| # |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| # |
| |
| name: CI - OWASP Dependency Check |
| on: |
| schedule: |
| - cron: '15 0 * * *' |
| workflow_dispatch: |
| |
| env: |
| MAVEN_OPTS: -Xss1500k -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.http.retryHandler.requestSentEnabled=true -Dmaven.wagon.http.serviceUnavailableRetryStrategy.class=standard -Dmaven.wagon.rto=60000 |
| |
| jobs: |
| run-owasp-dependency-check: |
| if: ${{ github.repository == 'apache/pulsar' || github.event_name == 'workflow_dispatch' }} |
| name: Check ${{ matrix.branch }} |
| env: |
| JOB_NAME: Check ${{ matrix.branch }} |
| runs-on: ubuntu-20.04 |
| timeout-minutes: 45 |
| strategy: |
| fail-fast: false |
| matrix: |
| include: |
| - branch: master |
| - branch: branch-2.11 |
| - branch: branch-2.10 |
| jdk: 11 |
| - branch: branch-2.9 |
| jdk: 11 |
| - branch: branch-2.8 |
| jdk: 11 |
| |
| steps: |
| - name: checkout |
| uses: actions/checkout@v3 |
| with: |
| ref: ${{ matrix.branch }} |
| |
| - name: Tune Runner VM |
| uses: ./.github/actions/tune-runner-vm |
| |
| - name: Configure Gradle Enterprise |
| if: ${{ matrix.branch == 'master' }} |
| uses: ./.github/actions/gradle-enterprise |
| with: |
| token: ${{ secrets.GE_ACCESS_TOKEN }} |
| |
| - name: Cache local Maven repository |
| uses: actions/cache@v3 |
| timeout-minutes: 5 |
| with: |
| path: | |
| ~/.m2/repository/*/*/* |
| !~/.m2/repository/org/apache/pulsar |
| key: ${{ runner.os }}-m2-dependencies-owasp-${{ hashFiles('**/pom.xml') }} |
| restore-keys: | |
| ${{ runner.os }}-m2-dependencies-all-${{ hashFiles('**/pom.xml') }} |
| ${{ runner.os }}-m2-dependencies-core-modules-${{ hashFiles('**/pom.xml') }} |
| ${{ runner.os }}-m2-dependencies-core-modules- |
| |
| - name: Set up JDK ${{ matrix.jdk || '17' }} |
| uses: actions/setup-java@v3 |
| with: |
| distribution: 'temurin' |
| java-version: ${{ matrix.jdk || '17' }} |
| |
| - name: run install by skip tests |
| run: mvn -B -ntp clean install -DskipTests -Dspotbugs.skip=true -Dlicense.skip=true -Dcheckstyle.skip=true -Drat.skip=true -DskipDocker=true |
| |
| - name: run OWASP Dependency Check for distribution/server (-DfailBuildOnAnyVulnerability=true) |
| run: mvn -B -ntp -Pmain,skip-all,skipDocker,owasp-dependency-check initialize verify -pl distribution/server -DfailBuildOnAnyVulnerability=true |
| |
| - name: run OWASP Dependency Check for distribution/offloaders, distribution/io and pulsar-sql/presto-distribution |
| run: mvn -B -ntp -Pmain,skip-all,skipDocker,owasp-dependency-check initialize verify -pl distribution/offloaders,distribution/io,pulsar-sql/presto-distribution |
| |
| - name: Upload OWASP Dependency Check reports |
| uses: actions/upload-artifact@v3 |
| if: always() |
| with: |
| name: owasp-dependency-check-reports-${{ matrix.branch }} |
| path: | |
| distribution/server/target/dependency-check-report.html |
| distribution/offloaders/target/dependency-check-report.html |
| distribution/io/target/dependency-check-report.html |
| pulsar-sql/presto-distribution/target/dependency-check-report.html |