# Workflow Name: Maven build java (PR)
#
# NOTE: This workflow is deprecated and should not be used for new projects. The
# ci-pr-checks.yml workflow has been updated to support all functionality of
# this workflow and should be used instead. This workflow remains available
# for existing projects that have not yet migrated to ci-pr-checks.yml, but it
# will be removed in the future. Please reach out to the Digdir Platform team
# if you have any questions or need assistance with the migration.
#
# Owner: Digdir Platform team / Digdir development teams
#
# Purpose:
# This workflow performs a Maven build of a Java application and then runs a
# Trivy filesystem ('fs') scan of the checked-out application directory so that
# vulnerable dependencies are surfaced early, while the change is still a pull
# request. It runs two jobs in parallel: one that validates the pull request
# title (optional, pull_request events only) and one that performs the build
# and the scan.
#
# Flow (build job):
# 1. Checkout repository
# 2. Set up JDK (with Maven dependency cache and GitHub Packages server config)
# 3. Build with Maven (`mvn -B clean install --update-snapshots`)
# 4. Run Trivy vulnerability scanner ('fs' scan)
#
# Trigger:
# Called from other workflows via workflow_call. `github.event_name` is the
# calling workflow's event; the PR title check only runs when it is
# `pull_request`.
#
# Inputs:
# See the `inputs` section under `on.workflow_call` below. The GitHub Packages
# read credentials (GH_PACKAGES_READ_USER / GH_PACKAGES_READ_PAT) are read from
# `secrets.*`, so the caller must make them available (e.g. `secrets: inherit`).
#
# Outputs:
# None
#
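name: Maven build java (PR)

# Default to no GITHUB_TOKEN permissions; each job grants only what it needs.
permissions: {}

on:
  workflow_call:
    inputs:
      java-version:
        description: Main version of java
        default: '25'
        required: false
        type: string
      java-distribution:
        description: Java distribution to use
        default: "liberica"
        required: false
        type: string
      # Kept for backward compatibility with existing callers; no step in this
      # workflow reads it.
      sbom-path:
        description: DEPRECATED - Target directory for SBOM generation
        default: ./target/
        required: false
        type: string
      cache-path:
        description: Path to cache dependencies, relative to the repository root
        default: "**/pom.xml"
        required: false
        type: string
      application-path:
        description: Path to the application directory to scan with Trivy, relative to the repository root
        default: "./"
        required: false
        type: string
      enable-pr-title-verify:
        description: Set to true to enable PR title verification
        type: boolean
        default: true
      # The pull-request-* inputs are forwarded verbatim to the validate-pr-title
      # action; an empty string means "use that action's default".
      pull-request-title:
        description: Optional override for PR title (defaults to actual PR title)
        type: string
        required: false
        default: ''
      pull-request-allowed-prefixes:
        description: Override allowed prefixes (defaults to standard prefixes)
        type: string
        required: false
        default: ''
      pull-request-min-length-title:
        description: Override minimum length (defaults to 10)
        type: string
        required: false
        default: ''
      pull-request-max-length-title:
        description: Override maximum length (defaults to 100, -1 to disable)
        type: string
        required: false
        default: ''
      pull-request-case-sensitive-prefix:
        description: Override case sensitivity ('true' or 'false'). Leave empty to use the standard default (false)
        type: string
        required: false
        default: ''
      # The trivy-* inputs are forwarded verbatim to the trivy-scan action.
      trivy-library-disable-scan:
        description: Disable Trivy library scan
        type: boolean
        required: false
        default: false
      trivy-library-ignore-unfixed:
        description: Ignore unfixed vulnerabilities in Trivy library scan
        type: boolean
        required: false
        default: true
      trivy-library-severity:
        description: When to fail the scan with Trivy library vulnerabilities
        type: string
        required: false
        default: 'HIGH,CRITICAL'
      trivy-version:
        description: Version of Trivy to use for scanning
        type: string
        required: false
        default: ''
    # Declared explicitly so a caller can pass exactly these two secrets rather
    # than `secrets: inherit` (which exposes every repository secret to this
    # workflow). Callers that already use `secrets: inherit` keep working.
    secrets:
      GH_PACKAGES_READ_USER:
        description: Username for the Maven server-id "github" (GitHub Packages read access)
        required: false
      GH_PACKAGES_READ_PAT:
        description: Token for the Maven server-id "github" (GitHub Packages read access)
        required: false

jobs:
  validate-pr-title:
    # github.event_name is the calling workflow's event, so this job only runs
    # for pull_request-triggered callers that have not opted out.
    if: |
      inputs.enable-pr-title-verify == true &&
      github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Validate PR title
        # NOTE(review): mutable ref (@main) -- a push to that branch takes
        # effect in every caller immediately. Pin to a commit SHA unless this
        # file lives in the same repository and tracking main is intentional.
        uses: felleslosninger/github-workflows/.github/actions/validate-pr-title@main
        with:
          # On pull_request events the PR title is attacker-controlled; the
          # action must not interpolate it into a shell `run:` step.
          pull-request-title: ${{ inputs.pull-request-title }}
          allowed-prefixes: ${{ inputs.pull-request-allowed-prefixes }}
          min-length-title: ${{ inputs.pull-request-min-length-title }}
          max-length-title: ${{ inputs.pull-request-max-length-title }}
          case-sensitive-prefix: ${{ inputs.pull-request-case-sensitive-prefix }}

  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # pin@v6.0.2
        with:
          # No later step pushes or fetches over git, so do not leave the
          # GITHUB_TOKEN in .git/config where the build (which executes the
          # checked-out pom.xml's plugins) could read it.
          persist-credentials: false
      - name: Set up JDK ${{ inputs.java-version }}
        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # pin@v5.2.0
        with:
          distribution: "${{ inputs.java-distribution }}"
          java-version: ${{ inputs.java-version }}
          cache: maven
          cache-dependency-path: ${{ inputs.cache-path }}
          # Writes a settings.xml <server> entry whose credentials are resolved
          # from these environment variable *names*; the values are only made
          # available in the Maven step below.
          server-id: github
          server-username: GH_PACKAGES_READ_USER
          server-password: GH_PACKAGES_READ_PAT
      - name: Build with Maven
        # Secrets are scoped to this single step. `mvn` runs the plugins
        # declared in the checked-out pom.xml, so for same-repository PRs the
        # PAT is reachable by whatever the PR's build config executes.
        env:
          GH_PACKAGES_READ_USER: ${{ secrets.GH_PACKAGES_READ_USER }}
          GH_PACKAGES_READ_PAT: ${{ secrets.GH_PACKAGES_READ_PAT }}
        run: |
          mvn -B clean install --update-snapshots
      - name: Run Trivy vulnerability scanner (fs)
        # NOTE(review): mutable ref (@main); see the validate-pr-title step.
        uses: felleslosninger/github-workflows/.github/actions/trivy-scan@main
        with:
          scan-type: "fs"
          application-path: ${{ inputs.application-path }}
          library-disable-scan: ${{ inputs.trivy-library-disable-scan }}
          library-ignore-unfixed: ${{ inputs.trivy-library-ignore-unfixed }}
          library-severity: ${{ inputs.trivy-library-severity }}
          trivy-version: ${{ inputs.trivy-version }}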