add wiz scan on create PR to 3.0.0 (SWG-14342)

ewaostrowska · ewaostrowska · commit 1602376bc695 · 2025-07-14T11:09:06.000+02:00
diff --git a/.github/workflows/maven-pr-3.0.yml b/.github/workflows/maven-pr-3.0.yml
@@ -6,93 +6,115 @@ on:
 
 jobs:
   build_pr_30:
-
     runs-on: ubuntu-latest
     strategy:
       matrix:
         java: [ 11, 17 ]
 
+    outputs:
+      java-version: ${{ matrix.java }}
+
     env:
       GENERATORS_VERSION_PROPERTY: ""
       MAVEN_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
       MAVEN_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
+
     steps:
       - uses: actions/checkout@v4
         name: git checkout 3.0.0
         with:
           ref: 3.0.0
+
       - name: Set up Java
         uses: actions/setup-java@v4
         with:
           java-version: ${{ matrix.java }}
           distribution: temurin
           cache: maven
           overwrite-settings: false
+
       - name: Add Central-Portal snapshot repo to settings.xml
         uses: s4u/maven-settings-action@v3.1.0
         with:
           repositories: '[{"id":"central-portal-snapshots","name":"Sonatype Central Portal snapshots","url":"https://central.sonatype.com/repository/maven-snapshots/","releases":{"enabled":false},"snapshots":{"enabled":true}}]'
           servers: '[{"id":"central","username":"${{ secrets.MAVEN_CENTRAL_USERNAME }}","password":"${{ secrets.MAVEN_CENTRAL_PASSWORD }}"}]'
+
       - name: preliminary checks
         run: |
           docker login --username=${{ secrets.DOCKERHUB_SB_USERNAME }} --password=${{ secrets.DOCKERHUB_SB_PASSWORD }}
           set -e
-          # fail if templates/generators contain carriage return '\r'
           /bin/bash ./bin/utils/detect_carriage_return.sh
-          # fail if generators contain merge conflicts
           /bin/bash ./bin/utils/detect_merge_conflict.sh
-          # fail if generators contain tab '\t'
           /bin/bash ./bin/utils/detect_tab_in_java_class.sh
+
       - name: Build with Maven
         if: ${{ matrix.java != 8 }}
         run: |
-          export MY_POM_VERSION=`mvn -Dswagger-codegen-generators-version=1.0.37 -q -Dexec.executable="echo" -Dexec.args='${projects.version}' --non-recursive org.codehaus.mojo:exec-maven-plugin:1.3.1:exec`
-          echo "POM VERSION" ${MY_POM_VERSION}
-          export GENERATORS_VERSION=`sed -n 's/<swagger\-codegen\-generators\-version>\([^\s]*\)<\/swagger\-codegen\-generators\-version>/\1/p' pom.xml`
-          export GENERATORS_VERSION=`echo ${GENERATORS_VERSION} | tr -d '[:space:]'`          
-          echo "GENERATORS_VERSION" ${GENERATORS_VERSION}
+          export MY_POM_VERSION=$(mvn -Dswagger-codegen-generators-version=1.0.37 \
+            -q -Dexec.executable="echo" -Dexec.args='${projects.version}' \
+            --non-recursive org.codehaus.mojo:exec-maven-plugin:1.3.1:exec)
+          echo "POM VERSION ${MY_POM_VERSION}"
+
+          export GENERATORS_VERSION=$(sed -n 's/<swagger\-codegen\-generators\-version>\([^<]*\)<\/swagger\-codegen\-generators\-version>/\1/p' pom.xml | tr -d '[:space:]')
+          echo "GENERATORS_VERSION ${GENERATORS_VERSION}"
+
           export GENERATORS_VERSION_PROPERTY=""
-          if [[ ! $MY_POM_VERSION =~ ^.*SNAPSHOT$ ]];
-          then
-            if [[ ! $GENERATORS_VERSION =~ ^.*SNAPSHOT$ ]];
-            then
-              # check release version exists
-              export GENERATORS_FOUND_JSON=`curl -s --max-time 60 --retry 15 --connect-timeout 20 https://search.maven.org/solrsearch/select?q=g:io.swagger.codegen.v3%20AND%20a:swagger-codegen-generators%20AND%20v:${GENERATORS_VERSION}%20AND%20p:jar`
-              export GENERATORS_FOUND=`echo ${GENERATORS_FOUND_JSON} | jq '.response.numFound'`
-              echo "GENERATORS_FOUND" ${GENERATORS_FOUND}
-              if [[ $GENERATORS_FOUND == '0' ]];
-              then
-                echo "generators version not found"
-                rm -f maven-metadata.xml
-                SNAP_API="https://central.sonatype.com/repository/maven-snapshots"
-                ARTIFACT_PATH="io/swagger/codegen/v3/swagger-codegen-generators"
-                ROOT_META="${SNAP_API}/${ARTIFACT_PATH}/maven-metadata.xml"
-                export LAST_SNAP=$(curl -s "$ROOT_META" | grep -oP '(?<=<version>)1\.[^<]+' | sort -V | tail -n1)
-                echo "LAST_SNAP $LAST_SNAP"
-                export GENERATORS_VERSION_PROPERTY=-Dswagger-codegen-generators-version=$LAST_SNAP
-              fi
+          if [[ ! $MY_POM_VERSION =~ SNAPSHOT ]] && [[ ! $GENERATORS_VERSION =~ SNAPSHOT ]]; then
+            export FOUND=$(curl -s "https://search.maven.org/solrsearch/select?q=g:io.swagger.codegen.v3+AND+a:swagger-codegen-generators+AND+v:${GENERATORS_VERSION}+AND+p:jar" | jq '.response.numFound')
+            if [[ "$FOUND" == "0" ]]; then
+              echo "generators version not found"
+              export LAST_SNAP=$(curl -s "https://central.sonatype.com/repository/maven-snapshots/io/swagger/codegen/v3/swagger-codegen-generators/maven-metadata.xml" | grep -oP '(?<=<version>)[^<]+(?=</version>)' | sort -V | tail -n1)
+              export GENERATORS_VERSION_PROPERTY="-Dswagger-codegen-generators-version=$LAST_SNAP"
+              echo "Using fallback snapshot: $LAST_SNAP"
             fi
           fi
-          echo "GENERATORS_VERSION_PROPERTY ${GENERATORS_VERSION_PROPERTY}"
+
           echo "GENERATORS_VERSION_PROPERTY=${GENERATORS_VERSION_PROPERTY}" >> $GITHUB_ENV
-          mvn clean verify -U -DJETTY_TEST_HTTP_PORT=8070 -DJETTY_TEST_STOP_PORT=8069 ${GENERATORS_VERSION_PROPERTY}
+
+          mvn clean verify -U \
+            -DJETTY_TEST_HTTP_PORT=8070 \
+            -DJETTY_TEST_STOP_PORT=8069 \
+            ${GENERATORS_VERSION_PROPERTY}
+
+      - name: Upload Maven output for scan
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-output
+          path: '**/target'
+          if-no-files-found: ignore
+
+  scan_with_wiz:
+    name: Scan Maven build with Wiz
+    runs-on: ubuntu-latest
+    needs: build_pr_30
+
+    steps:
+      - name: Download build output
+        uses: actions/download-artifact@v4
+        with:
+          name: build-output
+          path: scan-target
 
