[BRMO-384] Fix Resolving XML external entity in user-controlled data #4622
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: 'Ubuntu PostgreSQL build' | |
on: | |
push: | |
branches: | |
- 'master' | |
pull_request: | |
concurrency: # cancel on PR pushes | |
# More info: https://stackoverflow.com/a/68422069/253468 | |
group: ${{ github.workflow }}-${{ ( github.ref == 'refs/heads/master' || github.ref == 'refs/heads/release' ) && format('ci-master-{0}', github.sha) || format('ci-master-{0}', github.ref) }} | |
cancel-in-progress: true | |
env: | |
MAVEN_OPTS: -Djava.awt.headless=true -Xms8G -Xmx12G -Dmaven.wagon.httpconnectionManager.ttlSeconds=25 -Dmaven.wagon.http.retryHandler.count=3 -Dtest.persistence.unit=brmo.persistence.postgresql | |
PGPASSWORD: postgres | |
PGUSER: postgres | |
PGDATABASE: postgres | |
MAVEN_VERSION: '3.9.9' | |
jobs: | |
build: | |
name: "Java ${{ matrix.java }} / PostGIS ${{ matrix.postgis }}" | |
runs-on: ubuntu-22.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
java: [ 17 ] | |
java-dist: [ 'temurin' ] | |
# docker image tags from https://hub.docker.com/r/postgis/postgis/tags?page=1&ordering=last_updated | |
# zie ook https://www.postgresql.org/support/versioning/ | |
postgis: | |
# t/m november 2025 | |
- 13-3.5-alpine | |
# t/m november 2027 | |
- 15-3.5-alpine | |
# t/m november 2028 | |
- 16-3.5-alpine | |
# t/m november 2029 | |
- 17-3.5-alpine | |
include: | |
- java: 21 | |
java-dist: 'temurin' | |
postgis: 17-3.5-alpine | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
lfs: true | |
- name: 'Cache test data' | |
uses: actions/cache@v4 | |
with: | |
path: ~/downloads | |
key: downloads-${{ hashFiles('**/pom.xml') }} | |
restore-keys: | | |
downloads- | |
- name: 'Set up JDK' | |
uses: actions/setup-java@v4 | |
with: | |
distribution: ${{ matrix.java-dist }} | |
java-version: ${{ matrix.java }} | |
cache: 'maven' | |
- name: 'Set up Maven' | |
uses: stCarolas/setup-maven@v5 | |
with: | |
maven-version: ${{ env.MAVEN_VERSION }} | |
- name: 'Install extra software' | |
run: sudo apt install -y --no-install-recommends xmlstarlet | |
- name: 'Priming build' | |
run: | | |
mvn clean install -Dmaven.test.skip=true -Ddocker.skip=true -Dtest.onlyITs= -B -V -fae -Ppostgresql -DskipQA=true | |
projectversion=$(grep "<version>.*<.version>" -m1 pom.xml | sed -e "s/^.*<version/<version/" | cut -f2 -d">"| cut -f1 -d"<") | |
echo $projectversion | |
export PROJECTVERSION=$projectversion | |
sed -i s/\${project.version}/$projectversion/g ./brmo-persistence/db/create-brmo-persistence-postgresql.sql | |
sed -i s/\${project.version}/$projectversion/g ./datamodel/brk/brk2.0_postgresql.sql | |
- name: 'Set up PostgreSQL' | |
run: | | |
.build/ci/pgsql-start-docker.sh ${{ matrix.postgis }} | |
psql --version | |
psql -U postgres -h localhost -c 'SELECT version();' | |
.build/ci/pgsql-create-databases.sh | |
.build/ci/pgsql-setup.sh | |
- name: 'Prepare TopNL Data' | |
run: | | |
.build/ci/data-prepare-topnl.sh | |
- name: 'Test' | |
run: | | |
mvn -e test -B -Ppostgresql -pl '!brmo-dist' -Dtest.onlyITs=false -DskipQA=true | |
- name: 'Verify bag2-loader' | |
run: | | |
mvn -e verify -B -Ppostgresql -T1 -Dtest.onlyITs=true -pl 'bag2-loader' -DskipQA=true | |
.build/ci/pgsql-setup-bag2_views.sh | |
mvn resources:testResources compiler:testCompile surefire:test -Ppostgresql -pl datamodel -Dtest='!*UpgradeTest' -DskipQA=true | |
- name: 'Verify bgt-loader' | |
run: mvn -e verify -B -Ppostgresql -T1 -Dtest.onlyITs=true -pl 'bgt-loader' -DskipQA=true | |
- name: 'Verify brmo-loader' | |
run: mvn -e verify -B -Ppostgresql -Dtest.onlyITs=true -pl 'brmo-loader' -DskipQA=true | |
- name: 'Verify brmo-service' | |
run: mvn -e verify -B -Ppostgresql -Dtest.onlyITs=true -pl 'brmo-service' -DskipQA=true | |
- name: 'Verify brmo-stufbg204' | |
run: mvn -e verify -B -Ppostgresql -Dtest.onlyITs=true -pl 'brmo-stufbg204' -DskipQA=true | |
- name: 'Verify brmo-commandline' | |
run: mvn -e verify -B -Ppostgresql -Dtest.onlyITs=true -pl 'brmo-commandline' -DskipQA=true | |
- name: 'Verify nhr-loader' | |
run: mvn -e verify -B -Ppostgresql -Dtest.onlyITs=true -pl 'nhr-loader' -DskipQA=true | |
