diff --git a/.github/workflows/auto-merge-pr.yml b/.github/workflows/auto-merge-pr.yml
deleted file mode 100644
index dd352e8..0000000
--- a/.github/workflows/auto-merge-pr.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: Post-Check Actions
-on: [pull_request]
-
-permissions:
- contents: write
-
-jobs:
- dependabot-merge:
- runs-on: cx-public-ubuntu-x64
- if: contains(github.head_ref, 'feature/update_cli')
- steps:
- - name: Enable auto-merge for Dependabot PRs
- env:
- PR_URL: ${{github.event.pull_request.html_url}}
- GITHUB_TOKEN: ${{secrets.PERSONAL_ACCESS_TOKEN }}
- run: gh pr merge --auto --squash "$PR_URL"
- - name: Auto approve dependabot PRs
- uses: step-security/auto-approve-action@0c28339628c8e79ab2f6813291e7e6cd584b4d30 # v4.0.0
- with:
- github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
diff --git a/.github/workflows/checkmarx-one-scan.yml b/.github/workflows/checkmarx-one-scan.yml
new file mode 100644
index 0000000..0c441b7
--- /dev/null
+++ b/.github/workflows/checkmarx-one-scan.yml
@@ -0,0 +1,30 @@
+name: Checkmarx One Scan
+on:
+ workflow_dispatch:
+ pull_request:
+ push:
+ branches:
+ - main
+ schedule:
+ - cron: "00 7 * * *" # Every day at 07:00
+
+permissions:
+ contents: read
+
+jobs:
+ cx-scan:
+ name: Checkmarx One Scan
+ permissions:
+ contents: read
+ runs-on: cx-public-ubuntu-x64
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - name: Checkmarx One CLI Action
+ uses: checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc #v.2.3.19
+ with:
+ base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
+ cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
+ cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
+ cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
+ additional_params: --tags sypher --threshold "sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1"
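Review bot: The `pull_request` trigger on this new workflow also fires for pull requests from forks, where `secrets.AST_RND_SCANS_*` resolve to empty strings, so the Checkmarx step would fail on missing credentials instead of being skipped; gate the job with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` rather than moving to `pull_request_target`, which would hand the secrets to code from the PR head. The `actions/checkout` pin here (`b4ffde65… # v4.1.1`) is older than the `v4.3.1` and `v6.0.3` pins the sibling workflows in this same change use; aligning it avoids carrying three versions of the same action. Since the job is a static scan with no build step, the self-hosted `cx-public-ubuntu-x64` runner only sees a checkout of untrusted PR content, but that is worth a one-line comment on the job so nobody later adds a `mvn`/`npm` step to it without reconsidering the runner.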
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 26ea6e1..e1f1511 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,14 +2,19 @@ name: AST Java Wrapper CI
on: [ pull_request ]
+permissions:
+ contents: read
+
jobs:
integration-tests:
+ permissions:
+ contents: read
runs-on: cx-public-ubuntu-x64
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
- token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+ token: ${{ secrets.GITHUB_TOKEN }}
lfs: true
- name: Install Git LFS
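Review bot: `token: ${{ secrets.GITHUB_TOKEN }}` on the checkout step is the value `actions/checkout` already uses by default, so after dropping the PAT the whole `token:` line can go, leaving only `lfs: true` under `with:`; keeping an explicit token hints to the next reader that a non-default credential is in play. The job-level `permissions: contents: read` duplicates the new top-level block and can be removed unless a later job in this file needs a different scope (the rest of the file is outside this hunk).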
@@ -27,6 +32,10 @@ jobs:
distribution: 'temurin'
java-version: '11'
+ - name: Configure echo mirror for dependency resolution
+ run: |
+ sed -i 's||echocentralhttps://maven.echohq.com|' ~/.m2/settings.xml
+
- name: Check existence of cx-linux binary
run: |
if [ ! -f "src/main/resources/cx-linux" ]; then
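Review bot: The `sed` expression in the new mirror step reads `s||echocentralhttps://maven.echohq.com|` here, i.e. an empty search pattern, which GNU sed rejects with "no previous regular expression" and would fail the job; if the `<mirrors>`/`<mirror>` XML tags were lost when this diff was rendered the repository copy may be fine, but a quoted here-doc writing `~/.m2/settings.xml` would be far easier to review than a one-line `sed` against generated XML. The step also assumes `~/.m2/settings.xml` already exists from `actions/setup-java`; if it does not, `sed -i` exits non-zero with no useful message. Routing dependency resolution for the test build through the third-party mirror `maven.echohq.com` is a new trust boundary, so add a comment above the step stating why the mirror is needed and, if the substituted XML sets `<mirrorOf>`, keep it scoped to `central` rather than `*`.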
diff --git a/.github/workflows/manual-tag.yml b/.github/workflows/manual-tag.yml
index 8fb056d..57f0d50 100644
--- a/.github/workflows/manual-tag.yml
+++ b/.github/workflows/manual-tag.yml
@@ -19,14 +19,17 @@ jobs:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
- token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+ token: ${{ secrets.GITHUB_TOKEN }}
- name: Tag
+ env:
+ INPUT_TAG: ${{ github.event.inputs.tag }}
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ PR_TITLE: ${{ github.event.pull_request.title }}
run: |
- echo ${{ github.event.inputs.tag }}
- echo "NEXT_VERSION=${{ github.event.inputs.tag }}" >> $GITHUB_ENV
- tag=${{ github.event.inputs.tag }}
- message='${{ github.event.inputs.tag }}: PR #${{ github.event.pull_request.number }} ${{ github.event.pull_request.title }}'
+ echo "$INPUT_TAG"
+ echo "NEXT_VERSION=$INPUT_TAG" >> $GITHUB_ENV
+ message="$INPUT_TAG: PR #$PR_NUMBER $PR_TITLE"
git config user.name "${GITHUB_ACTOR}"
git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
- git tag -a "${tag}" -m "${message}"
- git push origin "${tag}"
+ git tag -a "$INPUT_TAG" -m "$message"
+ git push origin "$INPUT_TAG"
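Review bot: `$INPUT_TAG` is now passed to `git tag -a` and `git push` as a quoted variable, which closes the expression-injection the removed lines had, but the value is still unvalidated: a name beginning with `-` is read by git as an option, and any string is accepted as a release tag. Add a shape check before the `git config` lines, e.g. `[[ "$INPUT_TAG" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.]+)?$ ]] || { echo "invalid tag: $INPUT_TAG" >&2; exit 1; }`, or at minimum `git tag -a -- "$INPUT_TAG" -m "$message"`. Two caveats on replacing `PERSONAL_ACCESS_TOKEN` with `GITHUB_TOKEN`: the push needs `contents: write` on this job (its `permissions` block is outside the hunk), and tags pushed with `GITHUB_TOKEN` do not trigger other workflows, so anything that listened for this tag push will no longer run. `$PR_NUMBER` and `$PR_TITLE` are only populated on `pull_request` events, so on a manual dispatch the message degrades to `<tag>: PR # `; that is pre-existing, but worth a comment or a fallback now that the variables are named.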
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index b52b877..5a8b2c9 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -1,9 +1,10 @@
name: Nightly Release
on:
- push:
- branches:
- - main
+ workflow_dispatch: # push disabled — re-enable when nightly is ready
+ # push:
+ # branches:
+ # - main
permissions:
contents: read
@@ -22,9 +23,13 @@ jobs:
nightly:
needs: delete_tag
- uses: Checkmarx/ast-cli-java-wrapper/.github/workflows/release.yml@main
+ uses: ./.github/workflows/release.yml
with:
tag: "1.0.0-SNAPSHOT"
dev: true
cliTag: "2.0.0-nightly"
- secrets: inherit
+ secrets:
+ MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
+ MAVEN_GPG_PRIVATE_KEY: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
+ OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
+ OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
diff --git a/.github/workflows/pr-label.yml b/.github/workflows/pr-label.yml
deleted file mode 100644
index 00dd428..0000000
--- a/.github/workflows/pr-label.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-name: PR Labeler
-on:
- pull_request:
- types: [opened]
-
-permissions:
- contents: read
-
-jobs:
- pr-labeler:
- permissions:
- pull-requests: write # for TimonVS/pr-labeler-action to add labels in PR
- runs-on: cx-public-ubuntu-x64
- steps:
- - uses: TimonVS/pr-labeler-action@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af #v5
- with:
- configuration-path: .github/pr-labeler.yml # optional, .github/pr-labeler.yml is the default value
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 27a9360..81520b3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -41,6 +41,15 @@ on:
required: false
default: false
type: boolean
+ secrets:
+ MAVEN_GPG_PASSPHRASE:
+ required: true
+ MAVEN_GPG_PRIVATE_KEY:
+ required: true
+ OSSRH_TOKEN:
+ required: true
+ OSSRH_USERNAME:
+ required: true
permissions:
contents: read
@@ -56,16 +65,18 @@ jobs:
TAG_NAME: ${{ steps.set_tag_name.outputs.TAG_NAME }}
steps:
- name: Checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
- token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+ token: ${{ secrets.GITHUB_TOKEN }}
lfs: true
- name: Download CLI
if: inputs.cliTag
+ env:
+ INPUT_CLI_TAG: ${{ inputs.cliTag }}
run: |
chmod +x ./.github/scripts/update_cli.sh
- ./.github/scripts/update_cli.sh ${{ inputs.cliTag }}
+ ./.github/scripts/update_cli.sh "$INPUT_CLI_TAG"
- name: Extract CLI version
id: extract_cli_version
@@ -92,19 +103,19 @@ jobs:
- name: Tag
id: set_tag_name
+ env:
+ INPUT_TAG: ${{ inputs.tag }}
run: |
- echo ${{ inputs.tag }}
- tag=${{ inputs.tag }}
- echo "RELEASE_VERSION=${{ inputs.tag }}" >> $GITHUB_ENV
- message='${{ inputs.tag }}'
+ echo "$INPUT_TAG"
+ echo "RELEASE_VERSION=$INPUT_TAG" >> $GITHUB_ENV
git config user.name "${GITHUB_ACTOR}"
git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
- git tag -a "${tag}" -m "${message}"
- git push origin "${tag}"
- echo "TAG_NAME=${{ inputs.tag }}" >> $GITHUB_OUTPUT
+ git tag -a "$INPUT_TAG" -m "$INPUT_TAG"
+ git push origin "$INPUT_TAG"
+ echo "TAG_NAME=$INPUT_TAG" >> $GITHUB_OUTPUT
- name: Set up Maven Central Repository
- uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # v4.3.0
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
java-version: '11'
distribution: 'temurin'
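Review bot: The tag step now quotes `$INPUT_TAG`, removing the expression-injection the removed lines had, but the value still flows unvalidated into `git tag -a`, `git push`, `$GITHUB_ENV` and `$GITHUB_OUTPUT`; a name starting with `-` is read by git as an option, and a value containing a newline would append extra entries to `$GITHUB_ENV`. A shape check at the top of the `run:` block, `[[ "$INPUT_TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.]+)?$ ]] || { echo "invalid tag: $INPUT_TAG" >&2; exit 1; }`, closes both and still admits the `1.0.0-SNAPSHOT` value the nightly caller passes. Because the checkout now uses `GITHUB_TOKEN`, `git push origin "$INPUT_TAG"` requires `contents: write` on this job (the top-level default in this file is `contents: read`; the job's `permissions` block is outside the hunk), and tag pushes made with `GITHUB_TOKEN` do not fire other workflows, which matters if anything keys off the release tag.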
@@ -114,20 +125,27 @@ jobs:
gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
gpg-passphrase: MAVEN_GPG_PASSPHRASE
+ - name: Configure echo mirror for dependency resolution
+ run: |
+ sed -i 's||echocentralhttps://maven.echohq.com|' ~/.m2/settings.xml
+
- name: Update the POM version.
- run: mvn -B versions:set -DnewVersion='${{ env.RELEASE_VERSION }}' --file pom.xml -DskipTests
+ run: mvn -B versions:set -DnewVersion="$RELEASE_VERSION" --file pom.xml -DskipTests
- name: Build artifactId property
+ env:
+ INPUT_DEV: ${{ inputs.dev }}
+ INPUT_TAG: ${{ inputs.tag }}
run: |
prop=''
- if [ ${{ inputs.dev }} = true ] && ![ "${{ inputs.tag }}" = "1.0.0-SNAPSHOT" ]; then
+ if [ "$INPUT_DEV" = "true" ] && [ "$INPUT_TAG" != "1.0.0-SNAPSHOT" ]; then
prop='-Dast.wrapper.id=ast-cli-java-wrapper-dev'
fi
echo "AID_PROP=${prop}" >> $GITHUB_ENV
- name: Publish package
if: inputs.publish == true
- run: mvn --batch-mode deploy -DskipTests ${{ env.AID_PROP }}
+ run: mvn --batch-mode deploy -DskipTests $AID_PROP
env:
MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
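Review bot: The new mirror step routes every dependency the release build resolves through `maven.echohq.com`, and the artifacts that `mvn deploy` then GPG-signs and publishes are built from whatever that mirror serves, with no checksum or provenance check on the resolved set; the mirror becomes a single point of trust for the published package. If the mirror is required, state why in a comment above the step and consider recording the resolved dependency checksums in the repository (or restricting the mirror to a reviewed allowlist) so a substituted artifact fails the build instead of shipping. As rendered here the `sed` expression `s||…|` has an empty search pattern, which sed rejects; if XML tags were lost in rendering this is fine, otherwise the step fails before the publish step runs. The `if [ "$INPUT_DEV" = "true" ] && [ "$INPUT_TAG" != "1.0.0-SNAPSHOT" ]` rewrite deserves a short comment, e.g. `# dev builds with a real version tag publish under the -dev artifactId`, since the intent is not obvious from the property name alone.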
diff --git a/.github/workflows/update-cli.yml b/.github/workflows/update-cli.yml
index 04fa5c7..6403725 100644
--- a/.github/workflows/update-cli.yml
+++ b/.github/workflows/update-cli.yml
@@ -38,14 +38,16 @@ jobs:
RELEASE_TAG: ${{ steps.checkmarx-ast-cli.outputs.release_tag }}
run: |
# Update current release
- echo ${{ steps.checkmarx-ast-cli.outputs.release_tag }} > checkmarx-ast-cli.version
+ echo "$RELEASE_TAG" > checkmarx-ast-cli.version
- name: Download latest cli and update branch
if: steps.checkmarx-ast-cli.outputs.current_tag != steps.checkmarx-ast-cli.outputs.release_tag
+ env:
+ RELEASE_TAG: ${{ steps.checkmarx-ast-cli.outputs.release_tag }}
run: |
# Update binaries
chmod +x ./.github/scripts/update_cli.sh
- ./.github/scripts/update_cli.sh ${{ steps.checkmarx-ast-cli.outputs.release_tag }}
+ ./.github/scripts/update_cli.sh "$RELEASE_TAG"
- name: Track large files with Git LFS
if: steps.checkmarx-ast-cli.outputs.current_tag != steps.checkmarx-ast-cli.outputs.release_tag