Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .github/workflows/checkmarx-one-scan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,10 @@ on:
schedule:
- cron: "00 7 * * *" # Every day at 07:00

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

Expand All @@ -20,6 +24,8 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
- name: Checkmarx One CLI Action
uses: checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc #v.2.3.19
with:
Expand Down
30 changes: 28 additions & 2 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,15 @@ name: AST Java Wrapper CI

on: [ pull_request ]

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

jobs:
integration-tests:
integration-tests: # zizmor: ignore[anonymous-definition]
permissions:
contents: read
runs-on: cx-public-ubuntu-x64
Expand All @@ -16,6 +20,7 @@ jobs:
with:
token: ${{ secrets.GITHUB_TOKEN }}
lfs: true
persist-credentials: false

- name: Install Git LFS
run: |
Expand All @@ -34,7 +39,28 @@ jobs:

- name: Configure echo mirror for dependency resolution
run: |
sed -i 's|</settings>|<mirrors><mirror><id>echo</id><mirrorOf>central</mirrorOf><url>https://maven.echohq.com</url></mirror></mirrors></settings>|' ~/.m2/settings.xml
mkdir -p ~/.m2
cat > ~/.m2/settings.xml << EOF
<?xml version="1.0" encoding="UTF-8"?>
<settings>
<mirrors>
<mirror>
<id>echo-repo</id>
<mirrorOf>*</mirrorOf>
<url>https://maven.echohq.com</url>
</mirror>
</mirrors>
<servers>
<server>
<id>echo-repo</id>
<username></username>
<password>${ECHO_LIBRARIES_ACCESS_KEY}</password>
</server>
</servers>
</settings>
EOF
env:
ECHO_LIBRARIES_ACCESS_KEY: ${{ secrets.ECHO_LIBRARIES_ACCESS_KEY }}

- name: Check existence of cx-linux binary
run: |
Expand Down
10 changes: 9 additions & 1 deletion .github/workflows/manual-tag.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,29 +7,37 @@ on:
description: 'Next release tag'
required: true

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false

permissions:
contents: read

jobs:
tag-creation:
name: Tag Creation
permissions:
contents: write # for Git to git push
runs-on: cx-public-ubuntu-x64
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
token: ${{ secrets.GITHUB_TOKEN }}
persist-credentials: false
- name: Tag
env:
INPUT_TAG: ${{ github.event.inputs.tag }}
PR_NUMBER: ${{ github.event.pull_request.number }}
PR_TITLE: ${{ github.event.pull_request.title }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO: ${{ github.repository }}
run: |
echo "$INPUT_TAG"
echo "NEXT_VERSION=$INPUT_TAG" >> $GITHUB_ENV
message="$INPUT_TAG: PR #$PR_NUMBER $PR_TITLE"
git config user.name "${GITHUB_ACTOR}"
git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${REPO}"
git tag -a "$INPUT_TAG" -m "$message"
git push origin "$INPUT_TAG"
10 changes: 8 additions & 2 deletions .github/workflows/nightly.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,20 +6,26 @@ on:
# branches:
# - main

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false

permissions:
contents: read

jobs:
delete_tag:
name: Delete Tag
permissions:
contents: write
contents: write # for gh release delete to remove tags and releases
runs-on: cx-public-ubuntu-x64
steps:
- name: Delete release and tag
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_REPO: ${{ github.repository }}
run: |
gh release delete "1.0.0-SNAPSHOT" --yes --cleanup-tag --repo ${{ github.repository }} || true
gh release delete "1.0.0-SNAPSHOT" --yes --cleanup-tag --repo "${GH_REPO}" || true

nightly:
needs: delete_tag
Expand Down
21 changes: 17 additions & 4 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -50,15 +50,22 @@ on:
required: true
OSSRH_USERNAME:
required: true
ECHO_LIBRARIES_ACCESS_KEY:
required: true

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false

permissions:
contents: read

jobs:
release:
name: Release
permissions:
id-token: write
contents: write
id-token: write # for Maven Central publishing via OIDC
contents: write # for git push tag and creating GitHub release
runs-on: cx-public-ubuntu-x64
outputs:
CLI_VERSION: ${{ steps.extract_cli_version.outputs.CLI_VERSION }}
Expand All @@ -67,8 +74,8 @@ jobs:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
token: ${{ secrets.GITHUB_TOKEN }}
lfs: true
persist-credentials: false

- name: Download CLI
if: inputs.cliTag
Expand Down Expand Up @@ -105,11 +112,14 @@ jobs:
id: set_tag_name
env:
INPUT_TAG: ${{ inputs.tag }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO: ${{ github.repository }}
run: |
echo "$INPUT_TAG"
echo "RELEASE_VERSION=$INPUT_TAG" >> $GITHUB_ENV
git config user.name "${GITHUB_ACTOR}"
git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${REPO}"
git tag -a "$INPUT_TAG" -m "$INPUT_TAG"
git push origin "$INPUT_TAG"
echo "TAG_NAME=$INPUT_TAG" >> $GITHUB_OUTPUT
Expand All @@ -127,7 +137,10 @@ jobs:

- name: Configure echo mirror for dependency resolution
run: |
sed -i 's|</settings>|<mirrors><mirror><id>echo</id><mirrorOf>central</mirrorOf><url>https://maven.echohq.com</url></mirror></mirrors></settings>|' ~/.m2/settings.xml
sed -i 's|</servers>|<server><id>echo-repo</id><username></username><password>'"$ECHO_LIBRARIES_ACCESS_KEY"'</password></server></servers>|' ~/.m2/settings.xml
sed -i 's|</settings>|<mirrors><mirror><id>echo-repo</id><mirrorOf>*</mirrorOf><url>https://maven.echohq.com</url></mirror></mirrors></settings>|' ~/.m2/settings.xml
env:
ECHO_LIBRARIES_ACCESS_KEY: ${{ secrets.ECHO_LIBRARIES_ACCESS_KEY }}

- name: Update the POM version.
run: mvn -B versions:set -DnewVersion="$RELEASE_VERSION" --file pom.xml -DskipTests
Expand Down
31 changes: 31 additions & 0 deletions .github/workflows/scan-github-action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
name: Scan for GitHub Actions issues

on:
pull_request:
workflow_call:

concurrency:
group: ${{ github.workflow }}-${{ github.repository }}-${{ github.ref }}

permissions: {}

jobs:
zizmor:
name: Scan repository contents
runs-on: cx-public-ubuntu-x64
permissions:
contents: read
steps:
- name: Check out repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false

- name: Run Zizmor linter
uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
with:
advanced-security: false
annotations: false
persona: pedantic
fail-on-no-inputs: false
online-audits: false
6 changes: 6 additions & 0 deletions .github/workflows/update-cli.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,17 +3,23 @@ name: Update checkmarx ast cli
on:
workflow_dispatch:

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false

permissions:
contents: read

jobs:
update_cli:
name: Update CLI
runs-on: cx-public-ubuntu-x64
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
lfs: true
persist-credentials: false

- name: Install Git LFS
run: |
Expand Down
3 changes: 2 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -32,4 +32,5 @@ docker-compose.override.yml
#################################
Thumbs.db
.directory
.DS_Store
.DS_Store
/.vscode
Loading
Loading