
chore(deps): bump softprops/action-gh-release from 2.0.6 to 2.5.0 #69

chore(deps): bump softprops/action-gh-release from 2.0.6 to 2.5.0


# .github/workflows/java-ci-secure.yml

Check failure on line 1 in .github/workflows/java-ci-secure.yml


GitHub Actions / .github/workflows/java-ci-secure.yml

Invalid workflow file

(Line: 221, Col: 13): Unrecognized named-value: 'secrets'. Located at position 44 within expression: failure() && inputs.notify-on-failure && secrets.SLACK_WEBHOOK_URL != ''
# Purpose: Secure Java CI workflow with fine-grained permissions and input validation.
# Inputs:
# java-version: Java version to use (default: 25)
# maven-opts: Maven JVM options (default: '-Xmx2g')
# test-pattern: Test pattern for Maven (default: '**/unit/**')
# os-matrix: Operating systems to test on (default: 'ubuntu-latest')
# notify-on-failure: Send notifications on failure (default: false)
# slack-webhook: Slack webhook URL for notifications (optional)
# Outputs:
# test-results: Test execution results
# coverage-percentage: Code coverage percentage
# build-status: Overall build status
# Secrets:
# SLACK_WEBHOOK_URL: Optional Slack webhook for failure notifications
# Usage:
# jobs:
# unit-tests:
# uses: org/workflows/.github/workflows/java-ci-secure.yml@v1.0.0
# with:
# java-version: '17'
# maven-opts: '-Xmx4g'
# test-pattern: '**/integration/**'
# os-matrix: 'ubuntu-latest,windows-latest'
# notify-on-failure: true
# secrets:
# SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
# Versioning: Reference by tag for stability.
name: πŸ§ͺ Secure Unit Tests
on:
workflow_call:
inputs:
java-version:
required: false
type: string
default: '25'
maven-opts:
required: false
type: string
default: '-Xmx2g'
test-pattern:
required: false
type: string
default: '**/unit/**'
os-matrix:
required: false
type: string
default: 'ubuntu-latest'
notify-on-failure:
required: false
type: boolean
default: false
outputs:
test-results:
description: "Test execution results summary"
value: ${{ jobs.unit-tests.outputs.test-results }}
coverage-percentage:
description: "Code coverage percentage"
value: ${{ jobs.unit-tests.outputs.coverage-percentage }}
build-status:
description: "Overall build status"
value: ${{ jobs.unit-tests.outputs.build-status }}
secrets:
SLACK_WEBHOOK_URL:
description: "Slack webhook URL for failure notifications"
required: false
jobs:
validate-inputs:
name: πŸ” Validate Inputs
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
java-versions: ${{ steps.validate.outputs.java-versions }}
os-list: ${{ steps.validate.outputs.os-list }}
maven-opts-validated: ${{ steps.validate.outputs.maven-opts-validated }}
steps:
- name: πŸ” Validate Java version
id: validate
run: |
JAVA_VERSION="${{ inputs.java-version }}"
OS_MATRIX="${{ inputs.os-matrix }}"
MAVEN_OPTS="${{ inputs.maven-opts }}"
# Validate Java version
if [[ ! "$JAVA_VERSION" =~ ^(8|11|17|21|22|23|25)$ ]]; then
echo "❌ Invalid Java version: $JAVA_VERSION. Supported: 8, 11, 17, 21, 22, 23, 25"
exit 1
fi
# Validate OS matrix
IFS=',' read -ra OS_ARRAY <<< "$OS_MATRIX"
VALID_OS=()
for os in "${OS_ARRAY[@]}"; do
os=$(echo "$os" | xargs) # trim whitespace
if [[ "$os" =~ ^(ubuntu-latest|ubuntu-20.04|ubuntu-22.04|windows-latest|windows-2019|windows-2022|macos-latest|macos-11|macos-12)$ ]]; then
VALID_OS+=(""$os"")
else
echo "❌ Invalid OS: $os"
exit 1
fi
done
# Validate Maven opts
if [[ ! "$MAVEN_OPTS" =~ ^-X ]]; then
echo "⚠️ Maven opts should start with -X, using default"
MAVEN_OPTS="-Xmx2g"
fi
# Output validated values
OS_JSON="[$(IFS=,; echo "${VALID_OS[*]}")]"
echo "java-versions=["$JAVA_VERSION"]" >> $GITHUB_OUTPUT
echo "os-list=$OS_JSON" >> $GITHUB_OUTPUT
echo "maven-opts-validated=$MAVEN_OPTS" >> $GITHUB_OUTPUT
echo "βœ… Validation completed"
echo " Java: $JAVA_VERSION"
echo " OS: $OS_JSON"
echo " Maven opts: $MAVEN_OPTS"
unit-tests:
name: πŸ§ͺ Tests (${{ matrix.os }}, Java ${{ matrix.java-version }})
runs-on: ${{ matrix.os }}
needs: validate-inputs
permissions:
contents: read
checks: write
pull-requests: write # For coverage comments
strategy:
fail-fast: false
matrix:
os: ${{ fromJson(needs.validate-inputs.outputs.os-list) }}
java-version: ${{ fromJson(needs.validate-inputs.outputs.java-versions) }}
outputs:
test-results: ${{ steps.test-summary.outputs.results }}
coverage-percentage: ${{ steps.coverage.outputs.percentage }}
build-status: ${{ steps.test-summary.outputs.status }}
steps:
- name: πŸ“₯ Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: β˜• Set up JDK ${{ matrix.java-version }}
uses: actions/setup-java@de5a937a1dc73fbc1a67d7d1aa4bebc1082f3190 # v4.2.1
with:
java-version: ${{ matrix.java-version }}
distribution: 'temurin'
- name: πŸ“¦ Cache Maven dependencies
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: πŸ§ͺ Run unit tests with coverage
id: tests
run: |
echo "πŸ§ͺ Running tests with pattern: ${{ inputs.test-pattern }}"
./mvnw test -Dtest="${{ inputs.test-pattern }}" -B -Djacoco.skip=false -Dmaven.test.failure.ignore=true
env:
MAVEN_OPTS: ${{ needs.validate-inputs.outputs.maven-opts-validated }}
continue-on-error: true
- name: πŸ“Š Generate coverage report
id: coverage
run: |
./mvnw jacoco:report -B
# Extract coverage percentage
if [ -f target/site/jacoco/index.html ]; then
COVERAGE=$(grep -o 'Total[^%]*%' target/site/jacoco/index.html | grep -o '[0-9]*%' | head -1 || echo "0%")
echo "percentage=${COVERAGE}" >> $GITHUB_OUTPUT
echo "πŸ“Š Code coverage: $COVERAGE"
else
echo "percentage=0%" >> $GITHUB_OUTPUT
echo "⚠️ No coverage report found"
fi
- name: πŸ“Š Generate test report
uses: dorny/test-reporter@dc3a92680fcc15842eef52e8c4606ea7ce6bd3f3 # v2.1.1
if: always()
with:
name: Unit Tests Results (${{ matrix.os }}, Java ${{ matrix.java-version }})
path: target/surefire-reports/*.xml
reporter: java-junit
fail-on-error: false
- name: πŸ“‹ Test summary
id: test-summary
if: always()
run: |
if [ -f target/surefire-reports/TEST-*.xml ]; then
TOTAL=$(grep -o 'tests="[0-9]*"' target/surefire-reports/TEST-*.xml | grep -o '[0-9]*' | awk '{sum+=$1} END {print sum}' || echo "0")
FAILURES=$(grep -o 'failures="[0-9]*"' target/surefire-reports/TEST-*.xml | grep -o '[0-9]*' | awk '{sum+=$1} END {print sum}' || echo "0")
ERRORS=$(grep -o 'errors="[0-9]*"' target/surefire-reports/TEST-*.xml | grep -o '[0-9]*' | awk '{sum+=$1} END {print sum}' || echo "0")
PASSED=$((TOTAL - FAILURES - ERRORS))
if [ $FAILURES -eq 0 ] && [ $ERRORS -eq 0 ]; then
STATUS="success"
echo "βœ… All tests passed"
else
STATUS="failure"
echo "❌ Tests failed"
fi
RESULTS="Total: $TOTAL, Passed: $PASSED, Failed: $FAILURES, Errors: $ERRORS"
echo "results=$RESULTS" >> $GITHUB_OUTPUT
echo "status=$STATUS" >> $GITHUB_OUTPUT
echo "πŸ“Š Test Results: $RESULTS"
else
echo "results=No test results found" >> $GITHUB_OUTPUT
echo "status=failure" >> $GITHUB_OUTPUT
fi
- name: 🚨 Notify on failure
if: |
failure() &&
inputs.notify-on-failure &&
secrets.SLACK_WEBHOOK_URL != ''
uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
with:
status: failure
webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
text: |
🚨 Java CI Tests Failed
Repository: ${{ github.repository }}
Branch: ${{ github.ref_name }}
OS: ${{ matrix.os }}
Java: ${{ matrix.java-version }}
Actor: ${{ github.actor }}
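Review bot: The `if:` on the notify step (`secrets.SLACK_WEBHOOK_URL != ''`) is what the annotation above rejects — the `secrets` context is not available in a step-level `if`, so the whole workflow file fails to parse and none of its jobs run, which is why even an unrelated dependency bump like this one shows a failed check. Expose the check through the job environment instead: under `unit-tests` add `env:` with `SLACK_WEBHOOK_SET: ${{ secrets.SLACK_WEBHOOK_URL != '' }}` and change the condition to `if: failure() && inputs.notify-on-failure && env.SLACK_WEBHOOK_SET == 'true'`. Separately, `inputs.test-pattern` and `inputs.maven-opts` are interpolated straight into `run:` shell bodies (the `./mvnw test -Dtest="${{ inputs.test-pattern }}"` line and the three assignments at the top of the validate step); passing them via `env:` and referencing `"$TEST_PATTERN"` keeps caller-supplied text out of the shell parser, which is the hardening the validation job is aiming for. If the rendering is faithful, `VALID_OS+=(""$os"")` also appends the bare word rather than a quoted string, so `os-list` becomes `[ubuntu-latest]` and `fromJson` would reject it; `VALID_OS+=("\"$os\"")` produces valid JSON.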