From a35201ac1cfeff55b64b40770a3f9e9010eca53c Mon Sep 17 00:00:00 2001 From: Avgustin Marinov Date: Fri, 27 Jun 2025 10:51:20 +0300 Subject: [PATCH] Refactor workflows - user reusable workflows (#2504) 
Signed-off-by: Avgustin Marinov --- ...interaction.yml => first-interaction.yaml} | 5 +- .github/workflows/license-scan.yaml | 24 ++++ .github/workflows/release.yaml | 118 ++++++++++++++++++ .github/workflows/release.yml | 116 ----------------- ...release_docker.yml => release_docker.yaml} | 20 +-- .github/workflows/release_tag.yaml | 39 ++++++ ...ml => reusable_workflow_license-scan.yaml} | 65 +++++----- .github/workflows/reusable_workflow_tag.yaml | 61 +++++++++ ....yml => reusable_workflow_trivy-scan.yaml} | 58 ++++++--- ...rify.yml => reusable_workflow_verify.yaml} | 30 ++--- .github/workflows/{stale.yml => stale.yaml} | 0 .github/workflows/verify-hibernate.yaml | 26 ++++ .github/workflows/verify-hibernate.yml | 54 -------- .github/workflows/verify.yaml | 25 ++++ .github/workflows/vulnerability-scan.yaml | 24 ++++ pom.xml | 3 + 16 files changed, 429 insertions(+), 239 deletions(-) rename .github/workflows/{first-interaction.yml => first-interaction.yaml} (96%) create mode 100644 .github/workflows/license-scan.yaml create mode 100644 .github/workflows/release.yaml delete mode 100644 .github/workflows/release.yml rename .github/workflows/{release_docker.yml => release_docker.yaml} (85%) create mode 100644 .github/workflows/release_tag.yaml rename .github/workflows/{license-scan.yml => reusable_workflow_license-scan.yaml} (50%) create mode 100644 .github/workflows/reusable_workflow_tag.yaml rename .github/workflows/{trivy-scan.yml => reusable_workflow_trivy-scan.yaml} (61%) rename .github/workflows/{verify.yml => reusable_workflow_verify.yaml} (67%) rename .github/workflows/{stale.yml => stale.yaml} (100%) create mode 100644 .github/workflows/verify-hibernate.yaml delete mode 100644 .github/workflows/verify-hibernate.yml create mode 100644 .github/workflows/verify.yaml create mode 100644 .github/workflows/vulnerability-scan.yaml 
diff --git a/.github/workflows/first-interaction.yml b/.github/workflows/first-interaction.yaml similarity index 96% rename from .github/workflows/first-interaction.yml rename to .github/workflows/first-interaction.yaml index 3cd536195..538b88b78 100644 --- a/.github/workflows/first-interaction.yml +++ b/.github/workflows/first-interaction.yaml @@ -4,12 +4,15 @@ on: pull_request_target: types: [ opened ] +permissions: + contents: read + jobs: greeting: # only on original eclipse-hawkbit/hawkbit repo if: github.repository == 'eclipse-hawkbit/hawkbit' runs-on: ubuntu-latest - + steps: - uses: actions/first-interaction@v1 with: diff --git a/.github/workflows/license-scan.yaml b/.github/workflows/license-scan.yaml new file mode 100644 index 000000000..a828bcbcc --- /dev/null +++ b/.github/workflows/license-scan.yaml @@ -0,0 +1,24 @@ +name: License Scan + +on: + # enable running the workflow manually + workflow_dispatch: + schedule: + # run every night at 2:00 AM (UTC) + - cron: '0 2 * * *' + +permissions: + contents: write + +jobs: + license-scan: + # only on original eclipse-hawkbit/hawkbit repo or when manually triggered + if: github.repository == 'eclipse-hawkbit/hawkbit' || github.event_name == 'workflow_dispatch' + uses: ./.github/workflows/reusable_workflow_license-scan.yaml + permissions: + contents: write + with: + ref: ${{ github.ref }} + open_tickets: true + secrets: + inherit: true diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 000000000..d6e4474e9 --- /dev/null +++ b/.github/workflows/release.yaml 
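Review bot: The workflow-level `permissions: contents: read` added at the top of this hunk sets every other GITHUB_TOKEN scope to none, and the `greeting` job (no job-level `permissions` is visible between `runs-on` and `steps`) runs `actions/first-interaction@v1`, which has to create a comment on the issue or pull request. With only `contents: read` that API call is denied and the job fails, so the greeting stops working. Grant only the scopes the action needs, e.g. `permissions:` / `  contents: read` / `  issues: write` / `  pull-requests: write`, at workflow level or on the job. The step list continues past the end of the hunk.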
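Review bot: `secrets: inherit: true` at the end of the new `license-scan` job is not the inherit form; `secrets:` takes either the bare scalar `inherit` or a mapping of named secrets, so this declares a secret called `inherit`, which reusable_workflow_license-scan.yaml does not define, and the run is rejected at validation. Write `secrets: inherit` instead — the called workflow reads `secrets.GITLAB_API_TOKEN`, which a same-repository call only receives when secrets are passed. Note also that `open_tickets: true` here is consumed by an `inputs.open_tickets == 'true'` condition in the called workflow, which compares a boolean to a string; see the note on that file.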
@@ -0,0 +1,118 @@ +name: Release + +on: + # enable running the workflow manually + workflow_dispatch: + inputs: + revision: + description: 'Release version' + default: '0-SNAPSHOT' + override_tag: + description: 'If to move the tag if already exists' + default: false + required: false + dry_run: + description: 'If to skip publishing the release to central repository' + default: false + required: false + +permissions: + contents: read + security-events: write + +jobs: + audit: + # only on original eclipse-hawkbit/hawkbit repo + if: github.repository == 'eclipse-hawkbit/hawkbit' + runs-on: ubuntu-latest + + steps: + - name: "Release ${{ inputs.revision }}" + run: echo "Releasing ${{ inputs.revision }}" + + # tag with release version if not already tagged + # if already tagged - it will release from there + tag: + # only on original eclipse-hawkbit/hawkbit repo and when release fixed version + if: github.repository == 'eclipse-hawkbit/hawkbit' && inputs.revision != '0-SNAPSHOT' + uses: ./.github/workflows/reusable_workflow_tag.yaml + permissions: + contents: write + with: + tag_name: ${{ inputs.revision }} + tag_message: "Release version ${{ inputs.revision }}" + override_tag: ${{ inputs.override_tag }} + + license-scan: + # only on original eclipse-hawkbit/hawkbit repo + if: github.repository == 'eclipse-hawkbit/hawkbit' + uses: ./.github/workflows/reusable_license-scan.yaml + permissions: + contents: read + with: + ref: ${{ inputs.revision == '0-SNAPSHOT' && github.ref || inputs.revision }} + + trivy-scan: + # only on original eclipse-hawkbit/hawkbit repo or when manually triggered + if: github.repository == 'eclipse-hawkbit/hawkbit' + uses: ./.github/workflows/reusable_workflow_trivy-scan.yaml + permissions: + contents: read + security-events: write + with: + ref: ${{ inputs.revision == '0-SNAPSHOT' && github.ref || inputs.revision }} + upload: true + + deploy: + # only on original eclipse-hawkbit/hawkbit repo + if: github.repository == 'eclipse-hawkbit/hawkbit' + 
runs-on: ubuntu-latest + + permissions: + contents: write + + services: + rabbitmq: + image: rabbitmq:3-management-alpine + env: + RABBITMQ_DEFAULT_VHOST: / + RABBITMQ_DEFAULT_USER: guest + RABBITMQ_DEFAULT_PASS: guest + ports: + - 15672:15672 + - 5672:5672 + + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.revision == '0-SNAPSHOT' && github.ref || inputs.revision }} + + - name: Set up JDK & Maven Central credentials + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: 21 + cache: 'maven' + server-id: central + server-username: MAVEN_USERNAME + server-password: MAVEN_PASSWORD + gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} + gpg-passphrase: MAVEN_GPG_PASSPHRASE + + - name: Cache local Maven repository + uses: actions/cache@v4 + with: + path: ~/.m2/repository + key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} + restore-keys: | + ${{ runner.os }}-maven- + + - name: Run build javadoc, verify (test) + run: mvn verify javadoc:jar -PgenerateTestReport -Drevision=${{ inputs.revision }} --batch-mode + + - name: "Deploy ${{ inputs.revision }}" + run: mvn deploy -DskipTests -Ppublish -Drevision=${{ inputs.revision }} -DskipPublishing=${{ inputs.dry_run }} --batch-mode + env: + MAVEN_USERNAME: ${{ secrets.CENTRAL_SONATYPE_TOKEN_USERNAME }} + MAVEN_PASSWORD: ${{ secrets.CENTRAL_SONATYPE_TOKEN_PASSWORD }} + MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index b330fc164..000000000 --- a/.github/workflows/release.yml +++ /dev/null 
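Review bot: The `license-scan` job calls `./.github/workflows/reusable_license-scan.yaml`, but the file this commit adds is `reusable_workflow_license-scan.yaml` (see the diffstat and license-scan.yaml), so the reference does not resolve and the job fails. Separately, `deploy` has no `needs:`, so it starts in parallel with `tag`, `license-scan` and `trivy-scan`: for a fixed revision its `actions/checkout@v4` with `ref: inputs.revision` can run before `tag` has pushed that tag, and `mvn deploy` publishes whether or not the scans pass — add `needs: [tag, license-scan, trivy-scan]` together with an `if:` that tolerates the skipped `tag` job on snapshot builds. The `override_tag` and `dry_run` dispatch inputs are declared with `default: false` but no `type: boolean`, so they arrive as strings while reusable_workflow_tag.yaml declares `override_tag` as `type: boolean`; add `type: boolean` to both (release_tag.yaml has the same omission). The deleted release.yml passed the revision via `env: REVISION:` and used `${REVISION}` in `run:`, whereas the new `run: mvn ... -Drevision=${{ inputs.revision }}` lines interpolate the dispatch input straight into the shell command; restoring the env-variable form keeps the input out of the script text.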
@@ -1,116 +0,0 @@ -name: Release - -on: - # enable running the workflow manually - workflow_dispatch: - inputs: - revision: - description: 'Release version' - default: '0-SNAPSHOT' - -jobs: - release: - # only on original eclipse-hawkbit/hawkbit repo - if: github.repository == 'eclipse-hawkbit/hawkbit' - runs-on: ubuntu-latest - - permissions: - contents: write - - services: - rabbitmq: - image: rabbitmq:3-management-alpine - env: - RABBITMQ_DEFAULT_VHOST: / - RABBITMQ_DEFAULT_USER: guest - RABBITMQ_DEFAULT_PASS: guest - ports: - - 15672:15672 - - 5672:5672 - - steps: - - uses: actions/checkout@v4 - - - name: "Release ${{ github.event.inputs.revision }}" - run: echo "Releasing ${{ github.event.inputs.revision }}" - - - name: Set up JDK & Maven Central credentials - uses: actions/setup-java@v4 - with: - distribution: 'temurin' - java-version: 21 - cache: 'maven' - server-id: central - server-username: MAVEN_USERNAME - server-password: MAVEN_PASSWORD - gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} - gpg-passphrase: MAVEN_GPG_PASSPHRASE - - - name: Cache local Maven repository - uses: actions/cache@v4 - with: - path: ~/.m2/repository - key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} - restore-keys: | - ${{ runner.os }}-maven- - - - name: Check file license headers - run: mvn clean license:check -PcheckLicense --batch-mode - - name: Check dependency licenses with dash tool - run: | - if [ "${REVISION}" = "0-SNAPSHOT" ]; then - DASH_FAIL=false - else - DASH_FAIL=true - fi - mvn install -DskipTests -DskipJavadoc --batch-mode - mvn license-tool:license-check -PcheckLicense -Ddash.fail=${DASH_FAIL} -Ddash.iplab.token=${GITLAB_API_TOKEN} --projects '!org.eclipse.hawkbit:hawkbit-repository-test,!org.eclipse.hawkbit:hawkbit-dmf-rabbitmq-test' --batch-mode - CHANGED_FILES_COUNT=$(git status --short | wc -l) - CHANGED_FILES_COUNT=${CHANGED_FILES_COUNT//[[:space:]]/} - echo "Number of changed files: ${CHANGED_FILES_COUNT}" - if [ "${CHANGED_FILES_COUNT}" -ne 0 ]; 
then - if [ "${CHANGED_FILES_COUNT}" -eq 1 ]; then - DEPENDENCY_FILE=".3rd-party/DEPENDENCIES" - DEPENDENCIES_MODIFIED=$(git status --short | grep ".3rd-party/DEPENDENCIES") - # Check if the file is modified - if [[ -n "$DEPENDENCIES_MODIFIED" ]]; then - echo "${DEPENDENCY_FILE} changed - commit it" - git config --local user.name "github-actions[bot]" - git config --local user.email "github-actions[bot]@users.noreply.github.com" - git add ${DEPENDENCY_FILE} && git commit -m "[Release] Automated commit of ${DEPENDENCY_FILE} changes" && git push - else - echo "Unexpected changes:" - git status --short - exit 1 - fi - else - echo "More than one file has changed:" - git status --short - exit 1 - fi - fi - env: - REVISION: ${{ github.event.inputs.revision }} - GITLAB_API_TOKEN: ${{ secrets.GITLAB_API_TOKEN }} - - - name: Run build javadoc, verify (test) - run: mvn verify javadoc:jar -PgenerateTestReport -Drevision=${REVISION} --batch-mode - env: - REVISION: ${{ github.event.inputs.revision }} - - - name: "Deploy ${{ github.event.inputs.revision }}" - run: mvn deploy -DskipTests -Ppublish -Drevision=${REVISION} --batch-mode - env: - REVISION: ${{ github.event.inputs.revision }} - MAVEN_USERNAME: ${{ secrets.CENTRAL_SONATYPE_TOKEN_USERNAME }} - MAVEN_PASSWORD: ${{ secrets.CENTRAL_SONATYPE_TOKEN_PASSWORD }} - MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - - name: Tag release - run: | - if [ "${REVISION}" != "0-SNAPSHOT" ]; then - git config --local user.name "github-actions[bot]" - git config --local user.email "github-actions[bot]@users.noreply.github.com" - git tag -a ${REVISION} -m "Release version ${REVISION}" && git push origin ${REVISION} - fi - env: - REVISION: ${{ github.event.inputs.revision }} diff --git a/.github/workflows/release_docker.yml b/.github/workflows/release_docker.yaml similarity index 85% rename from .github/workflows/release_docker.yml rename to .github/workflows/release_docker.yaml index 8a36090f5..c96327def 100644 
--- a/.github/workflows/release_docker.yml +++ b/.github/workflows/release_docker.yaml @@ -11,6 +11,9 @@ on: description: 'Release version' default: '0-SNAPSHOT' +permissions: + contents: read + jobs: release_docker: # only on fork of eclipse-hawkbit/hawkbit repo - see the note above @@ -20,8 +23,8 @@ jobs: steps: - uses: actions/checkout@v4 - - name: "Release ${{ github.event.inputs.revision }}" - run: echo "Releasing ${{ github.event.inputs.revision }}" + - name: "Release ${{ inputs.revision }}" + run: echo "Releasing ${{ inputs.revision }}" - name: Setup run: | @@ -45,9 +48,9 @@ jobs: for APP in "${ALL_APPS[@]}"; do if [ "${APP}" == "hawkbit-repository-jpa-init" ]; then - DOCKER_FILE="Dockerfile_dbinit" + DOCKER_FILE="Dockerfile_dbinit" else - DOCKER_FILE="Dockerfile" + DOCKER_FILE="Dockerfile" fi echo "Build ${APP}, docker file : ${DOCKER_FILE}" docker buildx build -t hawkbit/${APP}:${REVISION} --build-arg HAWKBIT_APP=${APP} --build-arg HAWKBIT_VERSION=${REVISION} -f ${DOCKER_FILE} . @@ -61,14 +64,15 @@ jobs: - name: Push Docker Images run: | - ALL_APPS=() # Initialize an empty + ALL_APPS=() for APP in $(echo "${ALL_APPS_STRING}" | tr ',' '\n' | xargs); do - ALL_APPS+=("${APP}") # Add trimmed app + ALL_APPS+=("${APP}") # trims chunk to fully qualified app name done for APP in "${ALL_APPS[@]}"; do - echo "Deploy ${APP}" + echo "Deploying ${APP}..." docker push hawkbit/${APP}:${REVISION} docker tag hawkbit/${APP}:${REVISION} hawkbit/${APP}:latest docker push hawkbit/${APP}:latest - done + echo "${APP} deployed." + done \ No newline at end of file diff --git a/.github/workflows/release_tag.yaml b/.github/workflows/release_tag.yaml new file mode 100644 index 000000000..7f282646f --- /dev/null +++ b/.github/workflows/release_tag.yaml 
@@ -0,0 +1,39 @@ +name: Release Start + +on: + # enable running the workflow manually + workflow_dispatch: + inputs: + revision: + description: 'Release version' + default: '0-SNAPSHOT' + override_tag: + description: 'If to move the tag if already exists' + default: false + required: false + +permissions: + contents: write + +jobs: + audit: + # only on original eclipse-hawkbit/hawkbit repo + if: github.repository == 'eclipse-hawkbit/hawkbit' + runs-on: ubuntu-latest + + steps: + - name: "Release ${{ inputs.revision }}" + run: echo "Releasing ${{ inputs.revision }}" + + # tag with release version if not already tagged + # if already tagged - it will release from there + tag: + # only on original eclipse-hawkbit/hawkbit repo and when release fixed version + if: github.repository == 'eclipse-hawkbit/hawkbit' && inputs.revision != '0-SNAPSHOT' + uses: ./.github/workflows/reusable_workflow_tag@${{ github.sha }} + permissions: + contents: write + with: + tag_name: ${{ inputs.revision }} + tag_message: "Release version ${{ inputs.revision }}" + override_tag: ${{ github.event.inputs.override_tag }} \ No newline at end of file diff --git a/.github/workflows/license-scan.yml b/.github/workflows/reusable_workflow_license-scan.yaml similarity index 50% rename from .github/workflows/license-scan.yml rename to .github/workflows/reusable_workflow_license-scan.yaml index 379b7778e..b324208f5 100644 --- a/.github/workflows/license-scan.yml +++ b/.github/workflows/reusable_workflow_license-scan.yaml 
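Review bot: `uses: ./.github/workflows/reusable_workflow_tag@${{ github.sha }}` in the `tag` job is not a valid reference: a local (`./`) reusable workflow is addressed by path only, without an `@ref`, and `uses` does not accept expressions, so this workflow fails validation. Use `uses: ./.github/workflows/reusable_workflow_tag.yaml`, as release.yaml does. `override_tag: ${{ github.event.inputs.override_tag }}` passes a dispatch input that has no `type: boolean` (hence a string) into a called input declared `type: boolean`; add `type: boolean` to the dispatch input, and prefer `inputs.override_tag` for consistency with the `tag_name` line above it.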
@@ -1,23 +1,25 @@ -name: License Scan +name: License Scan (Reusable Workflow) on: - # enable running the workflow manually - workflow_dispatch: - schedule: - # run every night at 2:00 AM (UTC) - - cron: '0 2 * * *' + workflow_call: + variables: + ref: + description: 'The branch, tag or SHA to checkout, e.g. master' + type: string + default: 'master' + open_tickets: + description: 'If to open tickets for license issues to Dash IP lab, e.g. true or false' + type: boolean + default: false jobs: - license-scan: - # only on original eclipse-hawkbit/hawkbit repo or when manually triggered - if: github.repository == 'eclipse-hawkbit/hawkbit' || github.event_name == 'workflow_dispatch' + reusable_workflow_license-scan: runs-on: ubuntu-latest - permissions: - contents: write - steps: - uses: actions/checkout@v4 + with: + ref: ${{ inputs.ref }} - name: Set up JDK & Maven Central credentials uses: actions/setup-java@v4 @@ -36,7 +38,9 @@ jobs: - name: Check file license headers run: mvn license:check -PcheckLicense --batch-mode - - name: Check dependency licenses with dash tool + + - name: Check dependency licenses with dash tool (and open issues to Dash IP lab, doesn't fail) + if: ${{ inputs.open_tickets == 'true' }} run: | mvn clean install -DskipTests -DskipJavadoc --batch-mode mvn license-tool:license-check -Ddash.fail=false -PcheckLicense -Ddash.iplab.token=${GITLAB_API_TOKEN} --projects '!org.eclipse.hawkbit:hawkbit-repository-test,!org.eclipse.hawkbit:hawkbit-dmf-rabbitmq-test' 
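Review bot: `workflow_call:` in the first hunk declares its parameters under `variables:`, which is not a recognized key — reusable-workflow parameters go under `inputs:` — so `inputs.ref` and `inputs.open_tickets` are never defined and the `with: ref:` blocks in license-scan.yaml and release.yaml are rejected as undefined inputs; reusable_workflow_trivy-scan.yaml carries the same `variables:` key, while reusable_workflow_verify.yaml in this commit shows the correct `inputs:` form. In the second hunk, `if: ${{ inputs.open_tickets == 'true' }}` compares a `type: boolean` input with a string; expression comparison coerces mismatched types to numbers (`true` → 1, `'true'` → NaN), so the dash/commit step never runs even when a caller passes `open_tickets: true` — write `if: ${{ inputs.open_tickets }}`. The first hunk also removes the job-level `permissions: contents: write` while the step that commits `.3rd-party/DEPENDENCIES` and runs `git push` is kept (in the following hunk), so each caller must now grant `contents: write` explicitly; release.yaml currently passes only `contents: read`.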
@@ -45,26 +49,29 @@ jobs: echo "Number of changed files: ${CHANGED_FILES_COUNT}" if [ "${CHANGED_FILES_COUNT}" -ne 0 ]; then if [ "${CHANGED_FILES_COUNT}" -eq 1 ]; then - DEPENDENCY_FILE=".3rd-party/DEPENDENCIES" - DEPENDENCIES_MODIFIED=$(git status --short | grep ".3rd-party/DEPENDENCIES") - # Check if the file is modified - if [[ -n "$DEPENDENCIES_MODIFIED" ]]; then - echo "${DEPENDENCY_FILE} changed - commit it" - git config --local user.name "github-actions[bot]" - git config --local user.email "github-actions[bot]@users.noreply.github.com" - git add ${DEPENDENCY_FILE} && git commit -m "[Release] Automated commit of ${DEPENDENCY_FILE} changes" && git push - else - echo "Unexpected changes:" - git status --short - exit 1 - fi - else - echo "More than one file has changed:" + DEPENDENCY_FILE=".3rd-party/DEPENDENCIES" + DEPENDENCIES_MODIFIED=$(git status --short | grep ".3rd-party/DEPENDENCIES") + # Check if the file is modified + if [[ -n "$DEPENDENCIES_MODIFIED" ]]; then + echo "${DEPENDENCY_FILE} changed - commit it" + git config --local user.name "github-actions[bot]" + git config --local user.email "github-actions[bot]@users.noreply.github.com" + git add ${DEPENDENCY_FILE} && git commit -m "[Release] Automated commit of ${DEPENDENCY_FILE} changes" && git push + else + echo "Unexpected changes:" git status --short exit 1 + fi + else + echo "More than one file has changed:" + git status --short + exit 1 fi fi - # do dash.fail=true so if there are restricted dependencis the build will fail + # do dash.fail=true so if there are restricted dependencies the build will fail mvn license-tool:license-check -Ddash.fail=true -PcheckLicense -Ddash.iplab.token=${GITLAB_API_TOKEN} --projects '!org.eclipse.hawkbit:hawkbit-repository-test,!org.eclipse.hawkbit:hawkbit-dmf-rabbitmq-test' env: GITLAB_API_TOKEN: ${{ secrets.GITLAB_API_TOKEN }} + + - name: Check dependency licenses with dash tool (and return the result) + run: mvn license-tool:license-check -Ddash.fail=true 
-PcheckLicense --projects '!org.eclipse.hawkbit:hawkbit-repository-test,!org.eclipse.hawkbit:hawkbit-dmf-rabbitmq-test' \ No newline at end of file diff --git a/.github/workflows/reusable_workflow_tag.yaml b/.github/workflows/reusable_workflow_tag.yaml new file mode 100644 index 000000000..d6ac9d81a --- /dev/null +++ b/.github/workflows/reusable_workflow_tag.yaml @@ -0,0 +1,61 @@ +name: Tag + +on: + workflow_call: + inputs: + tag_name: + type: string + description: 'Tag name, e.g. 1.0.0' + required: true + tag_message: + type: string + description: '' + required: false + override_tag: + type: boolean + description: 'If to override the tag if already exists' + required: false + default: false + +jobs: + tag: + runs-on: ubuntu-latest + + permissions: + contents: write + + steps: + - uses: actions/checkout@v4 + + - name: Tag release + run: | + git config --local user.name "github-actions[bot]" + git config --local user.email "github-actions[bot]@users.noreply.github.com" + + if git rev-parse "${TAG_NAME}" >/dev/null 2>&1; then + echo "Creating a tag ${TAG_NAME} ..." + if [ -n "${TAG_MESSAGE}" ]; then + git tag -a ${TAG_NAME} -m "${TAG_MESSAGE}" + else + git tag -a ${TAG_NAME} + fi + git push origin ${TAG_NAME} + echo "Tag ${TAG_NAME} created." + else + if [ "${{ inputs.override_tag }}" == "true" ]; then + echo "Tag ${TAG_NAME} already exists, but override is set to true, so moving it ..." + git tag -d ${TAG_NAME} + if [ -n "${TAG_MESSAGE}" ]; then + git tag -a ${TAG_NAME} -m "${TAG_MESSAGE}" + else + git tag -a ${TAG_NAME} + fi + git push origin ${TAG_NAME} + echo "Tag ${TAG_NAME} moved." + else + echo "Tag ${TAG_NAME} already exists, do nothing." + fi + fi` + env: + TAG_NAME: ${{ inputs.tag_name }} + TAG_MESSAGE: ${{ inputs.tag_message }} \ No newline at end of file 
diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/reusable_workflow_trivy-scan.yaml similarity index 61% rename from .github/workflows/trivy-scan.yml rename to .github/workflows/reusable_workflow_trivy-scan.yaml index d3d4437a1..7d2fc17f0 100644 --- a/.github/workflows/trivy-scan.yml +++ b/.github/workflows/reusable_workflow_trivy-scan.yaml @@ -1,16 +1,19 @@ -name: Vulnerability Scan +name: Trivy Scan (Reusable Workflow) on: - # enable running the workflow manually - workflow_dispatch: - schedule: - # run every night at 4:00 AM (UTC) - - cron: '0 4 * * *' + workflow_call: + variables: + ref: + description: 'The branch, tag or SHA to checkout, e.g. master' + type: string + default: 'master' + upload: + description: 'If to upload the scan results, e.g. true or false' + type: boolean + default: false jobs: trivy-scan: - # only on original eclipse-hawkbit/hawkbit repo or when manually triggered - if: github.repository == 'eclipse-hawkbit/hawkbit' || github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest permissions: @@ -21,6 +24,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + with: + ref: ${{ inputs.ref }} - name: Set up JDK uses: actions/setup-java@v4 @@ -31,7 +36,7 @@ jobs: - name: Create hawkBit container images run: | - mvn clean install -DskipTests && \ + mvn clean install -DskipTests -DskipJavadoc && \ cd docker/build && \ chmod +x build_dev.sh && \ ./build_dev.sh && \ 
@@ -51,32 +56,53 @@ jobs: mkdir -p scans/eclipse-hawkbit/hawkbit for IMAGE in $(docker image ls --format "{{.Repository}}:{{.Tag}}" "hawkbit/hawkbit-*:latest"); do echo "Scanning image ${IMAGE} ..." - ./trivy image "${IMAGE}" --ignore-unfixed --ignorefile .github/workflows/.trivyignore --severity HIGH,CRITICAL --vuln-type library --output "scans/eclipse-hawkbit/$IMAGE.sarif" --format sarif + ./trivy image "${IMAGE}" --ignore-unfixed --ignorefile .github/workflows/.trivyignore --severity HIGH,CRITICAL --vuln-type library --output "scans/eclipse-hawkbit/${IMAGE}.sarif" --format sarif done - - name: Upload Docker image scan results to GitHub Security tab hawkbit-ddi-server + - name: Check if to upload scan results + run: | + if [ "${{ inputs.upload }}" = "true" ]; then + echo "Uploading scan results..." + else + echo "Skipping upload of scan results." + exit 0 + fi + + - name: Upload Docker image scan results to GitHub Security tab hawkbit-ddi-server (hawkbit-ddi-server) uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-ddi-server:latest.sarif' category: "Container Images (hawkbit-ddi-server)" - - name: Upload Docker image scan results to GitHub Security tab hawkbit-dmf-server + - name: Upload Docker image scan results to GitHub Security tab hawkbit-dmf-server (hawkbit-dmf-server) uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-dmf-server:latest.sarif' category: "Container Images (hawkbit-dmf-server)" - - name: Upload Docker image scan results to GitHub Security tab hawkbit-mgmt-server + - name: Upload Docker image scan results to GitHub Security tab hawkbit-mgmt-server (hawkbit-mgmt-server) uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-mgmt-server:latest.sarif' category: "Container Images (hawkbit-mgmt-server)" - - name: Upload Docker image scan results to GitHub Security tab hawkbit-simple-ui + - name: Upload 
Docker image scan results to GitHub Security tab hawkbit-simple-ui (hawkbit-simple-ui) uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-simple-ui:latest.sarif' category: "Container Images (hawkbit-simple-ui)" - - name: Upload Docker image scan results to GitHub Security tab + - name: Upload Docker image scan results to GitHub Security tab (hawkbit-update-server) uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-update-server:latest.sarif' - category: "Container Images (hawkbit-update-server)" \ No newline at end of file + category: "Container Images (hawkbit-update-server)" + + - name: Upload Docker image scan results to GitHub Security tab (hawkbit-repository-jpa-init) + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-repository-jpa-init:latest.sarif' + category: "Container Images (hawkbit-update-server)" + + - name: Upload Docker image scan results to GitHub Security tab (hawkbit-repository-jpa-init) + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-repository-jpa-init:latest.sarif' + category: "Container Images (hawkbit-repository-jpa-init)" \ No newline at end of file diff --git a/.github/workflows/verify.yml b/.github/workflows/reusable_workflow_verify.yaml similarity index 67% rename from .github/workflows/verify.yml rename to .github/workflows/reusable_workflow_verify.yaml index ebd95c671..082289374 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/reusable_workflow_verify.yaml 
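Review bot: The `Check if to upload scan results` step added in this hunk cannot skip anything: its `exit 0` ends only that step, and the `upload-sarif` steps after it carry no `if:`, so SARIF is uploaded regardless of `inputs.upload` and a caller passing `upload: false` (vulnerability-scan.yaml on a non-master ref) still writes to the Security tab. Put `if: ${{ inputs.upload }}` on each upload step (the input is `type: boolean`, so the bare expression is enough) and drop the echo-only step. The `hawkbit-repository-jpa-init` upload is also listed twice, and the first copy carries `category: "Container Images (hawkbit-update-server)"`, which overwrites the real hawkbit-update-server results under that code-scanning category; delete the first copy. The scan loop and the rest of the job begin before this hunk.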
@@ -1,21 +1,19 @@ -name: Verify +name: Verify (Reusable Workflow) on: - push: - branches: - - master - paths-ignore: - - '.3rd-party/**' - - 'site/**' - - '**.md' - pull_request: - paths-ignore: - - '.3rd-party/**' - - 'site/**' - - '**.md' + workflow_call: + inputs: + ref: + description: 'The branch, tag or SHA to checkout, e.g. master' + type: string + default: 'master' + maven_properties: + type: string + default: '' + description: 'Properties to pass to Maven command line, e.g. -Djpa.vendor=hibernate' jobs: - verify: + reusable_workflow_verify: runs-on: ubuntu-latest services: @@ -31,6 +29,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + ref: ${{ inputs.ref }} - name: Set up JDK uses: actions/setup-java@v4 @@ -51,4 +51,4 @@ jobs: run: mvn license:check -PcheckLicense --batch-mode - name: Run tests & javadoc - run: mvn clean verify javadoc:javadoc -PgenerateTestReport --batch-mode \ No newline at end of file + run: mvn clean verify javadoc:javadoc -PgenerateTestReport ${{ inputs.maven_properties }} --batch-mode \ No newline at end of file diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yaml similarity index 100% rename from .github/workflows/stale.yml rename to .github/workflows/stale.yaml diff --git a/.github/workflows/verify-hibernate.yaml b/.github/workflows/verify-hibernate.yaml new file mode 100644 index 000000000..c596e9daa --- /dev/null +++ b/.github/workflows/verify-hibernate.yaml 
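Review bot: `run: mvn clean verify javadoc:javadoc -PgenerateTestReport ${{ inputs.maven_properties }} --batch-mode` in the last hunk interpolates a free-form `workflow_call` input straight into the shell command, so whatever a caller puts in `maven_properties` becomes part of the script text rather than data. Both callers in this commit pass literals, so this is a hardening point rather than a present fault; pass it through the environment instead, with `env: MAVEN_PROPERTIES: ${{ inputs.maven_properties }}` on the step and `${MAVEN_PROPERTIES}` (left unquoted so the properties still split into separate arguments) in `run:`. This file declares its parameters under `inputs:`, which is the form the license-scan and trivy-scan reusable workflows in this commit should also use.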
@@ -0,0 +1,26 @@ +name: Verify (Hibernate) + +on: + push: + branches: + - master + paths-ignore: + - '.3rd-party/**' + - 'site/**' + - '**.md' + pull_request: + paths-ignore: + - '.3rd-party/**' + - 'site/**' + - '**.md' + workflow_dispatch: + +permissions: + contents: read + +jobs: + verify-hibernate: + uses: ./.github/workflows/reusable_workflow_verify.yaml + with: + ref: ${{ github.event_name == 'push' && github.ref || github.event_name == 'pull_request' && github.event.pull_request.head.ref || github.event_name == 'workflow_dispatch' && github.ref }} + maven_properties: '-Djpa.vendor=hibernate -Dlogging.level.org.hibernate.collection.spi.AbstractPersistentCollection=ERROR' \ No newline at end of file diff --git a/.github/workflows/verify-hibernate.yml b/.github/workflows/verify-hibernate.yml deleted file mode 100644 index 3a97485f8..000000000 --- a/.github/workflows/verify-hibernate.yml +++ /dev/null 
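Review bot: The `ref:` expression in the `verify-hibernate` job resolves to `github.event.pull_request.head.ref` for pull requests, which is the bare head branch name; for a pull request opened from a fork that branch does not exist in this repository, so the checkout in the reusable workflow fails — or, if a branch of the same name happens to exist here, the wrong code is built — and the PR merge commit is never what gets verified. `ref: ${{ github.ref }}` covers all three triggers (`refs/pull/N/merge` for pull_request, the pushed or dispatched ref otherwise) and is what `actions/checkout` handles directly. When no branch of the `&&`/`||` chain matches, the current expression also yields `false`, which is passed on as the string `'false'`. verify.yaml in this commit uses the identical expression and needs the same change.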
@@ -1,54 +0,0 @@ -name: Verify (Hibernate) - -on: - push: - branches: - - master - paths-ignore: - - '.3rd-party/**' - - 'site/**' - - '**.md' - pull_request: - paths-ignore: - - '.3rd-party/**' - - 'site/**' - - '**.md' - -jobs: - verify-hibernate: - runs-on: ubuntu-latest - - services: - rabbitmq: - image: rabbitmq:3-management-alpine - env: - RABBITMQ_DEFAULT_VHOST: / - RABBITMQ_DEFAULT_USER: guest - RABBITMQ_DEFAULT_PASS: guest - ports: - - 15672:15672 - - 5672:5672 - - steps: - - uses: actions/checkout@v4 - - - name: Set up JDK - uses: actions/setup-java@v4 - with: - distribution: 'temurin' - java-version: 21 - cache: 'maven' - - - name: Cache local Maven repository - uses: actions/cache@v4 - with: - path: ~/.m2/repository - key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} - restore-keys: | - ${{ runner.os }}-maven- - - - name: Check file license headers - run: mvn license:check -PcheckLicense --batch-mode - - - name: Run tests & javadoc - run: mvn clean verify javadoc:javadoc --batch-mode -Djpa.vendor=hibernate -Dlogging.level.org.hibernate.collection.spi.AbstractPersistentCollection=ERROR \ No newline at end of file diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml new file mode 100644 index 000000000..defd11679 --- /dev/null +++ b/.github/workflows/verify.yaml @@ -0,0 +1,25 @@ +name: Verify + +on: + push: + branches: + - master + paths-ignore: + - '.3rd-party/**' + - 'site/**' + - '**.md' + pull_request: + paths-ignore: + - '.3rd-party/**' + - 'site/**' + - '**.md' + workflow_dispatch: + +permissions: + contents: read + +jobs: + verify: + uses: ./.github/workflows/reusable_workflow_verify.yaml + with: + ref: ${{ github.event_name == 'push' && github.ref || github.event_name == 'pull_request' && github.event.pull_request.head.ref || github.event_name == 'workflow_dispatch' && github.ref }} \ No newline at end of file 
diff --git a/.github/workflows/vulnerability-scan.yaml b/.github/workflows/vulnerability-scan.yaml new file mode 100644 index 000000000..fe5328b7f --- /dev/null +++ b/.github/workflows/vulnerability-scan.yaml @@ -0,0 +1,24 @@ +name: Vulnerability Scan + +on: + # enable running the workflow manually + workflow_dispatch: + schedule: + # run every night at 4:00 AM (UTC) + - cron: '0 4 * * *' + +permissions: + contents: read + security-events: write + +jobs: + trivy-scan: + # only on original eclipse-hawkbit/hawkbit repo or when manually triggered + if: github.repository == 'eclipse-hawkbit/hawkbit' || github.event_name == 'workflow_dispatch' + uses: ./.github/workflows/reusable_workflow_trivy-scan.yaml + permissions: + contents: read + security-events: write + with: + ref: ${{ github.ref }} + upload: ${{ github.ref == 'refs/heads/master' }} \ No newline at end of file diff --git a/pom.xml b/pom.xml index 6111789a5..c0bacb35f 100644 --- a/pom.xml +++ b/pom.xml @@ -129,6 +129,8 @@ ${project.build.directory}/.3rd-party/DEPENDENCIES_REVIEW org.eclipse,org.junit + + false @@ -670,6 +672,7 @@ central true published + ${skipPublishing}