Skip to content

Add lib / package constraint to address snyk vulnerability #3051

Add lib / package constraint to address snyk vulnerability

Add lib / package constraint to address snyk vulnerability #3051

# This workflow will build a Java project with Gradle
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle
name: Run Service Tests (MariaDB)
on:
push:
branches: [ main ]
paths-ignore:
- 'README.md'
- 'docs/**'
pull_request:
branches: [ '**' ]
paths-ignore:
- 'README.md'
- 'docs/**'
workflow_dispatch:
jobs:
test:
runs-on: ubuntu-latest
services:
mariadb:
image: mariadb:10.4
env:
MARIADB_ROOT_PASSWORD: rootpwd
options: >-
--health-cmd "mysqladmin ping"
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:3306
if: "!contains( github.event.sender.login, 'broadbot')"
steps:
- uses: actions/checkout@v4
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: 17
distribution: 'temurin'
- name: Initialize Maria DB
env:
MARIADB_ROOT_PASSWORD: rootpwd
run: mysql --host=127.0.0.1 --port=5432 --user=root --password=$MARIADB_ROOT_PASSWORD < ./service/local-dev/local-mariadb-init.sql
- name: Cache Gradle packages
uses: actions/cache@v4
with:
path: |
~/.gradle/caches
~/.gradle/wrapper
key: v1-${{ runner.os }}-gradle-${{ hashfiles('**/gradle-wrapper.properties') }}-${{ hashFiles('**/*.gradle') }}
restore-keys: v1-${{ runner.os }}-gradle-${{ hashfiles('**/gradle-wrapper.properties') }}
- name: Pull credentials
id: pull_credentials
run: |
# For security reasons, Broad prefers we read GHA secrets instead of reading from vault.
# This step does the equivalent of the pull-credentials.sh script.
# On local machines, the script fetches a SA from Vault.
# In GH actions, the SA key is stored in a GH repo secret.
# Regardless of how it was fetched, tests and scripts expect these
# keys to be stored in rendered/.
mkdir -p rendered/broad/
echo "$TEST_PROJECT_SA_KEY" > rendered/broad/tanagra_sa.json
env:
TEST_PROJECT_SA_KEY: ${{ secrets.TEST_PROJECT_SA_KEY }}
- name: Gradle Build and Check
# The check task includes the build, test and static analysis tasks.
run: ./gradlew service:check --scan
env:
DBMS: mariadb
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GOOGLE_APPLICATION_CREDENTIALS: ../rendered/broad/tanagra_sa.json
- name: Jib build
# Check that jib builds a docker container.
run: ./gradlew service:jibDockerBuild --scan