Alfresco Transform Core CI #1191
# Workflow header: display name, triggers, and workflow-wide environment.
# NOTE(review): the page this copy was taken from flagged the file as containing
# bidirectional Unicode characters. None are visible in this copy; inspect the raw
# file in an editor that reveals hidden characters before trusting what is rendered.
name: Alfresco Transform Core CI

on:
  # Pushes to the main line and to feature/fix/service-pack/hotfix/ticket branches.
  push:
    branches:
      - master
      - feature/**
      - fix/**
      - SP/**
      - HF/**
      - ATS-**
      - ACS-**
      - MNT-**
  # For pull_request the branch filter matches the PR's base (target) branch.
  pull_request:
    branches:
      - master
      - feature/**
      - fix/**
      - SP/**
      - HF/**
  # Weekly run: minute 0, hour 5, day-of-week 1 (Monday); GitHub evaluates cron in UTC.
  schedule:
    - cron: "0 5 * * 1"
  # Manual trigger from the Actions UI or API.
  workflow_dispatch:

# Workflow-level env is inherited by every job and every step below, including the
# third-party actions and the pull_request-triggered jobs.
# NOTE(review): that hands registry, Nexus and bot-token credentials to steps that
# may not need them (e.g. pre_commit). Which jobs actually read them is not visible
# here (the _ci/*.sh scripts and the Maven settings are outside this file); consider
# moving each secret to the narrowest job- or step-level env that uses it.
env:
  DOCKERHUB_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
  DOCKERHUB_USERNAME: ${{ secrets.DOCKER_USERNAME }}
  NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
  NEXUS_USERNAME: ${{ secrets.NEXUS_USERNAME }}
  QUAY_PASSWORD: ${{ secrets.QUAY_PASSWORD }}
  QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
  GIT_USERNAME: ${{ secrets.BOT_GITHUB_USERNAME }}
  GIT_EMAIL: ${{ secrets.BOT_GITHUB_EMAIL }}
  GIT_PASSWORD: ${{ secrets.BOT_GITHUB_TOKEN }}
  # Read below via fromJSON(...) as the timeout-minutes of the long build/test steps.
  GITHUB_ACTIONS_DEPLOY_TIMEOUT: 60
# Job definitions.
#
# NOTE: wherever a `uses:` value ends in `[email protected]`, this copy's source page
# appears to have replaced the `<action-name>@<ref>` suffix with an e-mail-obfuscation
# placeholder. The real action names and refs cannot be recovered from this page and
# must be restored from the repository before the workflow can run.
#
# NOTE(review): no `permissions:` key appears at workflow or job level, so GITHUB_TOKEN
# gets the repository/organisation default scopes. Declaring the minimum each job needs
# is the least-privilege option; the scopes the Alfresco and Veracode actions require
# are not visible here, so confirm before tightening.
#
# NOTE(review): actions/checkout@v4, docker/login-action@v3, docker/setup-qemu-action@v3
# and actions/upload-artifact@v4 are referenced by major-version tag, which the action
# owner can move. Pinning to a full commit SHA makes the executed code immutable.
jobs:
  # Pre-commit checks over the files changed by the triggering event.
  pre_commit:
    runs-on: ubuntu-latest
    steps:
      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
      # fetch-depth 0 fetches the full history instead of a shallow clone.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - id: changed-files
        uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
        with:
          write-list-to-env: true
      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]

  # Software-composition analysis; runs on master and on pull requests.
  veracode_sca:
    name: "Veracode - Source Clear Scan (SCA)"
    runs-on: ubuntu-latest
    if: >
      github.ref_name == 'master' ||
      github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v4
      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
      # Drop *-SNAPSHOT* directories from the local Maven repository before scanning.
      - name: "Clean-up SNAPSHOT artifacts"
        run: find "${HOME}/.m2/repository/" -type d -name "*-SNAPSHOT*" | xargs -r -l rm -rf
      # NOTE(review): continue-on-error means a failing scan step does not fail this
      # job, so `release` (which lists veracode_sca in `needs`) is not blocked by it.
      # The SCA result is advisory only as configured.
      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
        continue-on-error: true
        with:
          srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }}

