From 4a1cf80b887ee702f189b98507bbb393c65dfea6 Mon Sep 17 00:00:00 2001
From: EddeCCC
Date: Tue, 3 Dec 2024 08:41:43 +0100
Subject: [PATCH] refactor config-server workflow

---
 .github/workflows/agent_security_check.yml | 1 -
 .../configurationserver-security_check.yml | 49 -----------
 .../configurationserver_security_check.yml | 86 +++++++++++++++++++
 .../workflows/configurationserver_test.yml | 36 +-------
 .github/workflows/release.yml | 22 -----
 5 files changed, 89 insertions(+), 105 deletions(-)
 delete mode 100644 .github/workflows/configurationserver-security_check.yml
 create mode 100644 .github/workflows/configurationserver_security_check.yml

diff --git a/.github/workflows/agent_security_check.yml b/.github/workflows/agent_security_check.yml
index 8f43e8ac3c..310be59fbc 100644
--- a/.github/workflows/agent_security_check.yml
+++ b/.github/workflows/agent_security_check.yml
@@ -15,7 +15,6 @@ jobs:
  run: chmod +x gradlew
  - name: build
  run: ./gradlew :inspectit-ocelot-agent:assemble
- # the action has not been updated a while, but it always uses the latest plugin version
  - name: Run DependencyCheck plugin
  uses: dependency-check/Dependency-Check_Action@main
  id: depcheck
diff --git a/.github/workflows/configurationserver-security_check.yml b/.github/workflows/configurationserver-security_check.yml
deleted file mode 100644
index 815f43efd0..0000000000
--- a/.github/workflows/configurationserver-security_check.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-name: Automatic Security Check Configuration-Server
-
-on:
- schedule:
- - cron: "0 8 1,15 * *" # At 08:00 on day-of-month 1 and 15
-
-jobs:
- security-check:
- name: Security Check Configuration-Server
- runs-on: ubuntu-latest
- container: openjdk:17-jdk-slim
- steps:
- - uses: actions/checkout@v3
- - name: Grant execute permission for gradlew
- run: chmod +x gradlew
- - name: build
- run: ./gradlew :inspectit-ocelot-configurationserver:bootJarWithFrontend
- # the action has not been updated a while, but it always uses the latest plugin version
- - name: Run DependencyCheck plugin
- uses: dependency-check/Dependency-Check_Action@main
- id: depcheck
- continue-on-error: true
- with:
- project: inspectIT/inspectit-ocelot-configuration-server
- path: 'components/inspectit-ocelot-configurationserver'
- format: 'HTML'
- args: >
- --disableAssembly
- --disableNodeAudit
- --nvdApiKey ${{ secrets.NVD_API_KEY }}
- --nvdApiDelay 10000
- - name: Upload test results
- uses: actions/upload-artifact@v4
- with:
- name: dependency-check-report-ocelot-agent
- path: ${{ github.workspace }}/reports
- - name: Send Notification
- uses: slackapi/slack-github-action@v2.0.0
- with:
- webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
- webhook-type: incoming-webhook
- payload: |
- text: "*Ocelot-Configuration-Server Dependency-Check Report*: ${{ steps.depcheck.outcome }}\nPlease check the report here: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
- # if DependencyCheck failed, the job should also fail, but only after the results were uploaded
- - name: Validate DependencyCheck outcome
- if: ${{ steps.depcheck.outcome == 'failure' }}
- run: |
- echo "DependencyCheck failed"
- exit 1
diff --git a/.github/workflows/configurationserver_security_check.yml b/.github/workflows/configurationserver_security_check.yml
new file mode 100644
index 0000000000..3875c88139
--- /dev/null
+++ b/.github/workflows/configurationserver_security_check.yml
@@ -0,0 +1,86 @@
+name: Automatic Security Check Configuration-Server
+
+on:
+ schedule:
+ - cron: "0 8 1,15 * *" # At 08:00 on day-of-month 1 and 15
+
+jobs:
+ security-check:
+ name: Security Check Configuration-Server
+ runs-on: ubuntu-latest
+ container: eclipse-temurin:17
+ steps:
+ - uses: actions/checkout@v3
+ - name: Grant execute permission for gradlew
+ run: chmod +x gradlew
+ - name: build Configuration-Server
+ run: ./gradlew :inspectit-ocelot-configurationserver:bootJarWithFrontend
+ - name: Run DependencyCheck Backend
+ uses: dependency-check/Dependency-Check_Action@main
+ id: depcheck
+ continue-on-error: true
+ with:
+ project: inspectIT/inspectit-ocelot-configuration-server
+ path: 'components/inspectit-ocelot-configurationserver'
+ format: 'HTML'
+ out: 'reports/configuration-server'
+ args: >
+ --disableAssembly
+ --disableNodeAudit
+ --nvdApiKey ${{ secrets.NVD_API_KEY }}
+ --nvdApiDelay 10000
+ - name: Run DependencyCheck UI
+ uses: dependency-check/Dependency-Check_Action@main
+ id: depcheck-ui
+ continue-on-error: true
+ with:
+ project: inspectIT/inspectit-ocelot-configuration-server-ui
+ path: 'components/inspectit-ocelot-configurationserver-ui'
+ format: 'HTML'
+ out: 'reports/configuration-server-ui'
+ args: >
+ --disableAssembly
+ --disableNodeAudit
+ --nvdApiKey ${{ secrets.NVD_API_KEY }}
+ --nvdApiDelay 10000
+ - name: build ConfigDocsGenerator
+ run: ./gradlew :inspectit-ocelot-configdocsgenerator:assemble
+ - name: Run DependencyCheck ConfigDocsGenerator
+ uses: dependency-check/Dependency-Check_Action@main
+ id: depcheck-docs
+ continue-on-error: true
+ with:
+ project: inspectIT/inspectit-ocelot-configdocsgenerator
+ path: 'components/inspectit-ocelot-configdocsgenerator'
+ format: 'HTML'
+ out: 'reports/configdocsgenerator'
+ args: >
+ --disableAssembly
+ --disableNodeAudit
+ --nvdApiKey ${{ secrets.NVD_API_KEY }}
+ --nvdApiDelay 10000
+ - name: Upload test results
+ uses: actions/upload-artifact@v4
+ with:
+ name: dependency-check-report-ocelot-configurationserver
+ path: ${{ github.workspace }}/reports
+ - name: Set DependencyCheck status
+ run: |
+ if [ ${{ steps.depcheck.outcome == 'failure' || steps.depcheck-ui.outcome == 'failure' || steps.depcheck-docs.outcome == 'failure' }} == "true" ]; then
+ echo "DEP_CHECK_STATUS=failure" >> $GITHUB_ENV
+ else
+ echo "DEP_CHECK_STATUS=success" >> $GITHUB_ENV
+ fi
+ - name: Send Notification
+ uses: slackapi/slack-github-action@v2.0.0
+ with:
+ webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+ webhook-type: incoming-webhook
+ payload: |
+ text: "*Ocelot-Configuration-Server Dependency-Check Report*: ${{ env.DEP_CHECK_STATUS }}\nPlease check the report here: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+ # if DependencyCheck failed, the job should also fail, but only after the results were uploaded
+ - name: Validate DependencyCheck outcome
+ if: ${{ env.DEP_CHECK_STATUS == 'failure' }}
+ run: |
+ echo "DependencyCheck failed"
+ exit 1
diff --git a/.github/workflows/configurationserver_test.yml b/.github/workflows/configurationserver_test.yml
index 05bab03e5a..e5074432ae 100644
--- a/.github/workflows/configurationserver_test.yml
+++ b/.github/workflows/configurationserver_test.yml
@@ -41,9 +41,9 @@ jobs:
  - uses: actions/checkout@v3
  - name: Grant execute permission for gradlew
  run: chmod +x gradlew
- - name: build Configuration-server
+ - name: build Configuration-Server
  run: ./gradlew :inspectit-ocelot-configurationserver:bootJarWithFrontend
- - name: Run DependencyCheck plugin
+ - name: Run DependencyCheck
  uses: dependency-check/Dependency-Check_Action@main
  id: depcheck
  continue-on-error: true
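Review bot: The three `uses: dependency-check/Dependency-Check_Action@main` steps in the new workflow pin a third-party action to a mutable branch while `secrets.NVD_API_KEY` and `secrets.SLACK_WEBHOOK_URL` are in scope, so whatever is pushed to that branch runs with those secrets on the next scheduled run; pin each to a full commit SHA, `uses: dependency-check/Dependency-Check_Action@<commit-sha>  # main`, and let dependency tooling track updates. The workflow also declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope although none of its steps need to write; add `permissions:` with `contents: read` at the top level. The same `@main` reference is kept as context in the configurationserver_test.yml hunk below.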
@@ -57,36 +57,6 @@ jobs:
  --disableNodeAudit
  --nvdApiKey ${{ secrets.NVD_API_KEY }}
  --nvdApiDelay 10000
- - name: Run DependencyCheck plugin
- uses: dependency-check/Dependency-Check_Action@main
- id: depcheck-ui
- continue-on-error: true
- with:
- project: inspectIT/inspectit-ocelot-configuration-server-ui
- path: 'components/inspectit-ocelot-configurationserver-ui'
- format: 'HTML'
- out: 'reports/configuration-server-ui'
- args: >
- --disableAssembly
- --disableNodeAudit
- --nvdApiKey ${{ secrets.NVD_API_KEY }}
- --nvdApiDelay 10000
- - name: build Configdocsgenerator
- run: ./gradlew :inspectit-ocelot-configdocsgenerator:assemble
- - name: Run DependencyCheck plugin
- uses: dependency-check/Dependency-Check_Action@main
- id: depcheck-docs
- continue-on-error: true
- with:
- project: inspectIT/inspectit-ocelot-configdocsgenerator
- path: 'components/inspectit-ocelot-configdocsgenerator'
- format: 'HTML'
- out: 'reports/configdocsgenerator'
- args: >
- --disableAssembly
- --disableNodeAudit
- --nvdApiKey ${{ secrets.NVD_API_KEY }}
- --nvdApiDelay 10000
  - name: Upload test results
  uses: actions/upload-artifact@v4
  with:
@@ -94,7 +64,7 @@ jobs:
  path: ${{ github.workspace }}/reports
  # if DependencyCheck failed, the job should also fail, but only after the results were uploaded
  - name: Validate DependencyCheck outcome
- if: ${{ steps.depcheck.outcome == 'failure' || steps.depcheck-ui.outcome == 'failure' || steps.depcheck-docs.outcome == 'failure' }}
+ if: ${{ steps.depcheck.outcome == 'failure' }}
  run: |
  echo "DependencyCheck failed"
  exit 1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 19932ff9b2..f314c4f32d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
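Review bot: After the second hunk the UI and ConfigDocsGenerator dependencies are no longer scanned by this workflow at all, only by the scheduled security workflow on the 1st and 15th; if this workflow runs on pushes or pull requests (its `on:` block is outside the hunk), a vulnerable dependency introduced under `components/inspectit-ocelot-configurationserver-ui` will not be flagged on the change that introduces it but up to two weeks later. If that narrower scope is intended, record it above the remaining `Run DependencyCheck` step, e.g. `# UI and ConfigDocsGenerator dependencies are scanned by configurationserver_security_check.yml`, so a later reader does not take the missing scans for an oversight.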
@@ -35,28 +35,6 @@ jobs:
  - name: Calculate checksums of release artifacts
  working-directory: ./artifacts
  run: for f in *; do sha256sum "$f" >> inspectit-ocelot-sha256-checksums.txt; done
- - name: Scan dependencies agent
- uses: dependency-check/Dependency-Check_Action@main
- with:
- project: inspectIT/inspectit-ocelot-agent
- path: 'inspectit-ocelot-agent'
- format: 'HTML'
- args: >
- --disableAssembly
- --disableNodeAudit
- --nvdApiKey ${{ secrets.NVD_API_KEY }}
- --nvdApiDelay 10000
- - name: Scan dependencies configuration-server
- uses: dependency-check/Dependency-Check_Action@main
- with:
- project: inspectIT/inspectit-ocelot-configuration-server
- path: 'components/inspectit-ocelot-configurationserver'
- format: 'HTML'
- args: >
- --disableAssembly
- --disableNodeAudit
- --nvdApiKey ${{ secrets.NVD_API_KEY }}
- --nvdApiDelay 10000
  - name: "Get previous tag"
  id: previoustag
  # this gets the tag of the previous release based on the tags in the repo