diff --git a/.github/workflows/maven-ci.yml b/.github/workflows/ci.yml
similarity index 71%
rename from .github/workflows/maven-ci.yml
rename to .github/workflows/ci.yml
index 867401a77..4a8a90919 100644
--- a/.github/workflows/maven-ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,14 +1,15 @@
-name: Maven - CI +name: CI on: workflow_dispatch: push: - # Re-execute the CI on default branch only for status while ensuring it remains stable in any circumstances branches: - 'main' pull_request: branches: - 'main' + schedule: + - cron: '28 14 * * *' # At 14:28 every day permissions: {}
@@ -18,7 +19,9 @@ jobs:
runs-on: ubuntu-latest permissions: + actions: read contents: read + security-events: write steps: - name: Harden runner
@@ -28,6 +31,9 @@ jobs:
egress-policy: block allowed-endpoints: > github.com:443 + api.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 repo.maven.apache.org:443 jitpack.io:443 repo.papermc.io:443
@@ -43,8 +49,15 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - # SonarQube - Shallow clones should be disabled for a better relevancy of analysis + # Required by SonarCloud & Cocogitto fetch-depth: 0 + # Pick the PR HEAD instead of the merge commit (required by Cocogitto) ref: ${{ github.event.pull_request.head.sha }} + + - name: Conventional commits check + uses: cocogitto/cocogitto-action@ac6260150ee57e3164cd95b47fc84cdee9e3444c # v3.5 + with: + check-latest-tag-only: true - name: Set up JDK 17 uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
@@ -63,6 +76,11 @@ jobs:
key: sonar restore-keys: sonar + - name: Initialize CodeQL + uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 + with: + languages: java + - name: Maven build & SonarCloud quality scan env: GITHUB_TOKEN: ${{ github.token }}
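Review bot: `security-events: write` in the `@@ -18,7 +19,9 @@` hunk is granted at job level to a job that now also runs the Cocogitto action and the Maven/SonarCloud step (which exports `GITHUB_TOKEN` into its environment), so every step and every build plugin pulled from the allowed Maven endpoints runs with a token that can upload code-scanning results; the deleted security-scan-codeql.yml kept that scope in a job containing only harden-runner, checkout, JDK setup, the build and the two CodeQL steps. If folding CodeQL into the build job is intentional, I'd record the trade-off above the permissions block, `# security-events: write is needed only by codeql-action/analyze; it lives here because CodeQL must trace the Maven build`, otherwise keep CodeQL in its own job so the write scope stays isolated. The `build` job's header and `name` line are outside this hunk.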
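Review bot: The three hosts added to `allowed-endpoints` in the `@@ -28,6 +31,9 @@` hunk carry no indication of which step needs them, and this list is the only record of the merged job's egress. Presumably `api.github.com` and `uploads.github.com` serve the CodeQL result upload and `objects.githubusercontent.com` the Cocogitto download, since they come from the two deleted workflows; a mapping would let a later reviewer prune the list when a step is removed. Note that `allowed-endpoints` is a folded block scalar (`>`), so a trailing `#` inside it becomes part of the value; put the mapping in a comment above the key, e.g. `# api/uploads.github.com: CodeQL upload; objects.githubusercontent.com: Cocogitto; the rest: Maven repositories`.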
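Review bot: `ref: ${{ github.event.pull_request.head.sha }}` in the `@@ -43,8 +49,15 @@` hunk changes what every later step builds and scans, not only Cocogitto: on pull_request the Maven build, SonarCloud and CodeQL now analyze the unmerged PR head instead of the merge commit the previous CI used, so a PR can be green while the merged result is not. On push and schedule the expression is empty and, as far as I know, checkout then falls back to the triggering ref, which is fine but worth stating. I'd either widen the comment, `# PR HEAD instead of the merge commit: required by Cocogitto, but build/Sonar/CodeQL then no longer test the merged result`, or keep Cocogitto in a separate job with its own checkout as the deleted conventional-commits-check.yml did. The `steps` list continues outside this hunk.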
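Review bot: The `Initialize CodeQL` step in the `@@ -63,6 +76,11 @@` hunk has to stay ahead of the `Maven build & SonarCloud quality scan` step for the Java analysis to see the compilation, but nothing in the file says so, and a later reordering (for example moving it next to the analyze step at the end) would break the analysis without an obvious cause. I'd add `# Must run before the Maven build: CodeQL's Java analysis traces the compilation` above the step.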
@@ -76,3 +94,8 @@ jobs:
-Dsonar.host.url="${SONAR_HOST_URL}" \ -Dsonar.organization="${SONAR_ORGANIZATION}" \ -Dsonar.projectKey="${SONAR_PROJECT_KEY}" + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 + with: + category: /language:java
diff --git a/.github/workflows/conventional-commits-check.yml b/.github/workflows/conventional-commits-check.yml
deleted file mode 100644
index 48bc2f677..000000000
--- a/.github/workflows/conventional-commits-check.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-name: Conventional Commits - Check - -on: - workflow_dispatch: - pull_request: - branches: - - 'main' - -permissions: {} - -jobs: - check: - name: Check - runs-on: ubuntu-latest - - permissions: - contents: read - - steps: - - name: Harden runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - github.com:443 - objects.githubusercontent.com:443 - - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - # Required by Cocogitto - fetch-depth: 0 - # Pick the PR HEAD instead of the merge commit - ref: ${{ github.event.pull_request.head.sha }} - - - name: Check compliance - uses: cocogitto/cocogitto-action@ac6260150ee57e3164cd95b47fc84cdee9e3444c # v3.5 - with: - check-latest-tag-only: true
diff --git a/.github/workflows/security-scan-scorecard.yml b/.github/workflows/openssf-scorecard-scan.yml
similarity index 98%
rename from .github/workflows/security-scan-scorecard.yml
rename to .github/workflows/openssf-scorecard-scan.yml
index 72164e2fa..3adf265aa 100644
--- a/.github/workflows/security-scan-scorecard.yml
+++ b/.github/workflows/openssf-scorecard-scan.yml
@@ -1,4 +1,4 @@
-name: Security Scan - Scorecard +name: OpenSSF Scorecard - Scan on: workflow_dispatch:
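Review bot: The `Perform CodeQL Analysis` step now depends on the preceding `Maven build & SonarCloud quality scan` step as its traced build, but only that command's `-Dsonar.*` flags are in the hunk; the deleted security-scan-codeql.yml ran its own `mvn package --activate-profiles fast` for the tracer, so if the Sonar invocation skips compilation on some trigger, or fails before compiling on a pull_request where its secrets are unavailable, CodeQL has nothing to analyze. Worth a comment on this step, `# Analyzes the compilation traced during the Maven/SonarCloud step above; no separate build is run`, and a check that the invocation compiles on every trigger. The Maven command and the `build` job begin outside this hunk.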
diff --git a/.github/workflows/security-scan-codeql.yml b/.github/workflows/security-scan-codeql.yml
deleted file mode 100644
index ceaa2f173..000000000
--- a/.github/workflows/security-scan-codeql.yml
+++ /dev/null
@@ -1,64 +0,0 @@
-name: Security scan - CodeQL - -on: - workflow_dispatch: - push: - # Re-execute the CI on default branch only for status while ensuring it remains stable in any circumstances - branches: - - 'main' - pull_request: - branches: - - 'main' - schedule: - - cron: '28 14 * * *' # At 14:28 every day - -permissions: {} - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - - permissions: - actions: read - contents: read - security-events: write - - steps: - - name: Harden runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - github.com:443 - api.github.com:443 - uploads.github.com:443 - repo.maven.apache.org:443 - jitpack.io:443 - repo.papermc.io:443 - - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - - name: Set up JDK 17 - uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0 - with: - java-version: 17 - distribution: temurin - cache: maven - - - name: Initialize CodeQL - uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 - with: - languages: java - - - name: Build - run: mvn package --activate-profiles fast --batch-mode --errors --strict-checksums --update-snapshots --fail-fast - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 - with: - category: /language:java