Java CI with Maven #276
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# This workflow will build a Java project with Maven | |
# For more information see: | |
# https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven | |
name: Java CI with Maven | |
env: | |
JAVA: 17 | |
PRIVILEGED_RUN: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/development') | |
|| github.event.pull_request.head.repo.full_name == github.repository }} | |
CODEQL_LANGUAGES: 'java' # FIXME(@JonasCir) add 'javascript' | |
on: | |
push: | |
branches: [ development, master, hotfix* ] | |
pull_request: | |
branches: [ development, hotfix* ] | |
workflow_dispatch: # run it manually from the GH Actions web console | |
schedule: | |
- cron: '35 1 * * 0' | |
jobs: | |
ci: | |
name: SORMAS CI | |
runs-on: ubuntu-latest | |
permissions: | |
security-events: write | |
steps: | |
- name: Checkout repository (with token) | |
# Check if PR results from the repository: if yes, we have access to the secrets. | |
# The token is only needed for privileged actions from within the repo, so no need | |
# to make it available on 3rd party PRs | |
if: ${{ fromJSON(env.PRIVILEGED_RUN) }} | |
uses: actions/checkout@v3 | |
with: | |
token: ${{ secrets.SORMAS_VITAGROUP_CI_TOKEN }} | |
- name: Checkout repository (without token) | |
# Check if PR results from a fork: if yes, we cannot access the token. | |
# The token is only needed for privileged actions from within the | |
# repo, so no need to make it available on 3rd party PRs | |
if: ${{ !fromJSON(env.PRIVILEGED_RUN) }} | |
uses: actions/checkout@v3 | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v2 | |
with: | |
languages: ${{ env.CODEQL_LANGUAGES }} | |
- name: Set up JDK ${{ env.JAVA }} | |
uses: actions/setup-java@v3 | |
with: | |
java-version: ${{ env.JAVA }} | |
distribution: 'zulu' | |
- name: Cache Maven packages | |
# Check if PR results from the repository: if yes, it is safe to cache dependencies. | |
# This is to keep us safe from cache poisoning through 3rd party PRs. | |
if: ${{ fromJSON(env.PRIVILEGED_RUN) }} | |
uses: actions/cache@v3 | |
with: | |
path: ~/.m2 | |
key: ${{ runner.os }}-java-${{ env.JAVA }}-m2-${{ hashFiles('**/pom.xml') }} | |
restore-keys: ${{ runner.os }}-java-${{ env.JAVA }}-m2 | |
- name: Cache SonarCloud packages | |
# Check if PR results from the repository: if yes, it is safe to cache dependencies. | |
# This is to keep us safe from cache poisoning through 3rd party PRs. | |
if: ${{ fromJSON(env.PRIVILEGED_RUN) }} | |
uses: actions/cache@v3 | |
with: | |
path: ~/.sonar/cache | |
key: ${{ runner.os }}-sonar | |
restore-keys: ${{ runner.os }}-sonar | |
- name: Run mvn verify and sonar analysis | |
# FIXME(@JonasCir) see https://github.com/sormas-foundation/SORMAS-Project/issues/3730#issuecomment-745165678 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
working-directory: ./sormas-base | |
run: mvn -B -ntp verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=SORMAS-Project | |
- name: Comment with SonarCloud analysis | |
uses: actions/github-script@v6 | |
if: github.event_name == 'pull_request' | |
with: | |
github-token: ${{ secrets.SORMAS_VITAGROUP_CI_TOKEN }} | |
script: | | |
github.rest.issues.createComment({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: `SonarCloud analysis: https://sonarcloud.io/dashboard?id=SORMAS-Project&pullRequest=${{ github.event.pull_request.number }}` | |
}) | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v2 | |
- name: Run Trivy vulnerability scanner in repo mode | |
uses: aquasecurity/[email protected] | |
with: | |
scan-type: 'fs' | |
ignore-unfixed: true | |
format: 'sarif' | |
output: 'trivy-results.sarif' | |
scanners: 'vuln,secret,config' | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: 'trivy-results.sarif' | |
# needed as codeQL also performs an upload, and they clash otherwise | |
category: 'code-scanning/trivy-repo' | |
- name: Commit openAPI spec to development | |
# Privileged action needing a secret token. Since this only runs on development in our own repo | |
# the token will be available through a privileged checkout. | |
if: github.event_name == 'push' && github.ref == 'refs/heads/development' | |
&& hashFiles('sormas-rest/target/swagger.yaml') != hashFiles('sormas-rest/swagger.yaml') | |
# https://stackoverflow.com/questions/59604922/authorize-bash-to-access-github-protected-branch | |
run: | | |
git config --global user.name "sormas-vitagroup" | |
git config --global user.email "[email protected]" | |
mkdir /tmp/openapi | |
cp sormas-rest/target/swagger.* /tmp/openapi | |
git fetch | |
git checkout development | |
git pull | |
rm -f sormas-rest/swagger.* | |
cp /tmp/openapi/swagger.* sormas-rest/ | |
git add sormas-rest/swagger.* | |
git commit -m "[GitHub Actions] Update openAPI spec files" | |
git push |