[Backport 3.28] Fix CVE #4948
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Continuous integration | |
on: | |
push: | |
pull_request: | |
permissions: | |
actions: write | |
contents: write | |
jobs: | |
build: | |
name: Continuous integration | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 40 | |
if: "!startsWith(github.event.head_commit.message, '[skip ci] ')" | |
env: | |
SECRETS: ${{ secrets.SECRETS }} | |
steps: | |
- uses: actions/checkout@v2 | |
with: | |
fetch-depth: 0 | |
- name: Get tag | |
id: tag2 | |
uses: frabert/[email protected] | |
with: | |
pattern: 'refs/tags/(.*)' | |
string: '{{ github.ref }}' | |
replace-with: '$1' | |
if: "startsWith(github.ref, 'refs/tags/')" | |
- run: echo --${{ steps.tag2.outputs.replaced }}-- | |
- uses: camptocamp/initialise-gopass-summon-action@v2 | |
with: | |
ci-gpg-private-key: ${{secrets.CI_GPG_PRIVATE_KEY}} | |
github-gopass-ci-token: ${{secrets.GOPASS_CI_GITHUB_TOKEN}} | |
patterns: docker | |
if: env.SECRETS == 'TRUE' | |
- run: gpg --export-secret-keys --armor D121AF2DFA8E140688BD968930C9B913FD42EF13 > CI.asc | |
if: env.SECRETS == 'TRUE' | |
- id: tag | |
run: echo "##[set-output name=tag;]$(echo ${{ github.ref }}|sed 's%refs/tags/%%g')" | |
if: startsWith(github.ref, 'refs/tags/') | |
- run: sed --in-place 's/version = .*/version = "${{ steps.tag.outputs.tag }}"/g' build.gradle | |
if: startsWith(github.ref, 'refs/tags/') | |
- id: last-tag | |
run: echo "##[set-output name=tag;]$(git describe --tags --abbrev=0)" | |
if: "!startsWith(github.ref, 'refs/tags/')" | |
- id: no-tag | |
run: echo "##[set-output name=nb;]$(git log --oneline ${{ steps.last-tag.outputs.tag }}..HEAD|wc -l)" | |
if: "!startsWith(github.ref, 'refs/tags/')" | |
- run: sed --in-place 's/version = .*/version = "${{ steps.last-tag.outputs.tag }}"/g' build.gradle | |
if: "!startsWith(github.ref, 'refs/tags/') && steps.no-tag.outputs.nb == 0" | |
- run: | |
sed --in-place 's/version = .*/version = "${{ steps.last-tag.outputs.tag }}+${{ steps.no-tag.outputs.nb | |
}}"/g' build.gradle | |
if: "!startsWith(github.ref, 'refs/tags/') && steps.no-tag.outputs.nb > 0" | |
- run: echo "enablePublishing=true" > gradle.properties | |
if: env.SECRETS == 'TRUE' | |
- run: echo "${HOME}/.local/bin" >> ${GITHUB_PATH} | |
- run: python3 -m pip install --user --requirement=ci/requirements.txt | |
- name: Checks | |
run: c2cciutils-checks | |
- run: make build | |
- run: make acceptance-tests-up | |
- run: make acceptance-tests-run | |
# Extract artifacts | |
- run: docker run --rm --detach --name=builder mapfish_print_builder || true | |
if: always() | |
- run: docker cp builder:/src/core/build/ core/build/ || true | |
if: always() | |
- run: docker cp mapfish-print_tests_1:/src/examples/build/ examples/build/ || true | |
if: always() | |
- run: docker-compose logs || true | |
if: failure() | |
- run: make acceptance-tests-down | |
- run: mkdir -p core/build/resources/actual examples/build/reports core/build/reports examples/build/resources/test/examples | |
if: always() | |
- uses: actions/upload-artifact@v1 | |
with: | |
name: Test results | |
path: core/build/resources/actual | |
if-no-files-found: ignore | |
if: failure() | |
- uses: actions/upload-artifact@v1 | |
with: | |
name: Test generated | |
path: core/build/resources/test/org | |
if-no-files-found: ignore | |
if: failure() | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: Reports examples | |
path: examples/build/reports | |
if-no-files-found: ignore | |
if: failure() | |
- uses: actions/upload-artifact@v1 | |
with: | |
name: Reports core | |
path: core/build/reports | |
if-no-files-found: ignore | |
if: failure() | |
- uses: actions/upload-artifact@v1 | |
with: | |
name: Examples | |
path: examples/build/resources/test/examples | |
if-no-files-found: ignore | |
if: failure() | |
- name: Collect test results | |
run: | | |
mkdir -p /tmp/test_results/junit | |
