Update release workflows (#239)

- Migrates to Setup Gradle action - Adds Licensee for automatic dependency license verification - Adds CycloneDX plugin to generate SBOMs - Adds Nexus Publishing plugin to automatically close and release artifacts - Includes legal files into the Jar artifacts - Updates verification metadata {patch} Signed-off-by: Esta Nagy <[email protected]>
nagyesta · May 9, 2024 · 263d98d · 263d98d
1 parent 587af02
commit 263d98d
Show file tree

Hide file tree

Showing 15 changed files with 714 additions and 858 deletions.
diff --git a/.github/workflows/add-index-exclusion.yml b/.github/workflows/add-index-exclusion.yml
@@ -14,22 +14,24 @@ jobs:
     name: Add OSS Index Exclusion action
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      - name: Checkout
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
         with:
           fetch-depth: 0
           token: ${{ secrets.PUBLISH_KEY }}
-      - name: "Add exclusion"
+      - name: Add exclusion
         run: |
           echo "${{ github.event.inputs.exclusion }}" >> config/ossindex/exclusions.txt
-      - name: "git branch"
+      - name: Create git branch
         run: |
           git config --global user.name 'Esta Nagy'
           git config --global user.email '[email protected]'
           git checkout -b feature/exclude-vulnerability-run-${{ github.run_number }}
           git add config/ossindex/exclusions.txt
           git commit -asm "Excluding vulnerability ${{ github.event.inputs.exclusion }} {patch}"
           git push -f --set-upstream origin feature/exclude-vulnerability-run-${{ github.run_number }}
-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      - name: Create Pull Request
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{ secrets.PUBLISH_KEY }}
           script: |

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -77,14 +77,13 @@ jobs:
         uses: github/codeql-action/init@ccf74c947955fd1cf117aef6a0e4e66191ef6f61 # v3.25.4
         with:
           languages: 'java'
-      - name: Build with Gradle
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
+      - name: Set up Gradle
+        uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
         with:
           cache-disabled: true
-          arguments: build -x test
+      - name: Build with Gradle
+        run: ./gradlew build -x test
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@ccf74c947955fd1cf117aef6a0e4e66191ef6f61 # v3.25.4
       - name: Check dependencies with Gradle
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
-        with:
-          arguments: ossIndexAudit -PossIndexUsername=${{ secrets.OSS_INDEX_USER }} -PossIndexPassword=${{ secrets.OSS_INDEX_PASSWORD }}
+        run: ./gradlew ossIndexAudit -PossIndexUsername=${{ secrets.OSS_INDEX_USER }} -PossIndexPassword=${{ secrets.OSS_INDEX_PASSWORD }}
diff --git a/.github/workflows/gradle-ci.yml b/.github/workflows/gradle-ci.yml
@@ -31,7 +31,6 @@ on:
       - '.github/pr-labeler.yml'
       - 'renovate.json'
       - '.whitesource'
-      - 'gradle/libs.versions.toml'
       - 'config/ossindex/exclusions.txt'
 
 permissions: read-all
@@ -45,29 +44,26 @@ jobs:
 
     steps:
       # Set up build environment
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      - name: Checkout
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
         with:
           fetch-depth: 0
       - name: Set up JDK 17
         uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
         with:
           distribution: temurin
           java-version: 17
+      - name: Set up Gradle
+        uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
+        with:
+          cache-disabled: true
       - name: Build with Gradle (if Ubuntu)
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
         if: ${{ matrix.os == 'ubuntu-latest' }}
-        with:
-          arguments: |
-            printVersion build
-            -Pci
+        run: ./gradlew printVersion build -Pci
       - name: Build with Gradle (if Windows)
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
         if: ${{ matrix.os != 'ubuntu-latest' }}
-        with:
-          arguments: |
-            printVersion build -x :file-barj-core:jacocoTestCoverageVerification
-            -Pci
-      - name: 'Upload Test reports - Core'
+        run: ./gradlew printVersion build -x :file-barj-core:jacocoTestCoverageVerification -Pci
+      - name: Upload Test reports - Core
         if: always()
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
@@ -76,7 +72,7 @@ jobs:
             file-barj-core/build/reports/tests/test
             file-barj-core/build/reports/abort-mission/abort-mission-report.html
           retention-days: 5
-      - name: 'Upload Test reports - Job'
+      - name: Upload Test reports - Job
         if: always()
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
@@ -85,7 +81,7 @@ jobs:
             file-barj-job/build/reports/tests/test
             file-barj-job/build/reports/abort-mission/abort-mission-report.html
           retention-days: 5
-      - name: 'Upload Test reports - Stream IO'
+      - name: Upload Test reports - Stream IO
         if: always()
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:

