.github/.github/workflows/java-security.yaml at main · dvsa/.github · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
name: Snyk Update

on:
  workflow_call:
    inputs:
      java_version:
        required: false
        type: string
        default: '11'
      snyk_threshold:
        required: false
        type: string
        default: 'high'
    secrets:
      SNYK_TOKEN:
        required: true
      USER_NAME:
        required: true
      ACCESS_TOKEN:
        required: true
      PACKAGE_REPO:
        required: true

jobs:
  snyk-cli:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Project Branch from GitHub
        uses: actions/checkout@v4

      - name: Install Java Corretto ${{inputs.java_version}}
        uses: actions/setup-java@v4
        with:
          distribution: 'corretto'
          java-version: '${{inputs.java_version}}'

      - name: Generate Maven settings.xml file to access GitHub Packages
        uses: whelk-io/maven-settings-xml-action@v22
        with:
          repositories: >
            [
              {
                "id": "central",
                "url": "https://repo1.maven.org/maven2"
              },
              {
                "id": "github",
                "url": "${{secrets.PACKAGE_REPO}}",
                "releases": {
                  "enabled": "true"
                  },
                "snapshots": {
                  "enabled": "true"
                }
              }
            ]
          servers: >
            [
              {
                "id": "github",
                "username": "${{secrets.USER_NAME}}",
                "password": "${{secrets.ACCESS_TOKEN}}"
              }
            ]
          active_profiles: >
            [
              "github"
            ]

      - name: Generate settings.yaml File Inside Repository
        uses: 1arp/create-a-file-action@0.4.5
        with:
          path: 'config'
          file: 'settings.yaml'

      - name: Install SNYK-CLI
        run: |
          curl -o ./snyk-linux https://static.snyk.io/cli/latest/snyk-linux && \
          curl -o ./snyk-linux.sha256 https://static.snyk.io/cli/latest/snyk-linux.sha256 && \
          sha256sum -c snyk-linux.sha256 && \
          mv snyk-linux /usr/local/bin/snyk && \
          chmod +x /usr/local/bin/snyk

      - name: Authorise SNYK-CLI
        run: snyk auth ${{secrets.SNYK_TOKEN}}

      - name: Run Maven Compile to Download Project Dependencies
        run: mvn compile -DskipUTs=true

      - name: Run SNYK Test
        run: snyk test --severity-threshold=${{inputs.snyk_threshold}}