refactor config-server workflow

inspectIT · Dec 3, 2024 · 4a1cf80 · 4a1cf80
1 parent d5a1a1d
commit 4a1cf80
Show file tree

Hide file tree

Showing 5 changed files with 89 additions and 105 deletions.
diff --git a/.github/workflows/agent_security_check.yml b/.github/workflows/agent_security_check.yml
@@ -15,7 +15,6 @@ jobs:
         run: chmod +x gradlew
       - name: build
         run: ./gradlew :inspectit-ocelot-agent:assemble
-      # the action has not been updated a while, but it always uses the latest plugin version
       - name: Run DependencyCheck plugin
         uses: dependency-check/Dependency-Check_Action@main
         id: depcheck

diff --git a/.github/workflows/configurationserver-security_check.yml b/.github/workflows/configurationserver-security_check.yml
diff --git a/.github/workflows/configurationserver_security_check.yml b/.github/workflows/configurationserver_security_check.yml
@@ -0,0 +1,86 @@
+name: Automatic Security Check Configuration-Server
+
+on:
+  schedule:
+    - cron: "0 8 1,15 * *" # At 08:00 on day-of-month 1 and 15
+
+jobs:
+  security-check:
+    name: Security Check Configuration-Server
+    runs-on: ubuntu-latest
+    container: eclipse-temurin:17
+    steps:
+      - uses: actions/checkout@v3
+      - name: Grant execute permission for gradlew
+        run: chmod +x gradlew
+      - name: build Configuration-Server
+        run: ./gradlew :inspectit-ocelot-configurationserver:bootJarWithFrontend
+      - name: Run DependencyCheck Backend
+        uses: dependency-check/Dependency-Check_Action@main
+        id: depcheck
+        continue-on-error: true
+        with:
+          project: inspectIT/inspectit-ocelot-configuration-server
+          path: 'components/inspectit-ocelot-configurationserver'
+          format: 'HTML'
+          out: 'reports/configuration-server'
+          args: >
+            --disableAssembly
+            --disableNodeAudit
+            --nvdApiKey ${{ secrets.NVD_API_KEY }}
+            --nvdApiDelay 10000
+      - name: Run DependencyCheck UI
+        uses: dependency-check/Dependency-Check_Action@main
+        id: depcheck-ui
+        continue-on-error: true
+        with:
+          project: inspectIT/inspectit-ocelot-configuration-server-ui
+          path: 'components/inspectit-ocelot-configurationserver-ui'
+          format: 'HTML'
+          out: 'reports/configuration-server-ui'
+          args: >
+            --disableAssembly
+            --disableNodeAudit
+            --nvdApiKey ${{ secrets.NVD_API_KEY }}
+            --nvdApiDelay 10000
+      - name: build ConfigDocsGenerator
+        run: ./gradlew :inspectit-ocelot-configdocsgenerator:assemble
+      - name: Run DependencyCheck ConfigDocsGenerator
+        uses: dependency-check/Dependency-Check_Action@main
+        id: depcheck-docs
+        continue-on-error: true
+        with:
+          project: inspectIT/inspectit-ocelot-configdocsgenerator
+          path: 'components/inspectit-ocelot-configdocsgenerator'
+          format: 'HTML'
+          out: 'reports/configdocsgenerator'
+          args: >
+            --disableAssembly
+            --disableNodeAudit
+            --nvdApiKey ${{ secrets.NVD_API_KEY }}
+            --nvdApiDelay 10000
+      - name: Upload test results
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-check-report-ocelot-configurationserver
+          path: ${{ github.workspace }}/reports
+      - name: Set DependencyCheck status
+        run: |
+          if [ ${{ steps.depcheck.outcome == 'failure' || steps.depcheck-ui.outcome == 'failure' || steps.depcheck-docs.outcome == 'failure' }} == "true" ]; then
+            echo "DEP_CHECK_STATUS=failure" >> $GITHUB_ENV
+          else
+            echo "DEP_CHECK_STATUS=success" >> $GITHUB_ENV
+          fi
+      - name: Send Notification
+        uses: slackapi/[email protected]
+        with:
+          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+          webhook-type: incoming-webhook
+          payload: |
+            text: "*Ocelot-Configuration-Server Dependency-Check Report*: ${{ env.DEP_CHECK_STATUS }}\nPlease check the report here: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+      # if DependencyCheck failed, the job should also fail, but only after the results were uploaded
