Added code-compliance workflow

exceptionfactory · Jan 8, 2025 · 9405c25 · 9405c25
1 parent 34dad34
commit 9405c25
Show file tree

Hide file tree

Showing 2 changed files with 110 additions and 50 deletions.
diff --git a/.github/workflows/ci-workflow.yml b/.github/workflows/ci-workflow.yml
@@ -49,60 +49,10 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  security-events: write
   contents: read
   pull-requests: read
 
 jobs:
-  static-analysis:
-    timeout-minutes: 120
-    name: Static Analysis
-    runs-on: ubuntu-latest
-    steps:
-      - name: Clear Disk Space
-        run: |
-          sudo rm -rf /usr/share/dotnet
-          sudo rm -rf /opt/ghc
-          sudo rm -rf "/usr/local/share/boost"
-          sudo rm -rf /usr/local/lib/android
-      - name: Checkout Code
-        uses: actions/checkout@v4
-      - name: Cache Maven Modules
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.m2/repository
-          # Cache Maven modules using a cache key different from setup-java steps
-          key: ${{ runner.os }}-maven-static-analysis-${{ hashFiles('**/pom.xml') }}
-      - name: Set up Java 21
-        uses: actions/setup-java@v4
-        with:
-          distribution: 'zulu'
-          java-version: '21'
-      - name: Maven Build
-        run: >
-          ${{ env.MAVEN_COMMAND }}
-          validate
-          --no-snapshot-updates
-          --no-transfer-progress
-          --fail-fast
-          -P contrib-check
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
-        with:
-          languages: java
-      - name: Maven Compile
-        env:
-          MAVEN_OPTS: >-
-            ${{ env.COMPILE_MAVEN_OPTS }}
-        # Run PMD Check with compile phase to resolve modules
-        run: >
-          ${{ env.MAVEN_COMMAND }}
-          pmd:check
-          ${{ env.MAVEN_COMPILE_COMMAND }}
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
-
   ubuntu-build-en:
     timeout-minutes: 120
     runs-on: ubuntu-latest

diff --git a/.github/workflows/code-compliance.yml b/.github/workflows/code-compliance.yml
@@ -0,0 +1,110 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: code-compliance
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *"
+  pull_request:
+  push:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  security-events: write
+  contents: write
+  pull-requests: read
+
+env:
+  DEFAULT_MAVEN_OPTS: >-
+    -Xms6g
+    -Xmx6g
+    -Dorg.slf4j.simpleLogger.defaultLogLevel=WARN
+
+jobs:
+  validate:
+    timeout-minutes: 60
+    name: Validate
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+      - name: Set up Java 21
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'zulu'
+          java-version: '21'
+          cache: 'maven'
+      - name: Maven Validate
+        run: >
+          ./mvnw
+          --show-version
+          --no-snapshot-updates
+          --no-transfer-progress
+          --fail-fast
+          --activate-profiles contrib-check
+          validate
+
+  package:
+    timeout-minutes: 120
+    name: Package
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+      - name: Set up Java 21
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'zulu'
+          java-version: '21'
+          cache: 'maven'
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: java
+      - name: Maven Package
+        env:
+          MAVEN_OPTS: >-
+            ${{ env.DEFAULT_MAVEN_OPTS }}
+        run: >
+          ./mvnw
+          --show-version
+          --no-snapshot-updates
+          --no-transfer-progress
+          --fail-fast
+          -DskipTests
+          pmd:check
+          package
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+      - name: Get Project Version
+        run: echo "PROJECT_VERSION=$(./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_ENV
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          format: spdx-json
+          path: ''
+          file: nifi-assembly/target/nifi-${{ env.PROJECT_VERSION }}-bin.zip
+          artifact-name: nifi-${{ env.PROJECT_VERSION }}.spdx.json
+          output-file: nifi-${{ env.PROJECT_VERSION }}.spdx.json
+      - name: Scan SBOM
+        uses: anchore/scan-action@v6
+        with:
+          sbom: nifi-${{ env.PROJECT_VERSION }}.spdx.json
+          fail-build: false