chore(deps): update github/codeql-action action to v3.27.9 #970

Workflow file for this run

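name: Check
on:
  pull_request:
    branches:
      - '*' # Trigger on all branches for pull requests
  # also run workflow to refresh cache
  workflow_dispatch: {}
  schedule:
    # roughly every 6 days
    - cron: '0 0 2,6,10,16,22,28 * *'
# env:
#   # instead of embedded Maven use local Maven CLI
#   HALE_BUILD_MAVEN_EMBEDDED: 'false'

# This workflow runs on the plain `pull_request` event (not `pull_request_target`),
# so code from fork PRs is built with a read-only GITHUB_TOKEN. Keep it that way:
# the build steps below execute scripts from the PR head.
jobs:
  check:
    runs-on: ubuntu-latest
    # Least privilege: the only token use in this job is the checkout done by
    # setup-maven-action. With `annotate_only: true` the report step emits
    # workflow annotations and should not need `checks: write`; add it only if
    # that option is ever turned off.
    permissions:
      contents: read
    steps:
      - name: Setup Maven
        uses: s4u/setup-maven-action@9a27433d289dd99d73851f653607c39d3444e8ba # v1.17.0
        with:
          java-version: 17
          java-distribution: temurin
          maven-version: 3.9.6
      - name: Clean
        run: ./build.sh clean
        working-directory: ./build
      - name: Test
        run: ./build.sh commitStage
        working-directory: ./build
      - name: Publish Test Report
        uses: mikepenz/action-junit-report@992d97d6eb2e5f3de985fbf9df6a04386874114d # v5.1.0
        if: always() # always run even if the previous step fails
        with:
          # fail if there are no test results
          require_tests: true
          # Workaround for check that is additionally created being associated
          # to the wrong workflow/run. Instead no additional check is created.
          # See https://github.com/mikepenz/action-junit-report/issues/40
          annotate_only: true
          detailed_summary: true
          report_paths: 'build/target/testReports/*.xml'
          # TODO archive logs?
          # build/target/testReports/*.out,build/target/testReports/*.err
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write # Note: Write permissions cannot be granted from forks (only works for private repos requiring enabling a related setting)
    concurrency:
      group: artifacts-${{ github.ref }}
      cancel-in-progress: true
    steps:
      - name: Setup Maven
        uses: s4u/setup-maven-action@9a27433d289dd99d73851f653607c39d3444e8ba # v1.17.0
        with:
          java-version: 17
          java-distribution: temurin
          maven-version: 3.9.6
      - name: Install genisoimage # required for Mac build
        # Refresh the package index first; the runner image's index may be stale
        # and `install` alone then fails with a 404 for the package.
        run: |
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends genisoimage
      - name: Clean
        run: ./build.sh clean
        working-directory: ./build
      - name: Product
        run: |
          ./build.sh product --arch x86_64 --os linux HALE
          ./build.sh product --arch x86_64 --os windows HALE
          ./build.sh product --arch x86_64 --os macosx HALE
        working-directory: ./build
      - name: Upload hale studio build (Linux)
        id: upload-linux
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: hale studio (Linux)
          path: build/target/hale-studio-*linux*.tar.gz
          retention-days: 14
      - name: Upload hale studio build (Windows)
        id: upload-windows
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: hale studio (Windows)
          path: build/target/hale-studio-*win32*.zip
          retention-days: 14
      - name: Upload hale studio build (macos)
        id: upload-macos
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: hale studio (macos)
          path: build/target/hale-studio-*macosx*.dmg
          retention-days: 14
      # The two comment steps only make sense for a pull request and only when
      # the token has write access (i.e. not a fork PR). The job also runs on
      # `schedule` and `workflow_dispatch`, where `github.event.pull_request` is
      # null and the bare `!...fork` test would wrongly evaluate to true and run
      # the steps with an empty issue number.
      - name: Find artifact comment if it exists
        if: github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork
        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
        id: find-comment
        with:
          token: ${{ github.token }}
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: github-actions[bot]
          body-includes: "hale studio builds for this pull request:"
      - name: Comment with links to artifacts
        if: github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork
        id: comment-plan
        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
        with:
          token: ${{ github.token }}
          edit-mode: replace
          comment-id: ${{ steps.find-comment.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            hale studio builds for this pull request:
            - [Linux x64](${{ steps.upload-linux.outputs.artifact-url }})
            - [Windows x64](${{ steps.upload-windows.outputs.artifact-url }})
            - [macos x64](${{ steps.upload-macos.outputs.artifact-url }})
            Build triggered for commit *${{ github.sha }}*.
            Artifacts are retained for 14 days.
  trivy:
    needs: [build]
    runs-on: ubuntu-latest
    # upload-sarif needs `security-events: write` (plus `actions: read` on
    # private repositories). Declare it explicitly instead of inheriting the
    # repository default token scope. Note that on fork PRs the token is
    # read-only regardless, so the upload step cannot succeed there.
    permissions:
      contents: read
      actions: read
      security-events: write
    steps:
      - name: Download hale studio build (Linux)
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: hale studio (Linux)
      - name: Extract the archive file
        run: |
          mkdir -p hale-studio-linux-trivy
          tar -xzf hale-studio-*linux*.tar.gz -C hale-studio-linux-trivy
      - name: Run Trivy vulnerability scanner in rootfs mode
        # TODO(security): `@master` is a mutable ref, unlike every other action in
        # this file, which is pinned to a commit SHA. Pin this one to a SHA
        # (with a `# vX.Y.Z` comment) so a compromised or force-pushed upstream
        # branch cannot change what runs here.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'rootfs'
          scan-ref: 'hale-studio-linux-trivy'
          format: 'sarif'
          severity: 'CRITICAL,HIGH'
          output: 'trivy-results.sarif'
      - name: Upload Trivy SARIF report
        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
        with:
          sarif_file: trivy-results.sarif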