gh-actions-shared/.github/workflows/codeql-analysis.yml at main · killbill/gh-actions-shared · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
name: CodeQL

env:
  MAVEN_OPTS: "-Xmx2G -XX:+ExitOnOutOfMemoryError -Dmaven.wagon.httpconnectionManager.ttlSeconds=25 -Dmaven.wagon.http.retryHandler.count=3"

on:
  workflow_call:
    inputs:
      maven_args:
        description: The arguments to pass to all Maven commands when building the code
        required: false
        default: '-DskipTests=true -Dcheck.skip-dependency=true -Dcheck.skip-dependency-scope=true -Dcheck.skip-dependency-versions=true -Dcheck.skip-duplicate-finder=true -Dcheck.skip-enforcer=true -Dcheck.skip-rat=true -Dcheck.skip-spotbugs=true'
        type: string
      maven_version:
        description: The Maven version used for builds
        required: false
        default: '3.8.4'
        type: string
      os:
        description: The OS used
        required: false
        default: 'ubuntu-22.04'
        type: string
      jdk:
        description: The JDK used
        required: false
        default: '11'
        type: string
      jdk-distribution:
        description: The JDK distribution used
        required: false
        default: 'temurin'
        type: string
      timeout-minutes:
        description: 'timeout-minutes used by the builds (defaults to 360)'
        required: false
        default: 360
        type: number
      goal:
        description: The Maven goal(s) used
        required: false
        default: 'install'
        type: string
      failure-upload-path:
        description: A file, directory or wildcard pattern that describes what to upload on failure
        required: false
        type: string

jobs:
  analyze:
    runs-on: ${{ inputs.os }}
    timeout-minutes: ${{ inputs.timeout-minutes }}
    permissions:
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          java-version: ${{ inputs.jdk }}
          distribution: ${{ inputs.jdk-distribution }}
          cache: 'maven'
      - name: Configure Sonatype mirror
        uses: s4u/maven-settings-action@v3.1.0
        # Go to Sonatype directly to avoid delay syncs (could get rid of this if actions/setup-java were to support mirrors).
        with:
          mirrors: '[{"id": "oss-releases", "name": "Sonatype releases", "mirrorOf": "central", "url": "https://oss.sonatype.org/content/repositories/releases"}]'
          sonatypeSnapshots: true
          githubServer: false
          servers: '[{"id": "github","configuration": {"httpHeaders": {"property": {"name": "Authorization","value": "Bearer ${{ secrets.GITHUB_TOKEN }}"}}}}]'
      - name: Set up Maven
        run: mvn --errors --batch-mode --show-version wrapper:wrapper "-Dmaven=${{ inputs.maven_version }}"
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java
      - name: Build code
        run: |
          ./mvnw --errors --batch-mode --show-version ${{ inputs.maven_args }} ${{ inputs.goal }}
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3