Merge pull request #73 from siemens/dependabot/maven/dependabot-depen… #11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Run various code quality checks when pushing to main or when opening pull requests. | |
# - This will run the tests, as well as | |
# - Perform an analysis via SonarCloud | |
# - Examine whether any of the dependencies contain known vulnerabilities | |
name: Code quality checks | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
types: [opened, synchronize, reopened] | |
jobs: | |
analyze_sonar: | |
name: Run unit tests and Sonar analysis | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | |
- name: Set up JDK 17 | |
uses: actions/setup-java@v3 | |
with: | |
java-version: 17 | |
distribution: 'temurin' | |
- name: Cache SonarCloud packages | |
uses: actions/cache@v3 | |
with: | |
path: ~/.sonar/cache | |
key: ${{ runner.os }}-sonar | |
restore-keys: ${{ runner.os }}-sonar | |
- name: Cache Maven packages | |
uses: actions/cache@v3 | |
with: | |
path: ~/.m2 | |
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} | |
restore-keys: ${{ runner.os }}-m2 | |
- name: Analyze code quality | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
# note that we deliberately turn off the OWASP dependency checker here, it will run in a separate job, | |
# such that its results can be viewed independently of what Sonar has to say | |
run: | | |
mvn -B verify sonar:sonar -Dsonar.projectKey=siemens_LightweightCmpRa -Ddependency-check.skip=true | |
analyze_dependencies_owasp: | |
name: Check dependencies with OWASP | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Set up JDK 11 | |
uses: actions/setup-java@v3 | |
with: | |
java-version: 11 | |
distribution: 'temurin' | |
- name: Cache Maven packages | |
uses: actions/cache@v3 | |
with: | |
path: ~/.m2 | |
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} | |
restore-keys: ${{ runner.os }}-m2 | |
- name: Analyze dependencies | |
env: | |
NVD_API_KEY: ${{ secrets.NVD_TOKEN }} | |
# this will run the OWASP dependency checker only | |
run: mvn -B verify -DskipTests |