feat: put packet writing behind debug env var, pin workflow steps, rename api->dashboard

- instead of writing push request bodies to files based on logging level set to DEBUG (we want
  to continue using debug logs for troubleshooting separately), expose an env var (`GITPROXY_DEBUG_PACKET`)
  to enable writing request bodies to disk. This was useful during early iteration but in general is
  discouraged from use unless necessary for tracing network problems or inspecting payloads for
  development purposes.
- enhance the client test scripts to pass in the git repo, git user & password (don't assume my local
  setup) so that the tests can be ran on any arbitrary repo & credentials
- rename the jgit-proxy-api module to "jgit-proxy-dashboard" to align more with what its used for
- update hard-coded commitconfig with generic example.com git user email instead of my personal
  ones

Author: coopernetes

.github/workflows/ci.yml

@@ -10,9 +10,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
 
-      - uses: actions/setup-java@v4
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # ratchet:actions/setup-java@v5
         with:
           distribution: temurin
           java-version: 21
@@ -23,7 +23,7 @@ jobs:
 
       - name: Publish test results
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # ratchet:actions/upload-artifact@v7
         with:
           name: test-reports
           path: "**/build/reports/tests/test/"
@@ -39,9 +39,9 @@ jobs:
       github.event_name == 'pull_request'
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
 
-      - uses: actions/setup-java@v4
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # ratchet:actions/setup-java@v5
         with:
           distribution: temurin
           java-version: 21
@@ -52,7 +52,7 @@ jobs:
 
       - name: Publish e2e test results
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # ratchet:actions/upload-artifact@v7
         with:
           name: e2e-test-reports
           path: "jgit-proxy-server/build/reports/tests/e2eTest/"

.github/workflows/cve.yml

@@ -0,0 +1,33 @@
+name: CVE Scanning
+
+on:
+  push:
+
+jobs:
+  depcheck:
+    runs-on: ubuntu-latest
+    name: depecheck
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
+      - name: Build project with Gradle
+        run: ./gradlew clean build
+      - name: Depcheck
+        uses: dependency-check/Dependency-Check_Action@1e54355a8b4c8abaa8cc7d0b70aa655a3bb15a6c
+        id: Depcheck
+        with:
+          project: 'jgit-proxy'
+          path: '.'
+          format: 'HTML'
+          out: 'reports' # this is the default, no need to specify unless you wish to override it
+          args: >
+            --suppression ./gradle/allow-list.xml
+            --failOnCVSS 5
+            --enableRetired
+
+      - name: Upload Test results
+        if: ${{ always() }}
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # ratchet:actions/upload-artifact@v7
+        with:
+          name: Depcheck report
+          path: ${{ github.workspace }}/reports

jgit-proxy-core/src/main/java/org/finos/gitproxy/servlet/filter/ParseGitRequestFilter.java

@@ -99,7 +99,7 @@ public GitRequestDetails parse(RequestBodyWrapper request) {
                 gr.setCommitFrom(pushInfo.getOldCommit());
                 gr.setCommitTo(pushInfo.getNewCommit());
 
-                if (log.isDebugEnabled()) {
+                if (null != System.getenv("GITPROXY_DEBUG_PACKET")) {
                     logPushDetails(gr.getId(), packetLine, packData);
                 }
             } catch (IOException e) {

jgit-proxy-api/build.gradle jgit-proxy-dashboard/build.gradlejgit-proxy-api/build.gradle renamed to jgit-proxy-dashboard/build.gradle

@@ -16,7 +16,7 @@ java {
 }
 
 application {
-    mainClass = 'org.finos.gitproxy.api.GitProxyWithDashboardApplication'
+    mainClass = 'org.finos.gitproxy.dashboard.GitProxyWithDashboardApplication'
     applicationDefaultJvmArgs = ["-Djgitproxy.pidfile=${buildDir}/jgit-proxy.pid"]
 }
 

…pi/GitProxyWithDashboardApplication.java …rd/GitProxyWithDashboardApplication.javajgit-proxy-api/src/main/java/org/finos/gitproxy/api/GitProxyWithDashboardApplication.java renamed to jgit-proxy-dashboard/src/main/java/org/finos/gitproxy/dashboard/GitProxyWithDashboardApplication.java jgit-proxy-api/src/main/java/org/finos/gitproxy/api/GitProxyWithDashboardApplication.java renamed to jgit-proxy-dashboard/src/main/java/org/finos/gitproxy/dashboard/GitProxyWithDashboardApplication.java

