Skip to content
Java CI with Maven

Pathogen Test Form Refactor (Part 1) #17706

Sign in to view logs

Pathogen Test Form Refactor (Part 1)

Pathogen Test Form Refactor (Part 1) #17706

Workflow file for this run

.github/workflows/ci.yml at ff198ba
---
# This workflow will build a Java project with Maven
# For more information see:
# https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
name: Java CI with Maven
env:
JAVA: 17
PRIVILEGED_RUN: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/development') || github.event.pull_request.head.repo.full_name == github.repository }}
CODEQL_LANGUAGES: 'java'
on:
push:
branches: [ development, master, hotfix* ]
pull_request:
branches: [ development, hotfix* ]
workflow_dispatch: # run it manually from the GH Actions web console
inputs:
skip_tests:
description: 'Skip Maven tests during build'
required: false
default: false
type: boolean
schedule:
- cron: '35 1 * * 0'
jobs:
ci:
name: SORMAS CI
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout repository (with token)
# Check if PR results from the repository: if yes, we have access to the secrets.
# The token is only needed for privileged actions from within the repo, so no need
# to make it available on 3rd party PRs
if: ${{ fromJSON(env.PRIVILEGED_RUN) }}
uses: actions/checkout@v6
with:
token: ${{ secrets.MAVEN_ACTIONS_TOKEN }}
- name: Checkout repository (without token)
# Check if PR results from a fork: if yes, we cannot access the token.
# The token is only needed for privileged actions from within the
# repo, so no need to make it available on 3rd party PRs
if: ${{ !fromJSON(env.PRIVILEGED_RUN) }}
uses: actions/checkout@v6
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ env.CODEQL_LANGUAGES }}
- name: Set up JDK ${{ env.JAVA }}
uses: actions/setup-java@v5
with:
java-version: ${{ env.JAVA }}
distribution: 'zulu'
- name: Cache Maven packages
# Check if PR results from the repository: if yes, it is safe to cache dependencies.
# This is to keep us safe from cache poisoning through 3rd party PRs.
if: ${{ fromJSON(env.PRIVILEGED_RUN) }}
uses: actions/cache@v5
with:
path: ~/.m2
key: ${{ runner.os }}-java-${{ env.JAVA }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-java-${{ env.JAVA }}-m2
- name: Build with Maven
working-directory: ./sormas-base
run: |
MAVEN_OPTS="-B -ntp clean install"
if [ "${{ inputs.skip_tests }}" = "true" ]; then
MAVEN_OPTS="$MAVEN_OPTS -DskipTests"
fi
mvn $MAVEN_OPTS
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@0.35.0
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
scanners: 'vuln,secret,config'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'trivy-results.sarif'
# needed as codeQL also performs an upload, and they clash otherwise
category: 'code-scanning/trivy-repo'
- name: Commit openAPI spec to development
# Privileged action needing a secret token. Since this only runs on development in our own repo
# the token will be available through a privileged checkout.
if: github.event_name == 'push' && github.ref == 'refs/heads/development' && hashFiles('sormas-rest/target/swagger.yaml') != hashFiles('sormas-rest/swagger.yaml')
# https://stackoverflow.com/questions/59604922/authorize-bash-to-access-github-protected-branch
run: |
git config --global user.name "sormas-robot"
git config --global user.email "accounts@sormas.org"
mkdir /tmp/openapi
cp sormas-rest/target/swagger.* /tmp/openapi
git fetch
git checkout development
git pull
rm -f sormas-rest/swagger.*
cp /tmp/openapi/swagger.* sormas-rest/
git add sormas-rest/swagger.*
git commit -m "[GitHub Actions] Update openAPI spec files"
git push