Skip to content

build(deps): bump the dependencies group across 1 directory with 4 up… #267

build(deps): bump the dependencies group across 1 directory with 4 up…

build(deps): bump the dependencies group across 1 directory with 4 up… #267

Workflow file for this run

name: CI
on:
push:
branches:
- 'main'
tags-ignore:
- 'v*'
pull_request:
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
build-and-test:
name: All Tests
runs-on: ubuntu-latest
permissions:
security-events: write # Required to upload Trivy SARIF results to GitHub code scanning.
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
check.trivy.dev:443
get.trivy.dev:443
github.com:443
mirror.gcr.io:443
registry.npmjs.org:443
release-assets.githubusercontent.com:443
repo.maven.apache.org:443
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Set up Java
uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5.4.0
with:
distribution: temurin
java-version: '21'
- name: Set up SBOM tools
uses: ./.github/actions/setup-sbom-tools
with:
github-token: ${{ github.token }}
- name: Build and run tests
run: ./mvnw -B -ntp -P integration-tests,generate-sbom verify
- name: Show WireMock log on failure
if: failure()
run: cat maven-plugin/target/wiremock.log 2>/dev/null || echo "(WireMock log not found)"
# Trivy runs here rather than in ci-guardrails.yml because it scans the
# CycloneDX SBOM produced by the Maven build (target/bom_all.json), which
# contains the exact resolved dependency graph including transitives.
# Scanning the SBOM is strictly more accurate than Trivy's own filesystem
# heuristics, and the SBOM only exists after the build completes.
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
scan-type: sbom
scan-ref: target/bom_all.json
format: sarif
output: trivy-results.sarif
severity: HIGH,CRITICAL
ignore-unfixed: true
- name: Upload Trivy SARIF file
if: always()
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: trivy-results.sarif