mirror of
https://github.com/davidalves04/Trabalho-Pratico-SD.git
synced 2025-12-08 20:43:32 +00:00
Enhance CI workflow with security and dependency checks
Added security scan and dependency review jobs to the workflow.
This commit is contained in:
GitHub
97
.github/workflows/maven.yml
vendored
97
.github/workflows/maven.yml
vendored
@@ -1,11 +1,6 @@
|
|||||||
# This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time
|
# This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time
|
||||||
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-maven
|
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-maven
|
||||||
|
|
||||||
# This workflow uses actions that are not certified by GitHub.
|
|
||||||
# They are provided by a third-party and are governed by
|
|
||||||
# separate terms of service, privacy policy, and support
|
|
||||||
# documentation.
|
|
||||||
|
|
||||||
name: Java CI with Maven
|
name: Java CI with Maven
|
||||||
|
|
||||||
on:
|
on:
|
||||||
@@ -16,9 +11,7 @@ on:
|
|||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
|
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
@@ -33,13 +26,95 @@ jobs:
|
|||||||
run: mvn -B package
|
run: mvn -B package
|
||||||
working-directory: main
|
working-directory: main
|
||||||
|
|
||||||
# Generate dependency graph explicitly (run step supports -f)
|
# Generate dependency graph explicitly
|
||||||
- name: Generate dependency graph
|
- name: Generate dependency graph
|
||||||
run: mvn -B -f main/pom.xml com.github.ferstl:depgraph-maven-plugin:4.0.1:graph
|
run: mvn -B com.github.ferstl:depgraph-maven-plugin:4.0.1:graph
|
||||||
|
working-directory: main
|
||||||
|
|
||||||
# Upload the generated dependency files so you can inspect them in the workflow run
|
# Upload the packaged JAR file as an artifact
|
||||||
|
- name: Upload package artifact
|
||||||
|
uses: actions/upload-artifact@v4
|
||||||
|
with:
|
||||||
|
name: package
|
||||||
|
path: main/target/*.jar # Upload only the JAR
|
||||||
|
|
||||||
|
# Upload the generated dependency graph so you can inspect it
|
||||||
- name: Upload dependency graph artifact
|
- name: Upload dependency graph artifact
|
||||||
uses: actions/upload-artifact@v4
|
uses: actions/upload-artifact@v4
|
||||||
with:
|
with:
|
||||||
name: dependency-graph
|
name: dependency-graph
|
||||||
path: main/target/**
|
path: main/target/dependency-graph.dot # Upload the specific graph file
|
||||||
|
|
||||||
|
test-and-coverage:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
needs: build # Make it dependent on the build job to ensure code compiles
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Set up JDK 17
|
||||||
|
uses: actions/setup-java@v4
|
||||||
|
with:
|
||||||
|
java-version: '17'
|
||||||
|
distribution: 'temurin'
|
||||||
|
cache: maven
|
||||||
|
|
||||||
|
- name: Run tests and generate coverage report
|
||||||
|
# 'verify' runs all tests. 'jacoco:report' generates the coverage report.
|
||||||
|
# This assumes you have the JaCoCo plugin configured in your pom.xml
|
||||||
|
run: mvn -B verify jacoco:report
|
||||||
|
working-directory: main
|
||||||
|
|
||||||
|
- name: Upload coverage report
|
||||||
|
# This uploads the HTML coverage report as an artifact
|
||||||
|
uses: actions/upload-artifact@v4
|
||||||
|
with:
|
||||||
|
name: code-coverage-report
|
||||||
|
path: main/target/site/jacoco/ # Path to the JaCoCo HTML report
|
||||||
|
|
||||||
|
security-scan:
|
||||||
|
# NEW JOB: This job runs GitHub's CodeQL to find security vulnerabilities.
|
||||||
|
# It runs in parallel with other jobs.
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
# Required permissions for CodeQL to write results
|
||||||
|
permissions:
|
||||||
|
security-events: write # for github/codeql-action/analyze
|
||||||
|
actions: read # for github/codeql-action/init
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Checkout repository
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Initialize CodeQL
|
||||||
|
uses: github/codeql-action/init@v3
|
||||||
|
with:
|
||||||
|
languages: 'java' # Specify the language to analyze
|
||||||
|
|
||||||
|
- name: Build project for CodeQL
|
||||||
|
# CodeQL needs to monitor the build process.
|
||||||
|
# We skip tests here (-DskipTests) because we only need the compiled code
|
||||||
|
# for static analysis, and tests are run in the 'test-and-coverage' job.
|
||||||
|
run: mvn -B clean package -DskipTests
|
||||||
|
working-directory: main
|
||||||
|
|
||||||
|
- name: Perform CodeQL Analysis
|
||||||
|
uses: github/codeql-action/analyze@v3
|
||||||
|
|
||||||
|
dependency-review:
|
||||||
|
# NEW JOB: This job checks for vulnerable dependencies on Pull Requests.
|
||||||
|
# It prevents merging PRs that introduce known vulnerabilities.
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
# This job only needs to run on pull requests
|
||||||
|
if: github.event_name == 'pull_request'
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read # To read dependency files
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Checkout repository
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Dependency Review
|
||||||
|
uses: actions/dependency-review-action@v4
|
||||||
|
|||||||
Reference in New Issue
Block a user