Refactor workflows - user reusable workflows (#2504)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
This commit is contained in:
@@ -4,6 +4,9 @@ on:
|
|||||||
pull_request_target:
|
pull_request_target:
|
||||||
types: [ opened ]
|
types: [ opened ]
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
greeting:
|
greeting:
|
||||||
# only on original eclipse-hawkbit/hawkbit repo
|
# only on original eclipse-hawkbit/hawkbit repo
|
||||||
24
.github/workflows/license-scan.yaml
vendored
Normal file
24
.github/workflows/license-scan.yaml
vendored
Normal file
@@ -0,0 +1,24 @@
|
|||||||
|
name: License Scan
|
||||||
|
|
||||||
|
on:
|
||||||
|
# enable running the workflow manually
|
||||||
|
workflow_dispatch:
|
||||||
|
schedule:
|
||||||
|
# run every night at 2:00 AM (UTC)
|
||||||
|
- cron: '0 2 * * *'
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: write
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
license-scan:
|
||||||
|
# only on original eclipse-hawkbit/hawkbit repo or when manually triggered
|
||||||
|
if: github.repository == 'eclipse-hawkbit/hawkbit' || github.event_name == 'workflow_dispatch'
|
||||||
|
uses: ./.github/workflows/reusable_workflow_license-scan.yaml
|
||||||
|
permissions:
|
||||||
|
contents: write
|
||||||
|
with:
|
||||||
|
ref: ${{ github.ref }}
|
||||||
|
open_tickets: true
|
||||||
|
secrets:
|
||||||
|
inherit: true
|
||||||
118
.github/workflows/release.yaml
vendored
Normal file
118
.github/workflows/release.yaml
vendored
Normal file
@@ -0,0 +1,118 @@
|
|||||||
|
name: Release
|
||||||
|
|
||||||
|
on:
|
||||||
|
# enable running the workflow manually
|
||||||
|
workflow_dispatch:
|
||||||
|
inputs:
|
||||||
|
revision:
|
||||||
|
description: 'Release version'
|
||||||
|
default: '0-SNAPSHOT'
|
||||||
|
override_tag:
|
||||||
|
description: 'If to move the tag if already exists'
|
||||||
|
default: false
|
||||||
|
required: false
|
||||||
|
dry_run:
|
||||||
|
description: 'If to skip publishing the release to central repository'
|
||||||
|
default: false
|
||||||
|
required: false
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
security-events: write
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
audit:
|
||||||
|
# only on original eclipse-hawkbit/hawkbit repo
|
||||||
|
if: github.repository == 'eclipse-hawkbit/hawkbit'
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: "Release ${{ inputs.revision }}"
|
||||||
|
run: echo "Releasing ${{ inputs.revision }}"
|
||||||
|
|
||||||
|
# tag with release version if not already tagged
|
||||||
|
# if already tagged - it will release from there
|
||||||
|
tag:
|
||||||
|
# only on original eclipse-hawkbit/hawkbit repo and when release fixed version
|
||||||
|
if: github.repository == 'eclipse-hawkbit/hawkbit' && inputs.revision != '0-SNAPSHOT'
|
||||||
|
uses: ./.github/workflows/reusable_workflow_tag.yaml
|
||||||
|
permissions:
|
||||||
|
contents: write
|
||||||
|
with:
|
||||||
|
tag_name: ${{ inputs.revision }}
|
||||||
|
tag_message: "Release version ${{ inputs.revision }}"
|
||||||
|
override_tag: ${{ inputs.override_tag }}
|
||||||
|
|
||||||
|
license-scan:
|
||||||
|
# only on original eclipse-hawkbit/hawkbit repo
|
||||||
|
if: github.repository == 'eclipse-hawkbit/hawkbit'
|
||||||
|
uses: ./.github/workflows/reusable_license-scan.yaml
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
with:
|
||||||
|
ref: ${{ inputs.revision == '0-SNAPSHOT' && github.ref || inputs.revision }}
|
||||||
|
|
||||||
|
trivy-scan:
|
||||||
|
# only on original eclipse-hawkbit/hawkbit repo or when manually triggered
|
||||||
|
if: github.repository == 'eclipse-hawkbit/hawkbit'
|
||||||
|
uses: ./.github/workflows/reusable_workflow_trivy-scan.yaml
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
security-events: write
|
||||||
|
with:
|
||||||
|
ref: ${{ inputs.revision == '0-SNAPSHOT' && github.ref || inputs.revision }}
|
||||||
|
upload: true
|
||||||
|
|
||||||
|
deploy:
|
||||||
|
# only on original eclipse-hawkbit/hawkbit repo
|
||||||