+      - name: Validate DependencyCheck outcome
+        if: ${{ env.DEP_CHECK_STATUS == 'failure' }}
+        run: |
+          echo "DependencyCheck failed"
+          exit 1
diff --git a/.github/workflows/configurationserver_test.yml b/.github/workflows/configurationserver_test.yml
@@ -41,9 +41,9 @@ jobs:
       - uses: actions/checkout@v3
       - name: Grant execute permission for gradlew
         run: chmod +x gradlew
-      - name: build Configuration-server
+      - name: build Configuration-Server
         run: ./gradlew :inspectit-ocelot-configurationserver:bootJarWithFrontend
-      - name: Run DependencyCheck plugin
+      - name: Run DependencyCheck
         uses: dependency-check/Dependency-Check_Action@main
         id: depcheck
         continue-on-error: true
@@ -57,44 +57,14 @@ jobs:
             --disableNodeAudit
             --nvdApiKey ${{ secrets.NVD_API_KEY }}
             --nvdApiDelay 10000
-      - name: Run DependencyCheck plugin
-        uses: dependency-check/Dependency-Check_Action@main
-        id: depcheck-ui
-        continue-on-error: true
-        with:
-          project: inspectIT/inspectit-ocelot-configuration-server-ui
-          path: 'components/inspectit-ocelot-configurationserver-ui'
-          format: 'HTML'
-          out: 'reports/configuration-server-ui'
-          args: >
-            --disableAssembly
-            --disableNodeAudit
-            --nvdApiKey ${{ secrets.NVD_API_KEY }}
-            --nvdApiDelay 10000
-      - name: build Configdocsgenerator
-        run: ./gradlew :inspectit-ocelot-configdocsgenerator:assemble
-      - name: Run DependencyCheck plugin
-        uses: dependency-check/Dependency-Check_Action@main
-        id: depcheck-docs
-        continue-on-error: true
-        with:
-          project: inspectIT/inspectit-ocelot-configdocsgenerator
-          path: 'components/inspectit-ocelot-configdocsgenerator'
-          format: 'HTML'
-          out: 'reports/configdocsgenerator'
-          args: >
-            --disableAssembly
-            --disableNodeAudit
-            --nvdApiKey ${{ secrets.NVD_API_KEY }}
-            --nvdApiDelay 10000
       - name: Upload test results
         uses: actions/upload-artifact@v4
         with:
           name: dependency-check-report-ocelot-configurationserver
           path: ${{ github.workspace }}/reports
       # if DependencyCheck failed, the job should also fail, but only after the results were uploaded
       - name: Validate DependencyCheck outcome
-        if: ${{ steps.depcheck.outcome == 'failure' || steps.depcheck-ui.outcome == 'failure' || steps.depcheck-docs.outcome == 'failure' }}
+        if: ${{ steps.depcheck.outcome == 'failure' }}
         run: |
           echo "DependencyCheck failed"
           exit 1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -35,28 +35,6 @@ jobs:
       - name: Calculate checksums of release artifacts
         working-directory: ./artifacts
         run: for f in *; do sha256sum "$f" >> inspectit-ocelot-sha256-checksums.txt; done
-      - name: Scan dependencies agent
-        uses: dependency-check/Dependency-Check_Action@main
-        with:
-          project: inspectIT/inspectit-ocelot-agent
-          path: 'inspectit-ocelot-agent'
-          format: 'HTML'
-          args: >
-            --disableAssembly
-            --disableNodeAudit
-            --nvdApiKey ${{ secrets.NVD_API_KEY }}
-            --nvdApiDelay 10000
-      - name: Scan dependencies configuration-server
-        uses: dependency-check/Dependency-Check_Action@main
-        with:
-          project: inspectIT/inspectit-ocelot-configuration-server
-          path: 'components/inspectit-ocelot-configurationserver'
-          format: 'HTML'
-          args: >
-            --disableAssembly
-            --disableNodeAudit
-            --nvdApiKey ${{ secrets.NVD_API_KEY }}
-            --nvdApiDelay 10000
       - name: "Get previous tag"
         id: previoustag
         # this gets the tag of the previous release based on the tags in the repo