action-setup-environment/action.yml

---
# SPDX-License-Identifier: MIT
name: "Setup Java environment"
description: "Initialize Java Environment and retrieve secrets from Vault"
author: Oliver Weyhmüller
inputs:
  roleid:
    description: "Role ID of Approle"
    default: ""
  secretid:
    description: "Secret ID of Approle"
    default: ""
outputs:
  gituser:
    description: User to use for git operations
    value: ${{ steps.import-gpg.outputs.name }}
  gitemail:
    description: Email to use for git operations
    value: ${{ steps.import-gpg.outputs.email }}
runs:
  using: "composite"
  steps:
    - name: "Import Secrets"
      id: "import-secrets"
      uses: "https://github.com/hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c" # v3
      with:
        url: "https://vault.w9r.dev"
        method: "approle"
        role: "forgejo-ci"
        roleId: "${{ inputs.roleid }}"
        secretId: "${{ inputs.secretid }}"
        secrets: |
          kv/data/ci/nexus username | MAVEN_USERNAME ;
          kv/data/ci/nexus password | MAVEN_CENTRAL_TOKEN ;
          kv/data/ci/nexus username | JRELEASER_ARTIFACTORY_USERNAME ;
          kv/data/ci/nexus password | JRELEASER_ARTIFACTORY_TOKEN ;
          kv/data/ci/vulnz username | VULNZ_USERNAME ;
          kv/data/ci/vulnz password | VULNZ_PASSWORD ;
          kv/data/ci/releasebot gpgPrivateKey | JRELEASER_GPG_SECRET_KEY ;
          kv/data/ci/releasebot gpgPublicKey | JRELEASER_GPG_PUBLIC_KEY ;
          kv/data/ci/releasebot gpgPassphrase | JRELEASER_GPG_PASSPHRASE ;
          kv/data/ci/releasebot ciToken | JRELEASER_GITEA_TOKEN ;
          kv/data/ci/signing gpgPrivateKey | GPG_PRIVATE_KEY ;
          kv/data/ci/signing gpgPublicKey | GPG_PUBLIC_KEY ;
          kv/data/ci/signing gpgPassphrase | MAVEN_GPG_PASSPHRASE ;
          kv/data/ci/sonarqube sonarToken | SONAR_TOKEN ;
          kv/data/ci/sonarqube sonarHost | SONAR_HOST_URL ;

    - name: "Set up Environment"
      shell: "bash"
      run: |
        apt update
        apt install -y zip zstd
        mkdir -p /root/.jreleaser
        mkdir -p /root/.m2
        touch /root/.jreleaser/config.properties

    - name: "Install syft"
      uses: "https://github.com/anchore/sbom-action/download-syft@df80a981bc6edbc4e220a492d3cbe9f5547a6e75" # v0
      id: "install_syft"
      with:
        syft-version: "v1.18.1"

    - name: "Setup Java and Maven"
      uses: "https://github.com/s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1" # v1.18.0
      with:
        checkout-fetch-depth: 0
        java-distribution: "temurin"
        java-version: 21
        maven-version: 3.9.9
        settings-repositories: >
          [
            {
              "id": "maven-releases",
              "name": "Releases",
              "url": "https://nexus.w9r.dev/repository/maven-releases",
              "releases": {
                "enabled": "true",
                "updatePolicy": "always",
                "checksumPolicy": "warn"
              },
              "snapshots": {
                "enabled": "false",
                "updatePolicy": "always",
                "checksumPolicy": "fail"
              }
            },
            {
              "id": "maven-snapshots",
              "name": "Snapshots",
              "url": "https://nexus.w9r.dev/repository/maven-snapshots",
              "releases": {
                "enabled": "false",
                "updatePolicy": "always",
                "checksumPolicy": "warn"
              },
              "snapshots": {
                "enabled": "true",
                "updatePolicy": "always",
                "checksumPolicy": "warn"
              }
            }
          ]
        settings-servers: >
          [
            {
              "id": "maven-group",
              "username": "${{ env.MAVEN_USERNAME }}",
              "password": "${{ env.MAVEN_CENTRAL_TOKEN }}"
            },
            {
              "id": "maven-snapshots",
              "username": "${{ env.MAVEN_USERNAME }}",
              "password": "${{ env.MAVEN_CENTRAL_TOKEN }}"
            },
            {
              "id": "maven-releases",
              "username": "${{ env.MAVEN_USERNAME }}",
              "password": "${{ env.MAVEN_CENTRAL_TOKEN }}"
            },
            {
              "id": "vulnz",
              "username": "${{ env.VULNZ_USERNAME }}",
              "password": "${{ env.VULNZ_PASSWORD }}"
            }
          ]
        settings-mirrors: >
          [
            {
              "id": "maven-group",
              "name": "central",
              "mirrorOf": "*",
              "url": "https://nexus.w9r.dev/repository/maven-group/"
            }
          ]

