Add Sonatype scan to pipeline #2093
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| env: | |
| JDK_JAVA_OPTIONS: -XX:+PrintCommandLineFlags -Xss10M # JDK_JAVA_OPTIONS is _the_ env. variable to use for modern Java | |
| JVM_OPTS: -XX:+PrintCommandLineFlags -Xss10M # for Java 8 only (sadly, it is not modern enough for JDK_JAVA_OPTIONS) | |
| SonatypeUrl: "https://finos.sonatype.app/platform/" | |
| SonatypeAppId: morphir-scala | |
| SonatypeStage: "build" | |
| SonatypeScanTarget: "." # depCache/coursier/v1/https/repo1.maven.org/maven2/ | |
| ExcludeDirectory: " -D fileExcludes='*.class, **/website/, **/docs/, **/.*' " | |
| on: | |
| pull_request: | |
| push: | |
| branches: ["main"] | |
| release: | |
| types: | |
| - published | |
| workflow_dispatch: | |
| # cancel older runs of a pull request; | |
| # this will not cancel anything for normal git pushes | |
| concurrency: | |
| group: cancel-old-pr-runs-${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| jobs: | |
| lint: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| steps: | |
| - name: Checkout current branch | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Scala and Java | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: "temurin" | |
| java-version: "17" | |
| - name: Cache scala dependencies | |
| uses: coursier/cache-action@v6 | |
| - name: Setup proto and moon toolchains | |
| uses: moonrepo/[email protected] | |
| with: | |
| auto-install: true | |
| - name: Install tooling | |
| run: | | |
| ./build.sh install | |
| - name: Lint code | |
| run: ./build.sh lint | |
| test-js: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| java: ["11"] # Note there is no need ro actually run this for multiple JVM versions for JS | |
| scala: ["3.3.3"] | |
| steps: | |
| - name: Checkout current branch | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: ".nvmrc" | |
| - name: Install morphir-elm | |
| run: | | |
| npm install -g morphir-elm | |
| - name: Setup Scala and Java | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: "temurin" | |
| java-version: ${{ matrix.java }} | |
| - name: Cache scala dependencies | |
| uses: coursier/cache-action@v6 | |
| - name: Run JS tests | |
| run: | | |
| ./mill -i -k -j 0 "morphir[${{matrix.scala}}].__.js.__.compile" + "morphir[${{matrix.scala}}].__.js.publishArtifacts" + "morphir[${{matrix.scala}}].__.js.__.test" | |
| - name: Cache JS build output | |
| # when in master repo: all commits to main branch and all additional tags | |
| if: github.ref == 'refs/heads/main' || (github.ref != 'refs/heads/main' && startsWith( github.ref, 'refs/tags/') ) | |
| uses: actions/cache/save@v4 | |
| with: | |
| path: | | |
| out/morphir/${{matrix.scala}}/**/js/ | |
| key: ${{ runner.os }}-mill-js-${{matrix.java}}-${{ matrix.scala }}-${{ github.sha}}-${{ hashFiles('out') }} | |
| test-jvm: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| java: ["11", "17"] | |
| scala: ["3.3.3"] | |
| steps: | |
| - name: Checkout current branch | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: ".nvmrc" | |
| - name: Install morphir-elm | |
| run: | | |
| npm install -g morphir-elm | |
| - name: Setup Scala and Java | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: "temurin" | |
| java-version: ${{ matrix.java }} | |
| - name: Cache scala dependencies | |
| uses: coursier/cache-action@v6 | |
| - name: Setup proto and moon toolchains | |
| uses: moonrepo/[email protected] | |
| with: | |
| auto-install: true | |
| - name: Install tooling | |
| run: | | |
| ./build.sh install | |
| - name: Make Morphir IR | |
| run: | | |
| ./build.sh run :morphir-elm-build | |
| - name: Run JVM tests | |
| run: | | |
| ./build.sh --scala-version ${{matrix.scala}} test-jvm | |
| - name: Cache JVM build output | |
| # when in master repo: all commits to main branch and all additional tags | |
| if: github.ref == 'refs/heads/main' || (github.ref != 'refs/heads/main' && startsWith( github.ref, 'refs/tags/') ) | |
| uses: actions/cache/save@v4 | |
| with: | |
| path: | | |
| out/morphir/${{matrix.scala}}/**/jvm/ | |
| out/morphir/build/ | |
| key: ${{ runner.os }}-mill-jvm-${{matrix.java}}-${{ matrix.scala }}-${{ github.sha }}-${{ hashFiles('out') }} | |
| ############### SONATYPE SCAN ############### | |
| sonatype-scan: | |
| if: always() | |
| needs: [ci] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Cache scala dependencies | |
| uses: coursier/cache-action@v6 | |
| - name: Get OUT cache | |
| uses: actions/cache/restore@v4 | |
| with: | |
| path: out/ | |
| key: ${{ runner.os }}-* | |
| - name: Copy Cache for SCA Scan | |
