This is an automated email from the ASF dual-hosted git repository.
nicoloboschi pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new 8f4c0e058f9 [ci] Move owasp check into the main workflow (#17568)
8f4c0e058f9 is described below
commit 8f4c0e058f97213796862a198b637886f083bd9a
Author: Nicolò Boschi <[email protected]>
AuthorDate: Mon Sep 12 15:26:09 2022 +0200
[ci] Move owasp check into the main workflow (#17568)
---
.github/changes-filter.yaml | 5 ++
.github/workflows/ci-owasp-dep-check.yaml | 101 ------------------------------
.github/workflows/pulsar-ci.yaml | 68 ++++++++++++++++++++
3 files changed, 73 insertions(+), 101 deletions(-)
diff --git a/.github/changes-filter.yaml b/.github/changes-filter.yaml
index b14153acb82..82f5b22a8aa 100644
--- a/.github/changes-filter.yaml
+++ b/.github/changes-filter.yaml
@@ -12,3 +12,8 @@ tests:
- added|modified: '**/src/test/java/**/*.java'
cpp:
- 'pulsar-client-cpp/**'
+need_owasp:
+ - 'pom.xml'
+ - '**/pom.xml'
+ - 'src/owasp-dependency-check-false-positives.xml'
+ - 'src/owasp-dependency-check-suppressions.xml'
\ No newline at end of file
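Review bot: The new `need_owasp` filter (L24-L28) no longer lists the workflow that defines the job, whereas the filter in the deleted workflow included `.github/workflows/ci-owasp-dep-check.yaml` itself; if the intent is for edits to the OWASP job definition to exercise the check, add `- '.github/workflows/pulsar-ci.yaml'` to the list. Whether `changed_files_job` already treats workflow edits as a trigger through another filter is outside this hunk, so confirm before adding it. The file is also left without a trailing newline (the `\ No newline at end of file` marker); ending it with one keeps future appends to this filter from showing up as a change to the `suppressions.xml` line.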
diff --git a/.github/workflows/ci-owasp-dep-check.yaml
b/.github/workflows/ci-owasp-dep-check.yaml
deleted file mode 100644
index 27f820fb20a..00000000000
--- a/.github/workflows/ci-owasp-dep-check.yaml
+++ /dev/null
@@ -1,101 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-name: CI - Misc - OWASP Dependency Check
-on:
- pull_request:
- branches:
- - master
- push:
- branches:
- - branch-*
-
-env:
- MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false
-Dmaven.wagon.http.retryHandler.class=standard
-Dmaven.wagon.http.retryHandler.count=3
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
-
-jobs:
-
- owasp-dep-check:
- name:
- runs-on: ubuntu-20.04
- timeout-minutes: 120
-
- steps:
- - name: checkout
- uses: actions/checkout@v2
-
- - name: Tune Runner VM
- uses: ./.github/actions/tune-runner-vm
-
- - name: Detect changed pom files
- id: changes
- uses: apache/pulsar-test-infra/paths-filter@master
- with:
- filters: |
- poms:
- - 'pom.xml'
- - '**/pom.xml'
- - 'src/owasp-dependency-check-false-positives.xml'
- - 'src/owasp-dependency-check-suppressions.xml'
- - '.github/workflows/ci-owasp-dep-check.yaml'
-
- - name: Cache local Maven repository
- if: ${{ steps.changes.outputs.poms == 'true' }}
- uses: actions/cache@v2
- with:
- path: |
- ~/.m2/repository/*/*/*
- !~/.m2/repository/org/apache/pulsar
- key: ${{ runner.os }}-m2-dependencies-all-${{
hashFiles('**/pom.xml') }}
- restore-keys: |
- ${{ runner.os }}-m2-dependencies-core-modules-${{
hashFiles('**/pom.xml') }}
- ${{ runner.os }}-m2-dependencies-core-modules-
-
- - name: Set up JDK 17
- uses: actions/setup-java@v2
- if: ${{ steps.changes.outputs.poms == 'true' }}
- with:
- distribution: 'temurin'
- java-version: 17
-
- - name: clean disk
- if: ${{ steps.changes.outputs.poms == 'true' }}
- run: |
- sudo swapoff -a
- sudo rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android
/opt/ghc
- sudo apt clean
- docker rmi $(docker images -q) -f
- df -h
-
- # Projects dependent on flume, hdfs, hbase, and trino currently excluded
from the scan.
- - name: run "clean verify" to trigger dependency check
- if: ${{ steps.changes.outputs.poms == 'true' }}
- run: mvn -q -B -ntp clean verify -PskipDocker,owasp-dependency-check
-DskipTests -pl
'!pulsar-sql,!distribution/io,!distribution/offloaders,!tiered-storage/file-system,!pulsar-io/flume,!pulsar-io/hbase,!pulsar-io/hdfs2,!pulsar-io/hdfs3,!pulsar-io/docs,!pulsar-io/jdbc/openmldb'
-
- - name: Upload report
- uses: actions/upload-artifact@v3
- if: ${{ cancelled() || failure() }}
- continue-on-error: true
- with:
- name: dependency report
- path: target/dependency-check-report.html
diff --git a/.github/workflows/pulsar-ci.yaml b/.github/workflows/pulsar-ci.yaml
index 6185757a95e..1cc95c1f56c 100644
--- a/.github/workflows/pulsar-ci.yaml
+++ b/.github/workflows/pulsar-ci.yaml
@@ -855,6 +855,74 @@ jobs:
- name: build package
run: mvn -B clean package -DskipTests -T 1C -ntp
+ owasp-dep-check:
+ name: OWASP dependency check
+ runs-on: ubuntu-20.04
+ timeout-minutes: 120
+ needs: [ 'changed_files_job', 'integration-tests' ]
+ if: ${{ needs.changed_files_job.outputs.need_owasp == 'true' }}
+ steps:
+ - name: checkout
+ uses: actions/checkout@v2
+
+ - name: Tune Runner VM
+ uses: ./.github/actions/tune-runner-vm
+
+ - name: Setup ssh access to build runner VM
+ # ssh access is enabled for builds in own forks
+ if: ${{ github.repository != 'apache/pulsar' }}
+ uses: ./.github/actions/ssh-access
+ with:
+ limit-access-to-actor: true
+
+ - name: Cache Maven dependencies
+ uses: actions/cache@v2
+ with:
+ path: |
+ ~/.m2/repository/*/*/*
+ !~/.m2/repository/org/apache/pulsar
+ key: ${{ runner.os }}-m2-dependencies-core-modules-${{
hashFiles('**/pom.xml') }}
+ restore-keys: |
+ ${{ runner.os }}-m2-dependencies-core-modules-
+ - name: Set up JDK ${{ matrix.jdk || '17' }}
+ uses: actions/setup-java@v2
+ with:
+ distribution: 'temurin'
+ java-version: ${{ matrix.jdk || '17' }}
+
+ - name: clean disk
+ run: |
+ sudo swapoff -a
+ sudo rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android
/opt/ghc
+ sudo apt clean
+ docker rmi $(docker images -q) -f
+ df -h
+ - name: Install gh-actions-artifact-client.js
+ uses: apache/pulsar-test-infra/gh-actions-artifact-client/dist@master
+
+ - name: Restore maven build results from Github artifact cache
+ run: |
+ cd $HOME
+ $GITHUB_WORKSPACE/build/pulsar_ci_tool.sh
restore_tar_from_github_actions_artifacts pulsar-maven-repository-binaries
+ # Projects dependent on flume, hdfs, hbase, and presto currently
excluded from the scan.
+ - name: run "clean verify" to trigger dependency check
+ run: mvn -q -B -ntp verify -PskipDocker,owasp-dependency-check
-DskipTests -pl
'!pulsar-sql,!distribution/io,!distribution/offloaders,!tiered-storage/file-system,!pulsar-io/flume,!pulsar-io/hbase,!pulsar-io/hdfs2,!pulsar-io/hdfs3,!pulsar-io/docs,!pulsar-io/jdbc/openmldb'
+
+ - name: Upload report
+ uses: actions/upload-artifact@v3
+ if: ${{ cancelled() || failure() }}
+ continue-on-error: true
+ with:
+ name: dependency report
+ path: target/dependency-check-report.html
+
+ - name: Wait for ssh connection when build fails
+ # ssh access is enabled for builds in own forks
+ uses: ./.github/actions/ssh-access
+ if: ${{ failure() && github.repository != 'apache/pulsar' }}
+ continue-on-error: true
+ with:
+ action: wait
# This job is required for pulls to be merged.
# It depends on all other jobs in this workflow.
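Review bot: The "Set up JDK" step reads `${{ matrix.jdk || '17' }}` for both its name and `java-version`, but no `strategy.matrix` is visible in the `owasp-dep-check` job, so the expression always falls back to `'17'` and reads like a copy-paste leftover from a matrix job; `java-version: '17'` (and `name: Set up JDK 17`) states the same thing directly. The step named `run "clean verify" to trigger dependency check` now runs `mvn ... verify` without `clean` (presumably on purpose, since the preceding step restores build results from the artifact cache), so the name should follow: `- name: run "verify" to trigger dependency check`. The artifact client is pulled as `apache/pulsar-test-infra/gh-actions-artifact-client/dist@master`, a mutable ref; pinning it to a commit SHA would make the job's tooling reproducible and keep an upstream change on that branch from silently altering what the scan runner executes. Note also that the report artifact is only uploaded under `cancelled() || failure()`, so a passing run leaves no report to audit; if an always-available report is wanted, `if: ${{ always() }}` on that step would provide it.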