-
Notifications
You must be signed in to change notification settings - Fork 2
162 lines (138 loc) · 5.33 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
name: CI
on:
workflow_dispatch:
push:
branches: [main, 'release/v*', next, next-major, beta, alpha]
pull_request:
branches: [main, 'release/v*', next, next-major, beta, alpha]
schedule:
- cron: '28 14 * * *' # At 14:28 every day
permissions: {}
jobs:
build-and-test:
name: Build & Test
runs-on: ubuntu-22.04
timeout-minutes: 300
permissions:
contents: read
env:
COMMITLINT_CONFIG_FILE: ${{ github.workspace }}/.github/commitlint.config.js
steps:
- name: Harden runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
api.github.com:443
objects.githubusercontent.com:443
repo.maven.apache.org:443
jitpack.io:443
repo.papermc.io:443
api.nuget.org:443
registry.npmjs.org:443
auth.docker.io:443
registry-1.docker.io:443
production.cloudflare.docker.com:443
sonarcloud.io:443
scanner.sonarcloud.io:443
ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443
sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
fetch-depth: 0 # Required by SonarCloud and commitlint
- name: Setup Node.js
uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
with:
node-version: lts/iron
cache: npm
cache-dependency-path: .github/package-lock.json
- name: Install commitlint
working-directory: .github/
run: npm clean-install
- name: Validate current commit (last commit) with commitlint
if: ${{ github.event_name != 'pull_request' }}
working-directory: .github/
run: npx --no-install commitlint --config "${COMMITLINT_CONFIG_FILE}" --verbose --from HEAD~1 --to HEAD
- name: Validate PR commits with commitlint
if: ${{ github.event_name == 'pull_request' }}
working-directory: .github/
run: |
npx --no-install commitlint --config "${COMMITLINT_CONFIG_FILE}" --verbose \
--from ${{ github.event.pull_request.head.sha }}~${{ github.event.pull_request.commits }} \
--to ${{ github.event.pull_request.head.sha }}
- name: Setup Java
uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
with:
java-version: 17
distribution: temurin
cache: maven
- name: Testcontainers - Enable reusable containers
run: echo 'testcontainers.reuse.enable=true' >> ~/.testcontainers.properties
- name: Cache SonarCloud packages
uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
with:
path: ~/.sonar/cache
key: sonar
restore-keys: sonar
- name: Maven build & SonarCloud quality scan
env:
GITHUB_TOKEN: ${{ github.token }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: https://sonarcloud.io
run: |
SONAR_ORGANIZATION="$(echo '${{ github.repository_owner }}' | awk '{print tolower($0)}')"
SONAR_PROJECT_KEY="$(echo '${{ github.repository }}' | sed 's/\//_/')"
mvn verify sonar:sonar --activate-profiles ci -Dstyle.color=always \
--batch-mode --errors --strict-checksums --update-snapshots \
-Dsonar.host.url="${SONAR_HOST_URL}" \
-Dsonar.organization="${SONAR_ORGANIZATION}" \
-Dsonar.projectKey="${SONAR_PROJECT_KEY}"
security-scan:
name: Security scan
runs-on: ubuntu-22.04
timeout-minutes: 300
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Harden runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
api.github.com:443
uploads.github.com:443
objects.githubusercontent.com
repo.maven.apache.org:443
jitpack.io:443
repo.papermc.io:443
api.nuget.org:443
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
- name: Setup Java
uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
with:
java-version: 17
distribution: temurin
cache: maven
- name: Initialize CodeQL
uses: github/codeql-action/init@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
with:
languages: java
- name: Build
run: |
mvn package --activate-profiles fast -Dstyle.color=always \
--batch-mode --errors --strict-checksums --update-snapshots --fail-fast
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
with:
category: /language:java