Skip to content

Alfresco Transform Core CI #1194

Alfresco Transform Core CI

Alfresco Transform Core CI #1194

Workflow file for this run

name: Alfresco Transform Core CI
on:
push:
branches:
- master
- feature/**
- fix/**
- SP/**
- HF/**
- ATS-**
- ACS-**
- MNT-**
pull_request:
branches:
- master
- feature/**
- fix/**
- SP/**
- HF/**
schedule:
- cron: '0 5 * * 1'
workflow_dispatch:
env:
DOCKERHUB_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
DOCKERHUB_USERNAME: ${{ secrets.DOCKER_USERNAME }}
NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
NEXUS_USERNAME: ${{ secrets.NEXUS_USERNAME }}
QUAY_PASSWORD: ${{ secrets.QUAY_PASSWORD }}
QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
GIT_USERNAME: ${{ secrets.BOT_GITHUB_USERNAME }}
GIT_EMAIL: ${{ secrets.BOT_GITHUB_EMAIL }}
GIT_PASSWORD: ${{ secrets.BOT_GITHUB_TOKEN }}
GITHUB_ACTIONS_DEPLOY_TIMEOUT: 60
jobs:
pre_commit:
runs-on: ubuntu-latest
steps:
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: actions/checkout@v4
with:
fetch-depth: 0
- id: changed-files
uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
with:
write-list-to-env: true
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
veracode_sca:
name: "Veracode - Source Clear Scan (SCA)"
runs-on: ubuntu-latest
if: >
github.ref_name == 'master' ||
github.event_name == 'pull_request'
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- name: "Clean-up SNAPSHOT artifacts"
run: find "${HOME}/.m2/repository/" -type d -name "*-SNAPSHOT*" | xargs -r -l rm -rf
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
continue-on-error: true
with:
srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }}
veracode_sast:
name: "Pipeline SAST Scan"
runs-on: ubuntu-latest
if: >
(github.ref_name == 'master' || startsWith(github.ref_name, 'SP/') || startsWith(github.ref_name, 'HF/') || github.event_name == 'pull_request') &&
github.actor != 'dependabot[bot]' &&
!contains(github.event.head_commit.message, '[skip tests]')
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- name: "Login to Docker Hub"
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: "Login to Quay.io"
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
with:
token: ${{ secrets.BOT_GITHUB_TOKEN }}
repository: "Alfresco/veracode-baseline-archive"
file-path: "alfresco-transform-core/alfresco-transform-core-baseline.json"
target: "baseline.json"
- name: "Build"
run: mvn -B -U install -DskipTests
- name: "Create zip"
run: |
mkdir -p to-scan
for file in engines/aio/target/alfresco-transform-core-aio-*.jar engines/base/target/alfresco-base-t-engine-*.jar model/target/alfresco-transform-model-*.jar
do
if [[ $file != *javadoc.jar ]] && [[ $file != *sources.jar ]] && [[ $file != *tests.jar ]]; then
mv "$file" to-scan/
fi
done
# Removing the aspectjweaver and bouncycastle jars from the scan, since Veracode detects them as 1st party code and fails the scan. TO BE REVERTED ONCE VERACODE FIXES THE ISSUE
zip -d to-scan/alfresco-transform*.jar "BOOT-INF/lib/bcmail-jdk18on-*.jar" "BOOT-INF/lib/bcprov-jdk18on-*.jar" "BOOT-INF/lib/aspectjweaver*.jar"
zip -r to-scan.zip to-scan
- name: "Run SAST Scan"
uses: veracode/[email protected]
with:
vid: ${{ secrets.VERACODE_API_ID }}
vkey: ${{ secrets.VERACODE_API_KEY }}
file: "to-scan.zip"
fail_build: true
project_name: alfresco-transform-core
issue_details: true
veracode_policy_name: Alfresco Default
summary_output: true
summary_output_file: results.json
summary_display: true
baseline_file: baseline.json
include: "to-scan/alfresco*"
- name: Upload scan result
if: success() || failure()
run: zip readable_output.zip results.json
- name: Upload Artifact
if: success() || failure()
uses: actions/upload-artifact@v4
with:
name: Veracode Pipeline-Scan Results (Human Readable)
path: readable_output.zip
pmd_scan:
name: "PMD Scan"
runs-on: ubuntu-latest
if: >
