diff --git a/.github/project.yml b/.github/project.yml
index 5ed9f2c..6479a67 100644
--- a/.github/project.yml
+++ b/.github/project.yml
@@ -1,6 +1,25 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/cuioss/cuioss-organization/main/.github/actions/read-project-config/schema.json
 name: cui-java-module-template
-pages-reference: cui-java-module-template
-sonar-project-key: cuioss_cui-java-module-template
+description: Template for cuioss Java modules
+
 release:
 current-version: 1.0.0
 next-version: 1.1.0-SNAPSHOT
+ create-github-release: true
+
+maven-build:
+  java-versions: '["21","25"]'
+  java-version: '21'
+  enable-snapshot-deploy: true
+  maven-profiles-snapshot: 'release-snapshot,javadoc'
+  maven-profiles-release: 'release,javadoc'
+  npm-cache: false
+
+sonar:
+  project-key: cuioss_cui-java-module-template
+  enabled: true
+  skip-on-dependabot: true
+
+pages:
+  reference: cui-java-module-template
+  deploy-at-release: true
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..468834f
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,17 @@
+# Example: Copy this to your repo as .github/workflows/dependency-review.yml
+name: Dependency Review
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    uses: cuioss/cuioss-organization/.github/workflows/reusable-dependency-review.yml@9ce5ba83776bab80eeffb695f7374e334cf6bd9f # v0.2.0
+    permissions:
+      contents: read
+      pull-requests: write
+    secrets: inherit
diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml
deleted file mode 100644
index c412ea8..0000000
--- a/.github/workflows/maven-release.yml
+++ /dev/null
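Review bot: The `# yaml-language-server: $schema=` pragma on the first added line resolves the schema from the organization repo's `main` branch, while every workflow in this commit pins the reusable workflows to commit `9ce5ba83776bab80eeffb695f7374e334cf6bd9f` (v0.2.0), so editor validation will track whatever `main` currently says the config keys are rather than the schema the pinned v0.2.0 `read-project-config` action actually reads. This is editor-only and has no runtime effect, but it is the one place in the file where drift between the two can go unnoticed until a release job rejects a key. I would pin it the same way, `# yaml-language-server: $schema=https://raw.githubusercontent.com/cuioss/cuioss-organization/9ce5ba83776bab80eeffb695f7374e334cf6bd9f/.github/actions/read-project-config/schema.json`, and bump it together with the workflow refs. Whether v0.2.0 ships the schema at that path is not visible here; confirm before pinning.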
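Review bot: `secrets: inherit` on the `dependency-review` job forwards every repository secret (on the evidence of the deleted release workflow that includes `OSS_SONATYPE_USERNAME`, `OSS_SONATYPE_PASSWORD`, `GPG_PRIVATE_KEY`, `GPG_PASSPHRASE` and `PAGES_DEPLOY_TOKEN`) to a reusable workflow whose only job is to diff dependency manifests on a pull request. The SHA pin bounds the supply-chain risk but not the blast radius if the called workflow, or an action it wraps, is ever compromised or dumps its environment; least privilege is to drop `secrets: inherit` and rely on `GITHUB_TOKEN`, or pass by name the one secret the reusable workflow declares, e.g. `secrets:` with `token: ${{ secrets.GITHUB_TOKEN }}`. I cannot see the `workflow_call` contract of `reusable-dependency-review.yml` from this diff, so check its declared `secrets:` before removing the line. Note also that the job-level `permissions:` block replaces the workflow-level `contents: read` for this job, so the top-level block documents intent rather than adding any restriction.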
@@ -1,86 +0,0 @@
-name: Maven Release
-
-on:
-  pull_request:
-    types: [ closed ]
-    paths:
-      - '.github/project.yml'
-  workflow_dispatch:
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    name: release
-
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false # otherwise, the validation used is the PA_TOKEN, instead of your personal access token.
-          fetch-depth: 0 # otherwise, there would be errors pushing refs to the destination repository.
-
-      - uses: radcortez/project-metadata-action@203f7ffba8db2669b2c9b4d4c2e90b186c588fa5 # 1.1
-        name: Retrieve project metadata from '.github/project.yml'
-        id: metadata
-        with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          metadata-file-path: '.github/project.yml'
-          local-file: true
-
-      - name: Set up JDK 21
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        with:
-          java-version: '21'
-          distribution: 'temurin'
-          server-id: central
-          server-username: MAVEN_USERNAME
-          server-password: MAVEN_PASSWORD
-          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
-          gpg-passphrase: MAVEN_GPG_PASSPHRASE
-          cache: maven
-
-      - name: Configure Git author
-        run: |
-          git config --local user.email "action@github.com"
-          git config --local user.name "Cuioss Robot Action"
-
-      - name: Maven release ${{steps.metadata.outputs.current-version}}
-        run: |
-          git checkout -b release
-          ./mvnw -B --no-transfer-progress -Prelease release:clean release:prepare -DreleaseVersion=${{steps.metadata.outputs.current-version}} -DdevelopmentVersion=${{steps.metadata.outputs.next-version}}
-          ./mvnw -B --no-transfer-progress -Prelease,javadoc site:site site:stage
-          git checkout ${{vars.GITHUB_BASE_REF}}
-          git rebase release
-          ./mvnw -B --no-transfer-progress -Prelease release:perform -DskipTests
-        env:
-          MAVEN_USERNAME: ${{ secrets.OSS_SONATYPE_USERNAME }}
-          MAVEN_PASSWORD: ${{ secrets.OSS_SONATYPE_PASSWORD }}
-          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
-
-      - name: Deploy Maven Site to cuioss.github.io -> ${{steps.metadata.outputs.pages-reference}}🚀
-        uses: JamesIves/github-pages-deploy-action@6c2d9db40f9296374acc17b90404b6e8864128c8 # v4.7.3
-        with:
-          folder: target/site
-          repository-name: cuioss/cuioss.github.io
-          target-folder: ${{steps.metadata.outputs.pages-reference}}
-          branch: main
-          token: ${{ secrets.PAGES_DEPLOY_TOKEN }}
-
-      - name: Push changes to ${{github.ref_name}}
-        uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # v0.8.0
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          branch: ${{github.ref_name}}
-          force: true
-
-      - name: Push tag ${{steps.metadata.outputs.current-version}}
-        uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # v0.8.0
-        with:
-          branch: ${{github.ref_name}}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          tags: true
-          force: true
\ No newline at end of file
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 48bfb51..de106b2 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -1,109 +1,18 @@
-name: Master Build
+# Example: Copy this to your repo as .github/workflows/maven.yml
+# Configuration is read from .github/project.yml - no inputs needed!
+name: Maven Build
 on:
 push:
-    branches: [ "main", "feature/*" ]
+    branches: [main, "feature/*", "fix/*", "chore/*", "dependabot/**"]
 pull_request:
-    branches: [ "main" ]
+    branches: [main]
+  workflow_dispatch:
 jobs:
 build:
-
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        version: [ 21,24 ]
-
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Set up JDK ${{ matrix.version }}
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        with:
-          java-version: ${{ matrix.version }}
-          distribution: 'temurin'
-          cache: maven
-      - name: Build with Maven, Java ${{ matrix.version }}
-        run: ./mvnw --no-transfer-progress verify -Dmaven.compiler.release=${{ matrix.version }}
-
-  sonar-build:
-    needs: build
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-
-      - name: Set up JDK 21 for Sonar-build
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        with:
-          java-version: '21'
-          distribution: 'temurin'
-          cache: maven
-
-      - name: Cache SonarCloud packages
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
-        with:
-          path: ~/.sonar/cache
-          key: ${{ runner.os }}-sonar
-          restore-keys: ${{ runner.os }}-sonar
-
-      - uses: radcortez/project-metadata-action@203f7ffba8db2669b2c9b4d4c2e90b186c588fa5 # 1.1
-        name: Retrieve project metadata from '.github/project.yml'
-        id: metadata
- with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          metadata-file-path: '.github/project.yml'
-          local-file: true
-
-      - name: Build and analyze
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        run: ./mvnw -B --no-transfer-progress verify -Psonar -Dsonar.projectKey=${{steps.metadata.outputs.sonar-project-key}} sonar:sonar
-
-  deploy-snapshot:
-    needs: sonar-build
-    if: github.ref == 'refs/heads/main'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Set up JDK 17 for snapshot release
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        with:
-          java-version: '21'
-          distribution: 'temurin'
-          server-id: central
-          server-username: MAVEN_USERNAME
-          server-password: MAVEN_PASSWORD
-          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
-          gpg-passphrase: MAVEN_GPG_PASSPHRASE
-          cache: maven
-
-      - name: Extract project version
-        id: project
-        run: echo ::set-output name=version::$(./mvnw --no-transfer-progress help:evaluate -Dexpression=project.version -q -DforceStdout)
-
-      - name: Deploy Snapshot with Maven, version ${{ steps.project.outputs.version }}
-        if: ${{endsWith(steps.project.outputs.version, '-SNAPSHOT')}}
-        run: |
-          ./mvnw -B --no-transfer-progress -Prelease-snapshot,javadoc deploy -Dmaven.test.skip=true
-        env:
-          MAVEN_USERNAME: ${{ secrets.OSS_SONATYPE_USERNAME }}
-          MAVEN_PASSWORD: ${{ secrets.OSS_SONATYPE_PASSWORD }}
-          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
\ No newline at end of file
+    # Run on push events, OR on pull_request only if from a fork
+    # This prevents duplicate runs: push handles internal branches, PR handles forks
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
+    uses: cuioss/cuioss-organization/.github/workflows/reusable-maven-build.yml@9ce5ba83776bab80eeffb695f7374e334cf6bd9f # v0.2.0
+    secrets: inherit
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..c32f904
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,19 @@
+# Example: Copy this to your repo as .github/workflows/release.yml
+# Configuration is read from .github/project.yml - no inputs needed!
+name: Release
+
+on:
+  pull_request:
+    types: [closed]
+    paths:
+      - '.github/project.yml'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
+    uses: cuioss/cuioss-organization/.github/workflows/reusable-maven-release.yml@9ce5ba83776bab80eeffb695f7374e334cf6bd9f # v0.2.0
+    secrets: inherit
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 0000000..edfdd7d
--- /dev/null
+++ b/.github/workflows/scorecards.yml
@@ -0,0 +1,14 @@
+# Example: Copy this to your repo as .github/workflows/scorecards.yml
+name: Scorecard supply-chain security
+
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '20 7 * * 2'
+  push:
+    branches: [main]
+
+jobs:
+  analysis:
+    uses: cuioss/cuioss-organization/.github/workflows/reusable-scorecards.yml@9ce5ba83776bab80eeffb695f7374e334cf6bd9f # v0.2.0
+    secrets: inherit
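Review bot: The rewritten `maven.yml` has no `permissions:` block, unlike `dependency-review.yml` and `release.yml` added in the same commit, so the `GITHUB_TOKEN` passed to `reusable-maven-build.yml` carries whatever default scope the repository is configured with (still read/write on older repositories), and it goes out together with `secrets: inherit` on every push to `feature/*`, `fix/*`, `chore/*` and `dependabot/**`. A called workflow cannot elevate beyond its caller, so the caller is the right place to cap it: add a top-level `permissions:` block with `contents: read`, and if Sonar PR decoration or check publishing in the called workflow needs more, grant exactly those scopes on the `build` job. Which scopes v0.2.0 actually requires is not visible in this diff; take them from the reusable workflow's declared `permissions`. The fork-PR arm of the `if:` is not a secret-exposure path, since GitHub withholds repository secrets from `pull_request` runs originating in forks; the reduced token on Dependabot pushes is what `skip-on-dependabot` in project.yml presumably exists for.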
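Review bot: The `pull_request` trigger in `release.yml` has `types: [closed]` and a `paths` filter but no `branches: [main]`, and the job's `if:` only checks `merged == true`, so a pull request touching `.github/project.yml` merged into any branch (a `feature/*` or `fix/*` branch, say) starts a release with all inherited secrets; the `workflow_dispatch` arm likewise accepts any ref. Add `branches: [main]` under `pull_request:` and tighten the guard to `if: (github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main') || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main')`. Separately, the caller grants only `contents: read`, yet the deleted workflow pushed the release commit and tag with `GITHUB_TOKEN`, and a reusable workflow cannot elevate past its caller, so either v0.2.0 pushes with a PAT taken from the inherited secrets (worth naming in a comment here) or this job needs `permissions: contents: write`. Which of the two applies is not visible in this diff.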
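Review bot: The `analysis` job in `scorecards.yml` passes `secrets: inherit` but declares no `permissions:`, which is backwards for a Scorecard run: the standard `ossf/scorecard-action` job needs `security-events: write` for the SARIF upload and `id-token: write` for publishing results on top of `contents: read`, and those must come from the caller because a reusable workflow cannot elevate its token, while it has no use for the Sonatype, GPG or pages-deploy secrets that `inherit` forwards. I would drop `secrets: inherit` unless `reusable-scorecards.yml` declares a secret for the branch-protection checks, and declare the scopes explicitly on the job as below; the exact set should be taken from the reusable workflow at v0.2.0, which is not visible here.

```yaml
jobs:
  analysis:
    permissions:
      contents: read
      security-events: write
      id-token: write
    uses: cuioss/cuioss-organization/.github/workflows/reusable-scorecards.yml@9ce5ba83776bab80eeffb695f7374e334cf6bd9f # v0.2.0
```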