Update release pipeline (#689)

- Adds Nexus plugin to have automatic releases - Adds Licensee plugin for dependency license verification - Adds CycloneDX plugin to generate SBOM - Adds Grunt plugin to collect dependency licenses - Includes LICENSE, SBOM, Licensee Report and NodeJS dependency licenses in META-INF - Switches to Setup Gradle action from deprecated Gradle Build Action - Names earlier unnamed Steps of the workflows - Trims dependency verification metadata {patch} Signed-off-by: Esta Nagy <[email protected]>
nagyesta · May 5, 2024 · a797107 · a797107
1 parent 3e5e743
commit a797107
Show file tree

Hide file tree

Showing 15 changed files with 1,193 additions and 1,539 deletions.
diff --git a/.github/workflows/add-index-exclusion.yml b/.github/workflows/add-index-exclusion.yml
@@ -14,22 +14,24 @@ jobs:
     name: Add OSS Index Exclusion action
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - name: Checkout
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
           token: ${{ secrets.PUBLISH_KEY }}
-      - name: "Add exclusion"
+      - name: Add exclusion
         run: |
           echo "${{ github.event.inputs.exclusion }}" >> config/ossindex/exclusions.txt
-      - name: "git branch"
+      - name: Create git branch
         run: |
           git config --global user.name 'Esta Nagy'
           git config --global user.email '[email protected]'
           git checkout -b feature/exclude-vulnerability-run-${{ github.run_number }}
           git add config/ossindex/exclusions.txt
           git commit -asm "Excluding vulnerability ${{ github.event.inputs.exclusion }} {patch}"
           git push -f --set-upstream origin feature/exclude-vulnerability-run-${{ github.run_number }}
-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      - name: Create PR
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{ secrets.PUBLISH_KEY }}
           script: |

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -52,7 +52,6 @@ on:
       - '.github/pr-labeler.yml'
       - 'renovate.json'
       - '.whitesource'
-      - 'gradle/libs.versions.toml'
 
 permissions:
   # required for all workflows
@@ -81,18 +80,13 @@ jobs:
         uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
         with:
           languages: 'java'
-          # If you wish to specify custom queries, you can do so here or in a config file.
-          # By default, queries listed here will override any specified in a config file.
-          # Prefix the list here with "+" to use these queries and those in the config file.
-          # queries: ./path/to/local/query, your-org/your-repo/queries@main
-      - name: Build with Gradle
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
+      - name: Set up Gradle
+        uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
         with:
           cache-disabled: true
-          arguments: build -x test
+      - name: Build with Gradle
+        run: ./gradlew build -x test
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
       - name: Check dependencies with Gradle
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
-        with:
-          arguments: ossIndexAudit -PossIndexUsername=${{ secrets.OSS_INDEX_USER }} -PossIndexPassword=${{ secrets.OSS_INDEX_PASSWORD }}
+        run: ./gradlew ossIndexAudit -PossIndexUsername=${{ secrets.OSS_INDEX_USER }} -PossIndexPassword=${{ secrets.OSS_INDEX_PASSWORD }}
diff --git a/.github/workflows/gradle-ci.yml b/.github/workflows/gradle-ci.yml
@@ -33,7 +33,6 @@ on:
       - '.github/pr-labeler.yml'
       - 'renovate.json'
       - '.whitesource'
-      - 'gradle/libs.versions.toml'
       - 'config/ossindex/exclusions.txt'
 
 permissions: read-all
@@ -47,38 +46,39 @@ jobs:
 
