diff --git a/.github/workflows/compound-java-check.properties.json b/.github/workflows/compound-java-check.properties.json
new file mode 100644
index 0000000..f1da8b2
--- /dev/null
+++ b/.github/workflows/compound-java-check.properties.json
@@ -0,0 +1,5 @@
+{
+ "name": "Compound Java checks",
+ "description": "Combine vulnerability, license, integration test checks",
+ "iconName": "example-icon"
+}
\ No newline at end of file
diff --git a/.github/workflows/compound-java-check.yml b/.github/workflows/compound-java-check.yml
new file mode 100644
index 0000000..629e6c9
--- /dev/null
+++ b/.github/workflows/compound-java-check.yml
@@ -0,0 +1,95 @@
+name: Compound Java checks
+
+on:
+ workflow_call:
+ inputs:
+ runs-on:
+ required: false
+ type: string
+ default: 'ubuntu-latest'
+ app-version:
+ required: false
+ type: string
+ default: '0.0.0'
+ java-version:
+ required: false
+ type: string
+ default: '11'
+ java-vendor:
+ required: false
+ type: string
+ default: 'zulu'
+ scanner-enabled:
+ required: false
+ type: boolean
+ default: true
+ description: 'Whether vulnerabilities and license scanning are enabled'
+ strict-scanner:
+ required: false
+ type: boolean
+ default: true
+ description: 'Whether vulnerabilities and license scanning executions are strict'
+ multi-project:
+ required: false
+ type: boolean
+ default: false
+ description: 'false for dependencyCheckAnalyze, true for dependencyCheckAggregate'
+ integration-test-enabled:
+ required: false
+ type: boolean
+ default: false
+ description: 'Whether integration test is enabled'
+ integration-test-projects:
+ required: false
+ type: string
+ default: "['.']"
+ description: 'list of projects for running integration tests'
+ integration-test-task:
+ required: false
+ type: string
+ default: 'integrationTest'
+ description: "Gradle task name to run integration test"
+ secrets:
+ nvd-api-key:
+ required: false
+ description: 'API key to access NVD database'
+ outputs:
+ status:
+ description: "Aggregated status"
+ value: |
+ (inputs.strict-scanner && jobs.owasp-scan.result == 'success' || !inputs.strict-scanner) &&
+ (inputs.strict-scanner && jobs.license-check.result == 'success' || !inputs.strict-scanner) &&
+ (inputs.integration-test-enabled && jobs.integration-test == 'success' || !inputs.integration-test-enabled)
+
+jobs:
+ owasp-scan:
+ name: 'OWASP scan'
+ if: inputs.scanner-enabled
+ uses: th2-net/.github/.github/workflows/owasp-gradle-scan.yml@main
+ with:
+ multiproject: ${{ inputs.multi-project }}
+ java-version: ${{ inputs.java-version }}
+ java-vendor: ${{ inputs.java-vendor }}
+ secrets:
+ nvd-api-key: ${{ 
secrets.nvd-api-key }}
+
+ license-check:
+ name: 'License check'
+ if: inputs.scanner-enabled
+ uses: th2-net/.github/.github/workflows/license-check.yml@main
+ with:
+ version: ${{ inputs.app-version }}
+
+ integration-test:
+ name: 'Integration tests'
+ if: inputs.integration-test-enabled
+ strategy:
+ matrix:
+ integration-test-project: ${{ fromJson(inputs.integration-test-projects) }}
+ uses: th2-net/.github/.github/workflows/java-integration-test.yml@integration-tests # FIXME: switch to main branch
+ with:
+ runs-on: ${{ inputs.runs-on }}
+ java-version: ${{ inputs.java-version }}
+ java-vendor: ${{ inputs.java-vendor }}
+ projectPath: ${{ matrix.integration-test-project }}
+ integrationTestTask: ${{ inputs.integration-test-task }}
\ No newline at end of file
diff --git a/.github/workflows/compound-java-dev.yml b/.github/workflows/compound-java-dev.yml
index 39014e7..476cc83 100644
--- a/.github/workflows/compound-java-dev.yml
+++ b/.github/workflows/compound-java-dev.yml
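Review bot: The aggregated `status` output under `outputs:` can never evaluate to `'true'` as written: `jobs.integration-test == 'success'` compares the job object instead of `jobs.integration-test.result`, and the `value:` block scalar is not wrapped in `${{ }}`, so — as far as I understand reusable-workflow outputs — the caller receives the literal expression text rather than its evaluated value. Both publish jobs in the callers gate on `needs.java-check.outputs.status == 'true'`, so this would silently block every Docker and Sonatype push once the `!cancelled()` guard is gone. I would collapse it to one evaluated line, `value: ${{ (!inputs.strict-scanner || (jobs.owasp-scan.result == 'success' && jobs.license-check.result == 'success')) && (!inputs.integration-test-enabled || jobs.integration-test.result == 'success') }}`. Separately, this file passes `java-version`/`java-vendor` to `owasp-gradle-scan.yml@main` while the removed callers passed `javaVersion`/`javaVendor` to the same `@main` ref, and `license-check.yml` replaces the old `license_check.yml` name — unless those workflows were renamed in a separate change, one side of each pair will fail input or path validation, so worth confirming against `main` before merging.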
@@ -94,14 +94,31 @@ jobs:
 with:
 runsOn: ${{ inputs.runsOn }}
+ java-check:
+ name: 'Java check'
+ needs: [prebuild-job]
+ uses: th2-net/.github/.github/workflows/compound-java-check.yml@integration-tests # FIXME: switch to main branch
+ with:
+ runs-on: ${{ inputs.runsOn }}
+ app-version: ${{ needs.prebuild-job.outputs.version }}
+ java-version: ${{ inputs.javaVersion }}
+ java-vendor: ${{ inputs.javaVendor }}
+ scanner-enabled: ${{ inputs.scanner-enabled }}
+ strict-scanner: ${{ inputs.strict-scanner }}
+ multi-project: ${{ inputs.multiproject }}
+ integration-test-enabled: ${{ inputs.integration-test-enabled }}
+ integration-test-projects: ${{ inputs.integration-test-projects }}
+ integration-test-task: ${{ inputs.integration-test-task }}
+ secrets:
+ nvd-api-key: ${{ secrets.nvd-api-key }}
+
 # if Docker
 docker-push:
 name: Build Docker image and push to ghcr.io
 if: |
- (contains(inputs.build-target, 'Docker') || contains(inputs.build-target, 'docker')) && !cancelled() &&
- (inputs.strict-scanner && needs.license-check.result == 'success' && needs.owasp-scan.result == 'success' || !inputs.strict-scanner) &&
- (inputs.integration-test-enabled && needs.integration-test.result == 'success' || !inputs.integration-test-enabled)
- needs: [prebuild-job, owasp-scan, license-check, integration-test]
+ (contains(inputs.build-target, 'Docker') || contains(inputs.build-target, 'docker')) &&
+ needs.java-check.outputs.status == 'true'
+ needs: [prebuild-job, java-check]
 uses: th2-net/.github/.github/workflows/compaund-java-docker-push.yml@main
 with:
 docker-username: ${{ inputs.docker-username }}
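Review bot: Dropping `!cancelled()` from the `docker-push` `if:` changes what non-strict mode does: if any scan or test job inside `java-check` fails, the `java-check` job itself fails and GitHub skips `docker-push` before this expression is evaluated, so `strict-scanner: false` can no longer publish past a failed scan the way the removed lines allowed. The `@integration-tests` ref on the `compound-java-check.yml` call is already flagged FIXME, but note that a mutable feature branch now decides whether this release path is gated at all. I would keep the status-function guard and make the prebuild dependency explicit, `(contains(inputs.build-target, 'Docker') || contains(inputs.build-target, 'docker')) && !cancelled() &&` followed by `needs.prebuild-job.result == 'success' && needs.java-check.outputs.status == 'true'`, assuming the child workflow's `status` output is still populated when one of its jobs fails — worth confirming on a deliberately failing run.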
@@ -125,11 +142,10 @@ jobs:
 # if Sonatype
 sonatype-push:
 if: |
- (contains(inputs.build-target, 'Sonatype') || contains(inputs.build-target, 'sonatype')) && !cancelled() &&
- (inputs.strict-scanner && needs.license-check.result == 'success' && needs.owasp-scan.result == 'success' || !inputs.strict-scanner) &&
- (inputs.integration-test-enabled && needs.integration-test.result == 'success' || !inputs.integration-test-enabled)
+ (contains(inputs.build-target, 'Sonatype') || contains(inputs.build-target, 'sonatype')) &&
+ needs.java-check.outputs.status == 'true'
 name: Build and Push Jar to Sonatype
- needs: [ prebuild-job, owasp-scan, license-check, integration-test ]
+ needs: [ prebuild-job, java-check ]
 uses: th2-net/.github/.github/workflows/compaund-java-sonatype-push.yml@main
 with:
 runsOn: ${{ inputs.runsOn }}
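Review bot: The same `!cancelled()` removal applies to `sonatype-push`: a failure inside `java-check` now skips this job outright instead of letting `needs.java-check.outputs.status` decide, so the `strict-scanner: false` escape hatch is dead for the Sonatype path too. This path publishes signed jars with `sonatypeSigningKey`, so the gate should be deliberate rather than a side effect of job status propagation; I would restore `!cancelled() &&` on the first line of the `if:` and add `needs.prebuild-job.result == 'success' &&` before the status check so the status function does not also run past a failed prebuild.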
@@ -141,34 +157,4 @@ jobs:
 sonatypeUsername: ${{ secrets.sonatypeUsername }}
 sonatypePassword: ${{ secrets.sonatypePassword }}
 sonatypeSigningKey: ${{ secrets.sonatypeSigningKey }}
- sonatypeSigningPassword: ${{ secrets.sonatypeSigningPassword }}
-
- owasp-scan:
- if: inputs.scanner-enabled
- uses: th2-net/.github/.github/workflows/owasp-gradle-scan.yml@main
- with:
- multiproject: ${{ inputs.multiproject }}
- javaVersion: ${{ inputs.javaVersion }}
- javaVendor: ${{ inputs.javaVendor }}
- secrets:
- nvd-api-key: ${{ secrets.nvd-api-key }}
-
- license-check:
- if: inputs.scanner-enabled
- uses: th2-net/.github/.github/workflows/license_check.yml@main
- needs: [prebuild-job]
- with:
- version: ${{ needs.prebuild-job.outputs.version }}
-
- integration-test:
- if: inputs.integration-test-enabled
- strategy:
- matrix:
- integration-test-project: ${{ fromJson(inputs.integration-test-projects) }}
- uses: th2-net/.github/.github/workflows/java-integration-test.yml@integration-tests # FIXME: switch to main branch
- with:
- runsOn: ${{ inputs.runsOn }}
- javaVersion: ${{ inputs.javaVersion }}
- javaVendor: ${{ inputs.javaVendor }}
- projectPath: ${{ matrix.integration-test-project }}
- integrationTestTask: ${{ inputs.integration-test-task }}
\ No newline at end of file
+ sonatypeSigningPassword: ${{ secrets.sonatypeSigningPassword }}
\ No newline at end of file
diff --git a/.github/workflows/compound-java.yml b/.github/workflows/compound-java.yml
index e96b8c2..e5d256a 100644
--- a/.github/workflows/compound-java.yml
+++ b/.github/workflows/compound-java.yml
@@ -105,14 +105,31 @@ jobs:
 runsOn: ${{ inputs.runsOn }}
 devRelease: ${{ inputs.devRelease }}
+ java-check:
+ name: 'Java check'
+ needs: [prebuild-job]
+ uses: th2-net/.github/.github/workflows/compound-java-check.yml@integration-tests # FIXME: switch to main branch
+ with:
+ runs-on: ${{ inputs.runsOn }}
+ app-version: ${{ needs.prebuild-job.outputs.version }}
+ java-version: ${{ inputs.javaVersion }}
+ java-vendor: ${{ inputs.javaVendor }}
+ scanner-enabled: ${{ inputs.scanner-enabled }}
+ strict-scanner: ${{ inputs.strict-scanner }}
+ multi-project: ${{ inputs.multiproject }}
+ integration-test-enabled: ${{ inputs.integration-test-enabled }}
+ integration-test-projects: ${{ inputs.integration-test-projects }}
+ integration-test-task: ${{ inputs.integration-test-task }}
+ secrets:
+ nvd-api-key: ${{ secrets.nvd-api-key }}
+
 # if Docker
 docker-push:
 name: Build Docker image and push to ghcr.io
 if: |
- (contains(inputs.build-target, 'Docker') || contains(inputs.build-target, 'docker')) && !cancelled() &&
- (inputs.strict-scanner && needs.license-check.result == 'success' && needs.owasp-scan.result == 'success' || !inputs.strict-scanner) &&
- (inputs.integration-test-enabled && needs.integration-test.result == 'success' || !inputs.integration-test-enabled)
- needs: [prebuild-job, owasp-scan, license-check, integration-test ]
+ (contains(inputs.build-target, 'Docker') || contains(inputs.build-target, 'docker')) &&
+ needs.java-check.outputs.status == 'true'
+ needs: [prebuild-job, java-check ]
 uses: th2-net/.github/.github/workflows/compaund-java-docker-push.yml@main
 with:
 docker-username: ${{ inputs.docker-username }}
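Review bot: `java-check` calls `compound-java-check.yml@integration-tests`, a mutable feature branch, and that call now decides whether the release pipeline below — which holds `sonatypeSigningKey` and ghcr push credentials — is gated at all; the FIXME acknowledges it, but merging with a branch ref means anyone who can push to `integration-tests` can change the gate without touching this repo. I would pin to a full commit SHA with the intended ref in a trailing comment, `uses: th2-net/.github/.github/workflows/compound-java-check.yml@<full-commit-sha> # compound-java-check from main`, and keep the FIXME in the PR description rather than in the shipped workflow. The `!cancelled()` guard was also dropped from this `docker-push` `if:`, so a failing child job inside `java-check` now skips the push regardless of `strict-scanner`, which is a behaviour change the removed lines did not have.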
@@ -135,11 +152,10 @@ jobs:
 # if Sonatype
 sonatype-push:
 if: |
- (contains(inputs.build-target, 'Sonatype') || contains(inputs.build-target, 'sonatype')) && !cancelled() &&
- (inputs.strict-scanner && needs.license-check.result == 'success' && needs.owasp-scan.result == 'success' || !inputs.strict-scanner) &&
- (inputs.integration-test-enabled && needs.integration-test.result == 'success' || !inputs.integration-test-enabled)
+ (contains(inputs.build-target, 'Sonatype') || contains(inputs.build-target, 'sonatype')) &&
+ needs.java-check.outputs.status == 'true'
 name: Build and Push Jar to Sonatype
- needs: [ prebuild-job, owasp-scan, license-check, integration-test ]
+ needs: [ prebuild-job, java-check ]
 uses: th2-net/.github/.github/workflows/compaund-java-sonatype-push.yml@main
 with:
 runsOn: ${{ inputs.runsOn }}
@@ -153,16 +169,6 @@ jobs:
 sonatypeSigningKey: ${{ secrets.sonatypeSigningKey }}
 sonatypeSigningPassword: ${{ secrets.sonatypeSigningPassword }}
- owasp-scan:
- if: inputs.scanner-enabled
- uses: th2-net/.github/.github/workflows/owasp-gradle-scan.yml@main
- with:
- multiproject: ${{ inputs.multiproject }}
- javaVersion: ${{ inputs.javaVersion }}
- javaVendor: ${{ inputs.javaVendor }}
- secrets:
- nvd-api-key: ${{ secrets.nvd-api-key }}
-
 create-tag:
 if: inputs.createTag && !cancelled() && (needs.docker-push.result == 'success' || needs.sonatype-push.result == 'success')
 name: Create and push tag
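Review bot: As with the Docker job, removing `!cancelled()` from the `sonatype-push` `if:` means a failed job inside `java-check` skips this job before `needs.java-check.outputs.status` is consulted, so the non-strict path no longer publishes and the new status output is never what decides. Restore `!cancelled() &&` on the first line and add `needs.prebuild-job.result == 'success' &&` in front of the status check so the guard cannot also run past a failed prebuild; the `create-tag` job just below already uses the same `!cancelled()` plus explicit `.result` pattern, so this keeps the file consistent.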
@@ -170,24 +176,4 @@ jobs:
 uses: th2-net/.github/.github/workflows/compaund-git-tag-push.yml@main
 with:
 runsOn: ${{ inputs.runsOn }}
- tagName: ${{ needs.prebuild-job.outputs.version }}
-
- license-check:
- if: inputs.scanner-enabled
- uses: th2-net/.github/.github/workflows/license_check.yml@main
- needs: [prebuild-job]
- with:
- version: ${{ needs.prebuild-job.outputs.version }}
-
- integration-test:
- if: inputs.integration-test-enabled
- strategy:
- matrix:
- integration-test-project: ${{ fromJson(inputs.integration-test-projects) }}
- uses: th2-net/.github/.github/workflows/java-integration-test.yml@integration-tests # FIXME: switch to main branch
- with:
- runsOn: ${{ inputs.runsOn }}
- javaVersion: ${{ inputs.javaVersion }}
- javaVendor: ${{ inputs.javaVendor }}
- projectPath: ${{ matrix.integration-test-project }}
- integrationTestTask: ${{ inputs.integration-test-task }}
\ No newline at end of file
+ tagName: ${{ needs.prebuild-job.outputs.version }}
\ No newline at end of file