Added compound-java-check

th2-net · Dec 18, 2024 · 70797ed · 70797ed
1 parent 7c2e272
commit 70797ed
Show file tree

Hide file tree

Showing 4 changed files with 150 additions and 78 deletions.
diff --git a/.github/workflows/compound-java-check.properties.json b/.github/workflows/compound-java-check.properties.json
@@ -0,0 +1,5 @@
+{
+  "name": "Compound Java checks",
+  "description": "Combine vulnerability, license, integration test checks",
+  "iconName": "example-icon"
+}
diff --git a/.github/workflows/compound-java-check.yml b/.github/workflows/compound-java-check.yml
@@ -0,0 +1,95 @@
+name: Compound Java checks
+
+on:
+  workflow_call:
+    inputs:
+      runs-on:
+        required: false
+        type: string
+        default: 'ubuntu-latest'
+      app-version:
+        required: false
+        type: string
+        default: '0.0.0'
+      java-version:
+        required: false
+        type: string
+        default: '11'
+      java-vendor:
+        required: false
+        type: string
+        default: 'zulu'
+      scanner-enabled:
+        required: false
+        type: boolean
+        default: true
+        description: 'Whether vulnerabilities and license scanning are enabled'
+      strict-scanner:
+        required: false
+        type: boolean
+        default: true
+        description: 'Whether vulnerabilities and license scanning executions are strict'
+      multi-project:
+        required: false
+        type: boolean
+        default: false
+        description: 'false for dependencyCheckAnalyze, true for dependencyCheckAggregate'
+      integration-test-enabled:
+        required: false
+        type: boolean
+        default: false
+        description: 'Whether integration test is enabled'
+      integration-test-projects:
+        required: false
+        type: string
+        default: "['.']"
+        description: 'list of projects for running integration tests'
+      integration-test-task:
+        required: false
+        type: string
+        default: 'integrationTest'
+        description: "Gradle task name to run integration test"
+    secrets:
+      nvd-api-key:
+        required: false
+        description: 'API key to access NVD database'
+    outputs:
+      status:
+        description: "Aggregated status"
+        value: |
+            (inputs.strict-scanner && jobs.owasp-scan.result == 'success' || !inputs.strict-scanner) &&
+            (inputs.strict-scanner && jobs.license-check.result == 'success' || !inputs.strict-scanner) &&
+            (inputs.integration-test-enabled && jobs.integration-test == 'success' || !inputs.integration-test-enabled)
+
+jobs:
+  owasp-scan:
+    name: 'OWASP scan'
+    if: inputs.scanner-enabled
+    uses: th2-net/.github/.github/workflows/owasp-gradle-scan.yml@main
+    with:
+        multiproject: ${{ inputs.multi-project }}
+        java-version: ${{ inputs.java-version }}
+        java-vendor: ${{ inputs.java-vendor }}
+    secrets:
+        nvd-api-key: ${{ secrets.nvd-api-key }}
+
+  license-check:
+    name: 'License check'
+    if: inputs.scanner-enabled
+    uses: th2-net/.github/.github/workflows/license-check.yml@main
+    with:
+      version: ${{ inputs.app-version }}
+
+  integration-test:
+    name: 'Integration tests'
+    if: inputs.integration-test-enabled
+    strategy:
+      matrix:
+       integration-test-project: ${{ fromJson(inputs.integration-test-projects) }}
+    uses: th2-net/.github/.github/workflows/java-integration-test.yml@integration-tests # FIXME: switch to main branch
+    with:
+      runs-on: ${{ inputs.runs-on }}
+      java-version: ${{ inputs.java-version }}
+      java-vendor: ${{ inputs.java-vendor }}
+      projectPath: ${{ matrix.integration-test-project }}
+      integrationTestTask: ${{ inputs.integration-test-task }}
diff --git a/.github/workflows/compound-java-dev.yml b/.github/workflows/compound-java-dev.yml
@@ -94,14 +94,31 @@ jobs:
     with:
       runsOn: ${{ inputs.runsOn }}
 