  # Static analysis of the built jars against a stored baseline.
  # Runs for master, SP/*, HF/* and pull requests; skipped for dependabot and when the
  # head commit message contains `[skip tests]`.
  # NOTE(review): `release` does not list this job in `needs`, so a SAST failure
  # (fail_build: true below) does not by itself stop a release — confirm that is intended.
  # NOTE(review): github.event.head_commit belongs to the push event payload; on
  # pull_request events it is presumably empty, so the skip marker would have no effect
  # there — verify.
  veracode_sast:
    name: "Pipeline SAST Scan"
    runs-on: ubuntu-latest
    if: >
      (github.ref_name == 'master' || startsWith(github.ref_name, 'SP/') || startsWith(github.ref_name, 'HF/') || github.event_name == 'pull_request') &&
      github.actor != 'dependabot[bot]' &&
      !contains(github.event.head_commit.message, '[skip tests]')
    steps:
      - uses: actions/checkout@v4
      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
      - name: "Login to Docker Hub"
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: "Login to Quay.io"
        uses: docker/login-action@v3
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}
      # Judging by its inputs, this fetches the scan baseline from a separate
      # repository using the bot token and stores it as baseline.json.
      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
          repository: "Alfresco/veracode-baseline-archive"
          file-path: "alfresco-transform-core/alfresco-transform-core-baseline.json"
          target: "baseline.json"
      - name: "Build"
        run: mvn -B -U install -DskipTests
      # Collect the main jars (javadoc, sources and tests jars excluded) into to-scan/,
      # strip three bundled third-party jars, then zip the directory for upload.
      # The stripped jars are therefore not covered by this SAST scan.
      - name: "Create zip"
        run: |
          mkdir -p to-scan
          for file in engines/aio/target/alfresco-transform-core-aio-*.jar engines/base/target/alfresco-base-t-engine-*.jar model/target/alfresco-transform-model-*.jar
          do
            if [[ $file != *javadoc.jar ]] && [[ $file != *sources.jar ]] && [[ $file != *tests.jar ]]; then
              mv "$file" to-scan/
            fi
          done
          # Removing the aspectjweaver and bouncycastle jars from the scan, since Veracode detects them as 1st party code and fails the scan. TO BE REVERTED ONCE VERACODE FIXES THE ISSUE
          zip -d to-scan/alfresco-transform*.jar "BOOT-INF/lib/bcmail-jdk18on-*.jar" "BOOT-INF/lib/bcprov-jdk18on-*.jar" "BOOT-INF/lib/aspectjweaver*.jar"
          zip -r to-scan.zip to-scan
      # fail_build: true makes findings fail this job; baseline_file points at the
      # baseline.json downloaded above.
      - name: "Run SAST Scan"
        uses: veracode/[email protected]
        with:
          vid: ${{ secrets.VERACODE_API_ID }}
          vkey: ${{ secrets.VERACODE_API_KEY }}
          file: "to-scan.zip"
          fail_build: true
          project_name: alfresco-transform-core
          issue_details: true
          veracode_policy_name: Alfresco Default
          summary_output: true
          summary_output_file: results.json
          summary_display: true
          baseline_file: baseline.json
          include: "to-scan/alfresco*"
      # Despite its name this step only zips results.json; the upload is the next step.
      # `success() || failure()` keeps both steps running after a failed scan, but not
      # after a cancellation.
      - name: Upload scan result
        if: success() || failure()
        run: zip readable_output.zip results.json
      - name: Upload Artifact
        if: success() || failure()
        uses: actions/upload-artifact@v4
        with:
          name: Veracode Pipeline-Scan Results (Human Readable)
          path: readable_output.zip

  # PMD static analysis; pull requests only.
  # NOTE(review): both skip markers test github.event.head_commit.message, which is
  # presumably empty on pull_request events, so they may never take effect — verify.
  pmd_scan:
    name: "PMD Scan"
    runs-on: ubuntu-latest
    if: >
      github.event_name == 'pull_request' &&
      !contains(github.event.head_commit.message, '[skip pmd]') &&
      !contains(github.event.head_commit.message, '[skip tests]')
    steps:
      - uses: actions/checkout@v4
      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
      - uses: Alfresco/[email protected]
        with:
          classpath-build-command: "mvn -ntp package -DskipTests"

