-
Notifications
You must be signed in to change notification settings - Fork 9
143 lines (137 loc) · 5.26 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
name: Gytheio CI
on:
pull_request:
branches:
- master
- SP/**
- HF/**
- ACS-**
- feature/**
push:
branches:
- master
- SP/**
- HF/**
- ACS-**
- feature/**
schedule:
- cron: '0 5 * * 3'
workflow_dispatch:
env:
MAVEN_USERNAME: ${{ secrets.NEXUS_USERNAME }}
MAVEN_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
GIT_USERNAME: ${{ secrets.BOT_GITHUB_USERNAME }}
GIT_PASSWORD: ${{ secrets.BOT_GITHUB_TOKEN }}
AWS_REGION: eu-west-1
jobs:
veracode_sca:
name: "Source Clear Scan (SCA)"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
- uses: Alfresco/alfresco-build-tools/.github/actions/veracode@v7.0.0
continue-on-error: true
with:
srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }}
veracode_sast:
name: "Pipeline SAST Scan"
runs-on: ubuntu-latest
if: >
(github.ref_name == 'master' || startsWith(github.ref_name, 'SP/') || startsWith(github.ref_name, 'HF/') || github.event_name == 'pull_request') &&
github.actor != 'dependabot[bot]' &&
!contains(github.event.head_commit.message, '[skip build]')
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
- name: "Login to Docker Hub"
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: "Login to Quay.io"
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- uses: Alfresco/alfresco-build-tools/.github/actions/github-download-file@v7.0.0
with:
token: ${{ secrets.BOT_GITHUB_TOKEN }}
repository: "Alfresco/veracode-baseline-archive"
file-path: "gytheio/gytheio-baseline.json"
target: "baseline.json"
- name: "Build"
run: mvn -B -U install -DskipTests
- name: Create zip
run: find gytheio*/gytheio*/target gytheio*/target -name '*.jar' -exec zip -y -r to-scan.zip {} +
- name: "Run SAST Scan"
uses: veracode/Veracode-pipeline-scan-action@v1.0.16
with:
vid: ${{ secrets.VERACODE_API_ID }}
vkey: ${{ secrets.VERACODE_API_KEY }}
file: "to-scan.zip"
fail_build: true
project_name: gytheio
issue_details: true
veracode_policy_name: Alfresco Default
summary_output: true
summary_output_file: results.json
summary_display: true
baseline_file: baseline.json
- name: Upload scan result
if: success() || failure()
run: zip readable_output.zip results.json
- name: Upload Artifact
if: success() || failure()
uses: actions/upload-artifact@v4
with:
name: Veracode Pipeline-Scan Results (Human Readable)
path: readable_output.zip
build:
name: "Build"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
- name: "Remove SNAPSHOT artifacts"
run: find "${HOME}/.m2/repository/" -type d -name "*-SNAPSHOT*" | xargs -r -l rm -rf
- name: "Install ImageMagick to parse PDFs"
run: |
sudo apt-get update
sudo apt-get install -q -y imagemagick ghostscript ffmpeg
# ImageMagick6's default security policy doesn't allow it to parse PDFs
sudo sed -i '/PDF/s/none/read|write/' /etc/ImageMagick-6/policy.xml
- name: "Configure AWS credentials"
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_S3_BUCKET_CREATE_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_S3_BUCKET_CREATE_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: "Build and test"
run: bash _ci/build.sh
release:
name: "Release"
needs: [veracode_sca, build]
runs-on: ubuntu-latest
if: >
contains(github.event.head_commit.message, '[release]') &&
github.event_name != 'pull_request' &&
(github.ref_name == 'master' || startsWith(github.ref_name, 'SP/') || startsWith(github.ref_name, 'HF/'))
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
- uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
- uses: Alfresco/alfresco-build-tools/.github/actions/configure-git-author@v7.0.0
with:
username: ${{ secrets.BOT_GITHUB_USERNAME }}
email: ${{ secrets.BOT_GITHUB_EMAIL }}
- name: "Remove SNAPSHOT artifacts"
run: find "${HOME}/.m2/repository/" -type d -name "*-SNAPSHOT*" | xargs -r -l rm -rf
- name: "Release"
run: bash _ci/release.sh