    - name: "Import Commit Signing GPG key"
      id: "import-gpg"
      uses: "https://github.com/crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5" # v6
      with:
        gpg_private_key: "${{ env.JRELEASER_GPG_SECRET_KEY }}"
        passphrase: "${{ env.JRELEASER_GPG_PASSPHRASE }}"
        git_user_signingkey: true
        git_commit_gpgsign: true

    - name: "GPG user IDs"
      shell: "bash"
      run: |
        echo "fingerprint: ${{ steps.import-gpg.outputs.fingerprint }}"
        echo "keyid:       ${{ steps.import-gpg.outputs.keyid }}"
        echo "name:        ${{ steps.import-gpg.outputs.name }}"
        echo "email:       ${{ steps.import-gpg.outputs.email }}"
feat: initial Version 2025-01-07 05:58:42 +01:00			`---`
fix: add license 2025-01-07 09:11:46 +01:00			`# SPDX-License-Identifier: MIT`
			`name: "Setup Java environment"`
			`description: "Initialize Java Environment and retrieve secrets from Vault"`
			`author: Oliver Weyhmüller`
fix: change vault secrets to inputs 2025-01-07 06:54:09 +01:00			`inputs:`
fix: add license 2025-01-07 09:11:46 +01:00			`roleid:`
			`description: "Role ID of Approle"`
			`default: ""`
			`secretid:`
			`description: "Secret ID of Approle"`
			`default: ""`
fix: add git user and email output 2025-01-07 13:33:16 +01:00			`outputs:`
			`gituser:`
			`description: User to use for git operations`
			`value: ${{ steps.import-gpg.outputs.name }}`
			`gitemail:`
			`description: Email to use for git operations`
			`value: ${{ steps.import-gpg.outputs.email }}`
feat: initial Version 2025-01-07 05:58:42 +01:00			`runs:`
fix: add license 2025-01-07 09:11:46 +01:00			`using: "composite"`
feat: initial Version 2025-01-07 05:58:42 +01:00			`steps:`
fix: add license 2025-01-07 09:11:46 +01:00			`- name: "Import Secrets"`
			`id: "import-secrets"`
chore(deps): pin dependencies Signed-off-by: RenovateBot <renovatebot@w9r.dev> 2025-01-08 11:50:14 +00:00			`uses: "https://github.com/hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c" # v3`
feat: initial Version 2025-01-07 05:58:42 +01:00			`with:`
fix: add license 2025-01-07 09:11:46 +01:00			`url: "https://vault.w9r.dev"`
			`method: "approle"`
			`role: "forgejo-ci"`
			`roleId: "${{ inputs.roleid }}"`
			`secretId: "${{ inputs.secretid }}"`
feat: initial Version 2025-01-07 05:58:42 +01:00			`secrets: \|`
fix: rename variables to simplify dependant workflows 2025-01-08 05:51:15 +01:00			`kv/data/ci/nexus username \| MAVEN_USERNAME ;`
			`kv/data/ci/nexus password \| MAVEN_CENTRAL_TOKEN ;`
			`kv/data/ci/nexus username \| JRELEASER_ARTIFACTORY_USERNAME ;`
			`kv/data/ci/nexus password \| JRELEASER_ARTIFACTORY_TOKEN ;`
feat: initial Version 2025-01-07 05:58:42 +01:00			`kv/data/ci/vulnz username \| VULNZ_USERNAME ;`
			`kv/data/ci/vulnz password \| VULNZ_PASSWORD ;`
fix: wrong variable name 2025-01-08 05:58:38 +01:00			`kv/data/ci/releasebot gpgPrivateKey \| JRELEASER_GPG_SECRET_KEY ;`
fix: rename variables to simplify dependant workflows 2025-01-08 05:51:15 +01:00			`kv/data/ci/releasebot gpgPublicKey \| JRELEASER_GPG_PUBLIC_KEY ;`
			`kv/data/ci/releasebot gpgPassphrase \| JRELEASER_GPG_PASSPHRASE ;`
feat: initial Version 2025-01-07 05:58:42 +01:00			`kv/data/ci/releasebot ciToken \| JRELEASER_GITEA_TOKEN ;`
			`kv/data/ci/signing gpgPrivateKey \| GPG_PRIVATE_KEY ;`
			`kv/data/ci/signing gpgPublicKey \| GPG_PUBLIC_KEY ;`
fix: rename variables to simplify dependant workflows 2025-01-08 05:51:15 +01:00			`kv/data/ci/signing gpgPassphrase \| MAVEN_GPG_PASSPHRASE ;`
			`kv/data/ci/sonarqube sonarToken \| SONAR_TOKEN ;`
			`kv/data/ci/sonarqube sonarHost \| SONAR_HOST_URL ;`
feat: initial Version 2025-01-07 05:58:42 +01:00
fix: add license 2025-01-07 09:11:46 +01:00			`- name: "Set up Environment"`
			`shell: "bash"`
feat: initial Version 2025-01-07 05:58:42 +01:00			`run: \|`
			`apt update`
fix: add zstd 2025-01-07 12:47:27 +01:00			`apt install -y zip zstd`
feat: initial Version 2025-01-07 05:58:42 +01:00			`mkdir -p /root/.jreleaser`
			`mkdir -p /root/.m2`
			`touch /root/.jreleaser/config.properties`