@@ -1,4 +1,4 @@
-package org.finos.gitproxy.api;
+package org.finos.gitproxy.dashboard;
 
 import java.nio.file.Files;
 import java.util.List;
@@ -41,7 +41,7 @@ public static void main(String[] args) throws Exception {
         var configBuilder = new JettyConfigurationBuilder(configLoader);
 
         var threadPool = new QueuedThreadPool();
-        threadPool.setName("jgit-proxy-api");
+        threadPool.setName("jgit-proxy-dashboard");
 
         var server = new Server(threadPool);
         var connector = new ServerConnector(server);

…/finos/gitproxy/api/SpringWebConfig.java …/gitproxy/dashboard/SpringWebConfig.javajgit-proxy-api/src/main/java/org/finos/gitproxy/api/SpringWebConfig.java renamed to jgit-proxy-dashboard/src/main/java/org/finos/gitproxy/dashboard/SpringWebConfig.java jgit-proxy-api/src/main/java/org/finos/gitproxy/api/SpringWebConfig.java renamed to jgit-proxy-dashboard/src/main/java/org/finos/gitproxy/dashboard/SpringWebConfig.java

@@ -1,4 +1,4 @@
-package org.finos.gitproxy.api;
+package org.finos.gitproxy.dashboard;
 
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.databind.SerializationFeature;
@@ -17,7 +17,7 @@
 
 @Configuration
 @EnableWebMvc
-@ComponentScan("org.finos.gitproxy.api.controller")
+@ComponentScan("org.finos.gitproxy.dashboard.controller")
 public class SpringWebConfig implements WebMvcConfigurer {
 
     @Override

…oxy/api/controller/HealthController.java …shboard/controller/HealthController.javajgit-proxy-api/src/main/java/org/finos/gitproxy/api/controller/HealthController.java renamed to jgit-proxy-dashboard/src/main/java/org/finos/gitproxy/dashboard/controller/HealthController.java jgit-proxy-api/src/main/java/org/finos/gitproxy/api/controller/HealthController.java renamed to jgit-proxy-dashboard/src/main/java/org/finos/gitproxy/dashboard/controller/HealthController.java

@@ -1,4 +1,4 @@
-package org.finos.gitproxy.api.controller;
+package org.finos.gitproxy.dashboard.controller;
 
 import java.time.Instant;
 import java.util.Map;

…y/api/controller/ProviderController.java …board/controller/ProviderController.javajgit-proxy-api/src/main/java/org/finos/gitproxy/api/controller/ProviderController.java renamed to jgit-proxy-dashboard/src/main/java/org/finos/gitproxy/dashboard/controller/ProviderController.java jgit-proxy-api/src/main/java/org/finos/gitproxy/api/controller/ProviderController.java renamed to jgit-proxy-dashboard/src/main/java/org/finos/gitproxy/dashboard/controller/ProviderController.java

@@ -1,10 +1,8 @@
-package org.finos.gitproxy.api.controller;
+package org.finos.gitproxy.dashboard.controller;
 
 import jakarta.annotation.Resource;
 import java.util.List;
-
 import org.finos.gitproxy.config.ProviderConfigurationSource;
-import org.finos.gitproxy.provider.GitProxyProvider;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -26,6 +24,5 @@ public List<ProviderInfo> list() {
                 .toList();
     }
 
-    public record ProviderInfo(
-            String name, String uri, String host, String pushPath, String proxyPath) {}
+    public record ProviderInfo(String name, String uri, String host, String pushPath, String proxyPath) {}
 }

…proxy/api/controller/PushController.java …dashboard/controller/PushController.javajgit-proxy-api/src/main/java/org/finos/gitproxy/api/controller/PushController.java renamed to jgit-proxy-dashboard/src/main/java/org/finos/gitproxy/dashboard/controller/PushController.java jgit-proxy-api/src/main/java/org/finos/gitproxy/api/controller/PushController.java renamed to jgit-proxy-dashboard/src/main/java/org/finos/gitproxy/dashboard/controller/PushController.java

@@ -1,4 +1,4 @@
-package org.finos.gitproxy.api.controller;
+package org.finos.gitproxy.dashboard.controller;
 
 import java.util.List;
 import java.util.Map;