find . -name '*TEST-*.xml' -exec cp -v {} /tmp/test_results/junit/ \; | |
if: failure() | |
- uses: actions/upload-artifact@v1 | |
with: | |
name: Test results | |
path: /tmp/test_results | |
if: failure() | |
- name: Publish | |
run: c2cciutils-publish | |
if: env.SECRETS == 'TRUE' | |
- run: git diff | |
- run: | |
docker run --rm --env=GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} mapfish_print_builder bash -c 'gradle | |
build && gradle publish' | |
if: ( startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/master' ) && env.SECRETS == 'TRUE' | |
- id: version | |
run: echo "##[set-output name=version;]$(grep version build.gradle|sed "s/ \+version = .\(.*\)./\1/g")" | |
- name: Create Release | |
id: create_release | |
uses: actions/create-release@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
tag_name: ${{ github.ref }} | |
release_name: Release ${{ steps.tag.outputs.tag }} | |
draft: false | |
prerelease: false | |
if: startsWith(github.ref, 'refs/tags/') && env.SECRETS == 'TRUE' | |
- name: Upload Release Asset | |
uses: actions/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} | |
asset_path: ./core/build/libs/print-servlet-${{ steps.version.outputs.version }}.war | |
asset_name: print-servlet-${{ steps.version.outputs.version }}.war | |
asset_content_type: application/java-archive | |
if: startsWith(github.ref, 'refs/tags/') && env.SECRETS == 'TRUE' | |
- name: Upload Release Asset | |
uses: actions/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} | |
asset_path: ./core/build/distributions/core-${{ steps.version.outputs.version }}.zip | |
asset_name: print-cli-${{ steps.version.outputs.version }}.zip | |
asset_content_type: application/zip | |
if: startsWith(github.ref, 'refs/tags/') && env.SECRETS == 'TRUE' | |
- name: Upload Release Asset | |
uses: actions/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} | |
asset_path: ./core/build/libs/print-lib-${{ steps.version.outputs.version }}.jar | |
asset_name: print-lib-${{ steps.version.outputs.version }}.jar | |
asset_content_type: application/java-archive | |
if: startsWith(github.ref, 'refs/tags/') && env.SECRETS == 'TRUE' | |
- name: Upload Release Asset | |
uses: actions/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} | |
asset_path: ./core/build/libs/print-lib-${{ steps.version.outputs.version }}-sources.jar | |
asset_name: print-lib-${{ steps.version.outputs.version }}-sources.jar | |
asset_content_type: application/java-archive | |
if: startsWith(github.ref, 'refs/tags/') && env.SECRETS == 'TRUE' | |
- name: Upload Release Asset | |
uses: actions/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} | |
asset_path: ./core/build/libs/print-lib-${{ steps.version.outputs.version }}-javadoc.jar | |
asset_name: print-lib-${{ steps.version.outputs.version }}-javadoc.jar | |
asset_content_type: application/java-archive | |
if: startsWith(github.ref, 'refs/tags/') && env.SECRETS == 'TRUE' | |
# Update the documentation | |
- uses: actions/checkout@v2 | |
with: | |
repository: mapfish/mapfish-print-doc | |
token: ${{ secrets.GOPASS_CI_GITHUB_TOKEN }} | |
path: mapfish-print-doc | |
if: github.ref == 'refs/heads/master' && env.SECRETS == 'TRUE' | |
- name: Publish documentation | |
run: | | |
cd ${GITHUB_WORKSPACE}/mapfish-print-doc | |
git config user.email "[email protected]" | |
git config user.name "CI" | |
git rm --ignore-unmatch -rqf . | |
docker cp builder:/src/docs/build/site/. . | |
git add -A . | |
git commit -m 'Update docs' | |
git push origin gh-pages | |
if: github.ref == 'refs/heads/master' && env.SECRETS == 'TRUE' | |
- name: Trigger changelog workflow | |
uses: actions/github-script@v7 | |
with: | |
script: |- | |
if (process.env.GITHUB_REF_TYPE == 'tag') { | |
console.log('Trigger changelog'); | |
await github.rest.repos.createDispatchEvent({ | |
owner: 'mapfish', | |
repo: 'mapfish-print', | |
event_type: 'changelog', | |
}); | |
} |