Update dependency org.codehaus.mojo:exec-maven-plugin to v3.5.0 #818

Workflow file for this run

	name: "Build, Analyze and Test"

	on: [ push, pull_request ]

	# Declare default permissions as read only.
	permissions: read-all

	jobs:
	build:
	runs-on: ubuntu-latest
	permissions:
	packages: write
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
	with:
	egress-policy: audit

	- name: Checkout
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

	- uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4
	with:
	distribution: "temurin"
	java-version: 21

	- name: Dependency Review
	if: github.event_name == 'pull_request'
	uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4

	- uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
	with:
	path: ~/.m2/repository
	key: ${{ runner.os }}-maven
	restore-keys: \|
	${{ runner.os }}-maven

	- name: Collect dependencies
	run: \|
	./mvnw dependency:go-offline --batch-mode
	./mvnw verify --fail-never --batch-mode

	- name: Build
	run: ./mvnw clean install --batch-mode

	- name: Build native
	run: ./mvnw clean install -Pnative --batch-mode

	- name: Run help
	id: runner
	run: \|
	runners=(target/github-stats-*-runner)
	echo "cmd=$(basename ${runners[0]})" >> "$GITHUB_OUTPUT"

	"${runners[0]}" help

	- name: Upload target
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
	with:
	name: target
	path: target/
	if-no-files-found: error

	- name: Upload runner binary
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
	with:
	name: runner
	path: target/github-stats-*-runner
	if-no-files-found: error

	- name: Generate hashes
	shell: bash
	id: hash
	run: \|
	echo "hashes=$(sha256sum target/github-stats-*-runner \| base64 -w0)" >> "$GITHUB_OUTPUT"

	- name: Get image tags
	id: image_tags
	uses: redhat-cop/github-actions/get-image-version@e4729075dcd3f34946b80df6b1bfb952b9fee166 # v4
	with:
	IMAGE_CONTEXT_DIR: src/main/docker

	- name: Build image
	id: build_image
	uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2
	with:
	dockerfiles: src/main/docker/Dockerfile.native
	image: github-stats
	oci: true
	tags: "${{ steps.image_tags.outputs.IMAGE_TAGS }}"

	- name: Push to ghcr.io
	if: startsWith(github.ref, 'refs/tags/')
	uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2
	id: push_image
	with:
	image: ${{ steps.build_image.outputs.image }}
	registry: ghcr.io/${{ github.repository }}
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}
	tags: ${{ steps.build_image.outputs.tags }}

	outputs:
	hashes: ${{ steps.hash.outputs.hashes }}
	image_repo: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}"
	image_digest: "${{ steps.push_image.outputs.digest }}"
	image_uri: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}@${{ steps.push_image.outputs.digest }}"
	runner: "${{ steps.runner.outputs.cmd }}"

	analyze:
	needs: [ build ]
	runs-on: ubuntu-latest
	permissions:
	security-events: write
	contents: write
	steps:
	- name: Checkout
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

	- uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4
	with:
	distribution: "temurin"
	java-version: 21

	- name: Initialize CodeQL
	uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
	with:
	languages: java

	- name: Autobuild
	uses: github/codeql-action/autobuild@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
	with:
	category: "/language:java"

	- name: Submit Dependency Snapshot
	uses: advanced-security/maven-dependency-submission-action@4f64ddab9d742a4806eeb588d238e4c311a8397d # v4

	test:
	needs: [ build ]
	runs-on: ubuntu-latest
	env:
	RUNNER: "${{ needs.build.outputs.runner }}"
	steps:
	- name: Checkout
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

	- name: Download target
	uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
	with:
	name: target

	- name: Make github-stats-*-runner executable
	run: chmod +x ${{ env.RUNNER }}

	- name: Run 'collect-stats' for UKI
	env:
	GITHUB_LOGIN: ${{ github.repository_owner }}
	GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
	run: \|
	touch /tmp/stats.csv
	./${{ env.RUNNER }} stats collect-stats --organization=RedHat-Consulting-UK --csv-output=/tmp/stats.csv --validate-org-config=false --required-limit=400

