-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
e76a9d3
commit 9eb69c3
Showing
8 changed files
with
450 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| name: "> Main Pipeline" | ||
|
|
||
| on: | ||
| push: | ||
| branches: [ "main" ] | ||
| tags: | ||
| - '*' | ||
| pull_request: | ||
| branches: [ '*' ] | ||
| # workflow_dispatch: | ||
| # inputs: | ||
| # type: | ||
| # description: 'Release Library' | ||
| # required: true | ||
| # default: '...no release' | ||
| # type: choice | ||
| # options: | ||
| # - '...no release' | ||
| # - major | ||
| # - minor | ||
| # - patch | ||
|
|
||
| jobs: | ||
|
|
||
| build: | ||
| name: Build + unit tests | ||
| uses: ./.github/workflows/callable.build.yml | ||
| if: | # avoid unnecessary pipeline runs during artifact release process ('gradle release plugin') | ||
| !contains(github.event.head_commit.message, '[Gradle Release Plugin] - pre tag commit') | ||
| || github.ref_type == 'tag' | ||
| code_analysis: | ||
| name: Code Analysis (multi) | ||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| security-events: write | ||
| uses: ./.github/workflows/callable.code-analysis.yml | ||
| needs: build | ||
| if: | | ||
| github.event_name != 'workflow_dispatch' | ||
| || inputs.type == '...no release' | ||
| # integration_test: | ||
| # name: Integration tests | ||
| # uses: ./.github/workflows/callable.integration-test.yml | ||
| # needs: build | ||
|
|
||
| # gradle_release: | ||
| # name: Create release | ||
| # uses: ./.github/workflows/callable.gradle-release.yml | ||
| # secrets: inherit | ||
| # with: | ||
| # type: ${{ inputs.type }} | ||
| # needs: build | ||
| # if: | | ||
| # github.event_name == 'workflow_dispatch' | ||
| # && inputs.type != '...no release' | ||
|
|
||
| publish_sonatype: | ||
| name: Publish artifact (Maven Central) | ||
| uses: ./.github/workflows/callable.publish-central-portal.yml | ||
| secrets: inherit | ||
| needs: build | ||
| if: | | ||
| ( | ||
| github.event_name != 'workflow_dispatch' | ||
| || inputs.type == '...no release' | ||
| ) && ( | ||
| github.ref == 'refs/heads/main' | ||
| || github.ref_type == 'tag' | ||
| ) | ||
| publish_javadoc: | ||
| name: Publish javadoc (GitHub Pages) | ||
| permissions: | ||
| contents: write | ||
| uses: ./.github/workflows/callable.publish-javadoc.yml | ||
| needs: build | ||
| if: | | ||
| ( | ||
| github.ref == 'refs/heads/main' | ||
| && ( inputs.type == '' || inputs.type == '...no release' ) | ||
| ) || github.ref_type == 'tag' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| name: ">> Scheduled Code Analysis" | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| schedule: | ||
| - cron: '23 1 * * 6' # weekly, on Saturday at 01:23 UTC | ||
|
|
||
| jobs: | ||
| code_analysis: | ||
| name: Code Analysis (multi) | ||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| security-events: write | ||
| uses: ./.github/workflows/callable.code-analysis.yml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| name: Gradle Build | ||
|
|
||
| on: | ||
| workflow_call: | ||
|
|
||
| jobs: | ||
| build: | ||
| name: gradle build test | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout project sources | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - uses: actions/setup-java@v4 | ||
| with: | ||
| distribution: 'corretto' | ||
| java-version: '21' | ||
| - uses: gradle/actions/wrapper-validation@v3 | ||
| - name: Setup Gradle | ||
| uses: gradle/actions/setup-gradle@v3.3.2 | ||
| with: | ||
| cache-write-only: true | ||
| - name: Run build (incl. test) | ||
| # run: ./gradlew build -x intTest --no-daemon | ||
| run: ./gradlew build --no-daemon | ||
|
|
||
| - name: Publish Test Report | ||
| uses: mikepenz/action-junit-report@v4 | ||
| if: success() || failure() # always run even if the previous step fails | ||
| with: | ||
| report_paths: '**/build/test-results/test/TEST-*.xml' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| name: CodeQL Analysis | ||
|
|
||
| on: | ||
| workflow_call: | ||
|
|
||
| jobs: | ||
| analyze: | ||
| name: CodeQL Analysis | ||
| # Runner size impacts CodeQL analysis time. To learn more, please see: | ||
| # - https://gh.io/recommended-hardware-resources-for-running-codeql | ||
| # - https://gh.io/supported-runners-and-hardware-resources | ||
| # - https://gh.io/using-larger-runners | ||
| # Consider using larger runners for possible analysis time improvements. | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 360 | ||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| security-events: write | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| # Initializes the CodeQL tools for scanning. | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v3 | ||
| with: | ||
| languages: java | ||
