lingwei.kong/hawkbit
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Refactor workflows - user reusable workflows (#2504)

Browse Source 
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
This commit is contained in:
Avgustin Marinov
2025-06-27 10:51:20 +03:00
committed by GitHub
parent 4a6e862d57
commit a35201ac1c
16 changed files with 429 additions and 239 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.github/workflows/first-interaction.yml → .github/workflows/first-interaction.yaml vendored
View File

@@ -4,12 +4,15 @@ on:
pull_request_target:
types: [ opened ]
permissions:
contents: read
jobs:
greeting:
# only on original eclipse-hawkbit/hawkbit repo
if: github.repository == 'eclipse-hawkbit/hawkbit'
runs-on: ubuntu-latest
steps:
- uses: actions/first-interaction@v1
with:

24
.github/workflows/license-scan.yaml vendored Normal file
View File

@@ -0,0 +1,24 @@
name: License Scan
on:
# enable running the workflow manually
workflow_dispatch:
schedule:
# run every night at 2:00 AM (UTC)
- cron: '0 2 * * *'
permissions:
contents: write
jobs:
license-scan:
# only on original eclipse-hawkbit/hawkbit repo or when manually triggered
if: github.repository == 'eclipse-hawkbit/hawkbit' || github.event_name == 'workflow_dispatch'
uses: ./.github/workflows/reusable_workflow_license-scan.yaml
permissions:
contents: write
with:
ref: ${{ github.ref }}
open_tickets: true
secrets:
inherit: true

118
.github/workflows/release.yaml vendored Normal file
View File

@@ -0,0 +1,118 @@
name: Release
on:
# enable running the workflow manually
workflow_dispatch:
inputs:
revision:
description: 'Release version'
default: '0-SNAPSHOT'
override_tag:
description: 'If to move the tag if already exists'
default: false
required: false
dry_run:
description: 'If to skip publishing the release to central repository'
default: false
required: false
permissions:
contents: read
security-events: write
jobs:
audit:
# only on original eclipse-hawkbit/hawkbit repo
if: github.repository == 'eclipse-hawkbit/hawkbit'
runs-on: ubuntu-latest
steps:
- name: "Release ${{ inputs.revision }}"
run: echo "Releasing ${{ inputs.revision }}"
# tag with release version if not already tagged
# if already tagged - it will release from there
tag:
# only on original eclipse-hawkbit/hawkbit repo and when release fixed version
if: github.repository == 'eclipse-hawkbit/hawkbit' && inputs.revision != '0-SNAPSHOT'
uses: ./.github/workflows/reusable_workflow_tag.yaml
permissions:
contents: write
with:
tag_name: ${{ inputs.revision }}
tag_message: "Release version ${{ inputs.revision }}"
override_tag: ${{ inputs.override_tag }}
license-scan:
# only on original eclipse-hawkbit/hawkbit repo
if: github.repository == 'eclipse-hawkbit/hawkbit'
uses: ./.github/workflows/reusable_license-scan.yaml
permissions:
contents: read
with:
ref: ${{ inputs.revision == '0-SNAPSHOT' && github.ref || inputs.revision }}
trivy-scan:
# only on original eclipse-hawkbit/hawkbit repo or when manually triggered
if: github.repository == 'eclipse-hawkbit/hawkbit'
uses: ./.github/workflows/reusable_workflow_trivy-scan.yaml
permissions:
contents: read
security-events: write
with:
ref: ${{ inputs.revision == '0-SNAPSHOT' && github.ref || inputs.revision }}
upload: true
deploy:
# only on original eclipse-hawkbit/hawkbit repo
if: github.repository == 'eclipse-hawkbit/hawkbit'
runs-on: ubuntu-latest
permissions:
contents: write
services:
rabbitmq:
image: rabbitmq:3-management-alpine
env:
RABBITMQ_DEFAULT_VHOST: /
RABBITMQ_DEFAULT_USER: guest
RABBITMQ_DEFAULT_PASS: guest
ports:
- 15672:15672
- 5672:5672
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.revision == '0-SNAPSHOT' && github.ref || inputs.revision }}
- name: Set up JDK & Maven Central credentials
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: 21
cache: 'maven'
server-id: central
server-username: MAVEN_USERNAME
server-password: MAVEN_PASSWORD
gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
gpg-passphrase: MAVEN_GPG_PASSPHRASE
- name: Cache local Maven repository
uses: actions/cache@v4
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-maven-
- name: Run build javadoc, verify (test)
run: mvn verify javadoc:jar -PgenerateTestReport -Drevision=${{ inputs.revision }} --batch-mode
- name: "Deploy ${{ inputs.revision }}"
run: mvn deploy -DskipTests -Ppublish -Drevision=${{ inputs.revision }} -DskipPublishing=${{ inputs.dry_run }} --batch-mode
env:
MAVEN_USERNAME: ${{ secrets.CENTRAL_SONATYPE_TOKEN_USERNAME }}
MAVEN_PASSWORD: ${{ secrets.CENTRAL_SONATYPE_TOKEN_PASSWORD }}
MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

