docs: fix lint in README #98
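# CI: build and test, generate the CycloneDX SBOM, and scan that SBOM with Trivy.
#
# Token hygiene: the workflow-level `permissions: {}` strips every scope from
# GITHUB_TOKEN; the single job re-grants only `security-events: write`, and
# checkout does not persist the token, so the build and tests (which execute
# code from pull requests) run without usable credentials.
name: CI
on: # yamllint disable-line rule:truthy
  push:
    branches:
      - 'main'
    tags-ignore:
      - 'v*'
  pull_request:
  workflow_dispatch:
concurrency:
  # One in-flight run per pull request (or per ref for pushes); a newer run
  # cancels the older one.
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
permissions: {}
jobs:
  build-and-test:
    name: All Tests
    runs-on: ubuntu-latest
    permissions:
      security-events: write # Required to upload Trivy SARIF results to GitHub code scanning.
      # NOTE(review): on a private repository the SARIF upload additionally
      # needs `actions: read`, and checkout needs `contents: read`; neither is
      # required for a public repository, so they are not granted here.
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          disable-sudo-and-containers: true
          # Deny-by-default egress: any host the build needs must be listed
          # below, so an unexpected download fails closed instead of pulling an
          # unvetted artifact or exfiltrating data. Add a host here when a step
          # legitimately needs it rather than relaxing the policy.
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            check.trivy.dev:443
            get.trivy.dev:443
            github.com:443
            mirror.gcr.io:443
            registry.npmjs.org:443
            release-assets.githubusercontent.com:443
            repo.maven.apache.org:443
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave GITHUB_TOKEN in .git/config, where later steps
          # (including the Maven build of pull-request code) could read it.
          persist-credentials: false
      - name: Set up Java
        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          distribution: temurin
          java-version: '21'
      - name: Set up SBOM tools
        uses: ./.github/actions/setup-sbom-tools
        with:
          # Presumably used for authenticated GitHub API / release downloads;
          # the token carries only this job's scopes. Verify in the local action.
          github-token: ${{ github.token }}
      - name: Build and run tests
        run: ./mvnw -B -ntp -P integration-tests,generate-sbom verify
      - name: Show WireMock log on failure
        if: failure()
        run: cat maven-plugin/target/wiremock.log 2>/dev/null || echo "(WireMock log not found)"
      # Trivy runs here rather than in ci-guardrails.yml because it scans the
      # CycloneDX SBOM produced by the Maven build (target/bom_all.json), which
      # contains the exact resolved dependency graph including transitives.
      # Scanning the SBOM is strictly more accurate than Trivy's own filesystem
      # heuristics, and the SBOM only exists after the build completes.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          scan-type: sbom
          scan-ref: target/bom_all.json
          format: sarif
          output: trivy-results.sarif
          # Reporting only: no `exit-code` is set, so findings surface in code
          # scanning rather than failing the build (confirm against the action's
          # default). Only HIGH/CRITICAL findings that already have an upstream
          # fix are reported; unfixed ones are deliberately hidden.
          severity: HIGH,CRITICAL
          ignore-unfixed: true
      - name: Upload Trivy SARIF file
        # Upload whenever a report exists, even if an earlier step failed, but
        # skip when: the run was cancelled; the build failed before Trivy ran,
        # so there is no SARIF file (a bare `always()` then failed this step
        # with a file-not-found error that masked the real build failure); or
        # the trigger is a pull request from a fork, whose GITHUB_TOKEN is
        # read-only regardless of `permissions:` and cannot upload results.
        # `${{ }}` is required because the expression starts with `!`, which
        # YAML would otherwise read as a tag.
        if: ${{ !cancelled() && hashFiles('trivy-results.sarif') != '' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        with:
          sarif_file: trivy-results.sarif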