build(deps): allow dependabot to manage container-embedded mysql/postgres driver versions #8302
Open
chadlwilson wants to merge 3 commits into dependency-check:main from
On MacOS /bin/bash is an ancient system bash (3.2) which is largely unusable :) Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
…y to scan Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
…gres driver versions Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
d8f5f70 to d628eb3
Pull request overview
Updates the Docker build/publish tooling so the MySQL/PostgreSQL JDBC driver versions embedded in the container image are sourced from Maven POM properties (so Dependabot can update them), while also modernizing various helper scripts and speeding up Docker CI workflows.
Changes:
- Adds `driver.postgresql.version`/`driver.mysql.version` properties to the parent POM and wires them into core integration-test profiles.
- Updates Docker build/publish scripts + Dockerfile to pass driver versions as build args and download driver jars from a Maven repository path.
- Modernizes multiple shell scripts (`#!/usr/bin/env bash`, strict mode) and tweaks GitHub workflows to build only what’s needed for Docker scan tests.
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `sha256_cli.sh` | Modernizes bash invocation/strict mode for the dependency-check CLI download helper. |
| `release_stats.sh` | Modernizes bash invocation/strict mode for GitHub release stats helper. |
| `publish-docker.sh` | Removed; publishing logic moved to `docker-publish.sh`. |
| `prepare-release.sh` | Uses `mvn help:evaluate` for version extraction; modern shebang/strict mode. |
| `pom.xml` | Introduces POM properties for Postgres/MySQL driver versions. |
| `list-changes.sh` | Modern shebang/strict mode; quotes git revision range. |
| `docker-test.sh` | Modern shebang/strict mode; uses `mvn help:evaluate` for version. |
| `docker-shell.sh` | Modern shebang/strict mode; uses `mvn help:evaluate` for version. |
| `docker-pullcount.sh` | Modern shebang/strict mode for Docker Hub pull count helper. |
| `docker-publish.sh` | New script: publishes multi-arch image using driver versions read from the POM. |
| `docker-build.sh` | Reads version + driver versions from the POM and passes them into the Docker build. |
| `coverity_scan.sh` | Removed legacy Travis/Coverity script. |
| `core/pom.xml` | Uses shared driver version properties for MySQL/Postgres integration-test profiles. |
| `README.md` | Updates docker build instructions to reference `./docker-build.sh`. |
| `Dockerfile` | Removes hardcoded driver versions; downloads driver jars from Maven repo based on build args. |
| `.github/workflows/release.yml` | Switches to new docker scripts and builds only cli module for scan target. |
| `.github/workflows/pull_requests.yml` | Switches to new docker scripts and builds only cli module for scan target. |
| `.github/workflows/build.yml` | Switches to new docker scripts and builds only cli module for scan target. |
Comments suppressed due to low confidence (1)
docker-test.sh:3
- With `set -u` enabled, this script can fail with an “unbound variable” error if `$USER` is not set in the environment (it’s referenced later when computing uid/gid and setting `-e user=...`). Consider avoiding `$USER` entirely (e.g., derive user/uid/gid via `id`) or providing a default (`${USER:-...}`) so the script is robust in non-interactive/CI shells.
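The failure mode raised in the suppressed comment above, reproduced as an added example (not code from the pull request): a snippet that expands `$USER` aborts under `set -u` when the variable is absent, while one that derives the identity from `id` keeps working. The snippet strings and the `run_without_user` helper are hypothetical names.

```shell
#!/usr/bin/env bash
set -eu

# Fragile: expands $USER directly, so strict mode aborts when it is unset.
FRAGILE='echo "user=$USER uid=$(id -u) gid=$(id -g)"'

# Robust: derive everything from id(1) and ignore the environment. Falls back
# to the numeric uid when the uid has no passwd entry (for example a container
# started with an arbitrary --user).
ROBUST='name="$(id -un 2>/dev/null || id -u)"; echo "user=$name uid=$(id -u) gid=$(id -g)"'

# Run a snippet in a child bash in strict mode with USER removed from the
# environment, which is what a minimal CI or non-interactive shell can look like.
run_without_user() {
  env -u USER bash -c "set -euo pipefail; $1" 2>/dev/null
}

if run_without_user "$FRAGILE"; then
  echo "fragile: ran"
else
  echo "fragile: aborted (unbound variable)"
fi
echo "robust: $(run_without_user "$ROBUST")"
```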
Description of Change
Changes docker scripting to extract versions from the Maven POM for the drivers, allowing them to be updated with dependabot for security reasons, and avoiding the need for special manual PRs.
Related minor tweaks
`exec-maven-plugin` `#!/usr/bin/env bash`, largely to avoid using ancient bash on MacOS.
Related issues
N/A
Have test cases been added to cover the new functionality?
yes (already there)
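An added sketch (not the project's scripts or Dockerfile) of the flow this description outlines: read a driver version property from the POM, check that it looks like a version, then build the Maven repository path for the jar. It uses `sed` on a constructed POM fragment instead of `mvn help:evaluate` so it runs offline; the repository URL, version values and function names are assumptions.

```shell
#!/usr/bin/env bash
set -eu

# Constructed sample POM fragment. The property names are the ones the PR
# adds; the version values are placeholders, not real driver releases.
sample_pom() {
  cat <<'EOF'
<project>
  <properties>
    <driver.postgresql.version>1.2.3</driver.postgresql.version>
    <driver.mysql.version>4.5.6</driver.mysql.version>
  </properties>
</project>
EOF
}

# Read one property from POM text on stdin (offline stand-in for mvn help:evaluate).
pom_property() {
  sed -n "s|.*<$1>\(.*\)</$1>.*|\1|p" | head -n 1
}

# Accept only plain version strings, so nothing else can reach a download URL
# or a --build-arg: no slashes, no whitespace, no leading dot or dash.
validate_version() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*|.*|-*) return 1 ;;
    *) return 0 ;;
  esac
}

# Standard Maven repository layout: <repo>/<group as path>/<artifact>/<version>/<artifact>-<version>.jar
maven_jar_url() {
  validate_version "$4" || { echo "rejected version: $4" >&2; return 1; }
  echo "$1/$(echo "$2" | tr . /)/$3/$4/$3-$4.jar"
}

pg_version="$(sample_pom | pom_property driver.postgresql.version)"
# repo.example is a placeholder repository URL.
maven_jar_url "https://repo.example/maven2" org.postgresql postgresql "$pg_version"
```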