diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b70d235a5bb..fd6094643d4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -5,7 +5,7 @@ on: branches: - master - '[0-9]+.[0-9]+.x' # Patch branches like 2.10.x, 2.9.x - pull_request: + pull_request_target: branches: - master - '[0-9]+.[0-9]+.x' @@ -27,7 +27,7 @@ env: jobs: # Incremental build for PRs incremental-build: - if: github.event_name == 'pull_request' + if: github.event_name == 'pull_request_target' runs-on: ubuntu-latest timeout-minutes: 180 steps: @@ -41,6 +41,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 with: + ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 # Full history needed for incremental build - name: Set up JDK 17 @@ -77,7 +78,7 @@ jobs: # Full build for master/patch branches full-build: - if: github.event_name != 'pull_request' + if: github.event_name != 'pull_request_target' runs-on: ubuntu-latest timeout-minutes: 180 steps: @@ -98,21 +99,6 @@ jobs: distribution: 'temurin' cache: maven - - name: Configure Maven settings - uses: s4u/maven-settings-action@v3.0.0 - with: - servers: | - [{ - "id": "codice", - "username": "${{ github.actor }}", - "password": "${{ secrets.READ_PACKAGES }}" - }, - { - "id": "connexta", - "username": "${{ github.actor }}", - "password": "${{ secrets.READ_PACKAGES }}" - }] - - name: Full build (excluding itests) run: mvn clean install $MAVEN_CLI_OPTS -P !itests @@ -133,7 +119,7 @@ jobs: # DDF Core integration tests (for PRs) integration-tests: needs: incremental-build - if: github.event_name == 'pull_request' && needs.incremental-build.result == 'success' + if: github.event_name == 'pull_request_target' && needs.incremental-build.result == 'success' runs-on: ubuntu-latest timeout-minutes: 60 steps: @@ -146,6 +132,8 @@ jobs: - name: Checkout uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} - name: Set up JDK 17 uses: actions/setup-java@v4 
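Review bot: Switching the PR trigger to `pull_request_target` in the first hunk makes the incremental-build and integration-tests jobs run untrusted fork code under the base repository's context: the job checks out `github.event.pull_request.head.sha` and runs `mvn clean install`, so any Maven plugin, test or build script in the PR executes with the workflow's `GITHUB_TOKEN` and with whatever secrets the workflow exposes. The commit does drop the `READ_PACKAGES` settings step from the PR jobs, which helps, but the token itself is still present, and the job-level `permissions:` are not visible in this diff, so I cannot confirm it is read-only. Safest is to keep PR jobs on `pull_request` and move anything that needs secrets into a separate push/`workflow_run` workflow; if `pull_request_target` is required (e.g. for write access to PR checks), add an explicit `permissions:` block with `contents: read` to every job that checks out the PR head, and gate those jobs on a maintainer label or an `environment` with required reviewers so a fresh fork cannot trigger them unreviewed.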
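Review bot: The added `ref: ${{ github.event.pull_request.head.sha }}` in the incremental-build checkout leaves `actions/checkout`'s default `persist-credentials: true` in place, which writes the `GITHUB_TOKEN` into `.git/config` where the PR's own build code can read it; add `persist-credentials: false` under the same `with:` block. Pinning to `head.sha` rather than `head.ref` is the right choice, since the ref can be moved by the fork after the run starts. If the following `Set up JDK 17` step in this job also uses `cache: maven` (not visible in this hunk), note that a cache written by a `pull_request_target` run is scoped to the base branch and will be restored by master builds, which lets a PR poison `~/.m2` for trusted builds; consider disabling the cache for PR-triggered jobs or keying it on something the PR cannot influence.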
@@ -164,15 +152,17 @@ jobs: -pl distribution/test/itests/test-itests-ddf-core \ -nsu - # OWASP Dependency Check - dependency-check: - needs: [incremental-build, full-build] - if: always() && (needs.incremental-build.result == 'success' || needs.full-build.result == 'success') + # OWASP Dependency Check (PRs) + dependency-check-pr: + needs: incremental-build + if: always() && needs.incremental-build.result == 'success' runs-on: ubuntu-latest timeout-minutes: 60 steps: - name: Checkout uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} - name: Set up JDK 17 uses: actions/setup-java@v4 @@ -198,19 +188,10 @@ jobs: - name: OWASP Dependency Check run: | - if [ "${{ github.event_name }}" != "pull_request" ]; then - # Full scan with distribution for non-PR builds - mvn org.commonjava.maven.plugins:directory-maven-plugin:highest-basedir@directories \ - dependency-check:aggregate $MAVEN_CLI_OPTS \ - -q -pl '!distribution/docs' \ - -P '!itests,owasp-dist' - else - # Incremental scan for PRs - mvn org.commonjava.maven.plugins:directory-maven-plugin:highest-basedir@directories \ - dependency-check:aggregate $MAVEN_CLI_OPTS \ - -q -pl '!distribution/docs' \ - -P '!itests' - fi + mvn org.commonjava.maven.plugins:directory-maven-plugin:highest-basedir@directories \ + dependency-check:aggregate $MAVEN_CLI_OPTS \ + -q -pl '!distribution/docs' \ + -P '!itests' - name: Upload dependency check report uses: actions/upload-artifact@v4 
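Review bot: The new `dependency-check-pr` job checks out `github.event.pull_request.head.sha` and runs `mvn ... dependency-check:aggregate` from it, so it has the same untrusted-code exposure as incremental-build and should carry the same `permissions:` (`contents: read`) and `persist-credentials: false` on its checkout; neither is present in this hunk. As a style point, `if: always() && needs.incremental-build.result == 'success'` is equivalent to the default behaviour of `needs:` (the job already runs only when the dependency succeeded), so `always()` can be dropped unless it is kept deliberately for symmetry with the master job. The surrounding `jobs:` mapping and the `integration-tests` job above this hunk begin outside it.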
@@ -220,10 +201,49 @@ jobs: path: target/dependency-check-report.html retention-days: 30 + # OWASP Dependency Check (master/patch branches) + dependency-check: + needs: full-build + if: always() && needs.full-build.result == 'success' + runs-on: ubuntu-latest + timeout-minutes: 60 + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up JDK 17 + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + cache: maven + + - name: Configure Maven settings + uses: s4u/maven-settings-action@v3.0.0 + with: + servers: | + [{ + "id": "codice", + "username": "${{ github.actor }}", + "password": "${{ secrets.READ_PACKAGES }}" + }, + { + "id": "connexta", + "username": "${{ github.actor }}", + "password": "${{ secrets.READ_PACKAGES }}" + }] + + - name: OWASP Dependency Check + run: | + mvn org.commonjava.maven.plugins:directory-maven-plugin:highest-basedir@directories \ + dependency-check:aggregate $MAVEN_CLI_OPTS \ + -q -pl '!distribution/docs' \ + -P '!itests,owasp-dist' + # SonarCloud analysis (master only) sonarcloud: needs: full-build - if: github.ref == 'refs/heads/master' && github.event_name != 'pull_request' + if: github.ref == 'refs/heads/master' && github.event_name != 'pull_request_target' runs-on: ubuntu-latest timeout-minutes: 60 steps: @@ -262,7 +282,7 @@ jobs: needs: [full-build, dependency-check] if: | always() && - github.event_name != 'pull_request' && + github.event_name != 'pull_request_target' && (github.ref == 'refs/heads/master' || contains(github.ref, '.x')) && needs.full-build.result == 'success' && needs.dependency-check.result == 'success'
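Review bot: The new master-branch `dependency-check` job hands `secrets.READ_PACKAGES` to `s4u/maven-settings-action@v3.0.0`, a third-party action pinned only to a mutable tag; since this step is the one place in the workflow that still handles a credential, pin it to a full commit SHA (`uses: s4u/maven-settings-action@<40-char sha> # v3.0.0`) so a retagged release cannot silently change what receives the secret. The same applies, with lower stakes, to `actions/checkout@v4` and `actions/setup-java@v4` in this job. The job is correctly isolated from PR events only transitively, via `needs: full-build` and that job's `github.event_name != 'pull_request_target'` guard; an explicit `if:` on this job would make that intent survive future edits to `full-build`.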