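---
# Composite action: pulls CI credentials from Vault (AppRole), prepares a
# Maven/JReleaser environment that routes all dependency traffic through the
# internal Nexus, installs syft and Java, and imports the release-bot GPG key
# for signed commits.
#
# NOTE(review): every `uses:` below is pinned to a mutable tag (@v3, @v0, @v22,
# @v4, @v6). A tag can be moved to new code by the action owner (or by an
# attacker with access to that repo), and several of these steps receive
# Vault-sourced secrets. Pin each action to a full commit SHA (with the tag in a
# trailing comment) once the SHAs have been verified against the upstream repos.
name: Setup Java environment
description: Initialize Java Environment and retrieve secrets from Vault

inputs:
  vault-role-id:
    description: Role ID of Approle
    required: true
  vault-secret-id:
    # Callers should pass this as `${{ secrets.... }}` so the runner masks it in logs.
    description: Secret ID of Approle
    required: true

runs:
  using: composite
  steps:
    # vault-action exports each secret as an environment variable (default
    # exportEnv), so every later step in this action — including the third-party
    # actions — can read NEXUS_*, GPG_*, RELEASEBOT_*, SONARQUBE_* and the
    # JReleaser token. Keep the list to what the build actually needs.
    - name: Import Secrets
      id: import-secrets
      uses: https://github.com/hashicorp/vault-action@v3
      with:
        url: https://vault.w9r.dev
        method: approle
        role: forgejo-ci
        roleId: ${{ inputs.vault-role-id }}
        secretId: ${{ inputs.vault-secret-id }}
        # Format: "<kv path> <key> | <ENV_VAR> ;"
        # `gpgPassphrease` is spelled as it appears here on purpose: it must
        # match the key name stored in Vault — confirm against the KV entries
        # before "fixing" the spelling on either side.
        secrets: |
          kv/data/ci/nexus username | NEXUS_USERNAME ;
          kv/data/ci/nexus password | NEXUS_PASSWORD ;
          kv/data/ci/vulnz username | VULNZ_USERNAME ;
          kv/data/ci/vulnz password | VULNZ_PASSWORD ;
          kv/data/ci/releasebot gpgPrivateKey | RELEASEBOT_PRIVATE_KEY ;
          kv/data/ci/releasebot gpgPublicKey | RELEASEBOT_PUBLIC_KEY ;
          kv/data/ci/releasebot gpgPassphrease | RELEASEBOT_PASSPHRASE ;
          kv/data/ci/releasebot ciToken | JRELEASER_GITEA_TOKEN ;
          kv/data/ci/signing gpgPrivateKey | GPG_PRIVATE_KEY ;
          kv/data/ci/signing gpgPublicKey | GPG_PUBLIC_KEY ;
          kv/data/ci/signing gpgPassphrease | GPG_PASSPHRASE ;
          kv/data/ci/sonarqube sonarToken | SONARQUBE_TOKEN ;
          kv/data/ci/sonarqube sonarHost | SONARQUBE_HOST ;

    # Runs as root (paths under /root); `shell: bash` gives `-eo pipefail`, so
    # a failed apt call aborts the step.
    - name: Set up Environment
      shell: bash
      run: |
        apt update
        apt install -y zip
        mkdir -p /root/.jreleaser
        mkdir -p /root/.m2
        touch /root/.jreleaser/config.properties

    - name: Install syft
      uses: https://github.com/anchore/sbom-action/download-syft@v0
      id: install_syft
      with:
        syft-version: v1.18.1

    # Writes /root/.m2/settings.xml. The `mirrors` entry sends *all* Maven
    # traffic to the internal Nexus group; the `servers` entries attach the
    # Nexus/vulnz credentials to those repository ids.
    # NOTE(review): `checksumPolicy: warn` on the release repositories means a
    # corrupted or tampered artifact only logs a warning and still gets used;
    # `fail` is the safer choice if Nexus publishes checksums for these repos.
    - name: maven-settings-xml-action
      uses: https://github.com/whelk-io/maven-settings-xml-action@v22
      with:
        repositories: >
          [
            {
              "id": "maven-releases",
              "name": "Releases",
              "url": "https://nexus.w9r.dev/repository/maven-releases",
              "releases": {
                "enabled": "true",
                "updatePolicy": "always",
                "checksumPolicy": "warn"
              },
              "snapshots": {
                "enabled": "false",
                "updatePolicy": "always",
                "checksumPolicy": "fail"
              }
            },
            {
              "id": "maven-snapshots",
              "name": "Snapshots",
              "url": "https://nexus.w9r.dev/repository/maven-snapshots",
              "releases": {
                "enabled": "false",
                "updatePolicy": "always",
                "checksumPolicy": "warn"
              },
              "snapshots": {
                "enabled": "true",
                "updatePolicy": "always",
                "checksumPolicy": "warn"
              }
            }
          ]
        servers: >
          [
            {
              "id": "maven-group",
              "username": "${{ env.NEXUS_USERNAME }}",
              "password": "${{ env.NEXUS_PASSWORD }}"
            },
            {
              "id": "maven-snapshots",
              "username": "${{ env.NEXUS_USERNAME }}",
              "password": "${{ env.NEXUS_PASSWORD }}"
            },
            {
              "id": "maven-releases",
              "username": "${{ env.NEXUS_USERNAME }}",
              "password": "${{ env.NEXUS_PASSWORD }}"
            },
            {
              "id": "vulnz",
              "username": "${{ env.VULNZ_USERNAME }}",
              "password": "${{ env.VULNZ_PASSWORD }}"
            }
          ]
        mirrors: >
          [
            {
              "id": "maven-group",
              "name": "central",
              "mirrorOf": "*",
              "url": "https://nexus.w9r.dev/repository/maven-group/"
            }
          ]
        plugin_groups: >
          [
            "org.sonarsource.scanner.maven"
          ]
        output_file: /root/.m2/settings.xml

    - name: Setup Java
      uses: https://github.com/actions/setup-java@v4
      with:
        distribution: temurin # See 'Supported distributions' for available options
        java-version: 21
        cache: maven
        check-latest: true

    # Imports the release-bot key (not the artifact-signing GPG_* key) and
    # configures git to sign commits with it.
    - name: Import Commit Signing GPG key
      id: import-gpg
      uses: https://github.com/crazy-max/ghaction-import-gpg@v6
      with:
        gpg_private_key: ${{ env.RELEASEBOT_PRIVATE_KEY }}
        passphrase: ${{ env.RELEASEBOT_PASSPHRASE }}
        git_user_signingkey: true
        git_commit_gpgsign: true

    # Step outputs are passed through `env:` and read as shell variables rather
    # than being expanded with `${{ }}` inside the script. Expression expansion
    # into `run:` splices the value into the script text before bash parses it,
    # so a key user-ID containing quotes, `$(...)` or backticks would be
    # executed; an environment variable is only ever data.
    - name: GPG user IDs
      shell: bash
      env:
        IMPORTED_GPG_FINGERPRINT: ${{ steps.import-gpg.outputs.fingerprint }}
        IMPORTED_GPG_KEYID: ${{ steps.import-gpg.outputs.keyid }}
        IMPORTED_GPG_NAME: ${{ steps.import-gpg.outputs.name }}
        IMPORTED_GPG_EMAIL: ${{ steps.import-gpg.outputs.email }}
      run: |
        echo "fingerprint: ${IMPORTED_GPG_FINGERPRINT}"
        echo "keyid: ${IMPORTED_GPG_KEYID}"
        echo "name: ${IMPORTED_GPG_NAME}"
        echo "email: ${IMPORTED_GPG_EMAIL}"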