[Snyk] Security upgrade build.buf:protovalidate from 0.2.1 to 0.4.2 #105
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: ci | |
on: | |
# Allows you to run this workflow manually from the Actions tab | |
workflow_dispatch: | |
inputs: | |
proto_ref: | |
proto_sha: | |
push: | |
branches: | |
- main | |
- v* | |
# Publish `v1.2.3` tags as releases. | |
tags: | |
- v* | |
# Run tests for PRs | |
pull_request: | |
env: | |
VAULT_ADDR: https://vault.eng.aserto.com/ | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- | |
name: Read configuration | |
uses: hashicorp/vault-action@v3 | |
id: vault | |
with: | |
url: ${{ env.VAULT_ADDR }} | |
token: ${{ secrets.VAULT_TOKEN }} | |
secrets: | | |
kv/data/github "USERNAME" | GH_USERNAME; | |
kv/data/github "READ_WRITE_TOKEN" | GH_TOKEN; | |
kv/data/buf.build "ASERTO_BUF_USER" | BUF_USER; | |
kv/data/buf.build "ASERTO_BUF_TOKEN" | BUF_TOKEN; | |
kv/data/MavenCentral "USERNAME" | MAVEN_USERNAME; | |
kv/data/MavenCentral "PASSWORD" | MAVEN_CENTRAL_TOKEN; | |
kv/data/MavenCentral "GPG_PASSPHRASE" | MAVEN_GPG_PASSPHRASE; | |
kv/data/MavenCentral "PRIVATE_GPG_KEY" | MAVEN_GPG_PRIVATE_KEY; | |
kv/data/MavenCentral "TOKEN_USERNAME" | TOKEN_USERNAME; | |
kv/data/MavenCentral "TOKEN_PASSWORD" | TOKEN_PASSWORD; | |
- | |
name: Info | |
run: echo "Using proto ${{ github.event.inputs.proto_ref }} with sha ${{ github.event.inputs.proto_sha }}" | |
- | |
uses: actions/create-github-app-token@v1 | |
id: app-token | |
with: | |
app-id: ${{ vars.CODEGEN_APP_ID }} | |
private-key: ${{ secrets.CODEGEN_APP_KEY }} | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
token: ${{ steps.app-token.outputs.token }} | |
- | |
name: Install deps | |
run: make deps | |
- | |
name: Clean Generated Code | |
run: make clean-gen | |
- | |
name: Generate Code | |
run: make buf-generate | |
- | |
name: Build | |
run: make build | |
- | |
name: Commit changes | |
if: github.event_name == 'workflow_dispatch' | |
uses: EndBug/add-and-commit@v9 | |
with: | |
default_author: github_actions | |
add: 'pom.xml src' | |
push: origin HEAD:main | |
test: | |
runs-on: ubuntu-latest | |
needs: build | |
steps: | |
- | |
name: Read configuration | |
uses: hashicorp/vault-action@v3 | |
id: vault | |
with: | |
url: ${{ env.VAULT_ADDR }} | |
token: ${{ secrets.VAULT_TOKEN }} | |
secrets: | | |
kv/data/github "USERNAME" | GH_USERNAME; | |
kv/data/github "READ_WRITE_TOKEN" | GH_TOKEN; | |
kv/data/buf.build "ASERTO_BUF_USER" | BUF_USER; | |
kv/data/buf.build "ASERTO_BUF_TOKEN" | BUF_TOKEN; | |
kv/data/MavenCentral "USERNAME" | MAVEN_USERNAME; | |
kv/data/MavenCentral "PASSWORD" | MAVEN_CENTRAL_TOKEN; | |
kv/data/MavenCentral "GPG_PASSPHRASE" | MAVEN_GPG_PASSPHRASE; | |
kv/data/MavenCentral "PRIVATE_GPG_KEY" | MAVEN_GPG_PRIVATE_KEY; | |
kv/data/MavenCentral "TOKEN_USERNAME" | TOKEN_USERNAME; | |
kv/data/MavenCentral "TOKEN_PASSWORD" | TOKEN_PASSWORD; | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- | |
name: Set up Java for publishing to Maven Central Repository | |
