.github/workflows/owasp-dep-check.yml - bookkeeper - Git at Google

 #
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 #

 name: OWASP Dependency Check

 on:
   push:
   pull_request:
     branches:
       - master
       - branch-*
     paths-ignore:
       - 'site3/**'
     workflow_dispatch:

 env:
   MAVEN_OPTS: -Dmaven.wagon.httpconnectionManager.ttlSeconds=25 -Dmaven.wagon.http.retryHandler.count=3

 jobs:
   check:

     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
       - name: Checkout
         uses: actions/checkout@v2

       - name: Tune Runner VM
         uses: ./.github/actions/tune-runner-vm

       - name: Detect changed pom files
         id: changes
         uses: apache/pulsar-test-infra/paths-filter@master
         with:
           filters: |
             poms:
               - 'pom.xml'
               - '**/pom.xml'

       - name: Set up JDK 1.8
         uses: actions/setup-java@v1
         if: ${{ steps.changes.outputs.poms == 'true' }}
         with:
           java-version: 1.8

       - name: run "clean install verify" to trigger dependency check
         if: ${{ steps.changes.outputs.poms == 'true' }}
         # excluding dlfs because it includes hadoop lib with
         # CVEs that we cannot patch up anyways
         run: mvn -q -B -ntp clean install verify -Powasp-dependency-check -DskipTests -pl '!stream/distributedlog/io/dlfs'

       - name: Upload report
         uses: actions/upload-artifact@v3
         if: ${{ cancelled() || failure() }}
         continue-on-error: true
         with:
           name: dependency report
           path: target/dependency-check-report.html
	#
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License.
	#

	name: OWASP Dependency Check

	on:
	push:
	pull_request:
	branches:
	- master
	- branch-*
	paths-ignore:
	- 'site3/**'
	workflow_dispatch:

	env:
	MAVEN_OPTS: -Dmaven.wagon.httpconnectionManager.ttlSeconds=25 -Dmaven.wagon.http.retryHandler.count=3

	jobs:
	check:

	runs-on: ubuntu-latest
	timeout-minutes: 60
	steps:
	- name: Checkout
	uses: actions/checkout@v2

	- name: Tune Runner VM
	uses: ./.github/actions/tune-runner-vm

	- name: Detect changed pom files
	id: changes
	uses: apache/pulsar-test-infra/paths-filter@master
	with:
	filters: \|
	poms:
	- 'pom.xml'
	- '**/pom.xml'

	- name: Set up JDK 1.8
	uses: actions/setup-java@v1
	if: ${{ steps.changes.outputs.poms == 'true' }}
	with:
	java-version: 1.8

	- name: run "clean install verify" to trigger dependency check
	if: ${{ steps.changes.outputs.poms == 'true' }}
	# excluding dlfs because it includes hadoop lib with
	# CVEs that we cannot patch up anyways
	run: mvn -q -B -ntp clean install verify -Powasp-dependency-check -DskipTests -pl '!stream/distributedlog/io/dlfs'

	- name: Upload report
	uses: actions/upload-artifact@v3
	if: ${{ cancelled() \|\| failure() }}
	continue-on-error: true
	with:
	name: dependency report
	path: target/dependency-check-report.html