diff --git a/.github/actions/deploy-release/action.yml b/.github/actions/deploy-release/action.yml
deleted file mode 100644
index b1ef193..0000000
--- a/.github/actions/deploy-release/action.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-name: Deploy Release to Maven Central
-description: "Deploys released artifacts to Maven Central repository."
-
-inputs:
- user:
- description: "The user used for the upload (technical user for maven central upload)"
- required: true
- password:
- description: "The password used for the upload (technical user for maven central upload)"
- required: true
- pgp-pub-key:
- description: "The public pgp key ID"
- required: true
- pgp-private-key:
- description: "The private pgp key"
- required: true
- pgp-passphrase:
- description: "The passphrase for pgp"
- required: true
- revision:
- description: "The revision of cds-feature-event-hub"
- required: true
- maven-version:
- description: "The Maven version the build shall run with."
- required: true
-
-runs:
- using: composite
- steps:
- - name: Echo Inputs
- run: |
- echo "user: ${{ inputs.user }}"
- echo "revision: ${{ inputs.revision }}"
- shell: bash
-
- - name: Set up Java
- uses: actions/setup-java@v4
- with:
- distribution: sapmachine
- java-version: '17'
- cache: maven
- server-id: central
- server-username: MAVEN_CENTRAL_USER
- server-password: MAVEN_CENTRAL_PASSWORD
-
- - name: Set up Maven ${{ inputs.maven-version }}
- uses: stCarolas/setup-maven@v5
- with:
- maven-version: ${{ inputs.maven-version }}
-
- - name: Import GPG Key
- run: |
- echo "${{ inputs.pgp-private-key }}" | gpg --batch --passphrase "$PASSPHRASE" --import
- shell: bash
- env:
- PASSPHRASE: ${{ inputs.pgp-passphrase }}
-
- - name: Deploy to Maven Central
- run: >
- mvn -B -ntp --show-version
- -Dmaven.install.skip=true
- -Dmaven.test.skip=true
- -Dgpg.passphrase="$GPG_PASSPHRASE"
- -Dgpg.keyname="$GPG_PUB_KEY"
- clean deploy -P deploy-release
- shell: bash
- env:
- MAVEN_CENTRAL_USER: ${{ inputs.user }}
- MAVEN_CENTRAL_PASSWORD: ${{ inputs.password }}
- GPG_PASSPHRASE: ${{ inputs.pgp-passphrase }}
- GPG_PUB_KEY: ${{ inputs.pgp-pub-key }}
diff --git a/.github/actions/scan-with-blackduck/action.yaml b/.github/actions/scan-with-blackduck/action.yaml
deleted file mode 100644
index 414875c..0000000
--- a/.github/actions/scan-with-blackduck/action.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-name: "Scan with BlackDuck"
-description: "Scans the project with BlackDuck"
-
-inputs:
- blackduck_token:
- description: "The token to use for BlackDuck authentication"
- required: true
- github_token:
- description: "The token to use for GitHub authentication"
- required: true
- java-version:
- description: "The version of Java to use"
- default: '17'
- required: false
- maven-version:
- description: "The Maven version the build shall run with."
- required: true
- scan_mode:
- description: The scan mode to use (FULL or RAPID)
- default: 'RAPID'
- required: false
-
-runs:
- using: composite
- steps:
- - name: Set up Java ${{ inputs.java-version }}
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
- with:
- java-version: ${{ inputs.java-version }}
- distribution: sapmachine
- cache: maven
-
- - name: Set up Maven ${{ inputs.maven-version }}
- uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
- with:
- maven-version: ${{ inputs.maven-version }}
-
- - name: Get Revision
- id: get-revision
- run: |
- echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT
- shell: bash
-
- - name: BlackDuck Security Scan
- uses: blackduck-inc/black-duck-security-scan@659a0742e793a093377fab3117b0d90f23b04bfa # v2.9.0
- with:
- blackducksca_url: https://sap.blackducksoftware.com/
- blackducksca_token: ${{ inputs.blackduck_token }}
- blackducksca_scan_full: ${{ inputs.scan_mode == 'FULL' }}
- github_token: ${{ inputs.github_token }}
- detect_args: >
- --detect.project.name=com.sap.cds.feature.event-hub
- --detect.project.version.name=${{ steps.get-revision.outputs.REVISION }}
- --detect.included.detector.types=MAVEN
- --detect.excluded.directories=**/node_modules,**/*test*,**/localrepo,**/target/site,**/*-site.jar,**/samples/**
- --detect.tools=DETECTOR,BINARY_SCAN
- --detect.risk.report.pdf=false
- --logging.level.detect=INFO
- env:
- BLACKDUCKSCA_TOKEN: ${{ inputs.blackduck_token }}
- BLACKDUCKSCA_URL: https://sap.blackducksoftware.com/
- BLACKDUCK_API_TOKEN: ${{ inputs.blackduck_token }}
diff --git a/.github/actions/scan-with-codeql/action.yaml b/.github/actions/scan-with-codeql/action.yaml
deleted file mode 100644
index bdaca32..0000000
--- a/.github/actions/scan-with-codeql/action.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-name: Scan with CodeQL
-description: Scans the project with CodeQL
-
-inputs:
- java-version:
- description: The Java version to use for the build.
- required: true
- maven-version:
- description: The Maven version to use for the build.
- required: true
-
-runs:
- using: composite
- steps:
- - name: Set up Java ${{ inputs.java-version }}
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
- with:
- java-version: ${{ inputs.java-version }}
- distribution: sapmachine
- cache: maven
-
- - name: Set up Maven ${{ inputs.maven-version }}
- uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
- with:
- maven-version: ${{ inputs.maven-version }}
-
- - name: Initialize CodeQL
- uses: github/codeql-action/init@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4
- with:
- languages: java-kotlin
- build-mode: manual
- queries: security-extended
-
- - name: Install @sap/cds-dk
- run: npm i -g @sap/cds-dk
- shell: bash
-
- - name: Install npm dependencies
- run: npm install
- shell: bash
-
- - name: Build Java code
- run: mvn clean compile -B -ntp -Dcds.install-node.skip
- shell: bash
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4
- with:
- category: "/language:java-kotlin"
diff --git a/.github/actions/scan-with-sonar/action.yaml b/.github/actions/scan-with-sonar/action.yaml
deleted file mode 100644
index 34522cf..0000000
--- a/.github/actions/scan-with-sonar/action.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-name: Scan with SonarQube
-description: Scans the project with SonarQube
-
-inputs:
- sonarq-token:
- description: The token to use for SonarQube authentication
- required: true
- github-token:
- description: The token to use for GitHub authentication
- required: true
- java-version:
- description: The version of Java to use
- required: true
- maven-version:
- description: The version of Maven to use
- required: true
-
-runs:
- using: composite
-
- steps:
- - name: Set up Java ${{inputs.java-version}}
- uses: actions/setup-java@v4
- with:
- java-version: ${{inputs.java-version}}
- distribution: sapmachine
- cache: maven
-
- - name: Set up Maven ${{inputs.maven-version}}
- uses: stCarolas/setup-maven@v5
- with:
- maven-version: ${{inputs.maven-version}}
-
- - name: Get Revision
- id: get-revision
- run: |
- echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT
- shell: bash
-
- - name: Print Revision
- run: echo "${{steps.get-revision.outputs.REVISION}}"
- shell: bash
-
- - name: SonarQube Scan
- uses: SAP/project-piper-action@main
- with:
- step-name: sonarExecuteScan
- flags: --token=${{inputs.sonarq-token}} --githubToken=${{inputs.github-token}} --version=${{steps.get-revision.outputs.REVISION}} --inferJavaBinaries=true
diff --git a/.github/workflows/main-build-and-deploy-oss.yml b/.github/workflows/main-build-and-deploy-oss.yml
index 303959b..9893379 100644
--- a/.github/workflows/main-build-and-deploy-oss.yml
+++ b/.github/workflows/main-build-and-deploy-oss.yml
@@ -13,31 +13,40 @@ jobs:
 name: Blackduck Scan runs-on: ubuntu-latest timeout-minutes: 30 + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Scan With Black Duck - uses: ./.github/actions/scan-with-blackduck + uses: cap-java/.github/actions/scan-with-blackduck@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main with: blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }} - github_token: ${{ secrets.GITHUB_TOKEN }} maven-version: ${{ env.MAVEN_VERSION }} - scan_mode: RAPID + project-name: com.sap.cds.feature.event-hub + included-modules: cds-feature-event-hub + scan_mode: FULL codeql: name: CodeQL Scan runs-on: ubuntu-latest timeout-minutes: 60 + permissions: + contents: read + actions: read + security-events: write + packages: read steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Scan With CodeQL - continue-on-error: true - uses: ./.github/actions/scan-with-codeql + uses: cap-java/.github/actions/scan-with-codeql@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main with: maven-version: ${{ env.MAVEN_VERSION }} java-version: ${{ env.JAVA_VERSION }} + language: java-kotlin + queries: security-extended # update-version: # name: Update Version
@@ -114,13 +123,13 @@ jobs:
 with:
 name: root-build
 - name: Deploy
- uses: ./.github/actions/deploy-release
+ uses: cap-java/.github/actions/deploy-release@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main
 with:
 user: ${{ secrets.CAP_JAVA_CDS_FEATURE_EVENT_HUB_USER }}
 password: ${{ secrets.CAP_JAVA_CDS_FEATURE_EVENT_HUB_PASS }}
- pgp-pub-key: ${{ secrets.PGP_PUBKEY_ID }}
- pgp-private-key: ${{ secrets.PGP_PRIVATE_KEY }}
- pgp-passphrase: ${{ secrets.PGP_PASSPHRASE }}
+ gpg-pub-key: ${{ secrets.PGP_PUBKEY_ID }}
+ gpg-private-key: ${{ secrets.PGP_PRIVATE_KEY }}
+ gpg-passphrase: ${{ secrets.PGP_PASSPHRASE }}
 revision: ${{ github.event.release.tag_name }}
 maven-version: ${{ env.MAVEN_VERSION }}
 - name: Echo Status
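Review bot: The `# main` comment after each full-SHA pin on the new `uses: cap-java/.github/actions/...@296573b55e906f5c77a1855bcfe4285cbbc5cac4` lines names a moving branch rather than the revision the SHA actually is, so a reader cannot tell how stale the pin is, and pin-update tooling that reads the trailing comment to infer the tracked version will presumably follow the branch head rather than a release. The SHA pin itself is the right choice; replace the comment with the tag, or the date the SHA was taken from main, e.g. `uses: cap-java/.github/actions/scan-with-blackduck@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main as of <date-placeholder>`. The same comment appears on the deploy-release pin in the second hunk of this file and on the pins in main-build.yml and pull-request-build.yml. The codeql job also gains `packages: read` although no step in this hunk reads packages; if the composite action needs it for dependency resolution, a one-line comment above that key saying so would keep the next reader from dropping it.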
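Review bot: The release job in this hunk now forwards the Maven Central credentials and the GPG private key and passphrase (`gpg-private-key`, `gpg-passphrase`) to an action in another repository, yet unlike the two scan jobs in the first hunk of this file it gets no `permissions:` block in this change. The job header is above the hunk, so if it does not already declare one, add `permissions: contents: read` under the job so the default token carries no write scope while those secrets are in play. The mapping of the existing `PGP_*` secrets onto the renamed `gpg-*` inputs is consistent across all three lines.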
diff --git a/.github/workflows/main-build.yml b/.github/workflows/main-build.yml
index 7817807..c414341 100644
--- a/.github/workflows/main-build.yml
+++ b/.github/workflows/main-build.yml
@@ -38,31 +38,40 @@ jobs:
 name: Blackduck Scan runs-on: ubuntu-latest timeout-minutes: 30 + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Scan With Black Duck - uses: ./.github/actions/scan-with-blackduck + uses: cap-java/.github/actions/scan-with-blackduck@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main with: blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }} - github_token: ${{ secrets.GITHUB_TOKEN }} maven-version: ${{ env.MAVEN_VERSION }} - scan_mode: RAPID + project-name: com.sap.cds.feature.event-hub + included-modules: cds-feature-event-hub + scan_mode: FULL codeql: name: CodeQL Scan runs-on: ubuntu-latest timeout-minutes: 60 + permissions: + contents: read + actions: read + security-events: write + packages: read steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Scan With CodeQL - continue-on-error: true - uses: ./.github/actions/scan-with-codeql + uses: cap-java/.github/actions/scan-with-codeql@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main with: maven-version: ${{ env.MAVEN_VERSION }} java-version: ${{ env.JAVA_VERSION }} + language: java-kotlin + queries: security-extended deploy-snapshot: name: Deploy snapshot to Artifactory
diff --git a/.github/workflows/pull-request-build.yml b/.github/workflows/pull-request-build.yml
index 723f3b6..2b443ca 100644
--- a/.github/workflows/pull-request-build.yml
+++ b/.github/workflows/pull-request-build.yml
@@ -4,10 +4,32 @@ env:
 MAVEN_VERSION: '3.9.15' on: + workflow_dispatch: pull_request: branches: [ "main" ] + types: [reopened, synchronize, opened] jobs: + blackduck: + name: Blackduck Scan + runs-on: ubuntu-latest + timeout-minutes: 30 + permissions: + contents: read + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + + - name: Scan With Black Duck + uses: cap-java/.github/actions/scan-with-blackduck@296573b55e906f5c77a1855bcfe4285cbbc5cac4 # main + with: + blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }} + maven-version: ${{ env.MAVEN_VERSION }} + project-name: com.sap.cds.feature.event-hub + included-modules: cds-feature-event-hub + scan_mode: RAPID + rapid_compare_mode: BOM_COMPARE # PRs might only be blocked by things they introduce, not by pre-existing issues that could have appeared in the main branch in the meantime + build: runs-on: ubuntu-latest
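Review bot: The new `blackduck` job runs on `pull_request` but reads `secrets.BLACK_DUCK_TOKEN`, which is not provided to workflows triggered by pull requests from forks, so a fork PR will most likely fail this job on authentication instead of being skipped; if fork contributions are expected, gate the job with `if: github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.fork == false`, where the first clause keeps the `workflow_dispatch` trigger added in the same hunk working. The long inline comment on the `rapid_compare_mode: BOM_COMPARE` line would read better as a `# ` comment on its own line above the key. `types: [reopened, synchronize, opened]` is the default activity-type set for `pull_request`, so the explicit list is redundant though harmless.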