uses: actions/setup-java@v4 | |
with: | |
java-version: 8 | |
distribution: temurin | |
- | |
name: Import GPG key | |
uses: crazy-max/ghaction-import-gpg@v6 | |
with: | |
gpg_private_key: ${{ env.MAVEN_GPG_PRIVATE_KEY }} | |
passphrase: MAVEN_GPG_PASSPHRASE | |
- | |
name: Install deps | |
run: make deps | |
- | |
name: Install package | |
run: make install | |
- | |
name: Setup Homebrew | |
uses: Homebrew/actions/setup-homebrew@master | |
- | |
name: Install topaz | |
run: | | |
brew tap aserto-dev/tap && brew install aserto-dev/tap/topaz && topaz install && topaz templates install todo --no-console --force | |
- | |
name: Build examples | |
working-directory: examples | |
run: mvn --no-transfer-progress clean package | |
- | |
name: Run examples | |
working-directory: examples | |
run: | | |
cp assets/.env.topaz-directory.example .env | |
java -jar target/examples-1.0.0-SNAPSHOT-shaded.jar | |
release: | |
runs-on: ubuntu-latest | |
needs: test | |
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') | |
name: Release to maven central | |
steps: | |
- | |
name: Read configuration | |
uses: hashicorp/vault-action@v3 | |
id: vault | |
with: | |
url: ${{ env.VAULT_ADDR }} | |
token: ${{ secrets.VAULT_TOKEN }} | |
secrets: | | |
kv/data/github "USERNAME" | GH_USERNAME; | |
kv/data/github "READ_WRITE_TOKEN" | GH_TOKEN; | |
kv/data/buf.build "ASERTO_BUF_USER" | BUF_USER; | |
kv/data/buf.build "ASERTO_BUF_TOKEN" | BUF_TOKEN; | |
kv/data/MavenCentral "USERNAME" | MAVEN_USERNAME; | |
kv/data/MavenCentral "PASSWORD" | MAVEN_CENTRAL_TOKEN; | |
kv/data/MavenCentral "GPG_PASSPHRASE" | MAVEN_GPG_PASSPHRASE; | |
kv/data/MavenCentral "PRIVATE_GPG_KEY" | MAVEN_GPG_PRIVATE_KEY; | |
kv/data/MavenCentral "TOKEN_USERNAME" | TOKEN_USERNAME; | |
kv/data/MavenCentral "TOKEN_PASSWORD" | TOKEN_PASSWORD; | |
- | |
uses: actions/create-github-app-token@v1 | |
id: app-token | |
with: | |
app-id: ${{ vars.CODEGEN_APP_ID }} | |
private-key: ${{ secrets.CODEGEN_APP_KEY }} | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
token: ${{ steps.app-token.outputs.token }} | |
- | |
name: Set up Java for publishing to Maven Central Repository | |
uses: actions/setup-java@v4 | |
with: | |
java-version: 8 | |
distribution: temurin | |
server-id: ossrh | |
server-username: TOKEN_USERNAME | |
server-password: TOKEN_PASSWORD | |
gpg-private-key: ${{ env.MAVEN_GPG_PRIVATE_KEY }} | |
gpg-passphrase: MAVEN_GPG_PASSPHRASE | |
- | |
name: Build | |
run: make build | |
- | |
name: Create release | |
uses: ncipollo/release-action@v1 | |
with: | |
allowUpdates: true | |
artifacts: "${{ github.workspace }}/target/*.jar" | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- | |
name: Publish to the Maven Central Repository | |
run: make deploy | |
- | |
name: Bump to the next version | |
run: make bump | |
- | |
name: Commit changes | |
uses: EndBug/add-and-commit@v9 | |
with: | |
default_author: github_actions | |
message: 'Bump to next version' | |
add: 'pom.xml' | |
push: origin HEAD:main |