116
.github/workflows/release.yml vendored
View File

@@ -1,116 +0,0 @@
name: Release
on:
# enable running the workflow manually
workflow_dispatch:
inputs:
revision:
description: 'Release version'
default: '0-SNAPSHOT'
jobs:
release:
# only on original eclipse-hawkbit/hawkbit repo
if: github.repository == 'eclipse-hawkbit/hawkbit'
runs-on: ubuntu-latest
permissions:
contents: write
services:
rabbitmq:
image: rabbitmq:3-management-alpine
env:
RABBITMQ_DEFAULT_VHOST: /
RABBITMQ_DEFAULT_USER: guest
RABBITMQ_DEFAULT_PASS: guest
ports:
- 15672:15672
- 5672:5672
steps:
- uses: actions/checkout@v4
- name: "Release ${{ github.event.inputs.revision }}"
run: echo "Releasing ${{ github.event.inputs.revision }}"
- name: Set up JDK & Maven Central credentials
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: 21
cache: 'maven'
server-id: central
server-username: MAVEN_USERNAME
server-password: MAVEN_PASSWORD
gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
gpg-passphrase: MAVEN_GPG_PASSPHRASE
- name: Cache local Maven repository
uses: actions/cache@v4
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-maven-
- name: Check file license headers
run: mvn clean license:check -PcheckLicense --batch-mode
- name: Check dependency licenses with dash tool
run: |
if [ "${REVISION}" = "0-SNAPSHOT" ]; then
DASH_FAIL=false
else
DASH_FAIL=true
fi
mvn install -DskipTests -DskipJavadoc --batch-mode
mvn license-tool:license-check -PcheckLicense -Ddash.fail=${DASH_FAIL} -Ddash.iplab.token=${GITLAB_API_TOKEN} --projects '!org.eclipse.hawkbit:hawkbit-repository-test,!org.eclipse.hawkbit:hawkbit-dmf-rabbitmq-test' --batch-mode
CHANGED_FILES_COUNT=$(git status --short | wc -l)
CHANGED_FILES_COUNT=${CHANGED_FILES_COUNT//[[:space:]]/}
echo "Number of changed files: ${CHANGED_FILES_COUNT}"
if [ "${CHANGED_FILES_COUNT}" -ne 0 ]; then
if [ "${CHANGED_FILES_COUNT}" -eq 1 ]; then
DEPENDENCY_FILE=".3rd-party/DEPENDENCIES"
DEPENDENCIES_MODIFIED=$(git status --short | grep ".3rd-party/DEPENDENCIES")
# Check if the file is modified
if [[ -n "$DEPENDENCIES_MODIFIED" ]]; then
echo "${DEPENDENCY_FILE} changed - commit it"
git config --local user.name "github-actions[bot]"
git config --local user.email "github-actions[bot]@users.noreply.github.com"
git add ${DEPENDENCY_FILE} && git commit -m "[Release] Automated commit of ${DEPENDENCY_FILE} changes" && git push
else
echo "Unexpected changes:"
git status --short
exit 1
fi
else
echo "More than one file has changed:"
git status --short
exit 1
fi
fi
env:
REVISION: ${{ github.event.inputs.revision }}
GITLAB_API_TOKEN: ${{ secrets.GITLAB_API_TOKEN }}
- name: Run build javadoc, verify (test)
run: mvn verify javadoc:jar -PgenerateTestReport -Drevision=${REVISION} --batch-mode
env:
REVISION: ${{ github.event.inputs.revision }}
- name: "Deploy ${{ github.event.inputs.revision }}"
run: mvn deploy -DskipTests -Ppublish -Drevision=${REVISION} --batch-mode
env:
REVISION: ${{ github.event.inputs.revision }}
MAVEN_USERNAME: ${{ secrets.CENTRAL_SONATYPE_TOKEN_USERNAME }}
MAVEN_PASSWORD: ${{ secrets.CENTRAL_SONATYPE_TOKEN_PASSWORD }}
MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- name: Tag release
run: |
if [ "${REVISION}" != "0-SNAPSHOT" ]; then
git config --local user.name "github-actions[bot]"
git config --local user.email "github-actions[bot]@users.noreply.github.com"
git tag -a ${REVISION} -m "Release version ${REVISION}" && git push origin ${REVISION}
fi
env:
REVISION: ${{ github.event.inputs.revision }}

