add wiz scan on create PR to master and remove lacework(SWG-14342) #200
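---
# Build-and-scan workflow for pull requests targeting the 3.0.0 branch.
# Job 1 (build_pr_30) builds the project on a Java matrix and publishes the
# Maven output as an artifact; job 2 (scan_with_wiz) downloads that artifact
# and scans it with the Wiz CLI.
name: Build Test PR 3.0

on:
  pull_request:
    branches: ["3.0.0"]

# Least privilege for GITHUB_TOKEN: no step below writes to the repository,
# and artifact upload/download does not need additional scopes.
permissions:
  contents: read

jobs:
  build_pr_30:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        java: [11, 17]
    outputs:
      # NOTE(review): each matrix leg writes this output (last writer wins) and
      # nothing visible in this file consumes it.
      java-version: ${{ matrix.java }}
    env:
      GENERATORS_VERSION_PROPERTY: ""
      # NOTE(review): no step here reads these two variables directly; the
      # Maven credentials are injected through settings.xml below. Job-level env
      # is visible to every step, so drop them if the build does not need them.
      MAVEN_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
      MAVEN_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
    steps:
      # NOTE(review): this checks out the tip of the 3.0.0 base branch, not the
      # PR merge commit that a pull_request run provides by default, so the
      # build (and the scan tagged with github.sha below) may not reflect the
      # PR's own changes. Confirm this is intended.
      - name: git checkout 3.0.0
        uses: actions/checkout@v4
        with:
          ref: "3.0.0"

      - name: Set up Java
        uses: actions/setup-java@v4
        with:
          java-version: ${{ matrix.java }}
          distribution: temurin
          cache: maven
          overwrite-settings: false

      - name: Add Central-Portal snapshot repo to settings.xml
        # The action version was mangled by the page rendering; restore the
        # exact pinned version from the source file here.
        uses: s4u/maven-settings-action@<VERSION_FROM_SOURCE_FILE>
        with:
          repositories: '[{"id":"central-portal-snapshots","name":"Sonatype Central Portal snapshots","url":"https://central.sonatype.com/repository/maven-snapshots/","releases":{"enabled":false},"snapshots":{"enabled":true}}]'
          servers: '[{"id":"central","username":"${{ secrets.MAVEN_CENTRAL_USERNAME }}","password":"${{ secrets.MAVEN_CENTRAL_PASSWORD }}"}]'

      - name: preliminary checks
        # Registry credentials are passed through env and the password is read
        # on stdin, so it never appears on the shell command line or in the
        # process list. Secrets are empty for pull_request runs from forks, so
        # this login fails there.
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_SB_USERNAME }}
          DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_SB_PASSWORD }}
        run: |
          set -e
          printf '%s' "$DOCKERHUB_PASSWORD" | docker login --username "$DOCKERHUB_USERNAME" --password-stdin
          /bin/bash ./bin/utils/detect_carriage_return.sh
          /bin/bash ./bin/utils/detect_merge_conflict.sh
          /bin/bash ./bin/utils/detect_tab_in_java_class.sh

      - name: Build with Maven
        # Always true for the matrix above; only matters if Java 8 is added back.
        if: ${{ matrix.java != 8 }}
        run: |
          export MY_POM_VERSION=$(mvn -Dswagger-codegen-generators-version=1.0.37 \
            -q -Dexec.executable="echo" -Dexec.args='${projects.version}' \
            --non-recursive org.codehaus.mojo:exec-maven-plugin:1.3.1:exec)
          echo "POM VERSION ${MY_POM_VERSION}"
          export GENERATORS_VERSION=$(sed -n 's/<swagger\-codegen\-generators\-version>\([^<]*\)<\/swagger\-codegen\-generators\-version>/\1/p' pom.xml | tr -d '[:space:]')
          echo "GENERATORS_VERSION ${GENERATORS_VERSION}"
          export GENERATORS_VERSION_PROPERTY=""
          # For release builds only: if the pinned generators release is not on
          # Maven Central, fall back to the newest snapshot from the Central
          # Portal snapshot repository.
          if [[ ! $MY_POM_VERSION =~ SNAPSHOT ]] && [[ ! $GENERATORS_VERSION =~ SNAPSHOT ]]; then
            export FOUND=$(curl -s "https://search.maven.org/solrsearch/select?q=g:io.swagger.codegen.v3+AND+a:swagger-codegen-generators+AND+v:${GENERATORS_VERSION}+AND+p:jar" | jq '.response.numFound')
            if [[ "$FOUND" == "0" ]]; then
              echo "generators version not found"
              export LAST_SNAP=$(curl -s "https://central.sonatype.com/repository/maven-snapshots/io/swagger/codegen/v3/swagger-codegen-generators/maven-metadata.xml" | grep -oP '(?<=<version>)[^<]+(?=</version>)' | sort -V | tail -n1)
              export GENERATORS_VERSION_PROPERTY="-Dswagger-codegen-generators-version=$LAST_SNAP"
              echo "Using fallback snapshot: $LAST_SNAP"
            fi
          fi
          echo "GENERATORS_VERSION_PROPERTY=${GENERATORS_VERSION_PROPERTY}" >> $GITHUB_ENV
          # Deliberately unquoted: an empty property must expand to nothing.
          mvn clean verify -U \
            -DJETTY_TEST_HTTP_PORT=8070 \
            -DJETTY_TEST_STOP_PORT=8069 \
            ${GENERATORS_VERSION_PROPERTY}

      - name: Upload Maven output for scan
        uses: actions/upload-artifact@v4
        with:
          # upload-artifact v4 rejects a second upload under an existing name,
          # so each matrix leg must publish its own artifact.
          name: build-output-java-${{ matrix.java }}
          path: '**/target'
          if-no-files-found: ignore

  scan_with_wiz:
    name: Scan Maven build with Wiz
    runs-on: ubuntu-latest
    needs: build_pr_30
    steps:
      - name: Download build output
        uses: actions/download-artifact@v4
        with:
          # Collect every matrix leg's artifact into the one scan directory.
          pattern: build-output-java-*
          merge-multiple: true
          path: scan-target

      - name: Download Wiz CLI
        # -f makes curl fail on an HTTP error instead of saving the error page
        # as the binary. TODO(review): the CLI is fetched unpinned ("latest")
        # and its integrity is not verified before it is installed with sudo;
        # pin a version and compare against its published checksum.
        run: |
          curl -fsSLo wizcli https://downloads.wiz.io/wizcli/latest/wizcli-linux-amd64
          chmod +x wizcli
          sudo mv wizcli /usr/local/bin/wizcli

      - name: Authenticate to Wiz
        # NOTE(review): the client secret is passed as a CLI argument; if the
        # CLI can read these values from the environment, prefer that.
        run: wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
        env:
          WIZ_CLIENT_ID: ${{ secrets.WIZ_CLIENT_ID }}
          WIZ_CLIENT_SECRET: ${{ secrets.WIZ_CLIENT_SECRET }}

      - name: Scan directory with Wiz
        # Workflow context goes through env rather than being interpolated into
        # the script body. All scan output is discarded, so a failing scan
        # surfaces only as a non-zero exit status with no diagnostics in the
        # job log.
        env:
          POLICY: "SmartBear default vulnerabilities policy"
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          COMMIT_SHA: ${{ github.sha }}
        run: |
          wizcli dir scan \
            --path scan-target \
            --policy "$POLICY" \
            --quiet \
            --tag repo="$REPO" \
            --tag pr="$PR_NUMBER" \
            --tag commit="$COMMIT_SHA" > /dev/null 2>&1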