github.event_name == 'pull_request' &&
!contains(github.event.head_commit.message, '[skip pmd]') &&
!contains(github.event.head_commit.message, '[skip tests]')
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/[email protected]
with:
classpath-build-command: "mvn -ntp package -DskipTests"
build_and_test:
name: "Core & Base Snapshot deployment"
runs-on: ubuntu-latest
if: >
github.ref_name == 'master' &&
github.event_name != 'pull_request'
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- name: "Login to Docker Hub"
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: "Login to Quay.io"
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: "Enable experimental docker features"
run: |
echo '{"experimental":true}' | sudo tee /etc/docker/daemon.json
sudo service docker restart
- name: "Clean-up SNAPSHOT artifacts"
run: find "${HOME}/.m2/repository/" -type d -name "*-SNAPSHOT*" | xargs -r -l rm -rf
- name: "Build"
timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
run: mvn -B -U -q clean install -DadditionalOption=-Xdoclint:none -DskipTests -Dmaven.javadoc.skip=true -Dmaven.wagon.http.pool=false -Pbase
- name: "Cache LibreOffice"
run: bash _ci/cache_artifacts.sh
- name: "Run tests"
timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
run: mvn -B -U clean deploy -DadditionalOption=-Xdoclint:none -Dmaven.javadoc.skip=true -Dmaven.wagon.http.pool=false -Pbase
all_tests_matrix:
name: ${{ matrix.testName }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- testName: ImageMagick
buildProfile: imagemagick
testProfile: imagemagick
- testName: LibreOffice
buildProfile: libreoffice
testProfile: libreoffice
- testName: Transform Misc
buildProfile: misc
testProfile: misc
- testName: PDF Renderer
buildProfile: pdf-renderer
testProfile: pdf-renderer
- testName: Tika
buildProfile: tika
testProfile: tika
- testName: All in One Transformer
buildProfile: full-build
testProfile: aio-test
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- name: "Login to Docker Hub"
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: "Login to Quay.io"
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: "Enable experimental docker features"
run: |
echo '{"experimental":true}' | sudo tee /etc/docker/daemon.json
sudo service docker restart
- name: "Clean-up SNAPSHOT artifacts"
run: find "${HOME}/.m2/repository/" -type d -name "*-SNAPSHOT*" | xargs -r -l rm -rf
- name: "Build local docker image"
timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
run: bash _ci/build.sh ${{ matrix.buildProfile }}
- name: "Cache LibreOffice"
run: bash _ci/cache_artifacts.sh
- name: "Run tests"
timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
run: bash _ci/test.sh ${{ matrix.testProfile }}
release:
name: "Release"
runs-on: ubuntu-latest
needs: [veracode_sca, build_and_test, all_tests_matrix]
if: >
!(failure() || cancelled()) &&
contains(github.event.head_commit.message, '[release]') &&
github.event_name != 'pull_request' &&
(github.ref_name == 'master' || startsWith(github.ref_name, 'SP/') || startsWith(github.ref_name, 'HF/'))
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: linux/amd64,linux/arm64
- name: "Login to Docker Hub"
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: "Login to Quay.io"
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: "Enable experimental docker features"
run: |
echo '{"experimental":true}' | sudo tee /etc/docker/daemon.json
sudo service docker restart
- name: "Clean-up SNAPSHOT artifacts"
run: find "${HOME}/.m2/repository/" -type d -name "*-SNAPSHOT*" | xargs -r -l rm -rf
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
with:
username: ${{ env.GIT_USERNAME }}
email: ${{ env.GIT_EMAIL }}
global: true
- name: "Cache LibreOffice"
run: bash _ci/cache_artifacts.sh
- name: "Release"
timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
run: bash _ci/release.sh