20
.github/workflows/release_docker.yml → .github/workflows/release_docker.yaml vendored
View File

@@ -11,6 +11,9 @@ on:
description: 'Release version'
default: '0-SNAPSHOT'
permissions:
contents: read
jobs:
release_docker:
# only on fork of eclipse-hawkbit/hawkbit repo - see the note above
@@ -20,8 +23,8 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: "Release ${{ github.event.inputs.revision }}"
run: echo "Releasing ${{ github.event.inputs.revision }}"
- name: "Release ${{ inputs.revision }}"
run: echo "Releasing ${{ inputs.revision }}"
- name: Setup
run: |
@@ -45,9 +48,9 @@ jobs:
for APP in "${ALL_APPS[@]}"; do
if [ "${APP}" == "hawkbit-repository-jpa-init" ]; then
DOCKER_FILE="Dockerfile_dbinit"
DOCKER_FILE="Dockerfile_dbinit"
else
DOCKER_FILE="Dockerfile"
DOCKER_FILE="Dockerfile"
fi
echo "Build ${APP}, docker file : ${DOCKER_FILE}"
docker buildx build -t hawkbit/${APP}:${REVISION} --build-arg HAWKBIT_APP=${APP} --build-arg HAWKBIT_VERSION=${REVISION} -f ${DOCKER_FILE} .
@@ -61,14 +64,15 @@ jobs:
- name: Push Docker Images
run: |
ALL_APPS=() # Initialize an empty
ALL_APPS=()
for APP in $(echo "${ALL_APPS_STRING}" | tr ',' '\n' | xargs); do
ALL_APPS+=("${APP}") # Add trimmed app
ALL_APPS+=("${APP}") # trims chunk to fully qualified app name
done
for APP in "${ALL_APPS[@]}"; do
echo "Deploy ${APP}"
echo "Deploying ${APP}..."
docker push hawkbit/${APP}:${REVISION}
docker tag hawkbit/${APP}:${REVISION} hawkbit/${APP}:latest
docker push hawkbit/${APP}:latest
done
echo "${APP} deployed."
done

