snowplow · spenes · Nov 27, 2023 · Nov 22, 2023 · Nov 23, 2023 · Nov 23, 2023
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,123 @@
+name: CI
+
+on:
+  push:
+    tags:
+      - '*'
+    branches:
+      - master
+      - develop
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@v2
+        with:
+          java-version: 11
+          distribution: adopt
+
+      - name: Install LZO
+        run: sudo apt-get install -y lzop liblzo2-dev
+
+      - name: Run tests
+        run: |
+          sbt "project main" test
+          sbt "project lzo" test
+
+      - name: Check formatting
+        run: sbt scalafmtCheck
+
+  publish_docker:
+    needs: test
+    if: startsWith(github.ref, 'refs/tags/')
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        app:
+          - main
+          - lzo
+          - distroless
+        include:
+          - suffix: ""
+          - app: lzo
+            run_snyk: ${{ !contains(github.ref, 'rc') }}
+          - app: distroless
+            run_snyk: ${{ !contains(github.ref, 'rc') }}
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@v2
+        with:
+          java-version: 11
+          distribution: adopt
+
+      - name: Install LZO
+        run: sudo apt-get install -y lzop liblzo2-dev
+
+      - name: Login to Docker Hub
+        run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Publish to Docker Hub
+        run: sbt "project ${{ matrix.app }}" docker:publish
+
+      - name: Build local image, which is needed to run Snyk
+        if: matrix.run_snyk
+        run: sbt "project ${{ matrix.app }}" docker:publishLocal
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/docker@master
+        if: matrix.run_snyk
+        with:
+          image: "snowplow/snowplow-s3-loader:${{ github.ref_name }}-${{ matrix.app }}"
+          args: "--app-vulns --org=data-processing-new"
+          command: monitor
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+  create_release:
+    needs: test
+    if: ${{ startsWith(github.ref, 'refs/tags/') && !contains(github.ref, 'rc') }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@v2
+        with:
+          java-version: 11
+          distribution: adopt
+
+      - name: Install LZO
+        run: sudo apt-get install -y lzop liblzo2-dev
+
+      - name: Build artifacts
+        run: |
+          sbt assembly
+      - name: Get current version
+        id: ver
+        run: |
+          export PROJECT_VERSION=$(sbt version -Dsbt.log.noformat=true | perl -ne 'print "$1\n" if /info.*(\d+\.\d+\.\d+[^\r\n]*)/' | tail -n 1 | tr -d '\n')
+          echo "::set-output name=project_version::$PROJECT_VERSION"
+      - name: Create GitHub release and attach artifacts
+        uses: softprops/action-gh-release@v1
+        with:
+          draft: true
+          prerelease: true
+          name: Version ${{ steps.ver.outputs.project_version }}
+          tag_name: ${{ steps.ver.outputs.project_version }}
+          files: |
+            modules/main/target/scala-2.13/snowplow-s3-loader-${{ steps.ver.outputs.project_version }}.jar
+            modules/lzo/target/scala-2.13/snowplow-s3-loader-lzo-${{ steps.ver.outputs.project_version }}.jar
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
diff --git a/.github/workflows/test_and_publish.yml b/.github/workflows/test_and_publish.yml
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,10 @@
+Version 2.2.8 (2023-11-24)
+--------------------------
+Scan Docker images in Snyk Github action (#285)
+Bump pureconfig to 0.15.0 (#286)
+Bump reload4j to 1.2.22 (#286)
+Bump snappy-java to 1.1.10.4 (#286)
+
 Version 2.2.7 (2023-04-14)
 --------------------------
 Bump sbt-snowplow-release to 0.3.1 (#282)

diff --git a/README.md b/README.md
@@ -45,7 +45,7 @@ limitations under the License.
 [travis-image]: https://travis-ci.org/snowplow/snowplow-s3-loader.png?branch=master
 [travis]: http://travis-ci.org/snowplow/snowplow-s3-loader
 
-[release-image]: http://img.shields.io/badge/release-2.2.7-blue.svg?style=flat
+[release-image]: http://img.shields.io/badge/release-2.2.8-blue.svg?style=flat
 [releases]: https://github.com/snowplow/snowplow-s3-loader/releases
 
 [license-image]: http://img.shields.io/badge/license-Apache--2-blue.svg?style=flat

diff --git a/project/Dependencies.scala b/project/Dependencies.scala
@@ -34,6 +34,8 @@ object Dependencies {
     val collections      = "3.2.2" // Address vulnerability
     val jaxbApi          = "2.3.1"
     val protobuf         = "3.21.12"
+    val reload4j         = "1.2.22" // Address vulnerability
+    val snappyJava       = "1.1.10.4" // Address vulnerability
     // Thrift (test only)
     val collectorPayload = "0.0.0"
     val thrift           = "0.15.0" // Address vulnerabilities
@@ -42,7 +44,7 @@ object Dependencies {
     val circe           = "0.13.0"
     val snowplowTracker = "0.7.0"
     val snowplowBadrows = "2.1.0"
-    val pureconfig      = "0.14.1"
+    val pureconfig      = "0.15.0"
     val igluCore        = "1.0.0"
     // Scala (test only)
     val specs2          = "4.10.5"
@@ -61,6 +63,8 @@ object Dependencies {
     val hadoopMapReduce  = "org.apache.hadoop"                %  "hadoop-mapreduce-client-core" % V.hadoop
     val hadoop           = "org.apache.hadoop"                %  "hadoop-common"                % V.hadoop
     val protobuf         = "com.google.protobuf"              % "protobuf-java"                 % V.protobuf
+    val reload4j         = "ch.qos.reload4j"                  % "reload4j"                      % V.reload4j
+    val snappyJava       = "org.xerial.snappy"                % "snappy-java"                   % V.snappyJava
 
     val collections      = "commons-collections"              % "commons-collections"                % V.collections
     val jaxbApi          = "javax.xml.bind"                   % "jaxb-api"                           % V.jaxbApi       % Runtime
@@ -93,6 +97,8 @@ object Dependencies {
       Libraries.sentry,
       Libraries.jaxbApi,
       Libraries.protobuf,
+      Libraries.reload4j,
+      Libraries.snappyJava,
       // Scala
       Libraries.decline,
       Libraries.circe,