From 5a9915a5dbf7a715afe134e063beca565b8a1604 Mon Sep 17 00:00:00 2001
From: Oliver Weyhmueller
Date: Tue, 7 Jan 2025 05:58:42 +0100
Subject: [PATCH] feat: initial Version
---
 .gitignore | 78 +++++++++++++++++++++++++++++
 action.yml | 141 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 219 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 action.yml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..596557a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,78 @@
+### Intellij+all template
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# AWS User-specific
+.idea/**/aws.xml
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn. Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# SonarLint plugin
+.idea/sonarlint/
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
diff --git a/action.yml b/action.yml
new file mode 100644
index 0000000..f7f42fc
--- /dev/null
+++ b/action.yml
@@ -0,0 +1,141 @@
+---
+name: 'Setup Java environment'
+description: 'Initialise Java Environment and retrieve secrets from Vault'
+runs:
+ using: 'composite'
+ steps:
+ - name: Import Secrets
+ id: import-secrets
+ uses: https://github.com/hashicorp/vault-action@v2
+ with:
+ url: https://vault.w9r.dev
+ method: approle
+ roleId: ${{ secrets.VAULT_ROLE_ID }}
+ secretId: ${{ secrets.VAULT_SECRET_ID }}
+ secrets: |
+ kv/data/ci/nexus username | NEXUS_USERNAME ;
+ kv/data/ci/nexus password | NEXUS_PASSWORD ;
+ kv/data/ci/vulnz username | VULNZ_USERNAME ;
+ kv/data/ci/vulnz password | VULNZ_PASSWORD ;
+ kv/data/ci/releasebot gpgPrivateKey | RELEASEBOT_PRIVATE_KEY ;
+ kv/data/ci/releasebot gpgPublicKey | RELEASEBOT_PUBLIC_KEY ;
+ kv/data/ci/releasebot gpgPassphrease | RELEASEBOT_PASSPHRASE ;
+ kv/data/ci/releasebot ciToken | JRELEASER_GITEA_TOKEN ;
+ kv/data/ci/signing gpgPrivateKey | GPG_PRIVATE_KEY ;
+ kv/data/ci/signing gpgPublicKey | GPG_PUBLIC_KEY ;
+ kv/data/ci/signing gpgPassphrease | GPG_PASSPHRASE ;
+ kv/data/ci/sonarqube sonarToken | SONARQUBE_TOKEN ;
+ kv/data/ci/sonarqube sonarHost | SONARQUBE_HOST ;
+
+ - name: Set up Environment
+ run: |
+ apt update
+ apt install -y zip
+ mkdir -p /root/.jreleaser
+ mkdir -p /root/.m2
+ touch /root/.jreleaser/config.properties
+
+ - name: Install syft
+ uses: https://github.com/anchore/sbom-action/download-syft@v0
+ id: install_syft
+ with:
+ syft-version: v1.18.1
+
+ - name: maven-settings-xml-action
+ uses: https://github.com/whelk-io/maven-settings-xml-action@v22
+ with:
+ repositories: >
+ [
+ {
+ "id": "maven-releases",
+ "name": "Releases",
+ "url": "https://nexus.w9r.dev/repository/maven-releases",
+ "releases": {
+ "enabled": "true",
+ "updatePolicy": "always",
+ "checksumPolicy": "warn"
+ },
+ "snapshots": {
+ "enabled": "false",
+ "updatePolicy": "always",
+ "checksumPolicy": "fail"
+ }
+ },
+ {
+ "id": "maven-snapshots",
+ "name": "Snapshots",
+ "url": "https://nexus.w9r.dev/repository/maven-snapshots",
+ "releases": {
+ "enabled": "false",
+ "updatePolicy": "always",
+ "checksumPolicy": "warn"
+ },
+ "snapshots": {
+ "enabled": "true",
+ "updatePolicy": "always",
+ "checksumPolicy": "warn"
+ }
+ }
+ ]
+ servers: >
+ [
+ {
+ "id": "maven-group",
+ "username": "${{ env.NEXUS_USERNAME }}",
+ "password": "${{ env.NEXUS_PASSWORD }}"
+ },
+ {
+ "id": "maven-snapshots",
+ "username": "${{ env.NEXUS_USERNAME }}",
+ "password": "${{ env.NEXUS_PASSWORD }}"
+ },
+ {
+ "id": "maven-releases",
+ "username": "${{ env.NEXUS_USERNAME }}",
+ "password": "${{ env.NEXUS_PASSWORD }}"
+ },
+ {
+ "id": "vulnz",
+ "username": "${{ env.VULNZ_USERNAME }}",
+ "password": "${{ env.VULNZ_PASSWORD }}"
+ }
+ ]
+ mirrors: >
+ [
+ {
+ "id": "maven-group",
+ "name": "central",
+ "mirrorOf": "*",
+ "url": "https://nexus.w9r.dev/repository/maven-group/"
+ }
+ ]
+ plugin_groups: >
+ [
+ "org.sonarsource.scanner.maven"
+ ]
+ output_file: /root/.m2/settings.xml
+
+ - name: Setup Java
+ uses: https://github.com/actions/setup-java@v4
+ with:
+ distribution: 'temurin' # See 'Supported distributions' for available options
+ java-version: '21'
+ cache: 'maven'
+ check-latest: true
+
+
+ - name: Import Commit Signing GPG key
+ id: import-gpg
+ uses: https://github.com/crazy-max/ghaction-import-gpg@v6
+ with:
+ gpg_private_key: ${{ env.RELEASEBOT_PRIVATE_KEY }}
+ passphrase: ${{ env.RELEASEBOT_PASSPHRASE }}
+ git_user_signingkey: true
+ git_commit_gpgsign: true
+
+ - name: GPG user IDs
+ run: |
+ echo "fingerprint: ${{ steps.import-gpg.outputs.fingerprint }}"
+ echo "keyid: ${{ steps.import-gpg.outputs.keyid }}"
+ echo "name: ${{ steps.import-gpg.outputs.name }}"
+ echo "email: ${{ steps.import-gpg.outputs.email }}"
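Review bot: The two `run:` steps (`Set up Environment` and `GPG user IDs`) carry no `shell:` key; GitHub requires `shell` on every `run` step of a composite action and rejects the file without it, and a runner that tolerates the omission may execute the script without `-e`, so a failed `apt install -y zip` would not fail the job — add `shell: bash` under each `run:`. The `Import Secrets` step exports every Vault value, including both GPG private keys with their passphrases, the Nexus and Vulnz credentials and `JRELEASER_GITEA_TOKEN`, into the job environment, where the following third-party actions, referenced only by floating tags (`@v0`, `@v22`, `@v4`, `@v6`), can read them; pinning those actions to full commit SHAs, and pulling only the secrets each consumer needs, limits what a compromised tag can reach. `roleId: ${{ secrets.VAULT_ROLE_ID }}` reads the `secrets` context inside a composite action, which GitHub does not expose there (Gitea's runner may); the portable form is an `inputs:` block and `roleId: ${{ inputs.vault-role-id }}`. The Vault field `gpgPassphrease` is used for both the releasebot and signing entries; if the stored field is spelled `gpgPassphrase`, both lookups fail at runtime, so this is worth confirming against the Vault data.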