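---
# Reusable workflow (workflow_call): compile a Maven project and publish its
# CycloneDX SBOM (target/bom.json) as an artifact, run the test/verify phase
# with a coverage upload, then scan the published SBOM with Trivy and fail on
# CRITICAL/HIGH findings. Callers invoke it with `uses: <repo>/<path>@<ref>`.
name: Maven Build Artifact

on:
  workflow_call:
    inputs:
      java-version:
        description: 'Java version'
        required: false
        default: "17"
        type: string
      java-distribution:
        description: 'Java distribution'
        required: false
        default: "temurin"
        type: string
      mvn-options:
        description: 'Additional maven options'
        required: false
        default: ""
        type: string
      mvn-args:
        description: 'Additional maven args'
        required: false
        default: ""
        type: string

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes to the
# repository, so read-only contents is sufficient. (A called workflow can only
# narrow, never widen, the permissions the caller grants.)
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-20.04
    steps:
      # NOTE(review): the action refs in this file are floating major tags
      # (`@v3`). Pinning each to a full commit SHA (keeping the tag in a trailing
      # comment) is the usual supply-chain hardening; the SHAs must be taken
      # from the upstream repositories rather than written from memory, so the
      # tags are left as-is here.
      - name: Checkout Repo
        uses: actions/checkout@v3

      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          java-version: ${{ inputs.java-version }}
          distribution: ${{ inputs.java-distribution }}
          cache: 'maven'

      # Caller-supplied inputs are passed through the environment instead of
      # being interpolated with ${{ }} into the script: an expression is
      # substituted verbatim before bash runs, so any quotes, `;`, `$(...)` or
      # newlines in the input would be executed as code. An env var is only
      # word-split, never re-parsed as shell syntax.
      - name: Maven Compile
        env:
          MVN_OPTIONS: ${{ inputs.mvn-options }}
        run: |
          # shellcheck disable=SC2086  # unquoted on purpose: option list is word-split
          mvn \
            --no-transfer-progress \
            --batch-mode $MVN_OPTIONS \
            clean compile site

      # The scan job depends on this artifact; failing here (instead of the
      # default "warn") gives a clear error when no SBOM was generated rather
      # than a confusing download failure later.
      - name: Upload SBOM
        uses: actions/upload-artifact@v3
        with:
          name: bom.json
          path: 'target/bom.json'
          if-no-files-found: error

  test-coverage:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v3

      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          java-version: ${{ inputs.java-version }}
          distribution: ${{ inputs.java-distribution }}
          cache: 'maven'

      # Same env-var pass-through as the compile step; see the note there.
      # `mvn-options` go before the phase (Maven CLI flags), `mvn-args` after.
      - name: Maven Verify
        env:
          MVN_OPTIONS: ${{ inputs.mvn-options }}
          MVN_ARGS: ${{ inputs.mvn-args }}
        run: |
          # shellcheck disable=SC2086  # unquoted on purpose: option lists are word-split
          mvn \
            --no-transfer-progress \
            --batch-mode $MVN_OPTIONS \
            clean verify $MVN_ARGS

      # NOTE(review): no upload token is configured, so this relies on
      # tokenless upload. If this workflow is called from a private repository
      # the caller presumably has to forward a token via the `secrets:` block
      # of workflow_call -- confirm against the consuming repositories.
      - name: Upload code coverage
        uses: codecov/codecov-action@v3

  scan:
    name: Scan with Trivy
    needs: build
    # NOTE(review): the other jobs pin ubuntu-20.04; this one floats on
    # ubuntu-latest. Harmless today, but worth aligning so all three jobs
    # change runner images together.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # The Trivy version is pinned, which is good, but the .deb is installed
      # without integrity verification. NOTE(review): record the package's
      # SHA-256 (from the upstream release) and verify it with `sha256sum -c`
      # before `dpkg -i`, so a tampered download cannot install arbitrary code
      # as root on the runner.
      - name: Install Trivy CLI
        run: |
          wget https://github.com/aquasecurity/trivy/releases/download/v0.39.1/trivy_0.39.1_Linux-64bit.deb
          sudo dpkg -i trivy_0.39.1_Linux-64bit.deb

      - uses: actions/download-artifact@v3
        with:
          name: bom.json

      # Exit non-zero on any CRITICAL or HIGH finding so the calling workflow
      # fails; lower severities are reported but do not block.
      - name: Run Trivy with SBOM
        run: trivy sbom --exit-code 1 --severity CRITICAL,HIGH ./bom.json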