| # If you wish to specify custom queries, you can do so here or in a config file. | ||
| # By default, queries listed here will override any specified in a config file. | ||
| # Prefix the list here with "+" to use these queries and those in the config file. | ||
|
|
||
| # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | ||
| # queries: security-extended,security-and-quality | ||
| queries: security-extended,security-and-quality | ||
|
|
||
| - uses: actions/setup-java@v4 | ||
| with: | ||
| distribution: 'corretto' | ||
| java-version: '21' | ||
| - uses: gradle/actions/wrapper-validation@v3 | ||
| - name: Setup Gradle | ||
| uses: gradle/actions/setup-gradle@v3.3.2 | ||
| with: | ||
| cache-read-only: true | ||
| - name: Run build with Gradle Wrapper | ||
| # run: | | ||
| # ./gradlew build -x intTest --no-daemon | ||
| # # ignore ./.gradle folder for analysis | ||
| # rm -Rf .gradle | ||
| run: | | ||
| ./gradlew build --no-daemon | ||
| # ignore ./.gradle folder for analysis | ||
| rm -Rf .gradle | ||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@v3 | ||
| with: | ||
| category: "/language:${{matrix.language}}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| name: Trivy Security Scan | ||
|
|
||
| on: | ||
| workflow_call: | ||
|
|
||
| jobs: | ||
| analyze: | ||
| name: Trivy scan (JVM) | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 360 | ||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| security-events: write | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - uses: actions/setup-java@v4 | ||
| with: | ||
| distribution: 'corretto' | ||
| java-version: '21' | ||
| - uses: gradle/actions/wrapper-validation@v3 | ||
| - name: Setup Gradle | ||
| uses: gradle/actions/setup-gradle@v3.3.2 | ||
| with: | ||
| cache-read-only: true | ||
|
|
||
| - name: Generate gradle.lockfile for trivy scan | ||
| run: gradle dependencies --write-locks | ||
|
|
||
| - name: Run Trivy vulnerability scanner in repo mode | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| scan-type: 'fs' | ||
| severity: 'CRITICAL,HIGH' | ||
| format: 'sarif' | ||
| output: 'trivy-results.sarif' | ||
|
|
||
| - name: Upload Trivy scan results to GitHub Security tab | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| with: | ||
| sarif_file: 'trivy-results.sarif' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| name: Code Analysis | ||
|
|
||
| on: | ||
| workflow_call: | ||
|
|
||
| jobs: | ||
| github_codeql_analysis: | ||
| name: GitHub CodeQL Analysis | ||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| security-events: write | ||
| uses: ./.github/workflows/callable.code-analysis.codeql.yml | ||
| trivy_scan: | ||
| name: Trivy Security Scan | ||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| security-events: write | ||
| uses: ./.github/workflows/callable.code-analysis.trivy.yml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| name: Publish to Sonatype (Maven Central) | ||
| on: | ||
| workflow_call: | ||
|
|
||
| jobs: | ||
| publish: | ||
| name: gradle publish (Maven Central) | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout project sources | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - uses: actions/setup-java@v4 | ||
| with: | ||
| distribution: 'corretto' | ||
| java-version: '21' | ||
| - uses: gradle/actions/wrapper-validation@v3 | ||
| - name: Setup Gradle | ||
| uses: gradle/actions/setup-gradle@v3.3.2 | ||
| with: | ||
| cache-read-only: true | ||
|
|
||
| # note the following two steps are identical but different names for better DX in GitHub Actions UI | ||
| - name: Publish SNAPSHOT to Central Portal | ||
| if: github.ref == 'refs/heads/main' | ||
| run: ./gradlew publishAllPublicationsToMavenCentralRepository | ||
| env: | ||
| ORG_GRADLE_PROJECT_mavenCentralUsername: ${{ secrets.mavenCentralUsername }} | ||
| ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.mavenCentralPassword }} | ||
| ORG_GRADLE_PROJECT_signingInMemoryKey: ${{ secrets.signingInMemoryKey }} | ||
| ORG_GRADLE_PROJECT_signingInMemoryKeyId: ${{ secrets.signingInMemoryKeyId }} | ||
| ORG_GRADLE_PROJECT_signingInMemoryKeyPassword: ${{ secrets.signingInMemoryKeyPassword }} | ||
| - name: Publish RELEASE to Central Portal | ||
| if: github.ref_type == 'tag' | ||
| run: ./gradlew publishAndReleaseToMavenCentral --no-configuration-cache | ||
| env: | ||
| ORG_GRADLE_PROJECT_mavenCentralUsername: ${{ secrets.mavenCentralUsername }} | ||
| ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.mavenCentralPassword }} | ||
| ORG_GRADLE_PROJECT_signingInMemoryKey: ${{ secrets.signingInMemoryKey }} | ||
| ORG_GRADLE_PROJECT_signingInMemoryKeyId: ${{ secrets.signingInMemoryKeyId }} | ||
| ORG_GRADLE_PROJECT_signingInMemoryKeyPassword: ${{ secrets.signingInMemoryKeyPassword }} |
Oops, something went wrong.