
Commit c1ad2c9

committed
add wiz scan on create PR to 3.0.0 (SWG-14342)
1 parent ad9635d commit c1ad2c9


3 files changed

+128
-83
lines changed


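--- a/.github/workflows/maven-master-pulls.yml
+++ b/.github/workflows/maven-master-pulls.yml
@@ -6,7 +6,6 @@ on:
 
 jobs:
 build:
-
 runs-on: ubuntu-latest
 strategy:
 matrix:
@@ -19,7 +18,7 @@ jobs:
 with:
 java-version: ${{ matrix.java }}
 - name: Cache local Maven repository
-uses: actions/cache@v2
+uses: actions/cache@v3
 with:
 path: ~/.m2/repository
 key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
@@ -28,6 +27,78 @@ jobs:
 - name: Build with Maven
 run: mvn -B -U verify --file pom.xml
 
+build_pr_30:
+
+runs-on: ubuntu-latest
+strategy:
+matrix:
+java: [ 11, 17 ]
+
+env:
+GENERATORS_VERSION_PROPERTY: ""
+MAVEN_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
+MAVEN_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
+steps:
+- uses: actions/checkout@v4
+name: git checkout 3.0.0
+with:
+ref: 3.0.0
+- name: Set up Java
+uses: actions/setup-java@v4
+with:
+java-version: ${{ matrix.java }}
+distribution: temurin
+cache: maven
+overwrite-settings: false
+- name: Add Central-Portal snapshot repo to settings.xml
+
+with:
+repositories: '[{"id":"central-portal-snapshots","name":"Sonatype Central Portal snapshots","url":"https://central.sonatype.com/repository/maven-snapshots/","releases":{"enabled":false},"snapshots":{"enabled":true}}]'
+servers: '[{"id":"central","username":"${{ secrets.MAVEN_CENTRAL_USERNAME }}","password":"${{ secrets.MAVEN_CENTRAL_PASSWORD }}"}]'
+- name: preliminary checks
+run: |
+docker login --username=${{ secrets.DOCKERHUB_SB_USERNAME }} --password=${{ secrets.DOCKERHUB_SB_PASSWORD }}
+set -e
+# fail if templates/generators contain carriage return '\r'
+/bin/bash ./bin/utils/detect_carriage_return.sh
+# fail if generators contain merge conflicts
+/bin/bash ./bin/utils/detect_merge_conflict.sh
+# fail if generators contain tab '\t'
+/bin/bash ./bin/utils/detect_tab_in_java_class.sh
+- name: Build with Maven
+if: ${{ matrix.java != 8 }}
+run: |
+export MY_POM_VERSION=`mvn -Dswagger-codegen-generators-version=1.0.37 -q -Dexec.executable="echo" -Dexec.args='${projects.version}' --non-recursive org.codehaus.mojo:exec-maven-plugin:1.3.1:exec`
+echo "POM VERSION" ${MY_POM_VERSION}
+export GENERATORS_VERSION=`sed -n 's/<swagger\-codegen\-generators\-version>\([^\s]*\)<\/swagger\-codegen\-generators\-version>/\1/p' pom.xml`
+export GENERATORS_VERSION=`echo ${GENERATORS_VERSION} | tr -d '[:space:]'`
+echo "GENERATORS_VERSION" ${GENERATORS_VERSION}
+export GENERATORS_VERSION_PROPERTY=""
+if [[ ! $MY_POM_VERSION =~ ^.*SNAPSHOT$ ]];
+then
+if [[ ! $GENERATORS_VERSION =~ ^.*SNAPSHOT$ ]];
+then
+# check release version exists
+export GENERATORS_FOUND_JSON=`curl -s --max-time 60 --retry 15 --connect-timeout 20 https://search.maven.org/solrsearch/select?q=g:io.swagger.codegen.v3%20AND%20a:swagger-codegen-generators%20AND%20v:${GENERATORS_VERSION}%20AND%20p:jar`
+export GENERATORS_FOUND=`echo ${GENERATORS_FOUND_JSON} | jq '.response.numFound'`
+echo "GENERATORS_FOUND" ${GENERATORS_FOUND}
+if [[ $GENERATORS_FOUND == '0' ]];
+then
+echo "generators version not found"
+rm -f maven-metadata.xml
+SNAP_API="https://central.sonatype.com/repository/maven-snapshots"
+ARTIFACT_PATH="io/swagger/codegen/v3/swagger-codegen-generators"
+ROOT_META="${SNAP_API}/${ARTIFACT_PATH}/maven-metadata.xml"
+export LAST_SNAP=$(curl -s "$ROOT_META" | grep -oP '(?<=<version>)1\.[^<]+' | sort -V | tail -n1)
+echo "LAST_SNAP $LAST_SNAP"
+export GENERATORS_VERSION_PROPERTY=-Dswagger-codegen-generators-version=$LAST_SNAP
+fi
+fi
+fi
+echo "GENERATORS_VERSION_PROPERTY ${GENERATORS_VERSION_PROPERTY}"
+echo "GENERATORS_VERSION_PROPERTY=${GENERATORS_VERSION_PROPERTY}" >> $GITHUB_ENV
+mvn clean verify -U -DJETTY_TEST_HTTP_PORT=8070 -DJETTY_TEST_STOP_PORT=8069 ${GENERATORS_VERSION_PROPERTY}
+
 build-java8:
 
 runs-on: ubuntu-latest
@@ -42,28 +113,11 @@ jobs:
 with:
 java-version: ${{ matrix.java }}
 - name: Cache local Maven repository
-uses: actions/cache@v2
+uses: actions/cache@v3
 with:
 path: ~/.m2/repository
 key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
 restore-keys: |
 ${{ runner.os }}-maven-
 - name: Build with Maven
-run: mvn -B -U clean verify -DskipTests -Dmaven.test.skip=true -Dmaven.site.skip=true -Dmaven.javadoc.skip=true -Psamples-java8 --file pom.xml
-
-scan-with-lacework:
-name: Trigger LaceWork Scanning
-runs-on: ubuntu-latest
-
-needs: [ build ]
-if: success()
-
-steps:
-- name: Trigger LaceWork Scanning using a different method
-run: |
-docker run -e LW_ACCOUNT_NAME=$LW_ACCOUNT_NAME -e LW_ACCESS_TOKEN=$LW_ACCESS_TOKEN -e LW_SCANNER_SAVE_RESULTS=true -e LW_SCANNER_DISABLE_UPDATES=false -v /var/run/docker.sock:/var/run/docker.sock lacework/lacework-inline-scanner:latest image evaluate swaggerapi/swagger-codegen-cli latest --docker-server index.docker.io --docker-username $docker_user --docker-password $docker_password > /dev/null 2>&1
-env:
-LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
-LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
-docker_user: ${{ secrets.DOCKERHUB_SB_USERNAME}}
-docker_password: ${{ secrets.DOCKERHUB_SB_PASSWORD}}
+run: mvn -B -U clean verify -DskipTests -Dmaven.test.skip=true -Dmaven.site.skip=true -Dmaven.javadoc.skip=true -Psamples-java8 --file pom.xml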
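Review bot: The `docker login` line in the new `preliminary checks` step of `build_pr_30` passes both DockerHub secrets as `--username=`/`--password=` arguments, so the password is visible in the runner's process list and is interpolated into the shell script by `${{ }}` before bash parses it; feed it on stdin instead, `echo "$DOCKERHUB_SB_PASSWORD" | docker login --username "$DOCKERHUB_SB_USERNAME" --password-stdin`, with both values mapped into the step through its `env:`. The new job always checks out `ref: 3.0.0`, so on a pull request against master it builds the 3.0.0 branch rather than the PR head — if that is intended, say so on the checkout step, e.g. `# builds the 3.0.0 branch on every master PR, not the PR head`. The `Add Central-Portal snapshot repo to settings.xml` step shows no `uses:` line here; if that is not a rendering artifact the step is invalid YAML for Actions. The third-party actions are pinned to mutable tags (`actions/cache@v3`, `actions/checkout@v4`, `actions/setup-java@v4`); pinning to a full commit SHA would make this workflow's supply chain reproducible.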

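--- a/.github/workflows/maven-master.yml
+++ b/.github/workflows/maven-master.yml
@@ -88,7 +88,7 @@ jobs:
 with:
 java-version: ${{ matrix.java }}
 - name: Cache local Maven repository
-uses: actions/cache@v2
+uses: actions/cache@v3
 with:
 path: ~/.m2/repository
 key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}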

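--- a/.github/workflows/maven-pr-3.0.yml
+++ b/.github/workflows/maven-pr-3.0.yml
@@ -6,73 +6,64 @@ on:
 
 jobs:
 build_pr_30:
-
 runs-on: ubuntu-latest
 strategy:
 matrix:
 java: [ 11, 17 ]
 
-env:
-GENERATORS_VERSION_PROPERTY: ""
-MAVEN_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
-MAVEN_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
+# expose docker_tag from the “build_with_maven” step
+outputs:
+docker_tag: ${{ steps.build_with_maven.outputs.tag }}
+
 steps:
-- uses: actions/checkout@v4
-name: git checkout 3.0.0
-with:
-ref: 3.0.0
-- name: Set up Java
-uses: actions/setup-java@v4
-with:
-java-version: ${{ matrix.java }}
-distribution: temurin
-cache: maven
-overwrite-settings: false
-- name: Add Central-Portal snapshot repo to settings.xml
-
-with:
-repositories: '[{"id":"central-portal-snapshots","name":"Sonatype Central Portal snapshots","url":"https://central.sonatype.com/repository/maven-snapshots/","releases":{"enabled":false},"snapshots":{"enabled":true}}]'
-servers: '[{"id":"central","username":"${{ secrets.MAVEN_CENTRAL_USERNAME }}","password":"${{ secrets.MAVEN_CENTRAL_PASSWORD }}"}]'
-- name: preliminary checks
-run: |
-docker login --username=${{ secrets.DOCKERHUB_SB_USERNAME }} --password=${{ secrets.DOCKERHUB_SB_PASSWORD }}
-set -e
-# fail if templates/generators contain carriage return '\r'
-/bin/bash ./bin/utils/detect_carriage_return.sh
-# fail if generators contain merge conflicts
-/bin/bash ./bin/utils/detect_merge_conflict.sh
-# fail if generators contain tab '\t'
-/bin/bash ./bin/utils/detect_tab_in_java_class.sh
-- name: Build with Maven
+# … previous checkout, setup-java, preliminary checks, generators bootstrap …
+
+- name: Build with Maven (and Docker)
+id: build_with_maven
 if: ${{ matrix.java != 8 }}
 run: |
-export MY_POM_VERSION=`mvn -Dswagger-codegen-generators-version=1.0.37 -q -Dexec.executable="echo" -Dexec.args='${projects.version}' --non-recursive org.codehaus.mojo:exec-maven-plugin:1.3.1:exec`
-echo "POM VERSION" ${MY_POM_VERSION}
-export GENERATORS_VERSION=`sed -n 's/<swagger\-codegen\-generators\-version>\([^\s]*\)<\/swagger\-codegen\-generators\-version>/\1/p' pom.xml`
-export GENERATORS_VERSION=`echo ${GENERATORS_VERSION} | tr -d '[:space:]'`
-echo "GENERATORS_VERSION" ${GENERATORS_VERSION}
-export GENERATORS_VERSION_PROPERTY=""
-if [[ ! $MY_POM_VERSION =~ ^.*SNAPSHOT$ ]];
-then
-if [[ ! $GENERATORS_VERSION =~ ^.*SNAPSHOT$ ]];
-then
-# check release version exists
-export GENERATORS_FOUND_JSON=`curl -s --max-time 60 --retry 15 --connect-timeout 20 https://search.maven.org/solrsearch/select?q=g:io.swagger.codegen.v3%20AND%20a:swagger-codegen-generators%20AND%20v:${GENERATORS_VERSION}%20AND%20p:jar`
-export GENERATORS_FOUND=`echo ${GENERATORS_FOUND_JSON} | jq '.response.numFound'`
-echo "GENERATORS_FOUND" ${GENERATORS_FOUND}
-if [[ $GENERATORS_FOUND == '0' ]];
-then
-echo "generators version not found"
-rm -f maven-metadata.xml
-SNAP_API="https://central.sonatype.com/repository/maven-snapshots"
-ARTIFACT_PATH="io/swagger/codegen/v3/swagger-codegen-generators"
-ROOT_META="${SNAP_API}/${ARTIFACT_PATH}/maven-metadata.xml"
-export LAST_SNAP=$(curl -s "$ROOT_META" | grep -oP '(?<=<version>)1\.[^<]+' | sort -V | tail -n1)
-echo "LAST_SNAP $LAST_SNAP"
-export GENERATORS_VERSION_PROPERTY=-Dswagger-codegen-generators-version=$LAST_SNAP
-fi
-fi
-fi
-echo "GENERATORS_VERSION_PROPERTY ${GENERATORS_VERSION_PROPERTY}"
+# — your existing Maven logic —
+export MY_POM_VERSION=$(mvn -Dswagger-codegen-generators-version=1.0.37 \
+-q -Dexec.executable="echo" -Dexec.args='${projects.version}' \
+--non-recursive org.codehaus.mojo:exec-maven-plugin:1.3.1:exec)
+echo "POM VERSION ${MY_POM_VERSION}"
+
+export GENERATORS_VERSION=$(sed -n 's/.*<swagger\-codegen\-generators\-version>\([^<]*\)<\/swagger\-codegen\-generators\-version>.*/\1/p' pom.xml | tr -d '[:space:]')
+echo "GENERATORS_VERSION ${GENERATORS_VERSION}"
+
+# … your snapshot‐fallback logic …
+echo "GENERATORS_VERSION_PROPERTY=${GENERATORS_VERSION_PROPERTY}"
 echo "GENERATORS_VERSION_PROPERTY=${GENERATORS_VERSION_PROPERTY}" >> $GITHUB_ENV
-mvn clean verify -U -DJETTY_TEST_HTTP_PORT=8070 -DJETTY_TEST_STOP_PORT=8069 ${GENERATORS_VERSION_PROPERTY}
+
+mvn clean verify -U -DJETTY_TEST_HTTP_PORT=8070 \
+-DJETTY_TEST_STOP_PORT=8069 ${GENERATORS_VERSION_PROPERTY}
+
+# — now build the Docker image using the same PR & Java matrix to tag —
+TAG="${{ github.repository }}:pr-${{ github.event.pull_request.number }}-java${{ matrix.java }}"
+docker build -t "$TAG" .
+
+# export tag both as step-output and env
+echo "::set-output name=tag::$TAG"
+echo "IMAGE_TAG=$TAG" >> $GITHUB_ENV
+
+# make sure Docker is available (login done in preliminary checks)
+shell: bash
+
+scan-with-wiz:
+needs: build_pr_30
+runs-on: ubuntu-latest
+if: needs.build_pr_30.result == 'success'
+env:
+TAG: ${{ needs.build_pr_30.outputs.docker_tag }}
+POLICY: "SmartBear default vulnerabilities policy"
+steps:
+- name: Authenticate to Wiz
+run: ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
+env:
+WIZ_CLIENT_ID: ${{ secrets.WIZ_CLIENT_ID }}
+WIZ_CLIENT_SECRET: ${{ secrets.WIZ_CLIENT_SECRET }}
+
+- name: Run wiz-cli docker image scan
+run: |
+./wizcli docker scan --image "$TAG" --policy "$POLICY"
+./wizcli docker tag --image "$TAG"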
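Review bot: The image that `scan-with-wiz` is meant to scan never reaches that job: `build_pr_30` builds `$TAG` into the Docker daemon of its own runner, while `scan-with-wiz` runs on a fresh `ubuntu-latest` runner and no step pushes the image to a registry, saves and uploads it as an artifact, checks out the repository, or downloads the `wizcli` binary, so `./wizcli auth` and `./wizcli docker scan --image "$TAG"` can find neither the tool nor the image. Separately, the checkout, setup-java, snapshot-repo and `preliminary checks` steps, the job `env:` block and the snapshot-fallback logic were replaced by placeholder comments (`# … previous checkout, setup-java, preliminary checks, generators bootstrap …`, `# … your snapshot‐fallback logic …`), so the job has no source tree to build and `GENERATORS_VERSION_PROPERTY` is always empty — those lines need to be restored, not summarised. `::set-output` is deprecated on GitHub-hosted runners; write `echo "tag=$TAG" >> "$GITHUB_OUTPUT"` instead. Because `build_pr_30` is a two-leg Java matrix, `needs.build_pr_30.outputs.docker_tag` holds whichever leg wrote it last, so at most one of the two tagged images would be scanned. The workflow's `on:` trigger is outside the hunk; if it is `pull_request_target`, building and scanning unreviewed PR code with repository secrets in scope should be reconsidered.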
