fix: pom.xml to reduce vulnerabilities #646
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| on: | |
| push: | |
| branches: | |
| - "**" | |
| defaults: | |
| run: | |
| # NOTE: A bit stricter than the default bash options used by GitHub Actions | |
| # (bash --noprofile --norc -e -o pipefail {0}) | |
| shell: bash --noprofile --norc -euo pipefail {0} | |
| # NOTE: Set concurrency for the current workflow to 1 | |
| concurrency: ci-${{ github.ref }}-${{ github.workflow }} | |
| jobs: | |
| build-and-release: | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: write | |
| packages: write | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 | |
| with: | |
| distribution: "zulu" | |
| java-version: "11.0.22" | |
| java-package: "jdk" | |
| - uses: capralifecycle/actions-lib/check-runtime-dependencies@7887a32ad872a79a8e00817659a30876f0a8f1be # v1.5.5 | |
| - name: cache mvn | |
| uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 | |
| with: | |
| path: ~/.m2/repository | |
| key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-maven- | |
| - name: release preparation | |
| id: prep | |
| run: | | |
| git config --global user.name "github-actions[bot]" | |
| git config --global user.email "github-actions[bot]@users.noreply.github.com" | |
| major_version="$(sed -n "s/^.*<major-version>\([0-9]\{1,\}\)<\/major-version>.*$/\1/p" pom.xml)" | |
| echo "$major_version" | grep -q "^[0-9]\{1,\}$" || { | |
| echo "ERROR: Failed to extract <major-version> from pom.xml" | |
| exit 1 | |
| } | |
| echo "major-version=$major_version" >> "$GITHUB_OUTPUT" | |
| - uses: capralifecycle/actions-lib/generate-tag@7887a32ad872a79a8e00817659a30876f0a8f1be # v1.5.5 | |
| id: tag | |
| with: | |
| tag-prefix: "${{ steps.prep.outputs.major-version }}" | |
| tag-type: "punctuated-timestamp-tag" | |
| - name: resolve dependencies | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: mvn -B dependency:resolve | |
| - name: conditional release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| CONDITIONAL_RELEASE: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} | |
| TAG: "${{ steps.tag.outputs.tag }}" | |
| run: | | |
| if [ "$CONDITIONAL_RELEASE" = "true" ]; then | |
| echo "Releasing library with tag '$TAG'" | |
| mvn -B source:jar deploy scm:tag -Drevision="$TAG" -Dtag="$TAG" \ | |
| org.apache.maven.plugins:maven-enforcer-plugin:3.0.0-M3:enforce -Drules=requireReleaseDeps | |
| else | |
| mvn -B -U verify | |
| fi |