  # Snapshot build and `mvn deploy` of the base profile; master only, never on PRs.
  build_and_test:
    name: "Core & Base Snapshot deployment"
    runs-on: ubuntu-latest
    if: >
      github.ref_name == 'master' &&
      github.event_name != 'pull_request'
    steps:
      - uses: actions/checkout@v4
      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
      - name: "Login to Docker Hub"
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: "Login to Quay.io"
        uses: docker/login-action@v3
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}
      # Overwrites /etc/docker/daemon.json on the runner and restarts the daemon.
      - name: "Enable experimental docker features"
        run: |
          echo '{"experimental":true}' | sudo tee /etc/docker/daemon.json
          sudo service docker restart
      - name: "Clean-up SNAPSHOT artifacts"
        run: find "${HOME}/.m2/repository/" -type d -name "*-SNAPSHOT*" | xargs -r -l rm -rf
      - name: "Build"
        timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
        run: mvn -B -U -q clean install -DadditionalOption=-Xdoclint:none -DskipTests -Dmaven.javadoc.skip=true -Dmaven.wagon.http.pool=false -Pbase
      - name: "Cache LibreOffice"
        run: bash _ci/cache_artifacts.sh
      # `deploy` publishes artifacts; presumably authenticated with the NEXUS_*
      # values from the workflow env — confirm against the Maven settings.
      - name: "Run tests"
        timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
        run: mvn -B -U clean deploy -DadditionalOption=-Xdoclint:none -Dmaven.javadoc.skip=true -Dmaven.wagon.http.pool=false -Pbase

  # Per-engine docker image build and test. There is no `if:`, so this runs for every
  # trigger, pull requests included; fail-fast is off so one engine failing does not
  # cancel the others.
  all_tests_matrix:
    name: ${{ matrix.testName }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - testName: ImageMagick
            buildProfile: imagemagick
            testProfile: imagemagick
          - testName: LibreOffice
            buildProfile: libreoffice
            testProfile: libreoffice
          - testName: Transform Misc
            buildProfile: misc
            testProfile: misc
          - testName: PDF Renderer
            buildProfile: pdf-renderer
            testProfile: pdf-renderer
          - testName: Tika
            buildProfile: tika
            testProfile: tika
          - testName: All in One Transformer
            buildProfile: full-build
            testProfile: aio-test
    steps:
      - uses: actions/checkout@v4
      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
      - name: "Login to Docker Hub"
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: "Login to Quay.io"
        uses: docker/login-action@v3
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}
      - name: "Enable experimental docker features"
        run: |
          echo '{"experimental":true}' | sudo tee /etc/docker/daemon.json
          sudo service docker restart
      - name: "Clean-up SNAPSHOT artifacts"
        run: find "${HOME}/.m2/repository/" -type d -name "*-SNAPSHOT*" | xargs -r -l rm -rf
      # The matrix values expanded into the two `run:` lines below are the fixed
      # literals declared above, so no event-supplied text reaches the shell. If a
      # matrix value ever becomes derived from event data, pass it through `env:`
      # and quote it in the script instead of expanding it inline.
      - name: "Build local docker image"
        timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
        run: bash _ci/build.sh ${{ matrix.buildProfile }}
      - name: "Cache LibreOffice"
        run: bash _ci/cache_artifacts.sh
      - name: "Run tests"
        timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
        run: bash _ci/test.sh ${{ matrix.testProfile }}

  # Release job. Runs only when the head commit message contains `[release]`, the
  # event is not a pull request, and the ref is master, SP/* or HF/*.
  # `!(failure() || cancelled())` lets it proceed when a needed job was skipped
  # (build_and_test is master-only, so it is skipped on SP/* and HF/*), while still
  # blocking on a failed or cancelled one.
  release:
    name: "Release"
    runs-on: ubuntu-latest
    needs:
      - veracode_sca
      - build_and_test
      - all_tests_matrix
    if: >
      !(failure() || cancelled()) &&
      contains(github.event.head_commit.message, '[release]') &&
      github.event_name != 'pull_request' &&
      (github.ref_name == 'master' || startsWith(github.ref_name, 'SP/') || startsWith(github.ref_name, 'HF/'))
    steps:
      # persist-credentials: false keeps the checkout token out of the local git
      # config; this is the only checkout in the workflow that sets it.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
        with:
          platforms: linux/amd64,linux/arm64
      - name: "Login to Docker Hub"
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: "Login to Quay.io"
        uses: docker/login-action@v3
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}
      - name: "Enable experimental docker features"
        run: |
          echo '{"experimental":true}' | sudo tee /etc/docker/daemon.json
          sudo service docker restart
      - name: "Clean-up SNAPSHOT artifacts"
        run: find "${HOME}/.m2/repository/" -type d -name "*-SNAPSHOT*" | xargs -r -l rm -rf
      # Judging by its inputs, this sets the global git author to the bot identity.
      - uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
        with:
          username: ${{ env.GIT_USERNAME }}
          email: ${{ env.GIT_EMAIL }}
          global: true
      - name: "Cache LibreOffice"
        run: bash _ci/cache_artifacts.sh
      # The script is outside this file; it presumably pushes using the bot
      # credentials from the workflow env — confirm.
      - name: "Release"
        timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
        run: bash _ci/release.sh