|
if: github.repository == 'eclipse-hawkbit/hawkbit'
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: write
|
||||||
|
|
||||||
|
services:
|
||||||
|
rabbitmq:
|
||||||
|
image: rabbitmq:3-management-alpine
|
||||||
|
env:
|
||||||
|
RABBITMQ_DEFAULT_VHOST: /
|
||||||
|
RABBITMQ_DEFAULT_USER: guest
|
||||||
|
RABBITMQ_DEFAULT_PASS: guest
|
||||||
|
ports:
|
||||||
|
- 15672:15672
|
||||||
|
- 5672:5672
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
ref: ${{ inputs.revision == '0-SNAPSHOT' && github.ref || inputs.revision }}
|
||||||
|
|
||||||
|
- name: Set up JDK & Maven Central credentials
|
||||||
|
uses: actions/setup-java@v4
|
||||||
|
with:
|
||||||
|
distribution: 'temurin'
|
||||||
|
java-version: 21
|
||||||
|
cache: 'maven'
|
||||||
|
server-id: central
|
||||||
|
server-username: MAVEN_USERNAME
|
||||||
|
server-password: MAVEN_PASSWORD
|
||||||
|
gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
|
||||||
|
gpg-passphrase: MAVEN_GPG_PASSPHRASE
|
||||||
|
|
||||||
|
- name: Cache local Maven repository
|
||||||
|
uses: actions/cache@v4
|
||||||
|
with:
|
||||||
|
path: ~/.m2/repository
|
||||||
|
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
|
||||||
|
restore-keys: |
|
||||||
|
${{ runner.os }}-maven-
|
||||||
|
|
||||||
|
- name: Run build javadoc, verify (test)
|
||||||
|
run: mvn verify javadoc:jar -PgenerateTestReport -Drevision=${{ inputs.revision }} --batch-mode
|
||||||
|
|
||||||
|
- name: "Deploy ${{ inputs.revision }}"
|
||||||
|
run: mvn deploy -DskipTests -Ppublish -Drevision=${{ inputs.revision }} -DskipPublishing=${{ inputs.dry_run }} --batch-mode
|
||||||
|
env:
|
||||||
|
MAVEN_USERNAME: ${{ secrets.CENTRAL_SONATYPE_TOKEN_USERNAME }}
|
||||||
|
MAVEN_PASSWORD: ${{ secrets.CENTRAL_SONATYPE_TOKEN_PASSWORD }}
|
||||||
|
MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
|
||||||
116
.github/workflows/release.yml
vendored
116
.github/workflows/release.yml
vendored
@@ -1,116 +0,0 @@
|
|||||||
name: Release
|
|
||||||
|
|
||||||
on:
|
|
||||||
# enable running the workflow manually
|
|
||||||
workflow_dispatch:
|
|
||||||
inputs:
|
|
||||||
revision:
|
|
||||||
description: 'Release version'
|
|
||||||
default: '0-SNAPSHOT'
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
release:
|
|
||||||
# only on original eclipse-hawkbit/hawkbit repo
|
|
||||||
if: github.repository == 'eclipse-hawkbit/hawkbit'
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: write
|
|
||||||
|
|
||||||
services:
|
|
||||||
rabbitmq:
|
|
||||||
image: rabbitmq:3-management-alpine
|
|
||||||
env:
|
|
||||||
RABBITMQ_DEFAULT_VHOST: /
|
|
||||||
RABBITMQ_DEFAULT_USER: guest
|
|
||||||
RABBITMQ_DEFAULT_PASS: guest
|
|
||||||
ports:
|
|
||||||
- 15672:15672
|
|
||||||
- 5672:5672
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
|
|
||||||
- name: "Release ${{ github.event.inputs.revision }}"
|
|
||||||
run: echo "Releasing ${{ github.event.inputs.revision }}"
|
|
||||||
|
|
||||||
- name: Set up JDK & Maven Central credentials
|
|
||||||
uses: actions/setup-java@v4
|
|
||||||
with:
|
|
||||||
distribution: 'temurin'
|
|
||||||
java-version: 21
|
|
||||||
cache: 'maven'
|
|
||||||
server-id: central
|
|
||||||
server-username: MAVEN_USERNAME
|
|
||||||
server-password: MAVEN_PASSWORD
|
|
||||||
gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
|
|
||||||
gpg-passphrase: MAVEN_GPG_PASSPHRASE
|
|
||||||
|
|
||||||
- name: Cache local Maven repository
|
|
||||||
uses: actions/cache@v4
|
|
||||||
with:
|
|
||||||
path: ~/.m2/repository
|
|
||||||
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
|
|
||||||
restore-keys: |
|
|
||||||
${{ runner.os }}-maven-
|
|
||||||
|
|
||||||
- name: Check file license headers
|
|
||||||
run: mvn clean license:check -PcheckLicense --batch-mode
|
|
||||||
- name: Check dependency licenses with dash tool
|
|
||||||
run: |
|
|
||||||
if [ "${REVISION}" = "0-SNAPSHOT" ]; then
|
|
||||||
DASH_FAIL=false
|
|
||||||
else
|
|
||||||
DASH_FAIL=true
|
|
||||||
fi
|
|
||||||