diff --git a/.github/workflows/gradle-oss-index-scan.yml b/.github/workflows/gradle-oss-index-scan.yml
@@ -23,7 +23,9 @@ jobs:
         with:
           distribution: temurin
           java-version: 17
-      - name: Check dependencies with Gradle
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
+      - name: Set up Gradle
+        uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
         with:
-          arguments: ossIndexAudit -PossIndexUsername=${{ secrets.OSS_INDEX_USER }} -PossIndexPassword=${{ secrets.OSS_INDEX_PASSWORD }}
+          cache-disabled: true
+      - name: Check dependencies with Gradle
+        run: ./gradlew ossIndexAudit -PossIndexUsername=${{ secrets.OSS_INDEX_USER }} -PossIndexPassword=${{ secrets.OSS_INDEX_PASSWORD }}
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
@@ -39,39 +39,42 @@ jobs:
 
     steps:
       # Set up build environment
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      - name: Checkout
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
         with:
           fetch-depth: 0
+          token: ${{ secrets.PUBLISH_KEY }}
       - name: Set up JDK 17
         uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
         with:
           distribution: temurin
           java-version: 17
-      - uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
+      - name: Set up Gradle
+        uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
         with:
-          gradle-home-cache-cleanup: true
-          arguments: |
-            tagVersion build
-            -Pci
-            -PgithubUser=${{ secrets.PUBLISH_USER_NAME }}
-            -PgithubToken=${{ secrets.PUBLISH_KEY }}
+          cache-disabled: true
+      - name: Build with Gradle
+        run: >
+          ./gradlew tagVersion build
+          -Pci
+          -PgithubUser=${{ secrets.PUBLISH_USER_NAME }}
+          -PgithubToken=${{ secrets.PUBLISH_KEY }}
       - name: Decode key
         run: |
           mkdir -p ${{ runner.temp }}/.gnupg/
           echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}" | base64 --decode > ${{ runner.temp }}/.gnupg/secring.gpg
-      - uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
-        with:
-          arguments: |
-            publish -x test
-            -Pci
-            -PgithubUser=${{ secrets.PUBLISH_USER_NAME }}
-            -PgithubToken=${{ secrets.PUBLISH_KEY }}
-            -PossrhUsername=${{ secrets.OSSRH_USER }}
-            -PossrhPassword=${{ secrets.OSSRH_PASS }}
-            -Psigning.keyId=${{ secrets.SIGNING_KEY_ID }}
-            -Psigning.password=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
-            -Psigning.secretKeyRingFile=${{ runner.temp }}/.gnupg/secring.gpg
-      - name: 'Clean-up GPG key'
+      - name: Publish with Gradle
+        run: >
+          ./gradlew publish -x test publishToSonatype closeAndReleaseSonatypeStagingRepository
+          -Pci
+          -PgithubUser=${{ secrets.PUBLISH_USER_NAME }}
+          -PgithubToken=${{ secrets.PUBLISH_KEY }}
+          -PossrhUsername=${{ secrets.OSSRH_USER }}
+          -PossrhPassword=${{ secrets.OSSRH_PASS }}
+          -Psigning.keyId=${{ secrets.SIGNING_KEY_ID }}
+          -Psigning.password=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
+          -Psigning.secretKeyRingFile=${{ runner.temp }}/.gnupg/secring.gpg
+      - name: Clean-up GPG key
         if: always()
         run: |
           rm -rf ${{ runner.temp }}/.gnupg/

diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
@@ -9,7 +9,8 @@ jobs:
   pr-labeler:
     runs-on: ubuntu-latest
     steps:
-      - uses: TimonVS/pr-labeler-action@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af # v5.0.0
+      - name: Label PR
+        uses: TimonVS/pr-labeler-action@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af # v5.0.0
         with:
           configuration-path: .github/pr-labeler.yml # optional, .github/pr-labeler.yml is the default value
         env:

diff --git a/.github/workflows/release-draft.yml b/.github/workflows/release-draft.yml
@@ -9,7 +9,8 @@ jobs:
     name: Draft release action
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      - name: Create release
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             github.rest.repos.createRelease({

