From 9b71eac2d24e4d55313ef739b307983a3dea4a12 Mon Sep 17 00:00:00 2001 From: "kathrin.resek" Date: Sat, 21 Mar 2026 18:34:17 +0100 Subject: build(ci): switching from GitLab CI to GitHub Actions --- .github/workflows/build.yml | 348 ++++++++++++++++++++++++++++++++++++++++++ .github/workflows/release.yml | 59 +++++++ 2 files changed, 407 insertions(+) create mode 100644 .github/workflows/build.yml create mode 100644 .github/workflows/release.yml (limited to '.github') diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..25bed96 --- /dev/null +++ b/.github/workflows/build.yml 
@@ -0,0 +1,348 @@
+name: Build
+
+on:
+ push:
+ branches:
+ - '**'
+ tags:
+ - 'v*'
+ pull_request:
+ branches:
+ - '**'
+ workflow_dispatch:
+
+env:
+ LC_ALL: "en_US.UTF-8"
+ LANG: "en_US.UTF-8"
+ LANGUAGE: "en_US"
+ LIB_NAME: "MOA-SIG"
+ PROJECT_PATH: '.'
+ PROJECT_NAME: 'moa-sig'
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ SECURE_LOG_LEVEL: "debug"
+ PROJECT_PACKAGE: '${{ github.workspace }}/moaSig/moa-sig/build/distributions/*.zip'
+
+jobs:
+ security-checks:
+ name: Security Scans (Dependency/SAST/Secrets)
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Dependency Scanning (OWASP Dependency-Check)
+ uses: dependency-check/Dependency-Check_Action@main
+ with:
+ project: ${{ env.PROJECT_NAME }}
+ path: ${{ env.PROJECT_PATH }}
+ format: ALL
+ args: --noupdate
+
+ - name: SAST (Semgrep)
+ uses: returntocorp/semgrep-action@v1
+ continue-on-error: true
+ with:
+ config: >-
+ p/security-audit
+ p/java
+
+ - name: Secret Detection (TruffleHog)
+ uses: trufflesecurity/trufflehog@main
+
+ build-and-analyse:
+ name: Compile & Test
+ if: ${{ !startsWith(github.ref, 'refs/tags/') }}
+ needs: security-checks
+ runs-on: [self-hosted, linux]
+ outputs:
+ version: ${{ steps.meta.outputs.version }}
+ short_sha: ${{ steps.meta.outputs.short_sha }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 2
+ submodules: recursive
+
+ - name: Set up JDK 17
+ uses: actions/setup-java@v4
+ with:
+ distribution: temurin
+ java-version: 17
+ cache: gradle
+
+ - name: Gradle Metadata
+ id: meta
+ run: |
+ echo "short_sha=${GITHUB_SHA:0:8}" >> "$GITHUB_OUTPUT"
+ cd moaSig
+ VERSION=$(./gradlew -q properties --console=plain | grep "^version:" | awk '{print $2}')
+ echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+
+ - name: Compile & Test
+ run: |
+ cd ./moaSig
+ ./gradlew clean build --warning-mode all
+
+ - name: Upload Analysis Reports
+ if: github.event_name == 'workflow_dispatch'
+ uses: actions/upload-artifact@v4
+ with:
+ name: analysis-reports
+ path: |
+ **/build/reports/pmd/*.xml
+ **/build/reports/spotbugs/*.xml
+ **/build/reports/checkstyle/*.xml
+ **/build/reports/jacoco/**/jacocoTestReport.xml
+ **/build/test-results/test/TEST-*.xml
+ if-no-files-found: warn
+ retention-days: 1
+
+ - name: Extract Pull Request Number
+ uses: jwalton/gh-find-current-pr@v1
+ id: pr
+
+ - name: Detect Test Reports
+ id: tests
+ if: always()
+ run: |
+ shopt -s globstar nullglob
+ reports=(**/build/test-results/test/TEST-*.xml)
+ if [ ${#reports[@]} -gt 0 ]; then
+ echo "has_tests=true" >> "$GITHUB_OUTPUT"
+ else
+ echo "has_tests=false" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Run Quality Monitor (with coverage)
+ if: ${{ always() && steps.tests.outputs.has_tests == 'true' }}
+ uses: uhafner/quality-monitor@v4.2.0
+ with:
+ pr-number: ${{ steps.pr.outputs.number }}
+ config: >
+ {
+ "tests": {
+ "tools": [
+ {
+ "id": "junit",
+ "name": "Unittests",
+ "pattern": "**/build/test-results/test/TEST-*.xml"
+ }
+ ]
+ },
+ "analysis": [
+ {
+ "name": "Style",
+ "id": "style",
+ "tools": [
+ {
+ "id": "checkstyle",
+ "pattern": "**/build/reports/checkstyle/*.xml",
+ "sourcePath": "src/main/java"
+ }
+ ]
+ },
+ {
+ "name": "Code Analyzer",
+ "tools": [
+ {
+ "id": "pmd",
+ "pattern": "**/build/reports/pmd/*.xml",
+ "sourcePath": "src/main/java"
+ }
+ ]
+ },
+ {
+ "name": "Bugs",
+ "id": "bugs",
+ "tools": [
+ {
+ "id": "spotbugs",
+ "pattern": "**/build/reports/spotbugs/*.xml",
+ "sourcePath": "src/main/java"
+ }
+ ]
+ }
+ ],
+ "coverage": [
+ {
+ "name": "JaCoCo",
+ "tools": [
+ {
+ "id": "jacoco",
+ "metric": "line",
+ "sourcePath": "src/main/java",
+ "pattern": "**/build/reports/jacoco/**/jacocoTestReport.xml"
+ },
+ {
+ "id": "jacoco",
+ "metric": "branch",
+ "sourcePath": "src/main/java",
+ "pattern": "**/build/reports/jacoco/**/jacocoTestReport.xml"
+ }
+ ]
+ }
+ ]
+ }
+ quality-gates: >
+ {
+ "qualityGates": [
+ {
+ "metric": "line",
+ "threshold": 70.0,
+ "criticality": "FAILURE"
+ },
+ {
+ "metric": "branch",
+ "threshold": 70.0,
+ "criticality": "FAILURE"
+ },
+ {
+ "metric": "checkstyle",
+ "threshold": 70,
+ "criticality": "UNSTABLE"
+ },
+ {
+ "metric": "pmd",
+ "threshold": 70.0,
+ "criticality": "UNSTABLE"
+ },
+ {
+ "metric": "spotbugs",
+ "threshold": 10.0,
+ "criticality": "UNSTABLE"
+ }
+ ]
+ }
+
+ - name: Run Quality Monitor (without coverage)
+ if: ${{ always() && steps.tests.outputs.has_tests != 'true' }}
+ uses: uhafner/quality-monitor@v4.2.0
+ with:
+ pr-number: ${{ steps.pr.outputs.number }}
+ config: >
+ {
+ "tests": {
+ "tools": [
+ {
+ "id": "junit",
+ "name": "Unittests",
+ "pattern": "**/build/test-results/test/TEST-*.xml"
+ }
+ ]
+ },
+ "analysis": [
+ {
+ "name": "Style",
+ "id": "style",
+ "tools": [
+ {
+ "id": "checkstyle",
+ "pattern": "**/build/reports/checkstyle/*.xml",
+ "sourcePath": "src/main/java"
+ }
+ ]
+ },
+ {
+ "name": "Code Analyzer",
+ "tools": [
+ {
+ "id": "pmd",
+ "pattern": "**/build/reports/pmd/*.xml",
+ "sourcePath": "src/main/java"
+ }
+ ]
+ },
+ {
+ "name": "Bugs",
+ "id": "bugs",
+ "tools": [
+ {
+ "id": "spotbugs",
+ "pattern": "**/build/reports/spotbugs/*.xml",
+ "sourcePath": "src/main/java"
+ }
+ ]
+ }
+ ],
+ "coverage": [
+ {
+ "name": "JaCoCo",
+ "tools": [
+ {
+ "id": "jacoco",
+ "metric": "line",
+ "sourcePath": "src/main/java",
+ "pattern": "**/build/reports/jacoco/**/jacocoTestReport.xml"
+ },
+ {
+ "id": "jacoco",
+ "metric": "branch",
+ "sourcePath": "src/main/java",
+ "pattern": "**/build/reports/jacoco/**/jacocoTestReport.xml"
+ }
+ ]
+ }
+ ]
+ }
+ quality-gates: >
+ {
+ "qualityGates": [
+ {
+ "metric": "checkstyle",
+ "threshold": 70,
+ "criticality": "UNSTABLE"
+ },
+ {
+ "metric": "pmd",
+ "threshold": 70.0,
+ "criticality": "UNSTABLE"
+ },
+ {
+ "metric": "spotbugs",
+ "threshold": 10.0,
+ "criticality": "UNSTABLE"
+ }
+ ]
+ }
+
+ publish:
+ name: Publish
+ runs-on: [self-hosted, linux]
+ needs: build-and-analyse
+ if: ${{ !startsWith(github.ref, 'refs/tags/') }}
+ env:
+ SHORT_SHA: ${{ needs.build-and-analyse.outputs.short_sha }}
+
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-java@v4
+ with:
+ distribution: temurin
+ java-version: 17
+ cache: gradle
+
+ - name: Set SSH known_hosts
+ env:
+ DEPLOY_EGIZ: ${{ secrets.DEPLOY_EGIZ }}
+ run: |
+ mkdir -p ~/.ssh
+ echo $DEPLOY_EGIZ | base64 --decode > ~/.ssh/known_hosts
+ chmod 644 ~/.ssh/known_hosts
+
+ - name: Assemble & Publish
+ run: |
+ cd ./moaSig
+ ./gradlew assemble publish
+
+ - name: Upload Package Artifact
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: ${{ env.PROJECT_NAME }}-${{ env.SHORT_SHA }}
+ path: ${{ env.PROJECT_PACKAGE }}
+ if-no-files-found: warn
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..fe22239
--- /dev/null
+++ b/.github/workflows/release.yml
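Review bot: `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` sits in the workflow-level `env:` and there is no `permissions:` block, so every step of every job — including the third-party actions referenced by mutable refs (`dependency-check/Dependency-Check_Action@main`, `trufflesecurity/trufflehog@main`, `jwalton/gh-find-current-pr@v1`) — receives the repository's default-scope token, and a force-pushed `main` on any of them could read and use it. Add a top-level `permissions:` with `contents: read` (plus `pull-requests: write` only if `uhafner/quality-monitor` needs it to comment on PRs), move the token into that single step's `env:`, and pin the actions to full commit SHAs. The `build-and-analyse` and `publish` jobs also run `./gradlew` on `[self-hosted, linux]` for `pull_request` on any branch, which executes the PR's own Gradle build scripts on a persistent runner; if fork PRs are accepted this is code execution on your infrastructure and those jobs belong on hosted runners or behind a repository/actor check. Finally, `publish` is gated only by `!startsWith(github.ref, 'refs/tags/')`, so `./gradlew assemble publish` fires for every non-tag push and PR rather than for a release branch, and the `known_hosts` step should quote its secret — `printf '%s' "$DEPLOY_EGIZ" | base64 --decode > ~/.ssh/known_hosts` — since the unquoted `echo $DEPLOY_EGIZ` is subject to word splitting.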
@@ -0,0 +1,59 @@
+name: Release
+
+on:
+ push:
+ branches:
+ - '**'
+ tags:
+ - 'v*'
+ pull_request:
+ branches:
+ - '**'
+ workflow_dispatch:
+
+env:
+ LC_ALL: "en_US.UTF-8"
+ LANG: "en_US.UTF-8"
+ LANGUAGE: "en_US"
+ LIB_NAME: "MOA-SIG"
+ PROJECT_PATH: '.'
+ PROJECT_NAME: 'moa-sig'
+ SECURE_LOG_LEVEL: "debug"
+
+jobs:
+ release:
+ name: Release
+ environment: release
+ runs-on: [self-hosted, linux]
+ if: ${{ github.ref == 'refs/heads/master' && github.event_name == 'workflow_dispatch' }}
+
+ steps:
+
+ - uses: actions/checkout@v4
+ - uses: actions/setup-java@v4
+ with:
+ distribution: temurin
+ java-version: 17
+ cache: gradle
+
+ - name: Set VERSION and SHORT_SHA
+ run: |
+ echo "SHORT_SHA=${GITHUB_SHA:0:8}" >> "$GITHUB_ENV"
+ cd moaSig
+ VERSION=$(./gradlew -q properties --console=plain | grep "^version:" | awk '{print $2}')
+ echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
+
+ - name: Build Release Package
+ run: |
+ echo "Releasing version ${{ env.VERSION }} of ${{ env.LIB_NAME }}"
+ echo "Publishing version ${{ env.VERSION }} to public EGIZ maven"
+ cd ./moaSig
+ ./gradlew clean
+
+ - name: Upload Release Artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: ${{ env.PROJECT_NAME }}-${{ env.SHORT_SHA }}-release
+ path: |
+ release/${{ env.VERSION }}/moa-spss-${{ env.VERSION }}.zip
+ release/${{ env.VERSION }}/moa-spss-lib-${{ env.VERSION }}.zip
\ No newline at end of file
-- cgit v1.2.3
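Review bot: The `Build Release Package` step runs only `./gradlew clean`, yet `Upload Release Artifacts` then collects `release/${{ env.VERSION }}/moa-spss-${{ env.VERSION }}.zip` and the matching `-lib` zip, which no step in this workflow produces; on the persistent `[self-hosted, linux]` runner those files can only come from earlier runs or leftover workspace state, so what is uploaded as the release is not provably built from the checked-out commit. `actions/upload-artifact@v4` also defaults to `if-no-files-found: warn`, so a release run with nothing to upload still completes green — set `if-no-files-found: error` and either add the real assemble/publish task here or state in a comment that the workflow is intentionally incomplete. Minor: the `run:` script interpolates `${{ env.VERSION }}` and `${{ env.LIB_NAME }}` straight into the shell; `VERSION` is parsed from the repository's Gradle `properties` output, so prefer the already-exported shell variables `"$VERSION"` and `"$LIB_NAME"`. The `environment: release` gate combined with the master-only `workflow_dispatch` condition is good, but the job still needs a `permissions:` block to limit the default token, and the `push`/`pull_request` triggers on `'**'` only create skipped runs here and could be dropped.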