This is an automated email from the ASF dual-hosted git repository.
mmerli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/bookkeeper.git
The following commit(s) were added to refs/heads/master by this push:
new 3629c4c81b Remove OWASP dependency check from CI (#4717)
3629c4c81b is described below
commit 3629c4c81bcd30b3bcad2aecf19a9db9fb5a1aaf
Author: Lari Hotari <[email protected]>
AuthorDate: Tue Mar 3 23:28:59 2026 +0200
Remove OWASP dependency check from CI (#4717)
---
.github/workflows/bk-ci.yml | 46 --------------------------------
.github/workflows/owasp-daily-build.yml | 47 ---------------------------------
2 files changed, 93 deletions(-)
diff --git a/.github/workflows/bk-ci.yml b/.github/workflows/bk-ci.yml
index 10cfad1fc2..101b4186e1 100644
--- a/.github/workflows/bk-ci.yml
+++ b/.github/workflows/bk-ci.yml
@@ -61,7 +61,6 @@ jobs:
id: check_changes
run: |
echo "docs_only=${{ fromJSON(steps.changes.outputs.all_count) ==
fromJSON(steps.changes.outputs.docs_count) &&
fromJSON(steps.changes.outputs.docs_count) > 0 }}" >> $GITHUB_OUTPUT
- echo "need_owasp=${{ fromJSON(steps.changes.outputs.need_owasp) }}"
>> $GITHUB_OUTPUT
- name: Cache local Maven repository
if: steps.check_changes.outputs.docs_only != 'true'
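Review bot: With this hunk, the `owasp-dependency-check` job removed at @@ -511 and the deleted `owasp-daily-build.yml`, no dependency-vulnerability scan remains in either workflow, and neither the commit message nor the remaining workflow text records what replaces that control or why it was dropped; a one-line note in the workflow near the remaining jobs, e.g. `# Dependency CVE scanning moved out of CI on <date> — see <replacement or tracking issue>`, would keep the gap visible to the next maintainer. The `steps.changes.outputs.need_owasp` value echoed on the removed line presumably comes from a `need_owasp` filter in the `changes` step above this hunk (outside it); if that filter is still defined it is now dead configuration and can be dropped in the same change. The `-Powasp-dependency-check` Maven profile and the `NIST_NVD_API_KEY` secret referenced by the deleted workflow likewise look unused after this commit and are worth confirming and cleaning up, or the secret rotated/removed if it is no longer needed.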
@@ -96,7 +95,6 @@ jobs:
run: mvn -B -nsu -am -pl
bookkeeper-common,bookkeeper-server,:bookkeeper-stats-api,:bookkeeper-stats-providers,:codahale-metrics-provider,:prometheus-metrics-provider
javadoc:aggregate -DskipTests -Pdelombok -Dchesktyle.skip -Dspotbugs.skip
outputs:
docs_only: ${{ steps.check_changes.outputs.docs_only }}
- need_owasp: ${{ steps.check_changes.outputs.need_owasp }}
unit-tests:
name: ${{ matrix.step_name }}
@@ -511,49 +509,6 @@ jobs:
- name: Check typos
uses: crate-ci/[email protected]
- owasp-dependency-check:
- name: OWASP Dependency Check
- runs-on: ubuntu-latest
- timeout-minutes: 60
- needs: [ 'build-and-license-check' ]
- if: ${{ needs.build-and-license-check.outputs.need_owasp == 'true' }}
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - name: Tune Runner VM
- uses: ./.github/actions/tune-runner-vm
-
- - name: Cache local Maven repository
- id: cache
- uses: actions/cache@v4
- with:
- path: |
- ~/.m2/repository/*/*/*
- !~/.m2/repository/org/apache/bookkeeper
- !~/.m2/repository/org/apache/distributedlog
- key: ${{ runner.os }}-bookkeeper-all-${{ hashFiles('**/pom.xml') }}
-
- - name: Set up JDK 11
- uses: actions/setup-java@v4
- with:
- distribution: 'temurin'
- java-version: 21
-
- - name: run "clean install verify" to trigger dependency check
- # excluding dlfs because it includes hadoop lib with
- # CVEs that we cannot patch up anyway
- run: mvn -q -B -ntp clean install verify -Powasp-dependency-check
-DskipTests -pl '!stream/distributedlog/io/dlfs,!tests'
-
- - name: Upload report
- uses: actions/upload-artifact@v4
- if: ${{ cancelled() || failure() }}
- continue-on-error: true
- with:
- name: dependency report
- path: target/dependency-check-report.html
- retention-days: 7
-
bookkeeper-ci-checks-completed:
name: "BookKeeper CI checks completed"
if: ${{ always() && ((github.event_name != 'schedule') ||
(github.repository == 'apache/bookkeeper')) }}
@@ -565,7 +520,6 @@ jobs:
'integration-tests',
'jdk-compatibility-checks',
'macos-build',
- 'owasp-dependency-check',
'typo-check',
'unit-tests',
'windows-build'
diff --git a/.github/workflows/owasp-daily-build.yml
b/.github/workflows/owasp-daily-build.yml
deleted file mode 100644
index 5dc9eaf3b5..0000000000
--- a/.github/workflows/owasp-daily-build.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: OWASP Daily Build
-
-on:
- schedule:
- - cron: '0 0 * * *' # Runs at 00:00 UTC every day
- workflow_dispatch:
-
-env:
- NIST_NVD_API_KEY: ${{ secrets.NIST_NVD_API_KEY }}
-
-jobs:
- owasp-daily-build:
- name: OWASP Dependency Check
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - name: Tune Runner VM
- uses: ./.github/actions/tune-runner-vm
-
- - name: Set up JDK 21
- uses: actions/setup-java@v4
- with:
- distribution: 'temurin'
- java-version: 21
-
- - name: run "clean install verify" to trigger dependency check
- # excluding dlfs because it includes hadoop lib with
- # CVEs that we cannot patch up anyway
- run: mvn -q -B -ntp clean install verify -Powasp-dependency-check
-DskipTests -pl '!stream/distributedlog/io/dlfs,!tests'