action-setup-environment/action.yml

---
name: Setup Java environment
description: Initialize Java Environment and retrieve secrets from Vault
inputs:
  vault-role-id:
    description: Role ID of Approle
    required: true
  vault-secret-id:
    description: Secret ID of Approle
    required: true
runs:
  using: composite
  steps:
    - name: Import Secrets
      id: import-secrets
      uses: https://github.com/hashicorp/vault-action@v3
      with:
        url: https://vault.w9r.dev
        method: approle
        role: forgejo-ci
        roleId: ${{ inputs.vault-role-id }}
        secretId: ${{ inputs.vault-secret-id }}
        secrets: |
          kv/data/ci/nexus username | NEXUS_USERNAME ;
          kv/data/ci/nexus password | NEXUS_PASSWORD ;
          kv/data/ci/vulnz username | VULNZ_USERNAME ;
          kv/data/ci/vulnz password | VULNZ_PASSWORD ;
          kv/data/ci/releasebot gpgPrivateKey | RELEASEBOT_PRIVATE_KEY ;
          kv/data/ci/releasebot gpgPublicKey | RELEASEBOT_PUBLIC_KEY ;
          kv/data/ci/releasebot gpgPassphrease | RELEASEBOT_PASSPHRASE ;
          kv/data/ci/releasebot ciToken | JRELEASER_GITEA_TOKEN ;
          kv/data/ci/signing gpgPrivateKey | GPG_PRIVATE_KEY ;
          kv/data/ci/signing gpgPublicKey | GPG_PUBLIC_KEY ;
          kv/data/ci/signing gpgPassphrease | GPG_PASSPHRASE ;
          kv/data/ci/sonarqube sonarToken | SONARQUBE_TOKEN ;
          kv/data/ci/sonarqube sonarHost | SONARQUBE_HOST ;

    - name: Set up Environment
      shell: bash
      run: |
        apt update
        apt install -y zip
        mkdir -p /root/.jreleaser
        mkdir -p /root/.m2
        touch /root/.jreleaser/config.properties

    - name: Install syft
      uses: https://github.com/anchore/sbom-action/download-syft@v0
      id: install_syft
      with:
        syft-version: v1.18.1

    - name: maven-settings-xml-action
      uses: https://github.com/whelk-io/maven-settings-xml-action@v22
      with:
        repositories: >
          [
            {
              "id": "maven-releases",
              "name": "Releases",
              "url": "https://nexus.w9r.dev/repository/maven-releases",
              "releases": {
                "enabled": "true",
                "updatePolicy": "always",
                "checksumPolicy": "warn"
              },
              "snapshots": {
                "enabled": "false",
                "updatePolicy": "always",
                "checksumPolicy": "fail"
              }
            },
            {
              "id": "maven-snapshots",
              "name": "Snapshots",
              "url": "https://nexus.w9r.dev/repository/maven-snapshots",
              "releases": {
                "enabled": "false",
                "updatePolicy": "always",
                "checksumPolicy": "warn"
              },
              "snapshots": {
                "enabled": "true",
                "updatePolicy": "always",
                "checksumPolicy": "warn"
              }
            }
          ]
        servers: >
          [
            {
              "id": "maven-group",
              "username": "${{ env.NEXUS_USERNAME }}",
              "password": "${{ env.NEXUS_PASSWORD }}"
            },
            {
              "id": "maven-snapshots",
              "username": "${{ env.NEXUS_USERNAME }}",
              "password": "${{ env.NEXUS_PASSWORD }}"
            },
            {
              "id": "maven-releases",
              "username": "${{ env.NEXUS_USERNAME }}",
              "password": "${{ env.NEXUS_PASSWORD }}"
            },
            {
              "id": "vulnz",
              "username": "${{ env.VULNZ_USERNAME }}",
              "password": "${{ env.VULNZ_PASSWORD }}"
            }
          ]
        mirrors: >
          [
            {
              "id": "maven-group",
              "name": "central",
              "mirrorOf": "*",
              "url": "https://nexus.w9r.dev/repository/maven-group/"
            }
          ]
        plugin_groups: >
          [
            "org.sonarsource.scanner.maven"
          ]
        output_file: /root/.m2/settings.xml

