fts-next/.github/workflows/analyze.yml at 04efae9aa0673335f7f0e80dfcc246faf1ec4b9f · medizininformatik-initiative/fts-next · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
name: Analyze

on:
  push:
    tags: [ "v*.*.*" ]
    branches: [ "main" ]
  pull_request:
    branches: [ "**" ]
  merge_group:
  branch_protection_rule:
  schedule:
  - cron: '15 7 * * 2'

# Declare default permissions as read only.
permissions: read-all

concurrency:
  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.ref || github.run_id }}
  cancel-in-progress: true

jobs:
  format:
    runs-on: ubuntu-24.04
    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
      with:
        egress-policy: audit

    - name: Checkout
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

    - name: Set up JDK 21
      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
      with:
        distribution: 'temurin'
        java-version: 21

    - name: Install google-java-format
      env:
        # renovate: datasource=github-release-attachments depName=google/google-java-format
        JAVA_FORMAT_VERSION: v1.35.0
        JAVA_FORMAT_CHECKSUM: bfb7f9ead6cd328389bc2da53860443bc0e805dfd08cc889bfdf43b26cb2a6e8
      run: .github/scripts/install-google-java-format.sh

    - name: Format Java files
      env:
        JAVA_TOOL_OPTIONS: >-
          --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED
          --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED
          --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED
          --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED
          --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED
      run: |
        java -jar /tmp/google-java-format.jar --replace --set-exit-if-changed @<(find . -name "*.java")

    - name: Print diffs
      if: failure() || cancelled()
      run: git --no-pager diff

  lint:
    runs-on: ubuntu-24.04
    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
      with:
        egress-policy: audit

    - name: Checkout
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

    - name: Install Actionlint
      env:
        # Check the actionlint binary against a pinned checksum here, it must be updated accordingly
        # renovate: datasource=github-release-attachments depName=rhysd/actionlint
        ACTIONLINT_VERSION: v1.7.11
        ACTIONLINT_CHECKSUM: 900919a84f2229bac68ca9cd4103ea297abc35e9689ebb842c6e34a3d1b01b0a
      run: .github/scripts/install-actionlint.sh

    - name: Run Actionlint
      run: actionlint

  codeql:
    env:
      MAVEN_ARGS: -B -U -T1C -Dfts.retryTimeout=false
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Used in `settings.xml` generated by actions/setup-java
    permissions:
      security-events: write
    runs-on: ubuntu-24.04
    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
      with:
        egress-policy: audit

    - name: Checkout
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

    - name: Set up JDK 21
      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
      with:
        distribution: 'temurin'
        java-version: 21
        cache: 'maven'

    - name: Initialize CodeQL
      uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
      with:
        languages: java
        queries: security-and-quality

    - name: Build
      run: make compile

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0

  ossf-scorecard:
    runs-on: ubuntu-24.04
    if: github.ref_name == github.event.repository.default_branch || github.event_name == 'pull_request'
    permissions:
      security-events: write
      id-token: write
    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
      with:
        egress-policy: audit

    - name: Checkout
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

    - name: Run analysis
      uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
      with:
        results_file: results.sarif
        results_format: sarif
        publish_results: ${{ github.ref_name == github.event.repository.default_branch }}

  dependency-review:
    runs-on: ubuntu-24.04
    permissions:
      contents: write
      pull-requests: write
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Used in `settings.xml` generated by actions/setup-java
    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
      with:
        egress-policy: audit

    - name: Checkout
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

    - name: Set up JDK 21
      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
      with:
        distribution: 'temurin'
        java-version: 21
        cache: 'maven'

    - name: Submit Dependency Tree
      uses: advanced-security/maven-dependency-submission-action@b275d12641ac2d2108b2cbb7598b154ad2f2cee8 # v5