Move dependency check to different pipeline

uhafner · uhafner · commit 12e8ecdd0cf8 · 2026-02-24T20:34:36.000+01:00
Let quality monitor combine the results of both quality pipelines.
diff --git a/.github/scripts/fetch-artifacts.sh b/.github/scripts/fetch-artifacts.sh
@@ -0,0 +1,96 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# This script expects the following environment variables:
+# REPO: owner/repo
+# HEAD_SHA: the commit SHA for which the producer workflows ran
+# TOKEN: a token with read access to Actions (GITHUB_TOKEN or a PAT)
+# OTHER_WORKFLOWS: comma-separated list of workflow filenames or workflow IDs
+# ARTIFACT_NAMES: comma-separated list of artifact names (in the same order as WORKFLOWS)
+# Optional:
+# RETRIES: number of polling attempts per workflow (default: 30)
+# SLEEP_SEC: seconds to wait between attempts (default: 10)
+
+IFS=',' read -r -a WORKFLOWS_ARR <<< "${OTHER_WORKFLOWS}"
+IFS=',' read -r -a ARTIFACTS_ARR <<< "${ARTIFACT_NAMES}"
+REPO="${REPO}"
+SHA="${HEAD_SHA}"
+TOKEN="${TOKEN}"
+API_BASE="https://api.github.com/repos/${REPO}"
+RETRIES=${RETRIES:-30}
+SLEEP_SEC=${SLEEP_SEC:-10}
+
+mkdir -p artifacts
+
+if [ ${#WORKFLOWS_ARR[@]} -ne ${#ARTIFACTS_ARR[@]} ]; then
+  echo "ERROR: OTHER_WORKFLOWS and ARTIFACT_NAMES must have the same number of items"
+  exit 1
+fi
+
+for idx in "${!WORKFLOWS_ARR[@]}"; do
+  wf_raw="${WORKFLOWS_ARR[$idx]}"
+  wf=$(echo "$wf_raw" | tr -d '[:space:]')
+  art_raw="${ARTIFACTS_ARR[$idx]}"
+  art=$(echo "$art_raw" | tr -d '[:space:]')
+
+  echo "-- Waiting for workflow '$wf' to succeed for sha $SHA (artifact: $art)"
+  attempt=0
+
+  while true; do
+    attempt=$((attempt+1))
+    echo "  attempt $attempt/$RETRIES"
+
+    # 1) Liste Runs für das Workflow (workflow id/name/file)
+    resp=$(curl -s -H "Authorization: Bearer ${TOKEN}" "${API_BASE}/actions/workflows/${wf}/runs?per_page=50")
+
+    # 2) Finde Run mit matching head_sha
+    run_id=$(echo "$resp" | jq -r --arg SHA "$SHA" '.workflow_runs[] | select(.head_sha==$SHA) | .id' | head -n1 || true)
+    run_status=$(echo "$resp" | jq -r --arg SHA "$SHA" '.workflow_runs[] | select(.head_sha==$SHA) | .status' | head -n1 || true)
+    run_conclusion=$(echo "$resp" | jq -r --arg SHA "$SHA" '.workflow_runs[] | select(.head_sha==$SHA) | .conclusion' | head -n1 || true)
+
+    if [ -n "${run_id}" ] && [ "${run_id}" != "null" ]; then
+      echo "  Found run ${run_id} status=${run_status} conclusion=${run_conclusion}"
+
+      if [ "${run_status}" = "completed" ]; then
+        if [ "${run_conclusion}" = "success" ]; then
+          echo "  Run succeeded — listing artifacts"
+          art_resp=$(curl -s -H "Authorization: Bearer ${TOKEN}" "${API_BASE}/actions/runs/${run_id}/artifacts")
+          art_id=$(echo "$art_resp" | jq -r --arg NAME "$art" '.artifacts[] | select(.name==$NAME) | .id' | head -n1 || true)
+
+          if [ -n "${art_id}" ] && [ "${art_id}" != "null" ]; then
+            echo "  Downloading artifact '$art' (id=${art_id})"
+            out_zip="artifacts/${art}.zip"
+            curl -L -s -H "Authorization: Bearer ${TOKEN}" "${API_BASE}/actions/artifacts/${art_id}/zip" -o "${out_zip}"
+            echo "  Unpacking to artifacts/${art}/"
+            mkdir -p "artifacts/${art}"
+            unzip -o "${out_zip}" -d "artifacts/${art}" >/dev/null
+            rm -f "${out_zip}"
+            echo "  Artifact $art downloaded and unpacked"
+            break
+          else
+            echo "  ERROR: Artifact '$art' not found in run ${run_id}"
+            exit 1
+          fi
+        else
+          echo "  ERROR: Run completed but conclusion='${run_conclusion}'"
+          exit 1
+        fi
+      else
+        echo "  Run exists but not completed yet (status=${run_status}), will retry"
+      fi
+    else
+      echo "  No run found for workflow '${wf}' and sha ${SHA} yet"
+    fi
+
+    if [ ${attempt} -ge ${RETRIES} ]; then
+      echo "ERROR: Timeout waiting for workflow '${wf}' to succeed for sha ${SHA}"
+      exit 1
+    fi
+
+    sleep ${SLEEP_SEC}
+  done
+
+done
+
+echo "All requested artifacts downloaded into ./artifacts/"
+exit 0
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
@@ -0,0 +1,48 @@
+name: 'Dependency Check'
+
+on:
+  push:
+      branches:
+      - main
+  pull_request_target:
+
+jobs:
+  build:
+    runs-on: [ubuntu-latest]
+    name: Create report
+
+    steps:
+      - name: Checkout project
+        uses: actions/checkout@v6
+      - name: Set up JDK
+        uses: actions/setup-java@v5
+        with:
+          distribution: 'temurin'
+          java-version: 25
+          check-latest: true
+          cache: 'maven'
+      - name: Set up Maven
+        uses: stCarolas/setup-maven@v5
+        with:
+          maven-version: 3.9.12
+      - name: Cache the NVD database
+        uses: actions/cache@v5
+        with:
+          path: ~/.m2/repository/org/owasp/dependency-check-data
+          key: dependency-check
+      - name: Build with Maven
+        env:
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+          OSS_INDEX_TOKEN: ${{ secrets.OSS_INDEX_TOKEN }}
+        run: |
+          mvn -V --color always -ntp verify -Pci -Powasp
+          if [ "${PIPESTATUS[0]}" != "0" ]; then
+             exit 1;
+          fi
+      - name: Upload Dependency Report
+        uses: actions/upload-artifact@v6
+        with:
+          name: dependency-report
+          path: |
+            **/target/dependency-check-report.json
+
diff --git a/.github/workflows/quality-monitor-build.yml b/.github/workflows/quality-monitor-build.yml
@@ -1,32 +1,30 @@
-name: 'Quality Monitor Build'
+name: 'Quality Monitor'
 