| run: | | |
| mkdir depCache/ #Create local copy of cache for Sonatype Scanner | |
| cp -r /home/runner/.cache/coursier/ depCache/ | |
| # - name: Save resolvedIvyDeps.json | |
| # run: ./mill show __.resolvedIvyDeps > depCache/resolvedIvyDeps.json | |
| - name: Sonatype Lifecycle SCA Scan | |
| id: evaluate | |
| uses: sonatype/actions/evaluate@v1 | |
| with: | |
| iq-server-url: ${{ env.SonatypeUrl }} | |
| username: ${{ secrets.SONATYPE_USER }} | |
| password: ${{ secrets.SONATYPE_PASSWORD }} | |
| application-id: ${{ env.SonatypeAppId }} | |
| stage: ${{ env.SonatypeStage }} | |
| scan-targets: ${{ env.SonatypeScanTarget }} ${{ env.ExcludeDirectory }} | |
| - name: Retrieve Sonatype SBOM (SPDX) | |
| uses: sonatype/actions/fetch-sbom@v1 | |
| if: ( success() || failure() ) && steps.evaluate.outputs.scan-id | |
| with: | |
| iq-server-url: ${{ env.SonatypeUrl }} | |
| username: ${{ secrets.SONATYPE_USER }} | |
| password: ${{ secrets.SONATYPE_PASSWORD }} | |
| application-id: ${{ env.SonatypeAppId }} | |
| scan-id: ${{ steps.evaluate.outputs.scan-id }} | |
| sbom-standard: spdx | |
| sbom-version: 2.3 | |
| artifact-name: ${{ env.SonatypeAppId }}-sbom (${{ env.SonatypeStage }}) | |
| ############################################# | |
| publish: | |
| # when in master repo: all commits to main branch and all additional tags | |
| if: github.repository == 'finos/morphir-scala' && ( github.ref == 'refs/heads/main' || (github.ref != 'refs/heads/main' && startsWith( github.ref, 'refs/tags/') ) ) | |
| needs: [ci] | |
| runs-on: ubuntu-latest | |
| # only run one publish job for the same sha at the same time | |
| # e.g. when a main-branch push is also tagged | |
| concurrency: publish-sonatype-${{ github.sha }} | |
| env: | |
| PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }} | |
| PGP_SECRET: ${{ secrets.PGP_SECRET_BASE64 }} | |
| SONATYPE_PASSWORD: ${{ secrets.MAVEN_DEPLOY_PASSWORD }} # Change to MAVEN_...?? | |
| SONATYPE_USERNAME: ${{ secrets.MAVEN_DEPLOY_USERNAME }} # Change to MAVEN_...?? | |
| PUBLISH_AS_SNAPSHOT: true | |
| LANG: "en_US.UTF-8" | |
| LC_MESSAGES: "en_US.UTF-8" | |
| LC_ALL: "en_US.UTF-8" | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: ".nvmrc" | |
| - name: Install morphir-elm | |
| run: | | |
| npm install -g morphir-elm | |
| - uses: actions/setup-java@v4 | |
| with: | |
| java-version: "11" | |
| distribution: temurin | |
| - name: Cache scala dependencies | |
| uses: coursier/cache-action@v6 | |
| - name: Install libuv | |
| run: sudo apt-get update && sudo apt-get install -y libuv1-dev | |
| - name: Restore Scala 3.3 JVM Build Output From Cache | |
| uses: actions/cache/restore@v4 | |
| with: | |
| path: | | |
| out/morphir/3.3.3/**/jvm/ | |
| key: ${{ runner.os }}-mill-jvm-11-3.3.3-${{ github.sha }}-${{ hashFiles('out') }} | |
| restore-keys: ${{ runner.os }}-mill-jvm-11-3.3.3-${{ github.sha }}- | |
| - name: Restore Scala 3.3 JS Build Output From Cache | |
| uses: actions/cache/restore@v4 | |
| with: | |
| path: | | |
| out/morphir/3.3.3/**/js/ | |
| key: ${{ runner.os }}-mill-js-11-3.3.3-${{ github.sha }}-${{ hashFiles('out') }} | |
| restore-keys: ${{ runner.os }}-mill-js-11-3.3.3-${{ github.sha }}- | |
| ############### SONATYPE SCAN ############### | |
| - name: Sonatype Lifecycle SCA Scan | |
| id: evaluate | |
| uses: sonatype/actions/evaluate@v1 | |
| with: | |
| iq-server-url: ${{ env.SonatypeUrl }} | |
| username: ${{ secrets.SONATYPE_USER }} | |
| password: ${{ secrets.SONATYPE_PASSWORD }} | |
| application-id: ${{ env.SonatypeAppId }} | |
| stage: release | |
| scan-targets: ${{ env.SonatypeScanTarget }} ${{ env.ExcludeDirectory }} | |
| - name: Retrieve Sonatype SBOM (SPDX) | |
| uses: sonatype/actions/fetch-sbom@v1 | |
| if: ( success() || failure() ) && steps.evaluate.outputs.scan-id | |
| with: | |
| iq-server-url: ${{ env.SonatypeUrl }} | |
| username: ${{ secrets.SONATYPE_USER }} | |
| password: ${{ secrets.SONATYPE_PASSWORD }} | |
| application-id: ${{ env.SonatypeAppId }} | |
| scan-id: ${{ steps.evaluate.outputs.scan-id }} | |
| sbom-standard: spdx | |
| sbom-version: 2.3 | |
| artifact-name: ${{ env.SonatypeAppId }}-sbom (release) | |
| ##################################### | |
| - name: Setup GPG | |
| run: .github/scripts/gpg-setup.sh | |
| - name: Wrap GPG binary | |
| run: .github/scripts/wrap-gpg.sh | |
| - name: Release | |
| run: ./mill -i ci.publishSonatype __.publishArtifacts | |
| ci: | |
| runs-on: ubuntu-latest | |
| needs: [lint, test-js, test-jvm] | |
| steps: | |
| - name: Aggregate of lint, and all tests | |
| run: echo "ci passed" |