Mute snyk for tests, testing infrastructure, and docs #493
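# CI workflow: builds the driver (optionally with Sonar analysis), then runs
# integration tests, a native-image test and a Snyk dependency scan.
#
# The trigger is `pull_request` (not `pull_request_target`), so the Maven
# wrapper and build scripts that run below come from the ref under test; runs
# for pull requests from forks do not receive repository secrets.
name: build

on:
  push:
    branches:
      - main
    paths-ignore:
      - 'README.adoc'
      - 'CONTRIBUTING.adoc'
  pull_request:
    paths-ignore:
      - 'README.adoc'
      - 'CONTRIBUTING.adoc'

jobs:
  build:
    # NOTE(review): this job has no explicit `permissions:` block, so
    # GITHUB_TOKEN carries the repository default. Add a least-privilege block
    # once the scopes the Sonar analysis needs for PR information are confirmed.
    runs-on: ubuntu-latest
    steps:
      - name: 'Set up JDK'
        uses: actions/setup-java@v3
        with:
          distribution: zulu
          java-version: '17'
      # NOTE(review): this step runs before 'Checkout', so hashFiles() likely
      # sees an empty workspace and the key is effectively per github.sha.
      # The downstream jobs use the same key expression at the same position,
      # presumably to pick up the ~/.m2 content installed here; keep the three
      # cache steps in sync if any of them is reordered.
      - name: 'Cache Maven packages'
        uses: actions/cache@v4
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}-${{ github.sha }}
      # Exactly one of the next two steps runs. The `sonar` profile is selected
      # only when the event sender is not Dependabot and, for pull requests,
      # the head branch lives in this repository; otherwise `-sonar`
      # deactivates the profile and the Sonar secrets are not needed.
      - name: 'Enable Sonar for local PRs not from Dependabot'
        if: ${{ github.event.sender.login != 'dependabot[bot]' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
        run: echo "USE_SONAR=sonar" >> "$GITHUB_ENV"
      - name: 'Disable Sonar for foreign PRs or from Dependabot'
        if: ${{ github.event.sender.login == 'dependabot[bot]' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository) }}
        run: echo "USE_SONAR=-sonar" >> "$GITHUB_ENV"
      - name: 'Cache SonarQube packages'
        uses: actions/cache@v4
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: 'Enable reusable Testcontainers'
        run: echo "testcontainers.reuse.enable=true" > ~/.testcontainers.properties
      # NOTE(review): checkout keeps GITHUB_TOKEN in the local git config by
      # default. Consider `persist-credentials: false` here as well once it is
      # confirmed that the Sonar analysis needs no authenticated git access.
      - name: 'Checkout'
        uses: actions/checkout@v3
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      # The three secrets are exposed to the Maven process of this step only.
      - name: 'Clean and verify'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        run: >
          ./mvnw --no-transfer-progress
          -P$USE_SONAR -Dsonar.projectKey=neo4j-jdbc -Dsonar.projectName='neo4j-jdbc'
          -am -pl neo4j-jdbc -pl neo4j-jdbc-bom -pl bundles/neo4j-jdbc-bundle -pl bundles/neo4j-jdbc-full-bundle
          clean install

  integration_tests:
    name: Integration tests using Java ${{ matrix.java }}
    runs-on: ubuntu-latest
    needs: build
    # No step in this job passes a secret or calls a GitHub write API, so the
    # token is limited to reading the repository.
    permissions:
      contents: read
    strategy:
      matrix:
        java: ['17', '21']
    steps:
      - name: 'Set up JDK'
        uses: actions/setup-java@v3
        with:
          distribution: zulu
          java-version: ${{ matrix.java }}
      # Same key expression as in the build job; see the note there.
      - name: 'Cache Maven packages'
        uses: actions/cache@v4
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}-${{ github.sha }}
      - name: 'Enable reusable Testcontainers'
        run: echo "testcontainers.reuse.enable=true" > ~/.testcontainers.properties
      - name: 'Checkout'
        uses: actions/checkout@v3
        with:
          # Later steps only build and test; do not leave the token in .git/config.
          persist-credentials: false
      - name: 'Ensure read permissions for neo4j.conf'
        run: chmod 640 neo4j-jdbc-it/neo4j-jdbc-it-cp/src/test/resources/cc/neo4j.conf
      - name: 'Run integration tests'
        run: >
          ./mvnw --no-transfer-progress
          -DskipUTs
          -f neo4j-jdbc-it
          clean verify

  native_build:
    name: Test using native image
    runs-on: ubuntu-latest
    needs: build
    # The token is only handed to the GraalVM setup action; read access is
    # presumably sufficient for it.
    permissions:
      contents: read
    steps:
      - name: 'Setup GraalVM'
        uses: graalvm/setup-graalvm@v1
        with:
          distribution: 'graalvm-community'
          java-version: '17'
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # Same key expression as in the build job; see the note there.
      - name: 'Cache Maven packages'
        uses: actions/cache@v4
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}-${{ github.sha }}
      - name: 'Enable reusable Testcontainers'
        run: echo "testcontainers.reuse.enable=true" > ~/.testcontainers.properties
      - name: 'Checkout'
        uses: actions/checkout@v3
        with:
          # Later steps only build and test; do not leave the token in .git/config.
          persist-credentials: false
      - name: 'Run native tests'
        run: ./mvnw --no-transfer-progress -DskipUTs -Dnative clean verify -pl neo4j-jdbc-it/neo4j-jdbc-it-cp

  security_test:
    runs-on: ubuntu-latest
    # Same gate as the Sonar profile: the scan is skipped for Dependabot and
    # for pull requests from forks. Those changes are therefore not scanned by
    # Snyk in this workflow until a later non-skipped run.
    if: ${{ github.event.sender.login != 'dependabot[bot]' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
    # The scan authenticates with SNYK_TOKEN, not GITHUB_TOKEN.
    permissions:
      contents: read
    steps:
      - name: 'Checkout'
        uses: actions/checkout@v3
        with:
          # The workspace is handed to a third-party action next; keep the
          # GitHub token out of .git/config.
          persist-credentials: false
      # NOTE(review): `@master` is a mutable ref on a third-party action that
      # receives SNYK_TOKEN. Pin it to a reviewed full commit SHA
      # (snyk/actions/maven@<full-commit-sha>) and let an update bot bump it.
      # The tag-pinned actions above carry the same, lower, risk.
      #
      # NOTE(review): only findings of severity high or above fail the job.
      # The --exclude list also names neo4j-jdbc-bundle, neo4j-jdbc-full-bundle,
      # neo4j-jdbc-text2cypher-translator and neo4j-jdbc-text2cypher-bundle,
      # which by name look like distributable modules rather than tests or
      # docs; confirm their dependencies are covered by a scanned project.
      - name: 'Run Snyk to check for vulnerabilities'
        uses: snyk/actions/maven@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high --all-projects --exclude=dist,docs,etc,neo4j-jdbc-bundle,neo4j-jdbc-full-bundle,neo4j-jdbc-it,neo4j-jdbc-test-results,benchkit,neo4j-jdbc-text2cypher-translator,neo4j-jdbc-text2cypher-bundle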