diff --git a/.github/actions/scan-with-blackduck/action.yml b/.github/actions/scan-with-blackduck/action.yml
new file mode 100644
index 0000000..d9a1114
--- /dev/null
+++ b/.github/actions/scan-with-blackduck/action.yml
@@ -0,0 +1,53 @@
+name: Scan with BlackDuck
+description: Scans the project with BlackDuck
+
+inputs:
+ blackduck_token:
+ description: The token to use for BlackDuck authentication
+ required: true
+ github_token:
+ description: The token to use for GitHub authentication
+ required: true
+ java-version:
+ description: The version of Java to use
+ default: "17"
+ required: false
+ maven-version:
+ description: The Maven version the build shall run with.
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - name: Set up Java ${{ inputs.java-version }}
+ uses: actions/setup-java@v4
+ with:
+ java-version: ${{ inputs.java-version }}
+ distribution: sapmachine
+ cache: maven
+
+ - name: Set up Maven ${{ inputs.maven-version }}
+ uses: stCarolas/setup-maven@v5
+ with:
+ maven-version: ${{ inputs.maven-version }}
+
+ - name: Get Major Version
+ id: get-major-version
+ run: |
+ echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT
+ shell: bash
+
+ - name: Print Version Number
+ run: echo "${{ steps.get-major-version.outputs.REVISION }}"
+ shell: bash
+
+ - name: BlackDuck Scan
+ uses: SAP/project-piper-action@main
+ with:
+ step-name: detectExecuteScan
+ flags: \
+ --version=${{ steps.get-major-version.outputs.REVISION }}
+ env:
+ PIPER_token: ${{ inputs.blackduck_token }}
+ PIPER_githubToken: ${{ inputs.github_token }}
+ SCAN_MODE: FULL
diff --git a/.github/actions/scan-with-sonar/action.yml b/.github/actions/scan-with-sonar/action.yml
new file mode 100644
index 0000000..34522cf
--- /dev/null
+++ b/.github/actions/scan-with-sonar/action.yml
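Review bot: `flags: \` followed by the indented `--version=…` line is not a line continuation in YAML; the two lines fold into one plain scalar whose value begins with a literal backslash, so the action receives `\ --version=<revision>` instead of `--version=<revision>`. Keep the flag on one line, `flags: --version=${{ steps.get-major-version.outputs.REVISION }}`, or switch to a `>-` folded scalar if more flags are added later. Separately, `SAP/project-piper-action@main` is a mutable ref that is handed `PIPER_token` and `PIPER_githubToken` through `env:`; pinning it to a release tag or a full commit SHA keeps a change on that action's main branch from silently running with the scan credentials, and the same ref appears in the scan-with-sonar action of this commit. The input names also mix `blackduck_token`/`github_token` with `java-version`/`maven-version`, while the sibling sonar action is consistently kebab-case; one convention across both actions would be easier to maintain.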
@@ -0,0 +1,48 @@
+name: Scan with SonarQube
+description: Scans the project with SonarQube
+
+inputs:
+ sonarq-token:
+ description: The token to use for SonarQube authentication
+ required: true
+ github-token:
+ description: The token to use for GitHub authentication
+ required: true
+ java-version:
+ description: The version of Java to use
+ required: true
+ maven-version:
+ description: The version of Maven to use
+ required: true
+
+runs:
+ using: composite
+
+ steps:
+ - name: Set up Java ${{inputs.java-version}}
+ uses: actions/setup-java@v4
+ with:
+ java-version: ${{inputs.java-version}}
+ distribution: sapmachine
+ cache: maven
+
+ - name: Set up Maven ${{inputs.maven-version}}
+ uses: stCarolas/setup-maven@v5
+ with:
+ maven-version: ${{inputs.maven-version}}
+
+ - name: Get Revision
+ id: get-revision
+ run: |
+ echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT
+ shell: bash
+
+ - name: Print Revision
+ run: echo "${{steps.get-revision.outputs.REVISION}}"
+ shell: bash
+
+ - name: SonarQube Scan
+ uses: SAP/project-piper-action@main
+ with:
+ step-name: sonarExecuteScan
+ flags: --token=${{inputs.sonarq-token}} --githubToken=${{inputs.github-token}} --version=${{steps.get-revision.outputs.REVISION}} --inferJavaBinaries=true
diff --git a/.github/workflows/blackduck.yml b/.github/workflows/blackduck.yml
new file mode 100644
index 0000000..8921200
--- /dev/null
+++ b/.github/workflows/blackduck.yml
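Review bot: The SonarQube and GitHub tokens are passed on the command line as `--token=…` and `--githubToken=…` inside `flags`, whereas the scan-with-blackduck action in this same commit hands its credentials to the action through `env:` (`PIPER_token`, `PIPER_githubToken`); command-line arguments are readable from the process list on the runner and end up in any log line that echoes the invoked command, so the env route is both the safer and the consistent choice. I would reduce the step to `flags: --version=${{steps.get-revision.outputs.REVISION}} --inferJavaBinaries=true` and add an `env:` block with `PIPER_token: ${{inputs.sonarq-token}}` and `PIPER_githubToken: ${{inputs.github-token}}`, assuming sonarExecuteScan reads its `token` parameter from the environment the same way detectExecuteScan does in the sibling action. The `REVISION` output is also written without any check in both actions, so a failed `mvn help:evaluate` yields an empty `--version=` and the scan still runs; capturing it first, `REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)`, then `test -n "$REVISION"`, then `echo "REVISION=$REVISION" >> "$GITHUB_OUTPUT"` fails the step early instead. As a style point, `${{inputs.java-version}}` without inner spaces differs from `${{ inputs.java-version }}` in the blackduck action; pick one form.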
@@ -0,0 +1,33 @@
+name: Blackduck Scan
+
+env:
+ MAVEN_VERSION: "3.9.11"
+
+on:
+ schedule:
+ # Run nightly at 2 AM UTC
+ - cron: "0 2 * * *"
+ workflow_dispatch: # Allow manual trigger
+ pull_request:
+ branches: ["main"]
+ push:
+ branches: ["main"]
+permissions:
+ contents: write
+ id-token: write
+ issues: write
+ pull-requests: write
+
+jobs:
+ blackduck:
+ name: Blackduck Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+ - name: Scan With Black Duck
+ uses: ./.github/actions/scan-with-blackduck
+ with:
+ blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ maven-version: ${{ env.MAVEN_VERSION }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 13fbbe9..d5f0843 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,13 +1,14 @@
-name: PR Build
+name: Build
 env:
- MAVEN_VERSION: '3.9.11'
+ MAVEN_VERSION: "3.9.11"
 on:
+ workflow_dispatch: # Allow manual trigger
 pull_request:
- branches: [ "main" ]
+ branches: ["main"]
 push:
- branches: [ "main" ]
+ branches: ["main"]
 permissions:
 contents: write
 id-token: write
@@ -17,13 +18,20 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
 matrix:
- java-version: [ 17, 21 ]
+ java-version: [17, 21]
 steps:
 - name: Checkout
 uses: actions/checkout@v5
-
 - name: Build
 uses: ./.github/actions/build
 with:
 java-version: ${{ matrix.java-version }}
- maven-version: ${{ env.MAVEN_VERSION }}
\ No newline at end of file
+ maven-version: ${{ env.MAVEN_VERSION }}
+ - name: Sonar Scan
+ uses: ./.github/actions/scan-with-sonar
+ if: matrix.java-version == 21
+ with:
+ java-version: 21
+ maven-version: ${{ env.MAVEN_VERSION }}
+ sonarq-token: ${{ secrets.SONAR_TOKEN }}
+ github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/prepare-next-version.yml b/.github/workflows/prepare-next-version.yml
index 02b859a..0166cbd 100644
--- a/.github/workflows/prepare-next-version.yml
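Review bot: The `permissions` block grants `contents: write`, `id-token: write`, `issues: write` and `pull-requests: write` to a job whose only visible steps are a checkout and the scan; nothing in the hunk shows the scan pushing commits or exchanging an OIDC token, so `contents: read` is the expected baseline, with `issues`/`pull-requests` write kept only if the piper step is known to file findings and `id-token: write` only if it actually performs an OIDC exchange. I would start from `permissions:` with `contents: read` and add scopes as the scan step demonstrably needs them. The workflow also runs on `pull_request` with `secrets.BLACK_DUCK_TOKEN`, which is empty for pull requests opened from forks, so those runs will fail inside the scan rather than be skipped; if fork PRs are expected, gate the job with an `if:` on `github.event.pull_request.head.repo.full_name == github.repository`. Finally, `java-version` is left at the action's default `"17"` while build.yml runs the Sonar scan on 21; passing it explicitly would document which JDK the dependency scan is meant to reflect.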
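Review bot: The new Sonar step hard-codes `java-version: 21` although `if: matrix.java-version == 21` already selects that matrix entry; passing `java-version: ${{ matrix.java-version }}` keeps the two in step if the matrix is changed. The step also receives `secrets.SONAR_TOKEN` on `pull_request` runs, where the secret is unavailable for forked pull requests, so such runs would fail in the scan instead of skipping it; extending the `if:` to also require the head repository to be this repository avoids that. Because the step is part of the `build` job, a scan failure now fails the Java 21 build as a whole, which is consistent with `sonar.qualitygate.wait=true` in `.pipeline/config.yml` but is worth stating in a comment above the step, e.g. `# Quality-gate failure fails the Java 21 build on purpose`. The enclosing `build` job starts outside the hunk.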
+++ b/.github/workflows/prepare-next-version.yml
@@ -1,8 +1,8 @@
-name: Deploy to Maven Central
+name: Prepare Next Version
 env:
- JAVA_VERSION: '17'
- MAVEN_VERSION: '3.9.11'
+ JAVA_VERSION: "17"
+ MAVEN_VERSION: "3.9.11"
 on:
 workflow_dispatch:
diff --git a/.pipeline/config.yml b/.pipeline/config.yml
index 8ccd83c..c38b6bf 100644
--- a/.pipeline/config.yml
+++ b/.pipeline/config.yml
@@ -4,37 +4,35 @@ steps:
 verify: true
 flatten: true
 # https://www.project-piper.io/steps/mavenBuild/#dockerimage
- # If empty, Docker is not used and the command is executed directly on the Jenkins system.
- dockerImage: ''
+ dockerImage: ""
 detectExecuteScan:
- projectName: 'com.sap.cds.feature.console'
 groups:
- - 'CDSJAVA-OPEN-SOURCE'
- serverUrl: 'https://sap.blackducksoftware.com/'
- mavenExcludedScopes: [ "provided", "test" ]
- failOn: [ 'BLOCKER', 'CRITICAL', 'MAJOR' ]
+ - "CDSJAVA-OPEN-SOURCE"
+ serverUrl: "https://sap.blackducksoftware.com/"
+ mavenExcludedScopes: ["provided", "test"]
+ failOn: ["BLOCKER", "CRITICAL", "MAJOR"]
 versioningModel: "major-minor"
- detectTools: [ 'DETECTOR', 'BINARY_SCAN' ]
+ detectTools: ["DETECTOR", "BINARY_SCAN"]
 installArtifacts: true
- repository: '/cap-java/cds-feature-console'
+ owner: "cap-java"
+ repository: "cds-feature-console"
 verbose: true
 scanProperties:
 - --detect.included.detector.types=MAVEN
 - --detect.excluded.directories='**/node_modules,**/*test*,**/localrepo,**/target/site,**/*-site.jar'
 - --detect.maven.build.command='-pl com.sap.cds:cds-feature-console'
 # https://www.project-piper.io/steps/detectExecuteScan/#dockerimage
- # If empty, Docker is not used and the command is executed directly on the Jenkins system.
- dockerImage: ''
+ dockerImage: ""
 sonarExecuteScan:
 serverUrl: https://sonar.tools.sap
 projectKey: cds-feature-console
 # https://www.project-piper.io/steps/sonarExecuteScan/#dockerimage
- # If empty, Docker is not used and the command is executed directly on the Jenkins system.
- dockerImage: ''
+ dockerImage: ""
 options:
 - sonar.qualitygate.wait=true
 - sonar.java.source=17
 - sonar.exclusions=**/node_modules/**,**/target/**
- - sonar.coverage.jacoco.xmlReportPaths=cds-feature-console/target/site/jacoco/jacoco.xml
\ No newline at end of file
+ - sonar.coverage.jacoco.xmlReportPaths=cds-feature-console/target/site/jacoco/jacoco.xml
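Review bot: `projectName: 'com.sap.cds.feature.console'` under `detectExecuteScan` is removed with no replacement while `repository` is split into `owner` and `repository`; if the scan's project name is now meant to be derived from that pair or from the Maven coordinates, a comment above `owner:` saying so would stop a later reader from re-adding the key, and if it is not derived, findings will be filed under a different project than before. The three `# If empty, Docker is not used …` comments are also dropped while `dockerImage: ""` stays in all three steps, so the meaning of the empty value is no longer documented in the file; keeping a one-line form next to each `dockerImage`, e.g. `# empty: no container, the command runs directly on the executing system`, preserves that intent. The rest of the hunk is quoting-style only.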