add wiz scan on create PR to master (SWG-14342)

ewaostrowska · ewaostrowska · commit e12b258bba2a · 2025-07-14T10:06:53.000+02:00
diff --git a/.github/workflows/maven-pr-3.0.yml b/.github/workflows/maven-pr-3.0.yml
@@ -11,7 +11,6 @@ jobs:
       matrix:
         java: [ 11, 17 ]
 
-    # export docker_tag from this job
     outputs:
       docker_tag: ${{ steps.build_image.outputs.tag }}
 
@@ -22,7 +21,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-        name: git checkout 3.0.0
+        name: Checkout swagger-codegen (3.0.0)
         with:
           ref: 3.0.0
 
@@ -64,26 +63,48 @@ jobs:
           /bin/bash ./bin/utils/detect_merge_conflict.sh
           /bin/bash ./bin/utils/detect_tab_in_java_class.sh
 
+      # ── NEW: clone & build generators before codegen ────────────────────────────
+      - name: Resolve generators version
+        id: gen_version
+        run: |
+          # extract version from codegen pom.xml
+          VER=$(sed -n 's/.*<swagger-codegen-generators-version>\([^<]*\)<\/swagger-codegen-generators-version>.*/\1/p' pom.xml | tr -d '[:space:]')
+          echo "GEN_VER=$VER" >> $GITHUB_OUTPUT
+
+      - name: Checkout swagger-codegen-generators
+        uses: actions/checkout@v4
+        with:
+          repository: swagger-api/swagger-codegen-generators
+          path: generators
+          # assume tags are named like “v1.0.58-SNAPSHOT” or “1.0.58-SNAPSHOT”
+          ref: ${{ steps.gen_version.outputs.GEN_VER }}
+
+      - name: Build & install swagger-codegen-generators
+        run: |
+          pushd generators
+          mvn clean install -DskipTests -B
+          popd
+      # ── end generators bootstrap ───────────────────────────────────────────────
+
       - name: Build with Maven
         if: ${{ matrix.java != 8 }}
         run: |
+          # your existing logic to resolve snapshot vs release remains unchanged:
           export MY_POM_VERSION=$(mvn -Dswagger-codegen-generators-version=1.0.37 \
             -q -Dexec.executable="echo" -Dexec.args='${projects.version}' \
             --non-recursive org.codehaus.mojo:exec-maven-plugin:1.3.1:exec)
           echo "POM VERSION ${MY_POM_VERSION}"
           
-          export GENERATORS_VERSION=$(sed -n 's/<swagger\-codegen\-generators\-version>\([^<]*\)<\/swagger\-codegen\-generators\-version>/\1/p' pom.xml | tr -d '[:space:]')
+          export GENERATORS_VERSION=$(sed -n 's/.*<swagger\-codegen\-generators\-version>\([^<]*\)<\/swagger\-codegen\-generators\-version>.*/\1/p' pom.xml | tr -d '[:space:]')
           echo "GENERATORS_VERSION ${GENERATORS_VERSION}"
           
+          # existing snapshot-fallback logic…
           export GENERATORS_VERSION_PROPERTY=""
           if [[ ! $MY_POM_VERSION =~ SNAPSHOT ]]; then
             if [[ ! $GENERATORS_VERSION =~ SNAPSHOT ]]; then
-              # check release version exists on Maven Central
-              local result
               result=$(curl -s --max-time 60 --retry 15 \
                 "https://search.maven.org/solrsearch/select?q=g:io.swagger.codegen.v3%20AND%20a:swagger-codegen-generators%20AND%20v:${GENERATORS_VERSION}%20AND%20p:jar")
               if [[ $(echo "$result" | jq '.response.numFound') -eq 0 ]]; then
-                # fall back to latest snapshot
                 SNAP_API="https://central.sonatype.com/repository/maven-snapshots"
                 ARTIFACT_PATH="io/swagger/codegen/v3/swagger-codegen-generators"
                 LAST_SNAP=$(curl -s "$SNAP_API/$ARTIFACT_PATH/maven-metadata.xml" \
@@ -102,18 +123,20 @@ jobs:
       - name: Build Docker image
         id: build_image
         run: |
-          # construct a unique tag: repo:pr-<number>-java<version>
           TAG="${{ github.repository }}:pr-${{ github.event.pull_request.number }}-java${{ matrix.java }}"
           docker build -t "$TAG" .
-          # export as both step output and env for downstream
           echo "::set-output name=tag::$TAG"
           echo "IMAGE_TAG=$TAG" >> $GITHUB_ENV
 
   scan-with-wiz:
     name: Trigger Wiz Scanning
     runs-on: ubuntu-latest
-    needs: [ build_pr_30 ]
-    if: success()
+    needs: build_pr_30
+    if: needs.build_pr_30.result == 'success'
+
+    env:
+      TAG: ${{ needs.build_pr_30.outputs.docker_tag }}
+      POLICY: "SmartBear default vulnerabilities policy"
 
     steps:
       - name: Authenticate to Wiz
@@ -124,8 +147,5 @@ jobs:
 
       - name: Run wiz-cli docker image scan
         run: |
-          ./wizcli docker scan --image $TAG --policy "$POLICY" 
-          ./wizcli docker tag --image $TAG
-        env:
-          TAG: ${{ needs.build_pr_30.outputs.docker_tag }}
-          POLICY: "SmartBear default vulnerabilities policy"
+          ./wizcli docker scan --image "$TAG" --policy "$POLICY"
+          ./wizcli docker tag  --image "$TAG"
