From 73c4dfd030f6ba2c36623916a6a9680dd8bc968f Mon Sep 17 00:00:00 2001
From: Denis Plotnikov
Date: Tue, 7 Feb 2023 11:43:55 +0400
Subject: [PATCH] [TH2-4566] Reusable workflow with dependency check
---
 .../workflows/dev-java-publish-sonatype.yml | 73 +++++++------------
 .github/workflows/java-publish-sonatype.yml | 42 +++++++----
 .gitignore | 3 +
 build.gradle | 38 +++++++++-
 settings.gradle | 1 +
 5 files changed, 96 insertions(+), 61 deletions(-)
diff --git a/.github/workflows/dev-java-publish-sonatype.yml b/.github/workflows/dev-java-publish-sonatype.yml
index eaa23d5d..38da564e 100644
--- a/.github/workflows/dev-java-publish-sonatype.yml
+++ b/.github/workflows/dev-java-publish-sonatype.yml
@@ -1,56 +1,39 @@ - name: Dev build and publish Java distributions to sonatype snapshot repository on: push: branches-ignore: - master - version-* - # paths: - # - gradle.properties jobs: - build: - runs-on: ubuntu-20.04 - permissions: - contents: read - packages: write + build-job: + uses: th2-net/.github/.github/workflows/compound-java-dev.yml@main + with: + scanner-enabled: false + build-target: 'Sonatype' + runsOn: ubuntu-latest + secrets: + sonatypeUsername: ${{ secrets.SONATYPE_NEXUS_USERNAME }} + sonatypePassword: ${{ secrets.SONATYPE_NEXUS_PASSWORD }} + sonatypeSigningKey: ${{ secrets.SONATYPE_GPG_ARMORED_KEY }} + sonatypeSigningPassword: ${{ secrets.SONATYPE_SIGNING_PASSWORD }} + scan-job: + runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - # Prepare custom build version - - name: Get branch name - id: branch - run: echo "branch_name=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT - - name: Get SHA of the commit - id: sha - run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT - - name: Get release_version - id: ver - uses: christian-draeger/read-properties@1.1.1 - with: - path: gradle.properties - properties: release_version - - name: Build custom release version - id: release_ver - run: echo value="${{ steps.ver.outputs.release_version }}-${{ steps.branch.outputs.branch_name }}-${{ github.run_id }}-${{ steps.sha.outputs.sha_short }}-SNAPSHOT" >> $GITHUB_OUTPUT - - name: Write custom release version to file - uses: christian-draeger/write-properties@1.1.0 + - name: Checkout code + uses: actions/checkout@v3 + - name: Create lockfiles + run: ./gradlew createLockFiles + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@master with: - path: gradle.properties - property: release_version - value: ${{ steps.release_ver.outputs.value }} - - name: Show custom release version - run: echo ${{ steps.release_ver.outputs.value }} -# Build and publish package - - name: Set up JDK 11 - uses: actions/setup-java@v3 
+ scan-type: 'fs' + ignore-unfixed: false + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH,MEDIUM' + exit-code: '0' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 with: - java-version: '11' - distribution: 'zulu' - - name: Build with Gradle - run: ./gradlew --info clean build publish - env: - ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.SONATYPE_NEXUS_USERNAME }} - ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.SONATYPE_NEXUS_PASSWORD }} - ORG_GRADLE_PROJECT_signingKey: ${{ secrets.SONATYPE_GPG_ARMORED_KEY }} - ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.SONATYPE_SIGNING_PASSWORD }} - + sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/java-publish-sonatype.yml b/.github/workflows/java-publish-sonatype.yml index 2dd368c3..5d1e85f9 100644 --- a/.github/workflows/java-publish-sonatype.yml +++ b/.github/workflows/java-publish-sonatype.yml @@ -1,5 +1,4 @@ name: Build and release Java distributions to sonatype. - on: push: branches: 
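Review bot: The new `scan-job` has no `permissions:` block even though the old build job declared one, and `github/codeql-action/upload-sarif` needs `security-events: write`; depending on the repository's default token grant the upload either runs with an overly broad token or fails outright, so declare `permissions:` / `  contents: read` / `  security-events: write` on `scan-job`. Both third-party references float on a branch — `aquasecurity/trivy-action@master` and the reusable workflow `th2-net/.github/.github/workflows/compound-java-dev.yml@main`, which receives the Sonatype credentials and the armored GPG signing key — so anyone who can push to either branch can change what runs here with those secrets in scope; pin each to a full commit SHA (tag in a trailing comment) and let Dependabot bump them. `exit-code: '0'` means findings never fail the dev build, which is reasonable for a snapshot branch but should be stated next to it, e.g. `# advisory only: findings go to the Security tab, the dev build is not gated`.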
@@ -10,18 +9,33 @@ on: jobs: build: - runs-on: ubuntu-20.04 - + uses: th2-net/.github/.github/workflows/compound-java.yml@main + with: + scanner-enabled: false + build-target: 'Sonatype' + runsOn: ubuntu-latest + secrets: + sonatypeUsername: ${{ secrets.SONATYPE_NEXUS_USERNAME }} + sonatypePassword: ${{ secrets.SONATYPE_NEXUS_PASSWORD }} + sonatypeSigningKey: ${{ secrets.SONATYPE_GPG_ARMORED_KEY }} + sonatypeSigningPassword: ${{ secrets.SONATYPE_SIGNING_PASSWORD }} + scan-job: + runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - name: Set up JDK 11 - uses: actions/setup-java@v3 + - name: Checkout code + uses: actions/checkout@v3 + - name: Create lockfiles + run: ./gradlew createLockFiles + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + ignore-unfixed: false + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH,MEDIUM' + exit-code: '0' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 with: - java-version: '11' - - name: Build with Gradle - run: ./gradlew --info clean build publish closeAndReleaseSonatypeStagingRepository - env: - ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.SONATYPE_NEXUS_USERNAME }} - ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.SONATYPE_NEXUS_PASSWORD }} - ORG_GRADLE_PROJECT_signingKey: ${{ secrets.SONATYPE_GPG_ARMORED_KEY }} - ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.SONATYPE_SIGNING_PASSWORD }} + sarif_file: 'trivy-results.sarif' \ No newline at end of file diff --git a/.gitignore b/.gitignore index 6fcf3455..edd45737 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,9 @@ /cradle-cassandra/.project /cradle-cassandra/.classpath /cradle-cassandra/build +/cradle-cassandra/gradle/ +/cradle-core/gradle/ +/gradle/dependency-locks/ /cradle-core/.classpath /cradle-core/.project /cradle-core/.settings diff --git a/build.gradle b/build.gradle index 2470ba15..dff98f9f 100644 
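Review bot: The vulnerability scan does not gate the release: `scan-job` has no `needs:` relationship with `build`, so the publish that the removed `./gradlew ... publish closeAndReleaseSonatypeStagingRepository` step performed (now inside the reusable workflow, not visible here) runs in parallel, and with `exit-code: '0'` even CRITICAL findings only appear in the Security tab after the artifact is already public. If known-vulnerable dependencies are meant to block a release, set `exit-code: '1'` for the gate and add `needs: scan-job` under `build`; if the scan is deliberately advisory, say so in a comment above `scan-job` so nobody assumes released artifacts were vetted. As in the dev workflow, `trivy-action@master` and `compound-java.yml@main` (which receives the signing key) should be pinned to commit SHAs, and `scan-job` needs an explicit `permissions:` block with `security-events: write` for the SARIF upload.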
--- a/build.gradle
+++ b/build.gradle
@@ -4,8 +4,8 @@ plugins {
 }
 ext {
- slf4j_version = '1.7.26'
- jackson_version = '2.9.7'
+ slf4j_version = '1.7.36'
+ jackson_version = '2.13.4'
 sharedDir = file("${project.rootDir}/shared")
 }
@@ -13,6 +13,24 @@ ext {
 allprojects {
 version = release_version
 group = 'com.exactpro.th2'
+
+ configurations {
+ compileClasspath {
+ resolutionStrategy.activateDependencyLocking()
+ }
+ }
+
+ tasks.register('resolveAndLockAll') {
+ doFirst {
+ println gradle.startParameter.writeDependencyLocks
+ }
+ doLast {
+ configurations.findAll {
+ // Add any custom filtering on the configurations to be resolved
+ it.canBeResolved
+ }.each { it.resolve() }
+ }
+ }
 }
 subprojects {
@@ -29,6 +47,22 @@ subprojects {
 resolutionStrategy.cacheDynamicVersionsFor 0, 'seconds'
 }
 }
+
+ configurations {
+ compileClasspath {
+ resolutionStrategy.activateDependencyLocking()
+ }
+ }
+
+ tasks.register('createLockFiles', Copy) {
+ dependsOn('resolveAndLockAll')
+ from "./gradle/dependency-locks/compileClasspath.lockfile"
+ into "./.."
+
+ rename { String filename ->
+ return project.name + '-' + filename
+ }
+ }
 defaultTasks 'build'
diff --git a/settings.gradle b/settings.gradle
index f7f7a1a8..5ca681b5 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -4,3 +4,4 @@ include 'cradle-cassandra'
 // Defined names will be used for jar and artifact names
 project(':cradle-core').name = 'cradle-core'
 project(':cradle-cassandra').name = 'cradle-cassandra'
+startParameter.setWriteDependencyLocks(true)
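Review bot: `createLockFiles` fails silently when there is nothing to copy: a Gradle `Copy` task whose `from` does not exist is skipped as NO-SOURCE, the hard-coded `./gradle/dependency-locks/compileClasspath.lockfile` path is the legacy per-configuration layout (newer Gradle writes a single `gradle.lockfile` by default — confirm against the wrapper version), and I would also verify that lock state is on disk at that point rather than persisted at build end; in every one of those cases Trivy scans an empty tree and `exit-code: '0'` reports a clean run. Replace the `Copy` task with a plain task that checks the lockfile exists before copying, and consider locking `runtimeClasspath` as well, since only `compileClasspath` is locked here and runtime-only dependencies never reach the scanner.
```groovy
    tasks.register('createLockFiles') {
        dependsOn('resolveAndLockAll')
        def lockFile = file("./gradle/dependency-locks/compileClasspath.lockfile")
        doLast {
            // A Copy task is skipped as NO-SOURCE when the lockfile is missing; fail loudly instead
            if (!lockFile.isFile()) {
                throw new GradleException("No lockfile at ${lockFile}: dependency locking wrote nothing for ${project.name}")
            }
            copy {
                from lockFile
                into "./.."
                rename { String filename -> project.name + '-' + filename }
            }
        }
    }
```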
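Review bot: `startParameter.setWriteDependencyLocks(true)` in settings.gradle is unconditional, so every Gradle invocation — including the build/publish runs inside the reusable workflows — is in `--write-locks` mode, which rewrites lock state rather than enforcing it; together with the new `.gitignore` entries for `gradle/dependency-locks/`, `activateDependencyLocking()` never pins a version across builds and only materialises scanner input. If that is the intent, document it on that line: `// Always --write-locks: lockfiles are regenerated as Trivy input (see createLockFiles), are not committed and do not pin the build`. If reproducible resolution was also a goal, drop this line, commit the lockfiles, and pass `--write-locks` only from the `createLockFiles` step in CI.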