Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 39 additions & 22 deletions .github/workflows/nightly.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,27 +13,44 @@
runs-on: ubuntu-latest

steps:
# Setup java environment
- name: setup-java
uses: actions/setup-java@v1
with:
java-version: 11

# Checkout the git repository
- name: checkout
uses: actions/checkout@v2
uses: actions/checkout@v6
with:
fetch-depth: 0

# Get the current project version from pom.xml
- name: get-project-version
id: get_project_version
uses: avides/actions-project-version-check@v2

Check failure on line 25 in .github/workflows/nightly.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Use full commit SHA hash for this dependency.

See more on https://sonarcloud.io/project/issues?id=avides_spring-rabbit&issues=AZ9LdnBPowT7bn0SYXnH&open=AZ9LdnBPowT7bn0SYXnH&pullRequest=19

Check failure

Code scanning / SonarCloud

External GitHub Actions and workflows should be pinned to a commit hash High

Use full commit SHA hash for this dependency. See more on SonarQube Cloud
with:
ref: ${{ github.head_ref }}
token: ${{ secrets.GPR_TOKEN }}
fetch-depth: ''
token: ${{ secrets.GITHUB_TOKEN }}
file-to-check: pom.xml
only-return-version: true

# Execute some necessary git commands to get more repository informations
- name: post-checkout
run: git fetch --prune --unshallow
# Determine java-version
- name: determine-java-version
id: determine_java_version
run: |
if grep -q "<java.version>" pom.xml; then
JAVA_VERSION=$(grep -oP '(?<=<java.version>).*?(?=</java.version>)' pom.xml | head -n 1 | cut -d. -f1 | xargs)
elif [ -f ".github/java.version" ]; then
JAVA_VERSION=$(cat .github/java.version | xargs)
else
JAVA_VERSION="11"
fi
echo "detected_java_version=$JAVA_VERSION" >> $GITHUB_OUTPUT

# Setup java environment
- name: setup-java
uses: actions/setup-java@v5
with:
distribution: temurin
java-version: ${{ steps.determine_java_version.outputs.detected_java_version }}

# Setup/load GitHub Actions caching for external dependencies, in this case especially for Maven
- name: caching
uses: actions/cache@v2
uses: actions/cache@v5
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
Expand All @@ -51,16 +68,16 @@
- name: integration-tests
run: mvn -DskipUTs -Dgpg.skip=true jacoco:restore-instrumented-classes verify

# Execute sonar analysis and publish results to the sonarqube server
# Execute sonar analysis and publish results to the sonarcloud server
- name: sonar-analyse
env:
SONAR_HOST: ${{ secrets.OS_SONAR_HOST_URL }}
SONAR_TOKEN: ${{ secrets.OS_SONAR_TOKEN }}
PROJECT_VERSION: ${{ steps.get_project_version.outputs.version }}
run: |
export SONAR_ORGANIZATION=$(echo ${GITHUB_REPOSITORY} | cut -d / -f 1)
mvn sonar:sonar \
-Dsonar.host.url=${SONAR_HOST} \
-Dsonar.login=${SONAR_TOKEN} \
mvn org.sonarsource.scanner.maven:sonar-maven-plugin:5.5.0.6356:sonar \
-Dsonar.host.url=${{ secrets.OS_SONAR_HOST_URL }} \

Check warning on line 78 in .github/workflows/nightly.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Avoid expanding secrets in a run block.

See more on https://sonarcloud.io/project/issues?id=avides_spring-rabbit&issues=AZ9LdnBPowT7bn0SYXnF&open=AZ9LdnBPowT7bn0SYXnF&pullRequest=19

Check warning

Code scanning / SonarCloud

Secrets should not be directly expanded in run steps alongside third-party actions Medium

Avoid expanding secrets in a run block. See more on SonarQube Cloud
-Dsonar.token=${{ secrets.OS_SONAR_TOKEN }} \

Check warning on line 79 in .github/workflows/nightly.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Avoid expanding secrets in a run block.

