Merge pull request 'Release 2026-07: aria (develop → main)' (#11) from develop into main
This commit was merged in pull request #11.
This commit is contained in:
@@ -6,7 +6,7 @@ on:
|
||||
- develop
|
||||
|
||||
jobs:
|
||||
build-and-deploy:
|
||||
build-and-scan:
|
||||
runs-on: ubuntu-latest
|
||||
env:
|
||||
GIT_SSL_NO_VERIFY: 'true'
|
||||
@@ -19,16 +19,8 @@ jobs:
|
||||
- name: Clean runner disk
|
||||
run: docker system prune -f 2>/dev/null || true
|
||||
|
||||
- name: Install Java 21 and Maven
|
||||
run: |
|
||||
apt-get update -qq
|
||||
apt-get install -y -qq wget apt-transport-https gnupg
|
||||
wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor -o /usr/share/keyrings/adoptium.gpg
|
||||
echo "deb [signed-by=/usr/share/keyrings/adoptium.gpg] https://packages.adoptium.net/artifactory/deb $(. /etc/os-release && echo $VERSION_CODENAME) main" | tee /etc/apt/sources.list.d/adoptium.list
|
||||
apt-get update -qq
|
||||
apt-get install -y -qq temurin-21-jdk maven
|
||||
java -version
|
||||
mvn -version
|
||||
- name: Verify toolchain
|
||||
run: java -version && mvn -version && trivy --version
|
||||
|
||||
- name: Configure Maven settings
|
||||
run: |
|
||||
@@ -73,15 +65,13 @@ jobs:
|
||||
- name: Build JAR
|
||||
run: mvn clean package -DskipTests -B
|
||||
|
||||
- name: Install Trivy
|
||||
run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
|
||||
|
||||
- name: Trivy vulnerability scan
|
||||
run: |
|
||||
trivy fs \
|
||||
--exit-code 1 \
|
||||
--severity HIGH,CRITICAL \
|
||||
--ignore-unfixed \
|
||||
--skip-db-update \
|
||||
--scanners vuln \
|
||||
--format table \
|
||||
target/
|
||||
@@ -114,22 +104,36 @@ jobs:
|
||||
docker build -t ${{ secrets.DEV_REGISTRY_URL }}/hiveiq-aria:dev .
|
||||
docker push ${{ secrets.DEV_REGISTRY_URL }}/hiveiq-aria:dev
|
||||
|
||||
- name: Deploy to bcos.dev
|
||||
# Posts a ✅/🔴 card to #hiveops-dev-deploy on every run, so a build is never silent.
|
||||
# if: always() → failures are announced too. continue-on-error → a notify hiccup must
|
||||
# NEVER fail the build. SLACK_WEBHOOK_URL is an org secret; unset → the step no-ops.
|
||||
- name: Notify Slack (#hiveops-dev-deploy)
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
env:
|
||||
DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
|
||||
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
|
||||
JOB_STATUS: ${{ job.status }}
|
||||
ACTOR: ${{ github.actor }}
|
||||
REF_NAME: ${{ github.ref_name }}
|
||||
SHA: ${{ github.sha }}
|
||||
RUN_NUMBER: ${{ github.run_number }}
|
||||
RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
|
||||
COMMIT_MSG: ${{ github.event.head_commit.message }}
|
||||
run: |
|
||||
apt-get install -y -qq openssh-client
|
||||
mkdir -p ~/.ssh
|
||||
echo "$DEPLOY_SSH_KEY" > ~/.ssh/deploy_key
|
||||
chmod 600 ~/.ssh/deploy_key
|
||||
ssh-keyscan -H ${{ secrets.DEV_HOST }} >> ~/.ssh/known_hosts 2>&1
|
||||
ssh -i ~/.ssh/deploy_key ${{ secrets.DEPLOY_USER }}@${{ secrets.DEV_HOST }} \
|
||||
"cd ~/hiveiq/hiveops-openmetal/hiveops/instances/dev && \
|
||||
REGISTRY_URL=${{ secrets.DEV_REGISTRY_URL }} ARIA_VERSION=dev \
|
||||
docker compose pull hiveiq-aria && \
|
||||
REGISTRY_URL=${{ secrets.DEV_REGISTRY_URL }} ARIA_VERSION=dev \
|
||||
docker compose up -d hiveiq-aria"
|
||||
- name: Cleanup
|
||||
if: always()
|
||||
run: rm -f ~/.ssh/deploy_key
|
||||
[ -z "$SLACK_WEBHOOK_URL" ] && { echo "no SLACK_WEBHOOK_URL secret — skipping"; exit 0; }
|
||||
SHORT="${SHA:0:8}"
|
||||
FIRST="${COMMIT_MSG%%$'\n'*}"
|
||||
SUBJECT="$(printf '%s' "$FIRST" | tr -d '"\\' | cut -c1-100)"
|
||||
if [ "$JOB_STATUS" = "success" ]; then
|
||||
COLOR="#2eb67d"
|
||||
TITLE=":white_check_mark: aria — cd-develop OK · image built & pushed"
|
||||
NEXT="*Not deployed* — this pipeline only builds. Deploy \`:dev\` to bcos.dev (.251) when ready."