+  java-check:
+    name: 'Java check'
+    needs: [prebuild-job]
+    uses: th2-net/.github/.github/workflows/compound-java-check.yml@integration-tests # FIXME: switch to main branch
+    with:
+      runs-on: ${{ inputs.runsOn }}
+      app-version: ${{ needs.prebuild-job.outputs.version }}
+      java-version: ${{ inputs.javaVersion }}
+      java-vendor: ${{ inputs.javaVendor }}
+      scanner-enabled: ${{ inputs.scanner-enabled }}
+      strict-scanner: ${{ inputs.strict-scanner }}
+      multi-project: ${{ inputs.multiproject }}
+      integration-test-enabled: ${{ inputs.integration-test-enabled }}
+      integration-test-projects: ${{ inputs.integration-test-projects }}
+      integration-test-task: ${{ inputs.integration-test-task }}
+    secrets:
+      nvd-api-key: ${{ secrets.nvd-api-key }}
+
   # if Docker
   docker-push:
     name: Build Docker image and push to ghcr.io
     if: |
-      (contains(inputs.build-target, 'Docker') || contains(inputs.build-target, 'docker')) && !cancelled() &&
-      (inputs.strict-scanner && needs.license-check.result == 'success' && needs.owasp-scan.result == 'success' || !inputs.strict-scanner) &&
-      (inputs.integration-test-enabled && needs.integration-test.result == 'success' || !inputs.integration-test-enabled)
-    needs: [prebuild-job, owasp-scan, license-check, integration-test]
+      (contains(inputs.build-target, 'Docker') || contains(inputs.build-target, 'docker')) && 
+      needs.java-check.outputs.status == 'true'
+    needs: [prebuild-job, java-check]
     uses: th2-net/.github/.github/workflows/compaund-java-docker-push.yml@main
     with:
       docker-username: ${{ inputs.docker-username }}
@@ -125,11 +142,10 @@ jobs:
 # if Sonatype
   sonatype-push:
     if: |
-      (contains(inputs.build-target, 'Sonatype') || contains(inputs.build-target, 'sonatype')) && !cancelled() &&
-      (inputs.strict-scanner && needs.license-check.result == 'success' && needs.owasp-scan.result == 'success' || !inputs.strict-scanner) &&
-      (inputs.integration-test-enabled && needs.integration-test.result == 'success' || !inputs.integration-test-enabled)
+      (contains(inputs.build-target, 'Sonatype') || contains(inputs.build-target, 'sonatype')) &&
+      needs.java-check.outputs.status == 'true'
     name: Build and Push Jar to Sonatype
-    needs: [ prebuild-job, owasp-scan, license-check, integration-test ]
+    needs: [ prebuild-job, java-check ]
     uses: th2-net/.github/.github/workflows/compaund-java-sonatype-push.yml@main
     with:
       runsOn: ${{ inputs.runsOn }}
@@ -141,34 +157,4 @@ jobs:
       sonatypeUsername: ${{ secrets.sonatypeUsername }}
       sonatypePassword: ${{ secrets.sonatypePassword }}
       sonatypeSigningKey: ${{ secrets.sonatypeSigningKey }}
-      sonatypeSigningPassword: ${{ secrets.sonatypeSigningPassword }}
-
-  owasp-scan:
-    if: inputs.scanner-enabled
-    uses: th2-net/.github/.github/workflows/owasp-gradle-scan.yml@main
-    with:
-      multiproject: ${{ inputs.multiproject }}
-      javaVersion: ${{ inputs.javaVersion }}
-      javaVendor: ${{ inputs.javaVendor }}
-    secrets:
-      nvd-api-key: ${{ secrets.nvd-api-key }}
-
-  license-check:
-    if: inputs.scanner-enabled
-    uses: th2-net/.github/.github/workflows/license_check.yml@main
-    needs: [prebuild-job]
-    with:
-      version: ${{ needs.prebuild-job.outputs.version }}
-
-  integration-test:
-    if: inputs.integration-test-enabled
-    strategy:
-      matrix:
-        integration-test-project: ${{ fromJson(inputs.integration-test-projects) }}
-    uses: th2-net/.github/.github/workflows/java-integration-test.yml@integration-tests # FIXME: switch to main branch
-    with:
-      runsOn: ${{ inputs.runsOn }}
-      javaVersion: ${{ inputs.javaVersion }}
-      javaVendor: ${{ inputs.javaVendor }}
-      projectPath: ${{ matrix.integration-test-project }}
-      integrationTestTask: ${{ inputs.integration-test-task }}
+      sonatypeSigningPassword: ${{ secrets.sonatypeSigningPassword }}
diff --git a/.github/workflows/compound-java.yml b/.github/workflows/compound-java.yml
@@ -105,14 +105,31 @@ jobs:
       runsOn: ${{ inputs.runsOn }}
       devRelease: ${{ inputs.devRelease }}
 
