maven-lockfile/.github/workflows/code-qualitiy.yml at 03fc4fa353e5e659cc2f46b3d5c551d0db1c1e8a · chains-project/maven-lockfile · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
name: Maven test
on:
  workflow_dispatch:
  pull_request:

permissions:
  id-token: write
  contents: read
jobs:
  maven-quality:
    runs-on: ubuntu-latest

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            objects.githubusercontent.com:443
            oss.sonatype.org:443
            maven.artifacts.atlassian.com:443
            packages.atlassian.com:443
            release-assets.githubusercontent.com:443
            repo.maven.apache.org:443
            repo.spring.io:443
            tuf-repo-cdn.sigstore.dev:443
            fulcio.sigstore.dev:443
            rekor.sigstore.dev:443

      - name: Checkout repostiory
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Verify action checksums
        uses: chains-project/maven-lockfile/.github/actions/ghasum@723132de2c6095048129f6eaf5e6b30f13c5b2ca # 5.9.0

      - name: Set up JDK 17
        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
        with:
          java-version: '17'
          distribution: 'temurin'

      - name: mvn clean verify
        run: mvn clean verify

      - name: Build with Maven
        run: mvn --batch-mode --update-snapshots clean package

      - name: Run doc check
        run: mvn org.apache.maven.plugins:maven-javadoc-plugin:3.5.0:jar

      - name: Run spotless check
        run: mvn spotless:check

      - name: Check maven pom quality
        run: mvn org.kordamp.maven:pomchecker-maven-plugin:1.9.0:check-maven-central -D"checker.release=false"

  reproducilbilty:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ${{ github.workspace }}/maven_plugin
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            fulcio.sigstore.dev:443
            github.com:443
            maven.artifacts.atlassian.com:443
            objects.githubusercontent.com:443
            oss.sonatype.org:443
            packages.atlassian.com:443
            rekor.sigstore.dev:443
            release-assets.githubusercontent.com:443
            repo.maven.apache.org:443
            repo.spring.io:443
            tuf-repo-cdn.sigstore.dev:443

      - name: Checkout repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Verify action checksums
        uses: chains-project/maven-lockfile/.github/actions/ghasum@723132de2c6095048129f6eaf5e6b30f13c5b2ca # 5.9.0

      - name: Set up JDK 17
        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
        with:
          java-version: '17'
          distribution: 'temurin'

      - name: Build with Maven
        run: mvn --batch-mode --update-snapshots clean install

      - name: Run reproducibility check
        run: mvn clean install
  dirty-waters:
    runs-on:
        ubuntu-latest
    permissions:
      pull-requests: write # To comment on a Pull Request
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          submodules: true

      - name: Verify action checksums
        uses: ./.github/actions/ghasum

      - name: Setup JDK17
        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
        with:
          java-version: '17'
          distribution: 'temurin'

      - name: Dirty Waters Analysis
        uses: chains-project/dirty-waters-action@30bc4ef96e9c59f85efb05affc2992353d65870b # v1.11.52
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          package_manager: maven
          gradual_report: false
          debug: true
          config: dirty-waters.json