mvn install -DskipTests -DskipJavadoc --batch-mode
|
|
||||||
mvn license-tool:license-check -PcheckLicense -Ddash.fail=${DASH_FAIL} -Ddash.iplab.token=${GITLAB_API_TOKEN} --projects '!org.eclipse.hawkbit:hawkbit-repository-test,!org.eclipse.hawkbit:hawkbit-dmf-rabbitmq-test' --batch-mode
|
|
||||||
CHANGED_FILES_COUNT=$(git status --short | wc -l)
|
|
||||||
CHANGED_FILES_COUNT=${CHANGED_FILES_COUNT//[[:space:]]/}
|
|
||||||
echo "Number of changed files: ${CHANGED_FILES_COUNT}"
|
|
||||||
if [ "${CHANGED_FILES_COUNT}" -ne 0 ]; then
|
|
||||||
if [ "${CHANGED_FILES_COUNT}" -eq 1 ]; then
|
|
||||||
DEPENDENCY_FILE=".3rd-party/DEPENDENCIES"
|
|
||||||
DEPENDENCIES_MODIFIED=$(git status --short | grep ".3rd-party/DEPENDENCIES")
|
|
||||||
# Check if the file is modified
|
|
||||||
if [[ -n "$DEPENDENCIES_MODIFIED" ]]; then
|
|
||||||
echo "${DEPENDENCY_FILE} changed - commit it"
|
|
||||||
git config --local user.name "github-actions[bot]"
|
|
||||||
git config --local user.email "github-actions[bot]@users.noreply.github.com"
|
|
||||||
git add ${DEPENDENCY_FILE} && git commit -m "[Release] Automated commit of ${DEPENDENCY_FILE} changes" && git push
|
|
||||||
else
|
|
||||||
echo "Unexpected changes:"
|
|
||||||
git status --short
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
echo "More than one file has changed:"
|
|
||||||
git status --short
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
env:
|
|
||||||
REVISION: ${{ github.event.inputs.revision }}
|
|
||||||
GITLAB_API_TOKEN: ${{ secrets.GITLAB_API_TOKEN }}
|
|
||||||
|
|
||||||
- name: Run build javadoc, verify (test)
|
|
||||||
run: mvn verify javadoc:jar -PgenerateTestReport -Drevision=${REVISION} --batch-mode
|
|
||||||
env:
|
|
||||||
REVISION: ${{ github.event.inputs.revision }}
|
|
||||||
|
|
||||||
- name: "Deploy ${{ github.event.inputs.revision }}"
|
|
||||||
run: mvn deploy -DskipTests -Ppublish -Drevision=${REVISION} --batch-mode
|
|
||||||
env:
|
|
||||||
REVISION: ${{ github.event.inputs.revision }}
|
|
||||||
MAVEN_USERNAME: ${{ secrets.CENTRAL_SONATYPE_TOKEN_USERNAME }}
|
|
||||||
MAVEN_PASSWORD: ${{ secrets.CENTRAL_SONATYPE_TOKEN_PASSWORD }}
|
|
||||||
MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
|
|
||||||
- name: Tag release
|
|
||||||
run: |
|
|
||||||
if [ "${REVISION}" != "0-SNAPSHOT" ]; then
|
|
||||||
git config --local user.name "github-actions[bot]"
|
|
||||||
git config --local user.email "github-actions[bot]@users.noreply.github.com"
|
|
||||||
git tag -a ${REVISION} -m "Release version ${REVISION}" && git push origin ${REVISION}
|
|
||||||
fi
|
|
||||||
env:
|
|
||||||
REVISION: ${{ github.event.inputs.revision }}
|
|
||||||
@@ -11,6 +11,9 @@ on:
|
|||||||
description: 'Release version'
|
description: 'Release version'
|
||||||
default: '0-SNAPSHOT'
|
default: '0-SNAPSHOT'
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
release_docker:
|
release_docker:
|
||||||
# only on fork of eclipse-hawkbit/hawkbit repo - see the note above
|
# only on fork of eclipse-hawkbit/hawkbit repo - see the note above
|
||||||
@@ -20,8 +23,8 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: "Release ${{ github.event.inputs.revision }}"
|
- name: "Release ${{ inputs.revision }}"
|
||||||
run: echo "Releasing ${{ github.event.inputs.revision }}"
|
run: echo "Releasing ${{ inputs.revision }}"
|
||||||
|
|
||||||
- name: Setup
|
- name: Setup
|
||||||
run: |
|
run: |
|
||||||
@@ -61,14 +64,15 @@ jobs:
|
|||||||
|
|
||||||
- name: Push Docker Images
|
- name: Push Docker Images
|
||||||
run: |
|
run: |
|
||||||
ALL_APPS=() # Initialize an empty
|
ALL_APPS=()
|
||||||
for APP in $(echo "${ALL_APPS_STRING}" | tr ',' '\n' | xargs); do
|
for APP in $(echo "${ALL_APPS_STRING}" | tr ',' '\n' | xargs); do
|
||||||
ALL_APPS+=("${APP}") # Add trimmed app
|
ALL_APPS+=("${APP}") # trims chunk to fully qualified app name
|
||||||
done
|
done
|
||||||
|
|
||||||
for APP in "${ALL_APPS[@]}"; do
|
for APP in "${ALL_APPS[@]}"; do
|
||||||
echo "Deploy ${APP}"
|
echo "Deploying ${APP}..."