 on:
+  push:
+      branches:
+      - main
   pull_request:
 
 jobs:
   build:
     runs-on: [ubuntu-latest]
-    name: Create quality reports
+    name: Create reports
 
     steps:
-      - name: Checkout PR
+      - name: Checkout project
         uses: actions/checkout@v6
-      - name: Set up JDK 21
+      - name: Set up JDK
         uses: actions/setup-java@v5
         with:
           distribution: 'temurin'
-          java-version: 21
+          java-version: 25
           check-latest: true
           cache: 'maven'
       - name: Set up Maven
         uses: stCarolas/setup-maven@v5
         with:
-          maven-version: 3.9.11
-      - name: Cache the NVD database
-        uses: actions/cache@v5
-        with:
-          path: ~/.m2/repository/org/owasp/dependency-check-data
-          key: dependency-check
+          maven-version: 3.9.12
       - name: Check if quality monitor reports mutation coverage
         run: |
           FILE='.github/quality-monitor.json'
@@ -38,12 +36,10 @@ jobs:
           fi
       - name: Build with Maven
         env:
-          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
-          OSS_INDEX_TOKEN: ${{ secrets.OSS_INDEX_TOKEN }}
           PIT: ${{ env.PIT }}
           BROWSER: chrome-container
         run: |
-          mvn -V --color always -ntp clean verify $PIT -Pci -Powasp | tee maven.log
+          mvn -V --color always -ntp clean verify $PIT -Pci | tee maven.log
           if [ "${PIPESTATUS[0]}" != "0" ]; then
              exit 1;
           fi
diff --git a/.github/workflows/quality-monitor-comment-pr.yml b/.github/workflows/quality-monitor-comment-pr.yml
@@ -2,8 +2,8 @@ name: 'Quality Monitor Comment PR'
 
 on:
   workflow_run:
-    workflows: [ "Quality Monitor Build" ]
-    types: [ completed ]
+    workflows: ['Quality Monitor', 'Dependency Check']
+    types: [completed]
 
 permissions:
   actions: read
@@ -13,7 +13,7 @@ permissions:
 
 jobs:
   comment:
-    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request' }}
+    if: ${{ github.event.workflow_run.event == 'pull_request' }}
     runs-on: ubuntu-latest
     name: Comment on PR
 
