Merge pull request #223 from CoreMedia/dependabot/maven/io.netty-nett… #635
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This is the workflow pipeline that runs the default build and checks that are | |
| # needed for this repository. It is triggered by commits on the base branches | |
| # and in pull requests to execute the differential checks that are required the | |
| # pull request. Furthermore, it is triggered regularly to notify about recent | |
| # security issues or other external changes that may break the project checks. | |
| name: Default Pipeline | |
| on: | |
| push: | |
| branches: [ main, 'maintenance-[0-9]+.[0-9]+' ] | |
| pull_request: | |
| # For the CodeQL workflow, the branches below must be a subset of the branches above. | |
| branches: [ main, 'maintenance-[0-9]+.[0-9]+' ] | |
| paths-ignore: [ '**/*.md' ] | |
| schedule: | |
| - cron: '27 11 * * 4' | |
| permissions: | |
| actions: read | |
| contents: write | |
| security-events: write | |
| jobs: | |
| build-and-check: | |
| name: Build and Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/[email protected] | |
| - name: Set up JDK | |
| uses: actions/[email protected] | |
| with: | |
| java-version: 17 | |
| distribution: corretto | |
| cache: ${{ !env.ACT && 'maven' || '' }} | |
| - name: Overwrite Maven settings | |
| run: cp .github/workflows/config/settings.xml ${HOME}/.m2/settings.xml | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/[email protected] | |
| with: | |
| languages: java | |
| queries: security-and-quality | |
| - name: Run Maven Build | |
| run: | | |
| mvn --batch-mode --fail-at-end \ | |
| install javadoc:javadoc \ | |
| -Pintegration-test,default-image,docs-third-party \ | |
| -Dapplication.image-prefix=coremedia \ | |
| -Dapplication.image-suffix=headless-server-commerce \ | |
| -Dapplication.image-tag=${{ github.sha }} \ | |
| -Dsort.verifyFail=stop | |
| env: | |
| NEXUS_GITHUB_ACTIONS_READONLY_USERNAME: ${{ secrets.NEXUS_GITHUB_ACTIONS_READONLY_USERNAME }} | |
| NEXUS_GITHUB_ACTIONS_READONLY_TOKEN: ${{ secrets.NEXUS_GITHUB_ACTIONS_READONLY_TOKEN }} | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/[email protected] | |
| with: | |
| category: '/language:java' | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/[email protected] | |
| with: | |
| scan-type: image | |
| image-ref: "coremedia/headless-server-commerce:${{ github.sha }}" | |
| trivy-config: .github/workflows/config/trivy.yml | |
| format: sarif | |
| output: trivy-results.sarif | |
| limit-severities-for-sarif: true | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/[email protected] | |
| with: | |
| sarif_file: trivy-results.sarif | |
| - name: Update dependency graph | |
| if: github.ref_name == github.event.repository.default_branch | |
| uses: advanced-security/[email protected] | |
| - name: Send failure notification to MS Teams | |
| if: ${{ !success() && github.event_name == 'schedule' }} | |
| uses: aliencube/[email protected] | |
| with: | |
| webhook_uri: ${{ secrets.TEAMS_WEBHOOK_TOKO_CI_NOTIFICATIONS }} | |
| summary: "Workflow **${{ github.workflow }}** failed." | |
| theme_color: d9534f | |
| sections: | | |
| [ | |
| { | |
| "activityTitle": "Notification from ${{ github.repository }}", | |
| "activitySubtitle": "Workflow **${{ github.workflow }}** failed." | |
| } | |
| ] | |
| actions: | | |
| [ | |
| { | |
| "@type": "OpenUri", "name": "View Workflow Run", | |
| "targets": [ | |
| { "os": "default", "uri": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" } | |
| ] | |
| } | |
| ] |