[TH2-4566] Reusable workflow with dependency check

.github/workflows/dev-java-publish-sonatype.yml

@@ -1,56 +1,39 @@
-
 name: Dev build and publish Java distributions to sonatype snapshot repository
 on:
   push:
     branches-ignore:
     - master
     - version-*
-    # paths:
-    # - gradle.properties
 
 jobs:
-  build:
-    runs-on: ubuntu-20.04
-    permissions:
-      contents: read
-      packages: write
+  build-job:
+    uses: th2-net/.github/.github/workflows/compound-java-dev.yml@main
+    with:
+      scanner-enabled: false
+      build-target: 'Sonatype'
+      runsOn: ubuntu-latest
+    secrets:
+      sonatypeUsername: ${{ secrets.SONATYPE_NEXUS_USERNAME }}
+      sonatypePassword: ${{ secrets.SONATYPE_NEXUS_PASSWORD }}
+      sonatypeSigningKey: ${{ secrets.SONATYPE_GPG_ARMORED_KEY }}
+      sonatypeSigningPassword: ${{ secrets.SONATYPE_SIGNING_PASSWORD }}
+  scan-job:
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      # Prepare custom build version
-      - name: Get branch name
-        id: branch
-        run: echo "branch_name=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
-      - name: Get SHA of the commit
-        id: sha
-        run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
-      - name: Get release_version
-        id: ver
-        uses: christian-draeger/[email protected]
-        with:
-          path: gradle.properties
-          properties: release_version
-      - name: Build custom release version
-        id: release_ver
-        run: echo value="${{ steps.ver.outputs.release_version }}-${{ steps.branch.outputs.branch_name }}-${{ github.run_id }}-${{ steps.sha.outputs.sha_short }}-SNAPSHOT" >> $GITHUB_OUTPUT
-      - name: Write custom release version to file
-        uses: christian-draeger/[email protected]
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Create lockfiles
+        run: ./gradlew createLockFiles
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@master
         with:
-          path: gradle.properties
-          property: release_version
-          value: ${{ steps.release_ver.outputs.value }}                
-      - name: Show custom release version
-        run: echo ${{ steps.release_ver.outputs.value }}
-# Build and publish package
-      - name: Set up JDK 11
-        uses: actions/setup-java@v3
+          scan-type: 'fs'
+          ignore-unfixed: false
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH,MEDIUM'
+          exit-code: '0'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
         with:
-          java-version: '11'
-          distribution: 'zulu'
-      - name: Build with Gradle
-        run: ./gradlew --info clean build publish
-        env:
-          ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.SONATYPE_NEXUS_USERNAME }}
-          ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.SONATYPE_NEXUS_PASSWORD }}
-          ORG_GRADLE_PROJECT_signingKey: ${{ secrets.SONATYPE_GPG_ARMORED_KEY }}
-          ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.SONATYPE_SIGNING_PASSWORD }} 
-
+          sarif_file: 'trivy-results.sarif'

.github/workflows/java-publish-sonatype.yml

@@ -1,5 +1,4 @@
 name: Build and release Java distributions to sonatype.
-
 on:
   push:
     branches:
@@ -10,18 +9,33 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-20.04
-
+    uses: th2-net/.github/.github/workflows/compound-java.yml@main
+    with:
+      scanner-enabled: false
+      build-target: 'Sonatype'
+      runsOn: ubuntu-latest
+    secrets:
+      sonatypeUsername: ${{ secrets.SONATYPE_NEXUS_USERNAME }}
+      sonatypePassword: ${{ secrets.SONATYPE_NEXUS_PASSWORD }}
+      sonatypeSigningKey: ${{ secrets.SONATYPE_GPG_ARMORED_KEY }}
+      sonatypeSigningPassword: ${{ secrets.SONATYPE_SIGNING_PASSWORD }}
+  scan-job:
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - name: Set up JDK 11
-        uses: actions/setup-java@v3
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Create lockfiles
+        run: ./gradlew createLockFiles
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: false
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH,MEDIUM'
+          exit-code: '0'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
         with:
-          java-version: '11'
-      - name: Build with Gradle
-        run: ./gradlew --info clean build publish closeAndReleaseSonatypeStagingRepository
-        env:
-          ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.SONATYPE_NEXUS_USERNAME }}
-          ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.SONATYPE_NEXUS_PASSWORD }}
-          ORG_GRADLE_PROJECT_signingKey: ${{ secrets.SONATYPE_GPG_ARMORED_KEY }}
-          ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.SONATYPE_SIGNING_PASSWORD }} 
+          sarif_file: 'trivy-results.sarif'

.gitignore

@@ -6,6 +6,9 @@
 /cradle-cassandra/.project
 /cradle-cassandra/.classpath
 /cradle-cassandra/build
+/cradle-cassandra/gradle/
+/cradle-core/gradle/
+/gradle/dependency-locks/
 /cradle-core/.classpath
 /cradle-core/.project
 /cradle-core/.settings

build.gradle

@@ -4,15 +4,33 @@ plugins {
 }
 
 ext {
-	slf4j_version = '1.7.26'
-	jackson_version = '2.9.7'
+	slf4j_version = '1.7.36'
+	jackson_version = '2.13.4'
 
 	sharedDir = file("${project.rootDir}/shared")
 }
 
 allprojects {
 	version = release_version
 	group   = 'com.exactpro.th2'
+
+	configurations {
+		compileClasspath {
+			resolutionStrategy.activateDependencyLocking()
+		}
+	}
+
+	tasks.register('resolveAndLockAll') {
+		doFirst {
+			println gradle.startParameter.writeDependencyLocks
+		}
+		doLast {
+			configurations.findAll {
+				// Add any custom filtering on the configurations to be resolved
+				it.canBeResolved
+			}.each { it.resolve() }
+		}
+	}
 }
 
 subprojects {
@@ -29,6 +47,22 @@ subprojects {
 			resolutionStrategy.cacheDynamicVersionsFor 0, 'seconds'
 		}
 	}
+
+	configurations {
+		compileClasspath {
+			resolutionStrategy.activateDependencyLocking()
+		}
+	}
+
+	tasks.register('createLockFiles', Copy) {
+		dependsOn('resolveAndLockAll')
+		from "./gradle/dependency-locks/compileClasspath.lockfile"
+		into "./.."
+
+		rename { String filename ->
+			return project.name + '-' + filename
+		}
+	}
 
 
 	defaultTasks 'build'

settings.gradle

@@ -4,3 +4,4 @@ include 'cradle-cassandra'
 // Defined names will be used for jar and artifact names
 project(':cradle-core').name = 'cradle-core'
 project(':cradle-cassandra').name = 'cradle-cassandra'
+startParameter.setWriteDependencyLocks(true)