test: Migrate CI to GitHub (auth0#688)

RMSPORTS1902 · Sep 25, 2023 · 92c2f13 · 92c2f13
2 parents 70d3d13 + ee73f00
commit 92c2f13
Show file tree

Hide file tree

Showing 8 changed files with 238 additions and 20 deletions.
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -0,0 +1,34 @@
+name: Configure CI
+description: Performs the initial configuration of the CI environment
+
+inputs:
+ java:
+ description: The Java version to use
+ required: false
+ default: 8.0.382-tem
+ gradle:
+ description: The Gradle version to use
+ required: false
+ default: 6.7.1
+ kotlin:
+ description: The Kotlin version to use
+ required: false
+ default: 1.6.21
+
+runs:
+ using: composite
+
+ steps:
+ - run: |
+ curl -s "https://get.sdkman.io" | bash
+ source "/home/runner/.sdkman/bin/sdkman-init.sh"
+ sdk list java
+ sdk install java ${{ inputs.java }} && sdk default java ${{ inputs.java }}
+ sdk install gradle ${{ inputs.gradle }} && sdk default gradle ${{ inputs.gradle }}
+ sdk install kotlin ${{ inputs.kotlin }} && sdk default kotlin ${{ inputs.kotlin }}
+ shell: bash
+
+ - run: ./gradlew androidDependencies
+ shell: bash
+
+ - uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 # [email protected]
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: 'github-actions'
+ directory: '/'
+ schedule:
+ interval: 'daily'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,53 @@
+name: CodeQL
+
+on:
+ merge_group:
+ pull_request:
+ types:
+ - opened
+ - synchronize
+ push:
+ branches:
+ - main
+ schedule:
+ - cron: "37 10 * * 2"
+
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+ analyze:
+ name: Check for Vulnerabilities
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [java]
+
+ steps:
+ - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+ run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ queries: +security-and-quality
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v2
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,32 @@
+name: Publish Release
+
+on:
+ workflow_dispatch:
+ inputs:
+ branch:
+ description: The branch to release from.
+ required: true
+ default: main
+
+permissions:
+ contents: read
+
+jobs:
+ publish:
+ name: Publish to Maven Central
+ runs-on: ubuntu-latest
+ environment: release
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ ref: ${{ github.event.inputs.branch }}
+
+ - uses: ./.github/actions/setup
+
+ - run: ./gradlew clean assemble -PisSnapshot=false
+
+ - run: ./gradlew exportVersion -PisSnapshot=false
+
+ - run: ./gradlew publishAndroidLibraryPublicationToMavenRepository -PossrhUsername="${{ secrets.OSSR_USERNAME }}" -PossrhPassword="${{ secrets.OSSR_PASSWORD }}" -PsigningKey="${{ secrets.SIGNING_KEY }}" -PsigningPassword="${{ secrets.SIGNING_PASSWORD }}" -PisSnapshot=false"
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -1,24 +1,48 @@
-
 name: Semgrep
 
 on:
- pull_request: {}
-
+ merge_group:
+ pull_request_target:
+ types:
+ - opened
+ - synchronize
  push:
- branches: ["master", "main"]
-
+ branches:
+ - main
  schedule:
- - cron: '30 0 1,15 * *'
+ - cron: "30 0 1,15 * *"
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
 jobs:
- semgrep:
- name: Scan
+ authorize:
+ name: Authorize
+ environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+ runs-on: ubuntu-latest
+ steps:
+ - run: true
+
+ run:
+ needs: authorize # Require approval before running on forked pull requests
+
+ name: Check for Vulnerabilities
  runs-on: ubuntu-latest
+
  container:
  image: returntocorp/semgrep
- if: (github.actor != 'dependabot[bot]')
+
  steps:
- - uses: actions/checkout@v3
+ - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+ run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha || github.ref }}
 
  - run: semgrep ci
  env:

diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
@@ -0,0 +1,47 @@
+name: Snyk
+
+on:
+ merge_group:
+ workflow_dispatch:
+ pull_request_target:
+ types:
+ - opened
+ - synchronize
+ push:
+ branches:
+ - main
+ schedule:
+ - cron: "30 0 1,15 * *"
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+ authorize:
+ name: Authorize
+ environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+ runs-on: ubuntu-latest
+ steps:
+ - run: true
+
+ check:
+ needs: authorize
+
+ name: Check for Vulnerabilities
+ runs-on: ubuntu-latest
+
+ steps:
+ - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+ run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+ - uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # [email protected]
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,32 @@
+name: Build and Test
+
+on:
+ merge_group:
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+ unit:
+ name: Run Unit Tests
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: ./.github/actions/setup
+
+ - run: ./gradlew clean test jacocoTestReport lint --continue --console=plain --max-workers=1 --no-daemon
+
+ - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # [email protected]