|
||||||
docker push hawkbit/${APP}:${REVISION}
|
docker push hawkbit/${APP}:${REVISION}
|
||||||
docker tag hawkbit/${APP}:${REVISION} hawkbit/${APP}:latest
|
docker tag hawkbit/${APP}:${REVISION} hawkbit/${APP}:latest
|
||||||
docker push hawkbit/${APP}:latest
|
docker push hawkbit/${APP}:latest
|
||||||
|
echo "${APP} deployed."
|
||||||
done
|
done
|
||||||
39
.github/workflows/release_tag.yaml
vendored
Normal file
39
.github/workflows/release_tag.yaml
vendored
Normal file
@@ -0,0 +1,39 @@
|
|||||||
|
name: Release Start
|
||||||
|
|
||||||
|
on:
|
||||||
|
# enable running the workflow manually
|
||||||
|
workflow_dispatch:
|
||||||
|
inputs:
|
||||||
|
revision:
|
||||||
|
description: 'Release version'
|
||||||
|
default: '0-SNAPSHOT'
|
||||||
|
override_tag:
|
||||||
|
description: 'If to move the tag if already exists'
|
||||||
|
default: false
|
||||||
|
required: false
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: write
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
audit:
|
||||||
|
# only on original eclipse-hawkbit/hawkbit repo
|
||||||
|
if: github.repository == 'eclipse-hawkbit/hawkbit'
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: "Release ${{ inputs.revision }}"
|
||||||
|
run: echo "Releasing ${{ inputs.revision }}"
|
||||||
|
|
||||||
|
# tag with release version if not already tagged
|
||||||
|
# if already tagged - it will release from there
|
||||||
|
tag:
|
||||||
|
# only on original eclipse-hawkbit/hawkbit repo and when release fixed version
|
||||||
|
if: github.repository == 'eclipse-hawkbit/hawkbit' && inputs.revision != '0-SNAPSHOT'
|
||||||
|
uses: ./.github/workflows/reusable_workflow_tag@${{ github.sha }}
|
||||||
|
permissions:
|
||||||
|
contents: write
|
||||||
|
with:
|
||||||
|
tag_name: ${{ inputs.revision }}
|
||||||
|
tag_message: "Release version ${{ inputs.revision }}"
|
||||||
|
override_tag: ${{ github.event.inputs.override_tag }}
|
||||||
@@ -1,23 +1,25 @@
|
|||||||
name: License Scan
|
name: License Scan (Reusable Workflow)
|
||||||
|
|
||||||
on:
|
on:
|
||||||
# enable running the workflow manually
|
workflow_call:
|
||||||
workflow_dispatch:
|
variables:
|
||||||
schedule:
|
ref:
|
||||||
# run every night at 2:00 AM (UTC)
|
description: 'The branch, tag or SHA to checkout, e.g. master'
|
||||||
- cron: '0 2 * * *'
|
type: string
|
||||||
|
default: 'master'
|
||||||
|
open_tickets:
|
||||||
|
description: 'If to open tickets for license issues to Dash IP lab, e.g. true or false'
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
license-scan:
|
reusable_workflow_license-scan:
|
||||||
# only on original eclipse-hawkbit/hawkbit repo or when manually triggered
|
|
||||||
if: github.repository == 'eclipse-hawkbit/hawkbit' || github.event_name == 'workflow_dispatch'
|
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: write
|
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
ref: ${{ inputs.ref }}
|
||||||
|
|
||||||
- name: Set up JDK & Maven Central credentials
|
- name: Set up JDK & Maven Central credentials
|
||||||
uses: actions/setup-java@v4
|
uses: actions/setup-java@v4
|
||||||
@@ -36,7 +38,9 @@ jobs:
|
|||||||
|
|
||||||
- name: Check file license headers
|
- name: Check file license headers
|
||||||
run: mvn license:check -PcheckLicense --batch-mode
|
run: mvn license:check -PcheckLicense --batch-mode
|
||||||
- name: Check dependency licenses with dash tool
|
|
||||||
|
- name: Check dependency licenses with dash tool (and open issues to Dash IP lab, doesn't fail)
|
||||||
|
if: ${{ inputs.open_tickets == 'true' }}
