# This file was generated by Project Keeper.
# Nightly dependency-vulnerability scan: audits the Maven dependency tree with
# the Sonatype OSS Index plugin, turns the findings into GitHub issues and, if
# any issue was created, hands the issue list to the dependency-update workflow.
name: Report Security Issues

on:
  # Manual trigger, no inputs.
  workflow_dispatch: null
  schedule:
    # Every day at 02:00 (UTC). Quoted so the '*' characters are never read as
    # YAML alias sigils by a stricter parser.
    - cron: '0 2 * * *'

jobs:
  report_security_issues:
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
    # Least privilege for this job: read the checkout, create/update issues.
    permissions:
      contents: read
      issues: write
    # Exposed to downstream jobs; filled by the 'security-issues' step below.
    outputs:
      created-issues: '${{ steps.security-issues.outputs.created-issues }}'
    concurrency:
      group: '${{ github.workflow }}-report_security_issues'
      cancel-in-progress: true
    steps:
      - name: Checkout
        id: checkout
        uses: actions/checkout@v4

      - name: Set up JDKs
        id: setup-jdks
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          # Two JDKs, one per line (block scalar, trailing newline stripped).
          java-version: |-
            11
            17
          cache: maven

      - name: Install Project Keeper
        id: install-project-keeper
        # Plain install; every optional verification plugin is skipped here
        # because the audit itself happens in the next step.
        run: |
          mvn --batch-mode --threads 1C install \
          -Dmaven.test.skip=true -Dproject-keeper.skip=true \
          -Dossindex.skip=true -Dmaven.javadoc.skip=true \
          -Derror-code-crawler.skip=true -Dreproducible.skip=true

      - name: Generate ossindex report
        id: ossindex-report
        # '-Dossindex.fail=false': findings must not fail the build, the JSON
        # report is consumed by the reporting step instead.
        run: |
          mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit \
          org.sonatype.ossindex.maven:ossindex-maven-plugin:audit-aggregate \
          -Dossindex.reportFile=$(pwd)/ossindex-report.json \
          -Dossindex.fail=false

      - name: Report Security Issues
        id: security-issues
        # NOTE(review): '@main' is a mutable ref, so the code this step runs can
        # change between runs without any change in this repository. Pinning the
        # action to a full commit SHA makes the step reproducible and
        # tamper-evident.
        uses: exasol/python-toolbox/.github/actions/security-issues@main
        with:
          format: maven
          # Presumably the action runs this command to obtain the report text —
          # confirm against the action's documentation.
          command: cat ossindex-report.json
          github-token: '${{ secrets.GITHUB_TOKEN }}'

      - name: Output security issues (Debugging)
        id: debug-print-security-issues
        # Echoes the raw step output into the job log (via a scratch file) so a
        # failed hand-over to the next job can be diagnosed from the log.
        run: |
          echo "$CREATED_ISSUES" > test.jsonl
          cat test.jsonl
        env:
          CREATED_ISSUES: '${{ steps.security-issues.outputs.created-issues }}'

  # NOTE(review): the job id contains a typo ('udpate'); it is kept verbatim
  # because a job id can be referenced from outside this file (status checks,
  # other workflows).
  start_dependency_udpate:
    needs: report_security_issues
    # Runs only when the previous job produced a non-empty 'created-issues'
    # output.
    if: ${{ needs.report_security_issues.outputs.created-issues }}
    concurrency:
      group: '${{ github.workflow }}-start_dependency_update'
      cancel-in-progress: false
    # Forwards every secret of this workflow to the reusable workflow; the
    # broader write permissions below are needed for it to open pull requests.
    secrets: inherit
    permissions:
      contents: write
      pull-requests: write
    uses: ./.github/workflows/dependencies_update.yml
    with:
      vulnerability_issues: '${{ needs.report_security_issues.outputs.created-issues }}'