-
Notifications
You must be signed in to change notification settings - Fork 0
108 lines (96 loc) · 3.71 KB
/
pr-merge-main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-gradle
name: CI assessment-api pr to main
on:
pull_request:
branches: [ main ]
types: [ closed ]
permissions:
contents: read
packages: write
jobs:
build-test-release:
if: |
github.event.pull_request.merged == true && !startsWith(github.event.pull_request.head.ref, 'dependabot/')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
ref: main
token: ${{ secrets.REPO_TOKEN }}
- name: Set up JDK 21
uses: actions/setup-java@v3
with:
java-version: '21'
distribution: 'temurin'
- name: Build with Gradle
uses: gradle/gradle-build-action@749f47bda3e44aa060e82d7b3ef7e40d953bd629
with:
arguments: build
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Test
uses: gradle/gradle-build-action@749f47bda3e44aa060e82d7b3ef7e40d953bd629
with:
arguments: jacocoTestCoverageVerification
- name: Integration Test
uses: gradle/gradle-build-action@749f47bda3e44aa060e82d7b3ef7e40d953bd629
with:
arguments: integrationTest --tests '*IntegrationTest'
- name: Set to github user
run: |
git config --global user.email "[email protected]"
git config --global user.name "GitHub Actions Bot"
- name: Update version
uses: gradle/gradle-build-action@749f47bda3e44aa060e82d7b3ef7e40d953bd629
with:
arguments: release -Prelease.useAutomaticVersion=true
vulnerability-report:
if: github.event.pull_request.merged == true
runs-on: ubuntu-latest
permissions:
security-events: write
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
SNYK_ORG: legal-aid-agency
SNYK_TEST_EXCLUDE: build,generated
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- uses: actions/checkout@v3
- name: Generate Snyk report and upload to LAA Dashboard
uses: snyk/actions/[email protected]
continue-on-error: true
with:
command: monitor
args: --org=${SNYK_ORG} --all-projects --exclude=$SNYK_TEST_EXCLUDE
- name: Generate sarif Snyk report
uses: snyk/actions/[email protected]
continue-on-error: true
with:
args: --org=$SNYK_ORG --all-projects --exclude=$SNYK_TEST_EXCLUDE --sarif-file-output=snyk-report.sarif
- name: Fix undefined values
run: |
cat snyk-report.sarif | jq '
.runs[].tool[].rules[]
|= (
if .properties["security-severity"] == "undefined"
then .properties["security-severity"] =
( if .shortDescription.text | test("(?i)critical") then "9.0"
elif .shortDescription.text | test("(?i)high") then "7.0"
elif .shortDescription.text | test("(?i)medium") then "4.0"
elif .shortDescription.text | test("(?i)low") then "0.1"
else ""
end
)
else .
end
)
' > snyk-report-cleansed.sarif
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk-report-cleansed.sarif