See more on https://sonarcloud.io/project/issues?id=avides_spring-rabbit&issues=AZ9LdnBPowT7bn0SYXnG&open=AZ9LdnBPowT7bn0SYXnG&pullRequest=19

Check warning

Code scanning / SonarCloud

Secrets should not be directly expanded in run steps alongside third-party actions Medium

Avoid expanding secrets in a run block. See more on SonarQube Cloud
-Dsonar.projectVersion=${PROJECT_VERSION} \
-Dsonar.branch.name=master \
-Dsonar.organization=${SONAR_ORGANIZATION} \
-Dsonar.projectKey=${GITHUB_REPOSITORY//\//_} \
-Dsonar.java.binaries=./target/classes
-Dsonar.projectKey=${GITHUB_REPOSITORY//\//_}
122 changes: 64 additions & 58 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# This configuration is used for the deployment and publish to GitHub Packages
# This configuration is used for the deployment and publish to Maven Central
name: release

on:
Expand All @@ -11,101 +11,107 @@
release:
timeout-minutes: 30

env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

runs-on: ubuntu-latest

steps:
# Setup java environment
- name: setup-java
uses: actions/setup-java@v1
with:
java-version: 11
server-id: ossrh
server-username: OSSRH_USERNAME
server-password: OSSRH_PASSWORD

# Checkout the git repository
- name: setup-github-release
run: sed -i -e 's/<\/servers>/<server><id>github<\/id><username>x-access-token<\/username><password>${GITHUB_TOKEN}<\/password><\/server><\/servers>/g' /home/runner/.m2/settings.xml

# Setup GPG for Maven Central deployment
- name: setup-gpg
env:
GPG_PRIVATE_KEY: ${{ secrets.OS_GPG_PRIVATE_KEY }}
run: cat <(echo -e "${GPG_PRIVATE_KEY}") | gpg --batch --import

# Checkout the git repository
- name: checkout
uses: actions/checkout@v2
uses: actions/checkout@v6
with:
ref: ${{ github.head_ref }}
token: ${{ secrets.GPR_TOKEN }}
fetch-depth: ''
fetch-depth: 0

# Get the current project version from pom.xml
- name: get-project-version
id: get_project_version
uses: avides/actions-project-version-check@v2

Check failure on line 26 in .github/workflows/release.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Use full commit SHA hash for this dependency.

See more on https://sonarcloud.io/project/issues?id=avides_spring-rabbit&issues=AZ9LdnBGowT7bn0SYXnD&open=AZ9LdnBGowT7bn0SYXnD&pullRequest=19

Check failure

Code scanning / SonarCloud

External GitHub Actions and workflows should be pinned to a commit hash High

Use full commit SHA hash for this dependency. See more on SonarQube Cloud
with:
token: ${{ secrets.GITHUB_TOKEN }}
file-to-check: pom.xml
only-return-version: true

# Execute some necessary git commands to get more repository informations
- name: post-checkout
run: git fetch --prune --unshallow
# Determine java-version
- name: determine-java-version
id: determine_java_version
run: |
if grep -q "<java.version>" pom.xml; then
JAVA_VERSION=$(grep -oP '(?<=<java.version>).*?(?=</java.version>)' pom.xml | head -n 1 | cut -d. -f1 | xargs)
elif [ -f ".github/java.version" ]; then
JAVA_VERSION=$(cat .github/java.version | xargs)
else
JAVA_VERSION="11"
fi
echo "detected_java_version=$JAVA_VERSION" >> $GITHUB_OUTPUT

# Setup java environment
- name: setup-java
uses: actions/setup-java@v5
with:
distribution: temurin
java-version: ${{ steps.determine_java_version.outputs.detected_java_version }}
server-id: central
server-username: OS_CENTRAL_USERNAME
server-password: OS_CENTRAL_PASSWORD
Comment on lines +50 to +53

# Setup GitHub Actions caching for external dependencies, in this case especially for Maven
- name: caching
uses: actions/cache@v2
uses: actions/cache@v5
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-maven-

# Execute Maven command for the deployment and publish to Maven Central
# Setup GPG for Maven Central deployment
- name: setup-gpg
env:
GPG_PRIVATE_KEY: ${{ secrets.OS_GPG_PRIVATE_KEY }}
run: cat <(echo -e "${GPG_PRIVATE_KEY}") | gpg --batch --import

# Execute Maven command to build the project and publish to Maven Central
- name: deploy
env:
OSSRH_USERNAME: ${{ secrets.OS_OSSRH_USERNAME }}
OSSRH_PASSWORD: ${{ secrets.OS_OSSRH_PASSWORD }}
OS_CENTRAL_USERNAME: ${{ secrets.OS_CENTRAL_USERNAME }}
OS_CENTRAL_PASSWORD: ${{ secrets.OS_CENTRAL_PASSWORD }}
GPG_PASSPHRASE: ${{ secrets.OS_GPG_PASSPHRASE }}
run: mvn deploy -Dmaven.wagon.http.pool=false -Dgpg.executable=gpg -Dgpg.passphrase=${GPG_PASSPHRASE}
PROJECT_VERSION: ${{ steps.get_project_version.outputs.version }}
run: |
if [[ "$PROJECT_VERSION" == *"SNAPSHOT"* || "$PROJECT_VERSION" == *"RC"* ]]; then
mvn -Dmaven.wagon.http.pool=false -Dgpg.executable=gpg -Dgpg.passphrase=${GPG_PASSPHRASE} clean deploy
else
mvn -Dmaven.wagon.http.pool=false -Dgpg.executable=gpg -Dgpg.passphrase=${GPG_PASSPHRASE} -DskipUTs -DskipITs clean deploy
fi

