chore: update flow to 24.0.11 and spring.boot to 3.0.8 (24.0) #1326
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: SBOM | |
| on: | |
| push: | |
| branches: ["master", "24.0", "23.3"] | |
| pull_request: | |
| types: [opened, synchronize, reopened, edited] | |
| paths: ["versions.json", "**/pom.xml", ".github/workflows/sbom.yml", "scripts/generateAndCheckSBOM.js", "scripts/generator/templates/*.xml"] | |
| release: | |
| types: ["published"] | |
| workflow_dispatch: | |
| inputs: | |
| useSnapshots: | |
| description: 'Use snapthots for all vaadin products' | |
| required: false | |
| type: boolean | |
| default: false | |
| useBomber: | |
| description: 'Use bomber' | |
| required: false | |
| type: boolean | |
| default: true | |
| useOSV: | |
| description: 'Use osv-scanner' | |
| required: false | |
| type: boolean | |
| default: true | |
| useOWASP: | |
| description: 'Use owasp:dependency-check-maven' | |
| required: false | |
| type: boolean | |
| default: true | |
| useFullOWASP: | |
| description: 'Use full owasp:dependency-check' | |
| required: false | |
| type: boolean | |
| default: false | |
| version: | |
| description: 'Use set Platform Version to:' | |
| required: false | |
| type: string | |
| default: '' | |
| forcePushReports: | |
| description: 'Push the SBOM to release note' | |
| required: false | |
| type: boolean | |
| default: false | |
| jobs: | |
| run: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - run: | | |
| [ -z "${{secrets.TB_LICENSE}}" ] \ | |
| && echo "🚫 **TB_LICENSE** is not defined, check that **${{github.repository}}** repo has a valid secret" \ | |
| | tee -a $GITHUB_STEP_SUMMARY && exit 1 || exit 0 | |
| name: Check secrets | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-node@v3 | |
| with: | |
| node-version: '18' | |
| - uses: actions/setup-java@v3 | |
| with: | |
| java-version: '17' | |
| distribution: 'temurin' | |
| - uses: stCarolas/setup-maven@v4.5 | |
| with: | |
| maven-version: '3.8.2' | |
| - uses: actions/setup-go@v3 | |
| with: | |
| go-version: 'stable' | |
| - run: go install github.com/google/osv-scanner/cmd/osv-scanner@v1 | |
| - run: | | |
| wget -q https://github.com/devops-kung-fu/bomber/releases/download/v0.4.4/bomber_0.4.4_linux_amd64.deb | |
| sudo dpkg -i bomber_0.4.4_linux_amd64.deb | |
| name: Install bomber-0.4.4 | |
| - run: | | |
| # Install dependency-check-8.2.1 | |
| cd /tmp | |
| wget -q https://github.com/jeremylong/DependencyCheck/releases/download/v8.2.1/dependency-check-8.2.1-release.zip | |
| unzip dependency-check-8.2.1-release.zip | |
| sudo ln -s /tmp/dependency-check/bin/dependency-check.sh /usr/bin/dependency-check | |
| name: Install dependency-check-8.2.1 | |
| - run: | | |
| mkdir -p ~/.vaadin/ | |
| echo '{"username":"'`echo ${{secrets.TB_LICENSE}} | cut -d / -f1`'","proKey":"'`echo ${{secrets.TB_LICENSE}} | cut -d / -f2`'"}' > ~/.vaadin/proKey | |
| name: Install proKey | |
| - run: | | |
| [ false = "${{github.event.inputs.useBomber}}" ] && A="$A --disable-bomber" | |
| [ false = "${{github.event.inputs.useOSV}}" ] && A="$A --disable-osv-scan" | |
| [ false = "${{github.event.inputs.useOWASP}}" ] && A="$A --disable-owasp" | |
| [ true = "${{github.event.inputs.useFullOWASP}}" ] && A="$A --enable-full-owasp" | |
| [ true = "${{github.event.inputs.useSnapshots}}" ] && A="$A --useSnapshots" | |
| V="${{ github.event.inputs.version || github.event.release.tag_name }}" | |
| [ -n "$V" ] && A="--version $V" | |
| cmd="scripts/generateAndCheckSBOM.js $A" | |
| echo "Running: $cmd" | |
| $cmd | |
| name: Generate And Check SBOM | |
| env: | |
| OSSINDEX_USER: ${{secrets.OSSINDEX_USER}} | |
| OSSINDEX_TOKEN: ${{secrets.OSSINDEX_TOKEN}} | |
| - if: ${{always() && env.DEPENDENCIES_REPORT && github.event.pull_request}} | |
| uses: thollander/actions-comment-pull-request@v2 | |
| with: | |
| message: "${{env.DEPENDENCIES_REPORT}}\n[[Click for more Details](${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}})]" | |
| comment_tag: dependencies_report | |
| - if: ${{always()}} | |
| uses: actions/upload-artifact@v3.1.1 | |
| with: | |
| name: files | |
| path: | | |
| **/target/bom-vaadin.json | |
| **/target/*-report.json | |
| **/target/tree-*.txt | |
| **/target/dependencies.html | |
| if-no-files-found: error | |
| retention-days: 60 | |
| - if: ${{(success() || github.event.inputs.forcePushReports) && (github.event.inputs.version || github.event.release.tag_name)}} | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| file: vaadin-platform-sbom/target/bom-vaadin.json | |
| asset_name: "Software.Bill.Of.Materials.json" | |
| tag: ${{ github.event.inputs.version || github.event.release.tag_name }} | |
| overwrite: true | |
| - if: ${{(success() || github.event.inputs.forcePushReports) && (github.event.inputs.version || github.event.release.tag_name)}} | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| file: vaadin-platform-sbom/target/dependencies.html | |
| asset_name: "Dependencies.Report.html" | |
| tag: ${{ github.event.inputs.version || github.event.release.tag_name }} | |
| overwrite: true | |