Merge branch 'main' of https://github.com/jcputney/magika-java #7
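# NOTE(review): every `uses:` below references a mutable tag (vN). Because this
# workflow holds `security-events: write`, prefer pinning each action to a full
# commit SHA (Dependabot can keep the pins current) so a retagged or hijacked
# release cannot run arbitrary code with that token.
name: Dependency-Check
on:
  push:
    branches: [main]
  schedule:
    # Weekly Tuesday 09:30 ET (13:30 UTC). Offset from CodeQL's Monday cron so
    # a slow NVD API morning doesn't pile both onto the same hour.
    - cron: '30 13 * * 2'
  workflow_dispatch:
# Least privilege: the job only reads the source and uploads scan results.
# `actions: read` is what upload-sarif asks for (it only matters on private
# repositories). Nothing here needs to write contents.
permissions:
  contents: read
  security-events: write
  actions: read
jobs:
  scan:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v6
        with:
          # The job never pushes, so do not leave GITHUB_TOKEN in .git/config
          # where a later step (Maven plugins, dependency-check itself) could
          # read it; that token can write to the Security tab.
          persist-credentials: false
      - uses: actions/setup-java@v5
        with:
          distribution: temurin
          java-version: '17'
      - uses: actions/cache@v5
        with:
          path: ~/.m2/repository
          key: maven-depcheck-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            maven-depcheck-
      # NVD data cache: pom.xml relocates the dependency-check dataDirectory
      # to ~/.cache/dependency-check-data so this cache path is disjoint from
      # the ~/.m2/repository cache above (overlapping paths cause redundant
      # storage and unpredictable restores). Key on ISO year-week (`%G-%V`)
      # so every run within the same week (push to main, cron, manual
      # dispatch — this workflow has no pull_request trigger) shares one
      # entry; the weekly cron naturally rolls to a new key, refreshing the
      # NVD feed, and the restore-key prefix seeds it from last week's data.
      - name: Compute weekly cache bucket
        id: cachekey
        run: echo "week=$(date -u +%G-%V)" >> "$GITHUB_OUTPUT"
      - uses: actions/cache@v5
        with:
          path: ~/.cache/dependency-check-data
          key: depcheck-nvd-${{ runner.os }}-${{ steps.cachekey.outputs.week }}
          restore-keys: |
            depcheck-nvd-${{ runner.os }}-
      - name: Run dependency-check
        # The `security` Maven profile (in pom.xml, not visible here) is what
        # binds dependency-check to `verify`; everything unrelated to the
        # scan is skipped so a formatting or license nit cannot mask a CVE
        # finding. The API key expansion is quoted so the argument survives
        # word-splitting unchanged.
        run: |
          mvn -B -ntp -P security \
            -DskipTests=true \
            -Dspotless.check.skip=true \
            -Dlicense.skip=true \
            ${NVD_API_KEY:+"-DnvdApiKey=$NVD_API_KEY"} \
            verify
        env:
          # Optional: set NVD_API_KEY in repo secrets to lift NVD rate limits.
          # Without it, the job still works but is slower on cold caches.
          # The key is passed to Maven as a JVM system property, i.e. on the
          # command line: GitHub masks it in logs, but it is visible to any
          # other process on the runner for the life of the build.
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
      - name: Upload SARIF to GitHub Security tab
        # Upload even when the scan step fails (e.g. a CVSS threshold tripped),
        # but not on a cancelled run, and only if a report was actually
        # written — otherwise this step fails on the missing file and hides
        # the real error from the scan step.
        if: >-
          ${{ !cancelled() &&
          hashFiles('target/dependency-check/dependency-check-report.sarif') != '' }}
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: target/dependency-check/dependency-check-report.sarif
          category: dependency-check
      - name: Upload HTML/JSON report
        # Keep the human-readable reports for triage even on a failed scan.
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v7
        with:
          name: dependency-check-report
          path: target/dependency-check/
          retention-days: 14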