-
Notifications
You must be signed in to change notification settings - Fork 2
77 lines (66 loc) · 2.75 KB
/
zxf-snyk-monitor.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
##
# Copyright (C) 2023-2024 Hedera Hashgraph, LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
name: "ZXF: Snyk Monitor"
# The purpose of this job is to run on each commit to the main branch and daily at midnight UTC on the most recent commit.
# This job is not intended to be run manually, but rather to be run when triggered by either a commit or the schedule.
on:
push:
branches:
- main
schedule:
- cron: "0 0 * * 0"
permissions:
contents: read
env:
GRADLE_CACHE_USERNAME: ${{ secrets.GRADLE_CACHE_USERNAME }}
GRADLE_CACHE_PASSWORD: ${{ secrets.GRADLE_CACHE_PASSWORD }}
jobs:
snyk:
name: Snyk Monitor
runs-on: solo-linux-medium
steps:
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Setup Java
uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
with:
distribution: temurin
java-version: 21.0.1
- name: Setup Gradle
uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
with:
gradle-version: wrapper
# Node.JS 16.x is required for the Snyk CLI.
- name: Setup NodeJS
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 16
# This step may be optional since Snyk analysis does not require the binary artifacts to be built first. However,
# Snyk will fail if the code does not compile and the error messages are less than helpful. Therefore, we will
# compile the code first and then run Snyk so that we can get diagnostic information if the code does not compile.
- name: Compile
uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
with:
gradle-version: wrapper
arguments: assemble --scan
- name: Setup Snyk
run: npm install -g snyk
# This step is what actually uploads the Snyk analysis to the Snyk Cloud. The Snyk token is stored as a secret
# in the Github repository and is passed to the Snyk CLI via the environment variable SNYK_TOKEN.
- name: Run Snyk Monitor
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run: snyk monitor --all-projects