build: add vulnerability scan to PR build #711
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR Build Check | ||
| on: | ||
| pull_request: | ||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true | ||
| jobs: | ||
| editorconfig-checker: | ||
| name: Check editorconfig | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| - uses: editorconfig-checker/action-editorconfig-checker@main | ||
| - run: editorconfig-checker | ||
| commitlint: | ||
| name: Lint commits for semantic-release | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: "20" | ||
| - run: npx commitlint --from=${{ github.event.pull_request.base.sha }} --to=${{ github.sha }} --verbose | ||
| security: | ||
| name: Security validation | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: gradle/actions/wrapper-validation@v3 | ||
| scan: | ||
| uses: ./.github/workflows/vulnerability-scan.yml | ||
|
Check failure on line 38 in .github/workflows/pr.yml
|
||
| java: | ||
| name: Build and Test Java | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| submodules: recursive | ||
| - name: Set up JDK 17 | ||
| uses: actions/setup-java@v4 | ||
| with: | ||
| java-version: '17' | ||
| distribution: 'temurin' | ||
| - name: Setup Gradle | ||
| uses: gradle/actions/setup-gradle@v3 | ||
| - name: Build with Gradle | ||
| run: gradle build --rerun-tasks | ||
| isthmus-native-image-mac-linux: | ||
| name: Build Isthmus Native Image | ||
| needs: java | ||
| runs-on: ${{ matrix.os }} | ||
| strategy: | ||
| matrix: | ||
| os: [ubuntu-latest, macOS-latest] | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| submodules: recursive | ||
| - uses: graalvm/setup-graalvm@v1 | ||
| with: | ||
| java-version: '17' | ||
| distribution: 'graalvm' | ||
| # helps avoid rate-limiting issues | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Setup Gradle | ||
| uses: gradle/actions/setup-gradle@v3 | ||
| - name: Report Java Version | ||
| run: java -version | ||
| - name: Install GraalVM native image | ||
| run: gu install native-image | ||
| - name: Build with Gradle | ||
| run: gradle nativeImage | ||
| - name: Smoke Test | ||
| run: | | ||
| ./isthmus-cli/src/test/script/smoke.sh | ||
| ./isthmus-cli/src/test/script/tpch_smoke.sh | ||
| - name: Rename the artifact to OS-unique name | ||
| shell: bash | ||
| run: | | ||
| value=`mv isthmus-cli/build/graal/isthmus isthmus-cli/build/graal/isthmus-${{ matrix.os }}` | ||
| - name: Publish artifact | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: isthmus-${{ matrix.os }} | ||
| path: isthmus-cli/build/graal/isthmus-${{ matrix.os }} | ||
| dry-run-release: | ||
| name: Dry-run release | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: "20" | ||
| - name: Check current status before next release | ||
| run: ./ci/release/dry_run.sh | ||
