chore(bootstrap): RAN-46 engineering bootstrap (security, runbooks, OpenSSF wiring) #280
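name: Java CI

on:
  push:
    branches: [main]
    # Only src/ and the POM re-run CI on push; pull_request below has no
    # paths filter, so PRs always build.
    paths: ['src/**', 'pom.xml']
  pull_request:
    branches: [main]

# Least-privilege GITHUB_TOKEN for the whole workflow: no step below pushes
# to the repository or writes checks/issues/PR comments, and SonarCloud
# authenticates with its own SONAR_TOKEN. Without this block the job runs
# with the repository's default token scopes, which may be read-write.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
        with:
          # Full clone; presumably needed by SonarCloud's new-code/blame
          # analysis below — confirm before reducing.
          fetch-depth: 0

      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v4.7.1
        with:
          distribution: 'temurin'
          java-version: '25'
          cache: 'maven'

      # Cache the OWASP Dependency-Check NVD data directory across runs so the
      # CVE gate does not need to re-download the full feed on every PR.
      # `key` is unique per run (forces a save on every run), `restore-keys`
      # falls back to the most recent prior cache so the H2 DB is incrementally
      # updated rather than rebuilt.
      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/.m2/repository/org/owasp/dependency-check-data
          key: dependency-check-${{ runner.os }}-${{ github.run_id }}
          restore-keys: |
            dependency-check-${{ runner.os }}-

      - name: Build + verify (jacoco 85% + SpotBugs + dependency-check)
        env:
          # When the NVD_API_KEY secret is unset, dependency-check falls back
          # to the unauthenticated NVD endpoint (rate-limited but functional
          # once the cache is warm). Provisioning the secret is tracked under
          # RAN-42.
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
        run: mvn -B -ntp clean verify

      # Surefire reports are uploaded even when verify fails, so test failures
      # can be inspected from the run page.
      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4.6.2
        if: always()
        with:
          name: test-results
          path: target/surefire-reports/

      # NOTE(review): this step is skipped when verify fails, i.e. exactly when
      # the jacoco 85% gate trips. Consider `if: always()` once it is confirmed
      # the POM generates the report before running the coverage check.
      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4.6.2
        with:
          name: coverage-report
          path: target/site/jacoco/

      - name: SonarCloud analysis
        # Secrets are not exposed to pull_request runs from forks, so only
        # analyse pushes and same-repo PRs.
        if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository)
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: >
          mvn sonar:sonar -B
          -Dsonar.projectKey=RandomCodeSpace_codeiq
          -Dsonar.organization=randomcodespace
          -Dsonar.host.url=https://sonarcloud.io
          "-Dsonar.exclusions=**/grammar/**,target/generated-sources/**"
          "-Dsonar.coverage.exclusions=**/grammar/**,target/generated-sources/**"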