[WOR-1334]: Bump com.github.spotbugs.snom:spotbugs-gradle-plugin (#317) #1290
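---
# CI workflow: a bump-check gate, a build job that publishes the SpotBugs SARIF
# report, a test + SonarQube job backed by a Postgres service container and an
# Azure OIDC login, and a (currently disabled) jib image build + Trivy scan.
#
# Changes versus the previous revision of this file:
#   * github/codeql-action/upload-sarif is pinned to a release tag instead of
#     the mutable `main` branch, so the SARIF uploader cannot change under us
#     between runs (supply-chain hygiene; the action receives GITHUB_TOKEN).
#   * Each job declares least-privilege `permissions`. The SARIF upload needs
#     `security-events: write`; nothing else here needs more than
#     `contents: read` plus, for the Azure federated login, `id-token: write`.
#   * actions/checkout and actions/setup-java use the same major (v3) in every
#     job; the jib job already did.
#   * The Postgres port mapping is quoted so it is always read as a string.
name: Build and Test

on:
  push:
    branches:
      - main
    paths-ignore:
      - '*.md'
      - '.github/**'
  pull_request:
    branches: [ '**' ]
    # There is an issue with GitHub required checks and paths-ignore. We don't really need to
    # run the tests if there are only irrelevant changes (see paths-ignore above). However,
    # we require tests to pass by making a "required check" rule on the branch. If the action
    # is not triggered, the required check never passes and you are stuck. Therefore, we have
    # to run tests even when we only change a markdown file. So don't do what I did and put a
    # paths-ignore right here!
  workflow_dispatch: {}

jobs:
  # Decides whether this run is a version-bump merge; downstream jobs read
  # `is-bump` and only run when it is 'no'.
  bump-check:
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'
    outputs:
      is-bump: ${{ steps.skiptest.outputs.is-bump }}
    steps:
      - uses: actions/checkout@v3
      - name: Skip version bump merges
        id: skiptest
        uses: ./.github/actions/bump-skip
        with:
          event-name: ${{ github.event_name }}

  # Compiles everything (tests excluded) and uploads the SpotBugs SARIF report
  # to code scanning.
  build:
    needs: [ bump-check ]
    runs-on: ubuntu-latest
    if: needs.bump-check.outputs.is-bump == 'no'
    permissions:
      contents: 'read'
      # Required by upload-sarif to write code-scanning alerts.
      security-events: 'write'
    steps:
      - uses: actions/checkout@v3
      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Setup Gradle
        uses: gradle/gradle-build-action@v2
      - name: Build the test harness and, by dependency, the library
        run: ./gradlew --build-cache build -x test
      - name: Upload spotbugs results
        # Pinned to a release major rather than `main`: a branch ref resolves to
        # whatever is at its tip at run time, so the uploader could silently
        # change between runs.
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: library/build/reports/spotbugs/main.sarif

  # Runs unit, harness and integration tests against a Postgres service
  # container, then the SonarQube scan so coverage from those tests is included.
  tests-and-sonarqube:
    needs: [ bump-check, build ]
    runs-on: ubuntu-latest
    if: needs.bump-check.outputs.is-bump == 'no'
    permissions:
      contents: 'read'
      # Needed for the federated (OIDC) Azure login below.
      id-token: 'write'
    services:
      postgres:
        image: postgres:13.1
        env:
          # Throwaway credential for the ephemeral service container only.
          POSTGRES_PASSWORD: postgres
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          # Quoted so the host:container mapping is always parsed as a string.
          - '5432:5432'
    steps:
      - uses: actions/checkout@v3
        # Needed by sonar to get the git history for the branch the PR will be merged into.
        with:
          fetch-depth: 0
      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Initialize the database
        env:
          PGPASSWORD: postgres
        run: |
          psql -h localhost -U postgres -f ./scripts/postgres-init.sql
      - name: Setup Gradle
        uses: gradle/gradle-build-action@v2
      # use a federated credential to connect w/azure
      - name: Azure CLI login
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.LANDINGZONE_TESTING_PUBLISHER_CLIENT_ID }}
          tenant-id: ${{ secrets.LANDINGZONE_TESTING_PUBLISHER_TENANT_ID }}
          # Subscription id is an identifier, not a credential; access is
          # governed by the federated identity above.
          subscription-id: f557c728-871d-408c-a28b-eb6b2141a087
      # Run tests
      - name: Test Library and Library with coverage
        run: ./gradlew --build-cache library:test --scan
      - name: Test Harness Tests with coverage
        run: ./gradlew --build-cache testharness:test --scan
      - name: Integration Test with coverage
        run: ./gradlew --build-cache library:integration --scan
      - name: Upload Test Harness Test Reports
        uses: actions/upload-artifact@v1
        if: always()
        with:
          name: Test Harness Reports
          path: testharness/build/reports/tests
      - name: Upload Library Test Reports
        uses: actions/upload-artifact@v1
        if: always()
        with:
          name: Test Reports
          path: library/build/reports/tests
      # The SonarQube scan is done here, so it can upload the coverage report generated by the tests.
      - name: SonarQube scan
        run: ./gradlew --build-cache sonarqube
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Always drop the Azure session, even if a test step failed, so no
      # credential material lingers on the runner.
      - name: Azure logout
        uses: azure/CLI@v1
        if: always()
        with:
          inlineScript: |
            az logout
            az cache purge
            az account clear

  # Builds the service image with jib and scans it with Trivy.
  jib:
    #disable until we need it
    if: false
    needs: [ build ]
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'
    steps:
      - uses: actions/checkout@v3
      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: 'gradle'
      - name: Construct docker image name and tag
        id: image-name
        run: |
          GITHUB_REPO=$(basename ${{ github.repository }})
          GIT_SHORT_HASH=$(git rev-parse --short HEAD)
          echo "name=${GITHUB_REPO}:${GIT_SHORT_HASH}" >> $GITHUB_OUTPUT
      - name: Build image locally with jib
        run: |
          ./gradlew --build-cache :service:jibDockerBuild \
            --image=${{ steps.image-name.outputs.name }} \
            -Djib.console=plain
      - name: Run Trivy vulnerability scanner
        uses: broadinstitute/dsp-appsec-trivy-action@v1
        with:
          image: ${{ steps.image-name.outputs.name }}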