diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 17ec146..2a9a91d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -25,6 +25,7 @@ jobs:
 - uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
 with:
 version: 2025.7.12
+
 - name: get secrets
 id: secrets
 uses: SonarSource/vault-action-wrapper@v3
@@ -32,10 +33,29 @@ jobs:
 secrets: |
 development/kv/data/develocity token | DEVELOCITY_TOKEN;
 
- # The SonarSource/ci-github-actions/build-gradle fails because of no access to ARTIFACTORY_DEPLOY_USERNAME
- # it is not needed in this case, so the Gradle is called directly
- - name: Build with Gradle
+ - name: Create Gradle User Home
+ shell: bash
+ run: |
+ export GRADLE_USER_HOME=${GITHUB_WORKSPACE}/.gradle
+ mkdir -p ${GRADLE_USER_HOME}
+ echo "GRADLE_USER_HOME=${GRADLE_USER_HOME}" >> $GITHUB_ENV
+ export TODAY=$(date '+%Y-%m-%d')
+ echo "TODAY=${TODAY}" >> $GITHUB_ENV
+ find . -name '*.gradle.kts' -type f -exec md5sum {} \; | sort && md5sum gradle/libs.versions.toml && md5sum gradle/wrapper/gradle-wrapper.properties && md5sum gradle.properties > gradle-md5-sums.txt
+ export GRADLE_CACHE_KEY=$(md5sum gradle-md5-sums.txt | awk '{ print $1 }')
+ echo "GRADLE_CACHE_KEY=${GRADLE_CACHE_KEY}" >> $GITHUB_ENV
+ rm gradle-md5-sums.txt
+ - name: Cache Gradle Dependencies
+ uses: SonarSource/ci-github-actions/cache@v1
+ with:
+ path: ${{ env.GRADLE_USER_HOME }}
+ key: gradle-${{ env.GRADLE_CACHE_KEY }}
+
+ - uses: SonarSource/ci-github-actions/build-gradle@v1
 env:
 DEVELOCITY_ACCESS_KEY: develocity-public.sonar.build=${{ fromJSON(steps.secrets.outputs.vault).DEVELOCITY_TOKEN }}
- run: |
- ./gradlew build
+ with:
+ deploy: false
+ use-develocity: true
+ artifactory-reader-role: private-reader
+ disable-caching: 'true'
diff --git a/.github/workflows/shadow-scan.yml b/.github/workflows/shadow-scan.yml
new file mode 100644
index 0000000..ec0446a
--- /dev/null
+++ b/.github/workflows/shadow-scan.yml
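Review bot: In the `Create Gradle User Home` step of the `@@ -32,10 +33,29 @@` hunk, only the final `md5sum gradle.properties` is redirected into `gradle-md5-sums.txt`; the sorted `find` output and the md5sums of `gradle/libs.versions.toml` and `gradle/wrapper/gradle-wrapper.properties` go to stdout because `>` applies to the last command of the `&&` chain, so `GRADLE_CACHE_KEY` changes only when `gradle.properties` changes and the restored dependency cache is never invalidated by a version-catalog, wrapper or build-script change. Group the commands so every digest lands in the file: `{ find . -name '*.gradle.kts' -type f -exec md5sum {} \; | sort; md5sum gradle/libs.versions.toml gradle/wrapper/gradle-wrapper.properties gradle.properties; } > gradle-md5-sums.txt`. The same step is duplicated verbatim in the new shadow-scan.yml and needs the same fix. `TODAY` is exported to `$GITHUB_ENV` but nothing visible in either hunk reads it, so it is presumably consumed by the cache action or is dead; a one-line comment saying which would help, and `"$GITHUB_ENV"` / `"${GRADLE_USER_HOME}"` should be quoted as a matter of shell hygiene.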
@@ -0,0 +1,64 @@
+name: Shadow scans
+on:
+ pull_request:
+ schedule:
+ # Run the workflow every day at 01:00 UTC
+ - cron: "0 1 * * *"
+
+permissions:
+ id-token: write
+ contents: write
+ pull-requests: read
+ statuses: read
+ checks: read
+
+jobs:
+ build:
+ runs-on: github-ubuntu-latest-s
+ name: Build
+ if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'shadow_scan')
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ fetch-depth: 0
+ - uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
+ with:
+ version: 2025.7.12
+
+ - name: Create Gradle User Home
+ shell: bash
+ run: |
+ export GRADLE_USER_HOME=${GITHUB_WORKSPACE}/.gradle
+ mkdir -p ${GRADLE_USER_HOME}
+ echo "GRADLE_USER_HOME=${GRADLE_USER_HOME}" >> $GITHUB_ENV
+ export TODAY=$(date '+%Y-%m-%d')
+ echo "TODAY=${TODAY}" >> $GITHUB_ENV
+ find . -name '*.gradle.kts' -type f -exec md5sum {} \; | sort && md5sum gradle/libs.versions.toml && md5sum gradle/wrapper/gradle-wrapper.properties && md5sum gradle.properties > gradle-md5-sums.txt
+ export GRADLE_CACHE_KEY=$(md5sum gradle-md5-sums.txt | awk '{ print $1 }')
+ echo "GRADLE_CACHE_KEY=${GRADLE_CACHE_KEY}" >> $GITHUB_ENV
+ rm gradle-md5-sums.txt
+ - name: Cache Gradle Dependencies
+ uses: SonarSource/ci-github-actions/cache@v1
+ with:
+ path: ${{ env.GRADLE_USER_HOME }}
+ key: gradle-${{ env.GRADLE_CACHE_KEY }}
+
+ - uses: SonarSource/ci-github-actions/build-gradle@v1
+ with:
+ deploy: false
+ use-develocity: false
+ artifactory-reader-role: private-reader
+ run-shadow-scans: 'true'
+ # Disable develocity for shadow scans
+ gradle-args: --no-scan
+ disable-caching: 'true'
+
+ - name: Run IRIS Analysis
+ uses: SonarSource/unified-dogfooding-actions/run-iris@v1
+ with:
+ primary_project_key: "SonarSource_cloud-native-gradle-modules"
+ primary_platform: "Next"
+ shadow1_project_key: "SonarSource_cloud-native-gradle-modules"
+ shadow1_platform: "SQC-EU"
+ shadow2_project_key: "SonarSource_cloud-native-gradle-modules"
+ shadow2_platform: "SQC-US"
diff --git a/build.gradle.kts b/build.gradle.kts
new file mode 100644
index 0000000..bfea1ac
--- /dev/null
+++ b/build.gradle.kts
@@ -0,0 +1,26 @@
+/*
+ * SonarSource Cloud Native Gradle Modules
+ * Copyright (C) 2024-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource Sàrl.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+plugins {
+ id("org.sonarqube") version "7.2.0.6526"
+}
+
+sonar {
+ properties {
+ property("sonar.projectKey", "SonarSource_cloud-native-gradle-modules")
+ property("sonar.organization", "sonarsource")
+ }
+}
diff --git a/gradle.properties b/gradle.properties
index c66382c..4217b58 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -1,3 +1,7 @@
+group=org.sonarsource.cloudnative.gradle
+version=1.0-SNAPSHOT
+description=Common Gradle modules for multiple projects
+projectTitle=Cloud Security Gradle Modules
 org.gradle.caching=true
 org.gradle.jvmargs=-XX:MaxMetaspaceSize=512m
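Review bot: The new shadow-scan.yml grants `contents: write` although the visible steps only check out, build, cache and run scans; unless `run-iris@v1` or `build-gradle@v1` is known to push to the repository, `contents: read` is the least privilege that still works, and since the job also runs on `pull_request`, the write-capable token is otherwise available to whatever build scripts a labelled same-repository PR brings in. Separately, `actions/checkout@v5`, `SonarSource/ci-github-actions/cache@v1`, `build-gradle@v1` and `unified-dogfooding-actions/run-iris@v1` are referenced by mutable tags while `jdx/mise-action` in the same step list is pinned to a commit SHA; pinning all of them to a SHA with a `# vX.Y.Z` comment would make the supply-chain posture consistent. The `Create Gradle User Home` step repeats the build.yml cache-key computation, where only the last `md5sum` is redirected into `gradle-md5-sums.txt`, so it needs the same command-grouping fix. The `shadow_scan` label gate on `if:` is a sensible control for PR-triggered runs; a comment above it such as `# PR runs are opt-in via the shadow_scan label` would document that intent.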