Magic-Mirror/cryptomator
1
0
Fork 0
mirror of https://github.com/cryptomator/cryptomator.git synced 2024-11-23 12:09:45 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

update dependency check and refactor to own workflow

Browse Source
This commit is contained in:
Armin Schrenk 2023-12-11 22:58:42 +01:00
parent 48f273b755
commit e194f9b205
No known key found for this signature in database
GPG Key ID: 8F2992163CBBA7FC
3 changed files with 74 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
.github/workflows/dependency-check.yml vendored Normal file
View File

@ -0,0 +1,54 @@
name: OWASP Maven Dependency Check
on:
schedule:
- cron: '0 7 * * 0'
push:
branches:
- 'release/**'
workflow_dispatch:
jobs:
check-dependencies:
name: Check dependencies
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
show-progress: false
- name: Setup Java
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: 21
cache: 'maven'
- name: Run org.owasp:dependency-check plugin
id: dependency-check
continue-on-error: true
run: mvn -B verify -Pdependency-check -DskipTests
env:
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
- name: Upload report on failure
if: steps.dependency-check.outcome == 'failure'
uses: actions/upload-artifact@v3
with:
name: dependency-check-report
path: target/dependency-check-report.html
if-no-files-found: error
- name: Slack Notification on regular check
if: github.event_name == 'schedule' && steps.dependency-check.outcome == 'failure'
uses: rtCamp/action-slack-notify@v2
env:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_USERNAME: 'Cryptobot'
SLACK_ICON: false
SLACK_ICON_EMOJI: ':bot:'
SLACK_CHANNEL: 'cryptomator-desktop'
SLACK_TITLE: "Vulnerabilities in ${{ github.event.repository.name }} detected."
SLACK_MESSAGE: "Download the <https://github.com/${{ github.repository }}/actions/run/${{ github.run_id }}|report> for more details."
SLACK_FOOTER: false
MSG_MINIMAL: true
- name: Failing workflow on release branch
if: github.event_name == 'push' && steps.dependency-check.outcome == 'failure'
shell: bash
run: exit 1

20
.github/workflows/release-check.yml vendored
View File

@ -10,12 +10,22 @@ defaults:
run:
shell: bash
env:
JAVA_DIST: 'zulu'
JAVA_VERSION: 21
jobs:
release-check-precondition:
check-preconditions:
name: Validate commits pushed to release/hotfix branch to fulfill release requirements
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Java
uses: actions/setup-java@v3
with:
distribution: ${{ env.JAVA_DIST }}
java-version: ${{ env.JAVA_VERSION }}
cache: 'maven'
- id: validate-pom-version
name: Validate POM version
run: |
@ -37,4 +47,10 @@ jobs:
if ! grep -q "<release date=\".*\" version=\"${{ steps.validate-pom-version.outputs.semVerStr }}\"/>" dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml; then
echo "Release not set in dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml"
exit 1
fi
fi
- name: Run org.owasp:dependency-check plugin
id: dependency-check
continue-on-error: true
run: mvn -B verify -Pdependency-check -DskipTests
env:
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}

4
pom.xml
View File

@ -63,7 +63,7 @@
<!-- build-time dependencies -->
<jetbrains.annotations.version>24.1.0</jetbrains.annotations.version>
<dependency-check.version>9.0.1</dependency-check.version>
<dependency-check.version>9.0.4</dependency-check.version>
<jacoco.version>0.8.11</jacoco.version>
<license-generator.version>2.3.0</license-generator.version>
<junit-tree-reporter.version>1.2.1</junit-tree-reporter.version>
@ -460,11 +460,11 @@
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<configuration>
<cveValidForHours>24</cveValidForHours>
<failBuildOnCVSS>0</failBuildOnCVSS>
<skipTestScope>true</skipTestScope>
<detail>true</detail>
<suppressionFile>suppression.xml</suppressionFile>
<nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
</configuration>
<executions>
<execution>