support for nested subprojects and skipping security scans for Gradle libraries #47

Merged
merged 2 commits into from
Aug 20, 2024
5 changes: 5 additions & 0 deletions .github/workflows/gradle-library-check.yml
Expand Up @@ -22,6 +22,10 @@ on:
description: Custom ref to check out
type: string
default: ''
skip-scan:
description: If security scan and associated tasks should be skipped (e.g. in case no Gradle lock files are configured to be generated)
type: boolean
default: false
secrets:
WETF_ARTIFACTORY_USER:
WETF_ARTIFACTORY_PASSWORD:
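Review bot: the description of the new `skip-scan` input says when a caller might set it but not what it switches off; since the flag suppresses the Trivy vulnerability scan for the whole run (see the `Vulnerability scan` step in `gradle-library.yml` below), the description should state that plainly so callers know they are opting out of a security control, e.g. `description: Skip the Trivy vulnerability scan and the lock file generation it depends on (only for projects that cannot generate Gradle lock files)`. Defaulting to `false` is the right choice.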
Expand All @@ -35,5 +39,6 @@ jobs:
multi-module: ${{ inputs.multi-module }}
expect-tests: ${{ inputs.expect-tests }}
checkout-ref: ${{ inputs.checkout-ref }}
skip-scan: ${{ inputs.skip-scan }}
notify-failure: false
secrets: inherit
5 changes: 5 additions & 0 deletions .github/workflows/gradle-library-publish.yml
Expand Up @@ -35,6 +35,10 @@ on:
description: If semantic release should do a dryrun
default: false
type: boolean
skip-scan:
description: If security scan and associated tasks should be skipped (e.g. in case no Gradle lock files are configured to be generated)
type: boolean
default: false
outputs:
release-published:
description: If a release was created
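Review bot: in the publish workflow this flag disables the scan on the same run that creates a release (see the `release-published` output directly below), so the description should spell out that a release can be published without any vulnerability scan when `skip-scan` is true. The text is copied verbatim from `gradle-library-check.yml`; if it is reworded, keep the three copies in sync.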
Expand All @@ -59,6 +63,7 @@ jobs:
multi-module: ${{ inputs.multi-module }}
expect-tests: ${{ inputs.expect-tests }}
checkout-ref: ${{ inputs.checkout-ref }}
skip-scan: ${{ inputs.skip-scan }}
semantic-release: ${{ inputs.semantic-release }}
semantic-release-dryrun: ${{ inputs.semantic-release-dryrun }}
secrets: inherit
15 changes: 11 additions & 4 deletions .github/workflows/gradle-library.yml
Expand Up @@ -62,6 +62,10 @@ on:
description: If this is a multi-module project
type: boolean
default: false
skip-scan:
description: If security scan and associated tasks should be skipped (e.g. in case no Gradle lock files are configured to be generated)
type: boolean
default: false
checkout-ref:
description: Custom ref to check out
type: string
Expand Down Expand Up @@ -118,14 +122,15 @@ jobs:
uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3.5.0

- name: Write dependency lockfile for security scan
if: ${{ !inputs.skip-scan }}
env:
ORG_GRADLE_PROJECT_wetfArtifactoryUser: ${{ secrets.WETF_ARTIFACTORY_USER }}
ORG_GRADLE_PROJECT_wetfArtifactoryPassword: ${{ secrets.WETF_ARTIFACTORY_PASSWORD }}
JAVA_TOOL_OPTIONS: ${{ inputs.java-options }}
run: ./gradlew dependencies --write-locks

- name: Write dependency lockfile for security scan (submodules)
if: ${{ inputs.multi-module }}
if: ${{ !inputs.skip-scan && inputs.multi-module }}
env:
ORG_GRADLE_PROJECT_wetfArtifactoryUser: ${{ secrets.WETF_ARTIFACTORY_USER }}
ORG_GRADLE_PROJECT_wetfArtifactoryPassword: ${{ secrets.WETF_ARTIFACTORY_PASSWORD }}
Expand All @@ -139,7 +144,7 @@ jobs:
for folder in $folders; do
echo "Processing subproject: $folder"

./gradlew ":${folder}:dependencies" --write-locks
./gradlew ":${folder//\//:}:dependencies" --write-locks
done

- name: Run custom command
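Review bot: `${folder//\//:}` maps a nested directory path such as `a/b` to the Gradle project path `:a:b`, which is only correct when the project hierarchy mirrors the directory layout (the default `include` behaviour); a subproject with a custom `projectDir` in `settings.gradle` would get the wrong path. A trailing slash in `$folder` would also yield `:a:b::dependencies`, so strip it first, e.g. `folder="${folder%/}"` before the substitution, and add a comment documenting the directory-layout assumption. Where `$folders` comes from is outside this hunk, so that part cannot be checked here.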
Expand All @@ -166,16 +171,18 @@ jobs:
with:
name: Gradle test reports
retention-days: 7
path: ${{ inputs.multi-module && '*/build/reports/tests' || 'build/reports/tests' }}
path: ${{ inputs.multi-module && '**/build/reports/tests' || 'build/reports/tests' }}

#
# Security scans
#

- name: Make sure test-results folder exists
if: ${{ !inputs.skip-scan }}
run: mkdir -p ${{ inputs.multi-module && 'trivy-gha-scan/build/test-results' || 'build/test-results' }}

- name: Vulnerability scan
if: ${{ !inputs.skip-scan }}
uses: wetransform/gha-trivy@8915cc9f5106f6683462a6eec9d093649e50a345 # v2.1.0
with:
junit-test-output: "${{ inputs.multi-module && 'trivy-gha-scan/build/test-results/trivy.xml' || 'build/test-results/trivy.xml' }}" # added to unit test report
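Review bot: gating `Make sure test-results folder exists` and `Vulnerability scan` on `!inputs.skip-scan` is consistent with the lockfile steps, but nothing records that the scan was skipped, so a run with `skip-scan: true` is indistinguishable from a clean scan in the job summary. Suggest a small step guarded by `if: ${{ inputs.skip-scan }}` with `run: echo "::warning::Vulnerability scan skipped via skip-scan input"` so the omission shows up in the run annotations. The `*/` to `**/` change for `path:` matches the nested-subproject goal of the PR.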
Expand Down Expand Up @@ -227,7 +234,7 @@ jobs:
uses: mikepenz/action-junit-report@db71d41eb79864e25ab0337e395c352e84523afe # v4.3.1
if: always() # always run even if the previous step fails
with:
report_paths: "${{ inputs.multi-module && '*/build/test-results/**/*.xml' || 'build/test-results/**/*.xml' }}"
report_paths: "${{ inputs.multi-module && '**/build/test-results/**/*.xml' || 'build/test-results/**/*.xml' }}"
require_tests: ${{ !inputs.skip-build && inputs.expect-tests }}

# Workaround for check that is additionally created being associated
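Review bot: `**/build/test-results/**/*.xml` also matches the root-level `build/test-results` directory (`**/` matches zero or more directories), so the two branches of the ternary now differ only in whether nested directories are searched; that is fine, but a short comment on why the ternary is kept would help the next reader. In multi-module mode the pattern still picks up `trivy-gha-scan/build/test-results/trivy.xml` from the scan step above, which appears to be intended.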