       - name: Download Wiz CLI
-        run: curl -o wizcli https://downloads.wiz.io/wizcli/latest/wizcli-linux-amd64 && chmod +x wizcli
+        run: |
+          curl -sSLo wizcli https://downloads.wiz.io/wizcli/latest/wizcli-linux-amd64
+          chmod +x wizcli
+          sudo mv wizcli /usr/local/bin/wizcli
 
       - name: Authenticate to Wiz
-        run: ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
+        run: wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
         env:
           WIZ_CLIENT_ID: ${{ secrets.WIZ_CLIENT_ID }}
           WIZ_CLIENT_SECRET: ${{ secrets.WIZ_CLIENT_SECRET }}
 
-      - name: Scan Maven build directory with Wiz
+      - name: Scan directory with Wiz
         run: |
-          ./wizcli dir scan \
-            --path . \
+          wizcli dir scan \
+            --path scan-target \
             --policy "$POLICY" \
+            --quiet \
             --tag repo="${{ github.repository }}" \
-            --tag commit="${{ github.sha }}" \
-            --tag java="${{ matrix.java }}" > /dev/null 2>&1
+            --tag pr="${{ github.event.pull_request.number }}" \
+            --tag commit="${{ github.sha }}" > /dev/null 2>&1
         env:
-          POLICY: "SmartBear default vulnerabilities policy"
+          POLICY: "SmartBear default vulnerabilities policy"