|
||||||
run: |
|
run: |
|
||||||
mvn clean install -DskipTests -DskipJavadoc --batch-mode
|
mvn clean install -DskipTests -DskipJavadoc --batch-mode
|
||||||
mvn license-tool:license-check -Ddash.fail=false -PcheckLicense -Ddash.iplab.token=${GITLAB_API_TOKEN} --projects '!org.eclipse.hawkbit:hawkbit-repository-test,!org.eclipse.hawkbit:hawkbit-dmf-rabbitmq-test'
|
mvn license-tool:license-check -Ddash.fail=false -PcheckLicense -Ddash.iplab.token=${GITLAB_API_TOKEN} --projects '!org.eclipse.hawkbit:hawkbit-repository-test,!org.eclipse.hawkbit:hawkbit-dmf-rabbitmq-test'
|
||||||
@@ -64,7 +68,10 @@ jobs:
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
# do dash.fail=true so if there are restricted dependencis the build will fail
|
# do dash.fail=true so if there are restricted dependencies the build will fail
|
||||||
mvn license-tool:license-check -Ddash.fail=true -PcheckLicense -Ddash.iplab.token=${GITLAB_API_TOKEN} --projects '!org.eclipse.hawkbit:hawkbit-repository-test,!org.eclipse.hawkbit:hawkbit-dmf-rabbitmq-test'
|
mvn license-tool:license-check -Ddash.fail=true -PcheckLicense -Ddash.iplab.token=${GITLAB_API_TOKEN} --projects '!org.eclipse.hawkbit:hawkbit-repository-test,!org.eclipse.hawkbit:hawkbit-dmf-rabbitmq-test'
|
||||||
env:
|
env:
|
||||||
GITLAB_API_TOKEN: ${{ secrets.GITLAB_API_TOKEN }}
|
GITLAB_API_TOKEN: ${{ secrets.GITLAB_API_TOKEN }}
|
||||||
|
|
||||||
|
- name: Check dependency licenses with dash tool (and return the result)
|
||||||
|
run: mvn license-tool:license-check -Ddash.fail=true -PcheckLicense --projects '!org.eclipse.hawkbit:hawkbit-repository-test,!org.eclipse.hawkbit:hawkbit-dmf-rabbitmq-test'
|
||||||
61
.github/workflows/reusable_workflow_tag.yaml
vendored
Normal file
61
.github/workflows/reusable_workflow_tag.yaml
vendored
Normal file
@@ -0,0 +1,61 @@
|
|||||||
|
name: Tag
|
||||||
|
|
||||||
|
on:
|
||||||
|
workflow_call:
|
||||||
|
inputs:
|
||||||
|
tag_name:
|
||||||
|
type: string
|
||||||
|
description: 'Tag name, e.g. 1.0.0'
|
||||||
|
required: true
|
||||||
|
tag_message:
|
||||||
|
type: string
|
||||||
|
description: ''
|
||||||
|
required: false
|
||||||
|
override_tag:
|
||||||
|
type: boolean
|
||||||
|
description: 'If to override the tag if already exists'
|
||||||
|
required: false
|
||||||
|
default: false
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
tag:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: write
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Tag release
|
||||||
|
run: |
|
||||||
|
git config --local user.name "github-actions[bot]"
|
||||||
|
git config --local user.email "github-actions[bot]@users.noreply.github.com"
|
||||||
|
|
||||||
|
if git rev-parse "${TAG_NAME}" >/dev/null 2>&1; then
|
||||||
|
echo "Creating a tag ${TAG_NAME} ..."
|
||||||
|
if [ -n "${TAG_MESSAGE}" ]; then
|
||||||
|
git tag -a ${TAG_NAME} -m "${TAG_MESSAGE}"
|
||||||
|
else
|
||||||
|
git tag -a ${TAG_NAME}
|
||||||
|
fi
|
||||||
|
git push origin ${TAG_NAME}
|
||||||
|
echo "Tag ${TAG_NAME} created."
|
||||||
|
else
|
||||||
|
if [ "${{ inputs.override_tag }}" == "true" ]; then
|
||||||
|
echo "Tag ${TAG_NAME} already exists, but override is set to true, so moving it ..."
|
||||||
|
git tag -d ${TAG_NAME}
|
||||||
|
if [ -n "${TAG_MESSAGE}" ]; then
|
||||||
|
git tag -a ${TAG_NAME} -m "${TAG_MESSAGE}"
|
||||||
|
else
|
||||||
|
git tag -a ${TAG_NAME}
|
||||||
|
fi
|
||||||
|
git push origin ${TAG_NAME}
|
||||||
|
echo "Tag ${TAG_NAME} moved."
|
||||||
|
else
|
||||||
|
echo "Tag ${TAG_NAME} already exists, do nothing."