@@ -22,18 +22,40 @@ jobs:
         id: pr
         run: |
           pr_number='${{ github.event.workflow_run.pull_requests[0].number }}'
-            echo "number=$pr_number" >> "$GITHUB_OUTPUT"
+          echo "number=$pr_number" >> "$GITHUB_OUTPUT"
           sha='${{ github.event.workflow_run.head_sha }}'
-            echo "sha=$sha" >> "$GITHUB_OUTPUT"
+          echo "sha=$sha" >> "$GITHUB_OUTPUT"
       - name: Checkout PR
         uses: actions/checkout@v6
         with:
           ref: ${{ steps.pr.outputs.sha }}
-      - name: Download PR Quality Reports from Quality Monitor Build workflow
-        uses: dawidd6/action-download-artifact@v14
-        with:
-          run_id: ${{ github.event.workflow_run.id }}
-          name: quality-reports
+      - name: Install jq and unzip
+        run: sudo apt-get update && sudo apt-get install -y jq unzip
+      - name: Prepare environment
+        env:
+          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+          REPO: ${{ github.repository }}
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "HEAD_SHA=$HEAD_SHA"
+          echo "REPO=$REPO"
+      - name: Fetch reports from dependency check and quality monitor workflows
+        env:
+          REPO: ${{ github.repository }}
+          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OTHER_WORKFLOWS: "quality-monitor-build.yml,dependency-check.yml"
+          ARTIFACT_NAMES: "quality-reports,dependency-report"
+          RETRIES: 30
+          SLEEP_SEC: 10
+        run: |
+          chmod +x ./.github/scripts/fetch-artifacts.sh
+          ./.github/scripts/fetch-artifacts.sh
+      - name: List downloaded reports
+        run: |
+          mkdir -p reports/target
+          mv artifacts/*/target/* reports/target
+          ls -la reports/target/* || true
       - name: Read Quality Monitor Configuration
         id: quality-monitor
         run: echo "json=$(jq -c . .github/quality-monitor-pr.json)" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/quality-monitor-comment.yml b/.github/workflows/quality-monitor-comment.yml
@@ -2,8 +2,8 @@ name: 'Quality Monitor Comment'
 
 on:
   workflow_run:
-    workflows: [ "Quality Monitor Build" ]
-    types: [ completed ]
+    workflows: ['Quality Monitor', 'Dependency Check']
+    types: [completed]
 
 permissions:
   actions: read
@@ -13,18 +13,40 @@ permissions:
 
 jobs:
   comment:
-    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'push' && github.event.workflow_run.head_branch == 'main' }}
+    if: ${{ github.event.workflow_run.event == 'push' && github.event.workflow_run.head_branch == 'main' }}
     runs-on: ubuntu-latest
     name: Comment main branch
 
     steps:
       - name: Checkout main branch
         uses: actions/checkout@v6
-      - name: Download Quality Reports from Quality Monitor Build workflow
-        uses: dawidd6/action-download-artifact@v14
-        with:
-          run_id: ${{ github.event.workflow_run.id }}
-          name: quality-reports
+      - name: Install jq and unzip
+        run: sudo apt-get update && sudo apt-get install -y jq unzip
+      - name: Prepare environment
+        env:
+          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+          REPO: ${{ github.repository }}
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "HEAD_SHA=$HEAD_SHA"
+          echo "REPO=$REPO"
+      - name: Fetch reports from dependency check and quality monitor workflows
+        env:
+          REPO: ${{ github.repository }}
+          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OTHER_WORKFLOWS: "quality-monitor-build.yml,dependency-check.yml"
+          ARTIFACT_NAMES: "quality-reports,dependency-report"
+          RETRIES: 30
+          SLEEP_SEC: 10
+        run: |
+          chmod +x ./.github/scripts/fetch-artifacts.sh
+          ./.github/scripts/fetch-artifacts.sh
+      - name: List downloaded reports
+        run: |
+          mkdir -p reports/target
+          mv artifacts/*/target/* reports/target
+          ls -la reports/target/* || true
       - name: Read Quality Monitor Configuration
         id: quality-monitor
         run: echo "json=$(jq -c . .github/quality-monitor.json)" >> "$GITHUB_OUTPUT"
