From 266102843f87b35c7f33c5c8dbb70a03df7554d5 Mon Sep 17 00:00:00 2001
From: Shaun Hare
Date: Thu, 9 May 2024 09:32:42 +0100
Subject: [PATCH 1/9] added workflows and amended pom
---
.github/workflows/cd.yaml | 54 +++++++++++++++++++++++++++++
.github/workflows/ci.yaml | 17 +++++++++
.github/workflows/maven-publish.yml | 38 --------------------
.github/workflows/maven.yml | 35 +++++++++++++++++++
.github/workflows/maven_build.yaml | 18 ++++++++++
.github/workflows/security.yaml | 38 ++++++++++++++++++++
pom.xml | 8 ++---
7 files changed, 166 insertions(+), 42 deletions(-)
create mode 100644 .github/workflows/cd.yaml
create mode 100644 .github/workflows/ci.yaml
delete mode 100644 .github/workflows/maven-publish.yml
create mode 100644 .github/workflows/maven.yml
create mode 100644 .github/workflows/maven_build.yaml
create mode 100644 .github/workflows/security.yaml
diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
new file mode 100644
index 0000000..a9ff7cd
--- /dev/null
+++ b/.github/workflows/cd.yaml
@@ -0,0 +1,54 @@
+name: CD
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ release-please:
+ name: Release
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ outputs:
+ tag_name: ${{ steps.release.outputs.tag_name }}
+ release_created: ${{ steps.release.outputs.release_created }}
+ steps:
+ - uses: google-github-actions/release-please-action@v4
+ id: release
+ with:
+ release-type: maven
+
+ call-build-maven:
+ needs: release-please
+ name: build with Maven
+ uses: ./.github/workflows/maven_build.yaml
+
+ publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ needs:
+ - release-please
+ - call-build-maven
+ steps:
+ - name: checkout code
+ uses: actions/checkout@v4
+
+ - name: Set up JDK 11
+ uses: actions/setup-java@v4
+ with:
+ java-version: '11'
+ distribution: 'corretto'
+ cache: 'maven'
+
+ - name: Publish to GitHub Packages Apache Maven
+ if: ${{needs.release-please.outputs.release_created}}
+ run: mvn --batch-mode deploy
+ env:
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+
\ No newline at end of file
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..72604eb
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,17 @@
+name: CI
+
+on:
+ pull_request:
+
+jobs:
+ security:
+ name: Security
+ uses: ./.github/workflows/security.yaml
+ secrets: inherit
+
+ build-maven:
+ name: build with Maven
+ uses: ./.github/workflows/maven_build.yaml
+ needs: security
+
+
diff --git a/.github/workflows/maven-publish.yml b/.github/workflows/maven-publish.yml
deleted file mode 100644
index b735f8e..0000000
--- a/.github/workflows/maven-publish.yml
+++ /dev/null
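Review bot: Every third-party action in the `release-please` and `publish` jobs is referenced by a mutable tag (`google-github-actions/release-please-action@v4`, `actions/checkout@v4`, `actions/setup-java@v4`), and the `security.yaml` hunk later in this patch goes further with `snyk/actions/setup@master`, which tracks a moving branch on the job that receives `SNYK_TOKEN`. Pin each reference to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: google-github-actions/release-please-action@<full-commit-sha> # v4`, so a retagged or compromised upstream cannot change what runs with `contents: write`, `pull-requests: write` and `packages: write`. The `tag_name` output declared on `release-please` is never read by `publish`; either drop it or use it to check out the release tag explicitly instead of the triggering commit.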
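Review bot: `security` is invoked with `secrets: inherit`, which forwards every repository secret to the reusable workflow although it only declares `SNYK_TOKEN`; pass that one secret explicitly, `secrets:` followed by `SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}`, so adding a secret to the repository later does not silently widen what the scan job can read. The workflow also sets no top-level `permissions`; the called workflows narrow the token themselves, but `permissions:` / `contents: read` at the caller sets the floor and survives a future edit to either callee. Because `build-maven` has `needs: security`, a pull request from a fork (where `SNYK_TOKEN` is not available, if this repository accepts fork PRs) or a Snyk outage never reaches the Maven build; consider whether the build should depend on the scan at all.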
@@ -1,38 +0,0 @@ -# This workflow will build a package using Maven and then publish it to GitHub packages when a release is created -# For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#apache-maven-with-a-settings-path - -name: Maven Package - -on: - push: - branches: - - gitHubPackages - -jobs: - build: - - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - - steps: - - uses: actions/checkout@v4 - - name: Set up JDK 11 - uses: actions/setup-java@v3 - with: - java-version: '11' - distribution: 'temurin' - server-id: github # Value of the distributionManagement/repository/id field of the pom.xml - settings-path: ${{ github.workspace }} # location for the settings.xml file - server-username: GITHUB_USER_REF # env variable name for username - server-password: GITHUB_TOKEN_REF # env variable name for GitHub Personal Access Token - - - name: Build with Maven - run: mvn -B -Pgithub package --file pom.xml - - - name: Publish to GitHub Packages Apache Maven - run: mvn deploy -s $GITHUB_WORKSPACE/settings.xml - env: - GITHUB_USER_REF: ${{ secrets.GH_PACKAGE_REPO_USERNAME }} - GITHUB_TOKEN_REF: ${{ secrets.GH_PACKAGE_REPO_PASSWORD }} diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml new file mode 100644 index 0000000..e669f16 --- /dev/null +++ b/.github/workflows/maven.yml 
@@ -0,0 +1,35 @@
+# This workflow will build a package using Maven and then publish it to GitHub packages when a release is created
+# For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#apache-maven-with-a-settings-path
+
+name: Maven Package
+
+on:
+ push:
+ branches:
+ - master
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up JDK 11
+ uses: actions/setup-java@v3
+ with:
+ java-version: '11'
+ distribution: 'temurin'
+ server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
+ settings-path: ${{ github.workspace }} # location for the settings.xml file
+
+ - name: Build with Maven
+ run: mvn -B package --file pom.xml
+
+ - name: Publish to GitHub Packages Apache Maven
+ run: mvn deploy -s $GITHUB_WORKSPACE/settings.xml
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/maven_build.yaml b/.github/workflows/maven_build.yaml
new file mode 100644
index 0000000..7d01df2
--- /dev/null
+++ b/.github/workflows/maven_build.yaml
@@ -0,0 +1,18 @@
+name: Maven Build
+
+on:
+ workflow_call:
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ name: build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - run: mvn -B -P github package
+
+
\ No newline at end of file
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
new file mode 100644
index 0000000..49861eb
--- /dev/null
+++ b/.github/workflows/security.yaml
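Review bot: The `build` job in `maven_build.yaml` runs `mvn -B -P github package` with no `setup-java` step, so it compiles on whatever JDK the `ubuntu-latest` image happens to default to, while `cd.yaml` and `security.yaml` in the same patch pin JDK 11 (corretto); the artifact published by `cd.yaml` is therefore not the one this reusable build verified. Add the same `actions/setup-java@v4` step before the `run`, which also gives the job the Maven dependency cache the other workflows use. The job's `permissions` block is `contents: read` only, so if the `github` profile resolves dependencies from GitHub Packages the build will need `packages: read` and a token as well — I cannot confirm that from this view.
```yaml
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          java-version: '11'
          distribution: 'corretto'
          cache: 'maven'

      - run: mvn -B -P github package
```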
@@ -0,0 +1,38 @@ +name: Security Scan + +on: + workflow_call: + inputs: + severity-threshold: + description: "Severity threshold" + required: false + default: "high" + type: string + secrets: + SNYK_TOKEN: + description: "Snyk token" + required: true + schedule: + # Weekly on Monday at 00:00 UTC + - cron: 0 0 * * 1 + +permissions: + contents: read + packages: read + +jobs: + scan: + name: scan + runs-on: ubuntu-latest + steps: + + - uses: actions/checkout@v4 + - uses: snyk/actions/setup@master + - uses: actions/setup-java@v4 + with: + distribution: "corretto" + java-version: "11" + cache: maven + - run: snyk test --severity-threshold=${{ inputs.severity-threshold || 'high' }} -- -P github + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} \ No newline at end of file diff --git a/pom.xml b/pom.xml index 8a5f4be..fce99a9 100644 --- a/pom.xml +++ b/pom.xml @@ -21,6 +21,7 @@ 0.9.11 2.22.0 2.22.0 + https://maven.pkg.github.com/dvsa/vol-accessibility-lib @@ -90,12 +91,11 @@ compile - - - maven-releases - ${nexus.releases} + github + GitHub dvsa Apache Maven Packages + ${github.url} \ No newline at end of file From 78a0aab600d2a46a7b635198783d86835d1a020c Mon Sep 17 00:00:00 2001 From: Shaun Hare Date: Thu, 9 May 2024 10:05:15 +0100 Subject: [PATCH 2/9] amended pom for active support and added to security action --- .github/workflows/security.yaml | 6 +++++- pom.xml | 28 +++++++++++++++++++++------- 2 files changed, 26 insertions(+), 8 deletions(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 49861eb..483a3d0 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml 
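Review bot: The `default: "high"` declared on the `severity-threshold` input only applies when this workflow is invoked through `workflow_call`; on the `schedule` trigger the `inputs` context is empty, so the `|| 'high'` fallback on the `snyk test` line is what keeps the threshold defined, and nothing says so. Add a comment above the run step, `# inputs are unset on the schedule trigger; keep this fallback equal to the input default`, so the two values do not drift apart. Two style points in the same hunk: the `steps:` list opens with an empty line before `- uses: actions/checkout@v4`, and the cron expression is a plain scalar — `- cron: '0 0 * * 1'` matches the quoting used for the other string values in this file.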
@@ -32,7 +32,11 @@ jobs: with: distribution: "corretto" java-version: "11" - cache: maven + cache: maven + - uses: whelk-io/maven-settings-xml-action@v22 + with: + servers: '[{ "id":"github-vol-active-support", "configuration": { "httpHeaders": { "property": { "name":"Authorization", "value":"Bearer ${{ secrets.GITHUB_TOKEN }}"} } } } ]' + - run: snyk test --severity-threshold=${{ inputs.severity-threshold || 'high' }} -- -P github env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} \ No newline at end of file diff --git a/pom.xml b/pom.xml index fce99a9..c59017c 100644 --- a/pom.xml +++ b/pom.xml @@ -12,7 +12,7 @@ https://nexus.olcs.dev-dvsacloud.uk/repository/maven-releases UTF-8 3.8.1 - 2.0.1.7 + 2.0.1.10 4.8.0 ${rules} @@ -24,12 +24,26 @@ https://maven.pkg.github.com/dvsa/vol-accessibility-lib - - - maven-releases - ${nexus.releases} - - + + + github + + + central + https://repo1.maven.org/maven2 + true + true + + + github-vol-active-support + GitHub dvsa Apache Maven Packages + https://maven.pkg.github.com/dvsa/vol-active-support + true + true + + + + From fb2a0b1adf603c3c927abb94ffb9c5ad167b767c Mon Sep 17 00:00:00 2001 From: Stefan Ranoszek Date: Thu, 9 May 2024 14:11:44 +0100 Subject: [PATCH 3/9] feat: snyk --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index c59017c..7f8283d 100644 --- a/pom.xml +++ b/pom.xml @@ -89,7 +89,7 @@ org.seleniumhq.selenium - selenenium-java + selenium-java From ecbe0b87e823375d973723a544bdf17ba26f21e6 Mon Sep 17 00:00:00 2001 From: Stefan Ranoszek Date: Thu, 9 May 2024 14:25:20 +0100 Subject: [PATCH 4/9] feat: snyk --- .snyk | 15 ++++++++ pom.xml | 116 ++++++++++++++++++++------------------------------------ 2 files changed, 57 insertions(+), 74 deletions(-) create mode 100644 .snyk diff --git a/.snyk b/.snyk new file mode 100644 index 0000000..300ea15 --- /dev/null +++ b/.snyk 
@@ -0,0 +1,15 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+ SNYK-JAVA-DOM4J-174153:
+ - '*':
+ reason: None Given
+ expires: 2024-06-08T13:15:21.624Z
+ created: 2024-05-09T13:15:21.627Z
+ SNYK-JAVA-DOM4J-2812795:
+ - '*':
+ reason: None Given
+ expires: 2024-06-08T13:16:12.796Z
+ created: 2024-05-09T13:16:12.804Z
+patch: {}
diff --git a/pom.xml b/pom.xml
index 7f8283d..d9aada6 100644
--- a/pom.xml
+++ b/pom.xml
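Review bot: Both ignore entries carry `reason: None Given`, which defeats the purpose of a policy file: when the 30-day expiry lands nobody can tell whether the finding was judged unreachable, unfixable at the time, or mitigated elsewhere. Record the justification per entry, e.g. `reason: "<why this finding is accepted and what would let the ignore be removed>"`; the same applies to the `SNYK-JAVA-SOFTWAREAMAZONION-6153869` entry added in PATCH 5/9 and the `SNYK-JAVA-DOM4J-2812975` entry in PATCH 6/9. Because the path is `'*'`, each ignore suppresses the finding on every dependency path that reaches the artifact; narrowing it to the path that actually introduces it keeps a newly added route from being silently accepted.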
@@ -22,94 +22,62 @@ 2.22.0 2.22.0 https://maven.pkg.github.com/dvsa/vol-accessibility-lib + 1.9.2 + 3.2.2 + 1.6.1 + 1.10.0 + 1.26.0 + 20180130 + 42.3.3 + 1.31 + 1.0.3 - - - github - - - central - https://repo1.maven.org/maven2 - true - true - - - github-vol-active-support - GitHub dvsa Apache Maven Packages - https://maven.pkg.github.com/dvsa/vol-active-support - true - true - - - - - - - - - org.springframework.build - aws-maven - 5.0.0.RELEASE - - - - - org.apache.maven.plugins - maven-compiler-plugin - ${maven.compiler.version} - - 11 - - - - - - org.apache.logging.log4j - log4j-api - ${slf4j.version} + commons-beanutils + commons-beanutils + ${commons-beanutils.version} + + + commons-collections + commons-collections + ${commons-collections.version} + + + dom4j + dom4j + ${dom4j.version} + + + org.apache.commons + commons-text + ${org.apache.commons.commons-text.version} - org.apache.logging.log4j - log4j-core - ${slf4j-log4j12.version} + org.apache.commons + commons-compress + ${org.apache.commons.commons-compress.version} - org.dvsa.testing.lib - active-support - ${active-support.version} + org.json + json + ${org.json.version} - com.deque.html.axe-core - selenium - ${axe-selenium-version} - test - - - org.seleniumhq.selenium - selenium-java - - + org.postgresql + postgresql + ${org.postgresql.version} - com.github.spullara.mustache.java - compiler - ${mustache.version} + org.yaml + snakeyaml + ${org.yaml.snakeyaml.version} - com.deque.html.axe-core - selenium - ${axe-selenium-version} - compile + software.amazon.ion + ion-java + ${software.amazon.ion.version} - - - github - GitHub dvsa Apache Maven Packages - ${github.url} - - \ No newline at end of file From f697056a07f18f78c8d2b4a1a0568d19abf432b9 Mon Sep 17 00:00:00 2001 From: Stefan Ranoszek Date: Thu, 9 May 2024 14:31:27 +0100 Subject: [PATCH 5/9] feat: snyk --- .snyk | 5 +++++ pom.xml | 5 +++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/.snyk b/.snyk index 300ea15..6ddb787 100644 
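Review bot: The version properties and entries added here for `commons-beanutils`, `commons-collections`, `dom4j`, `commons-text`, `commons-compress`, `org.json`, `postgresql`, `snakeyaml` and `ion-java` read as transitive-dependency lifts made to satisfy Snyk, but nothing records which finding or which direct dependency each one addresses, so a later maintainer cannot tell when an override can be retired. Add an XML comment per entry, e.g. `<!-- lifted for Snyk finding <id>; remove once <direct-dependency> pulls a fixed version -->`. With the XML tags stripped in this view I cannot confirm the enclosing element, but the hunk also removes the `log4j`, `active-support`, `axe-core`, `selenium-java` and `mustache` entries together with the `repositories` and `distributionManagement` blocks; if those are not declared elsewhere in the pom, this drops the library's own dependencies and the target that `mvn deploy` in `cd.yaml` publishes to, rather than only pinning transitives — please confirm.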
--- a/.snyk +++ b/.snyk @@ -12,4 +12,9 @@ ignore: reason: None Given expires: 2024-06-08T13:16:12.796Z created: 2024-05-09T13:16:12.804Z + SNYK-JAVA-SOFTWAREAMAZONION-6153869: + - '*': + reason: None Given + expires: 2024-06-08T13:27:49.964Z + created: 2024-05-09T13:27:49.971Z patch: {} diff --git a/pom.xml b/pom.xml index d9aada6..8e5e6b0 100644 --- a/pom.xml +++ b/pom.xml @@ -22,15 +22,16 @@ 2.22.0 2.22.0 https://maven.pkg.github.com/dvsa/vol-accessibility-lib - 1.9.2 + 1.9.4 3.2.2 1.6.1 1.10.0 1.26.0 20180130 - 42.3.3 + 42.3.9 1.31 1.0.3 + 20231013 From 667aa64b5dd7df6dc0306809c6dcaed3fd85bd96 Mon Sep 17 00:00:00 2001 From: Stefan Ranoszek Date: Thu, 9 May 2024 14:33:16 +0100 Subject: [PATCH 6/9] feat: snyk --- .snyk | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.snyk b/.snyk index 6ddb787..6327e38 100644 --- a/.snyk +++ b/.snyk @@ -7,14 +7,14 @@ ignore: reason: None Given expires: 2024-06-08T13:15:21.624Z created: 2024-05-09T13:15:21.627Z - SNYK-JAVA-DOM4J-2812795: - - '*': - reason: None Given - expires: 2024-06-08T13:16:12.796Z - created: 2024-05-09T13:16:12.804Z SNYK-JAVA-SOFTWAREAMAZONION-6153869: - '*': reason: None Given expires: 2024-06-08T13:27:49.964Z created: 2024-05-09T13:27:49.971Z + SNYK-JAVA-DOM4J-2812975: + - '*': + reason: None Given + expires: 2024-06-08T13:33:05.972Z + created: 2024-05-09T13:33:05.980Z patch: {} From 6b0e08957400484e693909bfcea23f38d29a9954 Mon Sep 17 00:00:00 2001 From: Stefan Ranoszek Date: Thu, 9 May 2024 15:30:37 +0100 Subject: [PATCH 7/9] feat: github profile cleanup --- .github/workflows/security.yaml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 483a3d0..7e2d415 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml 
@@ -32,11 +32,7 @@ jobs: with: distribution: "corretto" java-version: "11" - cache: maven - - uses: whelk-io/maven-settings-xml-action@v22 - with: - servers: '[{ "id":"github-vol-active-support", "configuration": { "httpHeaders": { "property": { "name":"Authorization", "value":"Bearer ${{ secrets.GITHUB_TOKEN }}"} } } } ]' - - - run: snyk test --severity-threshold=${{ inputs.severity-threshold || 'high' }} -- -P github + cache: maven + - run: snyk test --severity-threshold=${{ inputs.severity-threshold || 'high' }} env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} \ No newline at end of file From a81bcefe1560c741c0486e6fa5ed4178c8fb808d Mon Sep 17 00:00:00 2001 From: Stefan Ranoszek Date: Thu, 9 May 2024 15:44:06 +0100 Subject: [PATCH 8/9] feat:maven build --- .github/workflows/maven_build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/maven_build.yaml b/.github/workflows/maven_build.yaml index 7d01df2..a7d82d6 100644 --- a/.github/workflows/maven_build.yaml +++ b/.github/workflows/maven_build.yaml @@ -13,6 +13,6 @@ jobs: steps: - uses: actions/checkout@v4 - - run: mvn -B -P github package + - run: mvn -B package \ No newline at end of file From 6e56195c73bd934e7bb406e5fcd86adc1bcf74b8 Mon Sep 17 00:00:00 2001 From: Shaun Hare Date: Thu, 9 May 2024 15:56:44 +0100 Subject: [PATCH 9/9] added profile back --- .github/workflows/maven.yml | 35 ----------------------------------- 1 file changed, 35 deletions(-) delete mode 100644 .github/workflows/maven.yml diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml deleted file mode 100644 index e669f16..0000000 --- a/.github/workflows/maven.yml +++ /dev/null 
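Review bot: After this hunk no step in `security.yaml` authenticates to GitHub Packages — the settings-xml step with the bearer header is gone and `-P github` no longer activates the profile — so the `packages: read` grant in the workflow's `permissions` block (outside this hunk) appears unused and should be dropped to keep the scan job at the minimum, unless Maven resolution of `active-support` still reaches `maven.pkg.github.com`, which I cannot confirm from this view. The same profile removal happens in `maven_build.yaml` in PATCH 8/9; if the `github` profile remains in `pom.xml`, nothing activates it any more, and a comment on the `snyk test` line saying why the profile was dropped would save the next reader from re-adding it.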
@@ -1,35 +0,0 @@
-# This workflow will build a package using Maven and then publish it to GitHub packages when a release is created
-# For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#apache-maven-with-a-settings-path
-
-name: Maven Package
-
-on:
- push:
- branches:
- - master
-
-jobs:
- build:
-
- runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: write
-
- steps:
- - uses: actions/checkout@v4
- - name: Set up JDK 11
- uses: actions/setup-java@v3
- with:
- java-version: '11'
- distribution: 'temurin'
- server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
- settings-path: ${{ github.workspace }} # location for the settings.xml file
-
- - name: Build with Maven
- run: mvn -B package --file pom.xml
-
- - name: Publish to GitHub Packages Apache Maven
- run: mvn deploy -s $GITHUB_WORKSPACE/settings.xml
- env:
- GITHUB_TOKEN: ${{ github.token }}