# Execute sonar analysis and publish results to the sonarcloud server
- name: sonar-analyse
env:
SONAR_HOST: ${{ secrets.OS_SONAR_HOST_URL }}
SONAR_TOKEN: ${{ secrets.OS_SONAR_TOKEN }}
PROJECT_VERSION: ${{ steps.get_project_version.outputs.version }}
run: |
export SONAR_ORGANIZATION=$(echo ${GITHUB_REPOSITORY} | cut -d / -f 1)
mvn sonar:sonar \
-Dsonar.host.url=${SONAR_HOST} \
-Dsonar.login=${SONAR_TOKEN} \
mvn org.sonarsource.scanner.maven:sonar-maven-plugin:5.5.0.6356:sonar \
-Dsonar.host.url=${{ secrets.OS_SONAR_HOST_URL }} \

Check warning on line 90 in .github/workflows/release.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Avoid expanding secrets in a run block.

See more on https://sonarcloud.io/project/issues?id=avides_spring-rabbit&issues=AZ9LdnBGowT7bn0SYXnB&open=AZ9LdnBGowT7bn0SYXnB&pullRequest=19

Check warning

Code scanning / SonarCloud

Secrets should not be directly expanded in run steps alongside third-party actions Medium

Avoid expanding secrets in a run block. See more on SonarQube Cloud
-Dsonar.token=${{ secrets.OS_SONAR_TOKEN }} \

Check warning on line 91 in .github/workflows/release.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Avoid expanding secrets in a run block.

See more on https://sonarcloud.io/project/issues?id=avides_spring-rabbit&issues=AZ9LdnBGowT7bn0SYXnC&open=AZ9LdnBGowT7bn0SYXnC&pullRequest=19

Check warning

Code scanning / SonarCloud

Secrets should not be directly expanded in run steps alongside third-party actions Medium

Avoid expanding secrets in a run block. See more on SonarQube Cloud
-Dsonar.projectVersion=${PROJECT_VERSION} \
-Dsonar.branch.name=${{ github.ref_name }} \
-Dsonar.organization=${SONAR_ORGANIZATION} \
-Dsonar.projectKey=${GITHUB_REPOSITORY//\//_} \
-Dsonar.java.binaries=./target/classes

# Get the current project version from POM
- name: get-project-version
id: get_project_version
uses: avides/actions-project-version-check@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
file-to-check: pom.xml
only-return-version: true
-Dsonar.projectKey=${GITHUB_REPOSITORY//\//_}

# Get last commit message for GitHub Release tag
- name: setup-github-release
id: setup_github_release
env:
PROJECT_VERSION: ${{ steps.get_project_version.outputs.version }}
run: |
echo ::set-output name=gitcommitmessage::$(git log --no-merges -1 --oneline)
echo "gitcommitmessage=$(git log --no-merges -1 --oneline)" >> $GITHUB_OUTPUT
if [[ "$PROJECT_VERSION" == *"SNAPSHOT"* || "$PROJECT_VERSION" == *"RC"* ]]; then
echo ::set-output name=isprerelease::true
echo "isprerelease=true" >> $GITHUB_OUTPUT
else
echo "isprerelease=false" >> $GITHUB_OUTPUT
fi

# Create and publish GitHub Release tag
- name: github-release
uses: actions/create-release@v1
continue-on-error: true
env:
GITHUB_TOKEN: ${{ secrets.GPR_TOKEN }}
uses: softprops/action-gh-release@v2

Check failure on line 112 in .github/workflows/release.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Use full commit SHA hash for this dependency.

See more on https://sonarcloud.io/project/issues?id=avides_spring-rabbit&issues=AZ9LdnBGowT7bn0SYXnE&open=AZ9LdnBGowT7bn0SYXnE&pullRequest=19

Check failure

Code scanning / SonarCloud

External GitHub Actions and workflows should be pinned to a commit hash High

Use full commit SHA hash for this dependency. See more on SonarQube Cloud
with:
token: ${{ secrets.GPR_TOKEN }}
tag_name: ${{ steps.get_project_version.outputs.version }}
release_name: ${{ steps.get_project_version.outputs.version }}
body: ${{ steps.setup_github_release.outputs.gitcommitmessage }}
prerelease: ${{ steps.setup_github_release.outputs.isprerelease }}
Loading
Loading