Skip to content
Default Pipeline

Bump github/codeql-action from 3.27.5 to 3.28.0 #796

Sign in to view logs

Bump github/codeql-action from 3.27.5 to 3.28.0

Bump github/codeql-action from 3.27.5 to 3.28.0 #796

Workflow file for this run

.github/workflows/default.yml at 819690e
# This is the workflow pipeline that runs the default build and checks that are
# needed for this repository. It is triggered by commits on the base branches
# and in pull requests to execute the differential checks that are required the
# pull request. Furthermore, it is triggered regularly to notify about recent
# security issues or other external changes that may break the project checks.
name: Default Pipeline
on:
push:
branches: [ main, 'maintenance-[0-9]+.[0-9]+' ]
pull_request:
# For the CodeQL workflow, the branches below must be a subset of the branches above.
branches: [ main, 'maintenance-[0-9]+.[0-9]+' ]
paths-ignore: [ '**/*.md' ]
schedule:
- cron: '27 11 * * 4'
workflow_dispatch:
permissions:
actions: read
contents: write
security-events: write
jobs:
build-and-check:
name: Build and Check
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/[email protected]
- name: Initialize internal configuration
id: config
run: |
if [[ -n "${{ secrets.MSTEAMS_WORKFLOW_POST_URL }}" ]]; then
echo "has_msteams_workflow_post_url=true" >> "$GITHUB_OUTPUT"
else
echo "::notice::Secret MSTEAMS_WORKFLOW_POST_URL is not set. Won't send any failure notifications to Teams."
fi
MVN_ARGS='--batch-mode --fail-at-end'
if [[ -z "${{ runner.debug }}" ]]; then
MVN_ARGS="${MVN_ARGS} --no-transfer-progress"
fi
echo "mvn_args=${MVN_ARGS}" >> "$GITHUB_OUTPUT"
- name: Set up JDK
uses: actions/[email protected]
with:
java-version: 17
distribution: corretto
cache: ${{ !env.ACT && 'maven' || '' }}
- name: Overwrite Maven settings
run: cp .github/workflows/config/settings.xml ${HOME}/.m2/settings.xml
- name: Initialize CodeQL
uses: github/codeql-action/[email protected]
with:
languages: java
queries: security-and-quality
- name: Run Maven Build
run: |
mvn ${{ steps.config.outputs.mvn_args }} \
install javadoc:javadoc \
-Pintegration-test,default-image,docs-third-party \
-Dapplication.image-prefix=coremedia \
-Dapplication.image-suffix=headless-server-commerce \
-Dapplication.image-tag=${{ github.sha }} \
-Dsort.verifyFail=stop \
| tee mvn-output.log
[[ ${PIPESTATUS} -eq 0 ]] || exit ${PIPESTATUS}
env:
NEXUS_GITHUB_ACTIONS_READONLY_USERNAME: ${{ secrets.NEXUS_GITHUB_ACTIONS_READONLY_USERNAME }}
NEXUS_GITHUB_ACTIONS_READONLY_TOKEN: ${{ secrets.NEXUS_GITHUB_ACTIONS_READONLY_TOKEN }}
- name: Perform CodeQL Analysis
uses: github/codeql-action/[email protected]
with:
category: '/language:java'
- name: Run Trivy vulnerability scanner
if: github.event_name != 'pull_request'
uses: aquasecurity/[email protected]
with:
scan-type: image
image-ref: "coremedia/headless-server-commerce:${{ github.sha }}"
trivy-config: .github/workflows/config/trivy.yml
format: sarif
output: trivy-results.sarif
limit-severities-for-sarif: true
- name: Upload Trivy scan results to GitHub Security tab
if: github.event_name != 'pull_request'
uses: github/codeql-action/[email protected]
with:
sarif_file: trivy-results.sarif
- name: Update dependency graph
if: github.ref_name == github.event.repository.default_branch
uses: advanced-security/[email protected]
- name: Check for deprecated API usages
if: github.ref_name == github.event.repository.default_branch || github.base_ref == github.event.repository.default_branch
run: |
cat mvn-output.log | grep '^\[WARNING\]' | grep 'has been deprecated' > deprecated.log || true
grep -Fvf .github/workflows/config/ignored-deprecations.txt deprecated.log > violations.log || true
if [[ -s violations.log ]]; then
cat violations.log
echo "::error::Deprecated API calls are not allowed!"
exit 1
fi
echo "::notice::No deprecated API calls found"
- name: Send failure notification to MS Teams Workflow
if: ${{ !success() && github.event_name == 'schedule' && steps.config.outputs.has_msteams_workflow_post_url }}
run: |
cat .github/workflows/config/teams-notification-card-template.json \
| jq -c . \
| sed "s|@GITHUB_REPOSITORY@|${{ github.repository }}|g" \
| sed "s|@GITHUB_WORKFLOW@|${{ github.workflow }}|g" \
| sed "s|@GITHUB_RUN_ID@|${{ github.run_id }}|g" \
| sed "s|@GITHUB_SERVER_URL@|${{ github.server_url }}|g" \
> notification-card.json
curl "${{ secrets.MSTEAMS_WORKFLOW_POST_URL }}" \
-X POST \
-H 'Content-Type: application/json' \
-d @'notification-card.json' \
> notification-result.json
if [[ -s notification-result.json ]]; then
echo "Notification card post result:"
cat notification-result.json | jq -r '.error // empty'
exit 1
fi
- name: Debug GitHub contexts (only when debug logging is enabled)
if: always() && runner.debug
run: |
echo "::group::Dump GitHub context"
echo '${{ toJSON(github) }}'
echo "::endgroup::"
echo "::group::Dump job context"
echo '${{ toJSON(job) }}'
echo "::endgroup::"
echo "::group::Dump steps context"
echo '${{ toJSON(steps) }}'
echo "::endgroup::"
echo "::group::Dump runner context"
echo '${{ toJSON(runner) }}'
echo "::endgroup::"
echo "::group::Dump strategy context"
echo '${{ toJSON(strategy) }}'
echo "::endgroup::"
echo "::group::Dump matrix context"
echo '${{ toJSON(matrix) }}'
echo "::endgroup::"
echo "::group::Dump vars context"
echo '${{ toJSON(vars) }}'
echo "::endgroup::"
echo "::group::Dump env context"
echo '${{ toJSON(env) }}'
echo "::endgroup::"
echo "::group::Dump OS environment"
env | sort
echo "::endgroup::"