diff --git a/.github/workflows/release-trigger.yml b/.github/workflows/release-trigger.yml
@@ -18,11 +18,12 @@ jobs:
     name: Release trigger action
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      - name: Checkout
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
         with:
           fetch-depth: 0
           token: ${{ secrets.PUBLISH_KEY }}
-      - name: "Check existing tag"
+      - name: Check existing tag
         id: check
         run: |
           echo "::set-output name=has_tag::$(git log --format='format:%d' --decorate-refs="refs/tags/v*" -n 1 | grep tag | wc -l)"
@@ -33,11 +34,11 @@ jobs:
           echo "Execution: ${{ github.event.inputs.execution }}"
           echo "---"
           echo "Should run: ${{ steps.check.outputs.has_tag == 0 || github.event.inputs.execution == 'Manual' }}"
-      - name: "Update trigger"
+      - name: Update trigger
         if: ${{ steps.check.outputs.has_tag == 0 || github.event.inputs.execution == 'Manual' }}
         run: |
           date +%s > .release-trigger
-      - name: "git branch"
+      - name: Creat git branch
         if: ${{ steps.check.outputs.has_tag == 0 || github.event.inputs.execution == 'Manual' }}
         run: |
           git config --global user.name 'Esta Nagy'
@@ -46,7 +47,8 @@ jobs:
           git add .release-trigger
           git commit -asm "Triggering a release {patch}"
           git push -f --set-upstream origin release/run-${{ github.run_number }}
-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      - name: Create Pull Request
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         if: ${{ steps.check.outputs.has_tag == 0 || github.event.inputs.execution == 'Manual' }}
         with:
           github-token: ${{ secrets.PUBLISH_KEY }}

diff --git a/.github/workflows/update-dependency-checksums.yml b/.github/workflows/update-dependency-checksums.yml
@@ -9,7 +9,8 @@ jobs:
     name: Dependency checksum compaction action
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+      - name: Checkout
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
         with:
           fetch-depth: 0
           token: ${{ secrets.PUBLISH_KEY }}
@@ -18,14 +19,15 @@ jobs:
         with:
           distribution: temurin
           java-version: 17
-      - name: "Remove previous version"
+      - name: Remove previous version
         run: cp gradle/verification-metadata-clean.xml gradle/verification-metadata.xml
-      - name: "Update checksums"
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
+      - name: Set up Gradle
+        uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
         with:
           cache-disabled: true
-          arguments: clean file-barj-job:checkstyleMain --write-verification-metadata sha256
-      - name: "Git commit"
+      - name: Update checksums
+        run: ./gradlew clean file-barj-job:checkstyleMain licensee --write-verification-metadata sha256
+      - name: Git commit
         run: |
           git config --global user.name 'Esta Nagy'
           git config --global user.email '[email protected]'

diff --git a/build.gradle.kts b/build.gradle.kts
@@ -1,4 +1,5 @@
 import org.sonatype.gradle.plugins.scan.ossindex.OutputFormat
+import java.util.*
 
 plugins {
     id("java")
@@ -8,6 +9,8 @@ plugins {
     alias(libs.plugins.lombok) apply false
     alias(libs.plugins.index.scan)
     alias(libs.plugins.owasp.dependencycheck)
+    alias(libs.plugins.nexus.publish.plugin)
+    alias(libs.plugins.cyclonedx.bom)
 }
 
 group = "com.github.nagyesta.file-barj"
@@ -81,6 +84,7 @@ subprojects {
     apply(plugin = "io.freefair.lombok")
     apply(plugin = "org.sonatype.gradle.plugins.scan")
     apply(plugin = "org.owasp.dependencycheck")
+    apply(plugin = "org.cyclonedx.bom")
 
     group = rootProject.group
     version = rootProject.version
@@ -200,6 +204,38 @@ subprojects {
         @Suppress("UNCHECKED_CAST")
         excludeVulnerabilityIds = rootProject.extra.get("ossIndexExclusions") as MutableSet<String>
     }
+
+    tasks.cyclonedxBom {
+        if (project.name.endsWith("job")) {
+            setProjectType("application")
+        } else {
+            setProjectType("library")
+        }
+        setIncludeConfigs(listOf("runtimeClasspath"))
+        setSkipConfigs(listOf("compileClasspath", "testCompileClasspath"))
+        setSkipProjects(listOf())
+        setSchemaVersion("1.5")
+        setDestination(file("build/reports"))
+        setOutputName("bom")
+        setOutputFormat("json")
+        //noinspection UnnecessaryQualifiedReference
+        val attachmentText = org.cyclonedx.model.AttachmentText()
+        attachmentText.setText(
+                Base64.getEncoder().encodeToString(
+                        file("${project.rootProject.projectDir}/LICENSE").readBytes()
+                )
+        )
+        attachmentText.encoding = "base64"
+        attachmentText.contentType = "text/plain"
+        //noinspection UnnecessaryQualifiedReference
+        val license = org.cyclonedx.model.License()
+        license.name = "MIT License"
+        license.setLicenseText(attachmentText)
+        license.url = "https://raw.githubusercontent.com/nagyesta/file-barj/main/LICENSE"
+        setLicenseChoice {
+            it.addLicense(license)
+        }
+    }
 }
 
 ossIndexAudit {
@@ -228,3 +264,12 @@ tasks.jacocoTestReport {
         csv.required.set(false)
     }
 }
+
+nexusPublishing {
+    repositories {
+        sonatype {
+            username = rootProject.extra.get("ossrhUser").toString()
+            password = rootProject.extra.get("ossrhPass").toString()
+        }
+    }
+}