Skip to content

feat: run in nightly veracode #4900

feat: run in nightly veracode

feat: run in nightly veracode #4900

Workflow file for this run

name: Alfresco Connector for Hyland Experience Insight CI
on:
pull_request:
branches:
- feature/**
- fix/**
- master
- release/**
push:
branches:
- feature/**
- fix/**
- master
- release/**
schedule:
- cron: "0 0 * * *" # Runs every night at midnight
env:
# Both variables are required to be set before the release process starts .
# As the release is triggered by a commit message with "[release]" keyword on a release branch,
# setting these variables to new values can be done in the same commit and will indicate the release and the dev versions in it.
DEVELOPMENT_VERSION: "1.0.2-SNAPSHOT" # The version that will be set in pom files after the release (next dev version)
RELEASE_VERSION: "1.0.1" # The version of the release (tag).
GITHUB_ACTIONS_DEPLOY_TIMEOUT: 60
MAVEN_CLI_OPTS: "-B -e -fae -V -DinstallAtEnd=true -DfailIfNoTests=false -U -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn -Pdistribution "
MAVEN_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
MAVEN_USERNAME: ${{ secrets.NEXUS_USERNAME }}
JAVA_VERSION: "17"
JAVA_VERSION_SUPPORTED_BY_REPO: "11"
S3_BUCKET_REGION: "eu-west-1"
jobs:
pre_commit:
runs-on: ubuntu-latest
if: github.job == 'pre_commit'
outputs:
java_version: ${{ env.JAVA_VERSION }}
java_version_supported_by_repo: ${{ env.JAVA_VERSION_SUPPORTED_BY_REPO }}
steps:
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: actions/checkout@v4
with:
fetch-depth: 0
- id: changed-files
uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
with:
write-list-to-env: true
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
veracode_sca:
name: "Veracode - Source Clear Scan (SCA)"
runs-on: ubuntu-latest
needs:
- pre_commit
if: >
(github.ref_name == 'master' || startsWith(github.ref_name, 'release/') || github.event_name == 'schedule' || github.actor == 'dependabot[bot]') &&
!contains(github.event.head_commit.message, '[skip build]')
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
continue-on-error: true
with:
srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }}
veracode_sast:
name: "Pipeline SAST Scan"
runs-on: ubuntu-latest
needs:
- pre_commit
if: >
(github.ref_name == 'master' || startsWith(github.ref_name, 'release/') || github.event_name == 'schedule') &&
github.actor != 'dependabot[bot]' &&
!contains(github.event.head_commit.message, '[skip build]')
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
with:
token: ${{ secrets.BOT_GITHUB_TOKEN }}
repository: "Alfresco/veracode-baseline-archive"
file-path: "hxinsight-connector/hxinsight-connector-baseline.json"
target: "baseline.json"
- name: "Build application"
run: mvn ${{ env.MAVEN_CLI_OPTS }} clean install -DskipTests
- name: "Run SAST Scan"
uses: veracode/[email protected]
with:
vid: ${{ secrets.VERACODE_API_ID }}
vkey: ${{ secrets.VERACODE_API_KEY }}
file: "distribution/target/alfresco-hxinsight-connector-distribution-*.zip"
fail_build: false
project_name: hxinsight-connector
issue_details: true
veracode_policy_name: Alfresco Default
summary_output: true
summary_output_file: results.json
summary_display: true
baseline_file: baseline.json
- name: "Clean Maven cache"
run: bash ./scripts/ci/cleanup_cache.sh
pmd_scan:
name: "PMD Scan"
runs-on: ubuntu-latest
if: >
github.event_name == 'pull_request' &&
!contains(github.event.head_commit.message, '[skip pmd]') &&
!contains(github.event.head_commit.message, '[skip tests]')
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/[email protected]
