chore(deps): update dependency owasp-dep-scan/dep-scan to v5.5.0 (#601) #1437
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Application build and test | |
| on: | |
| push: | |
| concurrency: | |
| group: ${{ github.ref }}-${{ github.workflow }} | |
| cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} | |
| env: | |
| CDXGEN_VERSION: '10.11.0' | |
| CDXGEN_PLUGINS_VERSION: '1.6.7' | |
| GRYPE_VERSION: 'v0.84.0' | |
| SBOMQS_VERSION: 'v0.2.2' | |
| DEPSCAN_VERSION: 'v5.5.0' | |
| NYDUS_VERSION: '2.3.0' | |
| SWIFT_VERSION: '5.10.1' | |
| semantic_version: '19.0.5' | |
| java_version: '21' | |
| node_version: '21' | |
| mvn_parameter: '-B -ntp' | |
| image_name: 'ghcr.io/mediamarktsaturn/technolinator' | |
| jobs: | |
| preparation: | |
| name: Preparation | |
| runs-on: ubuntu-latest | |
| if: | | |
| github.actor != 'dependabot[bot]' || | |
| (github.actor == 'dependabot[bot]' && github.ref != 'refs/heads/main') | |
| outputs: | |
| has_changes: ${{ steps.changed-files.outputs.any_changed }} | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get relevant changes | |
| id: changed-files | |
| uses: tj-actions/changed-files@v45 | |
| with: | |
| files_ignore: | | |
| **/*.md | |
| docs/ | |
| .github/dependabot.yml | |
| .github/technolinator.yml | |
| skip_ci: | |
| # Use the same name as CI build as workaround for required status checks for pull requests | |
| # See https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks | |
| name: Application Build | |
| runs-on: ubuntu-latest | |
| needs: preparation | |
| if: needs.preparation.outputs.has_changes == 'false' | |
| steps: | |
| - run: echo 'Skip build because no relevant files have been changed.' | |
| ci: | |
| name: Application Build | |
| runs-on: ubuntu-latest | |
| needs: preparation | |
| if: needs.preparation.outputs.has_changes == 'true' | |
| steps: | |
| - name: Free disk space | |
| run: | | |
| df -h | |
| echo "----------------------------------------" | |
| sudo swapoff -a | |
| sudo rm -f /swapfile | |
| sudo apt clean | |
| docker rmi $(docker image ls -aq) | |
| df -h | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| - name: Setup Nodejs | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '${{ env.node_version }}' | |
| - name: Setup Java | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: '${{ env.java_version }}' | |
| distribution: 'temurin' | |
| - name: Install dependencies for semantic-release-action | |
| run: npm install -D conventional-changelog-conventionalcommits@7.0.2 | |
| - name: Getting next release version | |
| id: semantic | |
| uses: cycjimmy/semantic-release-action@v4 | |
| with: | |
| dry_run: true | |
| semantic_version: ${{ env.semantic_version }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Install requirements | |
| uses: ./.github/actions/install-requirements | |
| with: | |
| grype_version: ${{ env.GRYPE_VERSION }} | |
| sbomqs_version: ${{ env.SBOMQS_VERSION }} | |
| depscan_version: ${{ env.DEPSCAN_VERSION }} | |
| nydus_version: ${{ env.NYDUS_VERSION }} | |
| cdxgen_version: ${{ env.CDXGEN_VERSION }} | |
| cdxgen_plugins_version: ${{ env.CDXGEN_PLUGINS_VERSION }} | |
| - name: Application Build and Test | |
| env: | |
| sem_ver: ${{ steps.semantic.outputs.new_release_version }} | |
| QUARKUS_GITHUB_APP_APP_ID: 32168 | |
| QUARKUS_GITHUB_APP_WEBHOOK_SECRET: for-my-eyes-only | |
| QUARKUS_GITHUB_APP_PRIVATE_KEY: '' | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| if [ -n "$sem_ver" ]; then | |
| mvn ${{ env.mvn_parameter }} versions:set -DnewVersion="$sem_ver" | |
| fi | |
| mvn ${{ env.mvn_parameter }} clean install | |
| VERSION=$(mvn org.apache.maven.plugins:maven-help-plugin:3.3.0:evaluate -Dexpression=project.version -q -DforceStdout) | |