|
||||
else
|
||||
COLOR="#e01e5a"
|
||||
TITLE=":red_circle: aria — cd-develop FAILED ($JOB_STATUS)"
|
||||
NEXT="The image may not have been pushed — check the run before deploying anything."
|
||||
fi
|
||||
PAYLOAD=$(printf '{"attachments":[{"color":"%s","blocks":[{"type":"section","text":{"type":"mrkdwn","text":"*%s*"}},{"type":"section","fields":[{"type":"mrkdwn","text":"*Commit*\\n`%s` %s"},{"type":"mrkdwn","text":"*Tags*\\n`:dev`"},{"type":"mrkdwn","text":"*By*\\n%s"},{"type":"mrkdwn","text":"*Run*\\n#%s"}]},{"type":"section","text":{"type":"mrkdwn","text":"*Next*\\n%s"}},{"type":"actions","elements":[{"type":"button","text":{"type":"plain_text","text":"View run"},"url":"%s"}]}]}]}' \
|
||||
"$COLOR" "$TITLE" "$SHORT" "$SUBJECT" "$ACTOR" "$RUN_NUMBER" "$NEXT" "$RUN_URL")
|
||||
code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 15 -X POST -H 'Content-type: application/json' --data "$PAYLOAD" "$SLACK_WEBHOOK_URL" || echo "curl-error")
|
||||
echo "slack notify HTTP: $code (200 = card posted)"
|
||||
|
||||
+68
-31
@@ -1,43 +1,80 @@
|
||||
# hiveops-aria frontend — CLAUDE.md
|
||||
|
||||
> ## ⛔ STOP — before writing ANY `.svelte`, use the template
|
||||
> 1. Read `hiveops-template/CLAUDE.md` (the design system).
|
||||
> 2. **Copy, don't write from scratch** — start from `hiveops-template/frontend/src/components/TablePage.svelte` (list/table pages) or `TemplatePage.svelte` (pages with status/severity badges).
|
||||
> 3. Header = **text only**. Action buttons (Add/Refresh/Compose) go in `.toolbar-right`, never in `.header`. *(hook-enforced)*
|
||||
> 4. Copy the filter-sidebar + table CSS **verbatim** — never simplify.
|
||||
> 5. Scoped `<style>` only — never `import './x.css'`. *(hook-enforced)*
|
||||
|
||||
ARIA — ATM threat intelligence & precursor-sequence detection (IOC catalog, threat events,
|
||||
attack sequences, device posture). Svelte frontend + Spring Boot 3.4 backend.
|
||||
Package `com.hiveops.aria`, DB `hiveiq_aria`.
|
||||
|
||||
| Sub-module | Port | Dev | Prod |
|
||||
|---|---|---|---|
|
||||
| `backend/` (repo root) | 8095 | `api.bcos.dev/aria/` | `api.bcos.cloud/aria/` |
|
||||
| `frontend/` | 5187 | `aria.bcos.dev` | `aria.bcos.cloud` |
|
||||
|
||||
## 📖 Architecture, endpoints, tables, Kafka, gotchas, testing → the Guide
|
||||
|
||||
The deep, **code-grounded** knowledge for this service lives in the HiveIQ **Guide** — kept in
|
||||
sync with code (unlike hand-written docs, which rot). Query it instead of duplicating here:
|
||||
|
||||
```bash
|
||||
TOKEN=$(curl -s https://api.bcos.dev/auth/api/login -H 'Content-Type: application/json' \
|
||||
-d '{"email":"<you>","password":"<pw>"}' | python3 -c 'import sys,json;print(json.load(sys.stdin)["token"])')
|
||||
|
||||
# service overview:
|
||||
curl -s https://api.bcos.dev/guide/api/v1/guide/modules/technical.aria -H "Authorization: Bearer $TOKEN"
|
||||
# per-module (Customer / Internal / Architect / Testing / Claude tabs) — read the "Claude" tab to act:
|
||||
curl -s https://api.bcos.dev/guide/api/v1/guide/modules/aria.threat-events -H "Authorization: Bearer $TOKEN"
|
||||
```
|
||||
|
||||
Modules: `aria.dashboard`, `aria.threat-events`, `aria.ioc-management`, `aria.ioc-feeds`,
|
||||
`aria.precursor-alerts`, `aria.device-posture`. Browse: **https://guide.bcos.dev** (admin login
|
||||
shows the internal tabs). The Guide is the source of truth for endpoints, DB tables, Kafka topics,
|
||||
roles, gotchas, and how to test — **this file stays thin on purpose.** When you change ARIA
|
||||
behaviour, update the Guide content, not this file.
|
||||
|
||||
## Before writing ANY new component
|
||||
|
||||
Read an existing sibling component first. Mandatory. Use `IocManagement.svelte` or `DevicePosture.svelte` as the reference.
|
||||
Read an existing sibling component first. Mandatory. Use `IocManagement.svelte` or
|
||||
`DevicePosture.svelte` as the reference. Poll the STATUS endpoint only (never trigger a refresh
|
||||
from `setInterval`), and always `onDestroy(() => clearInterval(interval))`.
|
||||
|
||||
## Canonical patterns (copy exactly, no variations)
|
||||
## Dev / build
|
||||
|
||||
**Header** — text only, no buttons:
|
||||
```svelte
|
||||
<div class="header">
|
||||
<div class="header-text">
|
||||
<h1>Page Title</h1>
|
||||
<p>Subtitle</p>
|
||||
</div>
|
||||
</div>
|
||||
```bash
|
||||
# backend (repo root)
|
||||
./mvnw clean package -DskipTests
|
||||
# frontend
|
||||
cd frontend && npm install && npm run dev # http://localhost:5187
|
||||
```
|
||||
|
||||
**Toolbar** — all buttons go here, never in the header:
|
||||
```svelte
|
||||
<div class="form-card">
|
||||
<div class="toolbar">
|
||||
<div class="toolbar-left"><span class="count">N items</span></div>
|
||||
<div class="toolbar-right">
|
||||
<button class="btn btn-secondary btn-sm">Refresh</button>
|
||||
<button class="btn btn-primary btn-sm">+ Add</button>
|
||||
</div>
|
||||
</div>
|
||||
## Build & deploy
|
||||
|
||||
```bash
|
||||
# backend image (hiveiq-aria) — root build.sh; frontend image (hiveiq-aria-frontend) built from frontend/Dockerfile
|
||||
./build.sh --registry registry.bcos.dev --push # dev (:dev tag, bcos.dev / .251)
|
||||
./build.sh --registry registry.bcos.cloud --push # prod (:latest; CI/CD on merge to main, manual only if CI broken)
|
||||
|
||||
# deploy dev: ssh .251 → ~/hiveiq/hiveops-openmetal/hiveops/instances/dev
|
||||
docker compose pull hiveiq-aria hiveiq-aria-frontend && docker compose up -d hiveiq-aria hiveiq-aria-frontend
|
||||
# prod: same on 173.231.195.250 with registry.bcos.cloud
|
||||
```
|
||||
CI: `.gitea/workflows/cd-develop.yml` (push → develop, deploys to bcos.dev), `cd-main.yml`.
|
||||
|
||||
**Buttons** — always global classes, never custom button CSS:
|
||||
- `btn btn-primary` / `btn btn-primary btn-sm`
|
||||
- `btn btn-secondary` / `btn btn-secondary btn-sm`
|
||||
## Env vars
|
||||
|
||||
**Table** — inside `.table-wrapper > .table-container`:
|
||||
- `thead` background: `#f9fafb`, sticky
|
||||
- `th` color: `#374151`, uppercase, `font-size: 0.78rem`
|
||||
- `td` color: `#1f2937`
|
||||
- `tbody tr:hover` background: `#eff6ff`
|
||||
```
|
||||
# backend — hiveiq_aria on hiveiq-postgres
|
||||
DB_URL DB_USERNAME DB_PASSWORD # ddl-auto=validate; Flyway owns schema (db/migration)
|
||||
JWT_SECRET (shared w/ auth) KAFKA_BOOTSTRAP_SERVERS CORS_ALLOWED_ORIGINS
|
||||
```
|
||||
Frontend: `VITE_API_URL` = `https://api.bcos.dev/aria` (dev) / `https://api.bcos.cloud/aria` (prod).
|
||||
Injected at container runtime into `dist/config.js` (`window.__APP_CONFIG__.apiUrl`) via `entrypoint.sh`.
|
||||
|
||||
## Auto-poll
|
||||
- Poll the STATUS endpoint only — never trigger a refresh from setInterval
|
||||
- Use `onDestroy(() => clearInterval(interval))` always
|
||||
## What's New
|
||||
|
||||
Edit `hiveops-release/releases.json` → `./deploy.sh` in that repo.
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
<parent>
|
||||
<groupId>com.hiveops</groupId>
|
||||
<artifactId>hiveops-bom</artifactId>
|
||||
<version>1.0.2</version>
|
||||
<version>1.0.8</version>
|
||||
<relativePath/>
|
||||
</parent>
|
||||
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
{
|
||||
"status": "failed",
|
||||
"failedTests": []
|
||||
}
|
||||
Reference in New Issue
Block a user