add wiz scan on create PR to master and remove lacework(SWG-14342) #187
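name: Build Test PR 3.0

on:
  pull_request:
    branches: [ "3.0.0" ]

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes back to the
# repository. Artifact upload/download and the setup-java cache use the runner's
# own runtime token, so they keep working with read-only contents.
permissions:
  contents: read

jobs:
  build_pr_30:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        java: [ 11, 17 ]
    env:
      GENERATORS_VERSION_PROPERTY: ""
      # NOTE(review): job-level env makes these secrets visible to every step,
      # including the third-party actions below. Nothing in this file reads
      # MAVEN_USERNAME / MAVEN_PASSWORD by name; if only the Maven build needs
      # them, scope them to that step instead — confirm against the POM/settings.
      MAVEN_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
      MAVEN_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
    # Consumed by scan-with-wiz as needs.build_pr_30.outputs.docker_tag.
    # The image itself cannot be shared through the Docker daemon (every job
    # starts on a fresh runner), so it is handed over as an artifact below.
    outputs:
      docker_tag: ${{ steps.docker_build.outputs.docker_tag }}
    steps:
      - uses: actions/checkout@v4
        name: git checkout 3.0.0
        # NOTE(review): on a pull_request event the default checkout is the PR
        # merge ref. Pinning ref to the 3.0.0 branch builds and scans the base
        # branch, not the PR's own changes — confirm this is intended before
        # using this workflow as a PR gate.
        with:
          ref: 3.0.0
      - name: Set up Java
        uses: actions/setup-java@v4
        with:
          java-version: ${{ matrix.java }}
          distribution: temurin
          cache: maven
          overwrite-settings: false
      - name: Add Central-Portal snapshot repo to settings.xml
        # NOTE(review): the action reference on the next line is garbled in this
        # rendering; restore the pinned `s4u/maven-settings-action@<VERSION>`
        # reference from the repository.
        uses: s4u/[email protected]
        with:
          repositories: '[{"id":"central-portal-snapshots","name":"Sonatype Central Portal snapshots","url":"https://central.sonatype.com/repository/maven-snapshots/","releases":{"enabled":false},"snapshots":{"enabled":true}}]'
          servers: '[{"id":"central","username":"${{ secrets.MAVEN_CENTRAL_USERNAME }}","password":"${{ secrets.MAVEN_CENTRAL_PASSWORD }}"}]'
      - name: preliminary checks
        env:
          # Secrets are passed through env rather than interpolated with ${{ }}
          # into the script text, so a secret containing shell metacharacters
          # cannot alter the command line.
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_SB_USERNAME }}
          DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_SB_PASSWORD }}
        run: |
          # Password over stdin, never on argv, where it would be visible to
          # `ps` and to any command tracing. The login presumably only primes
          # credentials for the base-image pull in the docker build step — confirm.
          printf '%s' "$DOCKERHUB_PASSWORD" | docker login --username "$DOCKERHUB_USERNAME" --password-stdin
          # Explicit for readers; GitHub already runs `run:` scripts under bash -e.
          set -e
          # fail if templates/generators contain carriage return '\r'
          /bin/bash ./bin/utils/detect_carriage_return.sh
          # fail if generators contain merge conflicts
          /bin/bash ./bin/utils/detect_merge_conflict.sh
          # fail if generators contain tab '\t'
          /bin/bash ./bin/utils/detect_tab_in_java_class.sh
      - name: Build with Maven
        run: |
          # Resolve the POM version and the generators version declared in pom.xml.
          export MY_POM_VERSION=`mvn -Dswagger-codegen-generators-version=1.0.37 -q -Dexec.executable="echo" -Dexec.args='${projects.version}' --non-recursive org.codehaus.mojo:exec-maven-plugin:1.3.1:exec`
          echo "POM VERSION" ${MY_POM_VERSION}
          export GENERATORS_VERSION=`sed -n 's/<swagger\-codegen\-generators\-version>\([^\s]*\)<\/swagger\-codegen\-generators\-version>/\1/p' pom.xml`
          export GENERATORS_VERSION=`echo ${GENERATORS_VERSION} | tr -d '[:space:]'`
          echo "GENERATORS_VERSION" ${GENERATORS_VERSION}
          export GENERATORS_VERSION_PROPERTY=""
          # For a release POM that references a release generators version which
          # is not yet on Maven Central, fall back to the newest 1.x snapshot so
          # the build does not fail on an unresolvable dependency.
          if [[ ! $MY_POM_VERSION =~ ^.*SNAPSHOT$ ]];
          then
            if [[ ! $GENERATORS_VERSION =~ ^.*SNAPSHOT$ ]];
            then
              # check release version exists
              export GENERATORS_FOUND_JSON=`curl -s --max-time 60 --retry 15 --connect-timeout 20 https://search.maven.org/solrsearch/select?q=g:io.swagger.codegen.v3%20AND%20a:swagger-codegen-generators%20AND%20v:${GENERATORS_VERSION}%20AND%20p:jar`
              export GENERATORS_FOUND=`echo ${GENERATORS_FOUND_JSON} | jq '.response.numFound'`
              echo "GENERATORS_FOUND" ${GENERATORS_FOUND}
              if [[ $GENERATORS_FOUND == '0' ]];
              then
                echo "generators version not found"
                rm -f maven-metadata.xml
                SNAP_API="https://central.sonatype.com/repository/maven-snapshots"
                ARTIFACT_PATH="io/swagger/codegen/v3/swagger-codegen-generators"
                ROOT_META="${SNAP_API}/${ARTIFACT_PATH}/maven-metadata.xml"
                export LAST_SNAP=$(curl -s "$ROOT_META" | grep -oP '(?<=<version>)1\.[^<]+' | sort -V | tail -n1)
                echo "LAST_SNAP $LAST_SNAP"
                export GENERATORS_VERSION_PROPERTY=-Dswagger-codegen-generators-version=$LAST_SNAP
              fi
            fi
          fi
          echo "GENERATORS_VERSION_PROPERTY ${GENERATORS_VERSION_PROPERTY}"
          # Export to later steps (the docker build step reads it).
          echo "GENERATORS_VERSION_PROPERTY=${GENERATORS_VERSION_PROPERTY}" >> "$GITHUB_ENV"
          mvn clean verify -U -DJETTY_TEST_HTTP_PORT=8070 -DJETTY_TEST_STOP_PORT=8069 ${GENERATORS_VERSION_PROPERTY}
      - name: Copy local Maven repo to Docker build context
        run: |
          mkdir -p .docker-m2
          cp -r ~/.m2/repository .docker-m2/
      - name: Build Docker image using local Maven repo
        id: docker_build
        env:
          GENERATORS_VERSION_PROPERTY: ${{ env.GENERATORS_VERSION_PROPERTY }}
        run: |
          docker build \
            --build-arg GENERATORS_VERSION_PROPERTY="${GENERATORS_VERSION_PROPERTY}" \
            --build-arg MAVEN_OPTS="-Dmaven.repo.local=/root/.m2/repository" \
            -t swagger-codegen:latest .
          # Publish the tag as a step output; the job forwards it to scan-with-wiz.
          echo "docker_tag=swagger-codegen:latest" >> "$GITHUB_OUTPUT"
      - name: Save Docker image for the scan job
        run: docker save -o swagger-codegen-image.tar swagger-codegen:latest
      - name: Upload Docker image artifact
        uses: actions/upload-artifact@v4
        with:
          # One artifact per matrix leg: upload-artifact v4 rejects duplicate names.
          name: swagger-codegen-image-java${{ matrix.java }}
          path: swagger-codegen-image.tar
          retention-days: 1

  scan-with-wiz:
    name: Trigger Wiz Scanning
    runs-on: ubuntu-latest
    # `needs` already requires build_pr_30 to succeed; an extra `if: success()`
    # is the default and adds nothing.
    needs: [ build_pr_30 ]
    strategy:
      matrix:
        java: [ 11, 17 ]
    steps:
      - name: Download Docker image artifact
        uses: actions/download-artifact@v4
        with:
          name: swagger-codegen-image-java${{ matrix.java }}
      - name: Load Docker image
        # Makes the image built in build_pr_30 visible to this runner's daemon;
        # without it `wizcli docker scan --image` has nothing to scan.
        run: docker load -i swagger-codegen-image.tar
      - name: Install wiz-cli
        # A fresh runner has no ./wizcli; fetch it before the auth step.
        # NOTE(review): `latest` is an unpinned download. Pin a release and
        # verify the SHA256 published by Wiz (e.g. `echo "<WIZCLI_SHA256>  wizcli" | sha256sum -c`)
        # so a tampered binary cannot run with the Wiz client secret in env.
        run: |
          curl -fsSL -o wizcli https://downloads.wiz.io/wizcli/latest/wizcli-linux-amd64
          chmod +x wizcli
      - name: Authenticate to Wiz
        # Client credentials stay in env (masked in logs), not in the command text.
        run: ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
        env:
          WIZ_CLIENT_ID: ${{ secrets.WIZ_CLIENT_ID }}
          WIZ_CLIENT_SECRET: ${{ secrets.WIZ_CLIENT_SECRET }}
      - name: Run wiz-cli docker image scan
        run: |
          # Quoted so an empty or unexpected tag fails loudly instead of
          # silently dropping the --image argument.
          ./wizcli docker scan --image "$TAG" --policy "$POLICY"
          ./wizcli docker tag --image "$TAG"
        env:
          TAG: ${{ needs.build_pr_30.outputs.docker_tag }}
          POLICY: "SmartBear default vulnerabilities policy"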