Bump commons-io:commons-io from 2.14.0 to 2.17.0 (#938) #865
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Gytheio CI | |
on: | |
pull_request: | |
branches: | |
- master | |
- SP/** | |
- HF/** | |
- ACS-** | |
- feature/** | |
push: | |
branches: | |
- master | |
- SP/** | |
- HF/** | |
- ACS-** | |
- feature/** | |
schedule: | |
- cron: '0 5 * * 3' | |
workflow_dispatch: | |
env: | |
MAVEN_USERNAME: ${{ secrets.NEXUS_USERNAME }} | |
MAVEN_PASSWORD: ${{ secrets.NEXUS_PASSWORD }} | |
GIT_USERNAME: ${{ secrets.BOT_GITHUB_USERNAME }} | |
GIT_PASSWORD: ${{ secrets.BOT_GITHUB_TOKEN }} | |
AWS_REGION: eu-west-1 | |
jobs: | |
veracode_sca: | |
name: "Source Clear Scan (SCA)" | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 | |
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 | |
- uses: Alfresco/alfresco-build-tools/.github/actions/veracode@v7.0.0 | |
continue-on-error: true | |
with: | |
srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }} | |
veracode_sast: | |
name: "Pipeline SAST Scan" | |
runs-on: ubuntu-latest | |
if: > | |
(github.ref_name == 'master' || startsWith(github.ref_name, 'SP/') || startsWith(github.ref_name, 'HF/') || github.event_name == 'pull_request') && | |
github.actor != 'dependabot[bot]' && | |
!contains(github.event.head_commit.message, '[skip build]') | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 | |
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 | |
- name: "Login to Docker Hub" | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: "Login to Quay.io" | |
uses: docker/login-action@v3 | |
with: | |
registry: quay.io | |
username: ${{ secrets.QUAY_USERNAME }} | |
password: ${{ secrets.QUAY_PASSWORD }} | |
- uses: Alfresco/alfresco-build-tools/.github/actions/github-download-file@v7.0.0 | |
with: | |
token: ${{ secrets.BOT_GITHUB_TOKEN }} | |
repository: "Alfresco/veracode-baseline-archive" | |
file-path: "gytheio/gytheio-baseline.json" | |
target: "baseline.json" | |
- name: "Build" | |
run: mvn -B -U install -DskipTests | |
- name: Create zip | |
run: find gytheio*/gytheio*/target gytheio*/target -name '*.jar' -exec zip -y -r to-scan.zip {} + | |
- name: "Run SAST Scan" | |
uses: veracode/Veracode-pipeline-scan-action@v1.0.16 | |
with: | |
vid: ${{ secrets.VERACODE_API_ID }} | |
vkey: ${{ secrets.VERACODE_API_KEY }} | |
file: "to-scan.zip" | |
fail_build: true | |
project_name: gytheio | |
issue_details: true | |
veracode_policy_name: Alfresco Default | |
summary_output: true | |
summary_output_file: results.json | |
summary_display: true | |
baseline_file: baseline.json | |
- name: Upload scan result | |
if: success() || failure() | |
run: zip readable_output.zip results.json | |
- name: Upload Artifact | |
if: success() || failure() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: Veracode Pipeline-Scan Results (Human Readable) | |
path: readable_output.zip | |
build: | |
name: "Build" | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 | |
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 | |
- name: "Remove SNAPSHOT artifacts" | |
run: find "${HOME}/.m2/repository/" -type d -name "*-SNAPSHOT*" | xargs -r -l rm -rf | |
- name: "Install ImageMagick to parse PDFs" | |
run: | | |
sudo apt-get update | |
sudo apt-get install -q -y imagemagick ghostscript ffmpeg | |
# ImageMagick6's default security policy doesn't allow it to parse PDFs | |
sudo sed -i '/PDF/s/none/read|write/' /etc/ImageMagick-6/policy.xml | |
- name: "Configure AWS credentials" | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_S3_BUCKET_CREATE_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_S3_BUCKET_CREATE_SECRET_ACCESS_KEY }} | |
aws-region: ${{ env.AWS_REGION }} | |
- name: "Build and test" | |
run: bash _ci/build.sh | |
release: | |
name: "Release" | |
needs: [veracode_sca, build] | |
runs-on: ubuntu-latest | |
if: > | |
contains(github.event.head_commit.message, '[release]') && | |
github.event_name != 'pull_request' && | |
(github.ref_name == 'master' || startsWith(github.ref_name, 'SP/') || startsWith(github.ref_name, 'HF/')) | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0 | |
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0 | |
- uses: Alfresco/alfresco-build-tools/.github/actions/configure-git-author@v7.0.0 | |
with: | |
username: ${{ secrets.BOT_GITHUB_USERNAME }} | |
email: ${{ secrets.BOT_GITHUB_EMAIL }} | |
- name: "Remove SNAPSHOT artifacts" | |
run: find "${HOME}/.m2/repository/" -type d -name "*-SNAPSHOT*" | xargs -r -l rm -rf | |
- name: "Release" | |
run: bash _ci/release.sh |