fix: pom.xml to reduce vulnerabilities #2395
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# DSpace Continuous Integration/Build via GitHub Actions | |
# Concepts borrowed from | |
# https://docs.github.com/en/free-pro-team@latest/actions/guides/building-and-testing-java-with-maven | |
name: Build | |
# Run this Build for all pushes / PRs to current branch | |
on: [push, pull_request] | |
permissions: | |
contents: read # to fetch code (actions/checkout) | |
jobs: | |
tests: | |
runs-on: ubuntu-latest | |
env: | |
# Give Maven 1GB of memory to work with | |
MAVEN_OPTS: "-Xmx1024M" | |
strategy: | |
# Create a matrix of two separate configurations for Unit vs Integration Tests | |
# This will ensure those tasks are run in parallel | |
# Also specify version of Java to use (this can allow us to optionally run tests on multiple JDKs in future) | |
matrix: | |
include: | |
# NOTE: Unit Tests include deprecated REST API v6 (as it has unit tests) | |
# - surefire.rerunFailingTestsCount => try again for flakey tests, and keep track of/report on number of retries | |
- type: "Unit Tests" | |
java: 11 | |
mvnflags: "-DskipUnitTests=false -Pdspace-rest -Dsurefire.rerunFailingTestsCount=2" | |
resultsdir: "**/target/surefire-reports/**" | |
# NOTE: ITs skip all code validation checks, as they are already done by Unit Test job. | |
# - enforcer.skip => Skip maven-enforcer-plugin rules | |
# - checkstyle.skip => Skip all checkstyle checks by maven-checkstyle-plugin | |
# - license.skip => Skip all license header checks by license-maven-plugin | |
# - xml.skip => Skip all XML/XSLT validation by xml-maven-plugin | |
# - failsafe.rerunFailingTestsCount => try again for flakey tests, and keep track of/report on number of retries | |
- type: "Integration Tests" | |
java: 11 | |
mvnflags: "-DskipIntegrationTests=false -Denforcer.skip=true -Dcheckstyle.skip=true -Dlicense.skip=true -Dxml.skip=true -Dfailsafe.rerunFailingTestsCount=2" | |
resultsdir: "**/target/failsafe-reports/**" | |
# Do NOT exit immediately if one matrix job fails | |
# This ensures ITs continue running even if Unit Tests fail, or visa versa | |
fail-fast: false | |
name: Run ${{ matrix.type }} | |
# These are the actual CI steps to perform per job | |
steps: | |
# https://github.com/actions/checkout | |
- name: Checkout codebase | |
uses: actions/checkout@v3 | |
# https://github.com/actions/setup-java | |
- name: Install JDK ${{ matrix.java }} | |
uses: actions/setup-java@v3 | |
with: | |
java-version: ${{ matrix.java }} | |
distribution: 'temurin' | |
# https://github.com/actions/cache | |
- name: Cache Maven dependencies | |
uses: actions/cache@v3 | |
with: | |
# Cache entire ~/.m2/repository | |
path: ~/.m2/repository | |
# Cache key is hash of all pom.xml files. Therefore any changes to POMs will invalidate cache | |
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} | |
restore-keys: ${{ runner.os }}-maven- | |
# Run parallel Maven builds based on the above 'strategy.matrix' | |
- name: Run Maven ${{ matrix.type }} | |
env: | |
TEST_FLAGS: ${{ matrix.mvnflags }} | |
run: mvn --no-transfer-progress -V install -P-assembly -Pcoverage-report $TEST_FLAGS | |
# If previous step failed, save results of tests to downloadable artifact for this job | |
# (This artifact is downloadable at the bottom of any job's summary page) | |
- name: Upload Results of ${{ matrix.type }} to Artifact | |
if: ${{ failure() }} | |
uses: actions/upload-artifact@v3 | |
with: | |
name: ${{ matrix.type }} results | |
path: ${{ matrix.resultsdir }} | |
# Upload code coverage report to artifact, so that it can be shared with the 'codecov' job (see below) | |
- name: Upload code coverage report to Artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: ${{ matrix.type }} coverage report | |
path: 'dspace/target/site/jacoco-aggregate/jacoco.xml' | |
retention-days: 14 | |
# Codecov upload is a separate job in order to allow us to restart this separate from the entire build/test | |
# job above. This is necessary because Codecov uploads seem to randomly fail at times. | |
# See https://community.codecov.com/t/upload-issues-unable-to-locate-build-via-github-actions-api/3954 | |
codecov: | |
# Must run after 'tests' job above | |
needs: tests | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
# Download artifacts from previous 'tests' job | |
- name: Download coverage artifacts | |
uses: actions/download-artifact@v3 | |
# Now attempt upload to Codecov using its action. | |
# NOTE: We use a retry action to retry the Codecov upload if it fails the first time. | |
# | |
# Retry action: https://github.com/marketplace/actions/retry-action | |
# Codecov action: https://github.com/codecov/codecov-action | |
- name: Upload coverage to Codecov.io | |
uses: Wandalen/[email protected] | |
with: | |
action: codecov/codecov-action@v3 | |
# Try upload 5 times max | |
attempt_limit: 5 | |
# Run again in 30 seconds | |
attempt_delay: 30000 |