fix: pom.xml to reduce vulnerabilities #112
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Project CI | |
| on: | |
| push: | |
| branches: | |
| - '*' | |
| - '*/*' | |
| - '**' | |
| tags-ignore: | |
| - '**' | |
| jobs: | |
| cancel-prev-runs: | |
| name: Cancel Previous Runs | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: n1hility/cancel-previous-runs@v2 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| validate: | |
| name: Validate Code | |
| runs-on: ubuntu-latest | |
| needs: | |
| - cancel-prev-runs | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - uses: actions/cache@v2 | |
| with: | |
| path: | | |
| ~/.m2 | |
| key: ${{ runner.os }}-maven-test-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-maven-test- | |
| - name: Set up JDK 17 | |
| uses: actions/setup-java@v2 | |
| with: | |
| java-version: '17' | |
| distribution: 'adopt' | |
| - name: Code Validation | |
| run: mvn -B validate --file pom.xml | |
| - name: Archive CycloneDX | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: cyclone | |
| path: target/bom.json | |
| retention-days: 5 | |
| - name: Code Compilation | |
| run: mvn -B clean compile --file pom.xml | |
| - name: Checkstyle | |
| run: mvn -B checkstyle:checkstyle -Dcheckstyle.skip=false --file pom.xml | |
| - name: Archive Checkstyle | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: checkstyle | |
| path: target/site/checkstyle.html | |
| retention-days: 5 | |
| test: | |
| name: Test Code | |
| runs-on: ubuntu-latest | |
| needs: | |
| - validate | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - uses: actions/cache@v2 | |
| with: | |
| path: | | |
| ~/.m2 | |
| key: ${{ runner.os }}-maven-test-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-maven-test- | |
| - name: Cache SonarCloud packages | |
| uses: actions/cache@v2 | |
| with: | |
| path: ~/.sonar/cache | |
| key: ${{ runner.os }}-sonar | |
| restore-keys: ${{ runner.os }}-sonar | |
| - name: Set up JDK 17 | |
| uses: actions/setup-java@v2 | |
| with: | |
| java-version: '17' | |
| distribution: 'adopt' | |
| - name: Unit Tests | |
| run: mvn -B test --file pom.xml | |
| - name: Integration Tests | |
| run: mvn -B verify -P integration-test --file pom.xml | |
| - name: Code Coverage | |
| run: mvn -B clean verify -P all-tests --file pom.xml | |
| - name: Check Run Report | |
| uses: check-run-reporter/action@v2.11.1 | |
| with: | |
| token: ${{ secrets.CHECK_RUN_REPORTER_TOKEN }} | |
| report: 'target/**/TEST-*.xml' | |
| - name: Report results to DeepSource | |
| if: ${{ always() }} | |
| run: | | |
| curl https://deepsource.io/cli | sh | |
| ./bin/deepsource report --analyzer test-coverage --key java --value-file ./target/coverage-reports/merged-test-report/jacoco.xml | |
| env: | |
| DEEPSOURCE_DSN: ${{ secrets.DEEPSOURCE_DSN }} | |
| - name: Generate JaCoCo Badge | |
| uses: cicirello/jacoco-badge-generator@v2 | |
| id: jacoco | |
| with: | |
| generate-branches-badge: true | |
| jacoco-csv-file: target/coverage-reports/merged-test-report/jacoco.csv | |
| - name: Log coverage percentage | |
| run: | | |
| echo "coverage = ${{ steps.jacoco.outputs.coverage }}" | |
| echo "branch coverage = ${{ steps.jacoco.outputs.branches }}" | |
| - name: Commit the badge (if it changed) | |
| run: | | |
| if [[ `git status --porcelain` ]]; then | |
| git config --global user.name 'CI Bot' | |
| git config --global user.email 'cibot@users.noreply.github.com' | |
| git add -A | |
| git commit -m "ci: autogenerated JaCoCo coverage badge" | |
| git push | |
| fi | |
| - name: Upload JaCoCo coverage report | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: jacoco-report | |
| path: target/coverage-reports/merged-test-report/ | |
| - name: Qualitygate | |
| run: mvn -B clean verify -P all-tests package sonar:sonar -Dsonar.projectKey=paulushcgcj_database-evo -Dsonar.coverage.jacoco.xmlReportPaths=target/coverage-reports/merged-test-report/jacoco.xml --file pom.xml | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| security: | |
| name: Security checks | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| needs: | |
| - validate | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - uses: actions/cache@v2 | |
| with: | |
| path: | | |
| ~/.m2 | |
| key: ${{ runner.os }}-maven-test-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-maven-test- | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v2 | |
| with: | |
| languages: java | |
| - name: Set up JDK 17 | |
| uses: actions/setup-java@v2 | |
| with: | |
| java-version: '17' | |
| distribution: 'adopt' | |
| - name: Code Compilation | |
| run: mvn -B clean compile --file pom.xml | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v2 | |
| - name: Run Snyk to check for vulnerabilities | |
| uses: snyk/actions/maven@master | |
| continue-on-error: true | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| args: --severity-threshold=high --sarif-file-output=snyk.sarif | |
| release: | |
| name: Release | |
| runs-on: ubuntu-latest | |
| if: github.ref_name == 'main' | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - uses: actions/cache@v2 | |
| with: | |
| path: | | |
| ~/.m2 | |
| key: ${{ runner.os }}-maven-test-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-maven-test- | |
| - name: Set up JDK 17 | |
| uses: actions/setup-java@v2 | |
| with: | |
| java-version: '17' | |
| distribution: 'adopt' | |
| - name: Backing up Changelog | |
| run: | | |
| mv CHANGELOG.md OLD.CHANGELOG.md | |
| touch CHANGELOG.md | |
| - name: Conventional Changelog Update | |
| uses: TriPSs/conventional-changelog-action@v3 | |
| id: changelog | |
| with: | |
| github-token: ${{ github.token }} | |
| output-file: 'CHANGELOG.md' | |
| skip-version-file: 'true' | |
| skip-commit: 'true' | |
| git-push: 'false' | |
| - name: Set new version | |
| run: mvn versions:set -DnewVersion='${{ steps.changelog.outputs.version }}' -f pom.xml -DskipTests -Dtests.skip=true -Dskip.unit.tests=true | |
| - name: Update POM | |
| run: mvn versions:commit | |
| - name: Updating Compose version | |
| run: sed -i -E "s/DBEVO=.*/DBEVO=${{ steps.changelog.outputs.version }}/g" docs/environment/.env | |
| - name: Merging Changelog | |
| run: | | |
| mv CHANGELOG.md RELEASE.md | |
| cat RELEASE.md OLD.CHANGELOG.md > CHANGELOG.md | |
| - name: Update resources | |
| uses: test-room-7/action-update-file@v1 | |
| with: | |
| file-path: | | |
| pom.xml | |
| CHANGELOG.md | |
| docs/environment/.env | |
| commit-msg: "doc: updating pom to ${{ steps.changelog.outputs.version }} [ci skip]" | |
| github-token: ${{ secrets.PAT }} | |
| - name: Create Release | |
| uses: actions/create-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.PAT }} | |
| with: | |
| tag_name: ${{ steps.changelog.outputs.tag }} | |
| release_name: ${{ steps.changelog.outputs.tag }} | |
| body: ${{ steps.changelog.outputs.clean_changelog }} |