- name: 'Upload coverage to Codecov' | |
uses: codecov/codecov-action@v5 | |
with: | |
fail_ci_if_error: true | |
token: ${{ secrets.CODECOV_TOKEN }} | |
javadoc: | |
name: 'JavaDoc Check' | |
runs-on: ubuntu-latest | |
needs: qacheck | |
permissions: | |
contents: read | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
lfs: false | |
- name: 'Set up JDK' | |
uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: 17 | |
cache: 'maven' | |
- name: 'Set up Maven' | |
uses: stCarolas/setup-maven@v5 | |
with: | |
maven-version: ${{ env.MAVEN_VERSION }} | |
- name: 'Javadoc' | |
run: mvn compile javadoc:javadoc -DskipQA=true | |
- name: 'Test Javadoc' | |
run: mvn test-compile javadoc:test-javadoc -DskipQA=true | |
dependency-review: | |
name: 'Dependency Review' | |
if: ${{ github.event_name == 'pull_request' }} | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
steps: | |
- name: 'Checkout Repository' | |
uses: actions/checkout@v4 | |
with: | |
lfs: false | |
- name: 'Dependency Review' | |
uses: actions/dependency-review-action@v4 | |
qacheck: | |
name: 'QA checks' | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
lfs: false | |
- name: 'Set up JDK' | |
uses: actions/setup-java@v4 | |
with: | |
java-version: 17 | |
distribution: 'temurin' | |
cache: 'maven' | |
- name: 'Set up Maven' | |
uses: stCarolas/setup-maven@v5 | |
with: | |
maven-version: ${{ env.MAVEN_VERSION }} | |
- name: 'QA build with Maven' | |
run: mvn -B -V -fae -DskipQA=false -Dfmt.action=check -Dpom.fmt.action=verify -Ddocker.skip=true -Dtest.onlyITs= -Dmaven.test.skip=true clean package | |
deploy: | |
name: 'Deploy docker images' | |
if: ${{ github.repository == 'B3Partners/brmo' && github.ref == 'refs/heads/master' && github.event_name == 'push' }} | |
needs: [ build, qacheck ] | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
lfs: false | |
- name: 'Set up JDK (ghcr.io)' | |
uses: actions/setup-java@v4 | |
with: | |
distribution: temurin | |
java-version: 17 | |
cache: 'maven' | |
server-id: 'ghcr.io' | |
server-username: GITHUB_ACTOR | |
server-password: GITHUB_TOKEN | |
- name: 'Set up Maven' | |
uses: stCarolas/setup-maven@v5 | |
with: | |
maven-version: ${{ env.MAVEN_VERSION }} | |
- name: 'Build and Push docker images' | |
env: | |
GITHUB_ACTOR: ${{ secrets.GITHUB_ACTOR }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
mvn -pl docker,datamodel -am -Dmaven.test.skip=true -Dtest.onlyITs= -B -V -fae -DskipQA=true -Ddocker.skip=true install | |
mvn -pl docker -Dmaven.test.skip=true -Dtest.onlyITs= -B -V -fae -DskipQA=true deploy | |
- name: 'Deploy brmo-service SBOM' | |
uses: DependencyTrack/gh-upload-sbom@v3 | |
with: | |
serverhostname: ${{ secrets.DEPENDENCY_TRACK_HOSTNAME }} | |
apikey: ${{ secrets.DEPENDENCY_TRACK_APIKEY }} | |
project: 'ae922e6c-e182-46c4-b3fe-272eaeee6d9c' | |
bomfilename: 'brmo-service/target/bom.xml' | |
- name: 'Deploy brmo-stufbg204 SBOM' | |
uses: DependencyTrack/gh-upload-sbom@v3 | |
with: | |
serverhostname: ${{ secrets.DEPENDENCY_TRACK_HOSTNAME }} | |
apikey: ${{ secrets.DEPENDENCY_TRACK_APIKEY }} | |
project: '72254d7c-c584-4821-b1e7-c806ebcd967e' | |
bomfilename: 'brmo-stufbg204/target/bom.xml' | |
- name: 'Set up JDK (repo.b3p.nl)' | |
uses: actions/setup-java@v4 | |
with: | |
distribution: temurin | |
java-version: 17 | |
cache: 'maven' | |
server-id: 'repo.b3p.nl' | |
server-username: B3P_DEPLOY_ACTOR | |
server-password: B3P_DEPLOY_TOKEN | |
- name: 'Deploy Maven artifacts' | |
env: | |
B3P_DEPLOY_ACTOR: ${{ secrets.B3P_DEPLOY_ACTOR }} | |
B3P_DEPLOY_TOKEN: ${{ secrets.B3P_DEPLOY_TOKEN }} | |
run: | | |
mvn -Ddocker.skip=true -Dmaven.test.skip=true -Dtest.onlyITs= -B -V -fae -DskipQA=true deploy | |
cleanup: | |
name: 'Maven cache cleanup' | |
if: ${{ always() }} | |
needs: [ build, javadoc, qacheck ] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/cache@v4 | |
with: | |
path: ~/.m2/repository | |
key: maven-${{ hashFiles('**/pom.xml') }} | |
restore-keys: | | |
maven- | |
- name: 'Cleanup snapshot cache' | |
run: | | |
find ~/.m2/repository -name "*SNAPSHOT*" -type d | xargs rm -rf {} |