maven-lockfile/.github/workflows/code-qualitiy.yml at ce73c616ddd8bac37f3b6ae7ca39a8048d7f9076 · chains-project/maven-lockfile · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
name: Maven test
on:
  workflow_dispatch:
  pull_request:

permissions:
  id-token: write
  contents: read
jobs:
  maven-quality:
    runs-on: ubuntu-latest

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            objects.githubusercontent.com:443
            oss.sonatype.org:443
            maven.artifacts.atlassian.com:443
            packages.atlassian.com:443
            release-assets.githubusercontent.com:443
            repo.maven.apache.org:443
            repo.spring.io:443
            tuf-repo-cdn.sigstore.dev:443
            fulcio.sigstore.dev:443
            rekor.sigstore.dev:443

      - name: Checkout repostiory
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Verify action checksums
        uses: chains-project/maven-lockfile/.github/actions/ghasum@05aeab3f62ea2a58fe670f64317d2f24546cc4ac # 5.8.1

      - name: Set up JDK 17
        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
        with:
          java-version: '17'
          distribution: 'temurin'

      - name: mvn clean verify
        run: mvn clean verify

      - name: Build with Maven
        run: mvn --batch-mode --update-snapshots clean package

      - name: Run doc check
        run: mvn org.apache.maven.plugins:maven-javadoc-plugin:3.5.0:jar

      - name: Run spotless check
        run: mvn spotless:check

      - name: Check maven pom quality
        run: mvn org.kordamp.maven:pomchecker-maven-plugin:1.9.0:check-maven-central -D"checker.release=false"

  reproducilbilty:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ${{ github.workspace }}/maven_plugin
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            fulcio.sigstore.dev:443
            github.com:443
            maven.artifacts.atlassian.com:443
            objects.githubusercontent.com:443
            oss.sonatype.org:443
            packages.atlassian.com:443
            rekor.sigstore.dev:443
            release-assets.githubusercontent.com:443
            repo.maven.apache.org:443
            repo.spring.io:443
            tuf-repo-cdn.sigstore.dev:443

      - name: Checkout repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Verify action checksums
        uses: chains-project/maven-lockfile/.github/actions/ghasum@05aeab3f62ea2a58fe670f64317d2f24546cc4ac # 5.8.1

      - name: Set up JDK 17
        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
        with:
          java-version: '17'
          distribution: 'temurin'

      - name: Build with Maven
        run: mvn --batch-mode --update-snapshots clean install

      - name: Run reproducibility check
        run: mvn clean install