feat: add dependency review for java gradle dependencies (#114)
* feat: add dependency review for java gradle dependencies

* chore: bump self-dependencies
nepalevov authored Nov 18, 2024
1 parent 1e3f3b8 commit c677fbe
Showing 17 changed files with 177 additions and 53 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/generic_docker_pr.yml
Expand Up @@ -56,7 +56,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
lfs: true
- uses: epam/ai-dial-ci/actions/build_docker@1.9.5
- uses: epam/ai-dial-ci/actions/build_docker@1.10.0
with:
image_name: ghcr.io/${{ env.IMAGE_NAME }}
image_tag: test
8 changes: 4 additions & 4 deletions .github/workflows/generic_docker_release.yml
Expand Up @@ -65,7 +65,7 @@ jobs:
is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
steps:
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.5
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.10.0
id: semantic_versioning

release:
Expand All @@ -78,14 +78,14 @@ jobs:
- calculate_version
- test
steps:
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.5
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.10.0
with:
latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
lfs: true
token: ${{ secrets.ACTIONS_BOT_TOKEN }}
- uses: epam/ai-dial-ci/actions/build_docker@1.9.5
- uses: epam/ai-dial-ci/actions/build_docker@1.10.0
with:
ghcr_username: ${{ github.actor }}
ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
Expand All @@ -102,7 +102,7 @@ jobs:
${{ github.ref == 'refs/heads/development' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'development') || ''}}
${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}:{1}', env.IMAGE_NAME, 'latest') || ''}}
${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'latest') || ''}}
- uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.5
- uses: epam/ai-dial-ci/actions/publish_tag_release@1.10.0
with:
tag_version: ${{ needs.calculate_version.outputs.next_version }}
changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify
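--- /dev/null
+++ b/.github/workflows/java_dependency_review.yml
@@ -0,0 +1,66 @@
+name: Dependency Review
+
+on:
+workflow_call:
+inputs:
+java_version:
+type: string
+default: "17"
+description: Java version to use
+java_distribution:
+type: string
+default: "temurin"
+description: Java distribution to use
+secrets:
+ACTIONS_BOT_TOKEN:
+required: true
+
+# decrease from default read/write
+permissions:
+contents: read
+
+jobs:
+dependency-submission:
+runs-on: ubuntu-latest
+permissions:
+contents: write # to submit dependency graph
+steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+disable-sudo: true
+egress-policy: block
+allowed-endpoints: >
+api.deps.dev:443
+api.github.com:443
+api.securityscorecards.dev:443
+github.com:443
+github-cloud.githubusercontent.com:443
+*.gradle.org:443
+repo.maven.apache.org:443
+- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+with:
+lfs: true
+persist-credentials: false
+ref: ${{ github.event.pull_request.head.sha }}
+- uses: epam/ai-dial-ci/actions/[email protected]
+with:
+java_version: ${{ inputs.java_version }}
+java_distribution: ${{ inputs.java_distribution }}
+- uses: gradle/actions/dependency-submission@d156388eb19639ec20ade50009f3d199ce1e2808 # v4.1.0
+env:
+GITHUB_DEPENDENCY_GRAPH_REF: "refs/heads/${{ github.event.pull_request.head.ref }}"
+GITHUB_DEPENDENCY_GRAPH_SHA: ${{ github.event.pull_request.head.sha }}
+- id: dependency-review
+uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0
+with:
+retry-on-snapshot-warnings: true
+retry-on-snapshot-warnings-timeout: 600
+- if: ${{ steps.dependency-review.outputs.comment-content != null }}
+# Use separate action to comment because the original one can't do it without PR context
+uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
+with:
+number: ${{ github.event.pull_request.number }}
+header: dependency-analysis
+message: ${{ steps.dependency-review.outputs.comment-content }}
+GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }}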
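Review bot: The reusable workflow never documents which caller trigger it is safe under, yet its `gradle/actions/dependency-submission` step evaluates the Gradle build configuration of the checked-out PR head (`ref: ${{ github.event.pull_request.head.sha }}`) in a job that holds `contents: write` and has `secrets.ACTIONS_BOT_TOKEN` in scope; `persist-credentials: false` limits what a build script can reach, but only if the caller invokes this from a `pull_request` workflow rather than `pull_request_target`, which is not visible here. I would record that contract at the top of the file, e.g. `# Call only from a pull_request-triggered workflow: the dependency-submission step runs the PR head's Gradle configuration and must never be wired to pull_request_target.` Two smaller points: the checkout pin here (`eef61447…`, v4.2.1) lags the v4.2.2 pin (`11bd7190…`) used in every other workflow this commit touches, and `GITHUB_DEPENDENCY_GRAPH_REF: "refs/heads/${{ github.event.pull_request.head.ref }}"` names a branch that presumably does not exist in the base repository for fork PRs, which deserves a comment stating whether that is intended.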
4 changes: 2 additions & 2 deletions .github/workflows/java_pr.yml
Expand Up @@ -76,7 +76,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
lfs: true
- uses: epam/ai-dial-ci/actions/java_prepare@1.9.5
- uses: epam/ai-dial-ci/actions/java_prepare@1.10.0
with:
java_version: ${{ inputs.java_version }}
java_distribution: ${{ inputs.java_distribution }}
Expand All @@ -88,7 +88,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
lfs: true
- uses: epam/ai-dial-ci/actions/build_docker@1.9.5
- uses: epam/ai-dial-ci/actions/build_docker@1.10.0
with:
image_name: ghcr.io/${{ env.IMAGE_NAME }}
image_tag: test
11 changes: 6 additions & 5 deletions .github/workflows/java_release.yml
Expand Up @@ -77,7 +77,7 @@ jobs:
is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
steps:
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.5
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.10.0
id: semantic_versioning

release:
Expand All @@ -90,22 +90,22 @@ jobs:
- calculate_version
- test
steps:
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.5
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.10.0
with:
latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
lfs: true
token: ${{ secrets.ACTIONS_BOT_TOKEN }}
- uses: epam/ai-dial-ci/actions/java_prepare@1.9.5
- uses: epam/ai-dial-ci/actions/java_prepare@1.10.0
with:
java_version: ${{ inputs.java_version }}
java_distribution: ${{ inputs.java_distribution }}
- name: Set version
shell: bash
run: |
sed -i -E "s/^([ \t]*version[ \t]*=[ \t]*)[\"'].*[\"']/\1\"${{ needs.calculate_version.outputs.next_version }}\"/g" build.gradle
- uses: epam/ai-dial-ci/actions/build_docker@1.9.5
- uses: epam/ai-dial-ci/actions/build_docker@1.10.0
with:
ghcr_username: ${{ github.actor }}
ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
Expand All @@ -122,7 +122,8 @@ jobs:
${{ github.ref == 'refs/heads/development' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'development') || ''}}
${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}:{1}', env.IMAGE_NAME, 'latest') || ''}}
${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'latest') || ''}}
- uses: epam/ai-dial-ci/actions/[email protected]
- uses: gradle/actions/dependency-submission@d156388eb19639ec20ade50009f3d199ce1e2808 # v4.1.0
- uses: epam/ai-dial-ci/actions/[email protected]
with:
tag_version: ${{ needs.calculate_version.outputs.next_version }}
changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify
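Review bot: The new `gradle/actions/dependency-submission` step is added without a name or comment, while submitting to the dependency graph API needs `contents: write` on the release job; the job's `permissions:` block lies outside this hunk, so I cannot confirm it grants that, and the java_dependency_review.yml workflow in this same commit grants it explicitly for the same reason. I would label the step so the requirement is visible where it applies, e.g. `- name: Submit dependency graph  # requires contents: write on this job` above the `uses:` line. Note also that the step resolves the build after `Set version` has rewritten `build.gradle`, which is presumably the version meant to be recorded but is worth stating in that comment. The release job's step list starts outside the hunk.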
4 changes: 2 additions & 2 deletions .github/workflows/java_test.yml
Expand Up @@ -52,7 +52,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
lfs: true
- uses: epam/ai-dial-ci/actions/java_prepare@1.9.5
- uses: epam/ai-dial-ci/actions/java_prepare@1.10.0
with:
java_version: ${{ inputs.java_version }}
java_distribution: ${{ inputs.java_distribution }}
Expand All @@ -69,7 +69,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
lfs: true
- uses: epam/ai-dial-ci/actions/java_prepare@1.9.5
- uses: epam/ai-dial-ci/actions/java_prepare@1.10.0
with:
java_version: ${{ inputs.java_version }}
java_distribution: ${{ inputs.java_distribution }}
2 changes: 1 addition & 1 deletion .github/workflows/node_pr.yml
Expand Up @@ -81,7 +81,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
lfs: true
- uses: epam/ai-dial-ci/actions/build_docker@1.9.5
- uses: epam/ai-dial-ci/actions/build_docker@1.10.0
with:
image_name: ghcr.io/${{ env.IMAGE_NAME }}
image_tag: test
10 changes: 5 additions & 5 deletions .github/workflows/node_release.yml
Expand Up @@ -86,7 +86,7 @@ jobs:
is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
steps:
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.5
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.10.0
id: semantic_versioning

release:
Expand All @@ -99,14 +99,14 @@ jobs:
- calculate_version
- test
steps:
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.5
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.10.0
with:
latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
lfs: true
token: ${{ secrets.ACTIONS_BOT_TOKEN }}
- uses: epam/ai-dial-ci/actions/node_prepare@1.9.5
- uses: epam/ai-dial-ci/actions/node_prepare@1.10.0
with:
node_version: ${{ inputs.node_version }}
clean_install: true
Expand All @@ -115,7 +115,7 @@ jobs:
shell: bash
run: |
npm version ${{ needs.calculate_version.outputs.next_version }} --no-git-tag-version || true # upstream branch may already be updated
- uses: epam/ai-dial-ci/actions/build_docker@1.9.5
- uses: epam/ai-dial-ci/actions/build_docker@1.10.0
with:
ghcr_username: ${{ github.actor }}
ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
Expand Down Expand Up @@ -155,7 +155,7 @@ jobs:
IS_LATEST: ${{ needs.calculate_version.outputs.is_latest == 'true' }}
IS_DEVELOPMENT_BRANCH: ${{ github.ref == 'refs/heads/development' }}
IS_RELEASE_BRANCH: ${{ startsWith(github.ref, 'refs/heads/release-') }}
- uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.5
- uses: epam/ai-dial-ci/actions/publish_tag_release@1.10.0
with:
tag_version: ${{ needs.calculate_version.outputs.next_version }}
changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify
6 changes: 3 additions & 3 deletions .github/workflows/node_test.yml
Expand Up @@ -56,7 +56,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
lfs: true
- uses: epam/ai-dial-ci/actions/node_prepare@1.9.5
- uses: epam/ai-dial-ci/actions/node_prepare@1.10.0
with:
node_version: ${{ inputs.node_version }}
clean_install: "true"
Expand All @@ -73,7 +73,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
lfs: true
- uses: epam/ai-dial-ci/actions/node_prepare@1.9.5
- uses: epam/ai-dial-ci/actions/node_prepare@1.10.0
with:
node_version: ${{ inputs.node_version }}
clean_install: "true"
Expand All @@ -90,7 +90,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
lfs: true
- uses: epam/ai-dial-ci/actions/node_prepare@1.9.5
- uses: epam/ai-dial-ci/actions/node_prepare@1.10.0
with:
node_version: ${{ inputs.node_version }}
clean_install: "true"
2 changes: 1 addition & 1 deletion .github/workflows/python_docker_pr.yml
Expand Up @@ -71,7 +71,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
lfs: true
- uses: epam/ai-dial-ci/actions/build_docker@1.9.5
- uses: epam/ai-dial-ci/actions/build_docker@1.10.0
with:
image_name: ghcr.io/${{ env.IMAGE_NAME }}
image_tag: test
8 changes: 4 additions & 4 deletions .github/workflows/python_docker_release.yml
Expand Up @@ -73,7 +73,7 @@ jobs:
is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
steps:
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.5
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.10.0
id: semantic_versioning

release:
Expand All @@ -86,7 +86,7 @@ jobs:
- calculate_version
- test
steps:
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.5
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.10.0
with:
latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Expand All @@ -97,7 +97,7 @@ jobs:
shell: bash
run: |
sed -i "s/^version = .*/version = \"${{ needs.calculate_version.outputs.non_semver_next_version }}\"/g" pyproject.toml
- uses: epam/ai-dial-ci/actions/build_docker@1.9.5
- uses: epam/ai-dial-ci/actions/build_docker@1.10.0
with:
ghcr_username: ${{ github.actor }}
ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
Expand All @@ -114,7 +114,7 @@ jobs:
${{ github.ref == 'refs/heads/development' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'development') || ''}}
${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}:{1}', env.IMAGE_NAME, 'latest') || ''}}
${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'latest') || ''}}
- uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.5
- uses: epam/ai-dial-ci/actions/publish_tag_release@1.10.0
with:
tag_version: ${{ needs.calculate_version.outputs.next_version }}
changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify
4 changes: 2 additions & 2 deletions .github/workflows/python_docker_test.yml
Expand Up @@ -48,7 +48,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
lfs: true
- uses: epam/ai-dial-ci/actions/python_prepare@1.9.5
- uses: epam/ai-dial-ci/actions/python_prepare@1.10.0
with:
python_version: ${{ inputs.python_version }}
- name: Test
Expand All @@ -64,7 +64,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
lfs: true
- uses: epam/ai-dial-ci/actions/python_prepare@1.9.5
- uses: epam/ai-dial-ci/actions/python_prepare@1.10.0
with:
python_version: ${{ inputs.python_version }}
- name: Test
2 changes: 1 addition & 1 deletion .github/workflows/python_package_pr.yml
Expand Up @@ -78,7 +78,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
lfs: true
- uses: epam/ai-dial-ci/actions/python_prepare@1.9.5
- uses: epam/ai-dial-ci/actions/python_prepare@1.10.0
with:
python_version: ${{ inputs.python_version }}
- run: make build
8 changes: 4 additions & 4 deletions .github/workflows/python_package_release.yml
Expand Up @@ -75,7 +75,7 @@ jobs:
non_semver_next_version: ${{ steps.semantic_versioning.outputs.non_semver_next_version }}
latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
steps:
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.5
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.10.0
id: semantic_versioning

release:
Expand All @@ -88,14 +88,14 @@ jobs:
- calculate_version
- test
steps:
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.5
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.10.0
with:
latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
lfs: true
token: ${{ secrets.ACTIONS_BOT_TOKEN }}
- uses: epam/ai-dial-ci/actions/python_prepare@1.9.5
- uses: epam/ai-dial-ci/actions/python_prepare@1.10.0
with:
python_version: ${{ inputs.python_version }}
- name: Set version
Expand All @@ -109,7 +109,7 @@ jobs:
make publish
env:
PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
- uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.5
- uses: epam/ai-dial-ci/actions/publish_tag_release@1.10.0
with:
tag_version: ${{ needs.calculate_version.outputs.non_semver_next_version }}
changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify
4 changes: 2 additions & 2 deletions .github/workflows/python_package_test.yml
Expand Up @@ -72,7 +72,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
lfs: true
- uses: epam/ai-dial-ci/actions/python_prepare@1.9.5
- uses: epam/ai-dial-ci/actions/python_prepare@1.10.0
with:
python_version: ${{ inputs.python_version }}
- name: Test
Expand All @@ -92,7 +92,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
lfs: true
- uses: epam/ai-dial-ci/actions/python_prepare@1.9.5
- uses: epam/ai-dial-ci/actions/python_prepare@1.10.0
with:
python_version: ${{ matrix.python-version }}
- name: Test