Skip to content
CI caab-data-api pr to main

build(deps): bump the gradle-updates group with 2 updates #81

Sign in to view logs

build(deps): bump the gradle-updates group with 2 updates

build(deps): bump the gradle-updates group with 2 updates #81

Workflow file for this run

.github/workflows/pr-merge-main.yml at 1807e5b
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-gradle
name: CI caab-data-api pr to main
on:
pull_request:
branches: [ main ]
types: [ closed ]
permissions:
contents: read
packages: write
jobs:
build-test-release:
if: |
github.event.pull_request.merged == true && !startsWith(github.event.pull_request.head.ref, 'dependabot/')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
ref: main
token: ${{ secrets.REPO_TOKEN }}
- name: Set up JDK 21
uses: actions/setup-java@v4
with:
java-version: '21'
distribution: 'temurin'
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v4
- name: Build & test
run: ./gradlew build
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Test coverage verification
run: ./gradlew jacocoTestCoverageVerification
- name: Integration test
run: ./gradlew integrationTest
- name: Set to github user
run: |
git config --global user.email "github@justice.gov.uk"
git config --global user.name "GitHub Actions Bot"
- name: Update version
run: ./gradlew release -Prelease.useAutomaticVersion=true
- name: Upload checkstyle report
if: always()
uses: actions/upload-artifact@v4
with:
name: checkstyle-report
path: data-service/build/reports/checkstyle
retention-days: 14
- name: Upload test report
if: always()
uses: actions/upload-artifact@v4
with:
name: test-report
path: data-service/build/reports/tests
retention-days: 14
- name: Upload jacoco coverage report
if: always()
uses: actions/upload-artifact@v4
with:
name: jacoco-coverage-report
path: data-service/build/reports/jacoco
retention-days: 14
vulnerability-report:
if: github.event.pull_request.merged == true
runs-on: ubuntu-latest
permissions:
security-events: write
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
SNYK_ORG: legal-aid-agency
SNYK_TEST_EXCLUDE: build,generated
SNYK_TARGET_REFERENCE: main
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- uses: actions/checkout@v4
- name: Generate Snyk report and upload to LAA Dashboard
uses: snyk/actions/gradle@0.4.0
continue-on-error: true
with:
command: monitor
args: --org=${SNYK_ORG} --all-projects --exclude=$SNYK_TEST_EXCLUDE --target-reference=$SNYK_TARGET_REFERENCE
- name: Generate sarif Snyk report
uses: snyk/actions/gradle@0.4.0
continue-on-error: true
with:
args: --org=$SNYK_ORG --all-projects --exclude=$SNYK_TEST_EXCLUDE --target-reference=$SNYK_TARGET_REFERENCE --sarif-file-output=snyk-report.sarif
- name: Fix undefined values
run: |
cat snyk-report.sarif | jq '
.runs[].tool[].rules[]
|= (
if .properties["security-severity"] == "undefined"
then .properties["security-severity"] =
( if .shortDescription.text | test("(?i)critical") then "9.0"
elif .shortDescription.text | test("(?i)high") then "7.0"
elif .shortDescription.text | test("(?i)medium") then "4.0"
elif .shortDescription.text | test("(?i)low") then "0.1"
else ""
end
)
else .
end
)
' > snyk-report-cleansed.sarif
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk-report-cleansed.sarif