39
.github/workflows/release_tag.yaml vendored Normal file
View File

@@ -0,0 +1,39 @@
name: Release Start
on:
# enable running the workflow manually
workflow_dispatch:
inputs:
revision:
description: 'Release version'
default: '0-SNAPSHOT'
override_tag:
description: 'If to move the tag if already exists'
default: false
required: false
permissions:
contents: write
jobs:
audit:
# only on original eclipse-hawkbit/hawkbit repo
if: github.repository == 'eclipse-hawkbit/hawkbit'
runs-on: ubuntu-latest
steps:
- name: "Release ${{ inputs.revision }}"
run: echo "Releasing ${{ inputs.revision }}"
# tag with release version if not already tagged
# if already tagged - it will release from there
tag:
# only on original eclipse-hawkbit/hawkbit repo and when release fixed version
if: github.repository == 'eclipse-hawkbit/hawkbit' && inputs.revision != '0-SNAPSHOT'
uses: ./.github/workflows/reusable_workflow_tag@${{ github.sha }}
permissions:
contents: write
with:
tag_name: ${{ inputs.revision }}
tag_message: "Release version ${{ inputs.revision }}"
override_tag: ${{ github.event.inputs.override_tag }}

65
.github/workflows/license-scan.yml → .github/workflows/reusable_workflow_license-scan.yaml vendored
View File

@@ -1,23 +1,25 @@
name: License Scan
name: License Scan (Reusable Workflow)
on:
# enable running the workflow manually
workflow_dispatch:
schedule:
# run every night at 2:00 AM (UTC)
- cron: '0 2 * * *'
workflow_call:
variables:
ref:
description: 'The branch, tag or SHA to checkout, e.g. master'
type: string
default: 'master'
open_tickets:
description: 'If to open tickets for license issues to Dash IP lab, e.g. true or false'
type: boolean
default: false
jobs:
license-scan:
# only on original eclipse-hawkbit/hawkbit repo or when manually triggered
if: github.repository == 'eclipse-hawkbit/hawkbit' || github.event_name == 'workflow_dispatch'
reusable_workflow_license-scan:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.ref }}
- name: Set up JDK & Maven Central credentials
uses: actions/setup-java@v4
@@ -36,7 +38,9 @@ jobs:
- name: Check file license headers
run: mvn license:check -PcheckLicense --batch-mode
- name: Check dependency licenses with dash tool
- name: Check dependency licenses with dash tool (and open issues to Dash IP lab, doesn't fail)
if: ${{ inputs.open_tickets == 'true' }}
run: |
mvn clean install -DskipTests -DskipJavadoc --batch-mode
mvn license-tool:license-check -Ddash.fail=false -PcheckLicense -Ddash.iplab.token=${GITLAB_API_TOKEN} --projects '!org.eclipse.hawkbit:hawkbit-repository-test,!org.eclipse.hawkbit:hawkbit-dmf-rabbitmq-test'
@@ -45,26 +49,29 @@ jobs:
echo "Number of changed files: ${CHANGED_FILES_COUNT}"
if [ "${CHANGED_FILES_COUNT}" -ne 0 ]; then
if [ "${CHANGED_FILES_COUNT}" -eq 1 ]; then
DEPENDENCY_FILE=".3rd-party/DEPENDENCIES"
DEPENDENCIES_MODIFIED=$(git status --short | grep ".3rd-party/DEPENDENCIES")
# Check if the file is modified
if [[ -n "$DEPENDENCIES_MODIFIED" ]]; then
echo "${DEPENDENCY_FILE} changed - commit it"
git config --local user.name "github-actions[bot]"
git config --local user.email "github-actions[bot]@users.noreply.github.com"
git add ${DEPENDENCY_FILE} && git commit -m "[Release] Automated commit of ${DEPENDENCY_FILE} changes" && git push
else
echo "Unexpected changes:"
git status --short
exit 1
fi
else
echo "More than one file has changed:"
DEPENDENCY_FILE=".3rd-party/DEPENDENCIES"
DEPENDENCIES_MODIFIED=$(git status --short | grep ".3rd-party/DEPENDENCIES")
# Check if the file is modified
if [[ -n "$DEPENDENCIES_MODIFIED" ]]; then
echo "${DEPENDENCY_FILE} changed - commit it"
git config --local user.name "github-actions[bot]"
git config --local user.email "github-actions[bot]@users.noreply.github.com"
git add ${DEPENDENCY_FILE} && git commit -m "[Release] Automated commit of ${DEPENDENCY_FILE} changes" && git push
else
echo "Unexpected changes:"
git status --short
exit 1
fi
else
echo "More than one file has changed:"
git status --short
exit 1
fi
fi
# do dash.fail=true so if there are restricted dependencis the build will fail
# do dash.fail=true so if there are restricted dependencies the build will fail
mvn license-tool:license-check -Ddash.fail=true -PcheckLicense -Ddash.iplab.token=${GITLAB_API_TOKEN} --projects '!org.eclipse.hawkbit:hawkbit-repository-test,!org.eclipse.hawkbit:hawkbit-dmf-rabbitmq-test'
env:
GITLAB_API_TOKEN: ${{ secrets.GITLAB_API_TOKEN }}
- name: Check dependency licenses with dash tool (and return the result)
run: mvn license-tool:license-check -Ddash.fail=true -PcheckLicense --projects '!org.eclipse.hawkbit:hawkbit-repository-test,!org.eclipse.hawkbit:hawkbit-dmf-rabbitmq-test'

