| name: vulnerability-check |
| on: |
| schedule: |
| # Run at 16:00 UTC every Sunday (Monday 00:00 CST) |
| - cron: "0 16 * * 0" |
| workflow_dispatch: |
| concurrency: |
| group: ${{ github.workflow }}-${{ github.ref }} |
| cancel-in-progress: true |
| |
| env: |
| MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 |
| MAVEN_ARGS: --batch-mode --no-transfer-progress |
| DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} |
| |
| jobs: |
| dependency-check: |
| if: ${{ github.event_name == 'workflow_dispatch' || github.repository == 'apache/iotdb' }} |
| runs-on: ubuntu-latest |
| permissions: |
| contents: read |
| |
| steps: |
| - uses: actions/checkout@v4 |
| - name: Set up JDK 17 |
| uses: actions/setup-java@v4 |
| with: |
| distribution: corretto |
| java-version: 17 |
| |
| - name: Do Maven install |
| shell: bash |
| run: mvn $MAVEN_ARGS clean install -DskipTests |
| |
| - name: Do the dependency-check:aggregate |
| shell: bash |
| run: mvn $MAVEN_ARGS org.owasp:dependency-check-maven:aggregate -DossIndexUsername=${{ secrets.OSS_INDEX_USER }} -DossIndexPassword=${{ secrets.OSS_INDEX_TOKEN }} -DnvdApiKey=${{ secrets.NVD_API_KEY }} |
| |
| - name: Generate report date for artifact name |
| run: | |
| utc_time="${{ github.run_started_at }}" |
| target_time=$(TZ=Asia/Shanghai date -d "$utc_time" +"%Y-%m-%d") |
| echo "REPORT_DATE=$target_time" >> $GITHUB_ENV |
| |
| - name: Upload Artifact |
| uses: actions/upload-artifact@v4 |
| with: |
| name: vulnerability-check-result-${{ env.REPORT_DATE }} |
| path: target/dependency-check-report.html |
| retention-days: 15 |