+  java-check:
+    name: 'Java check'
+    needs: [prebuild-job]
+    uses: th2-net/.github/.github/workflows/compound-java-check.yml@integration-tests # FIXME: switch to main branch
+    with:
+      runs-on: ${{ inputs.runsOn }}
+      app-version: ${{ needs.prebuild-job.outputs.version }}
+      java-version: ${{ inputs.javaVersion }}
+      java-vendor: ${{ inputs.javaVendor }}
+      scanner-enabled: ${{ inputs.scanner-enabled }}
+      strict-scanner: ${{ inputs.strict-scanner }}
+      multi-project: ${{ inputs.multiproject }}
+      integration-test-enabled: ${{ inputs.integration-test-enabled }}
+      integration-test-projects: ${{ inputs.integration-test-projects }}
+      integration-test-task: ${{ inputs.integration-test-task }}
+    secrets:
+      nvd-api-key: ${{ secrets.nvd-api-key }}
+
 # if Docker
   docker-push:
     name: Build Docker image and push to ghcr.io
     if: |
-      (contains(inputs.build-target, 'Docker') || contains(inputs.build-target, 'docker')) && !cancelled() &&
-      (inputs.strict-scanner && needs.license-check.result == 'success' && needs.owasp-scan.result == 'success' || !inputs.strict-scanner) &&
-      (inputs.integration-test-enabled && needs.integration-test.result == 'success' || !inputs.integration-test-enabled)
-    needs: [prebuild-job, owasp-scan, license-check, integration-test ]
+      (contains(inputs.build-target, 'Docker') || contains(inputs.build-target, 'docker')) &&
+      needs.java-check.outputs.status == 'true'
+    needs: [prebuild-job, java-check ]
     uses: th2-net/.github/.github/workflows/compaund-java-docker-push.yml@main
     with:
       docker-username: ${{ inputs.docker-username }}
@@ -135,11 +152,10 @@ jobs:
 # if Sonatype
   sonatype-push:
     if: |
-      (contains(inputs.build-target, 'Sonatype') || contains(inputs.build-target, 'sonatype')) && !cancelled() &&
-      (inputs.strict-scanner && needs.license-check.result == 'success' && needs.owasp-scan.result == 'success' || !inputs.strict-scanner) &&
-      (inputs.integration-test-enabled && needs.integration-test.result == 'success' || !inputs.integration-test-enabled)
+      (contains(inputs.build-target, 'Sonatype') || contains(inputs.build-target, 'sonatype')) &&
+      needs.java-check.outputs.status == 'true'
     name: Build and Push Jar to Sonatype
-    needs: [ prebuild-job, owasp-scan, license-check, integration-test ]
+    needs: [ prebuild-job, java-check ]
     uses: th2-net/.github/.github/workflows/compaund-java-sonatype-push.yml@main
     with:
       runsOn: ${{ inputs.runsOn }}
@@ -153,41 +169,11 @@ jobs:
       sonatypeSigningKey: ${{ secrets.sonatypeSigningKey }}
       sonatypeSigningPassword: ${{ secrets.sonatypeSigningPassword }}
 
-  owasp-scan:
-    if: inputs.scanner-enabled
-    uses: th2-net/.github/.github/workflows/owasp-gradle-scan.yml@main
-    with:
-      multiproject: ${{ inputs.multiproject }}
-      javaVersion: ${{ inputs.javaVersion }}
-      javaVendor: ${{ inputs.javaVendor }}
-    secrets:
-      nvd-api-key: ${{ secrets.nvd-api-key }}
-
   create-tag:
     if: inputs.createTag && !cancelled() && (needs.docker-push.result == 'success' || needs.sonatype-push.result == 'success')
     name: Create and push tag
     needs: [ prebuild-job, sonatype-push, docker-push ]
     uses: th2-net/.github/.github/workflows/compaund-git-tag-push.yml@main
     with:
       runsOn: ${{ inputs.runsOn }}
-      tagName: ${{ needs.prebuild-job.outputs.version }}
-
-  license-check:
-    if: inputs.scanner-enabled
-    uses: th2-net/.github/.github/workflows/license_check.yml@main
-    needs: [prebuild-job]
-    with:
-      version: ${{ needs.prebuild-job.outputs.version }}
-
-  integration-test:
-    if: inputs.integration-test-enabled
-    strategy:
-      matrix:
-        integration-test-project: ${{ fromJson(inputs.integration-test-projects) }}
-    uses: th2-net/.github/.github/workflows/java-integration-test.yml@integration-tests # FIXME: switch to main branch
-    with:
-      runsOn: ${{ inputs.runsOn }}
-      javaVersion: ${{ inputs.javaVersion }}
-      javaVendor: ${{ inputs.javaVendor }}
-      projectPath: ${{ matrix.integration-test-project }}
-      integrationTestTask: ${{ inputs.integration-test-task }}
+      tagName: ${{ needs.prebuild-job.outputs.version }}