feat(gradle-library): support skipping security scan
stempler committed Aug 20, 2024
1 parent be1659a commit 4586a5d
Showing 3 changed files with 18 additions and 1 deletion.
5 changes: 5 additions & 0 deletions .github/workflows/gradle-library-check.yml
Expand Up @@ -22,6 +22,10 @@ on:
description: Custom ref to check out
type: string
default: ''
skip-scan:
description: If security scan and associated tasks should be skipped (e.g. in case no Gradle lock files are configured to be generated)
type: boolean
default: false
secrets:
WETF_ARTIFACTORY_USER:
WETF_ARTIFACTORY_PASSWORD:
Expand All @@ -35,5 +39,6 @@ jobs:
multi-module: ${{ inputs.multi-module }}
expect-tests: ${{ inputs.expect-tests }}
checkout-ref: ${{ inputs.checkout-ref }}
skip-scan: ${{ inputs.skip-scan }}
notify-failure: false
secrets: inherit
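Review bot: The description on the new `skip-scan` input is ambiguous — "associated tasks" does not say what is skipped, and the parenthetical gives a reason without saying why lock files matter; the identical text is repeated in gradle-library-publish.yml and gradle-library.yml, where the same wording fix applies. The steps actually guarded by the flag are only visible in gradle-library.yml, so a caller of this wrapper cannot infer them from here. I would write `description: Skip the vulnerability scan together with the lockfile and test-results steps that exist only for it (e.g. when the project has no Gradle dependency locking configured)`. The forwarding of `${{ inputs.skip-scan }}` itself is fine, since the input defaults to false at every layer.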
5 changes: 5 additions & 0 deletions .github/workflows/gradle-library-publish.yml
Expand Up @@ -35,6 +35,10 @@ on:
description: If semantic release should do a dryrun
default: false
type: boolean
skip-scan:
description: If security scan and associated tasks should be skipped (e.g. in case no Gradle lock files are configured to be generated)
type: boolean
default: false
outputs:
release-published:
description: If a release was created
Expand All @@ -59,6 +63,7 @@ jobs:
multi-module: ${{ inputs.multi-module }}
expect-tests: ${{ inputs.expect-tests }}
checkout-ref: ${{ inputs.checkout-ref }}
skip-scan: ${{ inputs.skip-scan }}
semantic-release: ${{ inputs.semantic-release }}
semantic-release-dryrun: ${{ inputs.semantic-release-dryrun }}
secrets: inherit
9 changes: 8 additions & 1 deletion .github/workflows/gradle-library.yml
Expand Up @@ -62,6 +62,10 @@ on:
description: If this is a multi-module project
type: boolean
default: false
skip-scan:
description: If security scan and associated tasks should be skipped (e.g. in case no Gradle lock files are configured to be generated)
type: boolean
default: false
checkout-ref:
description: Custom ref to check out
type: string
Expand Down Expand Up @@ -118,14 +122,15 @@ jobs:
uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3.5.0

- name: Write dependency lockfile for security scan
if: ${{ !inputs.skip-scan }}
env:
ORG_GRADLE_PROJECT_wetfArtifactoryUser: ${{ secrets.WETF_ARTIFACTORY_USER }}
ORG_GRADLE_PROJECT_wetfArtifactoryPassword: ${{ secrets.WETF_ARTIFACTORY_PASSWORD }}
JAVA_TOOL_OPTIONS: ${{ inputs.java-options }}
run: ./gradlew dependencies --write-locks

- name: Write dependency lockfile for security scan (submodules)
if: ${{ inputs.multi-module }}
if: ${{ !inputs.skip-scan && inputs.multi-module }}
env:
ORG_GRADLE_PROJECT_wetfArtifactoryUser: ${{ secrets.WETF_ARTIFACTORY_USER }}
ORG_GRADLE_PROJECT_wetfArtifactoryPassword: ${{ secrets.WETF_ARTIFACTORY_PASSWORD }}
Expand Down Expand Up @@ -173,9 +178,11 @@ jobs:
#

- name: Make sure test-results folder exists
if: ${{ !inputs.skip-scan }}
run: mkdir -p ${{ inputs.multi-module && 'trivy-gha-scan/build/test-results' || 'build/test-results' }}

- name: Vulnerability scan
if: ${{ !inputs.skip-scan }}
uses: wetransform/gha-trivy@8915cc9f5106f6683462a6eec9d093649e50a345 # v2.1.0
with:
junit-test-output: "${{ inputs.multi-module && 'trivy-gha-scan/build/test-results/trivy.xml' || 'build/test-results/trivy.xml' }}" # added to unit test report
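Review bot: When `skip-scan` is true the four guarded steps are skipped silently and nothing in the job output records that the build was never scanned, so a green run with the scan bypassed is indistinguishable from one that passed it. A small step after "Vulnerability scan" would make the gap visible in the run log and annotations: `- name: Note skipped security scan`, `if: ${{ inputs.skip-scan }}`, `run: echo "::warning::Vulnerability scan skipped (skip-scan input set)"`. Whatever later consumes `trivy.xml` from the test-results folder lies outside the hunk, so I cannot tell from here whether a report step still expects that file when the scan is skipped; worth checking. The job containing these steps starts before the hunk.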