feat(gradle-library): support skipping security scan

wetransform · Aug 20, 2024 · 4586a5d · 4586a5d
1 parent be1659a
commit 4586a5d
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 1 deletion.
diff --git a/.github/workflows/gradle-library-check.yml b/.github/workflows/gradle-library-check.yml
@@ -22,6 +22,10 @@ on:
         description: Custom ref to check out
         type: string
         default: ''
+      skip-scan:
+        description: If security scan and associated tasks should be skipped (e.g. in case no Gradle lock files are configured to be generated)
+        type: boolean
+        default: false
     secrets:
       WETF_ARTIFACTORY_USER:
       WETF_ARTIFACTORY_PASSWORD:
@@ -35,5 +39,6 @@ jobs:
       multi-module: ${{ inputs.multi-module }}
       expect-tests: ${{ inputs.expect-tests }}
       checkout-ref: ${{ inputs.checkout-ref }}
+      skip-scan: ${{ inputs.skip-scan }}
       notify-failure: false
     secrets: inherit
diff --git a/.github/workflows/gradle-library-publish.yml b/.github/workflows/gradle-library-publish.yml
@@ -35,6 +35,10 @@ on:
         description: If semantic release should do a dryrun
         default: false
         type: boolean
+      skip-scan:
+        description: If security scan and associated tasks should be skipped (e.g. in case no Gradle lock files are configured to be generated)
+        type: boolean
+        default: false
     outputs:
       release-published:
         description: If a release was created
@@ -59,6 +63,7 @@ jobs:
       multi-module: ${{ inputs.multi-module }}
       expect-tests: ${{ inputs.expect-tests }}
       checkout-ref: ${{ inputs.checkout-ref }}
+      skip-scan: ${{ inputs.skip-scan }}
       semantic-release: ${{ inputs.semantic-release }}
       semantic-release-dryrun: ${{ inputs.semantic-release-dryrun }}
     secrets: inherit
diff --git a/.github/workflows/gradle-library.yml b/.github/workflows/gradle-library.yml
@@ -62,6 +62,10 @@ on:
         description: If this is a multi-module project
         type: boolean
         default: false
+      skip-scan:
+        description: If security scan and associated tasks should be skipped (e.g. in case no Gradle lock files are configured to be generated)
+        type: boolean
+        default: false
       checkout-ref:
         description: Custom ref to check out
         type: string
@@ -118,14 +122,15 @@ jobs:
         uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3.5.0
 
       - name: Write dependency lockfile for security scan
+        if: ${{ !inputs.skip-scan }}
         env:
           ORG_GRADLE_PROJECT_wetfArtifactoryUser: ${{ secrets.WETF_ARTIFACTORY_USER }}
           ORG_GRADLE_PROJECT_wetfArtifactoryPassword: ${{ secrets.WETF_ARTIFACTORY_PASSWORD }}
           JAVA_TOOL_OPTIONS: ${{ inputs.java-options }}
         run: ./gradlew dependencies --write-locks
 
       - name: Write dependency lockfile for security scan (submodules)
-        if: ${{ inputs.multi-module }}
+        if: ${{ !inputs.skip-scan && inputs.multi-module }}
         env:
           ORG_GRADLE_PROJECT_wetfArtifactoryUser: ${{ secrets.WETF_ARTIFACTORY_USER }}
           ORG_GRADLE_PROJECT_wetfArtifactoryPassword: ${{ secrets.WETF_ARTIFACTORY_PASSWORD }}
@@ -173,9 +178,11 @@ jobs:
       #
 
       - name: Make sure test-results folder exists
+        if: ${{ !inputs.skip-scan }}
         run: mkdir -p ${{ inputs.multi-module && 'trivy-gha-scan/build/test-results' || 'build/test-results' }}
 
       - name: Vulnerability scan
+        if: ${{ !inputs.skip-scan }}
         uses: wetransform/gha-trivy@8915cc9f5106f6683462a6eec9d093649e50a345 # v2.1.0
         with:
           junit-test-output: "${{ inputs.multi-module && 'trivy-gha-scan/build/test-results/trivy.xml' || 'build/test-results/trivy.xml' }}" # added to unit test report