diff --git a/.github/workflows/gradle-library-check.yml b/.github/workflows/gradle-library-check.yml index 185e6c2..5e1574d 100644 --- a/.github/workflows/gradle-library-check.yml +++ b/.github/workflows/gradle-library-check.yml @@ -22,6 +22,10 @@ on: description: Custom ref to check out type: string default: '' + skip-scan: + description: If security scan and associated tasks should be skipped (e.g. in case no Gradle lock files are configured to be generated) + type: boolean + default: false secrets: WETF_ARTIFACTORY_USER: WETF_ARTIFACTORY_PASSWORD: @@ -35,5 +39,6 @@ jobs: multi-module: ${{ inputs.multi-module }} expect-tests: ${{ inputs.expect-tests }} checkout-ref: ${{ inputs.checkout-ref }} + skip-scan: ${{ inputs.skip-scan }} notify-failure: false secrets: inherit diff --git a/.github/workflows/gradle-library-publish.yml b/.github/workflows/gradle-library-publish.yml index e400e53..d802f11 100644 --- a/.github/workflows/gradle-library-publish.yml +++ b/.github/workflows/gradle-library-publish.yml @@ -35,6 +35,10 @@ on: description: If semantic release should do a dryrun default: false type: boolean + skip-scan: + description: If security scan and associated tasks should be skipped (e.g. in case no Gradle lock files are configured to be generated) + type: boolean + default: false outputs: release-published: description: If a release was created @@ -59,6 +63,7 @@ jobs: multi-module: ${{ inputs.multi-module }} expect-tests: ${{ inputs.expect-tests }} checkout-ref: ${{ inputs.checkout-ref }} + skip-scan: ${{ inputs.skip-scan }} semantic-release: ${{ inputs.semantic-release }} semantic-release-dryrun: ${{ inputs.semantic-release-dryrun }} secrets: inherit diff --git a/.github/workflows/gradle-library.yml b/.github/workflows/gradle-library.yml index 3ffaac5..2bd0d5f 100644 --- a/.github/workflows/gradle-library.yml +++ b/.github/workflows/gradle-library.yml 
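Review bot: The description of the new `skip-scan` input in the `@@ -22,6 +22,10 @@` hunk of gradle-library-check.yml (and the identical text in the gradle-library-publish.yml and gradle-library.yml input hunks) understates what the flag does: reading the gradle-library.yml hunks, it switches off the `Vulnerability scan` step itself, not only the lockfile-writing steps, so a caller that sets it loses the security gate entirely. The wording should say that plainly, e.g. `description: Skip dependency lockfile generation AND the Trivy vulnerability scan entirely (only for builds without Gradle dependency locking, where there are no lock files to scan)`. The parenthetical about lock files presumably refers to Gradle's dependency locking not being enabled in the consuming build, which is worth spelling out rather than implying. Keeping the three descriptions identical is good; apply the same text in all three files.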
@@ -62,6 +62,10 @@ on: description: If this is a multi-module project type: boolean default: false + skip-scan: + description: If security scan and associated tasks should be skipped (e.g. in case no Gradle lock files are configured to be generated) + type: boolean + default: false checkout-ref: description: Custom ref to check out type: string @@ -118,6 +122,7 @@ jobs: uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3.5.0 - name: Write dependency lockfile for security scan + if: ${{ !inputs.skip-scan }} env: ORG_GRADLE_PROJECT_wetfArtifactoryUser: ${{ secrets.WETF_ARTIFACTORY_USER }} ORG_GRADLE_PROJECT_wetfArtifactoryPassword: ${{ secrets.WETF_ARTIFACTORY_PASSWORD }} @@ -125,7 +130,7 @@ jobs: run: ./gradlew dependencies --write-locks - name: Write dependency lockfile for security scan (submodules) - if: ${{ inputs.multi-module }} + if: ${{ !inputs.skip-scan && inputs.multi-module }} env: ORG_GRADLE_PROJECT_wetfArtifactoryUser: ${{ secrets.WETF_ARTIFACTORY_USER }} ORG_GRADLE_PROJECT_wetfArtifactoryPassword: ${{ secrets.WETF_ARTIFACTORY_PASSWORD }} @@ -139,7 +144,7 @@ jobs: for folder in $folders; do echo "Processing subproject: $folder" - ./gradlew ":${folder}:dependencies" --write-locks + ./gradlew ":${folder//\//:}:dependencies" --write-locks done - name: Run custom command 
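Review bot: In the `@@ -139,7 +144,7 @@` hunk of gradle-library.yml the new `${folder//\//:}` expansion maps a nested directory path to a Gradle project path, which is only right if every entry in `$folders` is a slash-separated relative path with no trailing slash; an entry such as `sub/` would expand to `:sub::dependencies`, a project path Gradle is unlikely to resolve, and the lockfile step for that subproject would fail. How `$folders` is built is outside the hunk, so this may already hold, but a guard is cheap: `folder="${folder%/}"` as the first line of the loop body. The loop also assumes the directory layout mirrors the Gradle project hierarchy (no renamed `projectDir`), which is worth stating in a comment on the `./gradlew` line, e.g. `# nested dir a/b -> Gradle path :a:b; assumes projectDir matches the folder name`. The enclosing step (`env:`, the shell preamble building `$folders`) starts outside the hunk.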
@@ -166,16 +171,18 @@ jobs: with: name: Gradle test reports retention-days: 7 - path: ${{ inputs.multi-module && '*/build/reports/tests' || 'build/reports/tests' }} + path: ${{ inputs.multi-module && '**/build/reports/tests' || 'build/reports/tests' }} # # Security scans # - name: Make sure test-results folder exists + if: ${{ !inputs.skip-scan }} run: mkdir -p ${{ inputs.multi-module && 'trivy-gha-scan/build/test-results' || 'build/test-results' }} - name: Vulnerability scan + if: ${{ !inputs.skip-scan }} uses: wetransform/gha-trivy@8915cc9f5106f6683462a6eec9d093649e50a345 # v2.1.0 with: junit-test-output: "${{ inputs.multi-module && 'trivy-gha-scan/build/test-results/trivy.xml' || 'build/test-results/trivy.xml' }}" # added to unit test report @@ -227,7 +234,7 @@ jobs: uses: mikepenz/action-junit-report@db71d41eb79864e25ab0337e395c352e84523afe # v4.3.1 if: always() # always run even if the previous step fails with: - report_paths: "${{ inputs.multi-module && '*/build/test-results/**/*.xml' || 'build/test-results/**/*.xml' }}" + report_paths: "${{ inputs.multi-module && '**/build/test-results/**/*.xml' || 'build/test-results/**/*.xml' }}" require_tests: ${{ !inputs.skip-build && inputs.expect-tests }} # Workaround for check that is additionally created being associated
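Review bot: With the new `if: ${{ !inputs.skip-scan }}` on the `Vulnerability scan` step in the `@@ -166,16 +171,18 @@` hunk, a caller that sets `skip-scan: true` gets a green run with no visible trace that the scan did not happen, because the only consumer of the scan output visible here is the junit report, which simply finds one file fewer. A skipped security control should be loud: add a step under the inverse condition, `- name: Report skipped security scan`, `if: ${{ inputs.skip-scan }}`, `run: echo "::warning::Vulnerability scan skipped via skip-scan input; this run has no dependency scan results"`, so the annotation shows on the run and on the PR check. The widened `**/build/reports/tests` glob here and `**/build/test-results/**/*.xml` in the `@@ -227,7 +234,7 @@` hunk would also match a `buildSrc/build/` directory or included-build output if the repository has one; that is probably intended for nested modules but deserves a short comment on the `path:` line, e.g. `# '**' so nested subprojects (a/b) are picked up, not only top-level ones`.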