From 7d54d8d309b3ae8071550b6f0df2fc6e243cda59 Mon Sep 17 00:00:00 2001
From: Denis Plotnikov
Date: Tue, 7 Feb 2023 11:49:47 +0400
Subject: [PATCH] [TH2-4566] Reusable workflow
---
.../workflows/dev-java-publish-sonatype.yml | 64 ++++++++-----------
.github/workflows/java-publish-sonatype.yml | 40 ++++++++----
.gitignore | 3 +
README.md | 2 +-
build.gradle | 38 ++++++++++-
gradle.properties | 2 +-
settings.gradle | 1 +
7 files changed, 96 insertions(+), 54 deletions(-)
diff --git a/.github/workflows/dev-java-publish-sonatype.yml b/.github/workflows/dev-java-publish-sonatype.yml
index 01f94879..9e728f8f 100644
--- a/.github/workflows/dev-java-publish-sonatype.yml
+++ b/.github/workflows/dev-java-publish-sonatype.yml
@@ -5,46 +5,36 @@ on: branches-ignore: - master - version-* - # paths: - # - gradle.properties jobs: - build: + build-job: + uses: th2-net/.github/.github/workflows/compound-java-dev.yml@main + with: + scanner-enabled: false + build-target: 'Sonatype' + runsOn: ubuntu-latest + secrets: + sonatypeUsername: ${{ secrets.SONATYPE_NEXUS_USERNAME }} + sonatypePassword: ${{ secrets.SONATYPE_NEXUS_PASSWORD }} + sonatypeSigningKey: ${{ secrets.SONATYPE_GPG_ARMORED_KEY }} + sonatypeSigningPassword: ${{ secrets.SONATYPE_SIGNING_PASSWORD }} + scan-job: runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 -# Prepare custom build version - - name: Get branch name - id: branch - run: echo ::set-output name=branch_name::${GITHUB_REF#refs/*/} - - name: Get release_version - id: ver - uses: christian-draeger/read-properties@1.0.1 - with: - path: gradle.properties - property: release_version - - name: Build custom release version - id: release_ver - run: echo ::set-output name=value::"${{ steps.ver.outputs.value }}-${{ steps.branch.outputs.branch_name }}-${{ github.run_id }}-SNAPSHOT" - - name: Write custom release version to file - uses: christian-draeger/write-properties@1.0.1 + - name: Checkout code + uses: actions/checkout@v3 + - name: Create lockfiles + run: ./gradlew createLockFiles + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@master with: - path: gradle.properties - property: release_version - value: ${{ steps.release_ver.outputs.value }} - - name: Show custom release version - run: echo ${{ steps.release_ver.outputs.value }} -# Build and publish package - - name: Set up JDK 11 - uses: actions/setup-java@v1 + scan-type: 'fs' + ignore-unfixed: false + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH,MEDIUM' + exit-code: '0' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 with: - java-version: '11' - - name: Build with Gradle - run: ./gradlew 
--info clean build publish - env: - ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.SONATYPE_NEXUS_USERNAME }} - ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.SONATYPE_NEXUS_PASSWORD }} - ORG_GRADLE_PROJECT_signingKey: ${{ secrets.SONATYPE_GPG_ARMORED_KEY }} - ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.SONATYPE_SIGNING_PASSWORD }} - + sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/java-publish-sonatype.yml b/.github/workflows/java-publish-sonatype.yml index b8c36688..5d1e85f9 100644 --- a/.github/workflows/java-publish-sonatype.yml +++ b/.github/workflows/java-publish-sonatype.yml @@ -1,5 +1,4 @@ name: Build and release Java distributions to sonatype. - on: push: branches: 
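Review bot: Both external references added in the dev-java-publish-sonatype.yml hunk are mutable branch refs: `uses: th2-net/.github/.github/workflows/compound-java-dev.yml@main` is handed the Sonatype credentials and the armored GPG signing key, and `uses: aquasecurity/trivy-action@master` runs on every pushed branch. Whatever is on those branches at run time executes with these secrets or with this repository's job token, without any change being reviewed here. Pinning each to a full commit SHA (for example `compound-java-dev.yml@<commit-sha>`) keeps the publishing path auditable. The same applies to `compound-java.yml@main` and the Trivy step in the `@@ -10,18 +9,33 @@` hunk of java-publish-sonatype.yml. `scan-job` also declares no `permissions:`; since `github/codeql-action/upload-sarif` needs `security-events: write`, setting `contents: read` and `security-events: write` on that job makes the token scope explicit and minimal.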
@@ -10,18 +9,33 @@ on: jobs: build: + uses: th2-net/.github/.github/workflows/compound-java.yml@main + with: + scanner-enabled: false + build-target: 'Sonatype' + runsOn: ubuntu-latest + secrets: + sonatypeUsername: ${{ secrets.SONATYPE_NEXUS_USERNAME }} + sonatypePassword: ${{ secrets.SONATYPE_NEXUS_PASSWORD }} + sonatypeSigningKey: ${{ secrets.SONATYPE_GPG_ARMORED_KEY }} + sonatypeSigningPassword: ${{ secrets.SONATYPE_SIGNING_PASSWORD }} + scan-job: runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Set up JDK 11 - uses: actions/setup-java@v1 + - name: Checkout code + uses: actions/checkout@v3 + - name: Create lockfiles + run: ./gradlew createLockFiles + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + ignore-unfixed: false + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH,MEDIUM' + exit-code: '0' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 with: - java-version: '11' - - name: Build with Gradle - run: ./gradlew --info clean build publish closeAndReleaseSonatypeStagingRepository - env: - ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.SONATYPE_NEXUS_USERNAME }} - ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.SONATYPE_NEXUS_PASSWORD }} - ORG_GRADLE_PROJECT_signingKey: ${{ secrets.SONATYPE_GPG_ARMORED_KEY }} - ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.SONATYPE_SIGNING_PASSWORD }} + sarif_file: 'trivy-results.sarif' \ No newline at end of file diff --git a/.gitignore b/.gitignore index 18acb945..7121109d 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,9 @@ /cradle-cassandra/.project /cradle-cassandra/.classpath /cradle-cassandra/build +/cradle-cassandra/gradle/ +/cradle-core/gradle/ +/gradle/dependency-locks/ /cradle-core/.classpath /cradle-core/.project /cradle-core/.settings diff --git a/README.md b/README.md index 43e3275f..520e3dc2 100644 --- a/README.md +++ b/README.md 
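Review bot: `scan-job` cannot stop a release in java-publish-sonatype.yml: `build` has no `needs: scan-job`, and the Trivy step sets `exit-code: '0'`, so findings of any severity are only uploaded as SARIF while the reusable workflow (presumably the Sonatype publish, given `build-target: 'Sonatype'`) runs in parallel. If the scan is meant to gate master releases, add `needs: scan-job` to `build` and use `exit-code: '1'` for at least `CRITICAL,HIGH`. If it is advisory by design, a comment such as `# advisory only: results go to the Security tab, release is not blocked` would say so. `scan-job` also runs `./gradlew createLockFiles` with no JDK setup step, so it resolves dependencies with whatever Java the runner image ships rather than the JDK 11 the removed steps configured.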
@@ -1,4 +1,4 @@ -# cradleapi (3.1.0) +# cradleapi (3.2.1) ## Overview diff --git a/build.gradle b/build.gradle index 5938c0b4..a51d0e9f 100644 --- a/build.gradle +++ b/build.gradle @@ -4,8 +4,8 @@ plugins { } ext { - slf4j_version = '1.7.26' - jackson_version = '2.9.7' + slf4j_version = '1.7.36' + jackson_version = '2.13.4' sharedDir = file("${project.rootDir}/shared") } @@ -13,6 +13,24 @@ ext { allprojects { version = release_version group = 'com.exactpro.th2' + + configurations { + compileClasspath { + resolutionStrategy.activateDependencyLocking() + } + } + + tasks.register('resolveAndLockAll') { + doFirst { + println gradle.startParameter.writeDependencyLocks + } + doLast { + configurations.findAll { + // Add any custom filtering on the configurations to be resolved + it.canBeResolved + }.each { it.resolve() } + } + } } subprojects { @@ -29,6 +47,22 @@ subprojects { resolutionStrategy.cacheDynamicVersionsFor 0, 'seconds' } } + + configurations { + compileClasspath { + resolutionStrategy.activateDependencyLocking() + } + } + + tasks.register('createLockFiles', Copy) { + dependsOn('resolveAndLockAll') + from "./gradle/dependency-locks/compileClasspath.lockfile" + into "./.." + + rename { String filename -> + return project.name + '-' + filename + } + } defaultTasks 'build' diff --git a/gradle.properties b/gradle.properties index a04ac86b..7ab67a47 100644 --- a/gradle.properties +++ b/gradle.properties @@ -1,4 +1,4 @@ -release_version = 3.2.0 +release_version = 3.2.1 description = 'Cradle API' vcs_url=https://github.com/th2-net/cradleapi \ No newline at end of file diff --git a/settings.gradle b/settings.gradle index f7f7a1a8..5ca681b5 100644 --- a/settings.gradle +++ b/settings.gradle @@ -4,3 +4,4 @@ include 'cradle-cassandra' // Defined names will be used for jar and artifact names project(':cradle-core').name = 'cradle-core' project(':cradle-cassandra').name = 'cradle-cassandra' +startParameter.setWriteDependencyLocks(true)
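Review bot: Only `compileClasspath` is locked in the build.gradle `allprojects` hunk, so dependencies that appear only on `runtimeClasspath` never reach the lockfile that `createLockFiles` copies out, and a lockfile-driven scan would not see them. Consider `dependencyLocking { lockAllConfigurations() }`, or lock `runtimeClasspath` as well and copy its lockfile too. The `configurations { compileClasspath { resolutionStrategy.activateDependencyLocking() } }` block is added a second time in the `subprojects` hunk (`@@ -29,6 +47,22 @@`); `allprojects` already covers subprojects, so one copy is enough. The `println gradle.startParameter.writeDependencyLocks` in `resolveAndLockAll` looks like leftover debugging and could be dropped.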
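Review bot: In settings.gradle, `startParameter.setWriteDependencyLocks(true)` puts every build, including the publishing one, into write-locks mode, so lock state is regenerated on each run instead of being checked. Together with the `.gitignore` entries that exclude `/gradle/dependency-locks/` and the per-module `gradle/` directories, `activateDependencyLocking()` never enforces a previously reviewed set of versions; the lockfiles are only a per-build inventory for the scan job. If that is the intent, a comment such as `// locks are regenerated on every build for scanning only; they are not committed or enforced` would stop readers from assuming reproducible resolution. Otherwise drop this line, commit the lockfiles, and pass `--write-locks` only when deliberately updating them.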