Bump org.apache.maven.plugins:maven-compiler-plugin from 3.11.0 to 3.13.0 #675
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Gytheio CI | |
on: | |
pull_request: | |
branches: | |
- master | |
- SP/** | |
- HF/** | |
- ACS-** | |
- feature/** | |
push: | |
branches: | |
- master | |
- SP/** | |
- HF/** | |
- ACS-** | |
- feature/** | |
schedule: | |
- cron: '0 5 * * 3' | |
workflow_dispatch: | |
env: | |
MAVEN_USERNAME: ${{ secrets.NEXUS_USERNAME }} | |
MAVEN_PASSWORD: ${{ secrets.NEXUS_PASSWORD }} | |
GIT_USERNAME: ${{ secrets.BOT_GITHUB_USERNAME }} | |
GIT_PASSWORD: ${{ secrets.BOT_GITHUB_TOKEN }} | |
AWS_REGION: eu-west-1 | |
jobs: | |
veracode_sca: | |
name: "Source Clear Scan (SCA)" | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
with: | |
srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }} | |
veracode_sast: | |
name: "Pipeline SAST Scan" | |
runs-on: ubuntu-latest | |
if: > | |
(github.ref_name == 'master' || startsWith(github.ref_name, 'SP/') || startsWith(github.ref_name, 'HF/') || github.event_name == 'pull_request') && | |
github.actor != 'dependabot[bot]' && | |
!contains(github.event.head_commit.message, '[skip build]') | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
- name: "Login to Docker Hub" | |
uses: docker/[email protected] | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: "Login to Quay.io" | |
uses: docker/[email protected] | |
with: | |
registry: quay.io | |
username: ${{ secrets.QUAY_USERNAME }} | |
password: ${{ secrets.QUAY_PASSWORD }} | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
with: | |
token: ${{ secrets.BOT_GITHUB_TOKEN }} | |
repository: "Alfresco/veracode-baseline-archive" | |
file-path: "gytheio/gytheio-baseline.json" | |
target: "baseline.json" | |
- name: "Build" | |
run: mvn -B -U install -DskipTests | |
- name: Create zip | |
run: find gytheio*/gytheio*/target gytheio*/target -name '*.jar' -exec zip -y -r to-scan.zip {} + | |
- name: "Run SAST Scan" | |
uses: veracode/[email protected] | |
with: | |
vid: ${{ secrets.VERACODE_API_ID }} | |
vkey: ${{ secrets.VERACODE_API_KEY }} | |
file: "to-scan.zip" | |
fail_build: true | |
project_name: gytheio | |
issue_details: true | |
veracode_policy_name: Alfresco Default | |
summary_output: true | |
summary_output_file: results.json | |
summary_display: true | |
baseline_file: baseline.json | |
- name: Upload scan result | |
if: success() || failure() | |
run: zip readable_output.zip results.json | |
- name: Upload Artifact | |
if: success() || failure() | |
uses: actions/upload-artifact@v3 | |
with: | |
name: Veracode Pipeline-Scan Results (Human Readable) | |
path: readable_output.zip | |
build: | |
name: "Build" | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
- name: "Remove SNAPSHOT artifacts" | |
run: find "${HOME}/.m2/repository/" -type d -name "*-SNAPSHOT*" | xargs -r -l rm -rf | |
- name: "Install ImageMagick to parse PDFs" | |
run: | | |
sudo apt-get update | |
sudo apt-get install -q -y imagemagick ghostscript ffmpeg | |
# ImageMagick6's default security policy doesn't allow it to parse PDFs | |
sudo sed -i '/PDF/s/none/read|write/' /etc/ImageMagick-6/policy.xml | |
- name: "Configure AWS credentials" | |
uses: aws-actions/configure-aws-credentials@v1 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_S3_BUCKET_CREATE_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_S3_BUCKET_CREATE_SECRET_ACCESS_KEY }} | |
aws-region: ${{ env.AWS_REGION }} | |
- name: "Build and test" | |
run: bash _ci/build.sh | |
release: | |
name: "Release" | |
needs: [veracode_sca, build] | |
runs-on: ubuntu-latest | |
if: > | |
contains(github.event.head_commit.message, '[release]') && | |
github.event_name != 'pull_request' && | |
(github.ref_name == 'master' || startsWith(github.ref_name, 'SP/') || startsWith(github.ref_name, 'HF/')) | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
persist-credentials: false | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
with: | |
username: ${{ secrets.BOT_GITHUB_USERNAME }} | |
email: ${{ secrets.BOT_GITHUB_EMAIL }} | |
- name: "Remove SNAPSHOT artifacts" | |
run: find "${HOME}/.m2/repository/" -type d -name "*-SNAPSHOT*" | xargs -r -l rm -rf | |
- name: "Release" | |
run: bash _ci/release.sh |