This repository has been archived by the owner on Jul 23, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
0dec1f4
commit 0eafdfd
Showing
4 changed files
with
318 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| # 🏃♀️ Continuous Integration and Delivery: Branch Testing | ||
| # ====================================================== | ||
|
|
||
|
|
||
| --- | ||
|
|
||
| name: 🔁 Branch integration testing | ||
|
|
||
|
|
||
| # Driving Event | ||
| # ------------- | ||
| # | ||
| # What event starts this workflow: a push to any branch other than main | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - '**' | ||
| - '!main' | ||
|
|
||
|
|
||
| # What to Do | ||
| # ---------- | ||
| # | ||
| # Test the software with mvn test | ||
|
|
||
| jobs: | ||
| branch-testing: | ||
| name: 🪵 Branch Testing | ||
| runs-on: ubuntu-latest | ||
| if: github.actor != 'pdsen-ci' | ||
|
|
||
| strategy: | ||
| matrix: | ||
| java-version: [11, 17] | ||
|
|
||
| steps: | ||
| - | ||
| name: 💳 Checkout | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| lfs: true | ||
| fetch-depth: 0 | ||
| token: ${{secrets.ADMIN_GITHUB_TOKEN}} | ||
| - | ||
| name: 💵 Maven Cache | ||
| uses: actions/cache@v3 | ||
| with: | ||
| path: ~/.m2/repository | ||
| # The "key" used to indicate a set of cached files is the operating system runner | ||
| # plus "mvn" for Maven-specific builds, plus a hash of the `pom.xml` files, which | ||
| # should uniquely identify the dependent jars; plus "pds" because we pds-prefix | ||
| # everything with "pds" in PDS—even when the context is obvious! 😅 | ||
| key: pds-${{runner.os}}-mvn-${{hashFiles('**/pom.xml')}} | ||
| # To restore a set of files, we only need to match a prefix of the saved key. | ||
| restore-keys: pds-${{runner.os}}-mvn- | ||
| - | ||
| name: ☕️ Set up OpenJDK | ||
| uses: actions/setup-java@v3 | ||
| with: | ||
| distribution: 'adopt' | ||
| java-version: ${{matrix.java-version}} | ||
| - | ||
| name: 🩺 Test Software | ||
| run: mvn test | ||
|
|
||
| ... | ||
|
|
||
| # -*- mode: yaml; indent: 4; fill-column: 120; coding: utf-8 -*- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| name: "CodeQL" | ||
|
|
||
| on: | ||
| schedule: | ||
| - cron: '0 0 * * 0' | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| analyze: | ||
| name: Analyze | ||
| runs-on: ubuntu-latest | ||
| if: github.actor != 'pdsen-ci' | ||
|
|
||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| # Override automatic language detection by changing the below list | ||
| # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python'] | ||
| # language: ['java', 'python'] | ||
| language: ['java'] | ||
| # Learn more... | ||
| # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| # We must fetch at least the immediate parents so that if this is | ||
| # a pull request then we can checkout the head. | ||
| fetch-depth: 2 | ||
|
|
||
| # Initializes the CodeQL tools for scanning. | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v2 | ||
| with: | ||
| languages: ${{ matrix.language }} | ||
| queries: security-and-quality, security-extended | ||
|
|
||
| # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | ||
| # If this step fails, then you should remove it and run the build manually (see below) | ||
| - name: Autobuild | ||
| uses: github/codeql-action/autobuild@v2 | ||
|
|
||
| # ℹ️ Command-line programs to run using the OS shell. | ||
| # 📚 https://git.io/JvXDl | ||