test_application:
name: "Build and test application"
runs-on: ubuntu-latest
needs:
- pre_commit
if: >
(github.event_name == 'push' || github.actor == 'dependabot[bot]') &&
!contains(github.event.head_commit.message, '[skip tests]') &&
!contains(github.event.head_commit.message, '[skip build]')
strategy:
fail-fast: false
matrix:
subproject: [ "bulk-ingester", "common", "common-authentication", "common-test",
"live-ingester", "prediction-applier", "hxinsight-extension" ]
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- name: "Login to Quay.io"
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- name: "Test application"
run: mvn ${{ env.MAVEN_CLI_OPTS }} clean verify -pl '${{ matrix.subproject }}' -am
test_distribution:
name: "Build application with distribution profile"
runs-on: ubuntu-latest
needs:
- pre_commit
if: >
(github.event_name == 'push' || github.actor == 'dependabot[bot]') &&
!contains(github.event.head_commit.message, '[skip tests]') &&
!contains(github.event.head_commit.message, '[skip build]')
strategy:
fail-fast: false
matrix:
repoVersion: [ 7.3.2, 7.4.2, 23.3.0 ]
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- name: "Login to Quay.io"
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- name: "Build application with distribution profile"
run: mvn ${{ env.MAVEN_CLI_OPTS }} clean install -DskipTests -Dalfresco-platform.version=${{ matrix.repoVersion }}
run_e2e_test:
name: "Run e2e tests using ACS ${{ matrix.repoVersion }}"
runs-on: ubuntu-latest
needs:
- pre_commit
if: >
(github.event_name == 'push' || github.actor == 'dependabot[bot]') &&
!contains(github.event.head_commit.message, '[skip build]') &&
!contains(github.event.head_commit.message, '[skip tests]') &&
!contains(github.event.head_commit.message, '[skip e2es]')
strategy:
fail-fast: false
matrix:
repoVersion: [ 7.3.2, 7.4.2, 23.3.0 ]
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- name: "Login to Quay.io"
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- name: "Build application"
run: mvn ${{ env.MAVEN_CLI_OPTS }} clean install -DskipTests -Dalfresco-platform.version=${{ matrix.repoVersion }}
- name: "Build docker images"
run: bash ./scripts/ci/buildDockerImages.sh
- name: "Run e2e tests"
run: mvn ${{ env.MAVEN_CLI_OPTS }} verify -pl 'hxinsight-extension,e2e-test' -am -DskipUnitTests -DskipIntegrationTests -Dalfresco-platform.version=${{ matrix.repoVersion }}
run_e2e_test_using_older_java:
name: "Run e2e tests using ACS ${{ matrix.repoVersion }} on Java ${{ needs.pre_commit.outputs.java_version_supported_by_repo }}"
runs-on: ubuntu-latest
needs:
- pre_commit
if: >
needs.pre_commit.outputs.java_version_supported_by_repo != needs.pre_commit.outputs.java_version &&
github.event_name != 'pull_request' &&
(github.ref_name == 'master' || startsWith(github.ref_name, 'release/')) &&
!contains(github.event.head_commit.message, '[skip build]') &&
!contains(github.event.head_commit.message, '[skip tests]') &&
!contains(github.event.head_commit.message, '[skip e2es]')
strategy:
fail-fast: false
matrix:
repoVersion: [ 7.3.2, 7.4.2 ]
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- name: "Login to Quay.io"
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- name: "Build application"
run: mvn ${{ env.MAVEN_CLI_OPTS }} clean install -DskipTests -Dalfresco-platform.version=${{ matrix.repoVersion }} -Dalfresco-platform.java.version=${{ env.JAVA_VERSION_SUPPORTED_BY_REPO }}
- name: "Build docker images"
run: JAVA_VERSION=${{ env.JAVA_VERSION_SUPPORTED_BY_REPO }} && bash ./scripts/ci/buildDockerImages.sh
- name: "Run e2e tests"
