# Workflow Name: Maven build and publish to GitHub packages
#
# Owner: Digdir Platform team / Digdir development teams
#
# Purpose:
# This workflow is designed to perform a Maven build of a Java application,
# and publish the built artifact to GitHub packages. It should be used when
# you have no internal Maven dependencies in your project. The workflow will
# optionally run mvn versions:set to set the version of the package, and can
# be configured to deploy to a specific repository. The workflow will also
# run a Trivy vulnerability 'fs' scan to detect vulnerabilities fast. If you
# have internal dependencies, please use the ci-maven-install-deploy-lib.yml
# workflow instead, which supports this use case.
#
# Flow:
# 1. Checkout repository
# 2. Set up JDK
# 3. Run Trivy vulnerability scanner ('fs' scan)
# 4. Optionally set version with `mvn versions:set`
# 5. Build with Maven
# 6. Deploy to Maven GitHub packages repository
# 7. Run Trivy SBOM generation
#
# Trigger:
# Triggered by workflow calls (workflow_call)
#
# Inputs:
# See input section
#
# Outputs:
# None
#
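name: Maven build and publish to GitHub packages
# No default token permissions for any job: each job must request exactly
# what it needs (the build job below asks for contents:read + packages:write).
permissions: {}
on:
  workflow_call:
    # Every input has a default, so a caller may invoke this workflow with no
    # `with:` block at all. Key order and quoting are kept uniform below.
    inputs:
      java-version:
        description: Main version of java
        type: string
        required: false
        default: '25'
      java-distribution:
        description: Java distribution to use
        type: string
        required: false
        default: 'liberica'
      sbom-path:
        # Not referenced by any step in this workflow; retained only so
        # existing callers that still pass it do not break.
        description: DEPRECATED - Target directory for SBOM generation
        type: string
        required: false
        default: './target/'
      package-version:
        # Empty string = leave the pom version untouched (the `Set version`
        # step skips `mvn versions:set` in that case).
        description: Version to use for maven package
        type: string
        required: false
        default: ''
      deployment-repository:
        # OWNER/REPO slug appended to https://maven.pkg.github.com/ as an
        # altDeploymentRepository; empty string = no override.
        description: Set deployment repo
        type: string
        required: false
        default: ''
      cache-path:
        description: Path to cache dependencies, relative to the repository root
        type: string
        required: false
        default: '**/pom.xml'
      application-path:
        description: Path to the application directory to scan with Trivy, relative to the repository root
        type: string
        required: false
        default: './'
      trivy-library-disable-scan:
        description: Disable Trivy library scan
        type: boolean
        required: false
        default: false
      trivy-library-ignore-unfixed:
        description: Ignore unfixed vulnerabilities in Trivy library scan
        type: boolean
        required: false
        default: true
      trivy-library-severity:
        description: When to fail the scan with Trivy library vulnerabilities
        type: string
        required: false
        default: 'HIGH,CRITICAL'
      trivy-version:
        # Passed straight through to the trivy-scan action; what an empty
        # value resolves to is decided there, not here.
        description: Version of Trivy to use for scanning
        type: string
        required: false
        default: ''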
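jobs:
  # Echoes the resolved inputs into the job summary so a run can be audited
  # without opening the caller's workflow file.
  inputs-to-summary:
    runs-on: ubuntu-latest
    # Writing $GITHUB_STEP_SUMMARY needs no token; keep this job at zero
    # permissions (the top-level `permissions: {}` already implies this).
    permissions: {}
    steps:
      - name: Write inputs to summary
        # NOTE(review): `@main` is a mutable ref. If this workflow does not
        # live in felleslosninger/github-workflows itself, pin these in-org
        # actions to a commit SHA like the third-party actions below.
        uses: felleslosninger/github-workflows/.github/actions/json-to-summary@main
        with:
          json-payload: ${{ toJson(inputs) }}

  build-publish-package:
    runs-on: ubuntu-latest
    # Least privilege: read the repository, write the package, nothing else.
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # pin@v6.0.2
        with:
          # No later step pushes to git, so do not leave the token in
          # .git/config where every subsequent step (including the Maven
          # build and its plugins) could read it.
          persist-credentials: false
      - name: Set up JDK ${{ inputs.java-version }}
        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # pin@v5.2.0
        with:
          distribution: "${{ inputs.java-distribution }}"
          java-version: ${{ inputs.java-version }}
          cache: maven
          cache-dependency-path: ${{ inputs.cache-path }}
          # server-username/server-password are env var *names*, not values;
          # the generated settings.xml is expected to resolve them when mvn
          # runs, which is why the mvn steps below export GITHUB_ACTOR and
          # GITHUB_TOKEN.
          server-id: github
          server-username: GITHUB_ACTOR
          server-password: GITHUB_TOKEN
      - name: Run Trivy vulnerability scanner (fs)
        # Runs before the build so a failing scan never reaches `mvn deploy`.
        uses: felleslosninger/github-workflows/.github/actions/trivy-scan@main
        with:
          scan-type: "fs"
          application-path: ${{ inputs.application-path }}
          library-disable-scan: ${{ inputs.trivy-library-disable-scan }}
          library-ignore-unfixed: ${{ inputs.trivy-library-ignore-unfixed }}
          library-severity: ${{ inputs.trivy-library-severity }}
          trivy-version: ${{ inputs.trivy-version }}
      - name: Set version
        # Inputs reach the shell through env vars, never through `${{ }}`
        # inside `run`, so a crafted input cannot inject shell syntax. The
        # token is exported per step rather than job-wide to keep it out of
        # the environment of the checkout and Trivy actions.
        env:
          GITHUB_ACTOR: ${{ github.actor }}
          GITHUB_TOKEN: ${{ github.token }}
          PACKAGE_VERSION: ${{ inputs.package-version }}
        run: |
          if [ -n "$PACKAGE_VERSION" ]; then
            mvn versions:set -B -DnewVersion="$PACKAGE_VERSION"
            echo "- \`mvn versions\` was executed" >> "$GITHUB_STEP_SUMMARY"
          else
            echo "- \`mvn versions\` was not executed" >> "$GITHUB_STEP_SUMMARY"
          fi
      - name: Deploy to Maven GitHub packages repository
        env:
          GITHUB_ACTOR: ${{ github.actor }}
          GITHUB_TOKEN: ${{ github.token }}
          DEPLOYMENT_REPO: ${{ inputs.deployment-repository }}
        run: |
          if [ -n "$DEPLOYMENT_REPO" ]; then
            # Accept only a plain OWNER/REPO slug so a malformed or
            # path-traversing value cannot become an unexpected upload URL.
            # The value itself is deliberately not echoed into a `::error::`
            # workflow command.
            if ! printf '%s' "$DEPLOYMENT_REPO" | grep -Eq '^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$'; then
              echo "::error::deployment-repository must be of the form OWNER/REPO"
              exit 1
            fi
            mvn -B deploy -DaltDeploymentRepository="github::https://maven.pkg.github.com/$DEPLOYMENT_REPO"
            echo "- \`mvn deploy\` was executed with custom repository" >> "$GITHUB_STEP_SUMMARY"
          else
            # No override: the target is whatever the pom itself configures.
            mvn -B deploy
            echo "- \`mvn deploy\` was executed without repository override" >> "$GITHUB_STEP_SUMMARY"
          fi
      - name: Run Trivy SBOM generation
        uses: felleslosninger/github-workflows/.github/actions/trivy-sbom@main
        with:
          scan-type: fs
          artifact-id: ${{ github.event.repository.name }}
          application-path: ${{ inputs.application-path }}
          # NOTE(review): this is the raw input, so it is empty whenever the
          # caller relies on the pom's own version — confirm trivy-sbom
          # tolerates that rather than emitting a versionless SBOM.
          version: ${{ inputs.package-version }}
          # Trivy was already installed by the vulnerability scan step above.
          skip-setup: true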