|
|
||
| # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines | ||
| # and modify them (or add more) to build your code if your project | ||
| # uses a compiled language | ||
|
|
||
| # - run: | | ||
| # mvn clean compile site -DskipTests | ||
|
|
||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@v2 | ||
|
|
||
| - run: | | ||
| pip install nasa-scrub | ||
| results_dir=`realpath ${{ github.workspace }}/../results` | ||
| sarif_files=`find $results_dir -name '*.sarif'` | ||
| for sarif_file in $sarif_files | ||
| do | ||
| output_file="$results_dir/$(basename $sarif_file .sarif).scrub" | ||
| python3 -m scrub.tools.parsers.translate_results $sarif_file $output_file ${{ github.workspace }} scrub | ||
| done | ||
| python3 -m scrub.tools.parsers.csv_parser $results_dir | ||
| echo "RESULTS_DIR=$results_dir" >> $GITHUB_ENV | ||
| - name: Upload CodeQL Artifacts | ||
| uses: actions/upload-artifact@v3 | ||
| with: | ||
| name: codeql-artifacts | ||
| path: ${{ env.RESULTS_DIR }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| # 🏃♀️ Continuous Integration and Delivery: Stable | ||
| # =============================================== | ||
| # | ||
| # Note: for this workflow to succeed, the following secrets must be installed | ||
| # in the repository: | ||
| # | ||
| # ``ADMIN_GITHUB_TOKEN`` | ||
| # A personal access token of a user with collaborator or better access to | ||
| # the project repository. You can generate this by visiting GitHub → | ||
| # Settings → Developer settings → Personal access tokens → Generate new | ||
| # token. Give the token scopes on ``repo``, ``write:packages``, | ||
| # ``delete:packages``, ``workflow``, and ``read:gpg_key``. | ||
| # ``CODE_SIGNING_KEY`` | ||
| # A *private* key with which we can sign artifacts. | ||
| # ``OSSRH_USERNAME`` | ||
| # Username for the Central Repository. | ||
| # ``OSSRH_USERNAME`` | ||
| # Password for the Central Repository. | ||
| # | ||
|
|
||
|
|
||
| --- | ||
|
|
||
| name: 😌 Stable integration & delivery | ||
|
|
||
|
|
||
| # Driving Event | ||
| # ------------- | ||
| # | ||
| # What event starts this workflow: a push of a release tag. Note: according to | ||
| # https://git.io/JJZQt we have been doing our tag matching wrong. It's not | ||
| # regexp, it's not glob…it's more like…glob++ 😮 | ||
|
|
||
| on: | ||
| push: | ||
| tags: | ||
| - 'release/*' | ||
| concurrency: roundup | ||
|
|
||
|
|
||
| # What to Do | ||
| # ---------- | ||
| # | ||
| # Round up, yee-haw! | ||
|
|
||
| jobs: | ||
| stable-assembly: | ||
| name: 🐴 Stable Assembly | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - | ||
| name: 💳 Checkout | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| lfs: true | ||
| token: ${{secrets.ADMIN_GITHUB_TOKEN}} | ||
| fetch-depth: 0 | ||
| - | ||
| name: 💵 Maven Cache | ||
| uses: actions/cache@v3 | ||
| with: | ||
| path: ~/.m2/repository | ||
| # The "key" used to indicate a set of cached files is the operating system runner | ||
| # plus "mvn" for Maven-specific builds, plus a hash of the `pom.xml` files, which | ||
| # should uniquely identify the dependent jars; plus "pds" because we pds-prefix | ||
| # everything with "pds" in PDS—even when the context is obvious! 😅 | ||
| key: pds-${{runner.os}}-mvn-${{hashFiles('**/pom.xml')}} | ||
| # To restore a set of files, we only need to match a prefix of the saved key. | ||
| restore-keys: pds-${{runner.os}}-mvn- | ||
| - | ||
