feat: Add support for AWS Security Hub (#75) #97
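name: CI

# Trigger on every branch push. Because this is a `push` trigger (not
# `pull_request_target`), repository secrets are only exposed to commits that
# a collaborator with write access has pushed.
on:
  push:
    branches:
      - '**'

# Least-privilege GITHUB_TOKEN. Without this block the token gets the
# repository's default (historically read/write on every scope).
#   contents: write       -> gh release create/delete/upload, the dev-tag update
#                            and release-please's `github-release` command
#   pull-requests: write  -> release-please's `release-pr` command
# Every other scope is dropped. Confirm on the first main-branch run that
# release-please can still label its PR; if not, `issues: write` is the
# scope it would additionally need.
permissions:
  contents: write
  pull-requests: write

env:
  # Output directory of `./gradlew dist distThirdParty`; read by the artifact
  # upload and release-asset upload steps.
  DIST_DIR: ${{ github.workspace }}/build/dist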
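jobs:
  # Builds every branch; publishes a production release from `main` when
  # release-please has cut one, or a development pre-release when a
  # `dev_<branch>` tag already exists on origin.
  ci:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every action below is pinned to a mutable major tag. For
      # supply-chain hardening pin each `uses:` to a full commit SHA (keep the
      # tag in a trailing comment) and let Dependabot bump them. The
      # third-party richardsimko/update-tag, which receives GITHUB_TOKEN with
      # contents:write, is the one that matters most.
      - name: Check-out source code
        uses: actions/checkout@v2

      - name: PROD - Prepare GitHub release
        id: create_prod_release
        uses: GoogleCloudPlatform/release-please-action@v2
        if: github.ref == 'refs/heads/main'
        with:
          command: github-release
          release-type: simple
          package-name: ${{ github.event.repository.name }}

      - name: PROD - Define release info
        if: steps.create_prod_release.outputs.release_created
        # Action outputs reach the script through `env:` instead of being
        # spliced into it with ${{ }}, so their content is never parsed as
        # shell syntax by the runner.
        env:
          RP_TAG: ${{ steps.create_prod_release.outputs.tag_name }}
          RP_VERSION: ${{ steps.create_prod_release.outputs.version }}
          RP_MAJOR: ${{ steps.create_prod_release.outputs.major }}
          RP_MINOR: ${{ steps.create_prod_release.outputs.minor }}
        run: |
          {
            echo "DO_BUILD=true"
            echo "DO_RELEASE=true"
            echo "DO_PROD_RELEASE=true"
            echo "RELEASE_TAG=${RP_TAG}"
            echo "RELEASE_VERSION=${RP_VERSION}"
            echo "DOCKER_TAG=${RP_VERSION}"
            echo "DOCKER_EXTRA_TAGS=latest,stable,v${RP_VERSION},${RP_MAJOR}.${RP_MINOR},v${RP_MAJOR}.${RP_MINOR},${RP_MAJOR},v${RP_MAJOR}"
          } >> "$GITHUB_ENV"

      - name: DEV - Define release info
        if: startsWith(github.ref, 'refs/heads/') && !env.DO_PROD_RELEASE
        run: |
          branch="${GITHUB_REF#refs/heads/}"
          # Map every character outside [a-zA-Z0-9_.-] to a dot so the branch
          # name can be used as a tag / Docker tag.
          tag="dev_${branch//[^a-zA-Z0-9_.-]/.}"
          version="0.$(date +'%Y%m%d.%H%M%S')-${tag}"
          {
            echo "DO_BUILD=true"  # a branch push always builds
            echo "BRANCH=${branch}"
            echo "RELEASE_TAG=${tag}"
            echo "RELEASE_VERSION=${version}"
            echo "DOCKER_TAG=${tag}"
            if [ "${branch}" = "main" ]; then
              echo "DOCKER_EXTRA_TAGS=latest_rc"
            fi
          } >> "$GITHUB_ENV"
          # A development release is published only when the `dev_<branch>` tag
          # already exists on origin; the "DEV - Update ... tag" step later
          # moves that tag.
          if git ls-remote --exit-code origin "refs/tags/${tag}" >/dev/null 2>&1; then
            echo "Found tag ${tag}, development release will be published"
            {
              echo "DO_RELEASE=true"
              echo "DO_DEV_RELEASE=true"
            } >> "$GITHUB_ENV"
          else
            echo "Tag ${tag} does not exist, no development release will be published"
          fi

      - name: DEV - Prepare GitHub release
        if: env.DO_DEV_RELEASE
        # Values written to GITHUB_ENV are read back as shell variables
        # ($RELEASE_TAG, $BRANCH) rather than interpolated with ${{ env.* }}.
        # BRANCH holds the raw branch name, and git ref names may contain
        # characters such as `"`, `$(`, `;` and `|` that the runner's shell
        # would otherwise execute.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Best effort: the release may not exist yet.
          gh release delete "$RELEASE_TAG" -y || true
          gh release create "$RELEASE_TAG" -p -t "Development Release - ${BRANCH} branch" -n 'See `Assets` section below for latest build artifacts'

      - name: Update documentation resources
        if: env.DO_BUILD
        run: bash doc-resources/update-repo-docs.sh

      - name: Build release ${{ env.RELEASE_VERSION }}
        if: env.DO_BUILD
        run: ./gradlew dist distThirdParty -Pversion="$RELEASE_VERSION"

      - name: Publish build artifacts
        if: env.DO_BUILD
        uses: actions/upload-artifact@v2
        with:
          name: build_artifacts
          path: ${{ env.DIST_DIR }}

      - name: Publish Docker image
        if: env.DO_RELEASE
        # Docker Hub credentials are exposed only to this `./gradlew jib` step.
        env:
          DOCKER_HUB_USER: ${{ secrets.DOCKER_HUB_USER }}
          DOCKER_HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }}
        run: ./gradlew jib -Pversion="$RELEASE_VERSION" -PjibImageTag="$DOCKER_TAG" -PjibExtraImageTags="$DOCKER_EXTRA_TAGS"

      - name: PROD - Prepare release PR
        uses: GoogleCloudPlatform/release-please-action@v2
        if: github.ref == 'refs/heads/main'
        with:
          command: release-pr
          release-type: simple
          package-name: ${{ github.event.repository.name }}

      - name: DEV - Update ${{ env.RELEASE_TAG }} tag
        uses: richardsimko/update-tag@v1
        if: env.DO_DEV_RELEASE
        with:
          tag_name: ${{ env.RELEASE_TAG }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload assets to release
        if: env.DO_RELEASE
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Collect the artifacts NUL-delimited so paths containing whitespace
          # are passed intact (the former `find -printf "%p "` plus an unquoted
          # expansion word-split them).
          mapfile -d '' files < <(find "$DIST_DIR" -type f -print0)
          gh release upload "$RELEASE_TAG" "${files[@]}" --clobber

  # Smoke-tests the built distribution on each listed Java version.
  test_artifacts_java:
    runs-on: ubuntu-latest
    needs: ci
    # This job never writes to the repository; drop the write scopes the
    # workflow grants to `ci`.
    permissions:
      contents: read
    strategy:
      matrix:
        java: ['8', '11', '17']
    steps:
      - name: Setup java
        uses: actions/setup-java@v2
        with:
          distribution: 'adopt'
          java-version: ${{ matrix.java }}

      - name: Download artifacts
        uses: actions/download-artifact@v2
        with:
          name: build_artifacts

      - name: Test distribution
        # raw -> raw round trip of a one-element JSON array, printed to stdout.
        run: |
          unzip FortifyVulnerabilityExporter.zip
          echo '[{"hello": "world"}]' > test.json
          java -jar FortifyVulnerabilityExporter.jar --export.from=raw --export.to=raw --raw.input=test.json --raw.output.stdout=true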