diff --git a/.github/workflows/first-interaction.yml b/.github/workflows/first-interaction.yaml
similarity index 96%
rename from .github/workflows/first-interaction.yml
rename to .github/workflows/first-interaction.yaml
index 3cd536195..538b88b78 100644
--- a/.github/workflows/first-interaction.yml
+++ b/.github/workflows/first-interaction.yaml
@@ -4,12 +4,15 @@ on:
pull_request_target:
types: [ opened ]
+permissions:
+ contents: read
+
jobs:
greeting:
# only on original eclipse-hawkbit/hawkbit repo
if: github.repository == 'eclipse-hawkbit/hawkbit'
runs-on: ubuntu-latest
-
+
steps:
- uses: actions/first-interaction@v1
with:
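Review bot: The new top-level `permissions: contents: read` leaves `actions/first-interaction@v1` without the scopes it needs to post its greeting, unless the `greeting` job declares its own `permissions` block further down (the step's `with:` block and the rest of the job are outside the hunk). On a `pull_request_target` run the token is then read-only, so the comment call fails with a 403 at runtime rather than at parse time. Keep the top-level block read-only and grant the write scopes on the job only: `permissions:` / `  issues: write` / `  pull-requests: write` under `greeting:`.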
diff --git a/.github/workflows/license-scan.yaml b/.github/workflows/license-scan.yaml
new file mode 100644
index 000000000..a828bcbcc
--- /dev/null
+++ b/.github/workflows/license-scan.yaml
@@ -0,0 +1,24 @@
+name: License Scan
+
+on:
+ # enable running the workflow manually
+ workflow_dispatch:
+ schedule:
+ # run every night at 2:00 AM (UTC)
+ - cron: '0 2 * * *'
+
+permissions:
+ contents: write
+
+jobs:
+ license-scan:
+ # only on original eclipse-hawkbit/hawkbit repo or when manually triggered
+ if: github.repository == 'eclipse-hawkbit/hawkbit' || github.event_name == 'workflow_dispatch'
+ uses: ./.github/workflows/reusable_workflow_license-scan.yaml
+ permissions:
+ contents: write
+ with:
+ ref: ${{ github.ref }}
+ open_tickets: true
+ secrets:
+ inherit: true
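Review bot: `secrets:` / `inherit: true` is not the inherit form GitHub accepts for a reusable-workflow call; a mapping under `secrets:` is a list of named secrets, so this passes a secret called `inherit` and `secrets.GITLAB_API_TOKEN` inside `reusable_workflow_license-scan.yaml` stays empty. The accepted spelling is the bare scalar `secrets: inherit`, or the explicit map `secrets:` / `  GITLAB_API_TOKEN: ${{ secrets.GITLAB_API_TOKEN }}`, which is the least-privilege option because it hands the callee only the one secret it uses. Since `workflow_dispatch` lets any collaborator with write access run this from a fork, the explicit form also makes it visible which secret leaves this workflow.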
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 000000000..d6e4474e9
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,118 @@
+name: Release
+
+on:
+ # enable running the workflow manually
+ workflow_dispatch:
+ inputs:
+ revision:
+ description: 'Release version'
+ default: '0-SNAPSHOT'
+ override_tag:
+ description: 'If to move the tag if already exists'
+ default: false
+ required: false
+ dry_run:
+ description: 'If to skip publishing the release to central repository'
+ default: false
+ required: false
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ audit:
+ # only on original eclipse-hawkbit/hawkbit repo
+ if: github.repository == 'eclipse-hawkbit/hawkbit'
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: "Release ${{ inputs.revision }}"
+ run: echo "Releasing ${{ inputs.revision }}"
+
+ # tag with release version if not already tagged
+ # if already tagged - it will release from there
+ tag:
+ # only on original eclipse-hawkbit/hawkbit repo and when release fixed version
+ if: github.repository == 'eclipse-hawkbit/hawkbit' && inputs.revision != '0-SNAPSHOT'
+ uses: ./.github/workflows/reusable_workflow_tag.yaml
+ permissions:
+ contents: write
+ with:
+ tag_name: ${{ inputs.revision }}
+ tag_message: "Release version ${{ inputs.revision }}"
+ override_tag: ${{ inputs.override_tag }}
+
+ license-scan:
+ # only on original eclipse-hawkbit/hawkbit repo
+ if: github.repository == 'eclipse-hawkbit/hawkbit'
+ uses: ./.github/workflows/reusable_license-scan.yaml
+ permissions:
+ contents: read
+ with:
+ ref: ${{ inputs.revision == '0-SNAPSHOT' && github.ref || inputs.revision }}
+
+ trivy-scan:
+ # only on original eclipse-hawkbit/hawkbit repo or when manually triggered
+ if: github.repository == 'eclipse-hawkbit/hawkbit'
+ uses: ./.github/workflows/reusable_workflow_trivy-scan.yaml
+ permissions:
+ contents: read
+ security-events: write
+ with:
+ ref: ${{ inputs.revision == '0-SNAPSHOT' && github.ref || inputs.revision }}
+ upload: true
+
+ deploy:
+ # only on original eclipse-hawkbit/hawkbit repo
+ if: github.repository == 'eclipse-hawkbit/hawkbit'
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: write
+
+ services:
+ rabbitmq:
+ image: rabbitmq:3-management-alpine
+ env:
+ RABBITMQ_DEFAULT_VHOST: /
+ RABBITMQ_DEFAULT_USER: guest
+ RABBITMQ_DEFAULT_PASS: guest
+ ports:
+ - 15672:15672
+ - 5672:5672
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.revision == '0-SNAPSHOT' && github.ref || inputs.revision }}
+
+ - name: Set up JDK & Maven Central credentials
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin'
+ java-version: 21
+ cache: 'maven'
+ server-id: central
+ server-username: MAVEN_USERNAME
+ server-password: MAVEN_PASSWORD
+ gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
+ gpg-passphrase: MAVEN_GPG_PASSPHRASE
+
+ - name: Cache local Maven repository
+ uses: actions/cache@v4
+ with:
+ path: ~/.m2/repository
+ key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+ restore-keys: |
+ ${{ runner.os }}-maven-
+
+ - name: Run build javadoc, verify (test)
+ run: mvn verify javadoc:jar -PgenerateTestReport -Drevision=${{ inputs.revision }} --batch-mode
+
+ - name: "Deploy ${{ inputs.revision }}"
+ run: mvn deploy -DskipTests -Ppublish -Drevision=${{ inputs.revision }} -DskipPublishing=${{ inputs.dry_run }} --batch-mode
+ env:
+ MAVEN_USERNAME: ${{ secrets.CENTRAL_SONATYPE_TOKEN_USERNAME }}
+ MAVEN_PASSWORD: ${{ secrets.CENTRAL_SONATYPE_TOKEN_PASSWORD }}
+ MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
\ No newline at end of file
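Review bot: `deploy` has no `needs:`, so it checks out and publishes `inputs.revision` in parallel with `tag`, `license-scan` and `trivy-scan` instead of after they pass — the scans do not gate the release, and for a fixed version the checkout at `ref: inputs.revision` can race the tag that `tag` is still creating. Add `needs: [tag, license-scan, trivy-scan]` to `deploy`, and because `tag` is skipped for `0-SNAPSHOT`, widen its condition to `if: github.repository == 'eclipse-hawkbit/hawkbit' && !cancelled() && !contains(needs.*.result, 'failure')` (without that, `deploy` is skipped whenever `tag` is). `license-scan` points at `./.github/workflows/reusable_license-scan.yaml`, which this commit does not create — the renamed file is `reusable_workflow_license-scan.yaml`. `override_tag` and `dry_run` carry `default: false` but no `type: boolean`, so they are string inputs, and passing them into the boolean `override_tag` of the reusable tag workflow is a type mismatch. Finally, `inputs.revision` and `inputs.dry_run` are interpolated straight into `run:` lines; the removed `release.yml` routed them through `env: REVISION:` and expanded `${REVISION}` in the shell, which keeps dispatch input out of script text and is the pattern worth keeping.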
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index b330fc164..000000000
--- a/.github/workflows/release.yml
+++ /dev/null
@@ -1,116 +0,0 @@
-name: Release
-
-on:
- # enable running the workflow manually
- workflow_dispatch:
- inputs:
- revision:
- description: 'Release version'
- default: '0-SNAPSHOT'
-
-jobs:
- release:
- # only on original eclipse-hawkbit/hawkbit repo
- if: github.repository == 'eclipse-hawkbit/hawkbit'
- runs-on: ubuntu-latest
-
- permissions:
- contents: write
-
- services:
- rabbitmq:
- image: rabbitmq:3-management-alpine
- env:
- RABBITMQ_DEFAULT_VHOST: /
- RABBITMQ_DEFAULT_USER: guest
- RABBITMQ_DEFAULT_PASS: guest
- ports:
- - 15672:15672
- - 5672:5672
-
- steps:
- - uses: actions/checkout@v4
-
- - name: "Release ${{ github.event.inputs.revision }}"
- run: echo "Releasing ${{ github.event.inputs.revision }}"
-
- - name: Set up JDK & Maven Central credentials
- uses: actions/setup-java@v4
- with:
- distribution: 'temurin'
- java-version: 21
- cache: 'maven'
- server-id: central
- server-username: MAVEN_USERNAME
- server-password: MAVEN_PASSWORD
- gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
- gpg-passphrase: MAVEN_GPG_PASSPHRASE
-
- - name: Cache local Maven repository
- uses: actions/cache@v4
- with:
- path: ~/.m2/repository
- key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
- restore-keys: |
- ${{ runner.os }}-maven-
-
- - name: Check file license headers
- run: mvn clean license:check -PcheckLicense --batch-mode
- - name: Check dependency licenses with dash tool
- run: |
- if [ "${REVISION}" = "0-SNAPSHOT" ]; then
- DASH_FAIL=false
- else
- DASH_FAIL=true
- fi
- mvn install -DskipTests -DskipJavadoc --batch-mode
- mvn license-tool:license-check -PcheckLicense -Ddash.fail=${DASH_FAIL} -Ddash.iplab.token=${GITLAB_API_TOKEN} --projects '!org.eclipse.hawkbit:hawkbit-repository-test,!org.eclipse.hawkbit:hawkbit-dmf-rabbitmq-test' --batch-mode
- CHANGED_FILES_COUNT=$(git status --short | wc -l)
- CHANGED_FILES_COUNT=${CHANGED_FILES_COUNT//[[:space:]]/}
- echo "Number of changed files: ${CHANGED_FILES_COUNT}"
- if [ "${CHANGED_FILES_COUNT}" -ne 0 ]; then
- if [ "${CHANGED_FILES_COUNT}" -eq 1 ]; then
- DEPENDENCY_FILE=".3rd-party/DEPENDENCIES"
- DEPENDENCIES_MODIFIED=$(git status --short | grep ".3rd-party/DEPENDENCIES")
- # Check if the file is modified
- if [[ -n "$DEPENDENCIES_MODIFIED" ]]; then
- echo "${DEPENDENCY_FILE} changed - commit it"
- git config --local user.name "github-actions[bot]"
- git config --local user.email "github-actions[bot]@users.noreply.github.com"
- git add ${DEPENDENCY_FILE} && git commit -m "[Release] Automated commit of ${DEPENDENCY_FILE} changes" && git push
- else
- echo "Unexpected changes:"
- git status --short
- exit 1
- fi
- else
- echo "More than one file has changed:"
- git status --short
- exit 1
- fi
- fi
- env:
- REVISION: ${{ github.event.inputs.revision }}
- GITLAB_API_TOKEN: ${{ secrets.GITLAB_API_TOKEN }}
-
- - name: Run build javadoc, verify (test)
- run: mvn verify javadoc:jar -PgenerateTestReport -Drevision=${REVISION} --batch-mode
- env:
- REVISION: ${{ github.event.inputs.revision }}
-
- - name: "Deploy ${{ github.event.inputs.revision }}"
- run: mvn deploy -DskipTests -Ppublish -Drevision=${REVISION} --batch-mode
- env:
- REVISION: ${{ github.event.inputs.revision }}
- MAVEN_USERNAME: ${{ secrets.CENTRAL_SONATYPE_TOKEN_USERNAME }}
- MAVEN_PASSWORD: ${{ secrets.CENTRAL_SONATYPE_TOKEN_PASSWORD }}
- MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- - name: Tag release
- run: |
- if [ "${REVISION}" != "0-SNAPSHOT" ]; then
- git config --local user.name "github-actions[bot]"
- git config --local user.email "github-actions[bot]@users.noreply.github.com"
- git tag -a ${REVISION} -m "Release version ${REVISION}" && git push origin ${REVISION}
- fi
- env:
- REVISION: ${{ github.event.inputs.revision }}
diff --git a/.github/workflows/release_docker.yml b/.github/workflows/release_docker.yaml
similarity index 85%
rename from .github/workflows/release_docker.yml
rename to .github/workflows/release_docker.yaml
index 8a36090f5..c96327def 100644
--- a/.github/workflows/release_docker.yml
+++ b/.github/workflows/release_docker.yaml
@@ -11,6 +11,9 @@ on:
description: 'Release version'
default: '0-SNAPSHOT'
+permissions:
+ contents: read
+
jobs:
release_docker:
# only on fork of eclipse-hawkbit/hawkbit repo - see the note above
@@ -20,8 +23,8 @@ jobs:
steps:
- uses: actions/checkout@v4
- - name: "Release ${{ github.event.inputs.revision }}"
- run: echo "Releasing ${{ github.event.inputs.revision }}"
+ - name: "Release ${{ inputs.revision }}"
+ run: echo "Releasing ${{ inputs.revision }}"
- name: Setup
run: |
@@ -45,9 +48,9 @@ jobs:
for APP in "${ALL_APPS[@]}"; do
if [ "${APP}" == "hawkbit-repository-jpa-init" ]; then
- DOCKER_FILE="Dockerfile_dbinit"
+ DOCKER_FILE="Dockerfile_dbinit"
else
- DOCKER_FILE="Dockerfile"
+ DOCKER_FILE="Dockerfile"
fi
echo "Build ${APP}, docker file : ${DOCKER_FILE}"
docker buildx build -t hawkbit/${APP}:${REVISION} --build-arg HAWKBIT_APP=${APP} --build-arg HAWKBIT_VERSION=${REVISION} -f ${DOCKER_FILE} .
@@ -61,14 +64,15 @@ jobs:
- name: Push Docker Images
run: |
- ALL_APPS=() # Initialize an empty
+ ALL_APPS=()
for APP in $(echo "${ALL_APPS_STRING}" | tr ',' '\n' | xargs); do
- ALL_APPS+=("${APP}") # Add trimmed app
+ ALL_APPS+=("${APP}") # trims chunk to fully qualified app name
done
for APP in "${ALL_APPS[@]}"; do
- echo "Deploy ${APP}"
+ echo "Deploying ${APP}..."
docker push hawkbit/${APP}:${REVISION}
docker tag hawkbit/${APP}:${REVISION} hawkbit/${APP}:latest
docker push hawkbit/${APP}:latest
- done
+ echo "${APP} deployed."
+ done
\ No newline at end of file
diff --git a/.github/workflows/release_tag.yaml b/.github/workflows/release_tag.yaml
new file mode 100644
index 000000000..7f282646f
--- /dev/null
+++ b/.github/workflows/release_tag.yaml
@@ -0,0 +1,39 @@
+name: Release Start
+
+on:
+ # enable running the workflow manually
+ workflow_dispatch:
+ inputs:
+ revision:
+ description: 'Release version'
+ default: '0-SNAPSHOT'
+ override_tag:
+ description: 'If to move the tag if already exists'
+ default: false
+ required: false
+
+permissions:
+ contents: write
+
+jobs:
+ audit:
+ # only on original eclipse-hawkbit/hawkbit repo
+ if: github.repository == 'eclipse-hawkbit/hawkbit'
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: "Release ${{ inputs.revision }}"
+ run: echo "Releasing ${{ inputs.revision }}"
+
+ # tag with release version if not already tagged
+ # if already tagged - it will release from there
+ tag:
+ # only on original eclipse-hawkbit/hawkbit repo and when release fixed version
+ if: github.repository == 'eclipse-hawkbit/hawkbit' && inputs.revision != '0-SNAPSHOT'
+ uses: ./.github/workflows/reusable_workflow_tag@${{ github.sha }}
+ permissions:
+ contents: write
+ with:
+ tag_name: ${{ inputs.revision }}
+ tag_message: "Release version ${{ inputs.revision }}"
+ override_tag: ${{ github.event.inputs.override_tag }}
\ No newline at end of file
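Review bot: `uses: ./.github/workflows/reusable_workflow_tag@${{ github.sha }}` is not a valid local reusable-workflow reference: a `./` path must be the full file path including the extension and takes no `@ref`, and `uses:` does not accept expressions, so the workflow fails to parse. It should read `uses: ./.github/workflows/reusable_workflow_tag.yaml`, as `release.yaml` in this same commit does. The `override_tag:` line mixes `github.event.inputs.override_tag` with the `inputs.*` form used elsewhere in the file; `override_tag: ${{ inputs.override_tag }}` keeps it consistent, and adding `type: boolean` to the dispatch input avoids passing a string where the callee declares a boolean. Top-level `contents: write` is also broader than needed, since `audit` only echoes and `tag` already requests write at job level; `contents: read` at the top suffices.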
diff --git a/.github/workflows/license-scan.yml b/.github/workflows/reusable_workflow_license-scan.yaml
similarity index 50%
rename from .github/workflows/license-scan.yml
rename to .github/workflows/reusable_workflow_license-scan.yaml
index 379b7778e..b324208f5 100644
--- a/.github/workflows/license-scan.yml
+++ b/.github/workflows/reusable_workflow_license-scan.yaml
@@ -1,23 +1,25 @@
-name: License Scan
+name: License Scan (Reusable Workflow)
on:
- # enable running the workflow manually
- workflow_dispatch:
- schedule:
- # run every night at 2:00 AM (UTC)
- - cron: '0 2 * * *'
+ workflow_call:
+ variables:
+ ref:
+ description: 'The branch, tag or SHA to checkout, e.g. master'
+ type: string
+ default: 'master'
+ open_tickets:
+ description: 'If to open tickets for license issues to Dash IP lab, e.g. true or false'
+ type: boolean
+ default: false
jobs:
- license-scan:
- # only on original eclipse-hawkbit/hawkbit repo or when manually triggered
- if: github.repository == 'eclipse-hawkbit/hawkbit' || github.event_name == 'workflow_dispatch'
+ reusable_workflow_license-scan:
runs-on: ubuntu-latest
- permissions:
- contents: write
-
steps:
- uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
- name: Set up JDK & Maven Central credentials
uses: actions/setup-java@v4
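Review bot: `workflow_call:` has no `variables:` key — inputs to a reusable workflow are declared under `inputs:` — so `ref` and `open_tickets` are undeclared here, the `with:` blocks in `license-scan.yaml` and `release.yaml` are rejected as unexpected inputs, and `${{ inputs.ref }}` on the checkout step would otherwise be empty. Replace `variables:` with `inputs:`; the same slip is in the `workflow_call` block of `reusable_workflow_trivy-scan.yaml` in this commit. Dropping the job-level `permissions: contents: write` is fine only because the callers grant it; a comment above `steps:` such as `# caller must grant contents: write when open_tickets is true (commits .3rd-party/DEPENDENCIES)` would record that contract where the next caller will see it.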
@@ -36,7 +38,9 @@ jobs:
- name: Check file license headers
run: mvn license:check -PcheckLicense --batch-mode
- - name: Check dependency licenses with dash tool
+
+ - name: Check dependency licenses with dash tool (and open issues to Dash IP lab, doesn't fail)
+ if: ${{ inputs.open_tickets == 'true' }}
run: |
mvn clean install -DskipTests -DskipJavadoc --batch-mode
mvn license-tool:license-check -Ddash.fail=false -PcheckLicense -Ddash.iplab.token=${GITLAB_API_TOKEN} --projects '!org.eclipse.hawkbit:hawkbit-repository-test,!org.eclipse.hawkbit:hawkbit-dmf-rabbitmq-test'
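Review bot: `if: ${{ inputs.open_tickets == 'true' }}` compares a boolean input with a string; GitHub coerces mixed-type operands to numbers (`true` becomes 1, `'true'` becomes NaN), so the comparison is never true and the step never runs even when the caller passes `open_tickets: true`. Write `if: ${{ inputs.open_tickets }}` instead. The step's body continues past the end of the hunk.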
@@ -45,26 +49,29 @@ jobs:
echo "Number of changed files: ${CHANGED_FILES_COUNT}"
if [ "${CHANGED_FILES_COUNT}" -ne 0 ]; then
if [ "${CHANGED_FILES_COUNT}" -eq 1 ]; then
- DEPENDENCY_FILE=".3rd-party/DEPENDENCIES"
- DEPENDENCIES_MODIFIED=$(git status --short | grep ".3rd-party/DEPENDENCIES")
- # Check if the file is modified
- if [[ -n "$DEPENDENCIES_MODIFIED" ]]; then
- echo "${DEPENDENCY_FILE} changed - commit it"
- git config --local user.name "github-actions[bot]"
- git config --local user.email "github-actions[bot]@users.noreply.github.com"
- git add ${DEPENDENCY_FILE} && git commit -m "[Release] Automated commit of ${DEPENDENCY_FILE} changes" && git push
- else
- echo "Unexpected changes:"
- git status --short
- exit 1
- fi
- else
- echo "More than one file has changed:"
+ DEPENDENCY_FILE=".3rd-party/DEPENDENCIES"
+ DEPENDENCIES_MODIFIED=$(git status --short | grep ".3rd-party/DEPENDENCIES")
+ # Check if the file is modified
+ if [[ -n "$DEPENDENCIES_MODIFIED" ]]; then
+ echo "${DEPENDENCY_FILE} changed - commit it"
+ git config --local user.name "github-actions[bot]"
+ git config --local user.email "github-actions[bot]@users.noreply.github.com"
+ git add ${DEPENDENCY_FILE} && git commit -m "[Release] Automated commit of ${DEPENDENCY_FILE} changes" && git push
+ else
+ echo "Unexpected changes:"
git status --short
exit 1
+ fi
+ else
+ echo "More than one file has changed:"
+ git status --short
+ exit 1
fi
fi
- # do dash.fail=true so if there are restricted dependencis the build will fail
+ # do dash.fail=true so if there are restricted dependencies the build will fail
mvn license-tool:license-check -Ddash.fail=true -PcheckLicense -Ddash.iplab.token=${GITLAB_API_TOKEN} --projects '!org.eclipse.hawkbit:hawkbit-repository-test,!org.eclipse.hawkbit:hawkbit-dmf-rabbitmq-test'
env:
GITLAB_API_TOKEN: ${{ secrets.GITLAB_API_TOKEN }}
+
+ - name: Check dependency licenses with dash tool (and return the result)
+ run: mvn license-tool:license-check -Ddash.fail=true -PcheckLicense --projects '!org.eclipse.hawkbit:hawkbit-repository-test,!org.eclipse.hawkbit:hawkbit-dmf-rabbitmq-test'
\ No newline at end of file
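Review bot: The new final step runs `license-tool:license-check` without `--batch-mode`, unlike every other Maven invocation in this file, and without a preceding `mvn install` — the install in the step above only happens when `open_tickets` is true, so with the default of false the check is run against whatever the Maven cache holds rather than the checked-out tree (inferred from the step order visible here). Add `--batch-mode` and move `mvn clean install -DskipTests -DskipJavadoc --batch-mode` into an unconditional step ahead of both checks. Separately, the `git push` in the ticket-opening branch pushes from whatever `inputs.ref` was checked out; if a caller ever passes a tag or SHA, the runner is on a detached HEAD with no upstream and the push fails, so that branch should either name its target explicitly or be limited to branch refs, and the `ref` description should say so.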
diff --git a/.github/workflows/reusable_workflow_tag.yaml b/.github/workflows/reusable_workflow_tag.yaml
new file mode 100644
index 000000000..d6ac9d81a
--- /dev/null
+++ b/.github/workflows/reusable_workflow_tag.yaml
@@ -0,0 +1,61 @@
+name: Tag
+
+on:
+ workflow_call:
+ inputs:
+ tag_name:
+ type: string
+ description: 'Tag name, e.g. 1.0.0'
+ required: true
+ tag_message:
+ type: string
+ description: ''
+ required: false
+ override_tag:
+ type: boolean
+ description: 'If to override the tag if already exists'
+ required: false
+ default: false
+
+jobs:
+ tag:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: write
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Tag release
+ run: |
+ git config --local user.name "github-actions[bot]"
+ git config --local user.email "github-actions[bot]@users.noreply.github.com"
+
+ if git rev-parse "${TAG_NAME}" >/dev/null 2>&1; then
+ echo "Creating a tag ${TAG_NAME} ..."
+ if [ -n "${TAG_MESSAGE}" ]; then
+ git tag -a ${TAG_NAME} -m "${TAG_MESSAGE}"
+ else
+ git tag -a ${TAG_NAME}
+ fi
+ git push origin ${TAG_NAME}
+ echo "Tag ${TAG_NAME} created."
+ else
+ if [ "${{ inputs.override_tag }}" == "true" ]; then
+ echo "Tag ${TAG_NAME} already exists, but override is set to true, so moving it ..."
+ git tag -d ${TAG_NAME}
+ if [ -n "${TAG_MESSAGE}" ]; then
+ git tag -a ${TAG_NAME} -m "${TAG_MESSAGE}"
+ else
+ git tag -a ${TAG_NAME}
+ fi
+ git push origin ${TAG_NAME}
+ echo "Tag ${TAG_NAME} moved."
+ else
+ echo "Tag ${TAG_NAME} already exists, do nothing."
+ fi
+ fi`
+ env:
+ TAG_NAME: ${{ inputs.tag_name }}
+ TAG_MESSAGE: ${{ inputs.tag_message }}
\ No newline at end of file
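Review bot: The tag-creation condition is inverted: `git rev-parse "${TAG_NAME}"` succeeds when the tag already exists, so the script tries to create an existing tag and treats a missing tag as "already exists", and the trailing backtick on the closing `fi` is a shell syntax error that aborts the step before any of that runs. Several more details in the same script: `git tag -a ${TAG_NAME}` without `-m` opens an editor and hangs the runner, moving a tag needs `git push --force` (the remote rejects a non-fast-forward tag update), `${{ inputs.override_tag }}` is interpolated into the script rather than read from `env:`, and the default `actions/checkout@v4` clone does not fetch tags, so `rev-parse` cannot see tags that exist only on the remote. The rewrite below addresses these; the `--force` push is the one place this job rewrites published history, so keep `override_tag` defaulting to false and treat a moved release tag as a deliberate, logged decision rather than the normal path.
```yaml
      - uses: actions/checkout@v4
        with:
          fetch-tags: true  # rev-parse below must see tags that exist only on the remote

      - name: Tag release
        run: |
          git config --local user.name "github-actions[bot]"
          git config --local user.email "github-actions[bot]@users.noreply.github.com"

          if git rev-parse --verify --quiet "refs/tags/${TAG_NAME}" >/dev/null; then
            if [ "${OVERRIDE_TAG}" = "true" ]; then
              echo "Tag ${TAG_NAME} already exists, but override is set to true, so moving it ..."
              git tag -d "${TAG_NAME}"
              git tag -a "${TAG_NAME}" -m "${TAG_MESSAGE:-Release ${TAG_NAME}}"
              git push --force origin "refs/tags/${TAG_NAME}"
              echo "Tag ${TAG_NAME} moved."
            else
              echo "Tag ${TAG_NAME} already exists, do nothing."
            fi
          else
            echo "Creating a tag ${TAG_NAME} ..."
            git tag -a "${TAG_NAME}" -m "${TAG_MESSAGE:-Release ${TAG_NAME}}"
            git push origin "refs/tags/${TAG_NAME}"
            echo "Tag ${TAG_NAME} created."
          fi
        env:
          TAG_NAME: ${{ inputs.tag_name }}
          TAG_MESSAGE: ${{ inputs.tag_message }}
          OVERRIDE_TAG: ${{ inputs.override_tag }}
```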
diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/reusable_workflow_trivy-scan.yaml
similarity index 61%
rename from .github/workflows/trivy-scan.yml
rename to .github/workflows/reusable_workflow_trivy-scan.yaml
index d3d4437a1..7d2fc17f0 100644
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/reusable_workflow_trivy-scan.yaml
@@ -1,16 +1,19 @@
-name: Vulnerability Scan
+name: Trivy Scan (Reusable Workflow)
on:
- # enable running the workflow manually
- workflow_dispatch:
- schedule:
- # run every night at 4:00 AM (UTC)
- - cron: '0 4 * * *'
+ workflow_call:
+ variables:
+ ref:
+ description: 'The branch, tag or SHA to checkout, e.g. master'
+ type: string
+ default: 'master'
+ upload:
+ description: 'If to upload the scan results, e.g. true or false'
+ type: boolean
+ default: false
jobs:
trivy-scan:
- # only on original eclipse-hawkbit/hawkbit repo or when manually triggered
- if: github.repository == 'eclipse-hawkbit/hawkbit' || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
permissions:
@@ -21,6 +24,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
- name: Set up JDK
uses: actions/setup-java@v4
@@ -31,7 +36,7 @@ jobs:
- name: Create hawkBit container images
run: |
- mvn clean install -DskipTests && \
+ mvn clean install -DskipTests -DskipJavadoc && \
cd docker/build && \
chmod +x build_dev.sh && \
./build_dev.sh && \
@@ -51,32 +56,53 @@ jobs:
mkdir -p scans/eclipse-hawkbit/hawkbit
for IMAGE in $(docker image ls --format "{{.Repository}}:{{.Tag}}" "hawkbit/hawkbit-*:latest"); do
echo "Scanning image ${IMAGE} ..."
- ./trivy image "${IMAGE}" --ignore-unfixed --ignorefile .github/workflows/.trivyignore --severity HIGH,CRITICAL --vuln-type library --output "scans/eclipse-hawkbit/$IMAGE.sarif" --format sarif
+ ./trivy image "${IMAGE}" --ignore-unfixed --ignorefile .github/workflows/.trivyignore --severity HIGH,CRITICAL --vuln-type library --output "scans/eclipse-hawkbit/${IMAGE}.sarif" --format sarif
done
- - name: Upload Docker image scan results to GitHub Security tab hawkbit-ddi-server
+ - name: Check if to upload scan results
+ run: |
+ if [ "${{ inputs.upload }}" = "true" ]; then
+ echo "Uploading scan results..."
+ else
+ echo "Skipping upload of scan results."
+ exit 0
+ fi
+
+ - name: Upload Docker image scan results to GitHub Security tab hawkbit-ddi-server (hawkbit-ddi-server)
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-ddi-server:latest.sarif'
category: "Container Images (hawkbit-ddi-server)"
- - name: Upload Docker image scan results to GitHub Security tab hawkbit-dmf-server
+ - name: Upload Docker image scan results to GitHub Security tab hawkbit-dmf-server (hawkbit-dmf-server)
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-dmf-server:latest.sarif'
category: "Container Images (hawkbit-dmf-server)"
- - name: Upload Docker image scan results to GitHub Security tab hawkbit-mgmt-server
+ - name: Upload Docker image scan results to GitHub Security tab hawkbit-mgmt-server (hawkbit-mgmt-server)
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-mgmt-server:latest.sarif'
category: "Container Images (hawkbit-mgmt-server)"
- - name: Upload Docker image scan results to GitHub Security tab hawkbit-simple-ui
+ - name: Upload Docker image scan results to GitHub Security tab hawkbit-simple-ui (hawkbit-simple-ui)
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-simple-ui:latest.sarif'
category: "Container Images (hawkbit-simple-ui)"
- - name: Upload Docker image scan results to GitHub Security tab
+ - name: Upload Docker image scan results to GitHub Security tab (hawkbit-update-server)
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-update-server:latest.sarif'
- category: "Container Images (hawkbit-update-server)"
\ No newline at end of file
+ category: "Container Images (hawkbit-update-server)"
+
+ - name: Upload Docker image scan results to GitHub Security tab (hawkbit-repository-jpa-init)
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-repository-jpa-init:latest.sarif'
+ category: "Container Images (hawkbit-update-server)"
+
+ - name: Upload Docker image scan results to GitHub Security tab (hawkbit-repository-jpa-init)
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-repository-jpa-init:latest.sarif'
+ category: "Container Images (hawkbit-repository-jpa-init)"
\ No newline at end of file
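Review bot: The "Check if to upload scan results" step cannot skip the steps after it — `exit 0` ends only that step — so all six `upload-sarif` steps still run when `upload` is false, writing to the Security tab on every call. Each upload step needs its own `if: ${{ inputs.upload }}`, after which the check step can be dropped together with its `${{ inputs.upload }}` interpolated into `run:`. The first `hawkbit-repository-jpa-init` step is a copy-paste leftover: it uploads the jpa-init SARIF under `category: "Container Images (hawkbit-update-server)"`, which replaces the genuine update-server results in that category; delete it and keep the second one.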
diff --git a/.github/workflows/verify.yml b/.github/workflows/reusable_workflow_verify.yaml
similarity index 67%
rename from .github/workflows/verify.yml
rename to .github/workflows/reusable_workflow_verify.yaml
index ebd95c671..082289374 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/reusable_workflow_verify.yaml
@@ -1,21 +1,19 @@
-name: Verify
+name: Verify (Reusable Workflow)
on:
- push:
- branches:
- - master
- paths-ignore:
- - '.3rd-party/**'
- - 'site/**'
- - '**.md'
- pull_request:
- paths-ignore:
- - '.3rd-party/**'
- - 'site/**'
- - '**.md'
+ workflow_call:
+ inputs:
+ ref:
+ description: 'The branch, tag or SHA to checkout, e.g. master'
+ type: string
+ default: 'master'
+ maven_properties:
+ type: string
+ default: ''
+ description: 'Properties to pass to Maven command line, e.g. -Djpa.vendor=hibernate'
jobs:
- verify:
+ reusable_workflow_verify:
runs-on: ubuntu-latest
services:
@@ -31,6 +29,8 @@ jobs:
steps:
- uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
- name: Set up JDK
uses: actions/setup-java@v4
@@ -51,4 +51,4 @@ jobs:
run: mvn license:check -PcheckLicense --batch-mode
- name: Run tests & javadoc
- run: mvn clean verify javadoc:javadoc -PgenerateTestReport --batch-mode
\ No newline at end of file
+ run: mvn clean verify javadoc:javadoc -PgenerateTestReport ${{ inputs.maven_properties }} --batch-mode
\ No newline at end of file
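Review bot: `${{ inputs.maven_properties }}` is expanded by the runner directly into the `run:` command line, so whatever string a caller passes becomes shell text; today the callers are two local workflows with fixed literals, but a reusable workflow is an interface and this is the classic expression-injection shape. Pass it through the environment instead: `env:` / `  MAVEN_PROPERTIES: ${{ inputs.maven_properties }}` on the step and `run: mvn clean verify javadoc:javadoc -PgenerateTestReport ${MAVEN_PROPERTIES} --batch-mode`, leaving the expansion unquoted on purpose because the value is a list of `-D` flags — worth stating in the input's description.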
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yaml
similarity index 100%
rename from .github/workflows/stale.yml
rename to .github/workflows/stale.yaml
diff --git a/.github/workflows/verify-hibernate.yaml b/.github/workflows/verify-hibernate.yaml
new file mode 100644
index 000000000..c596e9daa
--- /dev/null
+++ b/.github/workflows/verify-hibernate.yaml
@@ -0,0 +1,26 @@
+name: Verify (Hibernate)
+
+on:
+ push:
+ branches:
+ - master
+ paths-ignore:
+ - '.3rd-party/**'
+ - 'site/**'
+ - '**.md'
+ pull_request:
+ paths-ignore:
+ - '.3rd-party/**'
+ - 'site/**'
+ - '**.md'
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ verify-hibernate:
+ uses: ./.github/workflows/reusable_workflow_verify.yaml
+ with:
+ ref: ${{ github.event_name == 'push' && github.ref || github.event_name == 'pull_request' && github.event.pull_request.head.ref || github.event_name == 'workflow_dispatch' && github.ref }}
+ maven_properties: '-Djpa.vendor=hibernate -Dlogging.level.org.hibernate.collection.spi.AbstractPersistentCollection=ERROR'
\ No newline at end of file
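Review bot: On `pull_request` the `ref:` expression resolves to `github.event.pull_request.head.ref`, a branch name that for a fork PR exists only in the fork, so `actions/checkout` in the reusable workflow fails to find it in this repository; for same-repo PRs it checks out the branch tip rather than the `refs/pull/N/merge` commit the removed `verify-hibernate.yml` tested with its bare checkout. Either pass `github.event.pull_request.head.sha`, which is fetchable for forks too, or let the PR case fall through to the checkout default, e.g. `ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.ref }}`, and state in the reusable workflow's `ref` description which form is expected. `verify.yaml` in this commit carries the identical expression.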
diff --git a/.github/workflows/verify-hibernate.yml b/.github/workflows/verify-hibernate.yml
deleted file mode 100644
index 3a97485f8..000000000
--- a/.github/workflows/verify-hibernate.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-name: Verify (Hibernate)
-
-on:
- push:
- branches:
- - master
- paths-ignore:
- - '.3rd-party/**'
- - 'site/**'
- - '**.md'
- pull_request:
- paths-ignore:
- - '.3rd-party/**'
- - 'site/**'
- - '**.md'
-
-jobs:
- verify-hibernate:
- runs-on: ubuntu-latest
-
- services:
- rabbitmq:
- image: rabbitmq:3-management-alpine
- env:
- RABBITMQ_DEFAULT_VHOST: /
- RABBITMQ_DEFAULT_USER: guest
- RABBITMQ_DEFAULT_PASS: guest
- ports:
- - 15672:15672
- - 5672:5672
-
- steps:
- - uses: actions/checkout@v4
-
- - name: Set up JDK
- uses: actions/setup-java@v4
- with:
- distribution: 'temurin'
- java-version: 21
- cache: 'maven'
-
- - name: Cache local Maven repository
- uses: actions/cache@v4
- with:
- path: ~/.m2/repository
- key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
- restore-keys: |
- ${{ runner.os }}-maven-
-
- - name: Check file license headers
- run: mvn license:check -PcheckLicense --batch-mode
-
- - name: Run tests & javadoc
- run: mvn clean verify javadoc:javadoc --batch-mode -Djpa.vendor=hibernate -Dlogging.level.org.hibernate.collection.spi.AbstractPersistentCollection=ERROR
\ No newline at end of file
diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml
new file mode 100644
index 000000000..defd11679
--- /dev/null
+++ b/.github/workflows/verify.yaml
@@ -0,0 +1,25 @@
+name: Verify
+
+on:
+ push:
+ branches:
+ - master
+ paths-ignore:
+ - '.3rd-party/**'
+ - 'site/**'
+ - '**.md'
+ pull_request:
+ paths-ignore:
+ - '.3rd-party/**'
+ - 'site/**'
+ - '**.md'
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ verify:
+ uses: ./.github/workflows/reusable_workflow_verify.yaml
+ with:
+ ref: ${{ github.event_name == 'push' && github.ref || github.event_name == 'pull_request' && github.event.pull_request.head.ref || github.event_name == 'workflow_dispatch' && github.ref }}
\ No newline at end of file
diff --git a/.github/workflows/vulnerability-scan.yaml b/.github/workflows/vulnerability-scan.yaml
new file mode 100644
index 000000000..fe5328b7f
--- /dev/null
+++ b/.github/workflows/vulnerability-scan.yaml
@@ -0,0 +1,24 @@
+name: Vulnerability Scan
+
+on:
+ # enable running the workflow manually
+ workflow_dispatch:
+ schedule:
+ # run every night at 4:00 AM (UTC)
+ - cron: '0 4 * * *'
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ trivy-scan:
+ # only on original eclipse-hawkbit/hawkbit repo or when manually triggered
+ if: github.repository == 'eclipse-hawkbit/hawkbit' || github.event_name == 'workflow_dispatch'
+ uses: ./.github/workflows/reusable_workflow_trivy-scan.yaml
+ permissions:
+ contents: read
+ security-events: write
+ with:
+ ref: ${{ github.ref }}
+ upload: ${{ github.ref == 'refs/heads/master' }}
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 6111789a5..c0bacb35f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -129,6 +129,8 @@
${project.build.directory}/.3rd-party/DEPENDENCIES_REVIEW
org.eclipse,org.junit
+
+ false
@@ -670,6 +672,7 @@
central
true
published
+ ${skipPublishing}