fix: add license 2025-01-07 09:11:46 +01:00			`- name: "Install syft"`
chore(deps): pin dependencies Signed-off-by: RenovateBot <renovatebot@w9r.dev> 2025-01-08 11:50:14 +00:00			`uses: "https://github.com/anchore/sbom-action/download-syft@df80a981bc6edbc4e220a492d3cbe9f5547a6e75" # v0`
fix: add license 2025-01-07 09:11:46 +01:00			`id: "install_syft"`
feat: initial Version 2025-01-07 05:58:42 +01:00			`with:`
fix: add license 2025-01-07 09:11:46 +01:00			`syft-version: "v1.18.1"`
feat: initial Version 2025-01-07 05:58:42 +01:00
feat: change to setup-maven-action 2025-01-07 12:26:44 +01:00			`- name: "Setup Java and Maven"`
chore(deps): pin dependencies Signed-off-by: RenovateBot <renovatebot@w9r.dev> 2025-01-08 11:50:14 +00:00			`uses: "https://github.com/s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1" # v1.18.0`
feat: initial Version 2025-01-07 05:58:42 +01:00			`with:`
feat: change to setup-maven-action 2025-01-07 12:26:44 +01:00			`checkout-fetch-depth: 0`
			`java-distribution: "temurin"`
			`java-version: 21`
			`maven-version: 3.9.9`
			`settings-repositories: >`
feat: initial Version 2025-01-07 05:58:42 +01:00			`[`
			`{`
			`"id": "maven-releases",`
			`"name": "Releases",`
			`"url": "https://nexus.w9r.dev/repository/maven-releases",`
			`"releases": {`
			`"enabled": "true",`
			`"updatePolicy": "always",`
			`"checksumPolicy": "warn"`
			`},`
			`"snapshots": {`
			`"enabled": "false",`
			`"updatePolicy": "always",`
			`"checksumPolicy": "fail"`
			`}`
			`},`
			`{`
			`"id": "maven-snapshots",`
			`"name": "Snapshots",`
			`"url": "https://nexus.w9r.dev/repository/maven-snapshots",`
			`"releases": {`
			`"enabled": "false",`
			`"updatePolicy": "always",`
			`"checksumPolicy": "warn"`
			`},`
			`"snapshots": {`
			`"enabled": "true",`
			`"updatePolicy": "always",`
			`"checksumPolicy": "warn"`
			`}`
			`}`
			`]`
feat: change to setup-maven-action 2025-01-07 12:26:44 +01:00			`settings-servers: >`
feat: initial Version 2025-01-07 05:58:42 +01:00			`[`
			`{`
			`"id": "maven-group",`
fix: rename variables to simplify dependant workflows 2025-01-08 05:51:15 +01:00			`"username": "${{ env.MAVEN_USERNAME }}",`
			`"password": "${{ env.MAVEN_CENTRAL_TOKEN }}"`
feat: initial Version 2025-01-07 05:58:42 +01:00			`},`
			`{`
			`"id": "maven-snapshots",`
fix: rename variables to simplify dependant workflows 2025-01-08 05:51:15 +01:00			`"username": "${{ env.MAVEN_USERNAME }}",`
			`"password": "${{ env.MAVEN_CENTRAL_TOKEN }}"`
feat: initial Version 2025-01-07 05:58:42 +01:00			`},`
			`{`
			`"id": "maven-releases",`
fix: rename variables to simplify dependant workflows 2025-01-08 05:51:15 +01:00			`"username": "${{ env.MAVEN_USERNAME }}",`
			`"password": "${{ env.MAVEN_CENTRAL_TOKEN }}"`
feat: initial Version 2025-01-07 05:58:42 +01:00			`},`
			`{`
			`"id": "vulnz",`
			`"username": "${{ env.VULNZ_USERNAME }}",`
			`"password": "${{ env.VULNZ_PASSWORD }}"`
			`}`
			`]`
feat: change to setup-maven-action 2025-01-07 12:26:44 +01:00			`settings-mirrors: >`
feat: initial Version 2025-01-07 05:58:42 +01:00			`[`
			`{`
			`"id": "maven-group",`
			`"name": "central",`
			`"mirrorOf": "*",`
			`"url": "https://nexus.w9r.dev/repository/maven-group/"`
			`}`
			`]`

