diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
new file mode 100644
index 0000000..a9ff7cd
--- /dev/null
+++ b/.github/workflows/cd.yaml
@@ -0,0 +1,54 @@
+name: CD
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ release-please:
+ name: Release
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ outputs:
+ tag_name: ${{ steps.release.outputs.tag_name }}
+ release_created: ${{ steps.release.outputs.release_created }}
+ steps:
+ - uses: google-github-actions/release-please-action@v4
+ id: release
+ with:
+ release-type: maven
+
+ call-build-maven:
+ needs: release-please
+ name: build with Maven
+ uses: ./.github/workflows/maven_build.yaml
+
+ publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ needs:
+ - release-please
+ - call-build-maven
+ steps:
+ - name: checkout code
+ uses: actions/checkout@v4
+
+ - name: Set up JDK 11
+ uses: actions/setup-java@v4
+ with:
+ java-version: '11'
+ distribution: 'corretto'
+ cache: 'maven'
+
+ - name: Publish to GitHub Packages Apache Maven
+ if: ${{needs.release-please.outputs.release_created}}
+ run: mvn --batch-mode deploy
+ env:
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+
\ No newline at end of file
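Review bot: The release gate in the `publish` job sits on the last step only (`if: ${{needs.release-please.outputs.release_created}}`), so on every push to main that does not cut a release the job still checks out the repo and installs a JDK before skipping the deploy; moving the condition to the job level, `publish:` followed by `if: ${{ needs.release-please.outputs.release_created }}`, avoids that work and makes the gate visible in the job list. The deploy step also runs plain `mvn --batch-mode deploy` while maven_build.yaml builds with `-P github`; if that profile is what selects the GitHub Packages repository (the pom hunk only shows a `github` repository entry, not the profile), the two invocations should agree, e.g. `run: mvn --batch-mode -P github deploy`. The `GITHUB_TOKEN` env name must match whatever server id the deploy's settings.xml expects; that file is not in the diff, so this is worth confirming.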
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..72604eb
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,17 @@
+name: CI
+
+on:
+ pull_request:
+
+jobs:
+ security:
+ name: Security
+ uses: ./.github/workflows/security.yaml
+ secrets: inherit
+
+ build-maven:
+ name: build with Maven
+ uses: ./.github/workflows/maven_build.yaml
+ needs: security
+
+
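Review bot: `secrets: inherit` on the `security` job hands every repository and organisation secret to the called workflow, although security.yaml declares only `SNYK_TOKEN`; passing that one secret explicitly, `secrets:` then `SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}`, keeps the reusable workflow to the least it needs. Note too that the trigger is `pull_request`, and for pull requests opened from forks secrets are not exposed to the run, so the `required: true` secret in security.yaml would be empty there; if fork contributions are expected, the scan needs a different trigger or a conditional, which this hunk does not address.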
diff --git a/.github/workflows/maven_build.yaml b/.github/workflows/maven_build.yaml
new file mode 100644
index 0000000..72d2b9f
--- /dev/null
+++ b/.github/workflows/maven_build.yaml
@@ -0,0 +1,19 @@
+name: Maven Build
+
+on:
+ workflow_call:
+
+permissions:
+ contents: read
+ packages: write
+
+jobs:
+ build:
+ name: build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - run: mvn -B -P github package
+
+
\ No newline at end of file
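Review bot: The top-level `permissions` block grants `packages: write` to a job whose only step is `mvn -B -P github package`, which builds but does not publish; `packages: read` is the most this job can need, so the line should read `packages: read`. If the `github` profile resolves dependencies from GitHub Packages, which the pom hunk suggests but does not show, that read access still requires a token to reach Maven, and no `GITHUB_TOKEN` env is set on the mvn step here, so the build would fail to authenticate. Worth confirming against the profile definition in pom.xml, which is outside this diff.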
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
new file mode 100644
index 0000000..e3cb84b
--- /dev/null
+++ b/.github/workflows/security.yaml
@@ -0,0 +1,39 @@
+name: Security Scan
+
+on:
+ workflow_call:
+ inputs:
+ severity-threshold:
+ description: "Severity threshold"
+ required: false
+ default: "high"
+ type: string
+ secrets:
+ SNYK_TOKEN:
+ description: "Snyk token"
+ required: true
+ schedule:
+ # Weekly on Monday at 00:00 UTC
+ - cron: 0 0 * * 1
+
+permissions:
+ contents: read
+ packages: read
+
+jobs:
+ scan:
+ name: scan
+ runs-on: ubuntu-latest
+ steps:
+
+ - uses: actions/checkout@v4
+ - uses: snyk/actions/setup@master
+ - uses: actions/setup-java@v4
+ with:
+ distribution: "corretto"
+ java-version: "11"
+ cache: maven
+
+ - run: snyk test --severity-threshold=${{ inputs.severity-threshold || 'high' }}
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
\ No newline at end of file
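Review bot: `snyk/actions/setup@master` in the scan job tracks a mutable branch, so whatever is pushed to that branch next runs in this workflow with access to `SNYK_TOKEN`; pin it to a full commit SHA with the version noted in a comment, e.g. `- uses: snyk/actions/setup@<commit-sha-placeholder>  # <release-tag-placeholder>`. The same pinning applies, with lower risk, to the tag references `google-github-actions/release-please-action@v4` in cd.yaml and the `actions/*@v4` uses across all four workflows, since a tag can be moved. The `schedule` trigger is compatible with the `workflow_call` inputs here only because of the `|| 'high'` fallback on the `snyk test` line, which is correct as written; a comment on line `- cron: 0 0 * * 1` that on scheduled runs `inputs` are empty and the fallback applies would make that intent explicit.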
diff --git a/pom.xml b/pom.xml
index 2b47e00..29bc5d4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -12,7 +12,7 @@
1.13.0
UTF-8
3.8.1
- https://nexus.olcs.dev-dvsacloud.uk/repository/maven-releases
+ https://maven.pkg.github.com/dvsa/vol-app-security-lib
@@ -46,11 +46,12 @@
-
+
- maven-releases
- ${nexus.releases}
+ github
+ GitHub dvsa Apache Maven Packages
+ ${github.url}
-
+