architecture-as-code/.github/workflows/cve-scanning-maven.yml at main · finos/architecture-as-code · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
name: CVE Scanning for Maven Projects

permissions:
    contents: read

on:
    workflow_dispatch:
    schedule:
        - cron: '0 8,18 * * 1-5'
    push:
        paths:
            - '**/pom.xml'
            - '.github/workflows/maven-cve-ignore-list.xml'
            - '.github/workflows/cve-scanning-maven.yml'
    pull_request:
        paths:
            - '**/pom.xml'
            - '.github/workflows/maven-cve-ignore-list.xml'
            - '.github/workflows/cve-scanning-maven.yml'

jobs:
    depchecktest:
        runs-on: ubuntu-latest
        strategy:
            matrix:
                java-version: ['21']
                module-folder: ['calm-hub']
        steps:
            - name: Checkout
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

            - name: Setup JDK
              uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
              with:
                  java-version: ${{ matrix.java-version }}
                  cache: maven
                  distribution: 'adopt'

            - name: Build and run dependency check with Maven
              run: mvn -U clean verify -DskipTests -P dependency-check
              working-directory: ${{ matrix.module-folder }}
              env:
                  NVD_API_KEY: ${{ secrets.NVD_API_KEY }}

            - name: Upload Test results
              if: ${{ always() }}
              uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
              with:
                  name: Depcheck report ${{ github.job }} ${{ matrix.module-folder }}
                  path: ${{ github.workspace }}/${{ matrix.module-folder }}/target/dependency-check-report.*