frogbot Scan uses: jfrog/frogbot@v2 env: - JF_URL: ${{ secrets.JF_URL }} + JF_URL: ${{ env.JF_URL }} JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # Frogbot will pick up the OIDC configuration from the 'with' block below with: oidc-provider-name: github-oidc oidc-audience: jfrog-github \ No newline at end of file From a65da200bf60ee3d40e8c5a05c81a659d5f3fd58 Mon Sep 17 00:00:00 2001 From: Nir Peleg Date: Sat, 31 Jan 2026 17:26:50 +0200 Subject: [PATCH 18/19] test --- .github/workflows/build-publish-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
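Review bot: `jf rt build-collect-env` records the runner's environment variables into the build-info that `jf rt bp` publishes, so anything in this job's environment not covered by the CLI's default exclusion patterns (documented as names matching `*password*;*psw*;*secret*;*key*;*token*;*auth*` — verify for the CLI version actually installed, which is unpinned here) becomes readable by everyone who can view the build in Artifactory; `JF_URL` and the runner paths will be among them. Either pass `--env-exclude` with a stricter pattern or drop `build-collect-env` if the environment is not needed for traceability, and put a one-line comment above it stating what it captures. `${{ env.JF_REPO }}` in the `run:` script works, but `"$JF_REPO/petclinic/$BUILD_NUMBER/"` avoids template expansion into shell text altogether. The Frogbot step is still driven by a `push` trigger with `contents: read`, so confirm the scan mode it selects there can complete with that token.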
diff --git a/.github/workflows/build-publish-scan.yml b/.github/workflows/build-publish-scan.yml index 40374550e..b82222004 100644 --- a/.github/workflows/build-publish-scan.yml +++ b/.github/workflows/build-publish-scan.yml @@ -18,7 +18,7 @@ jobs: env: JF_URL: ${{ secrets.JF_URL }} - JF_REPO: "maven-repo" # Using your newly created repo + JF_REPO: "maven-repo-virtual" # Using your newly created repo BUILD_NAME: "spring-petclinic-build" BUILD_NUMBER: ${{ github.run_number }} From 0213a72b79b10f73fea872eb95dcd513d9a3d9e5 Mon Sep 17 00:00:00 2001 From: Nir Peleg Date: Sat, 31 Jan 2026 17:56:36 +0200 Subject: [PATCH 19/19] Fix upload artifacts to the maven-repo --- .github/workflows/build-publish-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-publish-scan.yml b/.github/workflows/build-publish-scan.yml index b82222004..40374550e 100644 --- a/.github/workflows/build-publish-scan.yml +++ b/.github/workflows/build-publish-scan.yml @@ -18,7 +18,7 @@ jobs: env: JF_URL: ${{ secrets.JF_URL }} - JF_REPO: "maven-repo-virtual" # Using your newly created repo + JF_REPO: "maven-repo" # Using your newly created repo BUILD_NAME: "spring-petclinic-build" BUILD_NUMBER: ${{ github.run_number }}