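---
# This is the workflow pipeline that runs the default build and checks that are
# needed for this repository. It is triggered by commits on the base branches
# and in pull requests to execute the differential checks that are required for
# the pull request. Furthermore, it is triggered regularly to notify about recent
# security issues or other external changes that may break the project checks.
#
# Conventions used in this file:
# - Secrets, expression contexts and outputs are passed to `run:` steps through
#   `env:` and read as shell variables. A `${{ ... }}` expression is substituted
#   into the script text before bash parses it, so a value containing quotes or
#   shell syntax (e.g. an event payload) would change the script itself; an
#   environment variable is only ever data.
# - NOTE(review): every `uses:` reference below reads "[email protected]" on the
#   rendered page (the tag was mangled in rendering). Restore each reference from
#   the repository, ideally pinned to a full-length commit SHA with the tag kept
#   in a trailing comment, so a moved tag cannot change what the job runs.
name: Default Pipeline

on:
  push:
    branches: [main, 'maintenance-[0-9]+.[0-9]+']
  pull_request:
    # For the CodeQL workflow, the branches below must be a subset of the
    # branches above.
    branches: [main, 'maintenance-[0-9]+.[0-9]+']
    paths-ignore: ['**/*.md']
  schedule:
    - cron: '27 11 * * 4'
  workflow_dispatch:

# Least privilege for the default token: `contents: write` is needed by the
# dependency-graph submission, `security-events: write` by the SARIF uploads,
# `actions: read` by CodeQL.
permissions:
  actions: read
  contents: write
  security-events: write

jobs:
  build-and-check:
    name: Build and Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/[email protected]

      # Derives settings used by later steps:
      # - has_msteams_workflow_post_url: "true" when the Teams webhook secret is
      #   configured (unset otherwise, so the notification step is skipped).
      # - mvn_args: common Maven flags; transfer progress is only shown when
      #   debug logging is enabled.
      - name: Initialize internal configuration
        id: config
        env:
          MSTEAMS_WORKFLOW_POST_URL: ${{ secrets.MSTEAMS_WORKFLOW_POST_URL }}
          RUNNER_DEBUG_ENABLED: ${{ runner.debug }}
        run: |
          if [[ -n "${MSTEAMS_WORKFLOW_POST_URL}" ]]; then
            echo "has_msteams_workflow_post_url=true" >> "$GITHUB_OUTPUT"
          else
            echo "::notice::Secret MSTEAMS_WORKFLOW_POST_URL is not set. Won't send any failure notifications to Teams."
          fi
          MVN_ARGS='--batch-mode --fail-at-end'
          if [[ -z "${RUNNER_DEBUG_ENABLED}" ]]; then
            MVN_ARGS="${MVN_ARGS} --no-transfer-progress"
          fi
          echo "mvn_args=${MVN_ARGS}" >> "$GITHUB_OUTPUT"

      - name: Set up JDK
        uses: actions/[email protected]
        with:
          java-version: 17
          distribution: corretto
          # No dependency cache when running locally under act.
          cache: ${{ !env.ACT && 'maven' || '' }}

      # The repository-provided settings.xml replaces whatever the JDK setup
      # generated, so the Nexus credentials below are the only ones in play.
      - name: Overwrite Maven settings
        run: |
          mkdir -p "${HOME}/.m2"
          cp .github/workflows/config/settings.xml "${HOME}/.m2/settings.xml"

      - name: Initialize CodeQL
        uses: github/codeql-action/[email protected]
        with:
          languages: java
          queries: security-and-quality

      # Builds, runs integration tests, javadoc and the container image.
      # Output is captured for the deprecation check below; `tee` would hide
      # Maven's exit status, so it is taken from PIPESTATUS immediately after
      # the pipeline (any later command overwrites PIPESTATUS).
      - name: Run Maven Build
        env:
          NEXUS_GITHUB_ACTIONS_READONLY_USERNAME: ${{ secrets.NEXUS_GITHUB_ACTIONS_READONLY_USERNAME }}
          NEXUS_GITHUB_ACTIONS_READONLY_TOKEN: ${{ secrets.NEXUS_GITHUB_ACTIONS_READONLY_TOKEN }}
          MVN_ARGS: ${{ steps.config.outputs.mvn_args }}
        run: |
          mvn ${MVN_ARGS} \
            install javadoc:javadoc \
            -Pintegration-test,default-image,docs-third-party \
            -Dapplication.image-prefix=coremedia \
            -Dapplication.image-suffix=headless-server-commerce \
            -Dapplication.image-tag=${GITHUB_SHA} \
            -Dsort.verifyFail=stop \
            | tee mvn-output.log
          mvn_status="${PIPESTATUS[0]}"
          exit "${mvn_status}"

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/[email protected]
        with:
          category: '/language:java'

      # Image scan only on base-branch and scheduled runs; pull requests are
      # covered by the source-level checks above.
      - name: Run Trivy vulnerability scanner
        if: github.event_name != 'pull_request'
        uses: aquasecurity/[email protected]
        with:
          scan-type: image
          image-ref: "coremedia/headless-server-commerce:${{ github.sha }}"
          trivy-config: .github/workflows/config/trivy.yml
          format: sarif
          output: trivy-results.sarif
          limit-severities-for-sarif: true

      - name: Upload Trivy scan results to GitHub Security tab
        if: github.event_name != 'pull_request'
        uses: github/codeql-action/[email protected]
        with:
          sarif_file: trivy-results.sarif

      - name: Update dependency graph
        if: github.ref_name == github.event.repository.default_branch
        uses: advanced-security/[email protected]

      # Fails the job when the Maven log shows deprecation warnings that are
      # not listed in ignored-deprecations.txt. `|| true` keeps an empty
      # result from aborting the step under `set -e`.
      - name: Check for deprecated API usages
        if: github.ref_name == github.event.repository.default_branch || github.base_ref == github.event.repository.default_branch
        run: |
          grep '^\[WARNING\]' mvn-output.log | grep 'has been deprecated' > deprecated.log || true
          grep -Fvf .github/workflows/config/ignored-deprecations.txt deprecated.log > violations.log || true
          if [[ -s violations.log ]]; then
            cat violations.log
            echo "::error::Deprecated API calls are not allowed!"
            exit 1
          fi
          echo "::notice::No deprecated API calls found"

      # Scheduled runs have nobody watching them, so failures are pushed to a
      # Teams workflow. Placeholders in the card template are filled from the
      # runner's default GITHUB_* variables; the webhook URL is a secret and is
      # read from the environment, never written into the script.
      - name: Send failure notification to MS Teams Workflow
        if: ${{ !success() && github.event_name == 'schedule' && steps.config.outputs.has_msteams_workflow_post_url }}
        env:
          MSTEAMS_WORKFLOW_POST_URL: ${{ secrets.MSTEAMS_WORKFLOW_POST_URL }}
        run: |
          jq -c . .github/workflows/config/teams-notification-card-template.json \
            | sed "s|@GITHUB_REPOSITORY@|${GITHUB_REPOSITORY}|g" \
            | sed "s|@GITHUB_WORKFLOW@|${GITHUB_WORKFLOW}|g" \
            | sed "s|@GITHUB_RUN_ID@|${GITHUB_RUN_ID}|g" \
            | sed "s|@GITHUB_SERVER_URL@|${GITHUB_SERVER_URL}|g" \
            > notification-card.json
          curl "${MSTEAMS_WORKFLOW_POST_URL}" \
            -X POST \
            -H 'Content-Type: application/json' \
            -d @'notification-card.json' \
            > notification-result.json
          # A non-empty response body is treated as an error report.
          if [[ -s notification-result.json ]]; then
            echo "Notification card post result:"
            jq -r '.error // empty' notification-result.json
            exit 1
          fi

      # Context dumps are handed over via env: the github context carries the
      # event payload (PR titles, commit messages, ...), which must not be
      # spliced into shell source. Secrets inside the dump are still masked by
      # the runner, but enable this only when needed.
      - name: Debug GitHub contexts (only when debug logging is enabled)
        if: always() && runner.debug
        env:
          GITHUB_CONTEXT: ${{ toJSON(github) }}
          JOB_CONTEXT: ${{ toJSON(job) }}
          STEPS_CONTEXT: ${{ toJSON(steps) }}
          RUNNER_CONTEXT: ${{ toJSON(runner) }}
          STRATEGY_CONTEXT: ${{ toJSON(strategy) }}
          MATRIX_CONTEXT: ${{ toJSON(matrix) }}
          VARS_CONTEXT: ${{ toJSON(vars) }}
          ENV_CONTEXT: ${{ toJSON(env) }}
        run: |
          echo "::group::Dump GitHub context"
          echo "${GITHUB_CONTEXT}"
          echo "::endgroup::"
          echo "::group::Dump job context"
          echo "${JOB_CONTEXT}"
          echo "::endgroup::"
          echo "::group::Dump steps context"
          echo "${STEPS_CONTEXT}"
          echo "::endgroup::"
          echo "::group::Dump runner context"
          echo "${RUNNER_CONTEXT}"
          echo "::endgroup::"
          echo "::group::Dump strategy context"
          echo "${STRATEGY_CONTEXT}"
          echo "::endgroup::"
          echo "::group::Dump matrix context"
          echo "${MATRIX_CONTEXT}"
          echo "::endgroup::"
          echo "::group::Dump vars context"
          echo "${VARS_CONTEXT}"
          echo "::endgroup::"
          echo "::group::Dump env context"
          echo "${ENV_CONTEXT}"
          echo "::endgroup::"
          echo "::group::Dump OS environment"
          env | sort
          echo "::endgroup::"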