.github/workflows/ci.yml

name: Gytheio CI

on:
  pull_request:
    branches:
      - master
      - SP/**
      - HF/**
      - ACS-**
      - feature/**
  push:
    branches:
      - master
      - SP/**
      - HF/**
      - ACS-**
      - feature/**
  schedule:
    - cron: '0 5 * * 3'
  workflow_dispatch:

env:
  MAVEN_USERNAME: ${{ secrets.NEXUS_USERNAME }}
  MAVEN_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
  GIT_USERNAME: ${{ secrets.BOT_GITHUB_USERNAME }}
  GIT_PASSWORD: ${{ secrets.BOT_GITHUB_TOKEN }}
  AWS_REGION: eu-west-1

jobs:
  veracode_sca:
    name: "Source Clear Scan (SCA)"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/veracode@v7.0.0
        continue-on-error: true
        with:
          srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }}

  veracode_sast:
    name: "Pipeline SAST Scan"
    runs-on: ubuntu-latest
    if: >
      (github.ref_name == 'master' || startsWith(github.ref_name, 'SP/') || startsWith(github.ref_name, 'HF/') || github.event_name == 'pull_request') &&
      github.actor != 'dependabot[bot]' &&
      !contains(github.event.head_commit.message, '[skip build]')
    steps:
      - uses: actions/checkout@v4
      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
      - name: "Login to Docker Hub"
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: "Login to Quay.io"
        uses: docker/login-action@v3
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}
      - uses: Alfresco/alfresco-build-tools/.github/actions/github-download-file@v7.0.0
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
          repository: "Alfresco/veracode-baseline-archive"
          file-path: "gytheio/gytheio-baseline.json"
          target: "baseline.json"
      - name: "Build"
        run: mvn -B -U install -DskipTests
      - name: Create zip
        run: find gytheio*/gytheio*/target gytheio*/target -name '*.jar'  -exec zip -y -r to-scan.zip {} +
      - name: "Run SAST Scan"
        uses: veracode/Veracode-pipeline-scan-action@v1.0.16
        with:
          vid: ${{ secrets.VERACODE_API_ID }}
          vkey: ${{ secrets.VERACODE_API_KEY }}
          file: "to-scan.zip"
          fail_build: true
          project_name: gytheio
          issue_details: true
          veracode_policy_name: Alfresco Default
          summary_output: true
          summary_output_file: results.json
          summary_display: true
          baseline_file: baseline.json
      - name: Upload scan result
        if: success() || failure()
        run: zip readable_output.zip results.json
      - name: Upload Artifact
        if: success() || failure()
        uses: actions/upload-artifact@v4
        with:
          name: Veracode Pipeline-Scan Results (Human Readable)
          path: readable_output.zip

  build:
    name: "Build"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
      - name: "Remove SNAPSHOT artifacts"
        run: find "${HOME}/.m2/repository/" -type d -name "*-SNAPSHOT*" | xargs -r -l rm -rf
      - name: "Install ImageMagick to parse PDFs"
        run: |
          sudo apt-get update
          sudo apt-get install -q -y imagemagick ghostscript ffmpeg
          # ImageMagick6's default security policy doesn't allow it to parse PDFs
          sudo sed -i '/PDF/s/none/read|write/' /etc/ImageMagick-6/policy.xml
      - name: "Configure AWS credentials"
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_S3_BUCKET_CREATE_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_S3_BUCKET_CREATE_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}
      - name: "Build and test"
        run: bash _ci/build.sh

  release:
    name: "Release"
    needs: [veracode_sca, build]
    runs-on: ubuntu-latest
    if: >
      contains(github.event.head_commit.message, '[release]') &&
      github.event_name != 'pull_request' &&
      (github.ref_name == 'master' || startsWith(github.ref_name, 'SP/') || startsWith(github.ref_name, 'HF/'))
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v7.0.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v7.0.0
      - uses: Alfresco/alfresco-build-tools/.github/actions/configure-git-author@v7.0.0
        with:
          username: ${{ secrets.BOT_GITHUB_USERNAME }}
          email: ${{ secrets.BOT_GITHUB_EMAIL }}
      - name: "Remove SNAPSHOT artifacts"
        run: find "${HOME}/.m2/repository/" -type d -name "*-SNAPSHOT*" | xargs -r -l rm -rf
      - name: "Release"
        run: bash _ci/release.sh