
build: add vulnerability scan to PR build #715

build: add vulnerability scan to PR build


Workflow file for this run

name: PR Build Check

on:
  pull_request:

# One in-flight run per ref: a newer push to the same PR cancels the
# older run instead of queueing behind it.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# NOTE(review): there is no workflow-level `permissions:` block, so every
# job that does not declare its own gets the repository's default token
# scope. A top-level `permissions: { contents: read }` would make the
# least-privilege intent explicit — confirm first that ci/release/dry_run.sh
# needs nothing beyond read access.

jobs:
  editorconfig-checker:
    name: Check editorconfig
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # NOTE(review): `@main` is a mutable ref; pinning to a release tag or a
      # commit SHA keeps the action's supply chain reproducible.
      - uses: editorconfig-checker/action-editorconfig-checker@main
      - run: editorconfig-checker

  commitlint:
    name: Lint commits for semantic-release
    runs-on: ubuntu-latest
    steps:
      # Full history is needed so commitlint can walk base.sha..github.sha.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-node@v4

Check failure on line 27 in .github/workflows/pr.yml



Invalid workflow file

The workflow is not valid. substrait-io/substrait-java/.github/workflows/vulnerability-scan.yml@618a681a1bf50d9b0d4f6b9fb8801c6de09ef336 (Line: 27, Col: 3): Error calling workflow 'google/osv-scanner-action/.github/workflows/[email protected]'. The workflow is requesting 'contents: read', but is only allowed 'contents: none'.
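# (continuation of the commitlint job: the setup-node step's options)
        with:
          node-version: "20"
      # Both expressions expand to commit SHAs, so splicing them into the
      # shell line is safe from expression injection.
      - run: npx commitlint --from=${{ github.event.pull_request.base.sha }} --to=${{ github.sha }} --verbose

  security:
    name: Security validation
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Verifies the checked-in Gradle wrapper JAR against known release
      # checksums.
      - uses: gradle/actions/wrapper-validation@v3

  scan:
    uses: ./.github/workflows/vulnerability-scan.yml
    # Permissions given to a reusable workflow are an upper bound: the called
    # workflow, and anything it calls in turn, can use at most these scopes.
    # The run annotation says the nested osv-scanner workflow requested
    # `contents: read` but was allowed only `contents: none`; since read is
    # granted here, the scope is presumably narrowed by a job-level
    # `permissions:` inside vulnerability-scan.yml — check that file.
    # NOTE(review): on `pull_request` events from forks the token is
    # read-only, so `security-events: write` likely will not be honoured
    # there; verify the SARIF upload path behaves for fork PRs.
    permissions:
      contents: read
      security-events: write

  java:
    name: Build and Test Java
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v3
      - name: Build with Gradle
        run: gradle build --rerun-tasks

  isthmus-native-image-mac-linux:
    name: Build Isthmus Native Image
    needs: java
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, macOS-latest]
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - uses: graalvm/setup-graalvm@v1
        with:
          java-version: '17'
          distribution: 'graalvm'
          # helps avoid rate-limiting issues
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v3
      - name: Report Java Version
        run: java -version
      - name: Install GraalVM native image
        run: gu install native-image
      - name: Build with Gradle
        run: gradle nativeImage
      - name: Smoke Test
        run: |
          ./isthmus-cli/src/test/script/smoke.sh
          ./isthmus-cli/src/test/script/tpch_smoke.sh
      - name: Rename the artifact to OS-unique name
        shell: bash
        # A plain `mv` is all that is needed: the rename is the only effect,
        # and the step still fails (bash -e) if the binary is missing. The
        # previous form captured mv's empty output into an unused variable.
        run: mv isthmus-cli/build/graal/isthmus isthmus-cli/build/graal/isthmus-${{ matrix.os }}
      - name: Publish artifact
        uses: actions/upload-artifact@v4
        with:
          name: isthmus-${{ matrix.os }}
          path: isthmus-cli/build/graal/isthmus-${{ matrix.os }}

  dry-run-release:
    name: Dry-run release
    runs-on: ubuntu-latest
    steps:
      # Full history so the release tooling can inspect prior tags/commits.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
      - name: Check current status before next release
        run: ./ci/release/dry_run.sh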