From d9410aebcc5935ede2fc877d74f227afce16063d Mon Sep 17 00:00:00 2001
From: micronaut-build <65172877+micronaut-build@users.noreply.github.com>
Date: Wed, 15 Jan 2025 14:38:06 +0100
Subject: [PATCH] Sonatype Scan Gradle Plugin (#500)
---
 .github/renovate.json | 22 +++++++++++-----
 .github/workflows/central-sync.yml | 6 ++---
 .github/workflows/graalvm-dev.yml | 12 ++++-----
 .github/workflows/graalvm-latest.yml | 12 ++++-----
 .github/workflows/gradle.yml | 17 ++++++++----
 .github/workflows/publish-snapshot.yml | 6 ++---
 .github/workflows/release.yml | 26 +++++++++----------
 buildSrc/build.gradle | 1 +
 ...onaut.build.internal.reactor-module.gradle | 11 ++++++++
 gradle/libs.versions.toml | 2 ++
 gradle/wrapper/gradle-wrapper.properties | 2 +-
 gradlew | 3 +--
 12 files changed, 74 insertions(+), 46 deletions(-)
diff --git a/.github/renovate.json b/.github/renovate.json
index 09c2a598..99eeec10 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -1,24 +1,32 @@
 {
 "extends": [
- "config:base"
+ "config:recommended"
+ ],
+ "addLabels": [
+ "type: dependency-upgrade"
 ],
- "addLabels": ["type: dependency-upgrade"],
 "schedule": [
- "after 10pm every day"
+ "after 10pm"
 ],
 "prHourlyLimit": 1,
 "prConcurrentLimit": 20,
 "timezone": "Europe/Prague",
 "packageRules": [
 {
- "matchPackagePatterns": ["actions.*"],
 "dependencyDashboardApproval": true,
- "matchUpdateTypes": ["patch"],
+ "matchUpdateTypes": [
+ "patch"
+ ],
 "matchCurrentVersion": "!/^0/",
- "automerge": true
+ "automerge": true,
+ "matchPackageNames": [
+ "/actions.*/"
+ ]
 },
 {
- "matchUpdateTypes": ["patch"],
+ "matchUpdateTypes": [
+ "patch"
+ ],
 "matchCurrentVersion": "!/^0/",
 "automerge": true
 }
diff --git a/.github/workflows/central-sync.yml b/.github/workflows/central-sync.yml
index 23b80ba2..5945f447 100644
--- a/.github/workflows/central-sync.yml
+++ b/.github/workflows/central-sync.yml
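Review bot: The migrated `"matchPackageNames": ["/actions.*/"]` in renovate.json is an unanchored regex, so the approval-gated rule applies to any dependency whose name merely contains `actions`, not only to workflows' `actions/*` steps; the old `matchPackagePatterns` value had the same reach, but the migration is a good moment to decide whether that is intended. If only the GitHub-owned org is meant, `"/^actions\\//"` narrows it; if the broad match is deliberate, a `"description"` entry on that rule would record why. Either way the second, unrestricted rule still automerges patch updates of every other dependency, including the Gradle plugins this commit adds, which is worth stating in the same description since those run inside the build.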
@@ -31,9 +31,9 @@ jobs:
 GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
 GPG_PASSWORD: ${{ secrets.GPG_PASSWORD }}
 GPG_FILE: ${{ secrets.GPG_FILE }}
- GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
- GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
- GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
+ DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
+ DEVELOCITY_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
+ DEVELOCITY_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
 run: |
 echo $GPG_FILE | base64 -d > secring.gpg
 ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository
diff --git a/.github/workflows/graalvm-dev.yml b/.github/workflows/graalvm-dev.yml
index eb0203b2..fcb66c1f 100644
--- a/.github/workflows/graalvm-dev.yml
+++ b/.github/workflows/graalvm-dev.yml
@@ -12,9 +12,9 @@ jobs:
 if: github.repository != 'micronaut-projects/micronaut-project-template'
 runs-on: ubuntu-latest
 env:
- GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
- GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
- GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
+ DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
+ DEVELOCITY_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
+ DEVELOCITY_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
 outputs:
 matrix: ${{ steps.build-matrix.outputs.matrix }}
 steps:
@@ -38,9 +38,9 @@ jobs:
 - java: 'latest-ea'
 distribution: 'graalvm-community'
 env:
- GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
- GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
- GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
+ DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
+ DEVELOCITY_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
+ DEVELOCITY_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
 steps:
 - uses: actions/checkout@v4
 - name: Pre-Build Steps
diff --git a/.github/workflows/graalvm-latest.yml b/.github/workflows/graalvm-latest.yml
index d150aa60..e3053b0d 100644
--- a/.github/workflows/graalvm-latest.yml
+++ b/.github/workflows/graalvm-latest.yml
@@ -18,9 +18,9 @@ jobs:
 if: github.repository != 'micronaut-projects/micronaut-project-template'
 runs-on: ubuntu-latest
 env:
- GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
- GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
- GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
+ DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
+ DEVELOCITY_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
+ DEVELOCITY_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
 outputs:
 matrix: ${{ steps.build-matrix.outputs.matrix }}
 steps:
@@ -38,9 +38,9 @@ jobs:
 java: ['17', '21']
 native_test_task: ${{ fromJson(needs.build_matrix.outputs.matrix).native_test_task }}
 env:
- GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
- GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
- GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
+ DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
+ DEVELOCITY_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
+ DEVELOCITY_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
 steps:
 - uses: actions/checkout@v4
 - name: Pre-Build Steps
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
index e72393c3..91016fdb 100644
--- a/.github/workflows/gradle.yml
+++ b/.github/workflows/gradle.yml
@@ -21,15 +21,17 @@ jobs:
 matrix:
 java: ['17', '21']
 env:
- GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
- GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
- GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
+ DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
+ DEVELOCITY_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
+ DEVELOCITY_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
 GH_TOKEN_PUBLIC_REPOS_READONLY: ${{ secrets.GH_TOKEN_PUBLIC_REPOS_READONLY }}
 GH_USERNAME: ${{ secrets.GH_USERNAME }}
 TESTCONTAINERS_RYUK_DISABLED: true
 PREDICTIVE_TEST_SELECTION: "${{ github.event_name == 'pull_request' && 'true' || 'false' }}"
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}
+ OSS_INDEX_PASSWORD: ${{ secrets.OSS_INDEX_PASSWORD }}
 steps:
 # https://github.com/actions/virtual-environments/issues/709
 - name: "🗑 Free disk space"
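Review bot: The two new `OSS_INDEX_USERNAME` / `OSS_INDEX_PASSWORD` entries in gradle.yml sit in the job-level `env:`, so the OSS Index credential is exported to every step of the job — the main Gradle build and tests, the `mikepenz/action-junit-report` step and the artifact upload — although only the new Sonatype Scan step uses it. Scoping them to that step keeps the secret out of the environment of third-party actions and of code under test: drop them from the job `env:` and add `env:` / `OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}` / `OSS_INDEX_PASSWORD: ${{ secrets.OSS_INDEX_PASSWORD }}` under the `🚔 Sonatype Scan` step instead. The `DEVELOCITY_*` renames in this and the sibling workflow hunks keep reading the old `GRADLE_ENTERPRISE_*` secret names, which is fine but deserves a one-line comment so nobody "fixes" the apparent mismatch by creating new secrets.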
@@ -58,6 +60,11 @@ jobs:
 run: |
 [ -f ./setup.sh ] && ./setup.sh || [ ! -f ./setup.sh ]
+ - name: "🚔 Sonatype Scan"
+ id: sonatypescan
+ run: |
+ ./gradlew ossIndexAudit --no-parallel --info
+
 - name: "🛠 Build with Gradle"
 id: gradle
 run: |
@@ -70,7 +77,7 @@ jobs:
 - name: "📊 Publish Test Report"
 if: always()
- uses: mikepenz/action-junit-report@v4
+ uses: mikepenz/action-junit-report@v5
 with:
 check_name: Java CI / Test Report (${{ matrix.java }})
 report_paths: '**/build/test-results/test/TEST-*.xml'
@@ -78,7 +85,7 @@ jobs:
 - name: "📜 Upload binary compatibility check results"
 if: matrix.java == '17'
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
 with:
 name: binary-compatibility-reports
 path: "**/build/reports/binary-compatibility-*.html"
diff --git a/.github/workflows/publish-snapshot.yml b/.github/workflows/publish-snapshot.yml
index 0875db92..fdfadd59 100644
--- a/.github/workflows/publish-snapshot.yml
+++ b/.github/workflows/publish-snapshot.yml
@@ -27,7 +27,7 @@ jobs:
 env:
 SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
 SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
- GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
- GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
- GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
+ DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
+ DEVELOCITY_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
+ DEVELOCITY_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
 run: ./gradlew publishToSonatype --no-daemon
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0d18f0b7..21503ec7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
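Review bot: The new `🚔 Sonatype Scan` step in gradle.yml runs `./gradlew ossIndexAudit` unconditionally, but the workflow also runs on `pull_request` (the `PREDICTIVE_TEST_SELECTION` expression in the previous hunk checks for it), where repository secrets are empty for pull requests from forks; the audit then presumably runs against OSS Index unauthenticated, and any rate limiting, outage, or a newly published advisory for a transitive dependency fails the job before `🛠 Build with Gradle` runs. Decide whether the audit is a gate or advisory and encode it: `if: env.OSS_INDEX_USERNAME != ''` on the step skips it when the credential is absent, while `continue-on-error: true` keeps the build result independent of the scan; a comment above the step should state which was chosen. The `--info` flag also makes this step far more verbose than the rest of the workflow and is typically a debugging aid; GitHub masks registered secret values in logs, but the extra output is unlikely to be wanted permanently. `id: sonatypescan` is not referenced within the hunk; if no later step consumes it, it can be dropped.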
@@ -40,9 +40,9 @@ jobs:
 GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
 GPG_PASSWORD: ${{ secrets.GPG_PASSWORD }}
 GPG_FILE: ${{ secrets.GPG_FILE }}
- GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
- GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
- GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
+ DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
+ DEVELOCITY_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
+ DEVELOCITY_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
 run: |
 echo $GPG_FILE | base64 -d > secring.gpg
 # Publish both locally and to Sonatype.
@@ -66,13 +66,13 @@ jobs:
 # Store the hash in a file, which is uploaded as a workflow artifact.
 sha256sum $ARTIFACTS | base64 -w0 > artifacts-sha256
 - name: Upload build artifacts
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
 with:
 name: gradle-build-outputs
 path: build/repo/${{ steps.publish.outputs.group }}/*/${{ steps.publish.outputs.version }}/*
 retention-days: 5
 - name: Upload artifacts-sha256
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
 with:
 name: artifacts-sha256
 path: artifacts-sha256
@@ -80,9 +80,9 @@ jobs:
 - name: Generate docs
 run: ./gradlew docs
 env:
- GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
- GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
- GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
+ DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
+ DEVELOCITY_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
+ DEVELOCITY_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
 GH_TOKEN_PUBLIC_REPOS_READONLY: ${{ secrets.GH_TOKEN_PUBLIC_REPOS_READONLY }}
 GH_USERNAME: ${{ secrets.GH_USERNAME }}
 - name: Export Gradle Properties
@@ -97,9 +97,9 @@ jobs:
 FOLDER: build/docs
 VERSION: ${{ steps.release_version.outputs.release_version }}
 TARGET_REPOSITORY: ${{ github.repository == 'micronaut-projects/micronaut-core' && env.docsRepository || github.repository }}
- GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
- GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
- GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
+ DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
+ DEVELOCITY_CACHE_USERNAME: ${{ secrets.GRADLE_ENTERPRISE_CACHE_USERNAME }}
+ DEVELOCITY_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
 - name: Run post-release
 if: success()
 uses: micronaut-projects/github-actions/post-release@master
@@ -146,7 +146,7 @@ jobs:
 if: startsWith(github.ref, 'refs/tags/')
 steps:
 - name: Checkout repository
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Download artifacts
 uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
@@ -160,6 +160,6 @@ jobs:
 - name: Upload assets
 # Upload the artifacts to the existing release. Note that the SLSA provenance will
 # attest to each artifact file and not the aggregated ZIP file.
- uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v2.0.9
+ uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
 with:
 files: artifacts.zip
diff --git a/buildSrc/build.gradle b/buildSrc/build.gradle
index 21e3c454..2fdd54a0 100644
--- a/buildSrc/build.gradle
+++ b/buildSrc/build.gradle
@@ -9,4 +9,5 @@ repositories {
 dependencies {
 implementation libs.gradle.micronaut
+ implementation(libs.sonatype.scan)
 }
diff --git a/buildSrc/src/main/groovy/io.micronaut.build.internal.reactor-module.gradle b/buildSrc/src/main/groovy/io.micronaut.build.internal.reactor-module.gradle
index 46d6a9ba..dbe1e5bf 100644
--- a/buildSrc/src/main/groovy/io.micronaut.build.internal.reactor-module.gradle
+++ b/buildSrc/src/main/groovy/io.micronaut.build.internal.reactor-module.gradle
@@ -1,4 +1,15 @@
 plugins {
 id "io.micronaut.build.internal.reactor-base"
 id "io.micronaut.build.internal.module"
+ id("org.sonatype.gradle.plugins.scan")
 }
+String ossIndexUsername = System.getenv("OSS_INDEX_USERNAME") ?: project.properties["ossIndexUsername"]
+String ossIndexPassword = System.getenv("OSS_INDEX_PASSWORD") ?: project.properties["ossIndexPassword"]
+boolean sonatypePluginConfigured = ossIndexUsername != null && ossIndexPassword != null
+if (sonatypePluginConfigured) {
+ ossIndexAudit {
+ username = ossIndexUsername
+ password = ossIndexPassword
+ }
+}
+
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index cf4211dc..990fe7a0 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -18,6 +18,7 @@ managed-reactor-bom = "2023.0.13"
 managed-micrometer-context-propagation = "1.1.2"
 micronaut-gradle-plugin = "4.4.5"
+sonatype-scan = "3.0.0"
 [libraries]
 # Core
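Review bot: The credential lookup added to io.micronaut.build.internal.reactor-module.gradle silently leaves `ossIndexAudit` unconfigured when either value is missing, and nothing in the script says what that means: the task still exists and CI invokes it, so the audit presumably runs against OSS Index without authentication rather than failing fast. A comment above the `if` would make the contract explicit, e.g. `// OSS Index credentials are optional: when either is absent the audit task is left unauthenticated instead of failing the build`. The `project.properties[...]` fallback also lets the password come from a gradle.properties file; if that path is meant for local developer use only, say so next to it, since a committed gradle.properties would put the credential in the repository. Note that Groovy's `?:` treats an empty string as unset, so an exported but empty `OSS_INDEX_USERNAME` falls through to the project property, which looks intended but is worth a word in the same comment.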
@@ -37,3 +38,4 @@ rxjava3 = { module = "io.reactivex.rxjava3:rxjava", version.ref = "rxjava3" }
 managed-micrometer-context-propagation = { module = "io.micrometer:context-propagation", version.ref = "managed-micrometer-context-propagation" }
 gradle-micronaut = { module = "io.micronaut.gradle:micronaut-gradle-plugin", version.ref = "micronaut-gradle-plugin" }
+sonatype-scan = { module = "org.sonatype.gradle.plugins:scan-gradle-plugin", version.ref = "sonatype-scan" }
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index df97d72b..cea7a793 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
diff --git a/gradlew b/gradlew
index f5feea6d..f3b75f3b 100755
--- a/gradlew
+++ b/gradlew
@@ -86,8 +86,7 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
-' "$PWD" ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum