From deec182df11fac98586512e06eaade096aaf4618 Mon Sep 17 00:00:00 2001 From: Jade Carino Date: Tue, 13 May 2025 15:39:51 +0100 Subject: [PATCH 01/12] Improve Advanced CodeQL workflow check for Java - build of Platform required so it can be found in local Maven repo Signed-off-by: Jade Carino --- .github/workflows/codeql-java.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/codeql-java.yml b/.github/workflows/codeql-java.yml index 872c7438b7..552334ff6d 100644 --- a/.github/workflows/codeql-java.yml +++ b/.github/workflows/codeql-java.yml @@ -54,6 +54,19 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 + # Even though CodeQL will be configured to not do a build, + # it will fail to find the Platform unless it has been built, + # and placed into the local Maven repo. + - name: Building Platform (manually) + shell: bash + working-directory: ${{ github.workspace }}/modules/platform + run: | + gradle -b dev.galasa.platform/build.gradle build check publish --info \ + --no-daemon --console plain \ + -PsourceMaven=https://repo.maven.apache.org/maven2/ \ + -PcentralMaven=https://repo.maven.apache.org/maven2/ \ + -PtargetMaven=/home/runner/.m2/repository + # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@v3 From 320486ae623dbf5896332246ad7b1832e284cfa3 Mon Sep 17 00:00:00 2001 From: Jade Carino Date: Tue, 13 May 2025 15:42:07 +0100 Subject: [PATCH 02/12] Dummy change to Platform README to trigger CodeQL Java check Signed-off-by: Jade Carino --- modules/platform/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/platform/README.md b/modules/platform/README.md index 77d8c37da5..9404633c84 100644 --- a/modules/platform/README.md +++ b/modules/platform/README.md 
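Review bot: The new `Building Platform (manually)` step hard-codes the runner's home directory in `-PtargetMaven=/home/runner/.m2/repository`; inside the bash `run:` block the same location can be written portably as `-PtargetMaven=$HOME/.m2/repository`. The step also relies on whichever `gradle` and JDK the runner image ships — no toolchain setup step is visible in this hunk (the job's earlier steps are outside it), so the inputs to the CodeQL scan drift with the image. Pinning the toolchain, or at least stating in a comment which image-provided versions the step assumes, would make the scan reproducible.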
@@ -4,4 +4,4 @@ This module houses the Galasa Platform (dev.galasa.platform). This uses Gradle's ## Contributing -To contribute to this module, take a look at the [Contributor's Guide](https://github.com/galasa-dev/galasa/blob/main/CONTRIBUTING.md). \ No newline at end of file +To contribute to this module, take a look at the [Contributor's Guide](https://github.com/galasa-dev/galasa/blob/main/CONTRIBUTING.md). From a2d68e212ff048fd22696681e66ed83961d7955a Mon Sep 17 00:00:00 2001 From: Jade Carino Date: Tue, 13 May 2025 16:40:41 +0100 Subject: [PATCH 03/12] For CodeQL Advanced, provide development maven repo through the gradle.properties files of modules so CodeQL can find dependencies Signed-off-by: Jade Carino --- .github/workflows/codeql-java.yml | 10 ++++++++++ modules/platform/dev.galasa.platform/gradle.properties | 6 +++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql-java.yml b/.github/workflows/codeql-java.yml index 552334ff6d..dcb4ea821f 100644 --- a/.github/workflows/codeql-java.yml +++ b/.github/workflows/codeql-java.yml 
@@ -54,6 +54,16 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 + # CodeQL's script will try to create a dependency tree. + # The development maven repo needs to be provided as a + # repo where dependencies can be found or it won't be + # able to create a dependency tree. + - name: Manually replace sourceMaven value in gradle.properties files + run: | + sed -i 's|^sourceMaven=https://repo.maven.apache.org/maven2/|sourceMaven=https://development.galasa.dev/main/maven-repo/obr|' ${{ github.workspace }}/modules/platform/dev.galasa.platform/gradle.properties + sed -i 's|^sourceMaven=https://repo.maven.apache.org/maven2/|sourceMaven=https://development.galasa.dev/main/maven-repo/obr|' ${{ github.workspace }}/modules/framework/galasa-parent/gradle.properties + sed -i 's|^sourceMaven=https://repo.maven.apache.org/maven2/|sourceMaven=https://development.galasa.dev/main/maven-repo/obr|' ${{ github.workspace }}/modules/extensions/galasa-extensions-parent/gradle.properties + # Even though CodeQL will be configured to not do a build, # it will fail to find the Platform unless it has been built, # and placed into the local Maven repo. diff --git a/modules/platform/dev.galasa.platform/gradle.properties b/modules/platform/dev.galasa.platform/gradle.properties index 9d3bf33362..29e0d97f40 100644 --- a/modules/platform/dev.galasa.platform/gradle.properties +++ b/modules/platform/dev.galasa.platform/gradle.properties @@ -1 +1,5 @@ -isMainOrRelease=false \ No newline at end of file +isMainOrRelease=false + +sourceMaven=https://repo.maven.apache.org/maven2/ +centralMaven=https://repo.maven.apache.org/maven2/ +targetMaven=https://repo.maven.apache.org/maven2/ \ No newline at end of file From 71b4f041f66160f50ea818f00a9bec732d02f717 Mon Sep 17 00:00:00 2001 From: Jade Carino Date: Wed, 14 May 2025 11:06:45 +0100 Subject: [PATCH 04/12] For CodeQL Advanced, provide development ma ven repo through the gradle.properties files of modules so CodeQL can find dependencies 
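Review bot: Each `sed -i` in the new `Manually replace sourceMaven value in gradle.properties files` step succeeds silently when the `^sourceMaven=https://repo.maven.apache.org/maven2/` pattern does not match, so a properties file whose value drifts (or lacks the trailing slash) is left pointing at Central and the dependency-tree failure this step exists to prevent comes back with no signal; the fourth `sed` line added in PATCH 04 (`codeql-java.yml`, `@@ -63,6 +63,7 @@`) has the same gap. A loop over the file list with a `grep -q` check after each substitution fails the step loudly and removes the repetition. The step also rewrites tracked files in the workspace before the scan, so a one-line comment such as `# Scan-only: points dependency resolution at the development repo; nothing here is committed` would make that intent clear to the next reader.
```yaml
      - name: Manually replace sourceMaven value in gradle.properties files
        shell: bash
        run: |
          set -euo pipefail
          for f in \
            modules/platform/dev.galasa.platform/gradle.properties \
            modules/framework/galasa-parent/gradle.properties \
            modules/extensions/galasa-extensions-parent/gradle.properties; do
            sed -i 's|^sourceMaven=https://repo.maven.apache.org/maven2/|sourceMaven=https://development.galasa.dev/main/maven-repo/obr|' "${{ github.workspace }}/$f"
            # fail loudly if the substitution did not take effect
            grep -q '^sourceMaven=https://development.galasa.dev/main/maven-repo/obr' "${{ github.workspace }}/$f"
          done
```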
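Review bot: `targetMaven=https://repo.maven.apache.org/maven2/` in the new `dev.galasa.platform/gradle.properties` makes Maven Central the default publish destination; if `build.gradle` uses `targetMaven` as the publishing URL (the workflow's `-PtargetMaven=/home/runner/.m2/repository` override suggests it does, but the build script is not on the page), a `gradle publish` run without that override would try to publish to Central. A local default such as `targetMaven=file:///tmp/galasa-local-maven` (placeholder — adjust to the project's convention) is the safer fallback; the new `modules/ivts/galasa-ivts-parent/buildSrc/gradle.properties` in PATCH 04 carries the same Central default. The new file also ends without a trailing newline, per the `\ No newline at end of file` marker.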
Signed-off-by: Jade Carino --- .github/workflows/codeql-java.yml | 1 + modules/ivts/galasa-ivts-parent/buildSrc/gradle.properties | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 modules/ivts/galasa-ivts-parent/buildSrc/gradle.properties diff --git a/.github/workflows/codeql-java.yml b/.github/workflows/codeql-java.yml index dcb4ea821f..54b8f486b8 100644 --- a/.github/workflows/codeql-java.yml +++ b/.github/workflows/codeql-java.yml @@ -63,6 +63,7 @@ jobs: sed -i 's|^sourceMaven=https://repo.maven.apache.org/maven2/|sourceMaven=https://development.galasa.dev/main/maven-repo/obr|' ${{ github.workspace }}/modules/platform/dev.galasa.platform/gradle.properties sed -i 's|^sourceMaven=https://repo.maven.apache.org/maven2/|sourceMaven=https://development.galasa.dev/main/maven-repo/obr|' ${{ github.workspace }}/modules/framework/galasa-parent/gradle.properties sed -i 's|^sourceMaven=https://repo.maven.apache.org/maven2/|sourceMaven=https://development.galasa.dev/main/maven-repo/obr|' ${{ github.workspace }}/modules/extensions/galasa-extensions-parent/gradle.properties + sed -i 's|^sourceMaven=https://repo.maven.apache.org/maven2/|sourceMaven=https://development.galasa.dev/main/maven-repo/obr|' ${{ github.workspace }}/modules/ivts/galasa-ivts-parent/buildSrc/gradle.properties # Even though CodeQL will be configured to not do a build, # it will fail to find the Platform unless it has been built, diff --git a/modules/ivts/galasa-ivts-parent/buildSrc/gradle.properties b/modules/ivts/galasa-ivts-parent/buildSrc/gradle.properties new file mode 100644 index 0000000000..88656ba1dd --- /dev/null +++ b/modules/ivts/galasa-ivts-parent/buildSrc/gradle.properties @@ -0,0 +1,2 @@ +sourceMaven=https://repo.maven.apache.org/maven2/ +targetMaven=https://repo.maven.apache.org/maven2/ From 3e1bd06ca0db6e20a1ce2f237cb20ecfa8f1a728 Mon Sep 17 00:00:00 2001 
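Review bot: The new `buildSrc/gradle.properties` defines `sourceMaven` and `targetMaven` but not `centralMaven`, whereas the platform file from PATCH 03 defines all three; if the ivts build scripts read `centralMaven`, it will resolve to an undefined property. Worth confirming against the `buildSrc` build script, and adding `centralMaven=https://repo.maven.apache.org/maven2/` if it does.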
From: Jade Carino Date: Wed, 14 May 2025 14:53:53 +0100 Subject: [PATCH 05/12] Initial commit for creating an Advanced CodeQL workflow that is called by the Pull Request Build Orchestrator so it can use artifacts built by the PR build Signed-off-by: Jade Carino --- .github/workflows/codeql-java-2.yaml | 55 +++++++++ .github/workflows/pull-requests.yaml | 162 +++++++++++++++++++++++++++ 2 files changed, 217 insertions(+) create mode 100644 .github/workflows/codeql-java-2.yaml diff --git a/.github/workflows/codeql-java-2.yaml b/.github/workflows/codeql-java-2.yaml new file mode 100644 index 0000000000..6a720e996b --- /dev/null +++ b/.github/workflows/codeql-java-2.yaml 
@@ -0,0 +1,55 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL Advanced (Java) TESTING" + +on: + workflow_call: + +jobs: + analyze-java: + name: Analyze (Java) + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. + runs-on: ${{ 'ubuntu-latest' }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. 
+ # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + + steps: + - name: Download All dev.galasa Artifacts + uses: actions/download-artifact@v4 + with: + name: all-artifacts + path: /home/runner/.m2/repository/dev/galasa + + - name: List Artifacts + run: | + tree /home/runner/.m2/repository/dev/galasa diff --git a/.github/workflows/pull-requests.yaml b/.github/workflows/pull-requests.yaml index 0539001f45..2c1c0981ff 100644 --- a/.github/workflows/pull-requests.yaml +++ b/.github/workflows/pull-requests.yaml 
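Review bot: `runs-on: ${{ 'ubuntu-latest' }}` wraps a plain literal in an expression for no effect; `runs-on: ubuntu-latest` reads as intended. The download `path: /home/runner/.m2/repository/dev/galasa` bakes the runner's home directory into the workflow, and the `List Artifacts` step is only a diagnostic `tree` listing that nothing downstream depends on. The header comments about checking "the `language` matrix defined below" are copied from the CodeQL template and describe a matrix this file does not have; rewording them to describe this workflow (artifacts downloaded from the calling orchestrator, single Java analysis) avoids misleading the next reader.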
@@ -171,6 +171,168 @@ jobs: changed: ${{ needs.get-changed-modules.outputs.ivts_changed }} artifact-id: ${{ needs.find-artifacts.outputs.workflow_for_artifact_download_id }} + download-artifacts-for-codeql: + name: Download artifacts for Advanced CodeQL Java scan + runs-on: ubuntu-latest + needs: [get-changed-modules, find-artifacts, pr-build-ivts] + + steps: + - name: Download Platform from this Workflow Run + if: ${{ needs.get-changed-modules.outputs.platform_changed }} + uses: actions/download-artifact@v4 + with: + name: platform + path: /home/runner/.m2/repository + + - name: Download Platform from last Main Workflow Run + if: ${{ ! needs.get-changed-modules.outputs.platform_changed }} + uses: actions/download-artifact@v4 + with: + name: platform + path: /home/runner/.m2/repository + github-token: ${{ github.token }} + run-id: ${{ needs.find-artifacts.outputs.workflow_for_artifact_download_id }} + + - name: Download Wrapping from this Workflow Run + if: ${{ needs.get-changed-modules.outputs.wrapping_changed }} + uses: actions/download-artifact@v4 + with: + name: wrapping + path: /home/runner/.m2/repository + + - name: Download Wrapping from last Main Workflow Run + if: ${{ ! needs.get-changed-modules.outputs.wrapping_changed }} + uses: actions/download-artifact@v4 + with: + name: wrapping + path: /home/runner/.m2/repository + github-token: ${{ github.token }} + run-id: ${{ needs.find-artifacts.outputs.workflow_for_artifact_download_id }} + + - name: Download Gradle from this Workflow Run + if: ${{ needs.get-changed-modules.outputs.gradle_changed }} + uses: actions/download-artifact@v4 + with: + name: gradle + path: /home/runner/.m2/repository + + - name: Download Gradle from last Main Workflow Run + if: ${{ ! 
needs.get-changed-modules.outputs.gradle_changed }} + uses: actions/download-artifact@v4 + with: + name: gradle + path: /home/runner/.m2/repository + github-token: ${{ github.token }} + run-id: ${{ needs.find-artifacts.outputs.workflow_for_artifact_download_id }} + + - name: Download Maven from this Workflow Run + if: ${{ needs.get-changed-modules.outputs.maven_changed }} + uses: actions/download-artifact@v4 + with: + name: maven + path: /home/runner/.m2/repository + + - name: Download Maven from last Main Workflow Run + if: ${{ ! needs.get-changed-modules.outputs.maven_changed }} + uses: actions/download-artifact@v4 + with: + name: maven + path: /home/runner/.m2/repository + github-token: ${{ github.token }} + run-id: ${{ needs.find-artifacts.outputs.workflow_for_artifact_download_id }} + + - name: Download Framework from this Workflow Run + if: ${{ needs.get-changed-modules.outputs.framework_changed }} + uses: actions/download-artifact@v4 + with: + name: framework + path: /home/runner/.m2/repository + + - name: Download Framework from last Main Workflow Run + if: ${{ ! needs.get-changed-modules.outputs.framework_changed }} + uses: actions/download-artifact@v4 + with: + name: framework + path: /home/runner/.m2/repository + github-token: ${{ github.token }} + run-id: ${{ needs.find-artifacts.outputs.workflow_for_artifact_download_id }} + + - name: Download Extensions from this Workflow Run + if: ${{ needs.get-changed-modules.outputs.extensions_changed }} + uses: actions/download-artifact@v4 + with: + name: extensions + path: /home/runner/.m2/repository + + - name: Download Extensions from last Main Workflow Run + if: ${{ ! 
needs.get-changed-modules.outputs.extensions_changed }} + uses: actions/download-artifact@v4 + with: + name: extensions + path: /home/runner/.m2/repository + github-token: ${{ github.token }} + run-id: ${{ needs.find-artifacts.outputs.workflow_for_artifact_download_id }} + + - name: Download Managers from this Workflow Run + if: ${{ needs.get-changed-modules.outputs.managers_changed }} + uses: actions/download-artifact@v4 + with: + name: managers + path: /home/runner/.m2/repository + + - name: Download Managers from last Main Workflow Run + if: ${{ ! needs.get-changed-modules.outputs.managers_changed }} + uses: actions/download-artifact@v4 + with: + name: managers + path: /home/runner/.m2/repository + github-token: ${{ github.token }} + run-id: ${{ needs.find-artifacts.outputs.workflow_for_artifact_download_id }} + + - name: Download OBR from this Workflow Run + if: ${{ needs.get-changed-modules.outputs.obr_changed }} + uses: actions/download-artifact@v4 + with: + name: obr + path: /home/runner/.m2/repository + + - name: Download OBR from last Main Workflow Run + if: ${{ ! needs.get-changed-modules.outputs.obr_changed }} + uses: actions/download-artifact@v4 + with: + name: obr + path: /home/runner/.m2/repository + github-token: ${{ github.token }} + run-id: ${{ needs.find-artifacts.outputs.workflow_for_artifact_download_id }} + + - name: Download IVTs from this Workflow Run + if: ${{ needs.get-changed-modules.outputs.ivts_changed }} + uses: actions/download-artifact@v4 + with: + name: ivts + path: /home/runner/.m2/repository + + - name: Download IVTs from last Main Workflow Run + if: ${{ ! 
needs.get-changed-modules.outputs.ivts_changed }} + uses: actions/download-artifact@v4 + with: + name: ivts + path: /home/runner/.m2/repository + github-token: ${{ github.token }} + run-id: ${{ needs.find-artifacts.outputs.workflow_for_artifact_download_id }} + + - name: Upload All Artifacts + uses: actions/upload-artifact@v4 + with: + name: all-artifacts + path: /home/runner/.m2/repository/dev/galasa + + codeql-java: + name: CodeQL scans the Java code + needs: [download-artifacts-for-codeql] + uses: ./.github/workflows/codeql-java-2.yaml + secrets: inherit + pr-build-cli: name: Build the 'cli' module needs: [get-changed-modules, find-artifacts, pr-build-obr] From 7cc0a9593b79779b39b62ea23bbe33da0b6c1a15 Mon Sep 17 00:00:00 2001 From: Jade Carino Date: Wed, 14 May 2025 14:59:53 +0100 Subject: [PATCH 06/12] Pass the correct 'permissions' from the Pull Request Build Orchestrator to the nested CodeQL Advanced workflow Signed-off-by: Jade Carino --- .github/workflows/pull-requests.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/pull-requests.yaml b/.github/workflows/pull-requests.yaml index 2c1c0981ff..5c3b02fe03 100644 --- a/.github/workflows/pull-requests.yaml +++ b/.github/workflows/pull-requests.yaml @@ -332,6 +332,9 @@ jobs: needs: [download-artifacts-for-codeql] uses: ./.github/workflows/codeql-java-2.yaml secrets: inherit + permissions: + actions: read + security-events: write pr-build-cli: name: Build the 'cli' module From e48ff3678d12890d7492c540d3e1e9d1c9d8ba9f Mon Sep 17 00:00:00 2001 From: Jade Carino Date: Wed, 14 May 2025 15:02:22 +0100 Subject: [PATCH 07/12] Pass the correct 'permissions' from the Pull Request Build Orchestrator to the nested CodeQL Advanced workflow Signed-off-by: Jade Carino --- .github/workflows/pull-requests.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pull-requests.yaml b/.github/workflows/pull-requests.yaml index 5c3b02fe03..bb057953d0 100644 
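Review bot: Every `Download ... from last Main Workflow Run` step is gated on `if: ${{ ! needs.get-changed-modules.outputs.<module>_changed }}`, and job outputs are always strings; if those outputs carry the literal `'true'`/`'false'` (I cannot see how `get-changed-modules` sets them), `!` applied to the non-empty string `'false'` yields `false`, so the fallback download never runs and an unchanged module's artifacts are missing from `~/.m2`. Comparing explicitly, e.g. `if: ${{ needs.get-changed-modules.outputs.platform_changed != 'true' }}` for the fallback steps and `== 'true'` for the positive ones, removes the ambiguity; the `||` chain added to `codeql-java` in PATCH 10 (`pull-requests.yaml`, `@@ -329,7 +329,18 @@`) has the same dependency on string truthiness. Nine near-identical step pairs would also be far shorter as a matrix job or one scripted loop, but that is a style choice.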
--- a/.github/workflows/pull-requests.yaml +++ b/.github/workflows/pull-requests.yaml @@ -333,8 +333,10 @@ jobs: uses: ./.github/workflows/codeql-java-2.yaml secrets: inherit permissions: - actions: read security-events: write + packages: read + actions: read + contents: read pr-build-cli: name: Build the 'cli' module From 8d64556a35b565c6e6d6b2f293e51769ad0aef5c Mon Sep 17 00:00:00 2001 From: Jade Carino Date: Wed, 14 May 2025 16:54:07 +0100 Subject: [PATCH 08/12] Complete analysis in Advanced CodeQL workflow for Java, which is being called from Pull Requesr Build Orchestrator Signed-off-by: Jade Carino --- .../{codeql-java-2.yaml => codeql-java.yaml} | 29 ++++- .github/workflows/codeql-java.yml | 106 ------------------ 2 files changed, 28 insertions(+), 107 deletions(-) rename .github/workflows/{codeql-java-2.yaml => codeql-java.yaml} (62%) delete mode 100644 .github/workflows/codeql-java.yml diff --git a/.github/workflows/codeql-java-2.yaml b/.github/workflows/codeql-java.yaml similarity index 62% rename from .github/workflows/codeql-java-2.yaml rename to .github/workflows/codeql-java.yaml index 6a720e996b..5e3e0a277e 100644 --- a/.github/workflows/codeql-java-2.yaml +++ b/.github/workflows/codeql-java.yaml @@ -9,7 +9,7 @@ # the `language` matrix defined below to confirm you have the correct set of # supported CodeQL languages. # -name: "CodeQL Advanced (Java) TESTING" +name: "CodeQL Advanced (Java)" on: workflow_call: 
@@ -53,3 +53,30 @@ jobs: - name: List Artifacts run: | tree /home/runner/.m2/repository/dev/galasa + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: java-kotlin + build-mode: none + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # â„šī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + - name: Perform CodeQL Analysis Java + uses: github/codeql-action/analyze@v3 + with: + category: "/language:java-kotlin" + checkout_path: ${{ github.workspace }} + output: results-java.sarif \ No newline at end of file diff --git a/.github/workflows/codeql-java.yml b/.github/workflows/codeql-java.yml deleted file mode 100644 index 54b8f486b8..0000000000 --- a/.github/workflows/codeql-java.yml +++ /dev/null 
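Review bot: The comment block before `Perform CodeQL Analysis Java` tells the reader to "modify the matrix above" to switch to manual build mode, but this workflow has no matrix — the text is carried over from the CodeQL template and now misleads. Replace it with a note tied to this file, e.g. `# build-mode: none extracts against the dev.galasa artifacts downloaded into ~/.m2 above; switch to 'manual' and add a build step if extraction misses classes`. Since this is the repository's security scan, consider un-commenting `queries: security-extended` (or `security-and-quality`) so the default suite is not the only one run. The file also ends without a trailing newline, per the marker on the `output: results-java.sarif` line.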
@@ -1,106 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL Advanced (Java)" - -on: - push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] - paths: [ "modules/platform/**", "modules/wrapping/**", "modules/gradle/**", "modules/maven/**", "modules/framework/**", "modules/extensions/**", "modules/managers/**", "modules/obr/**", "modules/ivts/**" ] - - schedule: - - cron: '41 13 * * 0' - -jobs: - analyze-java: - name: Analyze (Java) - # Runner size impacts CodeQL analysis time. To learn more, please see: - # - https://gh.io/recommended-hardware-resources-for-running-codeql - # - https://gh.io/supported-runners-and-hardware-resources - # - https://gh.io/using-larger-runners (GitHub.com only) - # Consider using larger runners or machines with greater resources for possible analysis time improvements. 
- runs-on: ${{ 'ubuntu-latest' }} - permissions: - # required for all workflows - security-events: write - - # required to fetch internal or private CodeQL packs - packages: read - - # only required for workflows in private repositories - actions: read - contents: read - - # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' - # Use `c-cpp` to analyze code written in C, C++ or both - # Use 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, - # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. - # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how - # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - # CodeQL's script will try to create a dependency tree. - # The development maven repo needs to be provided as a - # repo where dependencies can be found or it won't be - # able to create a dependency tree. 
- - name: Manually replace sourceMaven value in gradle.properties files - run: | - sed -i 's|^sourceMaven=https://repo.maven.apache.org/maven2/|sourceMaven=https://development.galasa.dev/main/maven-repo/obr|' ${{ github.workspace }}/modules/platform/dev.galasa.platform/gradle.properties - sed -i 's|^sourceMaven=https://repo.maven.apache.org/maven2/|sourceMaven=https://development.galasa.dev/main/maven-repo/obr|' ${{ github.workspace }}/modules/framework/galasa-parent/gradle.properties - sed -i 's|^sourceMaven=https://repo.maven.apache.org/maven2/|sourceMaven=https://development.galasa.dev/main/maven-repo/obr|' ${{ github.workspace }}/modules/extensions/galasa-extensions-parent/gradle.properties - sed -i 's|^sourceMaven=https://repo.maven.apache.org/maven2/|sourceMaven=https://development.galasa.dev/main/maven-repo/obr|' ${{ github.workspace }}/modules/ivts/galasa-ivts-parent/buildSrc/gradle.properties - - # Even though CodeQL will be configured to not do a build, - # it will fail to find the Platform unless it has been built, - # and placed into the local Maven repo. - - name: Building Platform (manually) - shell: bash - working-directory: ${{ github.workspace }}/modules/platform - run: | - gradle -b dev.galasa.platform/build.gradle build check publish --info \ - --no-daemon --console plain \ - -PsourceMaven=https://repo.maven.apache.org/maven2/ \ - -PcentralMaven=https://repo.maven.apache.org/maven2/ \ - -PtargetMaven=/home/runner/.m2/repository - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: java-kotlin - build-mode: none - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. 
- - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. - # â„šī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - - name: Perform CodeQL Analysis Java - uses: github/codeql-action/analyze@v3 - with: - category: "/language:java-kotlin" - checkout_path: ${{ github.workspace }} - output: results-java.sarif From 28f8f6f5601ac7280e1bccf97fc52a340b13a9c5 Mon Sep 17 00:00:00 2001 From: Jade Carino Date: Wed, 14 May 2025 17:02:50 +0100 Subject: [PATCH 09/12] Fix incorrect name of reusable workflow being called from the Pull Request Build Orchestrator Signed-off-by: Jade Carino --- .github/workflows/pull-requests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull-requests.yaml b/.github/workflows/pull-requests.yaml index bb057953d0..b4123aa957 100644 --- a/.github/workflows/pull-requests.yaml +++ b/.github/workflows/pull-requests.yaml @@ -330,7 +330,7 @@ jobs: codeql-java: name: CodeQL scans the Java code needs: [download-artifacts-for-codeql] - uses: ./.github/workflows/codeql-java-2.yaml + uses: ./.github/workflows/codeql-java.yaml secrets: inherit permissions: security-events: write From 641517efad326968edcfecc1ad8599142a8a1c15 Mon Sep 17 00:00:00 2001 
From: Jade Carino Date: Wed, 14 May 2025 17:36:18 +0100 Subject: [PATCH 10/12] Call CodeQL Advanced Golang check from Pull Request Build Orchestrator, also checkout the repo before scanning as thats required Signed-off-by: Jade Carino --- .github/workflows/codeql-go.yml | 133 ++++----------------------- .github/workflows/codeql-java.yaml | 19 +++- .github/workflows/pull-requests.yaml | 25 ++++- 3 files changed, 59 insertions(+), 118 deletions(-) diff --git a/.github/workflows/codeql-go.yml b/.github/workflows/codeql-go.yml index 893a0aa3ec..3849cbe722 100644 --- a/.github/workflows/codeql-go.yml +++ b/.github/workflows/codeql-go.yml @@ -12,11 +12,7 @@ name: "CodeQL Advanced (Go)" on: - push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] - paths: [ "modules/buildutils/**", "modules/cli/**" ] + workflow_call: schedule: - cron: '41 13 * * 0' @@ -54,6 +50,21 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 + - name: Download All 'dev.galasa' Artifacts + if: github.event_name == 'workflow_call' + uses: actions/download-artifact@v4 + with: + name: all-artifacts + path: /home/runner/.m2/repository/dev/galasa + + # Download from the last Main Build Orchestrator + # - name: Download All 'dev.galasa' Artifacts + # if: github.event_name == 'schedule' + # uses: actions/download-artifact@v4 + # with: + # name: all-artifacts + # path: /home/runner/.m2/repository/dev/galasa + # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@v3 
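Review bot: The new `Download All 'dev.galasa' Artifacts` step is gated on `if: github.event_name == 'workflow_call'`, but inside a reusable workflow the `github` context belongs to the caller, so `event_name` is the triggering event (for the orchestrator, `pull_request`), never `workflow_call`; the step is skipped on exactly the path it was added for. `if: github.event_name != 'schedule'` expresses the intent and evaluates correctly from the caller. The step of the same name added to `codeql-java.yaml` in this patch (`@@ -44,15 +47,23 @@`) uses the identical condition.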
@@ -74,116 +85,12 @@ jobs: # â„šī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - name: Building Platform (manually) - shell: bash - working-directory: ${{ github.workspace }}/modules/platform - run: | - set -o pipefail - gradle -b dev.galasa.platform/build.gradle build check publish --info \ - --no-daemon --console plain \ - -PsourceMaven=https://repo.maven.apache.org/maven2/ \ - -PcentralMaven=https://repo.maven.apache.org/maven2/ \ - -PtargetMaven=/home/runner/.m2/repository 2>&1 | tee build.log - - - - name: Building Wrapping (manually) - shell: bash - working-directory: ${{ github.workspace }}/modules/wrapping - run: | - set -o pipefail - mvn deploy \ - -Dgalasa.source.repo=https://development.galasa.dev/main/maven-repo/obr \ - -Dgalasa.central.repo=https://repo.maven.apache.org/maven2/ \ - -Dgalasa.release.repo=file:///home/runner/.m2/repository \ - -Dgalasa.jacocoEnabled=false \ - -Dgalasa.isRelease=false \ - -Dgpg.skip=true \ - --batch-mode --errors --fail-at-end \ - --settings settings.xml 2>&1 | tee build.log - - - name: Building Gradle (manually) - shell: bash - working-directory: ${{ github.workspace }}/modules/gradle - run: | - set -o pipefail - gradle check publish --info \ - --no-daemon --console plain \ - -PsourceMaven=https://development.galasa.dev/main/maven-repo/obr \ - -PcentralMaven=https://repo.maven.apache.org/maven2/ \ - -PtargetMaven=/home/runner/.m2/repository \ - -PjacocoEnabled=false \ - -PisMainOrRelease=false 2>&1 | tee build.log - - - name: Building Maven (manually) + - name: Building Buildutils (manually) shell: bash - working-directory: ${{ github.workspace }}/modules/maven + working-directory: ${{ github.workspace }}/modules/buildutils run: | - set -o pipefail - mvn -f galasa-maven-plugin/pom.xml deploy -X \ - -Dgalasa.source.repo=https://development.galasa.dev/main/maven-repo/obr \ - 
-Dgalasa.central.repo=https://repo.maven.apache.org/maven2/ \ - -Dgalasa.release.repo=file:///home/runner/.m2/repository \ - -Dgalasa.jacocoEnabled=false \ - -Dgalasa.isRelease=false \ - -Dgpg.skip=true \ - --batch-mode --errors --fail-at-end \ - --settings settings.xml 2>&1 | tee build.log - - - name: Building Framework (manually) - shell: bash - working-directory: ${{ github.workspace }}/modules/framework - env: - YAML_LOCATION: "modules/framework/galasa-parent/dev.galasa.framework.api.openapi/src/main/resources/openapi.yaml" - OUTPUT_LOCATION: "modules/framework/galasa-parent/dev.galasa.framework.api.beans/src/main/java" - PACKAGE: "dev.galasa.framework.api.beans.generated" - run: | - docker run --rm -v ${{ github.workspace }}:/var/workspace ghcr.io/galasa-dev/openapi2beans:main generate --yaml var/workspace/${{ env.YAML_LOCATION }} --output var/workspace/${{ env.OUTPUT_LOCATION }} --package ${{ env.PACKAGE }} - set -o pipefail - gradle -b galasa-parent/build.gradle check publish --info \ - --no-daemon --console plain \ - -Dorg.gradle.jvmargs=-Xmx5120M \ - -PsourceMaven=https://development.galasa.dev/main/maven-repo/obr \ - -PcentralMaven=https://repo.maven.apache.org/maven2/ \ - -PtargetMaven=/home/runner/.m2/repository \ - -PjacocoEnabled=false \ - -PisMainOrRelease=false 2>&1 | tee build.log - - - name: Building Managers (manually) - shell: bash - working-directory: ${{ github.workspace }}/modules/managers - run: | - set -o pipefail - gradle -b galasa-managers-parent/build.gradle check publish --info \ - --no-daemon --console plain \ - -Dorg.gradle.jvmargs=-Xmx4096M \ - -PsourceMaven=https://development.galasa.dev/main/maven-repo/obr \ - -PcentralMaven=https://repo.maven.apache.org/maven2/ \ - -PtargetMaven=/home/runner/.m2/repository \ - -PjacocoEnabled=false \ - -PisMainOrRelease=false 2>&1 | tee build.log - - - name: Building OBR (manually) - shell: bash - working-directory: ${{ github.workspace }}/modules/obr - run: | - docker run --rm -v ${{ 
github.workspace }}/modules:/var/root/ ghcr.io/galasa-dev/galasabld-amd64:main template --releaseMetadata var/root/framework/release.yaml --releaseMetadata /var/root/extensions/release.yaml --releaseMetadata /var/root/managers/release.yaml --releaseMetadata /var/root/obr/release.yaml --template /var/root/obr/galasa-bom/pom.template --output /var/root/obr/galasa-bom/pom.xml --bom - set -o pipefail - mvn -f galasa-bom/pom.xml deploy -X \ - -Dgalasa.source.repo=https://development.galasa.dev/main/maven-repo/obr \ - -Dgalasa.central.repo=https://repo.maven.apache.org/maven2/ \ - -Dgalasa.release.repo=file:///home/runner/.m2/repository \ - -Dgpg.skip=true \ - --batch-mode --errors --fail-at-end \ - --settings settings.xml 2>&1 | tee galasa-bom-build.log - docker run --rm -v ${{ github.workspace }}/modules:/var/root/ ghcr.io/galasa-dev/galasabld-amd64:main template --releaseMetadata var/root/framework/release.yaml --releaseMetadata /var/root/extensions/release.yaml --releaseMetadata /var/root/managers/release.yaml --releaseMetadata /var/root/obr/release.yaml --template /var/root/obr/dev.galasa.uber.obr/pom.template --output /var/root/obr/dev.galasa.uber.obr/pom.xml --obr - set -o pipefail - mvn -f dev.galasa.uber.obr/pom.xml deploy -X \ - -Dgalasa.source.repo=https://development.galasa.dev/main/maven-repo/obr \ - -Dgalasa.central.repo=https://repo.maven.apache.org/maven2/ \ - -Dgalasa.release.repo=file:///home/runner/.m2/repository \ - -Dgpg.skip=true \ - --batch-mode --errors --fail-at-end \ - --settings settings.xml 2>&1 | tee galasa-obr-build.log + make all + make all -C openapi2beans - name: Building CLI (manually) shell: bash diff --git a/.github/workflows/codeql-java.yaml b/.github/workflows/codeql-java.yaml index 5e3e0a277e..c6c91d478e 100644 --- a/.github/workflows/codeql-java.yaml +++ b/.github/workflows/codeql-java.yaml 
@@ -14,6 +14,9 @@ name: "CodeQL Advanced (Java)"
 on:
 workflow_call:
+ schedule:
+ - cron: '41 13 * * 0'
+
 jobs:
 analyze-java:
 name: Analyze (Java)
@@ -44,15 +47,23 @@ jobs:
 # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
 steps:
- - name: Download All dev.galasa Artifacts
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Download All 'dev.galasa' Artifacts
+ if: github.event_name == 'workflow_call'
 uses: actions/download-artifact@v4
 with:
 name: all-artifacts
 path: /home/runner/.m2/repository/dev/galasa
- - name: List Artifacts
- run: |
- tree /home/runner/.m2/repository/dev/galasa
+ # Download from the last Main Build Orchestrator
+ # - name: Download All 'dev.galasa' Artifacts
+ # if: github.event_name == 'schedule'
+ # uses: actions/download-artifact@v4
+ # with:
+ # name: all-artifacts
+ # path: /home/runner/.m2/repository/dev/galasa
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
diff --git a/.github/workflows/pull-requests.yaml b/.github/workflows/pull-requests.yaml
index b4123aa957..42b20981af 100644
--- a/.github/workflows/pull-requests.yaml
+++ b/.github/workflows/pull-requests.yaml
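Review bot: The `if: github.event_name == 'workflow_call'` guard on the new 'Download All dev.galasa Artifacts' step is unlikely to ever be true: as far as I know the `github` context inside a called reusable workflow is the caller's, so `github.event_name` reports the caller's event (e.g. `pull_request`) rather than `workflow_call`, and the download would be skipped on every run. With the `schedule` variant below it commented out, no run would populate /home/runner/.m2/repository/dev/galasa before the CodeQL init step that follows. A check that singles out the scheduled run instead, `if: github.event_name != 'schedule'`, matches the stated intent; the same comparison is carried into the two patch 12 hunks in codeql-go.yml and codeql-java.yaml, which only wrap it in `${{ }}`. The commented-out block also repeats the live step verbatim; a one-line comment saying what it is waiting on (e.g. `# TODO: fetch artifacts from the last Main Build Orchestrator run for scheduled scans`) would carry the same information without the dead YAML.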
@@ -329,7 +329,18 @@ jobs:
 codeql-java:
 name: CodeQL scans the Java code
- needs: [download-artifacts-for-codeql]
+ if: ${{
+ needs.get-changed-modules.outputs.platform_changed ||
+ needs.get-changed-modules.outputs.wrapping_changed ||
+ needs.get-changed-modules.outputs.gradle_changed ||
+ needs.get-changed-modules.outputs.maven_changed ||
+ needs.get-changed-modules.outputs.framework_changed ||
+ needs.get-changed-modules.outputs.extensions_changed ||
+ needs.get-changed-modules.outputs.managers_changed ||
+ needs.get-changed-modules.outputs.obr_changed ||
+ needs.get-changed-modules.outputs.ivts_changed
+ }}
+ needs: [get-changed-modules, download-artifacts-for-codeql]
 uses: ./.github/workflows/codeql-java.yaml
 secrets: inherit
 permissions:
@@ -338,6 +349,18 @@ jobs:
 actions: read
 contents: read
+ codeql-go:
+ name: CodeQL scans the Golang code
+ if: ${{ needs.get-changed-modules.outputs.buildutils_changed || needs.get-changed-modules.outputs.cli_changed }}
+ needs: [get-changed-modules, download-artifacts-for-codeql]
+ uses: ./.github/workflows/codeql-go.yaml
+ secrets: inherit
+ permissions:
+ security-events: write
+ packages: read
+ actions: read
+ contents: read
+
 pr-build-cli:
 name: Build the 'cli' module
 needs: [get-changed-modules, find-artifacts, pr-build-obr]
From 532fae8694541c9e267dcde103ebc804a37415d8 Mon Sep 17 00:00:00 2001
From: Jade Carino
Date: Wed, 14 May 2025 17:38:32 +0100
Subject: [PATCH 11/12] Fix incorrect path to reusable workflow to call the Advanced CodeQL Go workflow from the Pull Request Build Orchestrator
Signed-off-by: Jade Carino
---
.github/workflows/pull-requests.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pull-requests.yaml b/.github/workflows/pull-requests.yaml
index 42b20981af..38dbd6702b 100644
--- a/.github/workflows/pull-requests.yaml
+++ b/.github/workflows/pull-requests.yaml
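Review bot: The new `if:` on codeql-java ORs the `*_changed` job outputs directly, which only gates the job correctly if an unchanged module leaves its output empty; job outputs are always strings, and a non-empty string such as `'false'` is truthy in an Actions expression, so if get-changed-modules writes `'false'` the CodeQL job would run on every pull request. Comparing each term explicitly, `needs.get-changed-modules.outputs.platform_changed == 'true' ||` and so on for the other eight, makes the gate independent of how those outputs are produced. The codeql-go job's `if:` in the next hunk uses the same pattern and needs the same treatment. get-changed-modules is not visible here, so confirm what it actually writes to those outputs before changing them.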
@@ -353,7 +353,7 @@ jobs:
 name: CodeQL scans the Golang code
 if: ${{ needs.get-changed-modules.outputs.buildutils_changed || needs.get-changed-modules.outputs.cli_changed }}
 needs: [get-changed-modules, download-artifacts-for-codeql]
- uses: ./.github/workflows/codeql-go.yaml
+ uses: ./.github/workflows/codeql-go.yml
 secrets: inherit
 permissions:
 security-events: write
From 4685ebe73d53fd91dd39b5d3aa11b06b5e85bbd6 Mon Sep 17 00:00:00 2001
From: Jade Carino
Date: Thu, 15 May 2025 10:22:48 +0100
Subject: [PATCH 12/12] Fix conditional check for only downloading dev.galasa artifacts to the workflow if the github.event_name is 'workflow_call'
Signed-off-by: Jade Carino
---
.github/workflows/codeql-go.yml | 2 +-
.github/workflows/codeql-java.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codeql-go.yml b/.github/workflows/codeql-go.yml
index 3849cbe722..29761cc4bb 100644
--- a/.github/workflows/codeql-go.yml
+++ b/.github/workflows/codeql-go.yml
@@ -51,7 +51,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Download All 'dev.galasa' Artifacts
- if: github.event_name == 'workflow_call'
+ if: ${{ github.event_name == 'workflow_call' }}
 uses: actions/download-artifact@v4
 with:
 name: all-artifacts
diff --git a/.github/workflows/codeql-java.yaml b/.github/workflows/codeql-java.yaml
index c6c91d478e..87220076e2 100644
--- a/.github/workflows/codeql-java.yaml
+++ b/.github/workflows/codeql-java.yaml
@@ -51,7 +51,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Download All 'dev.galasa' Artifacts
- if: github.event_name == 'workflow_call'
+ if: ${{ github.event_name == 'workflow_call' }}
 uses: actions/download-artifact@v4
 with:
 name: all-artifacts