run: mvn ${{ env.MAVEN_CLI_OPTS }} verify -pl 'hxinsight-extension,e2e-test' -am -DskipUnitTests -DskipIntegrationTests -Dalfresco-platform.version=${{ matrix.repoVersion }} -Dalfresco-platform.java.version=${{ env.JAVA_VERSION_SUPPORTED_BY_REPO }}
nightly_tests:
name: "Run nightly tests"
runs-on: ubuntu-latest
if: github.event_name == 'schedule' && github.ref_name == 'master'
steps:
- name: "Checkout repository"
uses: actions/checkout@v4
- name: "Set up JDK"
uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- name: "Build application"
run: mvn clean install -DskipTests -pl live-ingester
- name: "Run OpenApi Specification tests"
run: mvn test -Dtest=OpenApiRequestValidationTest -pl live-ingester
- name: "Notify on failure"
if: failure()
uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
with:
webhook-url: ${{ secrets.MS_TEAMS_WEBHOOK_URL }}
message: "Nightly tests failed"
push_docker_images:
name: "Push docker images"
runs-on: ubuntu-latest
needs:
- test_application
- test_distribution
- run_e2e_test
if: >
github.event_name == 'push' &&
(github.ref_name == 'master' || startsWith(github.ref_name, 'release/')) &&
!(failure() || cancelled()) &&
!contains(github.event.head_commit.message, '[skip build]')
steps:
- uses: actions/checkout@v4
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
- name: "Login to Quay.io"
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- name: "Build application"
run: mvn ${{ env.MAVEN_CLI_OPTS }} clean install -DskipTests -Dalfresco-platform.java.version=${{ env.JAVA_VERSION_SUPPORTED_BY_REPO }}
- name: "Push docker images"
run: bash ./scripts/ci/buildDockerImages.sh -p
env:
COMMIT_MESSAGE: ${{ github.sha }}
- name: "Clean Maven cache"
run: bash ./scripts/ci/cleanup_cache.sh
publish_snapshot_artifacts:
name: "Publish SNAPSHOT artifacts"
runs-on: ubuntu-latest
needs:
- test_application
- test_distribution
- run_e2e_test
if: >
!(failure() || cancelled()) &&
(github.ref_name == 'master' || startsWith(github.ref_name, 'release/')) &&
github.event_name != 'pull_request' &&
!contains(github.event.head_commit.message, '[skip build]')
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- name: "Publish SNAPSHOT artifacts"
timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
run: mvn ${{ env.MAVEN_CLI_OPTS }} deploy -DskipTests -Dalfresco-platform.java.version=${{ env.JAVA_VERSION_SUPPORTED_BY_REPO }}
- name: "Clean Maven cache"
run: bash ./scripts/ci/cleanup_cache.sh
release_and_deploy_to_nexus_and_s3:
name: "Make release and deploy to Nexus and S3 Staging Bucket"
runs-on: ubuntu-latest
needs:
- test_application
- test_distribution
- run_e2e_test
if: >
!(failure() || cancelled()) &&
(github.ref_name == 'master' || startsWith(github.ref_name, 'release/')) &&
github.event_name != 'pull_request' &&
contains(github.event.head_commit.message, '[release]')
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
with:
username: ${{ secrets.BOT_GITHUB_USERNAME }}
email: ${{ secrets.BOT_GITHUB_EMAIL }}
- name: "Build application"
run: mvn ${{ env.MAVEN_CLI_OPTS }} clean install -DskipTests -Dproject.revision.key=${{ github.sha }} -Dalfresco-platform.java.version=${{ env.JAVA_VERSION_SUPPORTED_BY_REPO }}
- name: "Make release and deploy to Nexus"
timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
run: mvn ${{ env.MAVEN_CLI_OPTS }} -DreleaseVersion="${{ env.RELEASE_VERSION }}" -DdevelopmentVersion="${{ env.DEVELOPMENT_VERSION }}" -Dtag="${{ env.RELEASE_VERSION }}" -Dusername="${{ secrets.BOT_GITHUB_USERNAME }}" -Dpassword="${{ secrets.BOT_GITHUB_TOKEN }}" -DscmCommentPrefix="[maven-release-plugin][skip ci]" -DskipTests -Dproject.revision.key=${{ github.sha }} "-Darguments=-DskipTests -Dadditionalparam=-Xdoclint:none -Dproject.revision.key=${{ github.sha }} -Dalfresco-platform.java.version=${{ env.JAVA_VERSION_SUPPORTED_BY_REPO }}" release:prepare release:perform
