From 33c44b571684000eb9fae0243a34723e48b3fc30 Mon Sep 17 00:00:00 2001 From: Max Kadel Date: Mon, 8 Jun 2026 13:56:15 +0200 Subject: [PATCH 1/7] Update to use new github actions - Use web image for docker-compose - Build solr image in Dockerfile - Symlink whole solr directory from hyrax-webapp --- .github/workflows/build-test-lint.yaml | 17 +++++++++++------ .github/workflows/deploy.yaml | 2 +- Dockerfile | 10 +++++++++- docker-compose.yml | 4 ++-- solr | 1 + solr/security.json | 1 - 6 files changed, 24 insertions(+), 11 deletions(-) create mode 120000 solr delete mode 120000 solr/security.json diff --git a/.github/workflows/build-test-lint.yaml b/.github/workflows/build-test-lint.yaml index 9b982ee..97c1407 100644 --- a/.github/workflows/build-test-lint.yaml +++ b/.github/workflows/build-test-lint.yaml @@ -22,23 +22,28 @@ on: jobs: build: - uses: notch8/actions/.github/workflows/build.yaml@v1.0.7 + permissions: write-all + uses: notch8/actions/.github/workflows/build.yaml@v1.0.9 secrets: inherit with: + components: '["web","worker","solr"]' webTarget: hyku-web workerTarget: hyku-worker test: needs: build - uses: notch8/actions/.github/workflows/test.yaml@v1.0.7 + uses: notch8/actions/.github/workflows/test.yaml@v1.0.9 with: confdir: '/app/samvera/hyrax-webapp/solr/conf' rspec_cmd: "cd .. && gem install semaphore_test_boosters && bundle && rspec_booster --job $CI_NODE_INDEX/$CI_NODE_TOTAL" lint: needs: build - uses: notch8/actions/.github/workflows/lint.yaml@v1.0.7 + uses: notch8/actions/.github/workflows/lint.yaml@v1.0.9 with: - webTarget: hyku-web - workerTarget: hyku-worker - rubocop_cmd: "cd .. && bundle && bundle exec rubocop --parallel --format progress --format junit --out rubocop.xml" \ No newline at end of file + rubocop_cmd: "cd .. && bundle && bundle exec rubocop --parallel --format progress --format junit --out rubocop.xml" + + reports: + if: always() + needs: [test, lint] + uses: notch8/actions/.github/workflows/report.yaml@v1.0.9 
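Review bot: `permissions: write-all` on the `build` job gives the called workflow's GITHUB_TOKEN write access to every scope, and `secrets: inherit` on the same job passes it every repository secret as well. The job should request only what the build needs, for example `permissions:` with `contents: read` and `packages: write`; build.yaml is not shown here, so confirm the exact scopes against it. The reusable workflows are also referenced by a mutable tag, so whoever can move `v1.0.9` in notch8/actions controls code that runs with those secrets. Pinning as `uses: notch8/actions/.github/workflows/build.yaml@<full-commit-sha> # v1.0.9` removes that dependency, and the same applies to the deploy.yaml, brakeman-audit.yaml and bundler-audit.yaml bumps in this series. The `on:` trigger list sits above the hunk, so which events reach this job cannot be judged from here.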
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index a63463d..3080d9d 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -19,5 +19,5 @@ on: jobs: deploy: - uses: notch8/actions/.github/workflows/deploy.yaml@v1.0.7 + uses: notch8/actions/.github/workflows/deploy.yaml@v1.0.9 secrets: inherit diff --git a/Dockerfile b/Dockerfile index ecb6274..de2de63 100644 --- a/Dockerfile +++ b/Dockerfile @@ -26,4 +26,12 @@ RUN RAILS_ENV=production SECRET_KEY_BASE=`bin/rake secret` DB_ADAPTER=nulldb DB_ CMD ./bin/web FROM hyku-web AS hyku-worker -CMD ./bin/worker \ No newline at end of file +CMD ./bin/worker + +# Use a Solr version with patched Log4j to address CVE-2021-44228 +FROM solr:8.11.2 AS hyku-solr +ENV SOLR_USER="solr" \ + SOLR_GROUP="solr" +USER root +COPY --chown=solr:solr solr/security.json /var/solr/data/security.json +USER $SOLR_USER diff --git a/docker-compose.yml b/docker-compose.yml index 85c8c9e..8598354 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,11 +3,11 @@ x-app: &app context: . target: hyku-web cache_from: - - ghcr.io/notch8/adventist_knapsack:latest + - ghcr.io/notch8/adventist_knapsack/web:latest args: BUILDKIT_INLINE_CACHE: 1 APP_PATH: ./hyrax-webapp - image: ghcr.io/notch8/adventist_knapsack:${TAG:-latest} + image: ghcr.io/notch8/adventist_knapsack/web:${TAG:-latest} env_file: - .env - .env.development diff --git a/solr b/solr new file mode 120000 index 0000000..f4d7d66 --- /dev/null +++ b/solr @@ -0,0 +1 @@ +hyrax-webapp/solr \ No newline at end of file diff --git a/solr/security.json b/solr/security.json deleted file mode 120000 index 52228fd..0000000 --- a/solr/security.json +++ /dev/null @@ -1 +0,0 @@ -../hyrax-webapp/solr/security.json \ No newline at end of file From 3a209730063a4c3c37e296e4c7eadc1c063566fe Mon Sep 17 00:00:00 2001 
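Review bot: `COPY --chown=solr:solr solr/security.json /var/solr/data/security.json` in the new `hyku-solr` stage bakes Solr's authentication config into an image layer that is pushed to the registry. security.json is not shown in this patch, but if it carries the stock credential hashes from hyrax-webapp, every published image ships the same known login. Those credentials are better supplied at deploy time (a mounted secret or an init step) or rotated on first start. The base image is also a mutable tag, and `FROM solr:8.11.2@sha256:<digest> AS hyku-solr` would tie the "patched Log4j" claim in the comment to one specific image. The comment would also be more useful if it said which Log4j version the image carries and where that was checked.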
From: Max Kadel Date: Mon, 8 Jun 2026 13:59:19 +0200 Subject: [PATCH 2/7] Update more actions --- .github/workflows/brakeman-audit.yaml | 4 ++-- .github/workflows/bundler-audit.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/brakeman-audit.yaml b/.github/workflows/brakeman-audit.yaml index b584d85..203c920 100644 --- a/.github/workflows/brakeman-audit.yaml +++ b/.github/workflows/brakeman-audit.yaml @@ -11,7 +11,7 @@ on: jobs: brakeman-audit: - uses: notch8/actions/.github/workflows/brakeman-audit.yaml@v0.0.14 + uses: notch8/actions/.github/workflows/brakeman-audit.yaml@v1.0.9 with: webTarget: hyku-web - tag: latest \ No newline at end of file + tag: latest diff --git a/.github/workflows/bundler-audit.yaml b/.github/workflows/bundler-audit.yaml index 8318b25..9c517e4 100644 --- a/.github/workflows/bundler-audit.yaml +++ b/.github/workflows/bundler-audit.yaml @@ -11,7 +11,7 @@ on: jobs: bundler-audit: - uses: notch8/actions/.github/workflows/bundler-audit.yaml@v0.0.14 + uses: notch8/actions/.github/workflows/bundler-audit.yaml@v1.0.9 with: webTarget: hyku-web - tag: latest \ No newline at end of file + tag: latest From 78dc1cf264f04817ae974dcdf4c889db2db8370b Mon Sep 17 00:00:00 2001 From: Max Kadel Date: Mon, 8 Jun 2026 14:02:32 +0200 Subject: [PATCH 3/7] Fix build step --- .github/workflows/build-test-lint.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/build-test-lint.yaml b/.github/workflows/build-test-lint.yaml index 97c1407..ff41566 100644 --- a/.github/workflows/build-test-lint.yaml +++ b/.github/workflows/build-test-lint.yaml @@ -27,8 +27,6 @@ jobs: secrets: inherit with: components: '["web","worker","solr"]' - webTarget: hyku-web - workerTarget: hyku-worker test: needs: build From d0949fcaa4bc699686f3bf6b958acf1dc40cb40e Mon Sep 17 00:00:00 2001 
From: Max Kadel Date: Mon, 8 Jun 2026 14:18:10 +0200 Subject: [PATCH 4/7] Update production docker to use correct image --- docker-compose.production.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-compose.production.yml b/docker-compose.production.yml index e696b4b..4dfada8 100644 --- a/docker-compose.production.yml +++ b/docker-compose.production.yml @@ -1,6 +1,6 @@ x-app: &app user: root - image: ghcr.io/notch8/adventist_knapsack:${TAG:-latest} + image: ghcr.io/notch8/adventist_knapsack/web:${TAG:-latest} env_file: - .env.production environment: @@ -248,4 +248,4 @@ services: volumes: - /store/keep/redis_data:/data networks: - internal: \ No newline at end of file + internal: From f5437fb3bac70b85f0c3e1ff36944fee420b6667 Mon Sep 17 00:00:00 2001 From: Max Kadel Date: Mon, 8 Jun 2026 14:48:03 +0200 Subject: [PATCH 5/7] Revert solr changes --- .github/workflows/build-test-lint.yaml | 2 +- Dockerfile | 8 -------- solr | 1 - solr/security.json | 1 + 4 files changed, 2 insertions(+), 10 deletions(-) delete mode 120000 solr create mode 120000 solr/security.json diff --git a/.github/workflows/build-test-lint.yaml b/.github/workflows/build-test-lint.yaml index ff41566..6d633ed 100644 --- a/.github/workflows/build-test-lint.yaml +++ b/.github/workflows/build-test-lint.yaml @@ -26,7 +26,7 @@ jobs: uses: notch8/actions/.github/workflows/build.yaml@v1.0.9 secrets: inherit with: - components: '["web","worker","solr"]' + components: '["web","worker"]' test: needs: build diff --git a/Dockerfile b/Dockerfile index de2de63..2a33e25 100644 --- a/Dockerfile +++ b/Dockerfile @@ -27,11 +27,3 @@ CMD ./bin/web FROM hyku-web AS hyku-worker CMD ./bin/worker - -# Use a Solr version with patched Log4j to address CVE-2021-44228 -FROM solr:8.11.2 AS hyku-solr -ENV SOLR_USER="solr" \ - SOLR_GROUP="solr" -USER root -COPY --chown=solr:solr solr/security.json /var/solr/data/security.json -USER $SOLR_USER 
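Review bot: The changed `image:` line in docker-compose.production.yml still falls back to `latest` when TAG is unset, so a production start without TAG silently runs whatever was last pushed to the new `/web` repository. `image: ghcr.io/notch8/adventist_knapsack/web:${TAG:?TAG must be set}` turns that into a hard error. The unchanged `user: root` on the line above means the container starts as root. The rest of the `x-app` anchor is outside the hunk, so whether anything later drops privileges cannot be confirmed from here.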
diff --git a/solr b/solr deleted file mode 120000 index f4d7d66..0000000 --- a/solr +++ /dev/null @@ -1 +0,0 @@ -hyrax-webapp/solr \ No newline at end of file diff --git a/solr/security.json b/solr/security.json new file mode 120000 index 0000000..213b280 --- /dev/null +++ b/solr/security.json @@ -0,0 +1 @@ +hyrax-webapp/solr/security.json \ No newline at end of file From d7ca7fe7ff688f8425a610418ca8d170521f3b77 Mon Sep 17 00:00:00 2001 From: Max Kadel Date: Mon, 8 Jun 2026 16:50:02 +0200 Subject: [PATCH 6/7] Pin gems in bundler.d to keep tests passing --- bundler.d/ci_gem_pins.rb | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 bundler.d/ci_gem_pins.rb diff --git a/bundler.d/ci_gem_pins.rb b/bundler.d/ci_gem_pins.rb new file mode 100644 index 0000000..56ca542 --- /dev/null +++ b/bundler.d/ci_gem_pins.rb @@ -0,0 +1,10 @@ +# frozen_string_literal: true + +# Pin gems that resolve to incompatible versions when bundled from the project +# root (which has no Gemfile.lock). Remove these once upstream Hyku PRs land: +# - blacklight_advanced_search 8.0 adds :facets_for_advanced_search_form to +# the default processor chain, breaking adv_search_builder_spec +# - json 2.13+ raises TypeError on JSON.load(Hash), breaking account_settings +# factory setup in tests +override_gem 'blacklight_advanced_search', '~> 7.0' +ensure_gem 'json', '~> 2.12.2' From d98fe2d1eebe835824997ca03ebffa167acb7db5 Mon Sep 17 00:00:00 2001 From: Max Kadel Date: Mon, 8 Jun 2026 17:46:02 +0200 Subject: [PATCH 7/7] Remove accidentally committed notes --- README.md | 54 ------------------------------------------------------ 1 file changed, 54 deletions(-) diff --git a/README.md b/README.md index 3eccdfa..e2b39d6 100644 --- a/README.md +++ b/README.md 
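Review bot: The recreated `solr/security.json` symlink has the target `hyrax-webapp/solr/security.json`, which resolves relative to the `solr/` directory and so points at `solr/hyrax-webapp/solr/security.json`. The link deleted in PATCH 1/7 pointed at `../hyrax-webapp/solr/security.json` and had a different blob id (52228fd against 213b280), so this revert does not restore the original. If the link dangles, anything that mounts or copies `solr/security.json` will either fail or, depending on how it is consumed (not shown in this patch), bring Solr up without its authentication config. The target should be `../hyrax-webapp/solr/security.json`.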
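Review bot: `ensure_gem 'json', '~> 2.12.2'` in bundler.d/ci_gem_pins.rb holds json below 2.13, and nothing in the file limits it to CI despite the name, so as far as this file shows the pin applies to every bundle that loads bundler.d. Later json releases, including any security fixes, will not be picked up until someone removes it. The header comment gives the conditions for removal but no upstream reference, and a line such as `# Tracking: <upstream PR URL>` per pin would make that auditable. The comment also says the project root has no Gemfile.lock, which means the remaining gems float between builds and the bundler-audit results are not reproducible; that is worth fixing at the source instead of pin by pin.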
@@ -241,57 +241,3 @@ Contribution directions go here. ## License The gem is available as open source under the terms of the [Apache 2.0](https://opensource.org/license/apache-2-0/). - - - - - -# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8). -# Do not edit. -# -# This file might be symlinked as /etc/resolv.conf. If you're looking at -# /etc/resolv.conf and seeing this text, you have followed the symlink. -# -# This is a dynamic resolv.conf file for connecting local clients to the -# internal DNS stub resolver of systemd-resolved. This file lists all -# configured search domains. -# -# Run "resolvectl status" to see details about the uplink DNS servers -# currently in use. -# -# Third party programs should typically not access this file directly, but only -# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a -# different way, replace this symlink by a static file or a different symlink. -# -# See man:systemd-resolved.service(8) for details about the supported modes of -# operation for /etc/resolv.conf. - -nameserver 127.0.0.53 -options edns0 trust-ad -search us-east-2.compute.internal - - -root@adl-staging01:~# cat /etc/resolv.conf -# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8). -# Do not edit. -# -# This file might be symlinked as /etc/resolv.conf. If you're looking at -# /etc/resolv.conf and seeing this text, you have followed the symlink. -# -# This is a dynamic resolv.conf file for connecting local clients to the -# internal DNS stub resolver of systemd-resolved. This file lists all -# configured search domains. -# -# Run "resolvectl status" to see details about the uplink DNS servers -# currently in use. -# -# Third party programs should typically not access this file directly, but only -# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a -# different way, replace this symlink by a static file or a different symlink. 
-# -# See man:systemd-resolved.service(8) for details about the supported modes of -# operation for /etc/resolv.conf. - -nameserver 127.0.0.53 -options edns0 trust-ad -search . \ No newline at end of file