|
||||||
|
fi
|
||||||
|
fi`
|
||||||
|
env:
|
||||||
|
TAG_NAME: ${{ inputs.tag_name }}
|
||||||
|
TAG_MESSAGE: ${{ inputs.tag_message }}
|
||||||
@@ -1,16 +1,19 @@
|
|||||||
name: Vulnerability Scan
|
name: Trivy Scan (Reusable Workflow)
|
||||||
|
|
||||||
on:
|
on:
|
||||||
# enable running the workflow manually
|
workflow_call:
|
||||||
workflow_dispatch:
|
variables:
|
||||||
schedule:
|
ref:
|
||||||
# run every night at 4:00 AM (UTC)
|
description: 'The branch, tag or SHA to checkout, e.g. master'
|
||||||
- cron: '0 4 * * *'
|
type: string
|
||||||
|
default: 'master'
|
||||||
|
upload:
|
||||||
|
description: 'If to upload the scan results, e.g. true or false'
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
trivy-scan:
|
trivy-scan:
|
||||||
# only on original eclipse-hawkbit/hawkbit repo or when manually triggered
|
|
||||||
if: github.repository == 'eclipse-hawkbit/hawkbit' || github.event_name == 'workflow_dispatch'
|
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
@@ -21,6 +24,8 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
ref: ${{ inputs.ref }}
|
||||||
|
|
||||||
- name: Set up JDK
|
- name: Set up JDK
|
||||||
uses: actions/setup-java@v4
|
uses: actions/setup-java@v4
|
||||||
@@ -31,7 +36,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Create hawkBit container images
|
- name: Create hawkBit container images
|
||||||
run: |
|
run: |
|
||||||
mvn clean install -DskipTests && \
|
mvn clean install -DskipTests -DskipJavadoc && \
|
||||||
cd docker/build && \
|
cd docker/build && \
|
||||||
chmod +x build_dev.sh && \
|
chmod +x build_dev.sh && \
|
||||||
./build_dev.sh && \
|
./build_dev.sh && \
|
||||||
@@ -51,32 +56,53 @@ jobs:
|
|||||||
mkdir -p scans/eclipse-hawkbit/hawkbit
|
mkdir -p scans/eclipse-hawkbit/hawkbit
|
||||||
for IMAGE in $(docker image ls --format "{{.Repository}}:{{.Tag}}" "hawkbit/hawkbit-*:latest"); do
|
for IMAGE in $(docker image ls --format "{{.Repository}}:{{.Tag}}" "hawkbit/hawkbit-*:latest"); do
|
||||||
echo "Scanning image ${IMAGE} ..."
|
echo "Scanning image ${IMAGE} ..."
|
||||||
./trivy image "${IMAGE}" --ignore-unfixed --ignorefile .github/workflows/.trivyignore --severity HIGH,CRITICAL --vuln-type library --output "scans/eclipse-hawkbit/$IMAGE.sarif" --format sarif
|
./trivy image "${IMAGE}" --ignore-unfixed --ignorefile .github/workflows/.trivyignore --severity HIGH,CRITICAL --vuln-type library --output "scans/eclipse-hawkbit/${IMAGE}.sarif" --format sarif
|
||||||
done
|
done
|
||||||
|
|
||||||
- name: Upload Docker image scan results to GitHub Security tab hawkbit-ddi-server
|
- name: Check if to upload scan results
|
||||||
|
run: |
|
||||||
|
if [ "${{ inputs.upload }}" = "true" ]; then
|
||||||
|
echo "Uploading scan results..."
|
||||||
|
else
|
||||||
|
echo "Skipping upload of scan results."
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
- name: Upload Docker image scan results to GitHub Security tab hawkbit-ddi-server (hawkbit-ddi-server)
|
||||||
uses: github/codeql-action/upload-sarif@v3
|
uses: github/codeql-action/upload-sarif@v3
|
||||||
with:
|
with:
|
||||||
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-ddi-server:latest.sarif'
|
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-ddi-server:latest.sarif'
|
||||||
category: "Container Images (hawkbit-ddi-server)"
|
category: "Container Images (hawkbit-ddi-server)"
|
||||||
- name: Upload Docker image scan results to GitHub Security tab hawkbit-dmf-server
|
- name: Upload Docker image scan results to GitHub Security tab hawkbit-dmf-server (hawkbit-dmf-server)
|
||||||
uses: github/codeql-action/upload-sarif@v3
|
uses: github/codeql-action/upload-sarif@v3
|
||||||
with:
|
with:
|
||||||
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-dmf-server:latest.sarif'
|
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-dmf-server:latest.sarif'
|
||||||
category: "Container Images (hawkbit-dmf-server)"
|
category: "Container Images (hawkbit-dmf-server)"
|
||||||
- name: Upload Docker image scan results to GitHub Security tab hawkbit-mgmt-server
|
- name: Upload Docker image scan results to GitHub Security tab hawkbit-mgmt-server (hawkbit-mgmt-server)
|
||||||
uses: github/codeql-action/upload-sarif@v3
|
uses: github/codeql-action/upload-sarif@v3
|
||||||
with:
|
with:
|
||||||
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-mgmt-server:latest.sarif'
|
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-mgmt-server:latest.sarif'
|
||||||
category: "Container Images (hawkbit-mgmt-server)"
