Fix gcp marketplace flow #98
name: Security | |
on: | |
pull_request: | |
branches: | |
- 'main' | |
- 'release/**' | |
push: | |
branches: | |
- 'main' | |
- 'release/**' | |
tags: | |
- 'v*' | |
defaults: | |
run: | |
shell: bash | |
permissions: | |
contents: read | |
env: | |
LC_ALL: C.UTF-8 | |
jobs: | |
dependencies: | |
name: Dependency Check | |
runs-on: [self-hosted, Linux, large, ephemeral] | |
if: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | |
with: | |
egress-policy: audit | |
- name: Checkout Code | |
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
- name: Setup Node | |
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
with: | |
node-version: 21 | |
- name: Install JDK | |
uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 | |
with: | |
distribution: temurin | |
java-version: 21 | |
- name: Setup Gradle | |
uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2 | |
with: | |
gradle-home-cache-includes: | | |
caches | |
notifications | |
jdks | |
dependency-check-data | |
# write a cache on all executions to ensure the NVD data stays up-to-date | |
cache-read-only: false | |
- name: Vulnerability check | |
env: | |
NVD_API_KEY: ${{ secrets.NVD_API_KEY }} | |
run: ./gradlew dependencyCheckAggregate | |
- name: Upload report | |
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
if: failure() | |
with: | |
name: dependency-check-report | |
path: build/reports/dependency-check-report.html | |
gosec: | |
name: GoSec Code Scan | |
env: | |
GO111MODULE: on | |
runs-on: [self-hosted, Linux, large, ephemeral] | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | |
with: | |
egress-policy: audit | |
- name: Checkout Code | |
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
with: | |
path: tmp | |
- name: Copy hedera-mirror-rosetta to workspace root | |
working-directory: . | |
run: | | |
cp -r tmp/hedera-mirror-rosetta/* . | |
rm -fr tmp | |
- name: Setup Node | |
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
with: | |
node-version: 21 | |
- name: Setup GoLang | |
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 | |
with: | |
go-version: 1.22 | |
- name: Run Gosec Security Scanner | |
uses: securego/gosec@8658b8eab6c8fa98fd180f718b1961718e0dce48 # master | |
with: | |
args: ./... | |
sonar: | |
if: github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') | |
name: SonarCloud | |
runs-on: [self-hosted, Linux, large, ephemeral] | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | |
with: | |
egress-policy: audit | |
- name: Checkout Code | |
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
with: | |
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | |
- name: Setup Node | |
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
with: | |
node-version: 21 | |
- name: Install JDK | |
uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 | |
with: | |
distribution: temurin | |
java-version: 21 | |
- name: Setup Gradle | |
uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2 | |
- name: Cache SonarCloud dependencies | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
with: | |
path: ~/.sonar/cache | |
key: ${{ runner.os }}-sonar | |
restore-keys: ${{ runner.os }}-sonar | |
- name: Execute Gradle | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
run: ./gradlew build sonar -x test | |
snyk: | |
if: github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') | |
name: Snyk Open Source | |
runs-on: [self-hosted, Linux, large, ephemeral] | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | |
with: | |
egress-policy: audit | |
- name: Checkout Code | |
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
- name: Setup Node | |
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
with: | |
node-version: 21 | |
- name: Install JDK | |
uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 | |
with: | |
distribution: temurin | |
java-version: 21 | |
- name: Setup Gradle | |
uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2 | |
- name: Setup Snyk | |
run: npm install -g snyk-to-html @wcj/html-to-markdown-cli | |
- name: Execute Snyk Test | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
run: ./gradlew snyk-test | |
- name: Publish Snyk Results | |
continue-on-error: true | |
if: ${{ !cancelled() && always() }} | |
run: | | |
report="build/reports/snyk-test" | |
if [[ -f ${report}.json ]]; then | |
snyk-to-html -i ${report}.json -o ${report}.html && \ | |
html-to-markdown ${report}.html -o build/reports && \ | |
cat ${report}.html.md >> $GITHUB_STEP_SUMMARY | |
fi | |
snyk-code: | |
if: github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') | |
name: Snyk Code | |
runs-on: [self-hosted, Linux, large, ephemeral] | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | |
with: | |
egress-policy: audit | |
- name: Checkout Code | |
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
- name: Setup Node | |
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
with: | |
node-version: 21 | |
- name: Install JDK | |
uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 | |
with: | |
distribution: temurin | |
java-version: 21 | |
- name: Setup Gradle | |
uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2 | |
- name: Setup Snyk | |
run: npm install -g snyk-to-html @wcj/html-to-markdown-cli | |
- name: Execute Snyk Code Test | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
run: ./gradlew snyk-code | |
- name: Publish Snyk Results | |
continue-on-error: true | |
if: ${{ !cancelled() && always() }} | |
run: | | |
report="build/reports/snyk-code" | |
if [[ -f ${report}.json ]]; then | |
snyk-to-html -i ${report}.json -o ${report}.html && \ | |
html-to-markdown ${report}.html -o build/reports && \ | |
cat ${report}.html.md >> $GITHUB_STEP_SUMMARY | |
fi |
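Review bot: The two `Setup Snyk` steps install `snyk-to-html` and `@wcj/html-to-markdown-cli` from npm with no version (`npm install -g snyk-to-html @wcj/html-to-markdown-cli`, in both the snyk and snyk-code jobs), so whatever the registry serves at run time lands on the runner and its output is appended to the step summary, while every `uses:` in the same file is pinned to a commit SHA. Pin them to known versions, e.g. `run: npm install -g snyk-to-html@<PINNED_VERSION> @wcj/html-to-markdown-cli@<PINNED_VERSION>` (placeholder versions), so the supply-chain posture matches the rest of the workflow. Similarly, `securego/gosec` is pinned to a SHA annotated `# master` rather than a released tag, so the comment does not tell a reviewer which version the pin corresponds to; moving it to a tagged release would keep it consistent with the other actions. The harden-runner steps all use `egress-policy: audit`, which only records outbound connections; that may be intentional while an allow-list is being assembled, but it is worth a comment noting that nothing is blocked yet.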