build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
name: build

# Triggers: pushes to main, and pull requests. A change that touches only the
# two AsciiDoc files listed under paths-ignore does not start a run.
on:
  push:
    branches: [main]
    paths-ignore: ['README.adoc', 'CONTRIBUTING.adoc']
  pull_request:
    paths-ignore: ['README.adoc', 'CONTRIBUTING.adoc']
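jobs:
  # Builds and installs the driver modules. Sonar analysis is switched on or
  # off through the Maven profile name stored in USE_SONAR.
  build:
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: without a permissions block the token
    # gets the repository's default scopes. The only visible use of the token
    # in this job is reading PR information for Sonar; widen this if a step
    # turns out to need more.
    permissions:
      contents: read
      pull-requests: read
    steps:
      - name: 'Set up JDK'
        uses: actions/setup-java@v3
        with:
          distribution: zulu
          java-version: 17
      # The key embeds the commit SHA and no restore-keys are given, so only a
      # cache saved under exactly this key can be restored; presumably this is
      # how artifacts installed here reach the jobs that declare `needs: build`.
      # NOTE(review): this step runs before 'Checkout', so hashFiles() likely
      # sees no pom.xml yet; confirm the hash contributes anything to the key.
      - name: 'Cache Maven packages'
        uses: actions/cache@v3
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}-${{ github.sha }}
      # Exactly one of the next two steps runs. Pull requests from forks and
      # events sent by Dependabot do not receive repository secrets, so for
      # them the profile is written as '-sonar', which Maven treats as
      # "deactivate profile sonar".
      - name: 'Enable Sonar for local PRs not from Dependabot'
        if: ${{ github.event.sender.login != 'dependabot[bot]' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
        run: echo "USE_SONAR=sonar" >> $GITHUB_ENV
      - name: 'Disable Sonar for foreign PRs or from Dependabot'
        if: ${{ github.event.sender.login == 'dependabot[bot]' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository) }}
        run: echo "USE_SONAR=-sonar" >> $GITHUB_ENV
      - name: 'Cache SonarQube packages'
        uses: actions/cache@v3
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: 'Enable reusable Testcontainers'
        run: echo "testcontainers.reuse.enable=true" > ~/.testcontainers.properties
      - name: 'Checkout'
        uses: actions/checkout@v3
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      # The three secrets are exposed to the whole Maven invocation, i.e. to
      # every plugin and test the build runs, not only to the Sonar scanner.
      - name: 'Clean and verify'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        run: >
          ./mvnw --no-transfer-progress
          -P$USE_SONAR -Dsonar.projectKey=neo4j-jdbc -Dsonar.projectName='neo4j-jdbc'
          -am -pl neo4j-jdbc -pl neo4j-jdbc-bundle -pl neo4j-jdbc-full-bundle
          clean install

  # Runs the neo4j-jdbc-it module once per JDK in the matrix, after `build`.
  integration_tests:
    name: Integration tests using Java ${{ matrix.java }}
    runs-on: ubuntu-latest
    # No step in this job passes GITHUB_TOKEN explicitly; read-only contents
    # is enough for the checkout.
    permissions:
      contents: read
    strategy:
      matrix:
        java: [ '17', '21' ]
    needs: build
    steps:
      - name: 'Set up JDK'
        uses: actions/setup-java@v3
        with:
          distribution: zulu
          java-version: ${{ matrix.java }}
      # Same key as in `build`, so this restores what that job saved for the
      # same commit.
      - name: 'Cache Maven packages'
        uses: actions/cache@v3
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}-${{ github.sha }}
      - name: 'Enable reusable Testcontainers'
        run: echo "testcontainers.reuse.enable=true" > ~/.testcontainers.properties
      - name: 'Checkout'
        uses: actions/checkout@v3
      # Mode 640: owner read/write, group read, no access for others.
      - name: 'Ensure read permissions for neo4j.conf'
        run: chmod 640 neo4j-jdbc-it/neo4j-jdbc-it-cp/src/test/resources/cc/neo4j.conf
      - name: 'Run integration tests'
        run: >
          ./mvnw --no-transfer-progress
          -DskipUTs
          -f neo4j-jdbc-it
          clean verify

  # Runs the neo4j-jdbc-it-cp module with -Dnative on GraalVM, after `build`.
  native_build:
    name: Test using native image
    runs-on: ubuntu-latest
    # The token is handed to setup-graalvm below; nothing visible here needs
    # more than read access to repository contents.
    permissions:
      contents: read
    needs: build
    steps:
      - name: 'Setup GraalVM'
        uses: graalvm/setup-graalvm@v1
        with:
          distribution: 'graalvm-community'
          java-version: '17'
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: 'Cache Maven packages'
        uses: actions/cache@v3
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}-${{ github.sha }}
      - name: 'Enable reusable Testcontainers'
        run: echo "testcontainers.reuse.enable=true" > ~/.testcontainers.properties
      - name: 'Checkout'
        uses: actions/checkout@v3
      - name: 'Run native tests'
        run: ./mvnw --no-transfer-progress -DskipUTs -Dnative clean verify -pl neo4j-jdbc-it/neo4j-jdbc-it-cp

  # Dependency vulnerability scan. Skipped for fork PRs and Dependabot, using
  # the same condition that enables Sonar in `build`; SNYK_TOKEN would not be
  # available to those runs.
  security_test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    if: ${{ github.event.sender.login != 'dependabot[bot]' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
    steps:
      - name: 'Checkout'
        uses: actions/checkout@v3
      # NOTE(review): `@master` is a mutable branch ref, and this step runs
      # with SNYK_TOKEN in its environment, so whatever that branch points to
      # at run time executes with the secret. Pin the action to the full
      # commit SHA of a reviewed revision and update it deliberately.
      - name: 'Run Snyk to check for vulnerabilities'
        uses: snyk/actions/maven@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high --all-projects --exclude=dist,docs,etc,neo4j-jdbc-bundle,neo4j-jdbc-full-bundle,neo4j-jdbc-it,neo4j-jdbc-test-results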