Reusable CodeQL and Scorecards analysis

ppkarwasz · ppkarwasz · commit 3029bdca963e · 2023-10-11T21:27:07.000+02:00
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -15,14 +15,13 @@
 # limitations under the License.
 #
 
-name: "CodeQL"
+name: codeql-analysis
 
 on:
   push:
-    branches: [ 2.x ]
+    branches: [ "2.x", "main" ]
   pull_request:
-    # The branches below must be a subset of the branches provided in `on.push.branches`
-    branches: [ 2.x ]
+    branches: [ "2.x", "main" ]
   schedule:
     - cron: '32 12 * * 5'
 
@@ -31,51 +30,13 @@ permissions: read-all
 jobs:
 
   analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
+    uses: apache/logging-parent/.github/workflows/codeql-analysis-reusable.yaml@main
+    with:
+      java-version: |
+        11
+        8
+    # Permissions required to publish Security Alerts
     permissions:
       actions: read
       contents: read
       security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'java' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
-        # Learn more about CodeQL language support at https://git.io/codeql-language-support
-
-    steps:
-
-      - name: Checkout repository
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608   # 4.1.0
-
-      # Initializes the CodeQL tools for scanning.
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@2cb752a87e96af96708ab57187ab6372ee1973ab    # 2.22.0
-        with:
-          languages: ${{ matrix.language }}
-          # If you wish to specify custom queries, you can do so here or in a config file.
-          # By default, queries listed here will override any specified in a config file.
-          # Prefix the list here with "+" to use these queries and those in the config file.
-          # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
-      # JDK 11 is used for the build.
-      - name: Setup JDK
-        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0   # 3.13.0
-        with:
-          distribution: temurin
-          java-version: 11
-          cache: maven
-
-      - name: Build with Maven
-        timeout-minutes: 60
-        shell: bash
-        run: |
-          ./mvnw \
-          --show-version --batch-mode --errors --no-transfer-progress \
-          -DskipTests -P!java8-tests \
-          clean verify
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@2cb752a87e96af96708ab57187ab6372ee1973ab    # 2.22.0
diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
@@ -15,7 +15,7 @@
 # limitations under the License.
 #
 
-name: Scorecards
+name: scorecards-analysis
 
 on:
   branch_protection_rule:
@@ -29,43 +29,10 @@ permissions: read-all
 jobs:
 
   analysis:
-
-    name: "Scorecards analysis"
-    runs-on: ubuntu-latest
+    uses: apache/logging-parent/.github/workflows/scorecards-analysis-reusable.yaml@main
     permissions:
       # Needed to upload the results to the code-scanning dashboard.
       security-events: write
       actions: read
       id-token: write # This is required for requesting the JWT
       contents: read  # This is required for actions/checkout
-
-    steps:
-
-      - name: "Checkout code"
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608   # 4.1.0
-        with:
-          persist-credentials: false
-
-      - name: "Run analysis"
-        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031    # 2.2.0
-        with:
-          results_file: results.sarif
-          results_format: sarif
-          # A read-only PAT token, which is sufficient for the action to function.
-          # The relevant discussion: https://github.com/ossf/scorecard-action/issues/188
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          # Publish the results for public repositories to enable scorecard badges.
-          # For more details: https://github.com/ossf/scorecard-action#publishing-results
-          publish_results: true
-
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32    # 3.1.0
-        with:
-          name: SARIF file
-          path: results.sarif
-          retention-days: 5
-
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@2cb752a87e96af96708ab57187ab6372ee1973ab    # 2.1.22
-        with:
-          sarif_file: results.sarif