     steps:
       # Set up build environment
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - name: Checkout
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
       - name: Set up JDK 17
         uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
         with:
           distribution: temurin
           java-version: 17
-      - name: 'Decode key (if Ubuntu)'
+      - name: Decode key (if Ubuntu)
         if: ${{ matrix.os == 'ubuntu-latest' }}
         run: |
           mkdir -p ${{ runner.temp }}/.gnupg/
           echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}" | base64 --decode > ${{ runner.temp }}/.gnupg/secring.gpg
-      - name: 'Build with Gradle (if Ubuntu)'
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
-        if: ${{ matrix.os == 'ubuntu-latest' }}
+      - name: Set up Gradle
+        uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
         with:
-          arguments: |
-            printVersion build sign
-            -Psigning.keyId=${{ secrets.SIGNING_KEY_ID }}
-            -Psigning.password=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
-            -Psigning.secretKeyRingFile=${{ runner.temp }}/.gnupg/secring.gpg
-      - name: 'Build with Gradle (if Windows)'
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
+          cache-disabled: true
+      - name: Build with Gradle (if Ubuntu)
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        run: >
+          ./gradlew printVersion build sign
+          -Psigning.keyId=${{ secrets.SIGNING_KEY_ID }}
+          -Psigning.password=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
+          -Psigning.secretKeyRingFile=${{ runner.temp }}/.gnupg/secring.gpg
+      - name: Build with Gradle (if Windows)
         if: ${{ matrix.os != 'ubuntu-latest' }}
-        with:
-          arguments: printVersion build
-      - name: 'Clean-up GPG key (if Ubuntu)'
+        run: ./gradlew printVersion build
+      - name: Clean-up GPG key (if Ubuntu)
         if: ${{ matrix.os == 'ubuntu-latest' }}
         run: |
           rm -rf ${{ runner.temp }}/.gnupg/
-      - name: 'Upload Test reports - All'
+      - name: Upload Test reports - All
         if: always()
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:

diff --git a/.github/workflows/gradle-oss-index-scan.yml b/.github/workflows/gradle-oss-index-scan.yml
@@ -22,7 +22,9 @@ jobs:
         with:
           distribution: temurin
           java-version: 17
-      - name: Check dependencies with Gradle
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
+      - name: Set up Gradle
+        uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
         with:
-          arguments: ossIndexAudit -PossIndexUsername=${{ secrets.OSS_INDEX_USER }} -PossIndexPassword=${{ secrets.OSS_INDEX_PASSWORD }}
+          cache-disabled: true
+      - name: Check dependencies with Gradle
+        run: ./gradlew ossIndexAudit -PossIndexUsername=${{ secrets.OSS_INDEX_USER }} -PossIndexPassword=${{ secrets.OSS_INDEX_PASSWORD }}
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
@@ -43,39 +43,40 @@ jobs:
 
     steps:
       # Set up build environment
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - name: Checkout
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
+          token: ${{ secrets.PUBLISH_KEY }}
       - name: Set up JDK 17
         uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
         with:
           distribution: temurin
           java-version: 17
-      - name: 'Build with Gradle'
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
+      - name: Set up Gradle
+        uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
         with:
-          gradle-home-cache-cleanup: true
-          arguments: |
-            tagVersion build
-            -PgithubUser=${{ secrets.PUBLISH_USER_NAME }}
-            -PgithubToken=${{ secrets.PUBLISH_KEY }}
+          cache-disabled: true
+      - name: Build with Gradle
+        run: >
+          ./gradlew tagVersion build
+          -PgithubUser=${{ secrets.PUBLISH_USER_NAME }}
+          -PgithubToken=${{ secrets.PUBLISH_KEY }}
       - name: Decode key
         run: |
           mkdir -p ${{ runner.temp }}/.gnupg/
           echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}" | base64 --decode > ${{ runner.temp }}/.gnupg/secring.gpg
-      - name: 'Publish with Gradle'
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
-        with:
-          arguments: |
-            publish
-            -PgithubUser=${{ secrets.PUBLISH_USER_NAME }}
-            -PgithubToken=${{ secrets.PUBLISH_KEY }}
-            -PossrhUsername=${{ secrets.OSSRH_USER }}
-            -PossrhPassword=${{ secrets.OSSRH_PASS }}
-            -Psigning.keyId=${{ secrets.SIGNING_KEY_ID }}
-            -Psigning.password=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
-            -Psigning.secretKeyRingFile=${{ runner.temp }}/.gnupg/secring.gpg
-      - name: 'Clean-up GPG key'
+      - name: Publish with Gradle
+        run: >
+          ./gradlew publish publishToSonatype closeAndReleaseSonatypeStagingRepository
+          -PgithubUser=${{ secrets.PUBLISH_USER_NAME }}
+          -PgithubToken=${{ secrets.PUBLISH_KEY }}
+          -PossrhUsername=${{ secrets.OSSRH_USER }}
+          -PossrhPassword=${{ secrets.OSSRH_PASS }}
+          -Psigning.keyId=${{ secrets.SIGNING_KEY_ID }}
+          -Psigning.password=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
+          -Psigning.secretKeyRingFile=${{ runner.temp }}/.gnupg/secring.gpg
+      - name: Clean-up GPG key
         if: always()
         run: |
           rm -rf ${{ runner.temp }}/.gnupg/

diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
@@ -9,7 +9,8 @@ jobs:
   pr-labeler:
     runs-on: ubuntu-latest
     steps:
-      - uses: TimonVS/pr-labeler-action@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af # v5.0.0
+      - name: Label PR
+        uses: TimonVS/pr-labeler-action@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af # v5.0.0
         with:
           configuration-path: .github/pr-labeler.yml # optional, .github/pr-labeler.yml is the default value
         env:

diff --git a/.github/workflows/release-draft.yml b/.github/workflows/release-draft.yml
@@ -9,7 +9,8 @@ jobs:
     name: Draft release action
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      - name: Create PR
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             github.rest.repos.createRelease({

diff --git a/.github/workflows/release-trigger.yml b/.github/workflows/release-trigger.yml
@@ -18,11 +18,12 @@ jobs:
     name: Release trigger action
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - name: Checkout
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
           token: ${{ secrets.PUBLISH_KEY }}
-      - name: "Check existing tag"
+      - name: Check existing tag
         id: check
         run: |
           echo "::set-output name=has_tag::$(git log --format='format:%d' --decorate-refs="refs/tags/v*" -n 1 | grep tag | wc -l)"
@@ -33,11 +34,11 @@ jobs:
           echo "Execution: ${{ github.event.inputs.execution }}"
           echo "---"
           echo "Should run: ${{ steps.check.outputs.has_tag == 0 || github.event.inputs.execution == 'Manual' }}"
-      - name: "Update trigger"
+      - name: Update trigger
         if: ${{ steps.check.outputs.has_tag == 0 || github.event.inputs.execution == 'Manual' }}
         run: |
           date +%s > .release-trigger
-      - name: "git branch"
+      - name: Create git branch
         if: ${{ steps.check.outputs.has_tag == 0 || github.event.inputs.execution == 'Manual' }}
         run: |
           git config --global user.name 'Esta Nagy'
@@ -46,7 +47,8 @@ jobs:
           git add .release-trigger
           git commit -asm "Triggering a release {patch}"
           git push -f --set-upstream origin release/run-${{ github.run_number }}
-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      - name: Create PR
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         if: ${{ steps.check.outputs.has_tag == 0 || github.event.inputs.execution == 'Manual' }}
         with:
           github-token: ${{ secrets.PUBLISH_KEY }}

diff --git a/.github/workflows/update-dependency-checksums.yml b/.github/workflows/update-dependency-checksums.yml
@@ -9,7 +9,8 @@ jobs:
     name: Dependency checksum compaction action
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - name: Checkout
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
           token: ${{ secrets.PUBLISH_KEY }}
@@ -18,22 +19,24 @@ jobs:
         with:
           distribution: temurin
           java-version: 17
-      - name: "Remove previous version"
+      - name: Remove previous version
         run: cp gradle/verification-metadata-clean.xml gradle/verification-metadata.xml
-      - name: "Update checksums"
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
+      - name: Set up Gradle
+        uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
         with:
           cache-disabled: true
-          arguments: --write-verification-metadata sha256
-      - name: "Git commit"
+      - name: Update checksums
+        run: ./gradlew help licensee --write-verification-metadata sha256
+      - name: Git commit
         run: |
           git config --global user.name 'Esta Nagy'
           git config --global user.email '[email protected]'
           git checkout -b feature/update-dependency-checksums-${{ github.run_number }}
           git add gradle/verification-metadata.xml
           git commit -asm "Updating dependency checksums {patch}"
           git push -f --set-upstream origin feature/update-dependency-checksums-${{ github.run_number }}
-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      - name: Create PR
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{ secrets.PUBLISH_KEY }}
           script: |