From 266102843f87b35c7f33c5c8dbb70a03df7554d5 Mon Sep 17 00:00:00 2001
From: Shaun Hare
Date: Thu, 9 May 2024 09:32:42 +0100
Subject: [PATCH] added workflows and amended pom

---
 .github/workflows/cd.yaml | 54 +++++++++++++++++++++++++++++
 .github/workflows/ci.yaml | 17 +++++++++
 .github/workflows/maven-publish.yml | 38 --------------------
 .github/workflows/maven.yml | 35 +++++++++++++++++++
 .github/workflows/maven_build.yaml | 18 ++++++++++
 .github/workflows/security.yaml | 38 ++++++++++++++++++++
 pom.xml | 8 ++---
 7 files changed, 166 insertions(+), 42 deletions(-)
 create mode 100644 .github/workflows/cd.yaml
 create mode 100644 .github/workflows/ci.yaml
 delete mode 100644 .github/workflows/maven-publish.yml
 create mode 100644 .github/workflows/maven.yml
 create mode 100644 .github/workflows/maven_build.yaml
 create mode 100644 .github/workflows/security.yaml

diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
new file mode 100644
index 0000000..a9ff7cd
--- /dev/null
+++ b/.github/workflows/cd.yaml
@@ -0,0 +1,54 @@ +name: CD + +on: + push: + branches: + - main + +jobs: + release-please: + name: Release + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + outputs: + tag_name: ${{ steps.release.outputs.tag_name }} + release_created: ${{ steps.release.outputs.release_created }} + steps: + - uses: google-github-actions/release-please-action@v4 + id: release + with: + release-type: maven + + call-build-maven: + needs: release-please + name: build with Maven + uses: ./.github/workflows/maven_build.yaml + + publish: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + needs: + - release-please + - call-build-maven + steps: + - name: checkout code + uses: actions/checkout@v4 + + - name: Set up JDK 11 + uses: actions/setup-java@v4 + with: + java-version: '11' + distribution: 'corretto' + cache: 'maven' + + - name: Publish to GitHub Packages Apache Maven + if: ${{needs.release-please.outputs.release_created}} + run: mvn --batch-mode deploy + env: + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + + \ No newline at end of file diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..72604eb --- /dev/null +++ b/.github/workflows/ci.yaml @@ -0,0 +1,17 @@ +name: CI + +on: + pull_request: + +jobs: + security: + name: Security + uses: ./.github/workflows/security.yaml + secrets: inherit + + build-maven: + name: build with Maven + uses: ./.github/workflows/maven_build.yaml + needs: security + + diff --git a/.github/workflows/maven-publish.yml b/.github/workflows/maven-publish.yml deleted file mode 100644 index b735f8e..0000000 --- a/.github/workflows/maven-publish.yml +++ /dev/null 
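Review bot: The `if: ${{needs.release-please.outputs.release_created}}` guard sits on the deploy step only, so the `publish` job still checks out the repository and provisions a JDK on every push to `main` even when no release was created; moving the condition onto the job (`publish:` then `if: ${{ needs.release-please.outputs.release_created }}`) skips the whole job instead. The `tag_name` output declared on `release-please` is never consumed by either downstream job, so either drop it or use it to check out the tagged ref. The deploy step relies on setup-java's default `server-id` being `github` to match the repository id in pom.xml; a one-line `server-id: github` under `with:` makes that coupling visible. All three actions (`release-please-action@v4`, `checkout@v4`, `setup-java@v4`) are referenced by floating major tags; for jobs holding `contents: write` and `packages: write`, pinning each `uses:` to a full commit SHA with the tag in a trailing comment limits what a moved upstream tag can do.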
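Review bot: `secrets: inherit` on the `security` job forwards every repository secret to the called workflow, while `security.yaml` declares only `SNYK_TOKEN`; passing it explicitly (`secrets:` followed by `SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}`) keeps the reusable workflow to the one secret it needs. Because the trigger is `pull_request`, runs for pull requests opened from forks receive no secrets at all, so the scan step will fail and, since `build-maven` has `needs: security`, the build is blocked for those contributions — worth confirming this is the intended policy. The workflow also sets no top-level `permissions:`, so the caller runs with the repository's default token scope; `permissions: contents: read` at the top would match what both called workflows declare for themselves.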
@@ -1,38 +0,0 @@ -# This workflow will build a package using Maven and then publish it to GitHub packages when a release is created -# For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#apache-maven-with-a-settings-path - -name: Maven Package - -on: - push: - branches: - - gitHubPackages - -jobs: - build: - - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - - steps: - - uses: actions/checkout@v4 - - name: Set up JDK 11 - uses: actions/setup-java@v3 - with: - java-version: '11' - distribution: 'temurin' - server-id: github # Value of the distributionManagement/repository/id field of the pom.xml - settings-path: ${{ github.workspace }} # location for the settings.xml file - server-username: GITHUB_USER_REF # env variable name for username - server-password: GITHUB_TOKEN_REF # env variable name for GitHub Personal Access Token - - - name: Build with Maven - run: mvn -B -Pgithub package --file pom.xml - - - name: Publish to GitHub Packages Apache Maven - run: mvn deploy -s $GITHUB_WORKSPACE/settings.xml - env: - GITHUB_USER_REF: ${{ secrets.GH_PACKAGE_REPO_USERNAME }} - GITHUB_TOKEN_REF: ${{ secrets.GH_PACKAGE_REPO_PASSWORD }} diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml new file mode 100644 index 0000000..e669f16 --- /dev/null +++ b/.github/workflows/maven.yml 
@@ -0,0 +1,35 @@ +# This workflow will build a package using Maven and then publish it to GitHub packages when a release is created +# For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#apache-maven-with-a-settings-path + +name: Maven Package + +on: + push: + branches: + - master + +jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + + steps: + - uses: actions/checkout@v4 + - name: Set up JDK 11 + uses: actions/setup-java@v3 + with: + java-version: '11' + distribution: 'temurin' + server-id: github # Value of the distributionManagement/repository/id field of the pom.xml + settings-path: ${{ github.workspace }} # location for the settings.xml file + + - name: Build with Maven + run: mvn -B package --file pom.xml + + - name: Publish to GitHub Packages Apache Maven + run: mvn deploy -s $GITHUB_WORKSPACE/settings.xml + env: + GITHUB_TOKEN: ${{ github.token }} diff --git a/.github/workflows/maven_build.yaml b/.github/workflows/maven_build.yaml new file mode 100644 index 0000000..7d01df2 --- /dev/null +++ b/.github/workflows/maven_build.yaml @@ -0,0 +1,18 @@ +name: Maven Build + +on: + workflow_call: + +permissions: + contents: read + +jobs: + build: + name: build + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - run: mvn -B -P github package + + \ No newline at end of file diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml new file mode 100644 index 0000000..49861eb --- /dev/null +++ b/.github/workflows/security.yaml 
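Review bot: This workflow duplicates the publish path that `cd.yaml` in the same commit already provides, but without the release gate: every push to `master` runs `mvn deploy`, so any commit on that branch publishes a package, and the header comment's "when a release is created" no longer describes the trigger. If `main` is the default branch, as `cd.yaml` assumes, this file never fires; either way one of the two publishers should go rather than maintaining both with different JDK distributions (`temurin` here, `corretto` in `cd.yaml`) and action versions (`setup-java@v3` here, `@v4` elsewhere). The `mvn -B package --file pom.xml` step here also omits the `-P github` profile that `maven_build.yaml` uses, so the two builds may not be configured identically.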
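Review bot: The `build` job runs `mvn -B -P github package` with no `actions/setup-java` step, so it compiles with whatever JDK `ubuntu-latest` happens to ship rather than the JDK 11 that `cd.yaml` and `security.yaml` set up; adding the same `setup-java@v4` step with `java-version: '11'` and `cache: 'maven'` makes the pull-request build match what gets published. This reusable workflow declares no `secrets:` and passes no `GITHUB_TOKEN` to Maven, so if the `github` profile resolves dependencies from GitHub Packages the build would fail authentication — worth confirming what that profile does, since the pom is not fully visible in this patch.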
@@ -0,0 +1,38 @@ +name: Security Scan + +on: + workflow_call: + inputs: + severity-threshold: + description: "Severity threshold" + required: false + default: "high" + type: string + secrets: + SNYK_TOKEN: + description: "Snyk token" + required: true + schedule: + # Weekly on Monday at 00:00 UTC + - cron: 0 0 * * 1 + +permissions: + contents: read + packages: read + +jobs: + scan: + name: scan + runs-on: ubuntu-latest + steps: + + - uses: actions/checkout@v4 + - uses: snyk/actions/setup@master + - uses: actions/setup-java@v4 + with: + distribution: "corretto" + java-version: "11" + cache: maven + - run: snyk test --severity-threshold=${{ inputs.severity-threshold || 'high' }} -- -P github + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} \ No newline at end of file diff --git a/pom.xml b/pom.xml index 8a5f4be..fce99a9 100644 --- a/pom.xml +++ b/pom.xml @@ -21,6 +21,7 @@ 0.9.11 2.22.0 2.22.0 + https://maven.pkg.github.com/dvsa/vol-accessibility-lib @@ -90,12 +91,11 @@ compile - - - maven-releases - ${nexus.releases} + github + GitHub dvsa Apache Maven Packages + ${github.url} \ No newline at end of file
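Review bot: `snyk/actions/setup@master` references a moving branch, so the scanner that receives `SNYK_TOKEN` is whatever that branch points to at run time; pinning it (and `checkout`/`setup-java`) to a full commit SHA is the usual control for a job that handles a secret. The `${{ inputs.severity-threshold || 'high' }}` expression is expanded straight into the `run:` shell line; the value comes only from same-repository callers here, but routing it through `env:` (`SEVERITY: ${{ inputs.severity-threshold || 'high' }}` and then `--severity-threshold="$SEVERITY"`) avoids the script-injection pattern and keeps the command static. The cron value is an unquoted plain scalar; `- cron: '0 0 * * 1'` is the conventional form and avoids any reader second-guessing the `*` characters.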
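Review bot: The XML element names are stripped in this rendering, so I read the two hunks as a new `github.url` property and a distribution repository whose id changes from `maven-releases` to `github`; that id is what setup-java's `server-id` must match, and `cd.yaml` in this commit relies on the action's default rather than stating it, so a short comment beside the id naming that coupling would help the next editor. If the `nexus.releases` property this replaced is still defined elsewhere in the pom, it is now unused and can be removed.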