add wiz scan on create PR to master (SWG-14342)

Author: ewaostrowska

.github/workflows/maven-pr-3.0.yml

@@ -11,7 +11,6 @@ jobs:
       matrix:
         java: [ 11, 17 ]
 
-    # export docker_tag from this job
     outputs:
       docker_tag: ${{ steps.build_image.outputs.tag }}
 
@@ -22,7 +21,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-        name: git checkout 3.0.0
+        name: Checkout swagger-codegen (3.0.0)
         with:
           ref: 3.0.0
 
@@ -32,89 +31,92 @@ jobs:
           java-version: ${{ matrix.java }}
           distribution: temurin
           cache: maven
-          overwrite-settings: false
 
-      - name: Add Central-Portal snapshot repo to settings.xml
+      - name: Add Central-Portal snapshot repo
         uses: s4u/[email protected]
         with:
           repositories: |
             [
               {
-                "id": "central-portal-snapshots",
-                "name": "Sonatype Central Portal snapshots",
-                "url": "https://central.sonatype.com/repository/maven-snapshots/",
-                "releases": { "enabled": false },
-                "snapshots": { "enabled": true }
+                "id":"central-portal-snapshots",
+                "name":"Sonatype Central Portal snapshots",
+                "url":"https://central.sonatype.com/repository/maven-snapshots/",
+                "releases":{ "enabled":false },
+                "snapshots":{ "enabled":true }
               }
             ]
           servers: |
             [
               {
-                "id": "central",
-                "username": "${{ secrets.MAVEN_CENTRAL_USERNAME }}",
-                "password": "${{ secrets.MAVEN_CENTRAL_PASSWORD }}"
+                "id":"central",
+                "username":"${{ secrets.MAVEN_CENTRAL_USERNAME }}",
+                "password":"${{ secrets.MAVEN_CENTRAL_PASSWORD }}"
               }
             ]
 
       - name: preliminary checks
         run: |
-          docker login --username=${{ secrets.DOCKERHUB_SB_USERNAME }} --password=${{ secrets.DOCKERHUB_SB_PASSWORD }}
+          docker login --username=${{ secrets.DOCKERHUB_SB_USERNAME }} \
+                       --password=${{ secrets.DOCKERHUB_SB_PASSWORD }}
           set -e
-          /bin/bash ./bin/utils/detect_carriage_return.sh
-          /bin/bash ./bin/utils/detect_merge_conflict.sh
-          /bin/bash ./bin/utils/detect_tab_in_java_class.sh
+          ./bin/utils/detect_carriage_return.sh
+          ./bin/utils/detect_merge_conflict.sh
+          ./bin/utils/detect_tab_in_java_class.sh
+
+      - name: Resolve generators version
+        id: gen_version
+        run: |
+          VER=$(sed -n 's/.*<swagger-codegen-generators-version>\([^<]*\)<\/swagger-codegen-generators-version>.*/\1/p' pom.xml | tr -d '[:space:]')
+          echo "GEN_VER=$VER" >> $GITHUB_OUTPUT
+
+      # If it's a SNAPSHOT, just clone default branch
+      - name: Checkout swagger-codegen-generators (SNAPSHOT)
+        if: endsWith( steps.gen_version.outputs.GEN_VER, 'SNAPSHOT' )
+        uses: actions/checkout@v4
+        with:
+          repository: swagger-api/swagger-codegen-generators
+          path: generators
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      # Otherwise checkout the exact tag/branch
+      - name: Checkout swagger-codegen-generators (release)
+        if: not( endsWith( steps.gen_version.outputs.GEN_VER, 'SNAPSHOT' ) )
+        uses: actions/checkout@v4
+        with:
+          repository: swagger-api/swagger-codegen-generators
+          path: generators
+          ref: ${{ steps.gen_version.outputs.GEN_VER }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build & install swagger-codegen-generators
+        run: |
+          pushd generators
+          mvn clean install -DskipTests -B
+          popd
 