61
.github/workflows/reusable_workflow_tag.yaml vendored Normal file
View File

@@ -0,0 +1,61 @@
name: Tag
on:
workflow_call:
inputs:
tag_name:
type: string
description: 'Tag name, e.g. 1.0.0'
required: true
tag_message:
type: string
description: ''
required: false
override_tag:
type: boolean
description: 'If to override the tag if already exists'
required: false
default: false
jobs:
tag:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
- name: Tag release
run: |
git config --local user.name "github-actions[bot]"
git config --local user.email "github-actions[bot]@users.noreply.github.com"
if git rev-parse "${TAG_NAME}" >/dev/null 2>&1; then
echo "Creating a tag ${TAG_NAME} ..."
if [ -n "${TAG_MESSAGE}" ]; then
git tag -a ${TAG_NAME} -m "${TAG_MESSAGE}"
else
git tag -a ${TAG_NAME}
fi
git push origin ${TAG_NAME}
echo "Tag ${TAG_NAME} created."
else
if [ "${{ inputs.override_tag }}" == "true" ]; then
echo "Tag ${TAG_NAME} already exists, but override is set to true, so moving it ..."
git tag -d ${TAG_NAME}
if [ -n "${TAG_MESSAGE}" ]; then
git tag -a ${TAG_NAME} -m "${TAG_MESSAGE}"
else
git tag -a ${TAG_NAME}
fi
git push origin ${TAG_NAME}
echo "Tag ${TAG_NAME} moved."
else
echo "Tag ${TAG_NAME} already exists, do nothing."
fi
fi`
env:
TAG_NAME: ${{ inputs.tag_name }}
TAG_MESSAGE: ${{ inputs.tag_message }}

58
.github/workflows/trivy-scan.yml → .github/workflows/reusable_workflow_trivy-scan.yaml vendored
View File

