From 4586a5dbf42262eb8847978c9b6d5800cd22946e Mon Sep 17 00:00:00 2001
From: Simon Templer
Date: Fri, 16 Aug 2024 15:54:53 +0200
Subject: [PATCH] feat(gradle-library): support skipping security scan

---
 .github/workflows/gradle-library-check.yml | 5 +++++
 .github/workflows/gradle-library-publish.yml | 5 +++++
 .github/workflows/gradle-library.yml | 9 ++++++++-
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/gradle-library-check.yml b/.github/workflows/gradle-library-check.yml
index 185e6c2..5e1574d 100644
--- a/.github/workflows/gradle-library-check.yml
+++ b/.github/workflows/gradle-library-check.yml
@@ -22,6 +22,10 @@ on:
 description: Custom ref to check out
 type: string
 default: ''
+ skip-scan:
+ description: If security scan and associated tasks should be skipped (e.g. in case no Gradle lock files are configured to be generated)
+ type: boolean
+ default: false
 secrets:
 WETF_ARTIFACTORY_USER:
 WETF_ARTIFACTORY_PASSWORD:
@@ -35,5 +39,6 @@ jobs:
 multi-module: ${{ inputs.multi-module }}
 expect-tests: ${{ inputs.expect-tests }}
 checkout-ref: ${{ inputs.checkout-ref }}
+ skip-scan: ${{ inputs.skip-scan }}
 notify-failure: false
 secrets: inherit
diff --git a/.github/workflows/gradle-library-publish.yml b/.github/workflows/gradle-library-publish.yml
index e400e53..d802f11 100644
--- a/.github/workflows/gradle-library-publish.yml
+++ b/.github/workflows/gradle-library-publish.yml
@@ -35,6 +35,10 @@ on:
 description: If semantic release should do a dryrun
 default: false
 type: boolean
+ skip-scan:
+ description: If security scan and associated tasks should be skipped (e.g. in case no Gradle lock files are configured to be generated)
+ type: boolean
+ default: false
 outputs:
 release-published:
 description: If a release was created
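Review bot: The `description` of the new `skip-scan` input is a single plain scalar well over 120 characters; writing it as a folded block, `description: >-` with the sentence continued on indented lines, keeps it within yamllint's line-length limit without changing the rendered text. The identical line is added in gradle-library-publish.yml (hunk @@ -35) and gradle-library.yml (hunk @@ -62), so the same reformat applies there. Because this input only forwards to the reusable workflow, the description should also say that the vulnerability scan step itself is skipped, not only lockfile generation, so callers know exactly what they opt out of; `default: false` is the right default, keeping the scan on unless a caller explicitly disables it.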
@@ -59,6 +63,7 @@ jobs:
 multi-module: ${{ inputs.multi-module }}
 expect-tests: ${{ inputs.expect-tests }}
 checkout-ref: ${{ inputs.checkout-ref }}
+ skip-scan: ${{ inputs.skip-scan }}
 semantic-release: ${{ inputs.semantic-release }}
 semantic-release-dryrun: ${{ inputs.semantic-release-dryrun }}
 secrets: inherit
diff --git a/.github/workflows/gradle-library.yml b/.github/workflows/gradle-library.yml
index a0659c2..2bd0d5f 100644
--- a/.github/workflows/gradle-library.yml
+++ b/.github/workflows/gradle-library.yml
@@ -62,6 +62,10 @@ on:
 description: If this is a multi-module project
 type: boolean
 default: false
+ skip-scan:
+ description: If security scan and associated tasks should be skipped (e.g. in case no Gradle lock files are configured to be generated)
+ type: boolean
+ default: false
 checkout-ref:
 description: Custom ref to check out
 type: string
@@ -118,6 +122,7 @@ jobs:
 uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3.5.0
 - name: Write dependency lockfile for security scan
+ if: ${{ !inputs.skip-scan }}
 env:
 ORG_GRADLE_PROJECT_wetfArtifactoryUser: ${{ secrets.WETF_ARTIFACTORY_USER }}
 ORG_GRADLE_PROJECT_wetfArtifactoryPassword: ${{ secrets.WETF_ARTIFACTORY_PASSWORD }}
@@ -125,7 +130,7 @@ jobs:
 run: ./gradlew dependencies --write-locks
 - name: Write dependency lockfile for security scan (submodules)
- if: ${{ inputs.multi-module }}
+ if: ${{ !inputs.skip-scan && inputs.multi-module }}
 env:
 ORG_GRADLE_PROJECT_wetfArtifactoryUser: ${{ secrets.WETF_ARTIFACTORY_USER }}
 ORG_GRADLE_PROJECT_wetfArtifactoryPassword: ${{ secrets.WETF_ARTIFACTORY_PASSWORD }}
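Review bot: Once `if: ${{ !inputs.skip-scan }}` gates the lockfile step, nothing in the run records that the dependency scan was bypassed; the job ends green and the omission is visible only as greyed-out steps in the step list. A step placed before this one, `- name: Note skipped security scan` with `if: ${{ inputs.skip-scan }}` and `run: echo "::warning::skip-scan is set; dependency lockfile generation and the vulnerability scan are skipped for this run"`, surfaces the opt-out as a run annotation that reviewers and audits can see. The same gate is repeated on the submodule step in the next hunk (@@ -125) and on the scan steps in @@ -173, so one warning step covers all of them. The enclosing job's step list continues outside this hunk.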
@@ -173,9 +178,11 @@ jobs:
 #
 - name: Make sure test-results folder exists
+ if: ${{ !inputs.skip-scan }}
 run: mkdir -p ${{ inputs.multi-module && 'trivy-gha-scan/build/test-results' || 'build/test-results' }}
 - name: Vulnerability scan
+ if: ${{ !inputs.skip-scan }}
 uses: wetransform/gha-trivy@8915cc9f5106f6683462a6eec9d093649e50a345 # v2.1.0
 with:
 junit-test-output: "${{ inputs.multi-module && 'trivy-gha-scan/build/test-results/trivy.xml' || 'build/test-results/trivy.xml' }}" # added to unit test report
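Review bot: When `skip-scan` is set, neither the `Make sure test-results folder exists` step nor the scan runs, so no `trivy.xml` is written and, in the multi-module case, the `trivy-gha-scan/build/test-results` directory is never created. The inline comment `# added to unit test report` implies a later step collects that file, and that step is outside this hunk, so it is worth confirming it tolerates the missing file and directory rather than failing, and that a report without the scan entry is not mistaken for a clean scan. A comment on the `Vulnerability scan` step, `# skipped when skip-scan is set; no trivy.xml is produced for the test report`, would make that expectation explicit for whoever maintains the reporting step. The job's steps continue past this hunk.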