Skip to content
Build & Release

chore(deps): update pre-commit hook woodruffw/zizmor-pre-commit to v1… #528

Sign in to view logs

chore(deps): update pre-commit hook woodruffw/zizmor-pre-commit to v1…

chore(deps): update pre-commit hook woodruffw/zizmor-pre-commit to v1… #528

Workflow file for this run

.github/workflows/maven-build.yml at 6bec4c6
---
name: Build & Release
on:
push:
branches: ['**']
pull_request:
branches: [main]
types: [opened, synchronize, reopened, ready_for_review]
workflow_dispatch:
env:
SETTINGS_XML: ${{ github.workspace }}/.mvn/settings.xml
JAVA_VERSION: 17
JAVA_DISTRIBUTION: temurin
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
outputs:
project_version: ${{ steps.project_metadata.outputs.version }}
is_release: ${{ steps.project_metadata.outputs.is_release }}
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
GITHUB_TOKEN: ${{ github.token }} # Providing this prevents reaching the GitHub request limits
steps:
- name: 📄 Checkout the repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0 # Sonar needs full history
persist-credentials: false
- name: 🧱 Set up JDK and Maven
uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
with:
distribution: ${{ env.JAVA_DISTRIBUTION }}
java-version: ${{ env.JAVA_VERSION }}
cache: maven
- name: 📝 Extract project metadata
id: project_metadata
run: |
VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
# Check if it is a release
if [[ ! "${VERSION}" =~ -SNAPSHOT$ ]]; then
IS_RELEASE=true
else
IS_RELEASE=false
fi
{
echo "version=${VERSION}"
echo "is_release=${IS_RELEASE}"
} >> "$GITHUB_OUTPUT"
- name: 🔍 Cache SonarQube packages
uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: 📦 Build with Maven for Pushes
if: github.event_name == 'push'
env:
GITHUB_HEAD_REF: ${{ github.head_ref }}
run: |
if [ -n "${GITHUB_HEAD_REF}" ]; then
mvn --batch-mode -s "${SETTINGS_XML}" clean verify sonar:sonar -Dsonar.branch.name="${GITHUB_HEAD_REF}"
else
mvn --batch-mode -s "${SETTINGS_XML}" clean verify sonar:sonar
fi
- name: 📦 Build with Maven for PRs
if: github.event_name == 'pull_request'
env:
GITHUB_HEAD_REF: ${{ github.head_ref }}
GITHUB_BASE_REF: ${{ github.base_ref }}
GITHUB_PR_NUMBER_REF: ${{ github.event.pull_request.number }}
run: mvn --batch-mode -s "${SETTINGS_XML}" clean verify sonar:sonar -Dsonar.pullrequest.base="${GITHUB_BASE_REF}" -Dsonar.pullrequest.branch="${GITHUB_HEAD_REF}" -Dsonar.pullrequest.key="${GITHUB_PR_NUMBER_REF}"
- name: 📋 Analyze dependencies
run: mvn --batch-mode -s "${SETTINGS_XML}" dependency:analyze
continue-on-error: false
- name: 📦 Upload build artifacts
# needed for uploads to GitHub Releases
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: maven-artifacts
path: |
target/*.jar
target/*.pom
retention-days: 1
if-no-files-found: error
deploy-maven-central:
needs: build
if: ${{ needs.build.outputs.is_release == 'true' && github.ref == 'refs/heads/main' }}
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
env:
COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_USERNAME: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_USERNAME }}
COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_TOKEN: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_TOKEN }}
COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PASSPHRASE: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PASSPHRASE }}
GITHUB_TOKEN: ${{ github.token }} # Providing this prevents reaching the GitHub request limits
steps:
- name: 📄 Checkout the repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1
persist-credentials: false
- name: 🧱 Set up JDK and Maven with cache
uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
with:
distribution: ${{ env.JAVA_DISTRIBUTION }}
java-version: ${{ env.JAVA_VERSION }}
cache: maven
gpg-private-key: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PRIVATE_KEY }}
- name: 📦 Deploy to Maven Central
# This cannot be implemented using deploy:deploy-file
# The central-publishing-maven-plugin must be used instead due to specific deployment requirements
# Additionally, timeouts are set to 1 hour to avoid issues with the connection to Sonatype Central during deployment
run: |
mvn --batch-mode -s "${SETTINGS_XML}" clean deploy \
-Dmaven.test.skip=true \
-P gpg-sign \
-P central-publishing \
-Dcentral.timeout=3600 \
-Dmaven.wagon.http.connectionTimeout=3600000 \
-Dmaven.wagon.http.readTimeout=3600000
deploy-github-packages:
needs: build
if: ${{ github.ref == 'refs/heads/main' }}
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
env:
GITHUB_TOKEN: ${{ github.token }}
GITHUB_REPO_NAME: ${{ github.repository }}
PROJECT_VERSION: ${{ needs.build.outputs.project_version }}
steps:
- name: 📄 Checkout the repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1
persist-credentials: false
- name: 📥 Download build artifacts
# The artifacts are generated in the 'build' step
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
with:
name: maven-artifacts
path: target/
- name: 🧱 Set up JDK and Maven
uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
with:
distribution: ${{ env.JAVA_DISTRIBUTION }}
java-version: ${{ env.JAVA_VERSION }}
cache: maven
- name: 📦 Deploy to GitHub Packages
# Releases should only be deployed to GitHub packages when the repo is private
# Only snapshots should always be deployed here
if: ${{ needs.build.outputs.is_release == 'false' }}
run: |
mvn --batch-mode -s "${SETTINGS_XML}" deploy \
-Dmaven.test.skip=true \
-Dmaven.javadoc.skip=true \
-Dmaven.source.skip=true \
-P deploy-github-packages
- name: 📦 Upload assets to GitHub Release
if: ${{ needs.build.outputs.is_release == 'true' }}
run: |-
gh release upload "v${PROJECT_VERSION}" "target/*-${PROJECT_VERSION}.jar" --clobber