From a1948fb431370995ae8d210c7e4f9e5ff7a41019 Mon Sep 17 00:00:00 2001
From: Nir Peleg
Date: Sat, 31 Jan 2026 16:17:26 +0200
Subject: [PATCH] modify workflow
---
 .github/workflows/build-publish-scan.yml | 74 +++++++++---------------
 1 file changed, 27 insertions(+), 47 deletions(-)
diff --git a/.github/workflows/build-publish-scan.yml b/.github/workflows/build-publish-scan.yml
index 63a297453..8ac50f4cd 100644
--- a/.github/workflows/build-publish-scan.yml
+++ b/.github/workflows/build-publish-scan.yml
@@ -9,72 +9,52 @@ on: permissions: contents: read pull-requests: write + id-token: write # Required for OIDC jobs: - build-publish: - name: Build and Publish + build-publish-scan: # Combined into one job for better OIDC context and speed + name: Build, Publish, and Scan runs-on: ubuntu-latest - strategy: - matrix: - java: [ '17' ] - + steps: - name: Checkout uses: actions/checkout@v4 - - name: Set up JDK ${{ matrix.java }} + - name: Set up JDK 17 uses: actions/setup-java@v4 with: - java-version: ${{ matrix.java }} - distribution: temurin + java-version: '17' + distribution: 'temurin' cache: maven + # 1. Setup CLI with OIDC + - name: Set up JFrog CLI + uses: jfrog/setup-jfrog-cli@v4 # Use v4 for better OIDC support + env: + JF_URL: ${{ secrets.JF_URL }} + with: + oidc-provider-name: github-oidc + oidc-audience: jfrog-github + - name: Build with Maven run: ./mvnw -B -DskipTests package - - name: Set up JFrog CLI - uses: jfrog/setup-jfrog-cli@v2 - with: - version: latest - - - name: Configure JFrog CLI - env: - JF_URL: ${{ secrets.JF_URL }} - JF_USER: ${{ secrets.JF_USER }} - JF_PASSWORD: ${{ secrets.JF_PASSWORD }} - run: | - jfrog rt config --url "$JF_URL" --user "$JF_USER" --password "$JF_PASSWORD" --interactive=false - + # 2. 
Upload using the modern 'jf' command - name: Publish artifact to Artifactory - env: - JF_REPO: ${{ secrets.JF_REPO }} run: | - # Upload built artifacts (adjust path/pattern if needed) - jfrog rt u "target/*.jar" "$JF_REPO/{{ github.repository }}-${{ github.run_number }}/" --flat=false - # Publish build-info so Xray can scan the published build - jfrog rt bp build-publish-scan ${{ github.run_number }} + # Use 'jf rt upload' which uses the OIDC config automatically + jf rt u "target/*.jar" "${{ secrets.JF_REPO }}/${{ github.run_number }}/" --build-name=maven-build --build-number=${{ github.run_number }} + + # Publish Build Info so Xray knows what to scan + jf rt bp maven-build ${{ github.run_number }} - frogbot-scan: - name: Run Frogbot Xray Scan - needs: build-publish - runs-on: ubuntu-latest - steps: - - name: Run Frogbot + # 3. Trigger the Scan via Frogbot + - name: Run Frogbot Scan uses: jfrog/frogbot@v2 env: - # Mandatory: JFrog platform URL JF_URL: ${{ secrets.JF_URL }} - - # Mandatory: token to allow Frogbot to post PR comments (use built-in GITHUB_TOKEN) JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - # Optional: Xray Watches to apply - JF_WATCHES: "build-watch" - - # Optional: Show all vulnerabilities - JF_INCLUDE_ALL_VULNERABILITIES: "true" - + # Frogbot will pick up the OIDC configuration from the 'with' block below with: - version: latest - oidc-provider-name: github-oidc - oidc-audience: jfrog-github + oidc-provider-name: github-oidc + oidc-audience: jfrog-github \ No newline at end of file
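Review bot: The rewritten `Publish artifact to Artifactory` step interpolates `${{ secrets.JF_REPO }}` directly into the `run:` script, whereas the lines it replaces passed the repository name through `env:` as `$JF_REPO`; expression interpolation substitutes the value into the shell text before the shell runs it, so keep the `env:` indirection and write `env:` / `JF_REPO: ${{ secrets.JF_REPO }}` / `jf rt u "target/*.jar" "$JF_REPO/${{ github.run_number }}/" --build-name=maven-build --build-number=${{ github.run_number }}`. The same step also drops `--flat=false`, which changes where the jars land under the run-number folder, so a one-line comment stating that the flat layout is intended would help the next reader. `id-token: write` is added to the workflow-level `permissions:` block above `jobs:`; since only this job needs the OIDC token, a job-level `permissions:` block would keep that grant scoped if more jobs are added later. The `on:` trigger block lies above the hunk, so whether Frogbot runs in the pull-request context its `JF_GIT_TOKEN` comment posting relies on cannot be checked from here.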