| echo VERSION="$VERSION" >> $GITHUB_ENV | |
| - name: Static code analysis | |
| if: github.ref == 'refs/heads/main' && steps.semantic.outputs.new_release_version != null | |
| env: | |
| SONAR_TOKEN: ${{ secrets.SONARQUBE_ANALYSIS_TOKEN }} | |
| SONAR_HOST: ${{ secrets.SONARQUBE_HOST_URL }} | |
| PROJECT_KEY: technolinator:main | |
| run: | | |
| mvn ${{ env.mvn_parameter }} org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \ | |
| -Dsonar.host.url="$SONAR_HOST" \ | |
| -Dsonar.login="$SONAR_TOKEN" \ | |
| -Dsonar.projectKey="$PROJECT_KEY" \ | |
| -Dsonar.coverage.jacoco.xmlReportPaths=target/jacoco-report/jacoco.xml | |
| - name: Sanity versions | |
| env: | |
| GRYPE: ${{ env.GRYPE_VERSION }} | |
| SBOMQS: ${{ env.SBOMQS_VERSION }} | |
| run: | | |
| echo "Sanity provided versions for docker build" | |
| { | |
| echo "GRYPE_VERSION=${GRYPE#v}" | |
| echo "SBOMQS_VERSION=${SBOMQS#v}" | |
| } >> "$GITHUB_ENV" | |
| - name: Docker build | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: src/main/docker/Dockerfile | |
| tags: ${{ env.image_name }}:${{ env.VERSION }} | |
| load: true | |
| build-args: | | |
| CDXGEN_VERSION=${{ env.CDXGEN_VERSION }} | |
| CDXGEN_PLUGINS_VERSION=${{ env.CDXGEN_PLUGINS_VERSION }} | |
| GRYPE_VERSION=${{ env.GRYPE_VERSION }} | |
| SBOMQS_VERSION=${{ env.SBOMQS_VERSION }} | |
| NYDUS_VERSION=${{ env.NYDUS_VERSION }} | |
| DEPSCAN_VERSION=${{ env.DEPSCAN_VERSION }} | |
| - name: Container structure test and tagging | |
| run: | | |
| sudo curl -Lso /usr/local/bin/container-structure-test https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64 | |
| sudo chmod a+x /usr/local/bin/container-structure-test | |
| container-structure-test test --config src/test/docker/structure-test.yaml --image ${{ env.image_name }}:${{ env.VERSION }} | |
| # tag for tag image build | |
| docker tag ${{ env.image_name }}:${{ env.VERSION }} technolinator:regular | |
| - name: Docker fat image build | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: src/main/docker/Dockerfile.fat | |
| tags: ${{ env.image_name }}:fat-${{ env.VERSION }} | |
| load: true | |
| build-args: | | |
| SWIFT_VERSION=${{ env.SWIFT_VERSION }} | |
| - name: Container structure test of fat image | |
| run: | | |
| container-structure-test test --config src/test/docker/structure-test.yaml --image ${{ env.image_name }}:fat-${{ env.VERSION }} | |
| container-structure-test test --config src/test/docker/structure-test.fat.yaml --image ${{ env.image_name }}:fat-${{ env.VERSION }} | |
| - name: Login to GHCR | |
| uses: docker/login-action@v3 | |
| if: github.ref == 'refs/heads/main' && steps.semantic.outputs.new_release_version != null | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Docker push | |
| if: github.ref == 'refs/heads/main' && steps.semantic.outputs.new_release_version != null | |
| run: | | |
| # upload images | |
| docker push ${{ env.image_name }}:${{ env.VERSION }} | |
| docker push ${{ env.image_name }}:fat-${{ env.VERSION }} | |
| - name: Create and upload container SBOM | |
| if: github.ref == 'refs/heads/main' | |
| run: | | |
| cdxgen -t container \ | |
| --server-url ${{ secrets.DTRACK_URL }} \ | |
| --api-key ${{ secrets.DTRACK_APIKEY }} \ | |
| --project-name technolinator_container \ | |
| --project-version 1 \ | |
| "${{ env.image_name }}:${{ env.VERSION }}" | |
| - name: Create Release | |
| if: github.ref == 'refs/heads/main' && steps.semantic.outputs.new_release_version != null | |
| uses: cycjimmy/semantic-release-action@v4 | |
| with: | |
| semantic_version: ${{ env.semantic_version }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |