
Fix security issues #226


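# This file was generated by Project Keeper.
# NOTE(review): the hand edits in this file (block-style collections, quoted
# version strings, env-var use in `run` steps, the link-check JSON comma fix)
# will be overwritten by the next Project Keeper run unless they are carried
# into the generator's template as well.
name: CI Build
on:
  push:
    branches:
      - main
  pull_request: null
jobs:
  matrix-build:
    runs-on: ubuntu-20.04
    defaults:
      run:
        shell: bash
    # Read-only token for the build/test job; nothing here needs to write.
    permissions:
      contents: read
    concurrency:
      group: '${{ github.workflow }}-${{ github.ref }}-${{ matrix.exasol_db_version }}'
      cancel-in-progress: true
    strategy:
      fail-fast: false
      matrix:
        # Quoted so no YAML loader can ever read a version as a number.
        exasol_db_version:
          - '8.32.0'
          - '7.1.30'
    env:
      DEFAULT_EXASOL_DB_VERSION: '8.32.0'
    steps:
      - name: Free Disk Space
        id: free-disk-space
        if: ${{ true }}
        run: |
          sudo rm -rf /usr/local/lib/android
          sudo rm -rf /usr/share/dotnet
      - name: Checkout the repository
        id: checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up JDKs
        id: setup-java
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: |-
            11
            17
          cache: maven
      - name: Cache SonarCloud packages
        id: cache-sonar
        uses: actions/cache@v4
        with:
          path: ~/.sonar/cache
          key: '${{ runner.os }}-sonar'
          restore-keys: '${{ runner.os }}-sonar'
      - name: Enable testcontainer reuse
        id: enable-testcontainer-reuse
        run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties"
      - name: Run tests and build with Maven
        id: build-pk-verify
        # The DB version is read from the step's env (set below to the same
        # matrix value) instead of being interpolated with ${{ }} into the
        # shell line, so the script text never contains an expression
        # expansion — the recommended pattern for `run` steps.
        run: |
          mvn --batch-mode clean verify \
            -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
            -DtrimStackTrace=false \
            -Dcom.exasol.dockerdb.image="$EXASOL_DB_VERSION"
        env:
          EXASOL_DB_VERSION: '${{ matrix.exasol_db_version }}'
      - name: Sonar analysis
        id: sonar-analysis
        # Only one matrix leg (the default DB version) reports to Sonar, and
        # only when a token is available (forks / dependabot have none).
        if: ${{ env.SONAR_TOKEN != null && matrix.exasol_db_version == env.DEFAULT_EXASOL_DB_VERSION }}
        # NOTE(review): the token is passed on the command line as well as via
        # the SONAR_TOKEN env var; a command-line argument is visible in process
        # listings on the runner. If the scanner version in use reads the token
        # from the environment, the -Dsonar.token argument can be dropped —
        # confirm against the plugin docs before changing.
        run: |
          mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
            -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
            -DtrimStackTrace=false \
            -Dsonar.token=$SONAR_TOKEN
        env:
          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
          SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
      - name: Verify Release Artifacts
        id: verify-release-artifacts
        # Same script as before, written as a literal block scalar instead of
        # a double-quoted string full of \n and \" escapes.
        # Prints each expected artifact to the log and the step summary and
        # fails the step when at least one is missing.
        run: |
          print_message() {
              local -r message=$1
              echo "$message"
              echo "$message" >> "$GITHUB_STEP_SUMMARY"
          }

          print_message "### Release Artifacts"

          # ARTIFACTS is one path per line; split on newlines only.
          IFS=$'\n' artifacts_array=($ARTIFACTS)
          missing_files=()
          for file in "${artifacts_array[@]}";
          do
              echo "Checking if file $file exists..."
              if ! [[ -f "$file" ]]; then
                  print_message "* ⚠️ \`$file\` does not exist ⚠️"
                  echo "Content of directory $(dirname "$file"):"
                  ls "$(dirname "$file")"
                  missing_files+=("$file")
              else
                  print_message "* \`$file\` ✅"
              fi
          done
          print_message ""
          number_of_missing_files=${#missing_files[@]}
          if [[ $number_of_missing_files -gt 0 ]]; then
              print_message "⚠️ $number_of_missing_files release artifact(s) missing ⚠️"
              exit 1
          fi
        env:
          ARTIFACTS: '${{ steps.build-pk-verify.outputs.release-artifacts }}'
      - name: Upload artifacts
        id: upload-artifacts
        uses: actions/upload-artifact@v4
        with:
          name: 'artifacts-exasol-${{ matrix.exasol_db_version }}'
          path: '${{ steps.build-pk-verify.outputs.release-artifacts }}'
          retention-days: 5
      - name: Configure broken links checker
        id: configure-link-check
        # Fix: the original joined the last three pattern objects without
        # commas, which produced invalid JSON. Every entry but the last now
        # ends with a comma.
        run: |
          mkdir -p ./target
          echo '{"aliveStatusCodes": [429, 200], "ignorePatterns": [' \
            '{"pattern": "^https?://(www|dev).mysql.com/"},' \
            '{"pattern": "^https?://(www.)?opensource.org"},' \
            '{"pattern": "^https?://(www.)?eclipse.org"},' \
            '{"pattern": "^https?://projects.eclipse.org"}' \
            ']}' > ./target/broken_links_checker.json
      # NOTE(review): third-party action referenced by a mutable major tag.
      # Pinning to a full commit SHA (`@<commit-sha>  # v1`, SHA to be looked
      # up) makes the resolved code immutable; the `actions/*@v4` references
      # above are the same pattern, although maintained by GitHub.
      - uses: gaurav-nelson/github-action-markdown-link-check@v1
        id: run-link-check
        with:
          # Quoted so YAML-1.1-based tooling does not turn the intended
          # string value into a boolean; the value handed to the action is
          # unchanged.
          use-quiet-mode: 'yes'
          use-verbose-mode: 'yes'
          config-file: ./target/broken_links_checker.json
  next-java-compatibility:
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
    permissions:
      contents: read
    concurrency:
      group: '${{ github.workflow }}-next-java-${{ github.ref }}'
      cancel-in-progress: true
    steps:
      - name: Checkout the repository
        id: checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up JDK 17
        id: setup-java
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
          cache: maven
      - name: Run tests and build with Maven 17
        id: build-next-java
        run: mvn --batch-mode clean package -DtrimStackTrace=false -Djava.version=17
  build:
    needs:
      - matrix-build
      - next-java-compatibility
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
    permissions:
      contents: read
      issues: read
    # Exposed to the release job so it can decide whether to run at all.
    outputs:
      release-required: '${{ steps.check-release.outputs.release-required }}'
    steps:
      - name: Checkout the repository
        id: checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up JDKs
        id: setup-java
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: |-
            11
            17
          cache: maven
      - name: Check if release is needed
        id: check-release
        if: ${{ github.ref == 'refs/heads/main' }}
        # Writes release-required=true|false to GITHUB_OUTPUT depending on
        # whether project-keeper's verify-release goal succeeds.
        run: |
          if mvn --batch-mode com.exasol:project-keeper-maven-plugin:verify-release --projects .; then
            echo "### ✅ Release preconditions met, start release" >> "$GITHUB_STEP_SUMMARY"
            echo "release-required=true" >> "$GITHUB_OUTPUT"
          else
            echo "### 🛑 Not all release preconditions met, skipping release" >> "$GITHUB_STEP_SUMMARY"
            echo "See log output for details." >> "$GITHUB_STEP_SUMMARY"
            echo "release-required=false" >> "$GITHUB_OUTPUT"
          fi
        env:
          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
  start_release:
    needs: build
    # Only the main branch releases, and only when the build job asked for it.
    if: ${{ github.ref == 'refs/heads/main' && needs.build.outputs.release-required == 'true' }}
    concurrency:
      cancel-in-progress: false
      group: release
    secrets: inherit
    # This is the only job with write access; it is scoped to the reusable
    # release workflow below.
    permissions:
      contents: write
      actions: read
      issues: read
    uses: ./.github/workflows/release.yml
    with:
      started-from-ci: true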