- run: mkdir -p deploy_dir/community/hxinsight-connector/${{ env.RELEASE_VERSION }}
- name: "Move the final artifacts to a single folder (deploy_dir) to be copied to S3"
run: mv "distribution/target/alfresco-hxinsight-connector-distribution-${{ env.RELEASE_VERSION }}.zip" "deploy_dir/community/hxinsight-connector/${{ env.RELEASE_VERSION }}/"
- name: "Clone Alfresco/third-party-license-overrides"
run: git clone --depth=1 https://github.com/Alfresco/third-party-license-overrides.git
- uses: actions/setup-python@v5
- name: "Create third party license csv file and add it to the deploy directory"
run: python3 ./third-party-license-overrides/thirdPartyLicenseCSVCreator.py --project "${{ github.workspace }}" --version "${{ env.RELEASE_VERSION }}" --combined --output "deploy_dir/community/hxinsight-connector/${{ env.RELEASE_VERSION }}"
- name: "Configure AWS credentials"
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_S3_STAGING_ACCESS_KEY }}
aws-secret-access-key: ${{ secrets.AWS_S3_STAGING_SECRET_KEY }}
aws-region: ${{ env.S3_BUCKET_REGION }}
- name: "Deploy to S3 Staging Bucket"
run: aws s3 cp --recursive --acl private ./deploy_dir s3://alfresco-artefacts-staging
- name: "Clean Maven cache"
run: bash ./scripts/ci/cleanup_cache.sh
deploy_release_version_to_quay:
name: "Deploy release version to quay.io"
runs-on: ubuntu-latest
needs:
- test_application
- test_distribution
- run_e2e_test
if: >
!(failure() || cancelled()) &&
(github.ref_name == 'master' || startsWith(github.ref_name, 'release/')) &&
github.event_name != 'pull_request' &&
contains(github.event.head_commit.message, '[release]')
steps:
- uses: actions/checkout@v4
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
- name: "Login to Quay.io"
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- name: "Build application"
run: mvn ${{ env.MAVEN_CLI_OPTS }} clean install -DskipTests -Dproject.revision.key=${{ github.sha }} -Dalfresco-platform.java.version=${{ env.JAVA_VERSION_SUPPORTED_BY_REPO }}
- name: "Deploy release version to quay.io"
run: bash ./scripts/ci/releaseDockerImage.sh -v ${{ env.RELEASE_VERSION }}
env:
COMMIT_MESSAGE: ${{ github.sha }}
- name: "Clean Maven cache"
run: bash ./scripts/ci/cleanup_cache.sh
deploy_release:
name: "Copy to S3 Downloads Bucket"
runs-on: ubuntu-latest
needs:
- deploy_release_version_to_quay
- release_and_deploy_to_nexus_and_s3
- publish_snapshot_artifacts
- push_docker_images
if: >
!(failure() || cancelled()) &&
(github.ref_name == 'master' || startsWith(github.ref_name, 'release/')) &&
github.event_name != 'pull_request' &&
contains(github.event.head_commit.message, '[release]')
steps:
- uses: actions/checkout@v4
- name: "Configure AWS credentials"
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_S3_RELEASE_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_S3_RELEASE_SECRET_ACCESS_KEY }}
aws-region: ${{ env.S3_BUCKET_REGION }}
- run: set -x
- name: "Check release version and copy to S3 Downloads Bucket"
run: |
if [[ ${{ env.RELEASE_VERSION }} =~ ^[0-9]+\.[0-9]+\.[0-9]+(\.[0-9]+)?$ ]]; then
aws s3 cp --recursive --acl private --copy-props none "s3://alfresco-artefacts-staging/community/hxinsight-connector/${{ env.RELEASE_VERSION }}/" "s3://eu.dl.alfresco.com/release/community/hxinsight-connector/${{ env.RELEASE_VERSION }}/"
fi