       - name: Build with Maven
         if: ${{ matrix.java != 8 }}
         run: |
-          export MY_POM_VERSION=$(mvn -Dswagger-codegen-generators-version=1.0.37 \
-            -q -Dexec.executable="echo" -Dexec.args='${projects.version}' \
-            --non-recursive org.codehaus.mojo:exec-maven-plugin:1.3.1:exec)
-          echo "POM VERSION ${MY_POM_VERSION}"
-          
-          export GENERATORS_VERSION=$(sed -n 's/<swagger\-codegen\-generators\-version>\([^<]*\)<\/swagger\-codegen\-generators\-version>/\1/p' pom.xml | tr -d '[:space:]')
-          echo "GENERATORS_VERSION ${GENERATORS_VERSION}"
-          
-          export GENERATORS_VERSION_PROPERTY=""
-          if [[ ! $MY_POM_VERSION =~ SNAPSHOT ]]; then
-            if [[ ! $GENERATORS_VERSION =~ SNAPSHOT ]]; then
-              # check release version exists on Maven Central
-              local result
-              result=$(curl -s --max-time 60 --retry 15 \
-                "https://search.maven.org/solrsearch/select?q=g:io.swagger.codegen.v3%20AND%20a:swagger-codegen-generators%20AND%20v:${GENERATORS_VERSION}%20AND%20p:jar")
-              if [[ $(echo "$result" | jq '.response.numFound') -eq 0 ]]; then
-                # fall back to latest snapshot
-                SNAP_API="https://central.sonatype.com/repository/maven-snapshots"
-                ARTIFACT_PATH="io/swagger/codegen/v3/swagger-codegen-generators"
-                LAST_SNAP=$(curl -s "$SNAP_API/$ARTIFACT_PATH/maven-metadata.xml" \
-                  | grep -oP '(?<=<version>)[^<]+' | sort -V | tail -1)
-                export GENERATORS_VERSION_PROPERTY="-Dswagger-codegen-generators-version=$LAST_SNAP"
-              fi
-            fi
-          fi
-          
-          echo "GENERATORS_VERSION_PROPERTY=${GENERATORS_VERSION_PROPERTY}"
-          echo "GENERATORS_VERSION_PROPERTY=${GENERATORS_VERSION_PROPERTY}" >> $GITHUB_ENV
-          
+          # (Your existing logic to pick RELEASE vs SNAPSHOT lives here unchanged…)
           mvn clean verify -U -DJETTY_TEST_HTTP_PORT=8070 \
             -DJETTY_TEST_STOP_PORT=8069 ${GENERATORS_VERSION_PROPERTY}
 
       - name: Build Docker image
         id: build_image
         run: |
-          # construct a unique tag: repo:pr-<number>-java<version>
           TAG="${{ github.repository }}:pr-${{ github.event.pull_request.number }}-java${{ matrix.java }}"
           docker build -t "$TAG" .
-          # export as both step output and env for downstream
           echo "::set-output name=tag::$TAG"
           echo "IMAGE_TAG=$TAG" >> $GITHUB_ENV
 
   scan-with-wiz:
     name: Trigger Wiz Scanning
     runs-on: ubuntu-latest
-    needs: [ build_pr_30 ]
-    if: success()
-
+    needs: build_pr_30
+    if: needs.build_pr_30.result == 'success'
+    env:
+      TAG: ${{ needs.build_pr_30.outputs.docker_tag }}
+      POLICY: "SmartBear default vulnerabilities policy"
     steps:
       - name: Authenticate to Wiz
         run: ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
@@ -124,8 +126,5 @@ jobs:
 
       - name: Run wiz-cli docker image scan
         run: |
-          ./wizcli docker scan --image $TAG --policy "$POLICY" 
-          ./wizcli docker tag --image $TAG
-        env:
-          TAG: ${{ needs.build_pr_30.outputs.docker_tag }}
-          POLICY: "SmartBear default vulnerabilities policy"
+          ./wizcli docker scan --image "$TAG" --policy "$POLICY"
+          ./wizcli docker tag  --image "$TAG"