|
category: "Container Images (hawkbit-mgmt-server)"
|
||||||
- name: Upload Docker image scan results to GitHub Security tab hawkbit-simple-ui
|
- name: Upload Docker image scan results to GitHub Security tab hawkbit-simple-ui (hawkbit-simple-ui)
|
||||||
uses: github/codeql-action/upload-sarif@v3
|
uses: github/codeql-action/upload-sarif@v3
|
||||||
with:
|
with:
|
||||||
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-simple-ui:latest.sarif'
|
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-simple-ui:latest.sarif'
|
||||||
category: "Container Images (hawkbit-simple-ui)"
|
category: "Container Images (hawkbit-simple-ui)"
|
||||||
|
|
||||||
- name: Upload Docker image scan results to GitHub Security tab
|
- name: Upload Docker image scan results to GitHub Security tab (hawkbit-update-server)
|
||||||
uses: github/codeql-action/upload-sarif@v3
|
uses: github/codeql-action/upload-sarif@v3
|
||||||
with:
|
with:
|
||||||
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-update-server:latest.sarif'
|
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-update-server:latest.sarif'
|
||||||
category: "Container Images (hawkbit-update-server)"
|
category: "Container Images (hawkbit-update-server)"
|
||||||
|
|
||||||
|
- name: Upload Docker image scan results to GitHub Security tab (hawkbit-repository-jpa-init)
|
||||||
|
uses: github/codeql-action/upload-sarif@v3
|
||||||
|
with:
|
||||||
|
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-repository-jpa-init:latest.sarif'
|
||||||
|
category: "Container Images (hawkbit-update-server)"
|
||||||
|
|
||||||
|
- name: Upload Docker image scan results to GitHub Security tab (hawkbit-repository-jpa-init)
|
||||||
|
uses: github/codeql-action/upload-sarif@v3
|
||||||
|
with:
|
||||||
|
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-repository-jpa-init:latest.sarif'
|
||||||
|
category: "Container Images (hawkbit-repository-jpa-init)"
|
||||||
@@ -1,21 +1,19 @@
|
|||||||
name: Verify
|
name: Verify (Reusable Workflow)
|
||||||
|
|
||||||
on:
|
on:
|
||||||
push:
|
workflow_call:
|
||||||
branches:
|
inputs:
|
||||||
- master
|
ref:
|
||||||
paths-ignore:
|
description: 'The branch, tag or SHA to checkout, e.g. master'
|
||||||
- '.3rd-party/**'
|
type: string
|
||||||
- 'site/**'
|
default: 'master'
|
||||||
- '**.md'
|
maven_properties:
|
||||||
pull_request:
|
type: string
|
||||||
paths-ignore:
|
default: ''
|
||||||
- '.3rd-party/**'
|
description: 'Properties to pass to Maven command line, e.g. -Djpa.vendor=hibernate'
|
||||||
- 'site/**'
|
|
||||||
- '**.md'
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
verify:
|
reusable_workflow_verify:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
services:
|
services:
|
||||||
@@ -31,6 +29,8 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
ref: ${{ inputs.ref }}
|
||||||
|
|
||||||
- name: Set up JDK
|
- name: Set up JDK
|
||||||
uses: actions/setup-java@v4
|
uses: actions/setup-java@v4
|
||||||
@@ -51,4 +51,4 @@ jobs:
|
|||||||
run: mvn license:check -PcheckLicense --batch-mode
|
run: mvn license:check -PcheckLicense --batch-mode
|
||||||
|
|
||||||
- name: Run tests & javadoc
|
- name: Run tests & javadoc
|
||||||
run: mvn clean verify javadoc:javadoc -PgenerateTestReport --batch-mode
|
run: mvn clean verify javadoc:javadoc -PgenerateTestReport ${{ inputs.maven_properties }} --batch-mode
|
||||||
26
.github/workflows/verify-hibernate.yaml
vendored
Normal file
26
.github/workflows/verify-hibernate.yaml
vendored
Normal file
@@ -0,0 +1,26 @@
|
|||||||
|
name: Verify (Hibernate)
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- master
|
||||||
|
paths-ignore:
|
||||||
|
- '.3rd-party/**'
|
||||||
|
- 'site/**'
|
||||||
|
- '**.md'
|
||||||
|
pull_request:
|
||||||
|
paths-ignore:
|
||||||
|
- '.3rd-party/**'
|
||||||
|
- 'site/**'
|
||||||
|
- '**.md'
|
||||||
|
workflow_dispatch:
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
verify-hibernate:
|
||||||
|
uses: ./.github/workflows/reusable_workflow_verify.yaml
|
||||||
|
with:
|
||||||
|
ref: ${{ github.event_name == 'push' && github.ref || github.event_name == 'pull_request' && github.event.pull_request.head.ref || github.event_name == 'workflow_dispatch' && github.ref }}
|
||||||
|
maven_properties: '-Djpa.vendor=hibernate -Dlogging.level.org.hibernate.collection.spi.AbstractPersistentCollection=ERROR'
|
||||||
54
.github/workflows/verify-hibernate.yml
vendored
54
.github/workflows/verify-hibernate.yml
vendored
@@ -1,54 +0,0 @@
|
|||||||
