Feat: Add a new reusable workflow for Sonatype Lifecycle
Runs Sonatype Lifecycle scans on Node.js projects.
Required for ONAP, e.g. portal-ng-ui repository.

Signed-off-by: Matthew Watkins <[email protected]>
ModeSevenIndustrialSolutions committed Oct 23, 2024
1 parent cc59fef commit d88fbb4
Showing 3 changed files with 173 additions and 1 deletion.
2 changes: 1 addition & 1 deletion .github/actions/node-build-action/action.yaml
Expand Up @@ -2,7 +2,7 @@
# SPDX-License-Identifier: Apache-2.0
# SPDX-FileCopyrightText: 2024 The Linux Foundation

name: "node-build"
name: "[C] node-build"
description: "Setup Node.js and build a project (with npm or yarn)"

inputs:
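--- a/.github/workflows/call-gerrit-nodejs-sonatype-lifecycle.yaml
+++ b/.github/workflows/call-gerrit-nodejs-sonatype-lifecycle.yaml
@@ -0,0 +1,104 @@
+---
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2024 The Linux Foundation
+
+name: "[G] gerrit-nodejs-sonatype-lifecycle"
+
+# yamllint disable-line rule:truthy
+on:
+workflow_dispatch:
+inputs:
+GERRIT_BRANCH:
+description: "Branch that change is against"
+required: true
+type: string
+GERRIT_CHANGE_ID:
+description: "The ID for the change"
+required: true
+type: string
+GERRIT_CHANGE_NUMBER:
+description: "The Gerrit number"
+required: true
+type: string
+GERRIT_CHANGE_URL:
+description: "URL to the change"
+required: true
+type: string
+GERRIT_EVENT_TYPE:
+description: "Type of Gerrit event"
+required: true
+type: string
+GERRIT_PATCHSET_NUMBER:
+description: "The patch number for the change"
+required: true
+type: string
+GERRIT_PATCHSET_REVISION:
+description: "The revision sha"
+required: true
+type: string
+GERRIT_PROJECT:
+description: "Project in Gerrit"
+required: true
+type: string
+GERRIT_REFSPEC:
+description: "Gerrit refspec of change"
+required: true
+type: string
+
+concurrency:
+# yamllint disable-line rule:line-length
+group: gerrit-merge-${{ github.workflow }}-${{ github.event.inputs.GERRIT_CHANGE_ID || github.run_id }}
+cancel-in-progress: true
+
+jobs:
+notify:
+runs-on: ubuntu-latest
+steps:
+- name: Notify job start
+# yamllint disable-line rule:line-length
+uses: lfit/gerrit-review-action@9627b9a144f2a2cad70707ddfae87c87dce60729 # v0.8
+with:
+host: ${{ vars.GERRIT_SERVER }}
+username: ${{ vars.GERRIT_SSH_USER }}
+key: ${{ secrets.GERRIT_SSH_PRIVKEY }}
+known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }}
+gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
+gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
+vote-type: clear
+- name: Allow replication
+run: sleep 10s
+
+build-nodejs:
+needs: [notify]
+runs-on: ubuntu-latest
+steps:
+- name: "Build Node.js project"
+# yamllint disable-line rule:line-length
+uses: lfit/releng-reusable-workflows/.github/actions/node-build-action@5db64208d04fdb0558e8a3a1a1a762b88ffd483e # Initial release
+
+sonartype-lifecycle:
+name: "Sonatype Lifecycle Scan"
+needs: [notify, build-nodejs]
+# yamllint disable-line rule:line-length
+uses: modeseven-onap/portal-ng-ui/.github/workflows/reuse-sonatype-lifecycle.yaml@master
+secrets:
+NEXUS_IQ_PASSWORD: ${{ secrets.NEXUS_IQ_PASSWORD }}
+
+report-status:
+if: ${{ always() }}
+needs: [notify, build-nodejs, sonartype-lifecycle]
+runs-on: ubuntu-latest
+steps:
+- name: Get workflow conclusion
+uses: technote-space/workflow-conclusion-action@v3
+- name: Report workflow conclusion
+# yamllint disable-line rule:line-length
+uses: lfit/gerrit-review-action@9627b9a144f2a2cad70707ddfae87c87dce60729 # v0.8
+with:
+host: ${{ vars.GERRIT_SERVER }}
+username: ${{ vars.GERRIT_SSH_USER }}
+key: ${{ secrets.GERRIT_SSH_PRIVKEY }}
+known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }}
+gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
+gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
+vote-type: ${{ env.WORKFLOW_CONCLUSION }}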
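Review bot: The `sonartype-lifecycle` job hands `secrets.NEXUS_IQ_PASSWORD` to a reusable workflow fetched from another repository at a mutable branch, `uses: modeseven-onap/portal-ng-ui/.github/workflows/reuse-sonatype-lifecycle.yaml@master`, so whoever can push to that branch decides what runs with the credential; every other `uses:` in this file except `technote-space/workflow-conclusion-action@v3` is pinned to a commit SHA with a version comment. Since this same commit adds `reuse-sonatype-lifecycle.yaml` to this repository, the caller should reference that copy at an immutable ref, e.g. `uses: lfit/releng-reusable-workflows/.github/workflows/reuse-sonatype-lifecycle.yaml@<commit-sha>  # <tag>` (or `./.github/workflows/reuse-sonatype-lifecycle.yaml` if this workflow is only ever dispatched from this repository), and the conclusion action should be pinned the same way. The job id is also misspelled `sonartype-lifecycle` both where it is defined and in the `report-status` `needs:` list; renaming it to `sonatype-lifecycle` in both places keeps it consistent with the job's `name:`.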
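--- a/.github/workflows/reuse-sonatype-lifecycle.yaml
+++ b/.github/workflows/reuse-sonatype-lifecycle.yaml
@@ -0,0 +1,68 @@
+---
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2024 The Linux Foundation
+
+# Runs a Sonatype Lifecycle (Nexus IQ) scan
+name: "[R] sonatype-lifecycle"
+
+# yamllint disable-line rule:truthy
+on:
+workflow_call:
+inputs:
+JAVA_DISTRIBUTION:
+description: "JAVA SE distribution to setup/run for Nexus CLI tool"
+required: false
+type: string
+default: "temurin"
+JAVA_VERSION:
+description: "Java runtime to setup/run for Nexus CLI tool"
+required: false
+type: number
+default: 17
+IQ_CLI_VERSION:
+description: "Specific version of Nexus CLI to setup/run"
+required: false
+type: string
+default: "1.179.0-01"
+APPLICATION_ID:
+description: "Organisation and project name in Nexus IQ"
+required: false
+type: string
+# yamllint disable-line rule:line-length
+default: ${{ github.repository_owner }}-${{ github.event.repository.name }}
+SCAN_TARGETS:
+description: "Location of file(s) or folder(s) to scan"
+required: false
+type: string
+default: "."
+# Re-usable workflow requires secrets be explicitly passed
+secrets:
+NEXUS_IQ_PASSWORD:
+description: "Nexus IQ Password"
+required: true
+
+jobs:
+sonatype-cli:
+name: "Scan"
+runs-on: ubuntu-latest
+steps:
+- name: Setup Sonatype CLI
+uses: sonatype/actions/setup-iq-cli@v1
+with:
+iq-cli-version: ${{ inputs.IQ_CLI_VERSION }}
+
+# Sonatype CLI requires Java to run
+- name: Setup Java runtime
+uses: actions/setup-java@v4
+with:
+distribution: ${{ inputs.JAVA_DISTRIBUTION }}
+java-version: ${{ inputs.JAVA_VERSION }}
+
+- name: Run Sonatype CLI
+uses: sonatype/actions/run-iq-cli@v1
+with:
+iq-server-url: ${{ vars.NEXUS_IQ_SERVER }}
+username: ${{ vars.NEXUS_IQ_USERNAME }}
+password: ${{ secrets.NEXUS_IQ_PASSWORD }}
+application-id: ${{ inputs.APPLICATION_ID }}
+scan-targets: ${{ inputs.SCAN_TARGETS }}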
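Review bot: The `sonatype-cli` job neither checks out the repository nor downloads a build artifact before `Run Sonatype CLI`, yet `SCAN_TARGETS` defaults to `"."`, so unless `sonatype/actions/run-iq-cli` fetches the sources itself the scan runs against an empty runner workspace and either fails or reports on code it never saw — a silent pass there is worse than no scan. Add a checkout as the first step, e.g. `- name: Checkout repository` / `uses: actions/checkout@<commit-sha>  # <tag>`, or have the caller upload the built tree (including the lockfile and installed dependencies) as an artifact and download it here, since the `build-nodejs` job in the caller runs on a separate runner and its output is not visible to this job. The three actions in this job (`sonatype/actions/setup-iq-cli@v1`, `actions/setup-java@v4`, `sonatype/actions/run-iq-cli@v1`) are pinned to floating tags while the caller workflow added in this commit pins `lfit/gerrit-review-action` and `node-build-action` to commit SHAs; the one that receives `NEXUS_IQ_PASSWORD` should get the same treatment. The header comment could also list the variables the job reads, `NEXUS_IQ_SERVER` and `NEXUS_IQ_USERNAME`, so a caller that has not defined them learns that before the run fails.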
