From 747ab23a6ff72a182bdcd19bd38c67b6ae3d0541 Mon Sep 17 00:00:00 2001 From: Shaun Hare Date: Thu, 9 May 2024 09:26:47 +0100 Subject: [PATCH] amended pom and added ci cd workflows --- .github/workflows/cd.yaml | 54 ++++++++++++++++++++++++++++++ .github/workflows/ci.yaml | 17 ++++++++++ .github/workflows/maven_build.yaml | 19 +++++++++++ .github/workflows/security.yaml | 39 +++++++++++++++++++++ pom.xml | 11 +++--- 5 files changed, 135 insertions(+), 5 deletions(-) create mode 100644 .github/workflows/cd.yaml create mode 100644 .github/workflows/ci.yaml create mode 100644 .github/workflows/maven_build.yaml create mode 100644 .github/workflows/security.yaml diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml new file mode 100644 index 0000000..a9ff7cd --- /dev/null +++ b/.github/workflows/cd.yaml @@ -0,0 +1,54 @@ +name: CD + +on: + push: + branches: + - main + +jobs: + release-please: + name: Release + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + outputs: + tag_name: ${{ steps.release.outputs.tag_name }} + release_created: ${{ steps.release.outputs.release_created }} + steps: + - uses: google-github-actions/release-please-action@v4 + id: release + with: + release-type: maven + + call-build-maven: + needs: release-please + name: build with Maven + uses: ./.github/workflows/maven_build.yaml + + publish: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + needs: + - release-please + - call-build-maven + steps: + - name: checkout code + uses: actions/checkout@v4 + + - name: Set up JDK 11 + uses: actions/setup-java@v4 + with: + java-version: '11' + distribution: 'corretto' + cache: 'maven' + + - name: Publish to GitHub Packages Apache Maven + if: ${{needs.release-please.outputs.release_created}} + run: mvn --batch-mode deploy + env: + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + + \ No newline at end of file 
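Review bot: In the `publish` job of cd.yaml the `checkout code` step checks out whatever `main` points at when the job starts, not the commit release-please just tagged, and the `tag_name` output declared on the `release-please` job is never consumed. Those are normally the same commit, but a second push landing on `main` before `publish` runs would be deployed under the release's version; pinning the checkout to the tag closes that gap: `with:` / `ref: ${{ needs.release-please.outputs.tag_name }}`. The `if: ${{needs.release-please.outputs.release_created}}` guard sits on the last step only, so `checkout` and `setup-java` still run on every push to `main`; moving it to the job level (`publish:` / `if: ${{ needs.release-please.outputs.release_created }}`) skips the whole job when no release was created. The trailing whitespace-only `+ ` line and the missing newline at end of file are worth fixing while here.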
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..72604eb --- /dev/null +++ b/.github/workflows/ci.yaml @@ -0,0 +1,17 @@ +name: CI + +on: + pull_request: + +jobs: + security: + name: Security + uses: ./.github/workflows/security.yaml + secrets: inherit + + build-maven: + name: build with Maven + uses: ./.github/workflows/maven_build.yaml + needs: security + + diff --git a/.github/workflows/maven_build.yaml b/.github/workflows/maven_build.yaml new file mode 100644 index 0000000..72d2b9f --- /dev/null +++ b/.github/workflows/maven_build.yaml @@ -0,0 +1,19 @@ +name: Maven Build + +on: + workflow_call: + +permissions: + contents: read + packages: write + +jobs: + build: + name: build + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - run: mvn -B -P github package + + \ No newline at end of file diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml new file mode 100644 index 0000000..e3cb84b --- /dev/null +++ b/.github/workflows/security.yaml @@ -0,0 +1,39 @@ +name: Security Scan + +on: + workflow_call: + inputs: + severity-threshold: + description: "Severity threshold" + required: false + default: "high" + type: string + secrets: + SNYK_TOKEN: + description: "Snyk token" + required: true + schedule: + # Weekly on Monday at 00:00 UTC + - cron: 0 0 * * 1 + +permissions: + contents: read + packages: read + +jobs: + scan: + name: scan + runs-on: ubuntu-latest + steps: + + - uses: actions/checkout@v4 + - uses: snyk/actions/setup@master + - uses: actions/setup-java@v4 + with: + distribution: "corretto" + java-version: "11" + cache: maven + + - run: snyk test --severity-threshold=${{ inputs.severity-threshold || 'high' }} + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} \ No newline at end of file diff --git a/pom.xml b/pom.xml index 2b47e00..29bc5d4 100644 --- a/pom.xml +++ b/pom.xml 
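Review bot: `secrets: inherit` on the `security` job in ci.yaml forwards every repository secret to the called workflow, while security.yaml declares exactly one secret it needs; passing it explicitly keeps the exposure to that one value: `secrets:` / `SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}`. Because the trigger is `pull_request:` with no filter, pull requests opened from forks will, if the repository accepts them, run this workflow without access to secrets, so the required `SNYK_TOKEN` fails the `security` job and `needs: security` then blocks `build-maven` for those PRs as well; a job-level `if` on the head repository, or a non-blocking scan for fork PRs, should be decided deliberately rather than left implicit. The workflow sets no top-level `permissions:`, so the token carries the repository default; `permissions:` / `contents: read` at the top would state the intended least privilege for the caller side.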
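Review bot: The `permissions:` block in maven_build.yaml grants `packages: write`, but the only command in the job is `mvn -B -P github package`, which builds without publishing; `contents: read` is enough unless the `github` profile resolves dependencies from GitHub Packages, in which case `packages: read` is the most it needs. The job also has no `actions/setup-java` step, so the build runs on whatever JDK the `ubuntu-latest` image defaults to, while cd.yaml publishes with Corretto 11; building and publishing with the same JDK keeps the artifact reproducible, so I would add the same `setup-java` step here. The same trailing whitespace-only line and missing newline at end of file as in cd.yaml apply.
```yaml
permissions:
  contents: read

# … unchanged: name, on, jobs.build header and checkout step …
      - uses: actions/setup-java@v4
        with:
          java-version: '11'
          distribution: 'corretto'
          cache: 'maven'

      - run: mvn -B -P github package
```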
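Review bot: `snyk/actions/setup@master` in security.yaml pins the action to a moving branch, and the `snyk test` step that follows runs with `SNYK_TOKEN` in its environment, so any change to that branch is pulled into this job on the next run; pin it to a full commit SHA (`snyk/actions/setup@<commit-sha>`, with the tag or date in a trailing comment) and the same SHA pinning is advisable for `actions/checkout@v4`, `actions/setup-java@v4` and `google-github-actions/release-please-action@v4` in cd.yaml and maven_build.yaml, since a `vN` tag is also mutable. The `run:` line interpolates `${{ inputs.severity-threshold || 'high' }}` directly into the shell command; the input is repository-defined here, but the conventional hardening is to pass it through the environment: `env:` / `SEVERITY: ${{ inputs.severity-threshold || 'high' }}` and `run: snyk test --severity-threshold="$SEVERITY"`. As a point of style, the `cron: 0 0 * * 1` value is usually quoted (`'0 0 * * 1'`), `cache: maven` is the only unquoted value next to `"corretto"` and `"11"`, and the blank line directly after `steps:` can go.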
@@ -12,7 +12,7 @@ 1.13.0 UTF-8 3.8.1 - https://nexus.olcs.dev-dvsacloud.uk/repository/maven-releases + https://maven.pkg.github.com/dvsa/vol-app-security-lib @@ -46,11 +46,12 @@ - + - maven-releases - ${nexus.releases} + github + GitHub dvsa Apache Maven Packages + ${github.url} - +