name: Verify (Hibernate)
|
|
||||||
|
|
||||||
on:
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- master
|
|
||||||
paths-ignore:
|
|
||||||
- '.3rd-party/**'
|
|
||||||
- 'site/**'
|
|
||||||
- '**.md'
|
|
||||||
pull_request:
|
|
||||||
paths-ignore:
|
|
||||||
- '.3rd-party/**'
|
|
||||||
- 'site/**'
|
|
||||||
- '**.md'
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
verify-hibernate:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
services:
|
|
||||||
rabbitmq:
|
|
||||||
image: rabbitmq:3-management-alpine
|
|
||||||
env:
|
|
||||||
RABBITMQ_DEFAULT_VHOST: /
|
|
||||||
RABBITMQ_DEFAULT_USER: guest
|
|
||||||
RABBITMQ_DEFAULT_PASS: guest
|
|
||||||
ports:
|
|
||||||
- 15672:15672
|
|
||||||
- 5672:5672
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
|
|
||||||
- name: Set up JDK
|
|
||||||
uses: actions/setup-java@v4
|
|
||||||
with:
|
|
||||||
distribution: 'temurin'
|
|
||||||
java-version: 21
|
|
||||||
cache: 'maven'
|
|
||||||
|
|
||||||
- name: Cache local Maven repository
|
|
||||||
uses: actions/cache@v4
|
|
||||||
with:
|
|
||||||
path: ~/.m2/repository
|
|
||||||
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
|
|
||||||
restore-keys: |
|
|
||||||
${{ runner.os }}-maven-
|
|
||||||
|
|
||||||
- name: Check file license headers
|
|
||||||
run: mvn license:check -PcheckLicense --batch-mode
|
|
||||||
|
|
||||||
- name: Run tests & javadoc
|
|
||||||
run: mvn clean verify javadoc:javadoc --batch-mode -Djpa.vendor=hibernate -Dlogging.level.org.hibernate.collection.spi.AbstractPersistentCollection=ERROR
|
|
||||||
25
.github/workflows/verify.yaml
vendored
Normal file
25
.github/workflows/verify.yaml
vendored
Normal file
@@ -0,0 +1,25 @@
|
|||||||
|
name: Verify
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- master
|
||||||
|
paths-ignore:
|
||||||
|
- '.3rd-party/**'
|
||||||
|
- 'site/**'
|
||||||
|
- '**.md'
|
||||||
|
pull_request:
|
||||||
|
paths-ignore:
|
||||||
|
- '.3rd-party/**'
|
||||||
|
- 'site/**'
|
||||||
|
- '**.md'
|
||||||
|
workflow_dispatch:
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
verify:
|
||||||
|
uses: ./.github/workflows/reusable_workflow_verify.yaml
|
||||||
|
with:
|
||||||
|
ref: ${{ github.event_name == 'push' && github.ref || github.event_name == 'pull_request' && github.event.pull_request.head.ref || github.event_name == 'workflow_dispatch' && github.ref }}
|
||||||
24
.github/workflows/vulnerability-scan.yaml
vendored
Normal file
24
.github/workflows/vulnerability-scan.yaml
vendored
Normal file
@@ -0,0 +1,24 @@
|
|||||||
|
name: Vulnerability Scan
|
||||||
|
|
||||||
|
on:
|
||||||
|
# enable running the workflow manually
|
||||||
|
workflow_dispatch:
|
||||||
|
schedule:
|
||||||
|
# run every night at 4:00 AM (UTC)
|
||||||
|
- cron: '0 4 * * *'
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
security-events: write
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
trivy-scan:
|
||||||
|
# only on original eclipse-hawkbit/hawkbit repo or when manually triggered
|
||||||
|
if: github.repository == 'eclipse-hawkbit/hawkbit' || github.event_name == 'workflow_dispatch'
|
||||||
|
uses: ./.github/workflows/reusable_workflow_trivy-scan.yaml
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
security-events: write
|
||||||
|
with:
|
||||||
|
ref: ${{ github.ref }}
|
||||||
|
upload: ${{ github.ref == 'refs/heads/master' }}
|
||||||
3
pom.xml
3
pom.xml
@@ -129,6 +129,8 @@
|
|||||||
<dash.review.summary>${project.build.directory}/.3rd-party/DEPENDENCIES_REVIEW</dash.review.summary>
|
<dash.review.summary>${project.build.directory}/.3rd-party/DEPENDENCIES_REVIEW</dash.review.summary>
|
||||||
<excludeGroupIds>org.eclipse,org.junit</excludeGroupIds>
|
<excludeGroupIds>org.eclipse,org.junit</excludeGroupIds>
|
||||||
<!-- Dash tool integration - END -->
|
<!-- Dash tool integration - END -->
|
||||||
|
|
||||||
|
<skipPublishing>false</skipPublishing>
|
||||||
</properties>
|
</properties>
|
||||||
|
|
||||||
<developers>
|
<developers>
|
||||||
@@ -670,6 +672,7 @@
|
|||||||
<publishingServerId>central</publishingServerId>
|
<publishingServerId>central</publishingServerId>
|
||||||
<autoPublish>true</autoPublish>
|
<autoPublish>true</autoPublish>
|
||||||
<waitUntil>published</waitUntil>
|
<waitUntil>published</waitUntil>
|
||||||
|
<skipPublishing>${skipPublishing}</skipPublishing>
|
||||||
</configuration>
|
</configuration>
|
||||||
</plugin>
|
</plugin>
|
||||||
</plugins>
|
</plugins>
|
||||||
|
|||||||
Reference in New Issue
Block a user