@@ -1,16 +1,19 @@
name: Vulnerability Scan
name: Trivy Scan (Reusable Workflow)
on:
# enable running the workflow manually
workflow_dispatch:
schedule:
# run every night at 4:00 AM (UTC)
- cron: '0 4 * * *'
workflow_call:
variables:
ref:
description: 'The branch, tag or SHA to checkout, e.g. master'
type: string
default: 'master'
upload:
description: 'If to upload the scan results, e.g. true or false'
type: boolean
default: false
jobs:
trivy-scan:
# only on original eclipse-hawkbit/hawkbit repo or when manually triggered
if: github.repository == 'eclipse-hawkbit/hawkbit' || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
permissions:
@@ -21,6 +24,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
ref: ${{ inputs.ref }}
- name: Set up JDK
uses: actions/setup-java@v4
@@ -31,7 +36,7 @@ jobs:
- name: Create hawkBit container images
run: |
mvn clean install -DskipTests && \
mvn clean install -DskipTests -DskipJavadoc && \
cd docker/build && \
chmod +x build_dev.sh && \
./build_dev.sh && \
@@ -51,32 +56,53 @@ jobs:
mkdir -p scans/eclipse-hawkbit/hawkbit
for IMAGE in $(docker image ls --format "{{.Repository}}:{{.Tag}}" "hawkbit/hawkbit-*:latest"); do
echo "Scanning image ${IMAGE} ..."
./trivy image "${IMAGE}" --ignore-unfixed --ignorefile .github/workflows/.trivyignore --severity HIGH,CRITICAL --vuln-type library --output "scans/eclipse-hawkbit/$IMAGE.sarif" --format sarif
./trivy image "${IMAGE}" --ignore-unfixed --ignorefile .github/workflows/.trivyignore --severity HIGH,CRITICAL --vuln-type library --output "scans/eclipse-hawkbit/${IMAGE}.sarif" --format sarif
done
- name: Upload Docker image scan results to GitHub Security tab hawkbit-ddi-server
- name: Check if to upload scan results
run: |
if [ "${{ inputs.upload }}" = "true" ]; then
echo "Uploading scan results..."
else
echo "Skipping upload of scan results."
exit 0
fi
- name: Upload Docker image scan results to GitHub Security tab hawkbit-ddi-server (hawkbit-ddi-server)
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-ddi-server:latest.sarif'
category: "Container Images (hawkbit-ddi-server)"
- name: Upload Docker image scan results to GitHub Security tab hawkbit-dmf-server
- name: Upload Docker image scan results to GitHub Security tab hawkbit-dmf-server (hawkbit-dmf-server)
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-dmf-server:latest.sarif'
category: "Container Images (hawkbit-dmf-server)"
- name: Upload Docker image scan results to GitHub Security tab hawkbit-mgmt-server
- name: Upload Docker image scan results to GitHub Security tab hawkbit-mgmt-server (hawkbit-mgmt-server)
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-mgmt-server:latest.sarif'
category: "Container Images (hawkbit-mgmt-server)"
- name: Upload Docker image scan results to GitHub Security tab hawkbit-simple-ui
- name: Upload Docker image scan results to GitHub Security tab hawkbit-simple-ui (hawkbit-simple-ui)
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-simple-ui:latest.sarif'
category: "Container Images (hawkbit-simple-ui)"
- name: Upload Docker image scan results to GitHub Security tab
- name: Upload Docker image scan results to GitHub Security tab (hawkbit-update-server)
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-update-server:latest.sarif'
category: "Container Images (hawkbit-update-server)"
category: "Container Images (hawkbit-update-server)"
- name: Upload Docker image scan results to GitHub Security tab (hawkbit-repository-jpa-init)
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-repository-jpa-init:latest.sarif'
category: "Container Images (hawkbit-update-server)"
- name: Upload Docker image scan results to GitHub Security tab (hawkbit-repository-jpa-init)
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-repository-jpa-init:latest.sarif'
category: "Container Images (hawkbit-repository-jpa-init)"

30
.github/workflows/verify.yml → .github/workflows/reusable_workflow_verify.yaml vendored
View File

@@ -1,21 +1,19 @@
name: Verify
name: Verify (Reusable Workflow)
on:
push:
branches:
- master
paths-ignore:
- '.3rd-party/**'
- 'site/**'
- '**.md'
pull_request:
paths-ignore:
- '.3rd-party/**'
- 'site/**'
- '**.md'
workflow_call:
inputs:
ref:
description: 'The branch, tag or SHA to checkout, e.g. master'
type: string
default: 'master'
maven_properties:
type: string
default: ''
description: 'Properties to pass to Maven command line, e.g. -Djpa.vendor=hibernate'
jobs:
verify:
reusable_workflow_verify:
runs-on: ubuntu-latest
services:
@@ -31,6 +29,8 @@ jobs:
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.ref }}
- name: Set up JDK
uses: actions/setup-java@v4
@@ -51,4 +51,4 @@ jobs:
run: mvn license:check -PcheckLicense --batch-mode
- name: Run tests & javadoc
run: mvn clean verify javadoc:javadoc -PgenerateTestReport --batch-mode
run: mvn clean verify javadoc:javadoc -PgenerateTestReport ${{ inputs.maven_properties }} --batch-mode

