build: add vulnerability scan to PR build #707
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: PR Build Check | |
on: | |
pull_request: | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
editorconfig-checker: | |
name: Check editorconfig | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: editorconfig-checker/action-editorconfig-checker@main | |
- run: editorconfig-checker | |
commitlint: | |
name: Lint commits for semantic-release | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: actions/setup-node@v4 | |
with: | |
node-version: "20" | |
- run: npx commitlint --from=${{ github.event.pull_request.base.sha }} --to=${{ github.sha }} --verbose | |
security: | |
name: Security validation | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: gradle/actions/wrapper-validation@v3 | |
osv-scanner: | |
runs-on: ubuntu-latest | |
continue-on-error: true | |
permissions: | |
security-events: write | |
strategy: | |
fail-fast: false | |
matrix: | |
project: | |
- core | |
- isthmus | |
- isthmus-cli | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: stable | |
- name: Install OSV-Scanner | |
run: go install github.com/google/osv-scanner/cmd/osv-scanner@v1 | |
- name: Generate SBOM | |
run: ./gradlew :${{ matrix.project }}:cyclonedxBom | |
- name: Scan | |
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1" | |
with: | |
scan-args: |- | |
--lockfile=${{ matrix.projecy }}/build/reports/bom.json | |
java: | |
name: Build and Test Java | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Set up JDK 17 | |
uses: actions/setup-java@v4 | |
with: | |
java-version: '17' | |
distribution: 'temurin' | |
- name: Setup Gradle | |
uses: gradle/actions/setup-gradle@v3 | |
- name: Build with Gradle | |
run: gradle build --rerun-tasks | |
isthmus-native-image-mac-linux: | |
name: Build Isthmus Native Image | |
needs: java | |
runs-on: ${{ matrix.os }} | |
strategy: | |
matrix: | |
os: [ubuntu-latest, macOS-latest] | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- uses: graalvm/setup-graalvm@v1 | |
with: | |
java-version: '17' | |
distribution: 'graalvm' | |
# helps avoid rate-limiting issues | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Setup Gradle | |
uses: gradle/actions/setup-gradle@v3 | |
- name: Report Java Version | |
run: java -version | |
- name: Install GraalVM native image | |
run: gu install native-image | |
- name: Build with Gradle | |
run: gradle nativeImage | |
- name: Smoke Test | |
run: | | |
./isthmus-cli/src/test/script/smoke.sh | |
./isthmus-cli/src/test/script/tpch_smoke.sh | |
- name: Rename the artifact to OS-unique name | |
shell: bash | |
run: | | |
value=`mv isthmus-cli/build/graal/isthmus isthmus-cli/build/graal/isthmus-${{ matrix.os }}` | |
- name: Publish artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: isthmus-${{ matrix.os }} | |
path: isthmus-cli/build/graal/isthmus-${{ matrix.os }} | |
dry-run-release: | |
name: Dry-run release | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: actions/setup-node@v4 | |
with: | |
node-version: "20" | |
- name: Check current status before next release | |
run: ./ci/release/dry_run.sh |