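--- # SPDX-License-Identifier: MIT
# Composite action: pulls CI credentials from Vault via AppRole, prepares a
# Maven/JReleaser environment, installs a JDK and imports the commit-signing key.
name: "Setup Java environment"
description: "Initialize Java Environment and retrieve secrets from Vault"
author: Oliver Weyhmüller

inputs:
  # AppRole credentials for Vault; both are required and have no usable default.
  roleid:
    description: "Role ID of Approle"
    required: true
    default: ""
  secretid:
    description: "Secret ID of Approle"
    required: true
    default: ""

runs:
  using: "composite"
  steps:
    # Reads the listed KV paths and exposes each value under the env var named
    # after the "|" — later steps reference them as ${{ env.NAME }}.
    - name: "Import Secrets"
      id: "import-secrets"
      uses: "https://github.com/hashicorp/vault-action@v3"
      with:
        url: "https://vault.w9r.dev"
        method: "approle"
        role: "forgejo-ci"
        roleId: "${{ inputs.roleid }}"
        secretId: "${{ inputs.secretid }}"
        secrets: |
          kv/data/ci/nexus username | NEXUS_USERNAME ;
          kv/data/ci/nexus password | NEXUS_PASSWORD ;
          kv/data/ci/vulnz username | VULNZ_USERNAME ;
          kv/data/ci/vulnz password | VULNZ_PASSWORD ;
          kv/data/ci/releasebot gpgPrivateKey | RELEASEBOT_PRIVATE_KEY ;
          kv/data/ci/releasebot gpgPublicKey | RELEASEBOT_PUBLIC_KEY ;
          kv/data/ci/releasebot gpgPassphrase | RELEASEBOT_PASSPHRASE ;
          kv/data/ci/releasebot ciToken | JRELEASER_GITEA_TOKEN ;
          kv/data/ci/signing gpgPrivateKey | GPG_PRIVATE_KEY ;
          kv/data/ci/signing gpgPublicKey | GPG_PUBLIC_KEY ;
          kv/data/ci/signing gpgPassphrase | GPG_PASSPHRASE ;
          kv/data/ci/sonarqube sonarToken | SONARQUBE_TOKEN ;
          kv/data/ci/sonarqube sonarHost | SONARQUBE_HOST ;

    # Paths under /root assume the job runs as root in its container —
    # TODO confirm against the runner image.
    - name: "Set up Environment"
      shell: "bash"
      run: |
        # Fail fast: without this a failed package install would go unnoticed
        # until a later step breaks.
        set -euo pipefail
        # apt-get has a stable CLI for scripts; apt does not.
        apt-get update
        apt-get install -y --no-install-recommends zip
        mkdir -p /root/.jreleaser
        mkdir -p /root/.m2
        touch /root/.jreleaser/config.properties

    - name: "Install syft"
      uses: "https://github.com/anchore/sbom-action/download-syft@v0"
      id: "install_syft"
      with:
        syft-version: "v1.18.1"

    # Writes ~/.m2/settings.xml. The action takes JSON strings; folded scalars
    # keep them readable while still yielding one JSON document each.
    - name: "maven-settings-xml-action"
      uses: "https://github.com/whelk-io/maven-settings-xml-action@v22"
      with:
        # NOTE(review): checksumPolicy "warn" only logs a checksum mismatch on
        # download; "fail" rejects the artifact. Kept as configured.
        repositories: >
          [
            {
              "id": "maven-releases",
              "name": "Releases",
              "url": "https://nexus.w9r.dev/repository/maven-releases",
              "releases": { "enabled": "true", "updatePolicy": "always", "checksumPolicy": "warn" },
              "snapshots": { "enabled": "false", "updatePolicy": "always", "checksumPolicy": "fail" }
            },
            {
              "id": "maven-snapshots",
              "name": "Snapshots",
              "url": "https://nexus.w9r.dev/repository/maven-snapshots",
              "releases": { "enabled": "false", "updatePolicy": "always", "checksumPolicy": "warn" },
              "snapshots": { "enabled": "true", "updatePolicy": "always", "checksumPolicy": "warn" }
            }
          ]
        # Credentials come from the Vault step above; they are never written
        # into this file, only into the generated settings.xml at run time.
        servers: >
          [
            { "id": "maven-group", "username": "${{ env.NEXUS_USERNAME }}", "password": "${{ env.NEXUS_PASSWORD }}" },
            { "id": "maven-snapshots", "username": "${{ env.NEXUS_USERNAME }}", "password": "${{ env.NEXUS_PASSWORD }}" },
            { "id": "maven-releases", "username": "${{ env.NEXUS_USERNAME }}", "password": "${{ env.NEXUS_PASSWORD }}" },
            { "id": "vulnz", "username": "${{ env.VULNZ_USERNAME }}", "password": "${{ env.VULNZ_PASSWORD }}" }
          ]
        # "mirrorOf": "*" routes every repository through the Nexus group.
        mirrors: >
          [
            { "id": "maven-group", "name": "central", "mirrorOf": "*", "url": "https://nexus.w9r.dev/repository/maven-group/" }
          ]
        plugin_groups: >
          [ "org.sonarsource.scanner.maven" ]
        output_file: "/root/.m2/settings.xml"

    - name: "Setup Java"
      uses: "https://github.com/actions/setup-java@v4"
      with:
        distribution: "temurin"
        # Quoted so the version is passed as a string, not re-typed as an int.
        java-version: "21"
        cache: "maven"
        check-latest: true

    # Imports the release-bot key and configures git to sign commits with it.
    - name: "Import Commit Signing GPG key"
      id: "import-gpg"
      uses: "https://github.com/crazy-max/ghaction-import-gpg@v6"
      with:
        gpg_private_key: "${{ env.RELEASEBOT_PRIVATE_KEY }}"
        passphrase: "${{ env.RELEASEBOT_PASSPHRASE }}"
        git_user_signingkey: true
        git_commit_gpgsign: true

    # Step outputs are passed through env rather than expanded inside the
    # script, so a name/email containing shell metacharacters cannot alter
    # the command line.
    - name: "GPG user IDs"
      shell: "bash"
      env:
        GPG_FINGERPRINT: "${{ steps.import-gpg.outputs.fingerprint }}"
        GPG_KEYID: "${{ steps.import-gpg.outputs.keyid }}"
        GPG_NAME: "${{ steps.import-gpg.outputs.name }}"
        GPG_EMAIL: "${{ steps.import-gpg.outputs.email }}"
      run: |
        echo "fingerprint: ${GPG_FINGERPRINT}"
        echo "keyid: ${GPG_KEYID}"
        echo "name: ${GPG_NAME}"
        echo "email: ${GPG_EMAIL}"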