chore(deps): update dependency com.fasterxml.jackson:jackson-bom to v… #36
# cid-workflow-version: 0.0.24
# This file is generated by the CID Workflow GitHub App.
# DO NOT EDIT!

# Workflow name as displayed in the Actions UI.
name: CID - DefaultBranch

# Triggers: a manual run with a selectable log level, and pushes to `main` or
# to version tags. `paths-ignore` lists files whose changes alone do not start
# a run.
on:
  workflow_dispatch:
    inputs:
      loglevel:
        description: Log level
        required: true
        default: info
        type: choice
        options:
          - debug
          - info
          - warn
          - error
  push:
    branches:
      - main
    tags:
      - 'v*.*.*'
    paths-ignore:
      - README.md
      - LICENSE
      - .gitignore
      - .editorconfig
      - renovate.json

# Default GITHUB_TOKEN scopes for every job: read-only on `actions` and
# `contents`, everything else switched off. A job that declares its own
# `permissions` block replaces this one, and any scope it does not list is
# then `none` for that job.
# See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
# and https://docs.github.com/en/rest/overview/permissions-required-for-github-apps
permissions:
  actions: read  # detection of GitHub Actions environment
  checks: none
  contents: read
  deployments: none
  id-token: none
  issues: none
  packages: none
  pages: none
  pull-requests: none
  repository-projects: none
  security-events: none
  statuses: none

# One active run per workflow and ref: a newer run cancels the one in progress.
concurrency:
  group: "${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
  cancel-in-progress: true
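# Workflow-level environment, visible to every job through the `env` context.
env:
  CID_WORKFLOW: main
  # NOTE(review): `latest` is a floating reference, unlike the SHA-pinned
  # actions this workflow uses. Presumably the cid setup action resolves it to
  # the newest cid release at run time, so the tool that later receives the
  # publish secrets can change between runs. Prefer an exact version here.
  CID_VERSION: latest
  # Log level chosen on manual dispatch; push-triggered runs fall back to info.
  CID_LOGLEVEL: ${{ github.event.inputs.loglevel || 'info' }}
  # allowed modes are 'block' and 'audit'. Using https://github.com/step-security/harden-runner to harden the runner.
  EGRESS_POLICY: block
  # allowed endpoints for egress traffic if egress-policy is set to 'block'.
  # Folded scalar: the entries are joined with single spaces. This base list is
  # applied to every job; the per-stage lists below are appended to it.
  # NOTE(review): jcenter.bintray.com has been sunset; confirm the build still
  # needs it and drop it otherwise, to keep the allow-list minimal.
  EGRESS_POLICY_ALLOWED_ENDPOINTS: >-
    api.github.com:443
    cdn01.quay.io:443
    cdn02.quay.io:443
    cdn03.quay.io:443
    codeload.github.com:443
    downloads.gradle.org:443
    github.com:443
    jcenter.bintray.com:443
    kotlinlang.org:443
    objects.githubusercontent.com:443
    plugins-artifacts.gradle.org:443
    plugins.gradle.org:443
    quay.io:443
    raw.githubusercontent.com:443
    repo.maven.apache.org:443
    repo1.maven.org:443
    services.gradle.org:443
    uploads.github.com:443
  EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: ""
  EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: ""
  # Extra endpoints for the scan stage only (SonarCloud, Semgrep).
  EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN: >-
    api.sonarcloud.io:443
    scanner.sonarcloud.io:443
    semgrep.dev:443
    sonarcloud.io:443
  EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE: ""
  # Extra endpoints for the publish stage only.
  # maven.pkg.github.com was the only entry without an explicit port; it now
  # carries :443 like the rest, so the allow-list is uniformly host:port.
  EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH: >-
    maven.pkg.github.com:443
    oss.sonatype.org:443
    s01.oss.sonatype.org:443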
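# jobs
jobs:
  # info: diagnostic job, runs only when a manual dispatch selects the `debug`
  # log level. It lists the project modules, the catalog and the workflows.
  info:
    name: Info
    runs-on: ubuntu-22.04  # https://github.com/actions/runner-images
    timeout-minutes: 30
    if: ${{ github.event.inputs.loglevel == 'debug' }}
    steps:
      # First step, so the egress policy is in place before anything else runs.
      - name: Harden Runner
        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde  # v2.9.1
        with:
          disable-telemetry: true
          disable-sudo: true
          egress-policy: ${{ env.EGRESS_POLICY }}
          allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }}
      - name: prepare environment
        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1  # v0.1.0
        with:
          version: ${{ env.CID_VERSION }}
      - name: checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
        with:
          fetch-depth: 0
      - name: info
        env:
          CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
        # The log level reaches the shell through an environment variable, not
        # through inline ${{ }} interpolation; the expansion is quoted so the
        # value stays a single argument.
        run: |
          echo "> project modules"
          cid "--log-level=${CID_LOGLEVEL:-info}" module ls
          echo "> catalog"
          cid "--log-level=${CID_LOGLEVEL:-info}" catalog list
          echo "> workflows"
          cid "--log-level=${CID_LOGLEVEL:-info}" workflow ls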
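# build: runs the cid `build` stage and uploads `.dist` as a one-day artifact.
  build:
    name: Build
    runs-on: ubuntu-22.04  # https://github.com/actions/runner-images
    # This job-level block replaces the workflow-level permissions, so every
    # scope not listed here (including `contents` and `actions`) is `none`.
    # NOTE(review): checkout of a private repository would need
    # `contents: read` - confirm.
    # `id-token: write` lets any step in this job request an OIDC token.
    permissions:
      id-token: write  # provenance signing
    timeout-minutes: 30
    steps:
      # First step, so the egress policy is in place before the build runs.
      - name: Harden Runner
        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde  # v2.9.1
        with:
          disable-telemetry: true
          disable-sudo: true
          egress-policy: ${{ env.EGRESS_POLICY }}
          allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD }}
      - name: prepare environment
        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1  # v0.1.0
        with:
          version: ${{ env.CID_VERSION }}
      - name: checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
        with:
          fetch-depth: 0
      - name: build
        env:
          CID_WORKFLOW: ${{ env.CID_WORKFLOW }}
          CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
        # Both values are passed through the environment and quoted, so each
        # stays a single shell argument.
        run: |
          cid "--log-level=${CID_LOGLEVEL:-info}" workflow run "$CID_WORKFLOW" --stage build
      # The artifact name is keyed on the run id, so later jobs of the same run
      # fetch exactly this upload. An empty `.dist` is not an error.
      - name: upload artifacts
        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a  # v4.3.6
        with:
          name: build-${{ github.run_id }}
          path: .dist
          retention-days: 1
          if-no-files-found: ignore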
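# test: runs the cid `test` stage and uploads `.dist` as a one-day artifact.
  test:
    name: Test
    runs-on: ubuntu-22.04  # https://github.com/actions/runner-images
    timeout-minutes: 30
    # No job-level permissions: the workflow-level defaults apply.
    steps:
      # First step, so the egress policy is in place before the tests run.
      - name: Harden Runner
        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde  # v2.9.1
        with:
          disable-telemetry: true
          disable-sudo: true
          egress-policy: ${{ env.EGRESS_POLICY }}
          allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST }}
      - name: prepare environment
        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1  # v0.1.0
        with:
          version: ${{ env.CID_VERSION }}
      - name: checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
        with:
          fetch-depth: 0
      - name: test
        env:
          CID_WORKFLOW: ${{ env.CID_WORKFLOW }}
          CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
        # Both values are passed through the environment and quoted, so each
        # stays a single shell argument.
        run: |
          cid "--log-level=${CID_LOGLEVEL:-info}" workflow run "$CID_WORKFLOW" --stage test
      # Keyed on the run id; an empty `.dist` is not an error.
      - name: upload artifacts
        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a  # v4.3.6
        with:
          name: test-${{ github.run_id }}
          path: .dist
          retention-days: 1
          if-no-files-found: ignore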
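# scan: runs the cid `scan` stage on the build and test outputs.
  scan:
    name: Scan
    runs-on: ubuntu-22.04  # https://github.com/actions/runner-images
    needs: [build, test]
    # This job-level block replaces the workflow-level permissions, so every
    # scope not listed here is `none`.
    permissions:
      security-events: write
    timeout-minutes: 30
    steps:
      # First step, so the egress policy is in place before scanners run.
      # The scan stage adds the SonarCloud and Semgrep endpoints.
      - name: Harden Runner
        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde  # v2.9.1
        with:
          disable-telemetry: true
          disable-sudo: true
          egress-policy: ${{ env.EGRESS_POLICY }}
          allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN }}
      - name: prepare environment
        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1  # v0.1.0
        with:
          version: ${{ env.CID_VERSION }}
      - name: checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
        with:
          fetch-depth: 0
      # The uploads ignore an empty `.dist`, so either artifact may be absent;
      # the downloads are therefore allowed to fail.
      - name: download artifacts > build
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16  # v4.1.8
        with:
          name: build-${{ github.run_id }}
          path: .dist
        continue-on-error: true
      - name: download artifacts > test
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16  # v4.1.8
        with:
          name: test-${{ github.run_id }}
          path: .dist
        continue-on-error: true
      # Secrets are scoped to this step only, not to the whole job.
      - name: scan
        env:
          CID_WORKFLOW: ${{ env.CID_WORKFLOW }}
          CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }}
        # The log level and workflow name are quoted so each stays a single
        # shell argument.
        run: |
          cid "--log-level=${CID_LOGLEVEL:-info}" workflow run "$CID_WORKFLOW" --stage scan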
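# package: runs the cid `package` stage on the build output.
  package:
    name: Package
    runs-on: ubuntu-22.04  # https://github.com/actions/runner-images
    needs: [build]
    # This job-level block replaces the workflow-level permissions, so every
    # scope not listed here is `none`. `id-token: write` lets any step in this
    # job request an OIDC token.
    permissions:
      id-token: write  # provenance signing
    timeout-minutes: 30
    steps:
      # First step, so the egress policy is in place before packaging runs.
      - name: Harden Runner
        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde  # v2.9.1
        with:
          disable-telemetry: true
          disable-sudo: true
          egress-policy: ${{ env.EGRESS_POLICY }}
          allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE }}
      - name: prepare environment
        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1  # v0.1.0
        with:
          version: ${{ env.CID_VERSION }}
      - name: checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
        with:
          fetch-depth: 0
      # The build upload ignores an empty `.dist`, so the artifact may be
      # absent; the download is therefore allowed to fail.
      - name: download artifacts > build
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16  # v4.1.8
        with:
          name: build-${{ github.run_id }}
          path: .dist
        continue-on-error: true
      - name: package
        env:
          CID_WORKFLOW: ${{ env.CID_WORKFLOW }}
          CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
        # Both values are passed through the environment and quoted, so each
        # stays a single shell argument.
        run: |
          cid "--log-level=${CID_LOGLEVEL:-info}" workflow run "$CID_WORKFLOW" --stage package
      # Keyed on the run id; an empty `.dist` is not an error.
      - name: upload artifacts
        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a  # v4.3.6
        with:
          name: package-${{ github.run_id }}
          path: .dist
          retention-days: 1
          if-no-files-found: ignore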
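# publish: runs the cid `publish` stage once package and scan have succeeded.
  publish:
    name: Publish
    runs-on: ubuntu-22.04  # https://github.com/actions/runner-images
    needs: [package, scan]
    # This job-level block replaces the workflow-level permissions, so every
    # scope not listed here is `none`. This is the only job with write access
    # to repository contents and packages.
    permissions:
      # create release
      contents: write
      # publish packages
      packages: write
    # Skips refs under refs/pull/. This workflow's own triggers are push and
    # workflow_dispatch only.
    if: startsWith(github.ref, 'refs/pull/') == false
    timeout-minutes: 30
    steps:
      # First step, so the egress policy is in place before any secret is
      # used. The publish stage adds the package registry endpoints.
      - name: Harden Runner
        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde  # v2.9.1
        with:
          disable-telemetry: true
          disable-sudo: true
          egress-policy: ${{ env.EGRESS_POLICY }}
          allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH }}
      - name: prepare environment
        uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1  # v0.1.0
        with:
          version: ${{ env.CID_VERSION }}
      - name: checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
        with:
          fetch-depth: 0
      # NOTE(review): with continue-on-error the job proceeds to the publish
      # step even when the package artifact could not be fetched. Confirm that
      # the cid publish stage fails closed on a missing or empty `.dist`.
      - name: download artifacts > package
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16  # v4.1.8
        with:
          name: package-${{ github.run_id }}
          path: .dist
        continue-on-error: true
      # Registry credentials and the GPG signing key are scoped to this step
      # only, not to the whole job.
      - name: publish
        env:
          CID_WORKFLOW: ${{ env.CID_WORKFLOW }}
          CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          MAVEN_REPO_URL: ${{ secrets.MAVEN_REPO_URL }}
          MAVEN_REPO_USERNAME: ${{ secrets.MAVEN_REPO_USERNAME }}
          MAVEN_REPO_PASSWORD: ${{ secrets.MAVEN_REPO_PASSWORD }}
          MAVEN_GPG_SIGN_PRIVATEKEY: ${{ secrets.MAVEN_GPG_SIGN_PRIVATEKEY }}
          MAVEN_GPG_SIGN_PASSWORD: ${{ secrets.MAVEN_GPG_SIGN_PASSWORD }}
          MAVEN_GPG_SIGN_KEYID: ${{ secrets.MAVEN_GPG_SIGN_KEYID }}
        # The log level and workflow name are quoted so each stays a single
        # shell argument.
        run: |
          cid "--log-level=${CID_LOGLEVEL:-info}" workflow run "$CID_WORKFLOW" --stage publish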