-
Notifications
You must be signed in to change notification settings - Fork 143
137 lines (120 loc) · 5.46 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
---
# This workflow will build a Java project with Maven
# For more information see:
# https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
name: Java CI with Maven
env:
JAVA: 17
PRIVILEGED_RUN: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/development')
|| github.event.pull_request.head.repo.full_name == github.repository }}
CODEQL_LANGUAGES: 'java' # FIXME(@JonasCir) add 'javascript'
on:
push:
branches: [ development, master, hotfix* ]
pull_request:
branches: [ development, hotfix* ]
workflow_dispatch: # run it manually from the GH Actions web console
schedule:
- cron: '35 1 * * 0'
jobs:
ci:
name: SORMAS CI
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout repository (with token)
# Check if PR results from the repository: if yes, we have access to the secrets.
# The token is only needed for privileged actions from within the repo, so no need
# to make it available on 3rd party PRs
if: ${{ fromJSON(env.PRIVILEGED_RUN) }}
uses: actions/checkout@v3
with:
token: ${{ secrets.SORMAS_VITAGROUP_CI_TOKEN }}
- name: Checkout repository (without token)
# Check if PR results from a fork: if yes, we cannot access the token.
# The token is only needed for privileged actions from within the
# repo, so no need to make it available on 3rd party PRs
if: ${{ !fromJSON(env.PRIVILEGED_RUN) }}
uses: actions/checkout@v3
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ env.CODEQL_LANGUAGES }}
- name: Set up JDK ${{ env.JAVA }}
uses: actions/setup-java@v3
with:
java-version: ${{ env.JAVA }}
distribution: 'zulu'
- name: Cache Maven packages
# Check if PR results from the repository: if yes, it is safe to cache dependencies.
# This is to keep us safe from cache poisoning through 3rd party PRs.
if: ${{ fromJSON(env.PRIVILEGED_RUN) }}
uses: actions/cache@v3
with:
path: ~/.m2
key: ${{ runner.os }}-java-${{ env.JAVA }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-java-${{ env.JAVA }}-m2
- name: Cache SonarCloud packages
# Check if PR results from the repository: if yes, it is safe to cache dependencies.
# This is to keep us safe from cache poisoning through 3rd party PRs.
if: ${{ fromJSON(env.PRIVILEGED_RUN) }}
uses: actions/cache@v3
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Run mvn verify and sonar analysis
# FIXME(@JonasCir) see https://github.com/sormas-foundation/SORMAS-Project/issues/3730#issuecomment-745165678
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
working-directory: ./sormas-base
run: mvn -B -ntp verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=SORMAS-Project
- name: Comment with SonarCloud analysis
uses: actions/github-script@v6
if: github.event_name == 'pull_request'
with:
github-token: ${{ secrets.SORMAS_VITAGROUP_CI_TOKEN }}
script: |
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `SonarCloud analysis: https://sonarcloud.io/dashboard?id=SORMAS-Project&pullRequest=${{ github.event.pull_request.number }}`
})
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/[email protected]
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
scanners: 'vuln,secret,config'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
# needed as codeQL also performs an upload, and they clash otherwise
category: 'code-scanning/trivy-repo'
- name: Commit openAPI spec to development
# Privileged action needing a secret token. Since this only runs on development in our own repo
# the token will be available through a privileged checkout.
if: github.event_name == 'push' && github.ref == 'refs/heads/development'
&& hashFiles('sormas-rest/target/swagger.yaml') != hashFiles('sormas-rest/swagger.yaml')
# https://stackoverflow.com/questions/59604922/authorize-bash-to-access-github-protected-branch
run: |
git config --global user.name "sormas-vitagroup"
git config --global user.email "[email protected]"
mkdir /tmp/openapi
cp sormas-rest/target/swagger.* /tmp/openapi
git fetch
git checkout development
git pull
rm -f sormas-rest/swagger.*
cp /tmp/openapi/swagger.* sormas-rest/
git add sormas-rest/swagger.*
git commit -m "[GitHub Actions] Update openAPI spec files"
git push