| name: 🤠 Roundup | ||
| uses: NASA-PDS/roundup-action@stable | ||
| with: | ||
| assembly: stable | ||
| packages: openjdk11-jdk | ||
| env: | ||
| ossrh_username: ${{secrets.OSSRH_USERNAME}} | ||
| ossrh_password: ${{secrets.OSSRH_PASSWORD}} | ||
| CODE_SIGNING_KEY: ${{secrets.CODE_SIGNING_KEY}} | ||
| ADMIN_GITHUB_TOKEN: ${{secrets.ADMIN_GITHUB_TOKEN}} | ||
|
|
||
| ... | ||
|
|
||
| # -*- mode: yaml; indent: 4; fill-column: 120; coding: utf-8 -*- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,86 @@ | ||
| # 🏃♀️ Continuous Integration and Delivery: Unstable | ||
| # ================================================= | ||
| # | ||
| # Note: for this workflow to succeed, the following secrets must be installed | ||
| # in the repository or inherited from the organization: | ||
| # | ||
| # ``ADMIN_GITHUB_TOKEN`` | ||
| # A personal access token of a user with collaborator or better access to | ||
| # the project repository. You can generate this by visiting GitHub → | ||
| # Settings → Developer settings → Personal access tokens → Generate new | ||
| # token. Give the token scopes on ``repo``, ``write:packages``, | ||
| # ``delete:packages``, ``workflow``, and ``read:gpg_key``. | ||
| # ``CODE_SIGNING_KEY`` | ||
| # A *private* key with which we can sign artifacts. | ||
| # ``OSSRH_USERNAME`` | ||
| # Username for the Central Repository. | ||
| # ``OSSRH_USERNAME`` | ||
| # Password for the Central Repository. | ||
|
|
||
|
|
||
| --- | ||
|
|
||
| name: 🤪 Unstable integration & delivery | ||
|
|
||
|
|
||
| # Driving Event | ||
| # ------------- | ||
| # | ||
| # What event starts this workflow: a push to ``main`` (or ``master`` in old | ||
| # parlance). | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| workflow_dispatch: | ||
| concurrency: roundup | ||
|
|
||
|
|
||
| # What to Do | ||
| # ---------- | ||
| # | ||
| # Round up, yee-haw! | ||
|
|
||
| jobs: | ||
| unstable-assembly: | ||
| name: 🧩 Unstable Assembly | ||
| runs-on: ubuntu-latest | ||
| if: github.actor != 'pdsen-ci' | ||
| steps: | ||
| - | ||
| name: 💳 Checkout | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| lfs: true | ||
| fetch-depth: 0 | ||
| token: ${{secrets.ADMIN_GITHUB_TOKEN}} | ||
| - | ||
| name: 💵 Maven Cache | ||
| uses: actions/cache@v3 | ||
| with: | ||
| path: ~/.m2/repository | ||
| # The "key" used to indicate a set of cached files is the operating system runner | ||
| # plus "mvn" for Maven-specific builds, plus a hash of the `pom.xml` files, which | ||
| # should uniquely identify the dependent jars; plus "pds" because we pds-prefix | ||
| # everything with "pds" in PDS—even when the context is obvious! 😅 | ||
| key: pds-${{runner.os}}-mvn-${{hashFiles('**/pom.xml')}} | ||
| # To restore a set of files, we only need to match a prefix of the saved key. | ||
| restore-keys: pds-${{runner.os}}-mvn- | ||
| - | ||
| name: 🤠 Roundup | ||
| uses: NASA-PDS/roundup-action@stable | ||
| with: | ||
| assembly: unstable | ||
| maven-doc-phases: package,site,site:stage,-DskipTests | ||
| maven-unstable-artifact-phases: clean,site,deploy,-DskipTests | ||
| packages: openjdk11-jdk | ||
| env: | ||
| ossrh_username: ${{secrets.OSSRH_USERNAME}} | ||
| ossrh_password: ${{secrets.OSSRH_PASSWORD}} | ||
| CODE_SIGNING_KEY: ${{secrets.CODE_SIGNING_KEY}} | ||
| ADMIN_GITHUB_TOKEN: ${{secrets.ADMIN_GITHUB_TOKEN}} | ||
|
|
||
| ... | ||
|
|
||
| # -*- mode: yaml; indent: 4; fill-column: 120; coding: utf-8 -*- |