Skip to content

Merge branch 'main' into dependabot/maven/maven-plugins-6ab5056d5f #9

Merge branch 'main' into dependabot/maven/maven-plugins-6ab5056d5f

Merge branch 'main' into dependabot/maven/maven-plugins-6ab5056d5f #9

Workflow file for this run

name: CI
on:
push:
branches:
- '**'
tags-ignore:
- 'v*'
pull_request:
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
build-and-test:
name: All Tests
runs-on: ubuntu-latest
permissions:
security-events: write # Required to upload Trivy SARIF results to GitHub code scanning.
steps:
- name: Harden Runner
uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
with:
disable-sudo-and-containers: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
check.trivy.dev:443
get.trivy.dev:443
github.com:443
mirror.gcr.io:443
registry.npmjs.org:443
release-assets.githubusercontent.com:443
repo.maven.apache.org:443
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up Java
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
distribution: temurin
java-version: '21'
- name: Set up SBOM tools
uses: ./.github/actions/setup-sbom-tools
with:
github-token: ${{ github.token }}
- name: Build and run tests
run: ./mvnw -B -ntp -P integration-tests,generate-sbom verify
- name: Show WireMock log on failure
if: failure()
run: cat maven-plugin/target/wiremock.log 2>/dev/null || echo "(WireMock log not found)"
# Trivy runs here rather than in ci-guardrails.yml because it scans the
# CycloneDX SBOM produced by the Maven build (target/bom_all.json), which
# contains the exact resolved dependency graph including transitives.
# Scanning the SBOM is strictly more accurate than Trivy's own filesystem
# heuristics, and the SBOM only exists after the build completes.
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.29.0
with:
scan-type: sbom
scan-ref: target/bom_all.json
format: sarif
output: trivy-results.sarif
severity: HIGH,CRITICAL
ignore-unfixed: true
- name: Upload Trivy SARIF file
if: always()
uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
with:
sarif_file: trivy-results.sarif