This repository contains reusable workflows for the e-Codex project.

This workflow runs a SonarCloud analysis on a Java project.

```yaml
on:
  push:
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  sonar:
    uses: e-CODEX/workflows/.github/workflows/sonar-java.yaml@main
    with:
      jacoco-xml-report-path: 'target/site/jacoco/jacoco.xml'
      java-version: 21
      build-tool: 'maven'
    secrets: inherit
```

It requires the following inputs:

| Name | Description | Required | Default |
|---|---|---|---|
| `jacoco-xml-report-path` | Path to the coverage report generated by JaCoCo | No | - |
| `java-version` | Java version to use for the analysis. Must be 17 or higher | Yes | 21 |
| `build-tool` | Build tool to use for the analysis. Must be 'maven' or 'gradle' | Yes | 'maven' |

> [!IMPORTANT]
> Building with Gradle requires the use of the Gradle wrapper.

> [!TIP]
> Using `jacoco-xml-report-path` with multi-module projects can be problematic.

It also requires the following secret:

| Name | Description | Required |
|---|---|---|
| `SONAR_TOKEN` | SonarCloud token | Yes |


This workflow runs a Qodana analysis on any project. It requires a `qodana.yaml` in the root and a project token in the repo.

```yaml
on:
  push:
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  qodana:
    uses: e-CODEX/workflows/.github/workflows/qodana.yaml@main
    secrets: inherit
```

It requires the following secret:

| Name | Description | Required |
|---|---|---|
| `QODANA_TOKEN` | Qodana project token | Yes |


This workflow runs a CodeQL analysis on a Java project.

```yaml
on:
  push:
    branches:
      - develop
  pull_request:
    branches:
      - develop
  schedule:
    - cron: '36 15 * * 1'
jobs:
  codeql:
    uses: e-CODEX/workflows/.github/workflows/codeql-java.yaml@main
    with:
      java-version: 21
      build-tool: 'maven'
```

It requires the following inputs:

| Name | Description | Required | Default |
|---|---|---|---|
| `java-version` | Java version to use for the analysis. Must be 17 or higher | Yes | 21 |
| `build-tool` | Build tool to use for the analysis. Must be 'maven' or 'gradle' | Yes | 'maven' |

> [!IMPORTANT]
> Building with Gradle requires the use of the Gradle wrapper.


This workflow runs the Checkstyle linter with our custom configuration based on the Google one. You can set up your IDE to track this config file with the URL: https://raw.githubusercontent.com/e-CODEX/workflows/main/checkstyle.xml

```yaml
on:
  push:
  pull_request:
  merge_group:
name: Java code Checkstyle
jobs:
  checkstyle:
    uses: e-CODEX/workflows/.github/workflows/java-linting.yaml@main
```

This workflow tests a Java project using Maven on multiple operating systems, and creates and publishes a Software Bill of Materials (SBOM) file.
It assumes that the `verify` goal runs the tests, and that the `package` goal creates the artifacts as well as an SBOM file.

```yaml
on:
  push:
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  CI:
    uses: e-CODEX/workflows/.github/workflows/maven-ci.yaml@main
    with:
      java-version: 21
      maven-parameters: '-Djacoco.skip=true'
      sbom-path: 'target/bom.xml'
      artifact-path: 'target/*.jar'
```

It requires the following inputs:

| Name | Description | Required | Default |
|---|---|---|---|
| `java-version` | Java version to use for the build. Tests are run on LTS versions | Yes | 21 |
| `maven-parameters` | Extra parameters to pass to Maven | No | - |
| `sbom-path` | Path to the SBOM file generated by the build | Yes | - |
| `artifact-path` | Path to the artifact generated by the build | Yes | - |

This workflow builds and publishes Docker images to the e-CODEX JFrog registry, following SemVer and GitFlow conventions. It supports multiple tagging strategies and includes security attestation.

```yaml
on:
  push:
    branches:
      - develop
      - main
    tags:
      - 'v*'
jobs:
  docker:
    uses: e-CODEX/workflows/.github/workflows/docker-build-push.yaml@main
    with:
      image-name: 'my-application'
      environment: 'production'
      registry: 'scm.ecodex.eu/docker'
```

It requires the following inputs:

| Name | Description | Required | Default |
|---|---|---|---|
| `image-name` | The name of the Docker image to build and push | Yes | `${{ github.repository }}` |
| `tag` | The tag to checkout (optional) | No | - |
| `environment` | Deployment environment | No | 'development' |
| `registry` | Docker registry to push images to | No | 'scm.ecodex.eu/docker' |

> [!IMPORTANT]
> This workflow requires OIDC authentication to be configured for the JFrog registry.

> [!NOTE]
> The workflow automatically generates different tags:
>
> - `edge` for pushes to develop branch
> - `latest`, semantic version tags (e.g., `1.2.3`, `1.2`, `1`) for version tags
> - Short SHA for all pushes

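
The tag rules in the note above, written out as a shell function. This is an added example, not the workflow's own implementation; `docker_tags` is a hypothetical name, and the strict `vMAJOR.MINOR.PATCH` tag format and the 7-character short SHA are assumptions.

```shell
#!/bin/sh
# Added example: derive the image tags for a push from its Git ref and commit SHA.
# Assumptions (not taken from the workflow source): version tags are exactly
# vMAJOR.MINOR.PATCH, and the short SHA is the first 7 characters of the commit.

docker_tags() {
  ref=$1   # e.g. refs/heads/develop or refs/tags/v1.2.3
  sha=$2   # full commit SHA

  # Short SHA for all pushes. Of the generated tags, this is the only one
  # that names a single commit; the others are moved by later pushes.
  tags=$(printf '%s' "$sha" | cut -c1-7)

  case $ref in
    refs/heads/develop)
      tags="$tags edge"
      ;;
    refs/tags/v*)
      version=${ref#refs/tags/v}
      # Accept only strict MAJOR.MINOR.PATCH so that a malformed or
      # pre-release tag never moves 'latest' or the partial version tags.
      if printf '%s' "$version" |
         grep -Eq '^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$'; then
        major=${version%%.*}
        minor=${version#*.}
        minor=${minor%%.*}
        tags="$tags latest $version $major.$minor $major"
      fi
      ;;
  esac

  printf '%s\n' "$tags"
}

# Constructed sample input (not a real commit).
sample_sha=0123456789abcdef0123456789abcdef01234567
docker_tags refs/heads/develop "$sample_sha"
docker_tags refs/tags/v1.2.3 "$sample_sha"
docker_tags refs/heads/main "$sample_sha"
```
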

This workflow publishes a Maven snapshot to a JFrog Maven repository. It assumes that the `deploy` goal is configured to deploy the artifacts to a repository.
It also assumes that the repository URL is configured in the `pom.xml` file, and that the server ID is the same as the one supplied in the `maven-repo-id` input.

```yaml
on:
  push:
    branches:
      - develop
jobs:
  publish:
    uses: e-CODEX/workflows/.github/workflows/maven-publish-snapshot.yaml@main
    with:
      java-version: 21
      maven-parameters: '-DrepositoryId=artifactory'
      maven-repo-id: 'artifactory'
```

It requires the following inputs:

| Name | Description | Required | Default |
|---|---|---|---|
| `java-version` | Java version to use for the build. | Yes | 21 |
| `maven-parameters` | Extra parameters to pass to Maven | No | - |
| `maven-repo-id` | Maven repository ID | Yes | - |


The Maven release process involves three separate workflows that should be used together:

```yaml
on:
  push:
    branches:
      - main
jobs:
  validate:
    uses: e-CODEX/workflows/.github/workflows/maven-validate-release-version.yaml@main
  tag:
    needs: validate
    uses: e-CODEX/workflows/.github/workflows/maven-tag-release-version.yaml@main
    with:
      environment: 'production'
  publish:
    needs: tag
    uses: e-CODEX/workflows/.github/workflows/maven-publish-release.yaml@main
    with:
      java-version: 21
      maven-repo-id: 'releases'
```

Maven Validate Release Version:

- Checks that the version in `pom.xml` is not a SNAPSHOT
- Verifies that the tag doesn't already exist

Maven Tag Release Version:

- Creates a Git tag based on the version in `pom.xml`
- Pushes the tag to the repository

It requires the following inputs:

| Name | Description | Required | Default |
|---|---|---|---|
| `environment` | Deployment environment | No | 'production' |

Maven Publish Release:

- Publishes the release artifacts to the Maven repository

It requires the following inputs:

| Name | Description | Required | Default |
|---|---|---|---|
| `java-version` | Java version to use for the build | Yes | 21 |
| `maven-parameters` | Extra parameters to pass to Maven | No | - |
| `maven-repo-id` | Maven repository ID | Yes | - |

This workflow runs automated tests for the CTP (Connecting to Performance) system. It can be triggered manually with specific PR and branch information.

```yaml
on:
  workflow_dispatch:
    inputs:
      pr_number:
        description: 'PR Number'
        required: true
        type: string
      branch:
        description: 'Branch name'
        required: true
        type: string
jobs:
  test:
    uses: e-CODEX/workflows/.github/workflows/ctp-automated-testing.yml@main
```

This workflow can also be called by other workflows:

```yaml
jobs:
  ctp-tests:
    uses: e-CODEX/workflows/.github/workflows/ctp-automated-testing.yml@main
```

> [!NOTE]
> This is currently a dummy implementation that simulates test execution.

This workflow scans dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR.

```yaml
on: [pull_request]
jobs:
  dependency-review:
    uses: e-CODEX/workflows/.github/workflows/dependency-review.yml@main
```

> [!IMPORTANT]
> Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.

This is a custom action that installs Graphviz (dot command) on Ubuntu, Windows, or macOS runners.

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Graphviz
        uses: e-CODEX/workflows/.github/actions/install-graphviz@main
      - name: Use dot command
        run: dot -V
```

This workflow checks if the commit messages follow the Conventional Commit format. It does not require any inputs.

```yaml
on:
  push:
  pull_request:
    types: [opened, synchronize]
jobs:
  commitlint:
    uses: e-CODEX/workflows/.github/workflows/commitlint.yaml@main
```