diff --git a/.github/actions/deploy-release/action.yml b/.github/actions/deploy-release/action.yml
deleted file mode 100644
index 1c97ab2..0000000
--- a/.github/actions/deploy-release/action.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-name: Deploy Release to Maven Central -description: "Deploys released artifacts to Maven Central repository." - -inputs: - user: - description: "The user used for the upload (technical user for maven central upload)" - required: true - password: - description: "The password used for the upload (technical user for maven central upload)" - required: true - pgp-pub-key: - description: "The public pgp key ID" - required: true - pgp-private-key: - description: "The private pgp key" - required: true - pgp-passphrase: - description: "The passphrase for pgp" - required: true - revision: - description: "The revision of cds-feature-auditlog-ng" - required: true - maven-version: - description: "The Maven version the build shall run with." - required: true - -runs: - using: composite - steps: - - name: Echo Inputs - run: | - echo "user: ${{ inputs.user }}" - echo "revision: ${{ inputs.revision }}" - shell: bash - - - name: Set up Java - uses: actions/setup-java@v4 - with: - distribution: sapmachine - java-version: '17' - cache: maven - server-id: central - server-username: MAVEN_CENTRAL_USER - server-password: MAVEN_CENTRAL_PASSWORD - - - name: Set up Maven ${{ inputs.maven-version }} - uses: stCarolas/setup-maven@v5 - with: - maven-version: ${{ inputs.maven-version }} - - - name: Import GPG Key - run: | - echo "${{ inputs.pgp-private-key }}" | gpg --batch --passphrase "$PASSPHRASE" --import - shell: bash - env: - PASSPHRASE: ${{ inputs.pgp-passphrase }} - - - name: Deploy to Maven Central - run: > - mvn -B -ntp --show-version - -Dmaven.install.skip=true - -Dmaven.test.skip=true - -Dgpg.passphrase="$GPG_PASSPHRASE" - -Dgpg.keyname="$GPG_PUB_KEY" - clean deploy -P deploy-release - shell: bash - env: - MAVEN_CENTRAL_USER: ${{ inputs.user }} - MAVEN_CENTRAL_PASSWORD: ${{ inputs.password }} - GPG_PASSPHRASE: ${{ inputs.pgp-passphrase }} - GPG_PUB_KEY: ${{ inputs.pgp-pub-key }}
diff --git a/.github/actions/scan-with-blackduck/action.yaml b/.github/actions/scan-with-blackduck/action.yaml
deleted file mode 100644
index 76be691..0000000
--- a/.github/actions/scan-with-blackduck/action.yaml
+++ /dev/null
@@ -1,54 +0,0 @@
-name: "Scan with BlackDuck" -description: "Scans the project with BlackDuck" - -inputs: - blackduck_token: - description: "The token to use for BlackDuck authentication" - required: true - github_token: - description: "The token to use for GitHub authentication" - required: true - java-version: - description: "The version of Java to use" - default: '17' - required: false - maven-version: - description: "The Maven version the build shall run with." - required: true - -runs: - using: composite - steps: - - name: Set up Java ${{ inputs.java-version }} - uses: actions/setup-java@v4 - with: - java-version: ${{ inputs.java-version }} - distribution: sapmachine - cache: maven - - - name: Setup Maven ${{ inputs.maven-version }} - uses: stCarolas/setup-maven@v5 - with: - maven-version: ${{ inputs.maven-version }} - - - name: Get Major Version - id: get-major-version - run: | - echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT - shell: bash - - - name: Print Version Number - run: echo "${{ steps.get-major-version.outputs.REVISION }}" - shell: bash - - - name: BlackDuck Scan - uses: SAP/project-piper-action@main - with: - step-name: detectExecuteScan - flags: \ - --githubToken=$GITHUB_token \ - --version=${{ steps.get-major-version.outputs.REVISION }} - env: - PIPER_token: ${{ inputs.blackduck_token }} - GITHUB_token: ${{ inputs.github_token }} - SCAN_MODE: FULL
diff --git a/.github/actions/scan-with-sonar/action.yaml b/.github/actions/scan-with-sonar/action.yaml
deleted file mode 100644
index 34522cf..0000000
--- a/.github/actions/scan-with-sonar/action.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-name: Scan with SonarQube -description: Scans the project with SonarQube - -inputs: - sonarq-token: - description: The token to use for SonarQube authentication - required: true - github-token: - description: The token to use for GitHub authentication - required: true - java-version: - description: The version of Java to use - required: true - maven-version: - description: The version of Maven to use - required: true - -runs: - using: composite - - steps: - - name: Set up Java ${{inputs.java-version}} - uses: actions/setup-java@v4 - with: - java-version: ${{inputs.java-version}} - distribution: sapmachine - cache: maven - - - name: Set up Maven ${{inputs.maven-version}} - uses: stCarolas/setup-maven@v5 - with: - maven-version: ${{inputs.maven-version}} - - - name: Get Revision - id: get-revision - run: | - echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT - shell: bash - - - name: Print Revision - run: echo "${{steps.get-revision.outputs.REVISION}}" - shell: bash - - - name: SonarQube Scan - uses: SAP/project-piper-action@main - with: - step-name: sonarExecuteScan - flags: --token=${{inputs.sonarq-token}} --githubToken=${{inputs.github-token}} --version=${{steps.get-revision.outputs.REVISION}} --inferJavaBinaries=true
diff --git a/.github/workflows/main-build-and-deploy-oss.yml b/.github/workflows/main-build-and-deploy-oss.yml
index 275e6f7..efd1bd8 100644
--- a/.github/workflows/main-build-and-deploy-oss.yml
+++ b/.github/workflows/main-build-and-deploy-oss.yml
@@ -2,26 +2,50 @@ name: Deploy to Maven Central env: JAVA_VERSION: '17' - MAVEN_VERSION: '3.6.3' + MAVEN_VERSION: '3.9.15' on: release: types: [ "released" ] jobs: - #blackduck: - # name: Blackduck Scan - # runs-on: ubuntu-latest - # timeout-minutes: 15 - # steps: - # - name: Checkout - # uses: actions/checkout@v6 - # - name: Scan With Black Duck - # uses: ./.github/actions/scan-with-blackduck - # with: - # blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }} - # github_token: ${{ secrets.GITHUB_TOKEN }} - # maven-version: ${{ env.MAVEN_VERSION }} + blackduck: + name: Blackduck Scan + runs-on: ubuntu-latest + timeout-minutes: 30 + permissions: + contents: read + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - name: Scan With Black Duck + uses: cap-java/.github/actions/scan-with-blackduck@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main + with: + blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }} + maven-version: ${{ env.MAVEN_VERSION }} + project-name: com.sap.cds.feature.auditlog-ng + included-modules: cds-feature-auditlog-ng + scan_mode: FULL + codeql: + name: CodeQL Scan + runs-on: ubuntu-latest + timeout-minutes: 60 + permissions: + contents: read + actions: read + security-events: write + packages: read + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + + - name: Scan With CodeQL + uses: cap-java/.github/actions/scan-with-codeql@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main + with: + maven-version: ${{ env.MAVEN_VERSION }} + java-version: ${{ env.JAVA_VERSION }} + language: java-kotlin + queries: security-extended # update-version: # name: Update Version
@@ -43,6 +67,7 @@ jobs: # path: . # include-hidden-files: true # retention-days: 1 + requires-approval: runs-on: ubuntu-latest name: "Waiting for release approval"
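Review bot: Neither this workflow nor main-build.yml (its hunk @@ -34) gains a workflow-level `permissions` block — the hunk shows `env:` directly after `name:` — so only the new `blackduck` and `codeql` jobs run with a declared token scope, while `build`, `requires-approval` and `deploy` keep the repository's default `GITHUB_TOKEN` permissions. The pull-request workflow in this same commit sets a top-level default; the release workflow deserves the same, `permissions:` / `  contents: read` at the top, with `codeql` widening to `security-events: write` as it already does. The `github_token` input that the deleted local action required is no longer passed to the shared `scan-with-blackduck` action; if it falls back to `github.token` that is fine, otherwise the FULL scan fails, and on this `release` trigger that would surface only during a release. The `jobs` mapping continues past the end of the hunk.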
@@ -66,12 +91,12 @@ jobs: - name: Checkout uses: actions/checkout@v6 - name: Build - uses: ./.github/actions/build + uses: cap-java/cds-feature-auditlog-ng/.github/actions/build@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main with: java-version: ${{ env.JAVA_VERSION }} maven-version: ${{ env.MAVEN_VERSION }} #- name: Sonar Scan - # uses: ./.github/actions/scan-with-sonar + # uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-sonar@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main # with: # java-version: ${{ env.JAVA_VERSION }} # maven-version: ${{ env.MAVEN_VERSION }}
@@ -97,13 +122,13 @@ jobs: with: name: root-build - name: Deploy - uses: ./.github/actions/deploy-release + uses: cap-java/.github/actions/deploy-release@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main with: user: ${{ secrets.CAP_JAVA_CDS_FEATURE_AUDITLOG_NG_USER }} password: ${{ secrets.CAP_JAVA_CDS_FEATURE_AUDITLOG_NG_PASS }} - pgp-pub-key: ${{ secrets.PGP_PUBKEY_ID }} - pgp-private-key: ${{ secrets.PGP_PRIVATE_KEY }} - pgp-passphrase: ${{ secrets.PGP_PASSPHRASE }} + gpg-pub-key: ${{ secrets.PGP_PUBKEY_ID }} + gpg-private-key: ${{ secrets.PGP_PRIVATE_KEY }} + gpg-passphrase: ${{ secrets.PGP_PASSPHRASE }} revision: ${{ github.event.release.tag_name }} maven-version: ${{ env.MAVEN_VERSION }} - name: Echo Status
diff --git a/.github/workflows/main-build.yml b/.github/workflows/main-build.yml
index a5fa86c..889c472 100644
--- a/.github/workflows/main-build.yml
+++ b/.github/workflows/main-build.yml
@@ -2,7 +2,7 @@ name: Main build and deploy env: JAVA_VERSION: '17' - MAVEN_VERSION: '3.6.3' + MAVEN_VERSION: '3.9.15' on: push:
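Review bot: The same commit id `296573b55e906f5c77a1855bcfe4285cbbc5cac4` is used for `cap-java/cds-feature-auditlog-ng/.github/actions/build@…` in the first hunk and for `cap-java/.github/actions/deploy-release@…` in the second; a commit SHA belongs to one repository, so unless one of the two contains the other's history, one of these `uses:` references cannot resolve and the job fails before it starts — the identical `# main` comment on both suggests the value was copied rather than resolved per repository. The same pairing recurs in main-build.yml (hunks @@ -2 and @@ -20) and pull-request-build.yml (hunks @@ -1 and @@ -21). Referring to this repository's own action by remote path and fixed SHA also means a change to `.github/actions/build` is never exercised by the commit that makes it; `./.github/actions/build` runs the checked-out revision, which is the usual form for same-repo actions. The `actions/checkout@v6` lines left in these jobs are tag-pinned while the new jobs pin checkout by SHA; pinning consistently leaves no mutable reference in the file. Both job definitions extend beyond the hunk boundaries.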
@@ -20,13 +20,13 @@ jobs: uses: actions/checkout@v6 - name: Build - uses: ./.github/actions/build + uses: cap-java/cds-feature-auditlog-ng/.github/actions/build@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main with: java-version: ${{ matrix.java-version }} maven-version: ${{ env.MAVEN_VERSION }} #- name: SonarQube Scan - # uses: ./.github/actions/scan-with-sonar + # uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-sonar@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main # if: ${{ matrix.java-version == 17 }} # with: # java-version: ${{ matrix.java-version }} 
@@ -34,19 +34,44 @@ jobs: # sonarq-token: ${{ secrets.SONARQ_TOKEN }} # github-token: ${{ secrets.GITHUB_TOKEN }} - # scan: - # name: Blackduck Scan - # runs-on: ubuntu-latest - # timeout-minutes: 15 - # steps: - # - name: Checkout - # uses: actions/checkout@v6 - # - name: Scan - # uses: ./.github/actions/scan-with-blackduck - # with: - # blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }} - # github_token: ${{ secrets.GITHUB_TOKEN }} - # maven-version: ${{ env.MAVEN_VERSION }} + blackduck: + name: Blackduck Scan + runs-on: ubuntu-latest + timeout-minutes: 30 + permissions: + contents: read + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + + - name: Scan With Black Duck + uses: cap-java/.github/actions/scan-with-blackduck@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main + with: + blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }} + maven-version: ${{ env.MAVEN_VERSION }} + project-name: com.sap.cds.feature.auditlog-ng + included-modules: cds-feature-auditlog-ng + scan_mode: FULL + codeql: + name: CodeQL Scan + runs-on: ubuntu-latest + timeout-minutes: 60 + permissions: + contents: read + actions: read + security-events: write + packages: read + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + + - name: Scan With CodeQL + uses: cap-java/.github/actions/scan-with-codeql@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main + with: + maven-version: ${{ env.MAVEN_VERSION }} + java-version: ${{ env.JAVA_VERSION }} + language: java-kotlin + queries: security-extended deploy-snapshot: name: Deploy snapshot to Artifactory
diff --git a/.github/workflows/pull-request-build.yml b/.github/workflows/pull-request-build.yml
index 2c6ea53..7943f1f 100644
--- a/.github/workflows/pull-request-build.yml
+++ b/.github/workflows/pull-request-build.yml
@@ -1,13 +1,41 @@
 name: Pull Request Voter +permissions: + actions: read + contents: read + packages: read + security-events: write + env: - MAVEN_VERSION: '3.6.3' + MAVEN_VERSION: '3.9.15' on: + workflow_dispatch: pull_request: branches: [ "main" ] + types: [reopened, synchronize, opened] jobs: + blackduck: + name: Blackduck Scan + runs-on: ubuntu-latest + timeout-minutes: 30 + permissions: + contents: read + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + + - name: Scan With Black Duck + uses: cap-java/.github/actions/scan-with-blackduck@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main + with: + blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }} + maven-version: ${{ env.MAVEN_VERSION }} + project-name: com.sap.cds.feature.auditlog-ng + included-modules: cds-feature-auditlog-ng + scan_mode: RAPID + rapid_compare_mode: BOM_COMPARE # PRs might only be blocked by things they introduce, not by pre-existing issues that could have appeared in the main branch in the meantime + build: runs-on: ubuntu-latest
@@ -21,13 +49,13 @@ jobs: uses: actions/checkout@v6 - name: Build - uses: ./.github/actions/build + uses: cap-java/cds-feature-auditlog-ng/.github/actions/build@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main with: java-version: ${{ matrix.java-version }} maven-version: ${{ env.MAVEN_VERSION }} #- name: SonarQube Scan - # uses: ./.github/actions/scan-with-sonar + # uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-sonar@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main # if: ${{ matrix.java-version == 17 }} # with: # java-version: ${{ matrix.java-version }}
diff --git a/.pipeline/config.yml b/.pipeline/config.yml
index 9881379..528f6b8 100644
--- a/.pipeline/config.yml
+++ b/.pipeline/config.yml
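Review bot: The new workflow-level `permissions` block grants `security-events: write` and `packages: read` to every job in this file, yet no job in the hunk uploads SARIF — the only added job, `blackduck`, immediately narrows itself to `contents: read`, and `build` (hunk @@ -21) declares no permissions and so inherits the wider set. Keep the workflow default at `permissions:` / `  contents: read` and put `security-events: write` and `packages: read` on the job that needs them, should a CodeQL job be added here as in the other two workflows. On `pull_request` events from a fork, `secrets.BLACK_DUCK_TOKEN` is empty, so the RAPID scan step will fail rather than skip for external contributors; if that is not wanted, gate the job with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. The trailing comment on `rapid_compare_mode` runs well past any line-length limit and reads better as a comment line above the key.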
@@ -21,7 +21,7 @@ steps: verbose: true scanProperties: - --detect.included.detector.types=MAVEN - - --detect.excluded.directories='**/node_modules,**/*test*,**/localrepo,**/target/site,**/*-site.jar' + - --detect.excluded.directories='**/node_modules,**/*test*,**/target/site' - --detect.maven.build.command='-pl com.sap.cds:cds-feature-auditlog-ng' # https://www.project-piper.io/steps/detectExecuteScan/#dockerimage # If empty, Docker is not used and the command is executed directly on the Jenkins system.
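Review bot: Dropping `**/localrepo` and `**/*-site.jar` from `--detect.excluded.directories` widens the Black Duck scan scope, and if the shared `scan-with-blackduck` action used by the three GitHub workflows still runs piper's detectExecuteScan against this `.pipeline/config.yml`, the widening applies to all of them at once. Confirm that a `localrepo` directory is no longer created during the build; if it still is, Detect will pick up the resolved dependency jars there as if they were project artifacts and inflate the BOM. A one-line comment above the key stating why the two patterns were removed, e.g. `# localrepo and *-site.jar are no longer produced by the build`, would keep the next reviewer from re-adding them.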