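name: Maven

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:
    branches:
      - main
  pull_request:
    types: [opened, reopened, synchronize]
    branches:
      - main

# Workflow-wide default token scope. A job that declares its own `permissions`
# block replaces this default entirely (every scope it does not list becomes
# `none`), so each job below restates `contents: read` when it checks out code.
permissions:
  contents: read

jobs:
  build:
    name: Test with Java ${{ matrix.jdk }}
    runs-on: ubuntu-22.04
    permissions:
      contents: read # for actions/checkout to fetch code (not inherited from the workflow default once this block exists)
      # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      pull-requests: write # for JaCoCo report being attached to PR (on pull requests from forks the token is read-only, so that step cannot comment there)
    strategy:
      fail-fast: false
      matrix:
        jdk: ['8', '11', '17', '21', '23']
        vendor: ['temurin']
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK ${{ matrix.jdk }}
        uses: actions/setup-java@v4
        with:
          distribution: ${{ matrix.vendor }}
          java-version: ${{ matrix.jdk }}
          cache: 'maven'
      - name: Maven Package
        run: mvn package
      - name: Maven Verify
        run: mvn -B verify spotbugs:check jacoco:report
      - name: Add coverage to PR
        id: jacoco
        # NOTE(review): the action reference appears mangled in this rendering
        # (shown as an e-mail-like string). When restoring it, pin this third-party
        # action to a full commit SHA with a `# vX.Y` trailer, as the commented
        # Checkmarx step below does, instead of a mutable tag.
        uses: madrapps/[email protected]
        if: ${{ matrix.jdk == '11' }} # publish coverage once per matrix, not from every JDK
        with:
          paths: |
            ${{ github.workspace }}/**/target/surefire-reports/TEST-*.xml
            ${{ github.workspace }}/aggregate-report/target/site/jacoco-aggregate/jacoco.xml
          token: ${{ secrets.GITHUB_TOKEN }}
          min-coverage-overall: 70
          min-coverage-changed-files: 75
      - name: Upload JaCoCo Coverage
        if: ${{ matrix.jdk == '11' }}
        uses: actions/upload-artifact@v4
        with:
          name: jacoco.html
          path: ${{ github.workspace }}/aggregate-report/target/site/jacoco-aggregate/index.html
          overwrite: true
      - name: JaCoCo Coverage
        # Skipped when the report step did not run (other JDKs) or produced no output.
        if: ${{ matrix.jdk == '11' && steps.jacoco.outputs.coverage-overall != '' }}
        run: |
          echo "Total coverage ${{ steps.jacoco.outputs.coverage-overall }}"
          echo "Changed Files coverage ${{ steps.jacoco.outputs.coverage-changed-files }}"
      # - name: Fail PR if overall coverage is less than 80%
      #   if: ${{ steps.jacoco.outputs.coverage-overall < 80.0 }}
      #   uses: actions/github-script@v6
      #   with:
      #     script: |
      #       core.setFailed('Overall coverage is less than 80%!')

  analysis:
    name: Static Analysis
    needs: build
    continue-on-error: false
    # Runs only on the default branch (push / workflow_dispatch); never for
    # pull_request events, whose ref is refs/pull/<n>/merge.
    if: ${{ needs.build.result == 'success' && github.ref == 'refs/heads/main' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read # for actions/checkout to fetch code; nothing in this job pushes, so `write` is not required
      pull-requests: write # for attached results to PR
      checks: write
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
    steps:
      - uses: actions/checkout@v4
        with:
          # Under the job's `if` above the triggering event is push or
          # workflow_dispatch, so `github.event.pull_request` is absent and this
          # expression should evaluate to empty, letting checkout fall back to
          # the triggering commit. It only takes effect if the job condition is
          # ever widened to pull_request events.
          ref: ${{ github.event.pull_request.head.sha }} # to check out the actual pull request commit, not the merge commit
          fetch-depth: 0 # a full history is required for pull request analysis
      ## latest Sonar requires Java 17 or higher
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17' # quoted, as in the build matrix, so the value is passed as a string
          cache: maven
      - name: Setup Cache for SonarCloud packages
        uses: actions/cache@v4
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      ## todo: use same artifacts from the build job
      ## Automatic Analysis is turned off on sonarcloud.io
      - name: Maven JaCoCo report & Sonar
        run: mvn -B install jacoco:report org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=barcode4j
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      - name: Copy aggregate JaCoCo Report (for Qodana)
        shell: bash # explicit bash runs with -e -o pipefail, so a missing report fails the step here
        run: |
          ls -lha aggregate-report/target/site/jacoco-aggregate/
          mkdir -p .qodana/code-coverage/
          cp -r aggregate-report/target/site/jacoco-aggregate/jacoco.xml .qodana/code-coverage/
      # potentially Qodana could be its own workflow (recommended in the docs)
      - name: Qodana Scan
        # NOTE(review): action reference appears mangled in this rendering; pin to
        # a full commit SHA when restoring it (see the note on the JaCoCo step).
        uses: JetBrains/[email protected]
        with:
          args: --baseline,qodana.sarif.json
          fail-threshold: 100
        env:
          QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
      - name: Upload Qodana report to GitHub code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json
      # # This step creates the Checkmarx One scan
      # - name: Checkmarx One scan
      #   uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc
      #   with:
      #     base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One
      #     cx_client_id: ${{ secrets.CX_CLIENT_ID }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e
      #     cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e
      #     cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One
      #     additional_params: --report-format sarif --output-path .
      # - name: Upload SARIF file
      #   uses: github/codeql-action/upload-sarif@v3
      #   with:
      #     # Path to SARIF file relative to the root of the repository
      #     sarif_file: cx_result.sarif

  # deploy:
  #   name: Deploy Artifact
  #   needs: build
  #   continue-on-error: true
  #   if: ${{ needs.build.result == 'success' && github.ref == 'refs/heads/main' }}
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@v4
  #     - name: Set up JDK 7
  #       uses: actions/setup-java@v4
  #       with:
  #         distribution: zulu
  #         java-version: 7
  #         cache: maven
  #         #server-id: github
  #         server-id: ossrh
  #         server-username: MAVEN_USERNAME
  #         server-password: MAVEN_PASSWORD
  #         gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
  #         gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
  #     - name: Maven Deploy (GitHub Packages)
  #       run: mvn deploy -Prelease,githubPackages -DskipTests=true
  #       with:
  #         server-id: github
  #       env:
  #         GITHUB_TOKEN: ${{ github.token }}
  #     - name: Maven Deploy (Maven Central)
  #       run: mvn deploy -Prelease -DskipTests=true
  #       env:
  #         MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}
  #         MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
  #         MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}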