From bcd0e711811456c8fffc67bfd5f19566ac3760f7 Mon Sep 17 00:00:00 2001 From: Lisa Julia Nebel Date: Tue, 12 May 2026 19:51:41 +0200 Subject: [PATCH 1/6] Add blackduck and codeql scans --- .../actions/scan-with-blackduck/action.yaml | 44 ++++++++++------- .github/actions/scan-with-codeql/action.yml | 49 +++++++++++++++++++ .../workflows/main-build-and-deploy-oss.yml | 43 +++++++++++----- .github/workflows/main-build.yml | 42 +++++++++++----- 4 files changed, 134 insertions(+), 44 deletions(-) create mode 100644 .github/actions/scan-with-codeql/action.yml diff --git a/.github/actions/scan-with-blackduck/action.yaml b/.github/actions/scan-with-blackduck/action.yaml index 76be691..865e9cc 100644 --- a/.github/actions/scan-with-blackduck/action.yaml +++ b/.github/actions/scan-with-blackduck/action.yaml 
@@ -15,40 +15,48 @@ inputs: maven-version: description: "The Maven version the build shall run with." required: true + scan_mode: + description: The scan mode to use (FULL or RAPID) + default: 'RAPID' + required: false runs: using: composite steps: - name: Set up Java ${{ inputs.java-version }} - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: ${{ inputs.java-version }} distribution: sapmachine cache: maven - - name: Setup Maven ${{ inputs.maven-version }} - uses: stCarolas/setup-maven@v5 + - name: Set up Maven ${{ inputs.maven-version }} + uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5 with: maven-version: ${{ inputs.maven-version }} - - name: Get Major Version - id: get-major-version + - name: Get Revision + id: get-revision run: | echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT shell: bash - - name: Print Version Number - run: echo "${{ steps.get-major-version.outputs.REVISION }}" - shell: bash - - - name: BlackDuck Scan - uses: SAP/project-piper-action@main + - name: BlackDuck Security Scan + uses: blackduck-inc/black-duck-security-scan@659a0742e793a093377fab3117b0d90f23b04bfa # v2.9.0 with: - step-name: detectExecuteScan - flags: \ - --githubToken=$GITHUB_token \ - --version=${{ steps.get-major-version.outputs.REVISION }} + blackducksca_url: https://sap.blackducksoftware.com/ + blackducksca_token: ${{ inputs.blackduck_token }} + blackducksca_scan_full: ${{ inputs.scan_mode == 'FULL' }} + github_token: ${{ inputs.github_token }} + detect_args: > + --detect.project.name=com.sap.cds.feature.auditlog-ng + --detect.project.version.name=${{ steps.get-revision.outputs.REVISION }} + --detect.included.detector.types=MAVEN + --detect.excluded.directories=**/node_modules,**/*test*,**/localrepo,**/target/site,**/*-site.jar,**/samples/** + --detect.tools=DETECTOR,BINARY_SCAN + --detect.risk.report.pdf=false + 
--logging.level.detect=INFO env: - PIPER_token: ${{ inputs.blackduck_token }} - GITHUB_token: ${{ inputs.github_token }} - SCAN_MODE: FULL + BLACKDUCKSCA_TOKEN: ${{ inputs.blackduck_token }} + BLACKDUCKSCA_URL: https://sap.blackducksoftware.com/ + BLACKDUCK_API_TOKEN: ${{ inputs.blackduck_token }} diff --git a/.github/actions/scan-with-codeql/action.yml b/.github/actions/scan-with-codeql/action.yml new file mode 100644 index 0000000..bdaca32 --- /dev/null +++ b/.github/actions/scan-with-codeql/action.yml @@ -0,0 +1,49 @@ +name: Scan with CodeQL +description: Scans the project with CodeQL + +inputs: + java-version: + description: The Java version to use for the build. + required: true + maven-version: + description: The Maven version to use for the build. + required: true + +runs: + using: composite + steps: + - name: Set up Java ${{ inputs.java-version }} + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 + with: + java-version: ${{ inputs.java-version }} + distribution: sapmachine + cache: maven + + - name: Set up Maven ${{ inputs.maven-version }} + uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5 + with: + maven-version: ${{ inputs.maven-version }} + + - name: Initialize CodeQL + uses: github/codeql-action/init@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4 + with: + languages: java-kotlin + build-mode: manual + queries: security-extended + + - name: Install @sap/cds-dk + run: npm i -g @sap/cds-dk + shell: bash + + - name: Install npm dependencies + run: npm install + shell: bash + + - name: Build Java code + run: mvn clean compile -B -ntp -Dcds.install-node.skip + shell: bash + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4 + with: + category: "/language:java-kotlin" diff --git a/.github/workflows/main-build-and-deploy-oss.yml b/.github/workflows/main-build-and-deploy-oss.yml index 7d90b69..0050d2a 100644 
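Review bot: The `Get Revision` step in the scan-with-blackduck hunk cannot fail: the exit status of `mvn help:evaluate` is swallowed by the `$(...)` inside `echo`, so a broken build or a missing `revision` property still writes `REVISION=` and the Black Duck step then runs with an empty `--detect.project.version.name`, most likely filing results under the wrong project version. Resolve the value first, refuse an empty result, and only then write the output; the shell options also stop the step on any unexpected error instead of continuing. The step's enclosing `runs.steps` list continues past the hunk, but this change is local to the one step.
```yaml
- name: Get Revision
  id: get-revision
  run: |
    set -euo pipefail
    rev="$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)"
    [ -n "$rev" ] || { echo "could not resolve 'revision' from the POM" >&2; exit 1; }
    echo "REVISION=$rev" >> "$GITHUB_OUTPUT"
  shell: bash
```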
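Review bot: The `Install @sap/cds-dk` step in the new scan-with-codeql action runs `npm i -g @sap/cds-dk` with no version, so the toolchain the CodeQL build compiles against is whatever the registry serves at scan time, the one unpinned fetch in a commit that otherwise pins every action to a SHA. Pin it to the version the project is known to build with, e.g. `run: npm i -g @sap/cds-dk@<version the build uses>`, and bump it deliberately like the action SHAs; that also keeps CodeQL results comparable between runs. If the repository carries a package.json/lockfile naming cds-dk, reading the version from there would be better still, but that file is not visible here.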
--- a/.github/workflows/main-build-and-deploy-oss.yml +++ b/.github/workflows/main-build-and-deploy-oss.yml @@ -9,20 +9,37 @@ on: types: [ "released" ] jobs: - #blackduck: - # name: Blackduck Scan - # runs-on: ubuntu-latest - # timeout-minutes: 15 - # steps: - # - name: Checkout - # uses: actions/checkout@v6 - # - name: Scan With Black Duck - # uses: ./.github/actions/scan-with-blackduck - # with: - # blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }} - # github_token: ${{ secrets.GITHUB_TOKEN }} - # maven-version: ${{ env.MAVEN_VERSION }} + blackduck: + name: Blackduck Scan + runs-on: ubuntu-latest + timeout-minutes: 30 + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - name: Scan With Black Duck + uses: ./.github/actions/scan-with-blackduck + with: + blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }} + github_token: ${{ secrets.GITHUB_TOKEN }} + maven-version: ${{ env.MAVEN_VERSION }} + scan_mode: RAPID + + codeql: + name: CodeQL Scan + runs-on: ubuntu-latest + timeout-minutes: 60 + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + + - name: Scan With CodeQL + continue-on-error: true + uses: ./.github/actions/scan-with-codeql + with: + maven-version: ${{ env.MAVEN_VERSION }} + java-version: ${{ env.JAVA_VERSION }} + update-version: name: Update Version runs-on: ubuntu-latest diff --git a/.github/workflows/main-build.yml b/.github/workflows/main-build.yml index a5fa86c..4fdf9bd 100644 --- a/.github/workflows/main-build.yml +++ b/.github/workflows/main-build.yml 
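Review bot: The `blackduck` and `codeql` jobs added to main-build-and-deploy-oss.yml gate nothing in this hunk: no job lists them in `needs:`, and the `deploy` job's `needs:` is outside the hunk, so unless it was updated elsewhere the release is published regardless of whether the scans pass or even finish. If the scans are meant to be release gates, add them to the deploy job's dependencies, e.g. `needs: [build, blackduck, codeql]` alongside whatever it already lists; note that as long as `continue-on-error: true` stays on the CodeQL step the job is green even when analysis fails, so it cannot block anything even when listed. If they are intentionally advisory, a one-line comment on the jobs saying so (`# advisory: does not gate the release`) would stop the next reader from assuming otherwise.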
@@ -34,19 +34,35 @@ jobs: # sonarq-token: ${{ secrets.SONARQ_TOKEN }} # github-token: ${{ secrets.GITHUB_TOKEN }} - # scan: - # name: Blackduck Scan - # runs-on: ubuntu-latest - # timeout-minutes: 15 - # steps: - # - name: Checkout - # uses: actions/checkout@v6 - # - name: Scan - # uses: ./.github/actions/scan-with-blackduck - # with: - # blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }} - # github_token: ${{ secrets.GITHUB_TOKEN }} - # maven-version: ${{ env.MAVEN_VERSION }} + blackduck: + name: Blackduck Scan + runs-on: ubuntu-latest + timeout-minutes: 30 + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + + - name: Scan With Black Duck + uses: ./.github/actions/scan-with-blackduck + with: + blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }} + github_token: ${{ secrets.GITHUB_TOKEN }} + maven-version: ${{ env.MAVEN_VERSION }} + scan_mode: RAPID + codeql: + name: CodeQL Scan + runs-on: ubuntu-latest + timeout-minutes: 60 + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + + - name: Scan With CodeQL + continue-on-error: true + uses: ./.github/actions/scan-with-codeql + with: + maven-version: ${{ env.MAVEN_VERSION }} + java-version: ${{ env.JAVA_VERSION }} deploy-snapshot: name: Deploy snapshot to Artifactory From 02e4ade4e14b606da15b55111bcaec249cf3f073 Mon Sep 17 00:00:00 2001 From: Lisa Julia Nebel Date: Tue, 12 May 2026 19:52:06 +0200 Subject: [PATCH 2/6] Update mvn version --- .github/actions/scan-with-codeql/action.yml | 4 ---- .github/workflows/main-build-and-deploy-oss.yml | 2 +- .github/workflows/main-build.yml | 2 +- .github/workflows/pull-request-build.yml | 2 +- 4 files changed, 3 insertions(+), 7 deletions(-) diff --git a/.github/actions/scan-with-codeql/action.yml b/.github/actions/scan-with-codeql/action.yml index bdaca32..88e7f91 100644 --- a/.github/actions/scan-with-codeql/action.yml +++ b/.github/actions/scan-with-codeql/action.yml 
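Review bot: The same gap exists in main-build.yml: `blackduck` and `codeql` run in parallel with `build`, and the `deploy-snapshot` job that follows (its `needs:` is outside the hunk) does not depend on them here, so a snapshot can be pushed to Artifactory with open scan findings. If that is not intended, add `needs: [build, blackduck]` (and `codeql` once its `continue-on-error: true` is dropped) to `deploy-snapshot`, otherwise document in a comment that the scans are advisory on `main`. Small style point: unlike the other workflow, there is no blank line between `scan_mode: RAPID` and `codeql:` in this hunk.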
@@ -35,10 +35,6 @@ runs: run: npm i -g @sap/cds-dk shell: bash - - name: Install npm dependencies - run: npm install - shell: bash - - name: Build Java code run: mvn clean compile -B -ntp -Dcds.install-node.skip shell: bash diff --git a/.github/workflows/main-build-and-deploy-oss.yml b/.github/workflows/main-build-and-deploy-oss.yml index 0050d2a..473d900 100644 --- a/.github/workflows/main-build-and-deploy-oss.yml +++ b/.github/workflows/main-build-and-deploy-oss.yml @@ -2,7 +2,7 @@ name: Deploy to Maven Central env: JAVA_VERSION: '17' - MAVEN_VERSION: '3.6.3' + MAVEN_VERSION: '3.9.15' on: release: diff --git a/.github/workflows/main-build.yml b/.github/workflows/main-build.yml index 4fdf9bd..7725c2c 100644 --- a/.github/workflows/main-build.yml +++ b/.github/workflows/main-build.yml @@ -2,7 +2,7 @@ name: Main build and deploy env: JAVA_VERSION: '17' - MAVEN_VERSION: '3.6.3' + MAVEN_VERSION: '3.9.15' on: push: diff --git a/.github/workflows/pull-request-build.yml b/.github/workflows/pull-request-build.yml index 2c6ea53..86e05a9 100644 --- a/.github/workflows/pull-request-build.yml +++ b/.github/workflows/pull-request-build.yml @@ -1,7 +1,7 @@ name: Pull Request Voter env: - MAVEN_VERSION: '3.6.3' + MAVEN_VERSION: '3.9.15' on: pull_request: From 6e1aee8e27116865d4352fe81fb7c461671d9238 Mon Sep 17 00:00:00 2001 From: Lisa Julia Nebel Date: Tue, 26 May 2026 19:24:03 +0200 Subject: [PATCH 3/6] Clean up config.yml and scan-with-blackduck/action.yml --- .github/actions/scan-with-blackduck/action.yaml | 3 +-- .pipeline/config.yml | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/actions/scan-with-blackduck/action.yaml b/.github/actions/scan-with-blackduck/action.yaml index 865e9cc..b8ab894 100644 --- a/.github/actions/scan-with-blackduck/action.yaml +++ b/.github/actions/scan-with-blackduck/action.yaml 
@@ -47,12 +47,11 @@ runs: blackducksca_url: https://sap.blackducksoftware.com/ blackducksca_token: ${{ inputs.blackduck_token }} blackducksca_scan_full: ${{ inputs.scan_mode == 'FULL' }} - github_token: ${{ inputs.github_token }} detect_args: > --detect.project.name=com.sap.cds.feature.auditlog-ng --detect.project.version.name=${{ steps.get-revision.outputs.REVISION }} --detect.included.detector.types=MAVEN - --detect.excluded.directories=**/node_modules,**/*test*,**/localrepo,**/target/site,**/*-site.jar,**/samples/** + --detect.excluded.directories=**/node_modules,**/*test*,**/target/site --detect.tools=DETECTOR,BINARY_SCAN --detect.risk.report.pdf=false --logging.level.detect=INFO diff --git a/.pipeline/config.yml b/.pipeline/config.yml index 9881379..528f6b8 100644 --- a/.pipeline/config.yml +++ b/.pipeline/config.yml @@ -21,7 +21,7 @@ steps: verbose: true scanProperties: - --detect.included.detector.types=MAVEN - - --detect.excluded.directories='**/node_modules,**/*test*,**/localrepo,**/target/site,**/*-site.jar' + - --detect.excluded.directories='**/node_modules,**/*test*,**/target/site' - --detect.maven.build.command='-pl com.sap.cds:cds-feature-auditlog-ng' # https://www.project-piper.io/steps/detectExecuteScan/#dockerimage # If empty, Docker is not used and the command is executed directly on the Jenkins system. From 214d5f98a00513011e3ed0415d27d14e583f73ee Mon Sep 17 00:00:00 2001 From: Lisa Julia Nebel Date: Tue, 26 May 2026 19:28:27 +0200 Subject: [PATCH 4/6] Change action call to org/repo/path/to/file@main --- .github/workflows/main-build-and-deploy-oss.yml | 12 ++++++------ .github/workflows/main-build.yml | 8 ++++---- .github/workflows/pull-request-build.yml | 4 ++-- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/main-build-and-deploy-oss.yml b/.github/workflows/main-build-and-deploy-oss.yml index 473d900..848807b 100644 --- a/.github/workflows/main-build-and-deploy-oss.yml 
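Review bot: After dropping `github_token` from the Black Duck step's `with:`, `inputs.github_token` is no longer read anywhere visible in this action, yet the calling workflows still pass `github_token: ${{ secrets.GITHUB_TOKEN }}` into it, so a token is handed to a composite action that has no use for it. If the `github_token` input is still declared above this hunk, remove it, and drop the `github_token:` lines from the three workflow call sites so the token is only exposed where it is needed. On the exclusion line, `**/*test*` matches any path component containing "test" (a module named `latest` would be skipped too); if only test source roots are meant, `**/src/test/**` is the tighter pattern, though the module layout is not visible here.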
+++ b/.github/workflows/main-build-and-deploy-oss.yml @@ -18,7 +18,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Scan With Black Duck - uses: ./.github/actions/scan-with-blackduck + uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-blackduck@main with: blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }} github_token: ${{ secrets.GITHUB_TOKEN }} @@ -35,7 +35,7 @@ jobs: - name: Scan With CodeQL continue-on-error: true - uses: ./.github/actions/scan-with-codeql + uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-codeql@main with: maven-version: ${{ env.MAVEN_VERSION }} java-version: ${{ env.JAVA_VERSION }} @@ -49,7 +49,7 @@ jobs: with: token: ${{ secrets.GH_TOKEN }} - name: Update version - uses: ./.github/actions/newrelease + uses: cap-java/cds-feature-auditlog-ng/.github/actions/newrelease@main with: java-version: ${{ env.JAVA_VERSION }} maven-version: ${{ env.MAVEN_VERSION }} @@ -72,12 +72,12 @@ jobs: with: name: root-new-version - name: Build - uses: ./.github/actions/build + uses: cap-java/cds-feature-auditlog-ng/.github/actions/build@main with: java-version: ${{ env.JAVA_VERSION }} maven-version: ${{ env.MAVEN_VERSION }} #- name: Sonar Scan - # uses: ./.github/actions/scan-with-sonar + # uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-sonar@main # with: # java-version: ${{ env.JAVA_VERSION }} # maven-version: ${{ env.MAVEN_VERSION }} @@ -102,7 +102,7 @@ jobs: with: name: root-build - name: Deploy - uses: ./.github/actions/deploy-release + uses: cap-java/cds-feature-auditlog-ng/.github/actions/deploy-release@main with: user: ${{ secrets.CENTRAL_REPOSITORY_USER }} password: ${{ secrets.CENTRAL_REPOSITORY_PASS }} diff --git a/.github/workflows/main-build.yml b/.github/workflows/main-build.yml index 7725c2c..77f3807 100644 --- a/.github/workflows/main-build.yml +++ b/.github/workflows/main-build.yml 
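Review bot: Replacing `./.github/actions/deploy-release` with `cap-java/cds-feature-auditlog-ng/.github/actions/deploy-release@main` turns a reference to the checked-out commit into a mutable branch ref: the release job now runs whatever `main` holds at publish time rather than the revision being released, and the same applies to the `build`, `newrelease` and scan references in this hunk. For actions that live in this repository the local path is the safer form, since it runs the action at the commit the workflow already checked out and a branch that changes an action is exercised with its own change; if the remote form is needed, pin it to a full SHA like the third-party actions in the same file, e.g. `uses: cap-java/cds-feature-auditlog-ng/.github/actions/deploy-release@<sha> # <tag>`. This matters most for deploy-release because that step receives the Maven Central credentials and the PGP signing key.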
@@ -20,13 +20,13 @@ jobs: uses: actions/checkout@v6 - name: Build - uses: ./.github/actions/build + uses: cap-java/cds-feature-auditlog-ng/.github/actions/build@main with: java-version: ${{ matrix.java-version }} maven-version: ${{ env.MAVEN_VERSION }} #- name: SonarQube Scan - # uses: ./.github/actions/scan-with-sonar + # uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-sonar@main # if: ${{ matrix.java-version == 17 }} # with: # java-version: ${{ matrix.java-version }} @@ -43,7 +43,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Scan With Black Duck - uses: ./.github/actions/scan-with-blackduck + uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-blackduck@main with: blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }} github_token: ${{ secrets.GITHUB_TOKEN }} @@ -59,7 +59,7 @@ jobs: - name: Scan With CodeQL continue-on-error: true - uses: ./.github/actions/scan-with-codeql + uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-codeql@main with: maven-version: ${{ env.MAVEN_VERSION }} java-version: ${{ env.JAVA_VERSION }} diff --git a/.github/workflows/pull-request-build.yml b/.github/workflows/pull-request-build.yml index 86e05a9..18be552 100644 --- a/.github/workflows/pull-request-build.yml +++ b/.github/workflows/pull-request-build.yml @@ -21,13 +21,13 @@ jobs: uses: actions/checkout@v6 - name: Build - uses: ./.github/actions/build + uses: cap-java/cds-feature-auditlog-ng/.github/actions/build@main with: java-version: ${{ matrix.java-version }} maven-version: ${{ env.MAVEN_VERSION }} #- name: SonarQube Scan - # uses: ./.github/actions/scan-with-sonar + # uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-sonar@main # if: ${{ matrix.java-version == 17 }} # with: # java-version: ${{ matrix.java-version }} From 812dfa72ae3682f2d5525428a206dcce7e163dba Mon Sep 17 00:00:00 2001 
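Review bot: In pull-request-build.yml the `Build` step now uses `cap-java/cds-feature-auditlog-ng/.github/actions/build@main`, so a pull request that modifies `.github/actions/build` is validated against main's copy of the action rather than its own, and the PR voter can pass while the action it ships is broken. Keep `uses: ./.github/actions/build` for same-repo actions in the PR and main-build workflows. Visible in the same hunks, though not changed by this commit: the `build` jobs still check out with `actions/checkout@v6` while the scan jobs in these files pin checkout to a SHA; aligning them on `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6` would make the pinning consistent.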
From: Lisa Julia Nebel Date: Tue, 26 May 2026 19:30:53 +0200 Subject: [PATCH 5/6] Remove unused env --- .github/actions/scan-with-blackduck/action.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/actions/scan-with-blackduck/action.yaml b/.github/actions/scan-with-blackduck/action.yaml index b8ab894..f8bcb42 100644 --- a/.github/actions/scan-with-blackduck/action.yaml +++ b/.github/actions/scan-with-blackduck/action.yaml @@ -55,7 +55,3 @@ runs: --detect.tools=DETECTOR,BINARY_SCAN --detect.risk.report.pdf=false --logging.level.detect=INFO - env: - BLACKDUCKSCA_TOKEN: ${{ inputs.blackduck_token }} - BLACKDUCKSCA_URL: https://sap.blackducksoftware.com/ - BLACKDUCK_API_TOKEN: ${{ inputs.blackduck_token }} From 6772225c5f0da0a635f9cb90004b9c0f0650ffb5 Mon Sep 17 00:00:00 2001 From: Lisa Julia Nebel Date: Mon, 1 Jun 2026 14:57:55 +0200 Subject: [PATCH 6/6] Use workflows from https://github.com/cap-java/.github --- .github/actions/deploy-release/action.yml | 71 ------------------- .../actions/scan-with-blackduck/action.yaml | 54 -------------- .github/actions/scan-with-codeql/action.yml | 45 ------------ .github/actions/scan-with-sonar/action.yaml | 48 ------------- .../workflows/main-build-and-deploy-oss.yml | 30 +++++--- .github/workflows/main-build.yml | 23 ++++-- .github/workflows/pull-request-build.yml | 32 ++++++++- 7 files changed, 66 insertions(+), 237 deletions(-) delete mode 100644 .github/actions/deploy-release/action.yml delete mode 100644 .github/actions/scan-with-blackduck/action.yaml delete mode 100644 .github/actions/scan-with-codeql/action.yml delete mode 100644 .github/actions/scan-with-sonar/action.yaml diff --git a/.github/actions/deploy-release/action.yml b/.github/actions/deploy-release/action.yml deleted file mode 100644 index 1c97ab2..0000000 --- a/.github/actions/deploy-release/action.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -name: Deploy Release to Maven Central -description: "Deploys released artifacts to Maven Central repository." - -inputs: - user: - description: "The user used for the upload (technical user for maven central upload)" - required: true - password: - description: "The password used for the upload (technical user for maven central upload)" - required: true - pgp-pub-key: - description: "The public pgp key ID" - required: true - pgp-private-key: - description: "The private pgp key" - required: true - pgp-passphrase: - description: "The passphrase for pgp" - required: true - revision: - description: "The revision of cds-feature-auditlog-ng" - required: true - maven-version: - description: "The Maven version the build shall run with." - required: true - -runs: - using: composite - steps: - - name: Echo Inputs - run: | - echo "user: ${{ inputs.user }}" - echo "revision: ${{ inputs.revision }}" - shell: bash - - - name: Set up Java - uses: actions/setup-java@v4 - with: - distribution: sapmachine - java-version: '17' - cache: maven - server-id: central - server-username: MAVEN_CENTRAL_USER - server-password: MAVEN_CENTRAL_PASSWORD - - - name: Set up Maven ${{ inputs.maven-version }} - uses: stCarolas/setup-maven@v5 - with: - maven-version: ${{ inputs.maven-version }} - - - name: Import GPG Key - run: | - echo "${{ inputs.pgp-private-key }}" | gpg --batch --passphrase "$PASSPHRASE" --import - shell: bash - env: - PASSPHRASE: ${{ inputs.pgp-passphrase }} - - - name: Deploy to Maven Central - run: > - mvn -B -ntp --show-version - -Dmaven.install.skip=true - -Dmaven.test.skip=true - -Dgpg.passphrase="$GPG_PASSPHRASE" - -Dgpg.keyname="$GPG_PUB_KEY" - clean deploy -P deploy-release - shell: bash - env: - MAVEN_CENTRAL_USER: ${{ inputs.user }} - MAVEN_CENTRAL_PASSWORD: ${{ inputs.password }} - GPG_PASSPHRASE: ${{ inputs.pgp-passphrase }} - GPG_PUB_KEY: ${{ inputs.pgp-pub-key }} 
diff --git a/.github/actions/scan-with-blackduck/action.yaml b/.github/actions/scan-with-blackduck/action.yaml deleted file mode 100644 index 9e09041..0000000 --- a/.github/actions/scan-with-blackduck/action.yaml +++ /dev/null @@ -1,54 +0,0 @@ -name: "Scan with BlackDuck" -description: "Scans the project with BlackDuck" - -inputs: - blackduck_token: - description: "The token to use for BlackDuck authentication" - required: true - java-version: - description: "The version of Java to use" - default: '17' - required: false - maven-version: - description: "The Maven version the build shall run with." - required: true - scan_mode: - description: The scan mode to use (FULL or RAPID) - default: 'RAPID' - required: false - -runs: - using: composite - steps: - - name: Set up Java ${{ inputs.java-version }} - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 - with: - java-version: ${{ inputs.java-version }} - distribution: sapmachine - cache: maven - - - name: Set up Maven ${{ inputs.maven-version }} - uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5 - with: - maven-version: ${{ inputs.maven-version }} - - - name: Get Revision - id: get-revision - run: | - echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT - shell: bash - - - name: BlackDuck Security Scan - uses: blackduck-inc/black-duck-security-scan@659a0742e793a093377fab3117b0d90f23b04bfa # v2.9.0 - with: - blackducksca_url: https://sap.blackducksoftware.com/ - blackducksca_token: ${{ inputs.blackduck_token }} - blackducksca_scan_full: ${{ inputs.scan_mode == 'FULL' }} - detect_args: > - --detect.project.name=com.sap.cds.feature.auditlog-ng - --detect.project.version.name=${{ steps.get-revision.outputs.REVISION }} - --detect.included.detector.types=MAVEN - --detect.excluded.directories=**/node_modules,**/*test*,**/target/site - --detect.tools=DETECTOR,BINARY_SCAN - --detect.risk.report.pdf=false - --logging.level.detect=INFO 
diff --git a/.github/actions/scan-with-codeql/action.yml b/.github/actions/scan-with-codeql/action.yml deleted file mode 100644 index 88e7f91..0000000 --- a/.github/actions/scan-with-codeql/action.yml +++ /dev/null @@ -1,45 +0,0 @@ -name: Scan with CodeQL -description: Scans the project with CodeQL - -inputs: - java-version: - description: The Java version to use for the build. - required: true - maven-version: - description: The Maven version to use for the build. - required: true - -runs: - using: composite - steps: - - name: Set up Java ${{ inputs.java-version }} - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 - with: - java-version: ${{ inputs.java-version }} - distribution: sapmachine - cache: maven - - - name: Set up Maven ${{ inputs.maven-version }} - uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5 - with: - maven-version: ${{ inputs.maven-version }} - - - name: Initialize CodeQL - uses: github/codeql-action/init@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4 - with: - languages: java-kotlin - build-mode: manual - queries: security-extended - - - name: Install @sap/cds-dk - run: npm i -g @sap/cds-dk - shell: bash - - - name: Build Java code - run: mvn clean compile -B -ntp -Dcds.install-node.skip - shell: bash - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4 - with: - category: "/language:java-kotlin" diff --git a/.github/actions/scan-with-sonar/action.yaml b/.github/actions/scan-with-sonar/action.yaml deleted file mode 100644 index 34522cf..0000000 --- a/.github/actions/scan-with-sonar/action.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -name: Scan with SonarQube -description: Scans the project with SonarQube - -inputs: - sonarq-token: - description: The token to use for SonarQube authentication - required: true - github-token: - description: The token to use for GitHub authentication - required: true - java-version: - description: The version of Java to use - required: true - maven-version: - description: The version of Maven to use - required: true - -runs: - using: composite - - steps: - - name: Set up Java ${{inputs.java-version}} - uses: actions/setup-java@v4 - with: - java-version: ${{inputs.java-version}} - distribution: sapmachine - cache: maven - - - name: Set up Maven ${{inputs.maven-version}} - uses: stCarolas/setup-maven@v5 - with: - maven-version: ${{inputs.maven-version}} - - - name: Get Revision - id: get-revision - run: | - echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT - shell: bash - - - name: Print Revision - run: echo "${{steps.get-revision.outputs.REVISION}}" - shell: bash - - - name: SonarQube Scan - uses: SAP/project-piper-action@main - with: - step-name: sonarExecuteScan - flags: --token=${{inputs.sonarq-token}} --githubToken=${{inputs.github-token}} --version=${{steps.get-revision.outputs.REVISION}} --inferJavaBinaries=true diff --git a/.github/workflows/main-build-and-deploy-oss.yml b/.github/workflows/main-build-and-deploy-oss.yml index dec12cf..efd1bd8 100644 --- a/.github/workflows/main-build-and-deploy-oss.yml +++ b/.github/workflows/main-build-and-deploy-oss.yml 
@@ -13,29 +13,39 @@ jobs: name: Blackduck Scan runs-on: ubuntu-latest timeout-minutes: 30 + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Scan With Black Duck - uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-blackduck@main + uses: cap-java/.github/actions/scan-with-blackduck@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main with: blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }} maven-version: ${{ env.MAVEN_VERSION }} - scan_mode: RAPID + project-name: com.sap.cds.feature.auditlog-ng + included-modules: cds-feature-auditlog-ng + scan_mode: FULL codeql: name: CodeQL Scan runs-on: ubuntu-latest timeout-minutes: 60 + permissions: + contents: read + actions: read + security-events: write + packages: read steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Scan With CodeQL - continue-on-error: true - uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-codeql@main + uses: cap-java/.github/actions/scan-with-codeql@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main with: maven-version: ${{ env.MAVEN_VERSION }} java-version: ${{ env.JAVA_VERSION }} + language: java-kotlin + queries: security-extended # update-version: # name: Update Version @@ -81,12 +91,12 @@ jobs: - name: Checkout uses: actions/checkout@v6 - name: Build - uses: cap-java/cds-feature-auditlog-ng/.github/actions/build@main + uses: cap-java/cds-feature-auditlog-ng/.github/actions/build@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main with: java-version: ${{ env.JAVA_VERSION }} maven-version: ${{ env.MAVEN_VERSION }} #- name: Sonar Scan - # uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-sonar@main + # uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-sonar@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main # with: # java-version: ${{ env.JAVA_VERSION }} # maven-version: ${{ env.MAVEN_VERSION }} 
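Review bot: The second hunk pins `cap-java/cds-feature-auditlog-ng/.github/actions/build` to `296573b55e906f5c77a1855bcfe4285cbbc5cac4`, the same commit SHA used for `cap-java/.github/actions/scan-with-blackduck` in the hunk above; a commit can belong to only one of these repositories, so one of the two references will fail to resolve at run time. The `build` action is not among the files this commit deletes, so it still lives in this repo: reference it as `uses: ./.github/actions/build` (the checked-out revision) and keep the `cap-java/.github/...@<sha>` form only for the actions that actually moved to the shared repo. The same cross-repository SHA is applied to the `build` references in main-build.yml and pull-request-build.yml and to the commented-out Sonar steps.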
@@ -112,13 +122,13 @@ jobs: with: name: root-build - name: Deploy - uses: cap-java/cds-feature-auditlog-ng/.github/actions/deploy-release@main + uses: cap-java/.github/actions/deploy-release@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main with: user: ${{ secrets.CAP_JAVA_CDS_FEATURE_AUDITLOG_NG_USER }} password: ${{ secrets.CAP_JAVA_CDS_FEATURE_AUDITLOG_NG_PASS }} - pgp-pub-key: ${{ secrets.PGP_PUBKEY_ID }} - pgp-private-key: ${{ secrets.PGP_PRIVATE_KEY }} - pgp-passphrase: ${{ secrets.PGP_PASSPHRASE }} + gpg-pub-key: ${{ secrets.PGP_PUBKEY_ID }} + gpg-private-key: ${{ secrets.PGP_PRIVATE_KEY }} + gpg-passphrase: ${{ secrets.PGP_PASSPHRASE }} revision: ${{ github.event.release.tag_name }} maven-version: ${{ env.MAVEN_VERSION }} - name: Echo Status diff --git a/.github/workflows/main-build.yml b/.github/workflows/main-build.yml index 77f3807..889c472 100644 --- a/.github/workflows/main-build.yml +++ b/.github/workflows/main-build.yml @@ -20,13 +20,13 @@ jobs: uses: actions/checkout@v6 - name: Build - uses: cap-java/cds-feature-auditlog-ng/.github/actions/build@main + uses: cap-java/cds-feature-auditlog-ng/.github/actions/build@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main with: java-version: ${{ matrix.java-version }} maven-version: ${{ env.MAVEN_VERSION }} #- name: SonarQube Scan - # uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-sonar@main + # uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-sonar@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main # if: ${{ matrix.java-version == 17 }} # with: # java-version: ${{ matrix.java-version }} 
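Review bot: The `Deploy` step now hands the Maven Central credentials, the PGP private key and its passphrase to `cap-java/.github/actions/deploy-release`, an action outside this repository, pinned to a SHA whose trailing comment is only `# main`. Pinning to the SHA is right; record the tag or version that SHA corresponds to in the comment (e.g. `# v1.2.0`) so updates are reviewed as a version change rather than a bare hash, and confirm the renamed inputs (`gpg-pub-key`, `gpg-private-key`, `gpg-passphrase`) match that revision's action.yml, since an input name mismatch would leave the key unset without a hard error. `revision: ${{ github.event.release.tag_name }}` is a user-chosen string that presumably reaches a Maven invocation in the shared action, so it is worth checking that the action passes it as a quoted argument rather than interpolating it into a shell line.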
@@ -38,31 +38,40 @@ jobs: name: Blackduck Scan runs-on: ubuntu-latest timeout-minutes: 30 + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Scan With Black Duck - uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-blackduck@main + uses: cap-java/.github/actions/scan-with-blackduck@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main with: blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }} - github_token: ${{ secrets.GITHUB_TOKEN }} maven-version: ${{ env.MAVEN_VERSION }} - scan_mode: RAPID + project-name: com.sap.cds.feature.auditlog-ng + included-modules: cds-feature-auditlog-ng + scan_mode: FULL codeql: name: CodeQL Scan runs-on: ubuntu-latest timeout-minutes: 60 + permissions: + contents: read + actions: read + security-events: write + packages: read steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Scan With CodeQL - continue-on-error: true - uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-codeql@main + uses: cap-java/.github/actions/scan-with-codeql@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main with: maven-version: ${{ env.MAVEN_VERSION }} java-version: ${{ env.JAVA_VERSION }} + language: java-kotlin + queries: security-extended deploy-snapshot: name: Deploy snapshot to Artifactory diff --git a/.github/workflows/pull-request-build.yml b/.github/workflows/pull-request-build.yml index 18be552..7943f1f 100644 --- a/.github/workflows/pull-request-build.yml +++ b/.github/workflows/pull-request-build.yml 
@@ -1,13 +1,41 @@ name: Pull Request Voter +permissions: + actions: read + contents: read + packages: read + security-events: write + env: MAVEN_VERSION: '3.9.15' on: + workflow_dispatch: pull_request: branches: [ "main" ] + types: [reopened, synchronize, opened] jobs: + blackduck: + name: Blackduck Scan + runs-on: ubuntu-latest + timeout-minutes: 30 + permissions: + contents: read + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + + - name: Scan With Black Duck + uses: cap-java/.github/actions/scan-with-blackduck@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main + with: + blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }} + maven-version: ${{ env.MAVEN_VERSION }} + project-name: com.sap.cds.feature.auditlog-ng + included-modules: cds-feature-auditlog-ng + scan_mode: RAPID + rapid_compare_mode: BOM_COMPARE # PRs might only be blocked by things they introduce, not by pre-existing issues that could have appeared in the main branch in the meantime + build: runs-on: ubuntu-latest @@ -21,13 +49,13 @@ jobs: uses: actions/checkout@v6 - name: Build - uses: cap-java/cds-feature-auditlog-ng/.github/actions/build@main + uses: cap-java/cds-feature-auditlog-ng/.github/actions/build@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main with: java-version: ${{ matrix.java-version }} maven-version: ${{ env.MAVEN_VERSION }} #- name: SonarQube Scan - # uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-sonar@main + # uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-sonar@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main # if: ${{ matrix.java-version == 17 }} # with: # java-version: ${{ matrix.java-version }}
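Review bot: The new workflow-level `permissions:` block in pull-request-build.yml grants `security-events: write` and `packages: read` to every job that does not override it, but no job in this workflow uploads SARIF (no CodeQL job is added here and `blackduck` narrows itself to `contents: read`), so the `build` job inherits write access it never uses. Keep the top-level grant to `permissions: contents: read` and attach `security-events: write` to a job only when one actually needs it. Separately, `secrets.BLACK_DUCK_TOKEN` is not available to `pull_request` runs from forks, so if the repository accepts external PRs the `blackduck` job will fail for them; either guard it with `if: github.event.pull_request.head.repo.full_name == github.repository` or document that the scan only votes on branch PRs.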