Skip to content

Commit

Permalink
Update ci.yml
Browse files Browse the repository at this point in the history
  • Loading branch information
@gouthamvadi
gouthamvadi authored May 27, 2024
1 parent 86e6370 commit 83c3127
Showing 1 changed file with 14 additions and 101 deletions.
115 changes: 14 additions & 101 deletions .github/workflows/ci.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,18 +6,12 @@
name: Java CI with Maven

env:
JAVA: 17
PRIVILEGED_RUN: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/development')
|| github.event.pull_request.head.repo.full_name == github.repository }}
JAVA: 11
PRIVILEGED_RUN: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/development') || github.event.pull_request.head.repo.full_name == github.repository }}
CODEQL_LANGUAGES: 'java' # FIXME(@JonasCir) add 'javascript'
on:
push:
branches: [ development, master, hotfix* ]
pull_request:
branches: [ development, hotfix* ]
workflow_dispatch: # run it manually from the GH Actions web console
schedule:
- cron: '35 1 * * 0'

on: push

jobs:
ci:
name: SORMAS CI
Expand All @@ -26,112 +20,31 @@ jobs:
security-events: write

steps:
- name: Checkout repository (with token)
- name: Checkout repository
#(with token)
# Check if PR results from the repository: if yes, we have access to the secrets.
# The token is only needed for privileged actions from within the repo, so no need
# to make it available on 3rd party PRs
if: ${{ fromJSON(env.PRIVILEGED_RUN) }}
uses: actions/checkout@v3
with:
token: ${{ secrets.SORMAS_VITAGROUP_CI_TOKEN }}

- name: Checkout repository (without token)
# Check if PR results from a fork: if yes, we cannot access the token.
# The token is only needed for privileged actions from within the
# repo, so no need to make it available on 3rd party PRs
if: ${{ !fromJSON(env.PRIVILEGED_RUN) }}
uses: actions/checkout@v3
uses: actions/checkout@v2

- name: Initialize CodeQL
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@v1
with:
languages: ${{ env.CODEQL_LANGUAGES }}

- name: Set up JDK ${{ env.JAVA }}
uses: actions/setup-java@v3
uses: actions/setup-java@v1
with:
java-version: ${{ env.JAVA }}
distribution: 'zulu'

- name: Cache Maven packages
# Check if PR results from the repository: if yes, it is safe to cache dependencies.
# This is to keep us safe from cache poisoning through 3rd party PRs.
if: ${{ fromJSON(env.PRIVILEGED_RUN) }}
uses: actions/cache@v3
#if: ${{ fromJSON(env.PRIVILEGED_RUN) }}
# FIXME(@JonasCir) #3733 remove '**/*.pom' once serverlib pom is renamed
uses: actions/cache@v2
with:
path: ~/.m2
key: ${{ runner.os }}-java-${{ env.JAVA }}-m2-${{ hashFiles('**/pom.xml') }}
key: ${{ runner.os }}-java-${{ env.JAVA }}-m2-${{ hashFiles('**/pom.xml', '**/*.pom') }}
restore-keys: ${{ runner.os }}-java-${{ env.JAVA }}-m2

- name: Cache SonarCloud packages
# Check if PR results from the repository: if yes, it is safe to cache dependencies.
# This is to keep us safe from cache poisoning through 3rd party PRs.
if: ${{ fromJSON(env.PRIVILEGED_RUN) }}
uses: actions/cache@v3
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Run mvn verify and sonar analysis
# FIXME(@JonasCir) see https://github.com/sormas-foundation/SORMAS-Project/issues/3730#issuecomment-745165678
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
working-directory: ./sormas-base
run: mvn -B -ntp verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=SORMAS-Project

- name: Comment with SonarCloud analysis
uses: actions/github-script@v6
if: github.event_name == 'pull_request'
with:
github-token: ${{ secrets.SORMAS_VITAGROUP_CI_TOKEN }}
script: |
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `SonarCloud analysis: https://sonarcloud.io/dashboard?id=SORMAS-Project&pullRequest=${{ github.event.pull_request.number }}`
})
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2

- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/[email protected]
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
scanners: 'vuln,secret,config'

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
# needed as codeQL also performs an upload, and they clash otherwise
category: 'code-scanning/trivy-repo'

- name: Commit openAPI spec to development
# Privileged action needing a secret token. Since this only runs on development in our own repo
# the token will be available through a privileged checkout.
if: github.event_name == 'push' && github.ref == 'refs/heads/development'
&& hashFiles('sormas-rest/target/swagger.yaml') != hashFiles('sormas-rest/swagger.yaml')
# https://stackoverflow.com/questions/59604922/authorize-bash-to-access-github-protected-branch
run: |
git config --global user.name "sormas-vitagroup"
git config --global user.email "[email protected]"
mkdir /tmp/openapi
cp sormas-rest/target/swagger.* /tmp/openapi
git fetch
git checkout development
git pull
rm -f sormas-rest/swagger.*
cp /tmp/openapi/swagger.* sormas-rest/
git add sormas-rest/swagger.*
git commit -m "[GitHub Actions] Update openAPI spec files"
git push

0 comments on commit 83c3127

Please sign in to comment.