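---
# GitHub Actions workflow for moa-sig: security scans (dependency / SAST /
# secrets), compile + test with quality gates on self-hosted runners, and
# publishing of the build artefacts.
#
# Security-relevant changes versus the previous revision:
#   * explicit least-privilege `permissions:` (workflow default + per-job)
#   * self-hosted jobs no longer run for pull requests from forks
#   * `publish` no longer runs on pull_request events (push already covers
#     every branch, so the PR run only duplicated it)
#   * Dependency-Check reports are uploaded instead of being discarded
#   * shell fixes: pipefail for the version probe, quoting of the known_hosts
#     secret, chmod 700 on ~/.ssh
name: Build

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader handles it.
on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - '**'
    tags:
      - 'v*'
  pull_request:
    branches:
      - '**'
  workflow_dispatch:

# Least-privilege default for GITHUB_TOKEN. Jobs that need more declare it
# explicitly. (Before this the workflow relied on the repository's default
# token permissions, which can still be write-all on older repositories.)
permissions:
  contents: read

env:
  LC_ALL: "en_US.UTF-8"
  LANG: "en_US.UTF-8"
  LANGUAGE: "en_US"
  LIB_NAME: "MOA-SIG"
  PROJECT_PATH: '.'
  PROJECT_NAME: 'moa-sig'
  # NOTE(review): exporting the token as a workflow-wide env var hands it to
  # every `run` step and every third-party action in every job, including
  # the ones on the self-hosted runners. Kept because it is not visible here
  # which step actually reads it (gradle `publish` is the likely consumer);
  # prefer moving it into the `env:` of that single step.
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # NOTE(review): the consumer of SECURE_LOG_LEVEL is not visible here. Debug
  # logging in a signature library can spill key material or tokens into
  # job logs, which are readable by everyone with read access — confirm
  # this is intended for CI.
  SECURE_LOG_LEVEL: "debug"
  PROJECT_PACKAGE: '${{ github.workspace }}/moaSig/moa-sig/build/distributions/*.zip'

jobs:
  # ---------------------------------------------------------------------------
  # Hosted runner: third-party scanners run here, never on the self-hosted
  # infrastructure.
  # ---------------------------------------------------------------------------
  security-checks:
    name: Security Scans (Dependency/SAST/Secrets)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history so the secret scanner can walk every commit.
          fetch-depth: 0
          # Nothing in this job pushes back to the repository, so do not leave
          # the token in .git/config for the scanners to pick up.
          persist-credentials: false

      # TODO(security): `@main` is a mutable ref. Pin to a release tag or,
      # better, a full commit SHA so a compromised upstream cannot run
      # arbitrary code in this job.
      - name: Dependency Scanning (OWASP Dependency-Check)
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: ${{ env.PROJECT_NAME }}
          path: ${{ env.PROJECT_PATH }}
          format: ALL
          # NOTE(review): --noupdate skips the NVD feed refresh. On a fresh
          # hosted runner there is no cached database, so results may be
          # empty or stale. Without --failOnCVSS the scan also never fails
          # the job, i.e. it is informational only and `needs:` below does
          # not gate on it.
          args: --noupdate

      # The Dependency-Check action writes its reports under `reports/`.
      # Publish them so findings are reviewable at all (previously they were
      # discarded with the runner).
      - name: Upload Dependency-Check Reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: dependency-check-reports
          path: ${{ github.workspace }}/reports
          if-no-files-found: warn
          retention-days: 7

      # NOTE(review): continue-on-error means SAST findings never block the
      # pipeline. returntocorp/semgrep-action is, to my knowledge, deprecated
      # in favour of running the `semgrep ci` CLI/container — confirm it
      # still receives rule and engine updates.
      - name: SAST (Semgrep)
        uses: returntocorp/semgrep-action@v1
        continue-on-error: true
        with:
          config: >-
            p/security-audit
            p/java

      # TODO(security): pin to a tag/SHA (see above).
      - name: Secret Detection (TruffleHog)
        uses: trufflesecurity/trufflehog@main

  # ---------------------------------------------------------------------------
  # Self-hosted runner: executes the repository's own gradle wrapper and
  # build scripts, so it must never run untrusted (fork) code.
  # ---------------------------------------------------------------------------
  build-and-analyse:
    name: Compile & Test
    # Skip tag builds, and refuse pull requests whose head is a fork: the job
    # runs the PR's `gradlew` on persistent infrastructure, which would give
    # any outside contributor code execution there. Same-repo PRs still run.
    if: ${{ !startsWith(github.ref, 'refs/tags/') && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
    needs: security-checks
    runs-on: [self-hosted, linux]
    permissions:
      contents: read
      # quality-monitor publishes a check run and a pull-request comment.
      checks: write
      pull-requests: write
    outputs:
      version: ${{ steps.meta.outputs.version }}
      short_sha: ${{ steps.meta.outputs.short_sha }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 2
          submodules: recursive

      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
          cache: gradle

      - name: Gradle Metadata
        id: meta
        # `shell: bash` enables pipefail (the default `bash -e` does not), so
        # a failing `gradlew properties` cannot silently produce an empty
        # version that is then used for the artefact name.
        shell: bash
        run: |
          echo "short_sha=${GITHUB_SHA:0:8}" >> "$GITHUB_OUTPUT"
          cd moaSig
          VERSION=$(./gradlew -q properties --console=plain | grep "^version:" | awk '{print $2}')
          if [ -z "${VERSION}" ]; then
            echo "::error::could not determine project version from gradle properties"
            exit 1
          fi
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"

      - name: Compile & Test
        run: |
          cd ./moaSig
          ./gradlew clean build --warning-mode all

      # Analysis reports are only kept when the build fails; on success the
      # quality-monitor summary below is the record.
      - name: Upload Analysis Reports
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: analysis-reports
          path: |
            **/build/reports/pmd/*.xml
            **/build/reports/spotbugs/*.xml
            **/build/reports/checkstyle/*.xml
            **/build/reports/jacoco/**/jacocoTestReport.xml
            **/build/test-results/test/TEST-*.xml
          if-no-files-found: warn
          retention-days: 1

      # `always()` so the PR number is also available to the quality-monitor
      # steps (which run with `always()`) after a failed build; previously
      # this step was skipped on failure and `pr-number` came through empty.
      - name: Extract Pull Request Number
        if: always()
        uses: jwalton/gh-find-current-pr@v1
        id: pr

      - name: Detect Test Reports
        id: tests
        if: always()
        run: |
          shopt -s globstar nullglob
          reports=(**/build/test-results/test/TEST-*.xml)
          if [ ${#reports[@]} -gt 0 ]; then
            echo "has_tests=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_tests=false" >> "$GITHUB_OUTPUT"
          fi

      # The two quality-monitor steps below are intentionally duplicated:
      # GitHub Actions does not support YAML anchors, and only the quality
      # gates differ (coverage gates are meaningless without test reports).
      - name: Run Quality Monitor (with coverage)
        if: ${{ always() && steps.tests.outputs.has_tests == 'true' }}
        uses: uhafner/quality-monitor@v4.2.0
        continue-on-error: true
        with:
          pr-number: ${{ steps.pr.outputs.number }}
          config: >
            {
              "tests": {
                "tools": [
                  {
                    "id": "junit",
                    "name": "Unittests",
                    "pattern": "**/build/test-results/test/TEST-*.xml"
                  }
                ]
              },
              "analysis": [
                {
                  "name": "Style",
                  "id": "style",
                  "tools": [
                    {
                      "id": "checkstyle",
                      "pattern": "**/build/reports/checkstyle/*.xml",
                      "sourcePath": "src/main/java"
                    }
                  ]
                },
                {
                  "name": "Code Analyzer",
                  "tools": [
                    {
                      "id": "pmd",
                      "pattern": "**/build/reports/pmd/*.xml",
                      "sourcePath": "src/main/java"
                    }
                  ]
                },
                {
                  "name": "Bugs",
                  "id": "bugs",
                  "tools": [
                    {
                      "id": "spotbugs",
                      "pattern": "**/build/reports/spotbugs/*.xml",
                      "sourcePath": "src/main/java"
                    }
                  ]
                }
              ],
              "coverage": [
                {
                  "name": "JaCoCo",
                  "tools": [
                    {
                      "id": "jacoco",
                      "metric": "line",
                      "sourcePath": "src/main/java",
                      "pattern": "**/build/reports/jacoco/**/jacocoTestReport.xml"
                    },
                    {
                      "id": "jacoco",
                      "metric": "branch",
                      "sourcePath": "src/main/java",
                      "pattern": "**/build/reports/jacoco/**/jacocoTestReport.xml"
                    }
                  ]
                }
              ]
            }
          quality-gates: >
            {
              "qualityGates": [
                { "metric": "line", "threshold": 70.0, "criticality": "UNSTABLE" },
                { "metric": "branch", "threshold": 70.0, "criticality": "UNSTABLE" },
                { "metric": "checkstyle", "threshold": 70, "criticality": "UNSTABLE" },
                { "metric": "pmd", "threshold": 70.0, "criticality": "UNSTABLE" },
                { "metric": "spotbugs", "threshold": 10.0, "criticality": "UNSTABLE" }
              ]
            }

      - name: Run Quality Monitor (without coverage)
        if: ${{ always() && steps.tests.outputs.has_tests != 'true' }}
        uses: uhafner/quality-monitor@v4.2.0
        continue-on-error: true
        with:
          pr-number: ${{ steps.pr.outputs.number }}
          config: >
            {
              "tests": {
                "tools": [
                  {
                    "id": "junit",
                    "name": "Unittests",
                    "pattern": "**/build/test-results/test/TEST-*.xml"
                  }
                ]
              },
              "analysis": [
                {
                  "name": "Style",
                  "id": "style",
                  "tools": [
                    {
                      "id": "checkstyle",
                      "pattern": "**/build/reports/checkstyle/*.xml",
                      "sourcePath": "src/main/java"
                    }
                  ]
                },
                {
                  "name": "Code Analyzer",
                  "tools": [
                    {
                      "id": "pmd",
                      "pattern": "**/build/reports/pmd/*.xml",
                      "sourcePath": "src/main/java"
                    }
                  ]
                },
                {
                  "name": "Bugs",
                  "id": "bugs",
                  "tools": [
                    {
                      "id": "spotbugs",
                      "pattern": "**/build/reports/spotbugs/*.xml",
                      "sourcePath": "src/main/java"
                    }
                  ]
                }
              ],
              "coverage": [
                {
                  "name": "JaCoCo",
                  "tools": [
                    {
                      "id": "jacoco",
                      "metric": "line",
                      "sourcePath": "src/main/java",
                      "pattern": "**/build/reports/jacoco/**/jacocoTestReport.xml"
                    },
                    {
                      "id": "jacoco",
                      "metric": "branch",
                      "sourcePath": "src/main/java",
                      "pattern": "**/build/reports/jacoco/**/jacocoTestReport.xml"
                    }
                  ]
                }
              ]
            }
          quality-gates: >
            {
              "qualityGates": [
                { "metric": "checkstyle", "threshold": 70, "criticality": "UNSTABLE" },
                { "metric": "pmd", "threshold": 70.0, "criticality": "UNSTABLE" },
                { "metric": "spotbugs", "threshold": 10.0, "criticality": "UNSTABLE" }
              ]
            }

  # ---------------------------------------------------------------------------
  # Self-hosted runner: assembles and publishes the distribution.
  # ---------------------------------------------------------------------------
  publish:
    name: Publish
    runs-on: [self-hosted, linux]
    needs: build-and-analyse
    # Not on tags, and not on pull_request events: the `push` trigger above
    # already fires for every branch, so a PR run would publish the same
    # commit a second time — and, for fork PRs, from untrusted code on a
    # self-hosted runner.
    if: ${{ !startsWith(github.ref, 'refs/tags/') && github.event_name != 'pull_request' }}
    permissions:
      contents: read
      # NOTE(review): only needed if `gradlew publish` targets GitHub Packages
      # with GITHUB_TOKEN; drop it if the publish target is the SSH host whose
      # key is pinned below.
      packages: write
    env:
      SHORT_SHA: ${{ needs.build-and-analyse.outputs.short_sha }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
          cache: gradle

      # Pins the deploy host's SSH key (a base64-encoded known_hosts stored as
      # a secret) so the publish step cannot be redirected to a spoofed host.
      # NOTE(review): this overwrites the runner user's existing known_hosts
      # on a persistent self-hosted runner. The deploy *private* key is not
      # provisioned here, so it is presumably pre-installed on the runner —
      # confirm who can reach that runner.
      - name: Set SSH known_hosts
        env:
          DEPLOY_EGIZ: ${{ secrets.DEPLOY_EGIZ }}
        run: |
          if [ -z "${DEPLOY_EGIZ}" ]; then
            echo "::error::DEPLOY_EGIZ secret is not set; refusing to publish without a pinned host key"
            exit 1
          fi
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          # printf + quoting: an unquoted $VAR word-splits a multi-line secret
          # into space-separated words, which `base64 --decode` rejects.
          printf '%s' "${DEPLOY_EGIZ}" | base64 --decode > ~/.ssh/known_hosts
          chmod 644 ~/.ssh/known_hosts

      - name: Assemble & Publish
        run: |
          cd ./moaSig
          ./gradlew assemble publish

      - name: Upload Package Artifact
        if: success() && github.ref_name == 'master'
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.PROJECT_NAME }}-${{ env.SHORT_SHA }}
          path: ${{ env.PROJECT_PACKAGE }}
          if-no-files-found: warn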