    - name: Setup Java
      uses: https://github.com/actions/setup-java@v4
      with:
        distribution: temurin # See 'Supported distributions' for available options
        java-version: 21
        cache: maven
        check-latest: true


    - name: Import Commit Signing GPG key
      id: import-gpg
      uses: https://github.com/crazy-max/ghaction-import-gpg@v6
      with:
        gpg_private_key: ${{ env.RELEASEBOT_PRIVATE_KEY }}
        passphrase: ${{ env.RELEASEBOT_PASSPHRASE }}
        git_user_signingkey: true
        git_commit_gpgsign: true

    - name: GPG user IDs
      shell: bash
      run: |
        echo "fingerprint: ${{ steps.import-gpg.outputs.fingerprint }}"
        echo "keyid:       ${{ steps.import-gpg.outputs.keyid }}"
        echo "name:        ${{ steps.import-gpg.outputs.name }}"
        echo "email:       ${{ steps.import-gpg.outputs.email }}"
feat: initial Version 2025-01-07 05:58:42 +01:00			`---`
fix: change vault secrets to inputs 2025-01-07 06:54:09 +01:00			`name: Setup Java environment`
			`description: Initialize Java Environment and retrieve secrets from Vault`
			`inputs:`
			`vault-role-id:`
			`description: Role ID of Approle`
			`required: true`
			`vault-secret-id:`
			`description: Secret ID of Approle`
			`required: true`
feat: initial Version 2025-01-07 05:58:42 +01:00			`runs:`
fix: change vault secrets to inputs 2025-01-07 06:54:09 +01:00			`using: composite`
feat: initial Version 2025-01-07 05:58:42 +01:00			`steps:`
			`- name: Import Secrets`
			`id: import-secrets`
fix: update vault action 2025-01-07 06:22:10 +01:00			`uses: https://github.com/hashicorp/vault-action@v3`
feat: initial Version 2025-01-07 05:58:42 +01:00			`with:`
			`url: https://vault.w9r.dev`
			`method: approle`
fix: update vault action 2025-01-07 06:22:10 +01:00			`role: forgejo-ci`
fix: change vault secrets to inputs 2025-01-07 06:54:09 +01:00			`roleId: ${{ inputs.vault-role-id }}`
			`secretId: ${{ inputs.vault-secret-id }}`
feat: initial Version 2025-01-07 05:58:42 +01:00			`secrets: \|`
			`kv/data/ci/nexus username \| NEXUS_USERNAME ;`
			`kv/data/ci/nexus password \| NEXUS_PASSWORD ;`
			`kv/data/ci/vulnz username \| VULNZ_USERNAME ;`
			`kv/data/ci/vulnz password \| VULNZ_PASSWORD ;`
			`kv/data/ci/releasebot gpgPrivateKey \| RELEASEBOT_PRIVATE_KEY ;`
			`kv/data/ci/releasebot gpgPublicKey \| RELEASEBOT_PUBLIC_KEY ;`
			`kv/data/ci/releasebot gpgPassphrease \| RELEASEBOT_PASSPHRASE ;`
			`kv/data/ci/releasebot ciToken \| JRELEASER_GITEA_TOKEN ;`
			`kv/data/ci/signing gpgPrivateKey \| GPG_PRIVATE_KEY ;`
			`kv/data/ci/signing gpgPublicKey \| GPG_PUBLIC_KEY ;`
			`kv/data/ci/signing gpgPassphrease \| GPG_PASSPHRASE ;`
			`kv/data/ci/sonarqube sonarToken \| SONARQUBE_TOKEN ;`
			`kv/data/ci/sonarqube sonarHost \| SONARQUBE_HOST ;`

			`- name: Set up Environment`
fix: change vault secrets to inputs 2025-01-07 06:54:09 +01:00			`shell: bash`
feat: initial Version 2025-01-07 05:58:42 +01:00			`run: \|`
			`apt update`
			`apt install -y zip`
			`mkdir -p /root/.jreleaser`
			`mkdir -p /root/.m2`
			`touch /root/.jreleaser/config.properties`

