diff --git a/.github/workflows/build-project.yml b/.github/workflows/build-project.yml index af51bfdd..b8f088eb 100644 --- a/.github/workflows/build-project.yml +++ b/.github/workflows/build-project.yml @@ -18,19 +18,21 @@ jobs: name: Build runs-on: ubuntu-latest timeout-minutes: 15 - + permissions: + contents: read + steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 #v4 with: distribution: 'zulu' java-version: '17' - name: Create custom Maven Settings.xml - uses: whelk-io/maven-settings-xml-action@v22 + uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d #v22 with: output_file: custom_maven_settings.xml servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]' diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 6de4934f..dea7f70b 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -16,7 +16,7 @@ jobs: release_please: runs-on: ubuntu-latest steps: - - uses: google-github-actions/release-please-action@v4 + - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee #v4 id: release with: release-type: maven @@ -25,7 +25,7 @@ jobs: - if: ${{ steps.release.outputs.release_created }} name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - name: Extract tag name if: ${{ steps.release.outputs.release_created }} @@ -35,14 +35,14 @@ jobs: run: echo "##[set-output name=tagname;]$(echo ${GITHUB_REF##*/})" - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 #v4 if: ${{ steps.release.outputs.release_created }} with: distribution: 'zulu' java-version: '17' - name: Create custom Maven Settings.xml - uses: whelk-io/maven-settings-xml-action@v22 + uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d #v22 if: ${{ steps.release.outputs.release_created }} with: output_file: custom_maven_settings.xml diff --git a/.github/workflows/release-project.yml b/.github/workflows/release-project.yml index de54c90a..1bf5e200 100644 --- a/.github/workflows/release-project.yml +++ b/.github/workflows/release-project.yml @@ -16,7 +16,7 @@ jobs: packages: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - name: Extract tag name id: extract_tagname @@ -25,13 +25,13 @@ jobs: run: echo "##[set-output name=tagname;]$(echo ${GITHUB_REF##*/})" - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 #v4 with: distribution: 'zulu' java-version: '17' - name: Create custom Maven Settings.xml - uses: whelk-io/maven-settings-xml-action@v22 + uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d #v22 with: output_file: custom_maven_settings.xml servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]' diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml index 58204bb7..af7168af 100644 --- a/.github/workflows/reuse.yml +++ b/.github/workflows/reuse.yml @@ -11,6 +11,6 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - name: REUSE Compliance Check - uses: fsfe/reuse-action@v3 + uses: fsfe/reuse-action@a46482ca367aef4454a87620aa37c2be4b2f8106 #v3 diff --git a/.github/workflows/sonarcloud-analysis.yml b/.github/workflows/sonarcloud-analysis.yml index 13685985..baca12f9 100644 --- a/.github/workflows/sonarcloud-analysis.yml +++ b/.github/workflows/sonarcloud-analysis.yml @@ -14,96 +14,91 @@ jobs: runs-on: ubuntu-latest if: github.event.workflow_run.conclusion == 'success' timeout-minutes: 15 + permissions: + contents: read + actions: read + pull-requests: read steps: - - name: echo event - run: cat $GITHUB_EVENT_PATH - - name: Download PR number artifact - if: github.event.workflow_run.event == 'pull_request' - uses: dawidd6/action-download-artifact@v3 - with: - workflow: SonarCloud Build - run_id: ${{ github.event.workflow_run.id }} - name: PR_NUMBER - - name: Read PR_NUMBER.txt - if: github.event.workflow_run.event == 'pull_request' - id: pr_number - uses: juliangruber/read-file-action@v1 - with: - path: ./PR_NUMBER.txt - - name: Request GitHub API for PR data - if: github.event.workflow_run.event == 'pull_request' - uses: octokit/request-action@v2.x - id: get_pr_data - with: - route: GET /repos/{full_name}/pulls/{number} - number: ${{ steps.pr_number.outputs.content }} - full_name: ${{ github.event.repository.full_name }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/checkout@v4 - with: - repository: ${{ github.event.workflow_run.head_repository.full_name }} - ref: ${{ github.event.workflow_run.head_branch }} - fetch-depth: 0 - - name: Checkout base branch - if: github.event.workflow_run.event == 'pull_request' - run: | - git remote add upstream ${{ github.event.repository.clone_url }} - git fetch upstream - git checkout -B ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} upstream/${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} - git checkout ${{ github.event.workflow_run.head_branch }} - git clean -ffdx && git reset --hard HEAD - - name: Cache SonarCloud packages - uses: actions/cache@v4 - with: - path: ~/.sonar/cache - key: ${{ runner.os }}-sonar - restore-keys: ${{ runner.os }}-sonar - - name: Cache Maven packages - uses: actions/cache@v4 - with: - path: ~/.m2 - key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} - restore-keys: ${{ runner.os }}-m2 + - name: echo event + run: cat $GITHUB_EVENT_PATH + - name: Download PR number artifact + if: github.event.workflow_run.event == 'pull_request' + uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21 + with: + workflow: SonarCloud Build + run_id: ${{ github.event.workflow_run.id }} + name: PR_NUMBER + - name: Read PR_NUMBER.txt + if: github.event.workflow_run.event == 'pull_request' + id: pr_number + uses: juliangruber/read-file-action@271ff311a4947af354c6abcd696a306553b9ec18 # v1 + with: + path: ./PR_NUMBER.txt + - name: Request GitHub API for PR data + if: github.event.workflow_run.event == 'pull_request' + uses: octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae # v3.0.0 + id: get_pr_data + with: + route: GET /repos/{full_name}/pulls/{number} + number: ${{ steps.pr_number.outputs.content }} + full_name: ${{ github.event.repository.full_name }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + fetch-depth: 0 + - name: Download build artifacts + uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21 + with: + workflow: SonarCloud Build + run_id: ${{ github.event.workflow_run.id }} + name: build-artifacts + - name: Cache SonarCloud packages + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + with: + path: ~/.sonar/cache + key: ${{ runner.os }}-sonar + restore-keys: ${{ runner.os }}-sonar - - name: Set up JDK 17 - uses: actions/setup-java@v4 - with: - distribution: 'zulu' - java-version: '17' + - name: Set up JDK 17 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 + with: + distribution: 'zulu' + java-version: '17' + cache: 'maven' - - name: Set Common Sonar Variables - id: sonar_env - run: | - echo "##[set-output name=sonar_opts;]$(echo -Dsonar.host.url=https://sonarcloud.io \ - -Dsonar.projectKey=com-pas_compas-core \ - -Dsonar.organization=com-pas )" - - name: Create custom Maven Settings.xml - uses: whelk-io/maven-settings-xml-action@v22 - with: - output_file: custom_maven_settings.xml - servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]' - - name: Build and analyze (Pull Request) - if: ${{ github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target') }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - run: | - ./mvnw -B -s custom_maven_settings.xml -Psonar \ - ${{ steps.sonar_env.outputs.sonar_opts }} \ - -Dsonar.pullrequest.branch=${{ fromJson(steps.get_pr_data.outputs.data).head.ref }} \ - -Dsonar.pullrequest.key=${{ fromJson(steps.get_pr_data.outputs.data).number }} \ - -Dsonar.pullrequest.base=${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} \ - -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \ - clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar - - name: Build and analyze (Push) - if: ${{ github.event.workflow_run.event == 'push' }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - run: | - ./mvnw -B -s custom_maven_settings.xml -Psonar \ - ${{ steps.sonar_env.outputs.sonar_opts }} \ - -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \ - -Dsonar.branch.name=${{ github.event.workflow_run.head_branch }} \ - clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar + - name: Set Common Sonar Variables + id: sonar_env + run: | + echo "sonar_opts=-Dsonar.host.url=https://sonarcloud.io \ + -Dsonar.projectKey=com-pas_compas-core \ + -Dsonar.organization=com-pas" >> $GITHUB_OUTPUT + - name: Create custom Maven Settings.xml + uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d # v22 + with: + output_file: custom_maven_settings.xml + servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]' + - name: Build and analyze (Pull Request) + if: ${{ github.event.workflow_run.event == 'pull_request' }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + run: | + mvn -B -s custom_maven_settings.xml -Psonar \ + ${{ steps.sonar_env.outputs.sonar_opts }} \ + -Dsonar.pullrequest.branch=${{ fromJson(steps.get_pr_data.outputs.data).head.ref }} \ + -Dsonar.pullrequest.key=${{ fromJson(steps.get_pr_data.outputs.data).number }} \ + -Dsonar.pullrequest.base=${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} \ + -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \ + org.sonarsource.scanner.maven:sonar-maven-plugin:sonar + - name: Build and analyze (Push) + if: ${{ github.event.workflow_run.event == 'push' }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + run: | + mvn -B -s custom_maven_settings.xml -Psonar \ + ${{ steps.sonar_env.outputs.sonar_opts }} \ + -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \ + -Dsonar.branch.name=${{ github.event.workflow_run.head_branch }} \ + org.sonarsource.scanner.maven:sonar-maven-plugin:sonar diff --git a/.github/workflows/sonarcloud-build.yml b/.github/workflows/sonarcloud-build.yml index 25d4d8c8..b41aa974 100644 --- a/.github/workflows/sonarcloud-build.yml +++ b/.github/workflows/sonarcloud-build.yml @@ -12,66 +12,71 @@ on: branches: - 'main' - 'develop' - pull_request_target: - branches: - - 'main' - - 'develop' jobs: precheck-build: name: Pre Check Build runs-on: ubuntu-latest timeout-minutes: 30 + permissions: + contents: read - if: ${{ (github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]') || (github.actor == 'dependabot[bot]' && github.event_name == 'pull_request_target') }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 - name: Cache SonarCloud packages - uses: actions/cache@v4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: ~/.sonar/cache key: ${{ runner.os }}-sonar restore-keys: ${{ runner.os }}-sonar - - name: Cache Maven packages - uses: actions/cache@v4 - with: - path: ~/.m2 - key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} - restore-keys: ${{ runner.os }}-m2 - - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: distribution: 'zulu' java-version: '17' + cache: 'maven' - name: Create custom Maven Settings.xml - uses: whelk-io/maven-settings-xml-action@v22 + uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d # v22 with: output_file: custom_maven_settings.xml servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]' - - name: Build and analyze (Pull Request) - if: ${{ github.event_name == 'pull_request' || (github.actor == 'dependabot[bot]' && github.event_name == 'pull_request_target') }} + + - name: Build env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - ./mvnw -B -s custom_maven_settings.xml clean verify - - name: Build and analyze (Push) - if: ${{ github.event_name == 'push' }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - ./mvnw -B -s custom_maven_settings.xml clean verify + ./mvnw -B -s custom_maven_settings.xml -Psonar clean verify + - name: Upload build artifacts + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: build-artifacts + path: | + commons/src/ + commons/target/ + rest-commons/src/ + rest-commons/target/ + scl-extension/src/ + scl-extension/target/ + scl2003/src/ + scl2003/target/ + scl2007b/src/ + scl2007b/target/ + scl2007b4/src/ + scl2007b4/target/ + websocket-commons/src/ + websocket-commons/target/ + retention-days: 1 - name: Save PR number to file if: github.event_name == 'pull_request' - run: echo ${{ github.event.number }} > PR_NUMBER.txt + run: echo ${{ github.event.pull_request.number }} > PR_NUMBER.txt - name: Archive PR number if: github.event_name == 'pull_request' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: PR_NUMBER path: PR_NUMBER.txt