This is an automated email from the ASF dual-hosted git repository.
joewitt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new ac627bc851 NIFI-14137 Added code-compliance workflow with Syft and
Grype This closes #9612 - Moved Static Analysis job from ci-workflow to
code-compliance workflow - Set Scan fail-build to be conditional on main branch
ac627bc851 is described below
commit ac627bc85198a8eee46bf552f51b476845a1d9fa
Author: exceptionfactory <[email protected]>
AuthorDate: Tue Jan 7 16:15:57 2025 -0600
NIFI-14137 Added code-compliance workflow with Syft and Grype
This closes #9612
- Moved Static Analysis job from ci-workflow to code-compliance workflow
- Set Scan fail-build to be conditional on main branch
Signed-off-by: Joseph Witt <[email protected]>
---
.github/workflows/ci-workflow.yml | 50 ---------------
.github/workflows/code-compliance.yml | 112 ++++++++++++++++++++++++++++++++++
README.md | 1 +
3 files changed, 113 insertions(+), 50 deletions(-)
diff --git a/.github/workflows/ci-workflow.yml
b/.github/workflows/ci-workflow.yml
index 9083deebcd..bcc3705570 100644
--- a/.github/workflows/ci-workflow.yml
+++ b/.github/workflows/ci-workflow.yml
@@ -49,60 +49,10 @@ concurrency:
cancel-in-progress: true
permissions:
- security-events: write
contents: read
pull-requests: read
jobs:
- static-analysis:
- timeout-minutes: 120
- name: Static Analysis
- runs-on: ubuntu-latest
- steps:
- - name: Clear Disk Space
- run: |
- sudo rm -rf /usr/share/dotnet
- sudo rm -rf /opt/ghc
- sudo rm -rf "/usr/local/share/boost"
- sudo rm -rf /usr/local/lib/android
- - name: Checkout Code
- uses: actions/checkout@v4
- - name: Cache Maven Modules
- uses: actions/cache@v4
- with:
- path: |
- ~/.m2/repository
- # Cache Maven modules using a cache key different from setup-java
steps
- key: ${{ runner.os }}-maven-static-analysis-${{
hashFiles('**/pom.xml') }}
- - name: Set up Java 21
- uses: actions/setup-java@v4
- with:
- distribution: 'zulu'
- java-version: '21'
- - name: Maven Build
- run: >
- ${{ env.MAVEN_COMMAND }}
- validate
- --no-snapshot-updates
- --no-transfer-progress
- --fail-fast
- -P contrib-check
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
- with:
- languages: java
- - name: Maven Compile
- env:
- MAVEN_OPTS: >-
- ${{ env.COMPILE_MAVEN_OPTS }}
- # Run PMD Check with compile phase to resolve modules
- run: >
- ${{ env.MAVEN_COMMAND }}
- pmd:check
- ${{ env.MAVEN_COMPILE_COMMAND }}
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
-
ubuntu-build-en:
timeout-minutes: 120
runs-on: ubuntu-latest
diff --git a/.github/workflows/code-compliance.yml
b/.github/workflows/code-compliance.yml
new file mode 100644
index 0000000000..df8889c628
--- /dev/null
+++ b/.github/workflows/code-compliance.yml
@@ -0,0 +1,112 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: code-compliance
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "0 0 * * *"
+ pull_request:
+ push:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ security-events: write
+ contents: write
+ pull-requests: read
+
+env:
+ DEFAULT_MAVEN_OPTS: >-
+ -Xms6g
+ -Xmx6g
+ -Dorg.slf4j.simpleLogger.defaultLogLevel=WARN
+
+jobs:
+ validate:
+ timeout-minutes: 60
+ name: Validate
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+ - name: Set up Java 21
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'zulu'
+ java-version: '21'
+ cache: 'maven'
+ - name: Maven Validate
+ run: >
+ ./mvnw
+ --show-version
+ --no-snapshot-updates
+ --no-transfer-progress
+ --fail-fast
+ --activate-profiles contrib-check
+ validate
+
+ scan:
+ timeout-minutes: 120
+ name: Scan
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+ - name: Set up Java 21
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'zulu'
+ java-version: '21'
+ cache: 'maven'
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: java
+ - name: Maven Package
+ env:
+ MAVEN_OPTS: >-
+ ${{ env.DEFAULT_MAVEN_OPTS }}
+ run: >
+ ./mvnw
+ --show-version
+ --no-snapshot-updates
+ --no-transfer-progress
+ --fail-fast
+ -DskipTests
+ pmd:check
+ package
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ - name: Get Project Version
+ run: echo "PROJECT_VERSION=$(./mvnw help:evaluate
-Dexpression=project.version -q -DforceStdout)" >> $GITHUB_ENV
+ - name: Generate SBOM
+ uses: anchore/sbom-action@v0
+ with:
+ format: spdx-json
+ path: ''
+ file: nifi-assembly/target/nifi-${{ env.PROJECT_VERSION }}-bin.zip
+ artifact-name: nifi-${{ env.PROJECT_VERSION }}.spdx.json
+ output-file: nifi-${{ env.PROJECT_VERSION }}.spdx.json
+ - name: Scan SBOM
+ uses: anchore/scan-action@v6
+ with:
+ sbom: nifi-${{ env.PROJECT_VERSION }}.spdx.json
+ severity-cutoff: 'medium'
+ only-fixed: true
+ fail-build: ${{ github.ref_name == 'main' && 'true' || 'false' }}
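Review bot: The workflow-level `contents: write` in the new file's `permissions` block grants more than either job uses: `validate` only checks out the repository and runs Maven, and `scan` needs `security-events: write` for the CodeQL result upload plus read access for checkout. The SBOM action only needs repository write access when it attaches the SBOM to a GitHub release, and this workflow has no `release` trigger, so `contents: read` appears sufficient — worth confirming against the action's defaults before dropping it. Scoping permissions per job, as below, keeps the token held by the Maven build read-only and limits `security-events: write` to the job that uploads results. Separately, the third-party actions are referenced by mutable tags (`anchore/sbom-action@v0` in particular tracks a moving 0.x line), so pinning them to full commit SHAs with an automated updater would make the scan toolchain reproducible.
```yaml
permissions:
  contents: read
  pull-requests: read

jobs:
  validate:
    # … unchanged: timeout-minutes, name, runs-on, steps …

  scan:
    timeout-minutes: 120
    name: Scan
    runs-on: ubuntu-24.04
    # Job-level permissions replace the workflow-level block, so restate the read scopes here
    permissions:
      contents: read
      pull-requests: read
      security-events: write  # required by github/codeql-action/analyze to upload results
    # … unchanged: steps …
```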
diff --git a/README.md b/README.md
index 6e996cc087..9ee3a96013 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,7 @@
[](https://github.com/apache/nifi/actions/workflows/system-tests.yml)
[](https://github.com/apache/nifi/actions/workflows/integration-tests.yml)
[](https://github.com/apache/nifi/actions/workflows/docker-tests.yml)
+[](https://github.com/apache/nifi/actions/workflows/code-compliance.yml)
[](https://github.com/apache/nifi/actions/workflows/code-coverage.yml)
[](https://codecov.io/gh/apache/nifi)