			`- name: Install syft`
			`uses: https://github.com/anchore/sbom-action/download-syft@v0`
			`id: install_syft`
			`with:`
			`syft-version: v1.18.1`

			`- name: maven-settings-xml-action`
			`uses: https://github.com/whelk-io/maven-settings-xml-action@v22`
			`with:`
			`repositories: >`
			`[`
			`{`
			`"id": "maven-releases",`
			`"name": "Releases",`
			`"url": "https://nexus.w9r.dev/repository/maven-releases",`
			`"releases": {`
			`"enabled": "true",`
			`"updatePolicy": "always",`
			`"checksumPolicy": "warn"`
			`},`
			`"snapshots": {`
			`"enabled": "false",`
			`"updatePolicy": "always",`
			`"checksumPolicy": "fail"`
			`}`
			`},`
			`{`
			`"id": "maven-snapshots",`
			`"name": "Snapshots",`
			`"url": "https://nexus.w9r.dev/repository/maven-snapshots",`
			`"releases": {`
			`"enabled": "false",`
			`"updatePolicy": "always",`
			`"checksumPolicy": "warn"`
			`},`
			`"snapshots": {`
			`"enabled": "true",`
			`"updatePolicy": "always",`
			`"checksumPolicy": "warn"`
			`}`
			`}`
			`]`
			`servers: >`
			`[`
			`{`
			`"id": "maven-group",`
			`"username": "${{ env.NEXUS_USERNAME }}",`
			`"password": "${{ env.NEXUS_PASSWORD }}"`
			`},`
			`{`
			`"id": "maven-snapshots",`
			`"username": "${{ env.NEXUS_USERNAME }}",`
			`"password": "${{ env.NEXUS_PASSWORD }}"`
			`},`
			`{`
			`"id": "maven-releases",`
			`"username": "${{ env.NEXUS_USERNAME }}",`
			`"password": "${{ env.NEXUS_PASSWORD }}"`
			`},`
			`{`
			`"id": "vulnz",`
			`"username": "${{ env.VULNZ_USERNAME }}",`
			`"password": "${{ env.VULNZ_PASSWORD }}"`
			`}`
			`]`
			`mirrors: >`
			`[`
			`{`
			`"id": "maven-group",`
			`"name": "central",`
			`"mirrorOf": "*",`
			`"url": "https://nexus.w9r.dev/repository/maven-group/"`
			`}`
			`]`
			`plugin_groups: >`
			`[`
			`"org.sonarsource.scanner.maven"`
			`]`
			`output_file: /root/.m2/settings.xml`

			`- name: Setup Java`
			`uses: https://github.com/actions/setup-java@v4`
			`with:`
fix: change vault secrets to inputs 2025-01-07 06:54:09 +01:00			`distribution: temurin # See 'Supported distributions' for available options`
			`java-version: 21`
			`cache: maven`
feat: initial Version 2025-01-07 05:58:42 +01:00			`check-latest: true`


			`- name: Import Commit Signing GPG key`
			`id: import-gpg`
			`uses: https://github.com/crazy-max/ghaction-import-gpg@v6`
			`with:`
			`gpg_private_key: ${{ env.RELEASEBOT_PRIVATE_KEY }}`
			`passphrase: ${{ env.RELEASEBOT_PASSPHRASE }}`
			`git_user_signingkey: true`
			`git_commit_gpgsign: true`

			`- name: GPG user IDs`
fix: change vault secrets to inputs 2025-01-07 06:54:09 +01:00			`shell: bash`
feat: initial Version 2025-01-07 05:58:42 +01:00			`run: \|`
			`echo "fingerprint: ${{ steps.import-gpg.outputs.fingerprint }}"`
			`echo "keyid: ${{ steps.import-gpg.outputs.keyid }}"`
			`echo "name: ${{ steps.import-gpg.outputs.name }}"`
			`echo "email: ${{ steps.import-gpg.outputs.email }}"`