Fix CWE 770 and CWE 835 (#2029) #422
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy snapshots | |
| on: | |
| push: | |
| branches: | |
| - main | |
| workflow_dispatch: { } | |
| jobs: | |
| deploy-snapshots: | |
| name: Deploy snapshot artifacts | |
| runs-on: ubuntu-latest | |
| concurrency: deploy-snapshots | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Import Secrets | |
| id: secrets # important to refer to it in later steps | |
| uses: hashicorp/[email protected] | |
| with: | |
| url: ${{ secrets.VAULT_ADDR }} | |
| method: approle | |
| roleId: ${{ secrets.VAULT_ROLE_ID }} | |
| secretId: ${{ secrets.VAULT_SECRET_ID }} | |
| exportEnv: false # we rely on step outputs, no need for environment variables | |
| secrets: | | |
| secret/data/products/connectors/ci/common DOCKERHUB_USER; | |
| secret/data/products/connectors/ci/common DOCKERHUB_PASSWORD; | |
| secret/data/products/connectors/ci/common ARTIFACTORY_USR; | |
| secret/data/products/connectors/ci/common ARTIFACTORY_PSW; | |
| - name: Restore cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.m2/repository | |
| key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-maven- | |
| - name: Setup Java Build | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '21' | |
| server-id: camunda-nexus | |
| server-username: MAVEN_USERNAME | |
| server-password: MAVEN_PASSWORD | |
| # Use CI Nexus as co-located pull-through cache for Maven artifacts via ~/.m2/settings.xml | |
| - name: 'Create settings.xml' | |
| uses: s4u/[email protected] | |
| with: | |
| githubServer: false | |
| servers: | | |
| [{ | |
| "id": "camunda-nexus", | |
| "username": "${{ steps.secrets.outputs.ARTIFACTORY_USR }}", | |
| "password": "${{ steps.secrets.outputs.ARTIFACTORY_PSW }}" | |
| }] | |
| mirrors: '[{"url": "https://repository.nexus.camunda.cloud/content/groups/internal/", "id": "camunda-nexus", "mirrorOf": "camunda-nexus", "name": "camunda Nexus"}]' | |
| - name: Build Artifacts | |
| run: mvn -B compile generate-sources source:jar javadoc:jar deploy -DskipTests | |
| env: | |
| MAVEN_USERNAME: ${{ steps.secrets.outputs.ARTIFACTORY_USR }} | |
| MAVEN_PASSWORD: ${{ steps.secrets.outputs.ARTIFACTORY_PSW }} | |
| - name: Lint Connector Bundle Dockerfile - SaaS | |
| uses: hadolint/[email protected] | |
| with: | |
| dockerfile: bundle/camunda-saas-bundle/Dockerfile | |
| - name: Lint Connector Bundle Dockerfile - default-bundle | |
| uses: hadolint/[email protected] | |
| with: | |
| dockerfile: bundle/default-bundle/Dockerfile | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| with: | |
| platforms: 'arm64,arm' | |
| - name: Set up Docker Build | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ steps.secrets.outputs.DOCKERHUB_USER }} | |
| password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }} | |
| - name: Build and Push Docker Image tag SNAPSHOT - connector-runtime | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: connector-runtime/connector-runtime-application/ | |
| push: true | |
| tags: camunda/connectors:SNAPSHOT | |
| platforms: linux/amd64,linux/arm64 | |
| provenance: false | |
| - name: Build and Push Docker Image tag SNAPSHOT - bundle-default | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: bundle/default-bundle/ | |
| push: true | |
| tags: camunda/connectors-bundle:SNAPSHOT | |
| platforms: linux/amd64,linux/arm64 | |
| provenance: false | |
| - name: Build and Push Docker Image tag SNAPSHOT - bundle-saas | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: bundle/camunda-saas-bundle/ | |
| push: true | |
| tags: camunda/connectors-bundle-saas:SNAPSHOT | |
| platforms: linux/amd64,linux/arm64 | |
| provenance: false |