Skip to content

Update dependency org.codehaus.mojo:exec-maven-plugin to v3.4.0 #617

Update dependency org.codehaus.mojo:exec-maven-plugin to v3.4.0

Update dependency org.codehaus.mojo:exec-maven-plugin to v3.4.0 #617

Workflow file for this run

name: "Build, Analyze and Test"
on: [ push, pull_request ]
# Declare default permissions as read only.
permissions: read-all
jobs:
build:
runs-on: ubuntu-latest
permissions:
packages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4
with:
distribution: "temurin"
java-version: 21
- name: Dependency Review
if: github.event_name == 'pull_request'
uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven
restore-keys: |
${{ runner.os }}-maven
- name: Collect dependencies
run: |
./mvnw dependency:go-offline --batch-mode
./mvnw verify --fail-never --batch-mode
- name: Build
run: ./mvnw clean install --batch-mode
- name: Build native
run: ./mvnw clean install -Pnative --batch-mode
- name: Run help
run: target/github-stats-*-runner help
- name: Upload target
uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4
with:
name: target
path: target/
if-no-files-found: error
- name: Upload runner binary
uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4
with:
name: runner
path: target/github-stats-*-runner
if-no-files-found: error
- name: Generate hashes
shell: bash
id: hash
run: |
echo "hashes=$(sha256sum target/github-stats-*-runner | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Get image tags
id: image_tags
uses: redhat-cop/github-actions/get-image-version@e4729075dcd3f34946b80df6b1bfb952b9fee166 # v4
with:
IMAGE_CONTEXT_DIR: src/main/docker
- name: Build image
id: build_image
uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2
with:
dockerfiles: src/main/docker/Dockerfile.native
image: github-stats
oci: true
tags: "${{ steps.image_tags.outputs.IMAGE_TAGS }}"
- name: Push to ghcr.io
if: startsWith(github.ref, 'refs/tags/')
uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2
id: push_image
with:
image: ${{ steps.build_image.outputs.image }}
registry: ghcr.io/${{ github.repository }}
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
tags: ${{ steps.build_image.outputs.tags }}
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
image_repo: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}"
image_digest: "${{ steps.push_image.outputs.digest }}"
image_uri: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}@${{ steps.push_image.outputs.digest }}"
analyze:
needs: [ build ]
runs-on: ubuntu-latest
permissions:
security-events: write
contents: write
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4
with:
distribution: "temurin"
java-version: 21
- name: Initialize CodeQL
uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
with:
languages: java
- name: Autobuild
uses: github/codeql-action/autobuild@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
with:
category: "/language:java"
- name: Submit Dependency Snapshot
uses: advanced-security/maven-dependency-submission-action@bb3f7338b5bd0e3b225d8082e26b7b6289e17ef3 # v4
test:
needs: [ build ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Download target
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
name: target
- name: Make github-stats-*-runner executable
run: chmod +x github-stats-*-runner
- name: Run 'collect-stats' for UKI
env:
GITHUB_LOGIN: ${{ github.repository_owner }}
GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
run: |
touch /tmp/stats.csv
./github-stats-*-runner stats collect-stats --organization=RedHat-Consulting-UK --csv-output=/tmp/stats.csv --validate-org-config=false --required-limit=400
- name: Run 'collect-members-from-ldap' for UKI
env:
GITHUB_LOGIN: ${{ github.repository_owner }}
GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
run: |
touch /tmp/members.csv
./github-stats-*-runner users collect-members-from-ldap --organization=RedHat-Consulting-UK --csv-output=/tmp/members.csv --ldap-members-csv=tests/ldap-members.csv --supplementary-csv=tests/supplementary.csv --fail-if-no-vpn=false --guess=false
- name: Run 'create-who-are-you-issues' for UKI
env:
GITHUB_LOGIN: ${{ github.repository_owner }}
GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
run: ./github-stats-*-runner users create-who-are-you-issues --dry-run=true --organization=RedHat-Consulting-UK --issue-repo=helm3 --ldap-members-csv=tests/ldap-members.csv --supplementary-csv=tests/supplementary.csv --permission=admin --guess=false --fail-if-no-vpn=false
- name: Upload /tmp/*.csv
uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4
with:
name: outputs.csv
path: /tmp/*.csv
if-no-files-found: error
- name: Run create-who-are-you-issues for UKI
env:
GITHUB_LOGIN: ${{ github.repository_owner }}
GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
run: ./github-stats-*-runner users create-who-are-you-issues --dry-run=true --organization=RedHat-Consulting-UK --issue-repo=helm3 --ldap-members-csv=tests/ldap-members.csv --supplementary-csv=tests/supplementary.csv --permission=write --guess=false --fail-if-no-vpn=false
sign-image:
needs: [ build ]
permissions:
id-token: write
packages: write
if: startsWith(github.ref, 'refs/tags/')
env:
image_uri: ${{ needs.build.outputs.image_uri }}
runs-on: ubuntu-latest
steps:
- name: Setup cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3
- name: Cosign login
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | cosign login --username ${{ github.repository_owner }} --password-stdin ghcr.io
- name: Sign Image
run: |
cosign sign --yes ${image_uri}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
env:
TRIVY_USERNAME: ${{ github.repository_owner }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
with:
scan-type: image
image-ref: ${{ env.image_uri }}
format: "cosign-vuln"
output: "cosign-vuln.json"
- name: Run Trivy SBOM generator
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
env:
TRIVY_USERNAME: ${{ github.repository_owner }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
with:
scan-type: image
image-ref: ${{ env.image_uri }}
format: "spdx-json"
output: "spdx-json.json"
- name: Attach attestations
run: |
cosign attest --yes --type vuln --predicate cosign-vuln.json ${image_uri}
cosign attest --yes --type cyclonedx --predicate spdx-json.json ${image_uri}
provenance_binary:
needs: [ build ]
if: startsWith(github.ref, 'refs/tags/')
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # v2.0.0
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: true
provenance_image:
needs: [ build ]
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
if: startsWith(github.ref, 'refs/tags/')
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # v2.0.0
with:
image: ${{ needs.build.outputs.image_repo }}
digest: ${{ needs.build.outputs.image_digest }}
registry-username: ${{ github.repository_owner }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
release:
needs: [ build ]
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
permissions:
contents: write
steps:
- name: Download runner
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
name: runner
- name: Upload assets to release
uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
with:
files: |
github-stats-*-runner