fix: add license 2025-01-07 09:11:46 +01:00			`- name: "Import Commit Signing GPG key"`
			`id: "import-gpg"`
chore(deps): pin dependencies Signed-off-by: RenovateBot <renovatebot@w9r.dev> 2025-01-08 11:50:14 +00:00			`uses: "https://github.com/crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5" # v6`
feat: initial Version 2025-01-07 05:58:42 +01:00			`with:`
fix: wrong variable name 2025-01-08 05:58:38 +01:00			`gpg_private_key: "${{ env.JRELEASER_GPG_SECRET_KEY }}"`
fix: rename variables to simplify dependant workflows 2025-01-08 05:51:15 +01:00			`passphrase: "${{ env.JRELEASER_GPG_PASSPHRASE }}"`
feat: initial Version 2025-01-07 05:58:42 +01:00			`git_user_signingkey: true`
			`git_commit_gpgsign: true`

fix: add license 2025-01-07 09:11:46 +01:00			`- name: "GPG user IDs"`
			`shell: "bash"`
feat: initial Version 2025-01-07 05:58:42 +01:00			`run: \|`
			`echo "fingerprint: ${{ steps.import-gpg.outputs.fingerprint }}"`
			`echo "keyid: ${{ steps.import-gpg.outputs.keyid }}"`
			`echo "name: ${{ steps.import-gpg.outputs.name }}"`
			`echo "email: ${{ steps.import-gpg.outputs.email }}"`