
Fix CVEs

Fix CVEs #157

Workflow file for this run

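# This file was generated by Project Keeper.
# NOTE(review): because the file is generated, hand edits are likely to be
# overwritten on regeneration; durable changes presumably belong in the
# generator's configuration.
#
# CI pipeline: job `build` tests, packages, signs and analyses the connectors;
# job `start_release` hands over to the release workflow for pushes to main.
#
# NOTE(review): all third-party actions below are referenced by a mutable
# major-version tag (`@v4`). Pinning each one to a full commit SHA keeps a
# re-pointed tag from changing what runs next to this job's secrets.
name: CI Build
on:
  push:
    branches:
      - main
  # GitHub does not pass repository secrets to runs triggered by pull requests
  # from forks, so the secret-backed steps below see empty values there.
  pull_request: null
  workflow_dispatch: null
jobs:
  build:
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
    # The build job only needs a read-only token.
    permissions:
      contents: read
      issues: read
    # A newer run on the same ref cancels the one still in progress.
    concurrency:
      group: '${{ github.workflow }}-${{ github.ref }}'
      cancel-in-progress: true
    outputs:
      release-required: '${{ steps.check-release.outputs.release-required }}'
    steps:
      # Disabled by its constant-false condition.
      - name: Free Disk Space
        id: free-disk-space
        if: ${{ false }}
        run: |
          sudo rm -rf /usr/local/lib/android
          sudo rm -rf /usr/share/dotnet

      # Full history (fetch-depth 0).
      # NOTE(review): actions/checkout keeps the job token in the local git
      # config unless `persist-credentials: false` is set; npm and Maven code
      # runs in this workspace afterwards. Confirm no later step needs git
      # authentication before turning it off.
      - name: Checkout the repository
        id: checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up JDKs
        id: setup-java
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: |
            11
            17
          cache: maven

      - id: setup-node
        uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: npm
          cache-dependency-path: javascript-test/package-lock.json

      # `npm ci` installs exactly what package-lock.json records.
      - name: Run JavaScript tests
        id: run-javascript-tests
        run: |
          cd javascript-test
          npm ci
          npm run test

      - name: Build connectors
        id: build-connectors
        run: ./tools/package_connector.sh

      # The secret reaches the shell through an environment variable and is
      # expanded inside double quotes, so it is never word-split or globbed.
      # NOTE(review): the decoded .p12 (presumably holding the signing key)
      # stays in target/ for the rest of the job, where later steps run Maven
      # plugins and upload files from the workspace. Consider writing it under
      # "$RUNNER_TEMP" and deleting it right after the signing step.
      # NOTE(review): there is no `if:` guard, so on fork pull requests this
      # decodes an empty value; confirm how sign_connector.sh handles that.
      - name: Retrieve code signing certificate
        id: retrieve-code-signing-certificate
        run: echo "$CODE_SIGNING_CERTIFICATE_BASE64" | base64 --decode > target/cert.p12
        env:
          CODE_SIGNING_CERTIFICATE_BASE64: '${{ secrets.CODE_SIGNING_CERTIFICATE_BASE64 }}'

      - name: Retrieve code signing certificate chain
        id: retrieve-code-signing-certificate-chain
        run: echo "$CODE_SIGNING_CERTIFICATE_CHAIN_BASE64" | base64 --decode > target/cert_chain.p7b
        env:
          CODE_SIGNING_CERTIFICATE_CHAIN_BASE64: '${{ secrets.CODE_SIGNING_CERTIFICATE_CHAIN_BASE64 }}'

      # The certificate password is handed to the script via the environment,
      # not as a command-line argument.
      - name: Sign connectors
        id: sign-connectors
        run: ./tools/sign_connector.sh target/cert.p12 target/cert_chain.p7b
        env:
          CODE_SIGNING_CERTIFICATE_PASSWORD: '${{ secrets.CODE_SIGNING_CERTIFICATE_PASSWORD }}'

      - name: Cache SonarCloud packages
        id: cache-sonar
        uses: actions/cache@v4
        with:
          path: '~/.sonar/cache'
          key: '${{ runner.os }}-sonar'
          restore-keys: '${{ runner.os }}-sonar'

      - name: Enable testcontainer reuse
        id: enable-testcontainer-reuse
        run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties"

      - name: Project Keeper Verify
        id: build-pk-verify
        run: 'mvn --batch-mode -DtrimStackTrace=false --projects . test com.exasol:project-keeper-maven-plugin:verify'

      - name: Generate dummy error code report
        id: generate-dummy-error-code-report
        run: |-
          echo '{"$schema":"https://schemas.exasol.com/error_code_report-1.0.0.json","errorCodes":[]}' > target/error_code_report.json

      # Runs only when a Sonar token is available.
      # The token is passed as a -D argument, which puts it on the Maven
      # command line (readable by other processes on the runner); it is quoted
      # so the shell never splits it.
      # NOTE(review): the scanner can reportedly read the token from the
      # SONAR_TOKEN environment variable, which is already set here; confirm
      # for the plugin version in use before dropping the -D flag.
      - name: Sonar analysis
        id: sonar-analysis
        if: ${{ env.SONAR_TOKEN != null }}
        run: |
          mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
            -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
            -DtrimStackTrace=false \
            -Dsonar.token="$SONAR_TOKEN"
        env:
          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
          SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'

      # Fails the job when any file listed in ARTIFACTS (one path per line) is
      # missing. The list arrives through the environment rather than being
      # interpolated into the script text.
      - name: Verify Release Artifacts
        id: verify-release-artifacts
        run: |
          print_message() {
            local -r message=$1
            echo "$message"
            echo "$message" >> "$GITHUB_STEP_SUMMARY"
          }

          print_message "### Release Artifacts"

          IFS=$'\n' artifacts_array=($ARTIFACTS)
          missing_files=()
          for file in "${artifacts_array[@]}";
          do
            echo "Checking if file $file exists..."
            if ! [[ -f "$file" ]]; then
              print_message "* ⚠️ \`$file\` does not exist ⚠️"
              echo "Content of directory $(dirname "$file"):"
              ls "$(dirname "$file")"
              missing_files+=("$file")
            else
              print_message "* \`$file\` ✅"
            fi
          done
          print_message ""
          number_of_missing_files=${#missing_files[@]}
          if [[ $number_of_missing_files -gt 0 ]]; then
            print_message "⚠️ $number_of_missing_files release artifact(s) missing ⚠️"
            exit 1
          fi
        env:
          ARTIFACTS: '${{ steps.build-pk-verify.outputs.release-artifacts }}'

      # NOTE(review): the upload path comes from the Project Keeper step
      # output; confirm it can never match target/cert.p12.
      - name: Upload artifacts
        id: upload-artifacts
        uses: actions/upload-artifact@v4
        with:
          name: artifacts
          path: '${{ steps.build-pk-verify.outputs.release-artifacts }}'
          retention-days: 5

      # Only evaluated on main; publishes `release-required` as a step output
      # that the job exposes to start_release.
      - name: Check if release is needed
        id: check-release
        if: ${{ github.ref == 'refs/heads/main' }}
        run: |
          if mvn --batch-mode com.exasol:project-keeper-maven-plugin:verify-release --projects .; then
            echo "### ✅ Release preconditions met, start release" >> "$GITHUB_STEP_SUMMARY"
            echo "release-required=true" >> "$GITHUB_OUTPUT"
          else
            echo "### 🛑 Release precondition not met, skipping release" >> "$GITHUB_STEP_SUMMARY"
            echo "See log output for details." >> "$GITHUB_STEP_SUMMARY"
            echo "release-required=false" >> "$GITHUB_OUTPUT"
          fi
        env:
          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

  # Calls the repository's own release workflow, and only for main when the
  # build job reported that a release is required.
  start_release:
    needs: build
    if: ${{ github.ref == 'refs/heads/main' && needs.build.outputs.release-required == 'true' }}
    # Release runs share one group and are never cancelled midway.
    concurrency:
      cancel-in-progress: false
      group: release
    # `inherit` forwards every secret this workflow can read to the called
    # workflow. NOTE(review): passing only the secrets release.yml declares
    # would narrow that exposure.
    secrets: inherit
    # This is the only job granted write access to repository contents.
    permissions:
      contents: write
      actions: read
      issues: read
    uses: ./.github/workflows/release.yml
    with:
      started-from-ci: true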