0
.github/workflows/stale.yml → .github/workflows/stale.yaml vendored
View File

26
.github/workflows/verify-hibernate.yaml vendored Normal file
View File

@@ -0,0 +1,26 @@
name: Verify (Hibernate)
on:
push:
branches:
- master
paths-ignore:
- '.3rd-party/**'
- 'site/**'
- '**.md'
pull_request:
paths-ignore:
- '.3rd-party/**'
- 'site/**'
- '**.md'
workflow_dispatch:
permissions:
contents: read
jobs:
verify-hibernate:
uses: ./.github/workflows/reusable_workflow_verify.yaml
with:
ref: ${{ github.event_name == 'push' && github.ref || github.event_name == 'pull_request' && github.event.pull_request.head.ref || github.event_name == 'workflow_dispatch' && github.ref }}
maven_properties: '-Djpa.vendor=hibernate -Dlogging.level.org.hibernate.collection.spi.AbstractPersistentCollection=ERROR'

54
.github/workflows/verify-hibernate.yml vendored
View File

@@ -1,54 +0,0 @@
name: Verify (Hibernate)
on:
push:
branches:
- master
paths-ignore:
- '.3rd-party/**'
- 'site/**'
- '**.md'
pull_request:
paths-ignore:
- '.3rd-party/**'
- 'site/**'
- '**.md'
jobs:
verify-hibernate:
runs-on: ubuntu-latest
services:
rabbitmq:
image: rabbitmq:3-management-alpine
env:
RABBITMQ_DEFAULT_VHOST: /
RABBITMQ_DEFAULT_USER: guest
RABBITMQ_DEFAULT_PASS: guest
ports:
- 15672:15672
- 5672:5672
steps:
- uses: actions/checkout@v4
- name: Set up JDK
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: 21
cache: 'maven'
- name: Cache local Maven repository
uses: actions/cache@v4
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-maven-
- name: Check file license headers
run: mvn license:check -PcheckLicense --batch-mode
- name: Run tests & javadoc
run: mvn clean verify javadoc:javadoc --batch-mode -Djpa.vendor=hibernate -Dlogging.level.org.hibernate.collection.spi.AbstractPersistentCollection=ERROR

25
.github/workflows/verify.yaml vendored Normal file
View File

@@ -0,0 +1,25 @@
name: Verify
on:
push:
branches:
- master
paths-ignore:
- '.3rd-party/**'
- 'site/**'
- '**.md'
pull_request:
paths-ignore:
- '.3rd-party/**'
- 'site/**'
- '**.md'
workflow_dispatch:
permissions:
contents: read
jobs:
verify:
uses: ./.github/workflows/reusable_workflow_verify.yaml
with:
ref: ${{ github.event_name == 'push' && github.ref || github.event_name == 'pull_request' && github.event.pull_request.head.ref || github.event_name == 'workflow_dispatch' && github.ref }}

24
.github/workflows/vulnerability-scan.yaml vendored Normal file
View File

@@ -0,0 +1,24 @@
name: Vulnerability Scan
on:
# enable running the workflow manually
workflow_dispatch:
schedule:
# run every night at 4:00 AM (UTC)
- cron: '0 4 * * *'
permissions:
contents: read
security-events: write
jobs:
trivy-scan:
# only on original eclipse-hawkbit/hawkbit repo or when manually triggered
if: github.repository == 'eclipse-hawkbit/hawkbit' || github.event_name == 'workflow_dispatch'
uses: ./.github/workflows/reusable_workflow_trivy-scan.yaml
permissions:
contents: read
security-events: write
with:
ref: ${{ github.ref }}
upload: ${{ github.ref == 'refs/heads/master' }}