Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/09/09 07:11:58 UTC

[GitHub] [pulsar] nicoloboschi opened a new pull request, #17568: [ci] Move owasp check into the main workflow

nicoloboschi opened a new pull request, #17568:
URL: https://github.com/apache/pulsar/pull/17568

   ### Motivation
   
   Currently for every pull a new runner is requested to run the OWASP check. If your pull doesn't change a pom.xml file, the workflow exits without doing anything.
   Moving it inside the main workflow will bring these benefits:
   - The runner will be created only if actually necessary
   - The artifacts will be reused from the main build step
   
   ### Modifications
   
   * Moved inside Pulsar CI workflow
   * Added a new changes filter `need_owasp`. I thought to use `poms_only` initially but it may be misleading since it also checks for OWASP suppression files.
   
   - [x] `doc-not-needed` 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [pulsar] nicoloboschi merged pull request #17568: [ci] Move owasp check into the main workflow

Posted by GitBox <gi...@apache.org>.
nicoloboschi merged PR #17568:
URL: https://github.com/apache/pulsar/pull/17568




[GitHub] [pulsar] nicoloboschi commented on a diff in pull request #17568: [ci] Move owasp check into the main workflow

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on code in PR #17568:
URL: https://github.com/apache/pulsar/pull/17568#discussion_r966719190


##########
.github/workflows/pulsar-ci.yaml:
##########
@@ -126,6 +128,79 @@ jobs:
         with:
           action: wait
 
+  owasp-dep-check:
+    name: OWASP dependency check
+    runs-on: ubuntu-20.04
+    timeout-minutes: 120
+    needs: [ 'changed_files_job', 'build-and-license-check' ]
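
Review bot: The `needs: [ 'changed_files_job', 'build-and-license-check' ]` line ties the dependency scan to the build result, so when `build-and-license-check` fails or is skipped this job is skipped as well, and a pull request that changes a pom.xml then reports no OWASP result at all. If that is intended, a short comment above `needs` saying so would help, and whoever reads the checks should not take a skipped `owasp-dep-check` for a clean scan.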

Review Comment:
   It makes sense. I modified it. It's better after the integration tests and in parallel with system-tests to make sure contributors will have the result at the same time for the system tests and the OWASP check.





[GitHub] [pulsar] lhotari commented on a diff in pull request #17568: [ci] Move owasp check into the main workflow

Posted by GitBox <gi...@apache.org>.
lhotari commented on code in PR #17568:
URL: https://github.com/apache/pulsar/pull/17568#discussion_r966705931


##########
.github/workflows/pulsar-ci.yaml:
##########
@@ -126,6 +128,79 @@ jobs:
         with:
           action: wait
 
+  owasp-dep-check:
+    name: OWASP dependency check
+    runs-on: ubuntu-20.04
+    timeout-minutes: 120
+    needs: [ 'changed_files_job', 'build-and-license-check' ]
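
Review bot: `timeout-minutes: 120` gives the `owasp-dep-check` job a two-hour ceiling with no explanation of why it needs that long. A comment stating the expected runtime, or a tighter limit, would make a hung scan fail sooner and free the runner that this change is trying to save.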

Review Comment:
   I wonder if this should be postponed to happen after the integration tests, just so that we don't run this if something fails.



##########
.github/workflows/pulsar-ci.yaml:
##########
@@ -126,6 +128,79 @@ jobs:
         with:
           action: wait
 
+  owasp-dep-check:
+    name: OWASP dependency check
+    runs-on: ubuntu-20.04
+    timeout-minutes: 120
+    needs: [ 'changed_files_job', 'build-and-license-check' ]
+    if: ${{ needs.changed_files_job.outputs.need_owasp == 'true' }}
+
+    steps:
+      - name: checkout
+        uses: actions/checkout@v2
+
+      - name: Tune Runner VM
+        uses: ./.github/actions/tune-runner-vm
+
+      - name: Setup ssh access to build runner VM
+        # ssh access is enabled for builds in own forks
+        if: ${{ github.repository != 'apache/pulsar' }}
+        uses: ./.github/actions/ssh-access
+        with:
+          limit-access-to-actor: true
+
+      - name: Cache Maven dependencies
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/.m2/repository/*/*/*
+            !~/.m2/repository/org/apache/pulsar
+          key: ${{ runner.os }}-m2-dependencies-core-modules-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-m2-dependencies-core-modules-
+
+      - name: Set up JDK ${{ matrix.jdk || '17' }}
+        uses: actions/setup-java@v2
+        with:
+          distribution: 'temurin'
+          java-version: ${{ matrix.jdk || '17' }}
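
Review bot: The `uses:` lines reference `actions/checkout@v2`, `actions/cache@v2` and `actions/setup-java@v2` by tag, and a tag can be moved to different code after this workflow has been reviewed. For a job whose purpose is a dependency security check, pinning each action to a full commit SHA, with the version kept in a trailing comment, keeps the code that runs on the runner fixed.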

Review Comment:
   I guess there's no `matrix.jdk` in this case; perhaps better to remove it.