	- name: Run 'collect-members-from-ldap' for UKI
	env:
	GITHUB_LOGIN: ${{ github.repository_owner }}
	GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
	run: \|
	touch /tmp/members.csv
	./${{ env.RUNNER }} users collect-members-from-ldap --organization=RedHat-Consulting-UK --csv-output=/tmp/members.csv --ldap-members-csv=tests/ldap-members.csv --supplementary-csv=tests/supplementary.csv --fail-if-no-vpn=false --guess=false

	- name: Run 'create-who-are-you-issues' for UKI
	env:
	GITHUB_LOGIN: ${{ github.repository_owner }}
	GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
	run: ./${{ env.RUNNER }} users create-who-are-you-issues --dry-run=true --organization=RedHat-Consulting-UK --issue-repo=helm3 --ldap-members-csv=tests/ldap-members.csv --supplementary-csv=tests/supplementary.csv --permission=admin --guess=false --fail-if-no-vpn=false

	- name: Upload /tmp/*.csv
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
	with:
	name: outputs.csv
	path: /tmp/*.csv
	if-no-files-found: error

	- name: Run create-who-are-you-issues for UKI
	env:
	GITHUB_LOGIN: ${{ github.repository_owner }}
	GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
	run: ./${{ env.RUNNER }} users create-who-are-you-issues --dry-run=true --organization=RedHat-Consulting-UK --issue-repo=helm3 --ldap-members-csv=tests/ldap-members.csv --supplementary-csv=tests/supplementary.csv --permission=write --guess=false --fail-if-no-vpn=false

	sign-image:
	needs: [ build ]
	permissions:
	id-token: write
	packages: write
	if: startsWith(github.ref, 'refs/tags/')
	env:
	image_uri: ${{ needs.build.outputs.image_uri }}
	runs-on: ubuntu-latest
	steps:
	- name: Setup cosign
	uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3

	- name: Cosign login
	run: \|
	echo "${{ secrets.GITHUB_TOKEN }}" \| cosign login --username ${{ github.repository_owner }} --password-stdin ghcr.io

	- name: Sign Image
	run: \|
	cosign sign --yes "${image_uri}"

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
	env:
	TRIVY_USERNAME: ${{ github.repository_owner }}
	TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
	with:
	scan-type: image
	image-ref: ${{ env.image_uri }}
	format: "cosign-vuln"
	output: "cosign-vuln.json"

	- name: Run Trivy SBOM generator
	uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
	env:
	TRIVY_USERNAME: ${{ github.repository_owner }}
	TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
	with:
	scan-type: image
	image-ref: ${{ env.image_uri }}
	format: "spdx-json"
	output: "spdx-json.json"

	- name: Attach attestations
	run: \|
	cosign attest --yes --type vuln --predicate cosign-vuln.json "${image_uri}"
	cosign attest --yes --type cyclonedx --predicate spdx-json.json "${image_uri}"

	provenance_binary:
	needs: [ build ]
	if: startsWith(github.ref, 'refs/tags/')
	permissions:
	actions: read
	id-token: write
	contents: write
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # v2.0.0
	with:
	base64-subjects: "${{ needs.build.outputs.hashes }}"
	upload-assets: true

	provenance_image:
	needs: [ build ]
	permissions:
	actions: read # for detecting the Github Actions environment.
	id-token: write # for creating OIDC tokens for signing.
	packages: write # for uploading attestations.
	if: startsWith(github.ref, 'refs/tags/')
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # v2.0.0
	with:
	image: ${{ needs.build.outputs.image_repo }}
	digest: ${{ needs.build.outputs.image_digest }}
	registry-username: ${{ github.repository_owner }}
	secrets:
	registry-password: ${{ secrets.GITHUB_TOKEN }}

	release:
	needs: [ build ]
	runs-on: ubuntu-latest
	if: startsWith(github.ref, 'refs/tags/')
	permissions:
	contents: write
	steps:
	- name: Download runner
	uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
	with:
	name: runner

	- name: Upload assets to release
	uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
	with:
	files: \|
	github-stats-*-runner

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency org.codehaus.mojo:exec-maven-plugin to v3.5.0 #818

Workflow file

Update dependency org.codehaus.mojo:exec-maven-plugin to v3.5.0 #818

Jobs

Run details

Workflow file for this run