SAP · MatKuhr · Feb 8, 2024 · Jan 4, 2024 · Jan 4, 2024 · Jan 4, 2024
diff --git a/.github/actions/await-workflow/action.yaml b/.github/actions/await-workflow/action.yaml
@@ -0,0 +1,100 @@
+name: "Await Workflow"
+description: "Waits until a workflow run completes."
+
+inputs:
+  run-id:
+    description: "The id of the workflow run to wait for."
+    required: true
+  poll-interval:
+    description: "The interval (in seconds) to poll for the workflow run status."
+    required: false
+    default: "60"
+  commit-status:
+    description: "The commit status message. Leave empty to not create a commit status."
+    required: false
+
+outputs:
+  succeeded:
+    description: "Whether the triggered run succeeded."
+    value: ${{ steps.wait-for-workflow.outputs.RUN_SUCCEEDED }}
+  conclusion:
+    description: "The conclusion of the triggered workflow run."
+    value: ${{ steps.wait-for-workflow.outputs.CONCLUSION }}
+
+runs:
+  using: composite
+  steps:
+    - name: Print Action Input
+      run: |
+        echo "[DEBUG] Starting 'Await Workflow' Action; inputs = ${{ toJson(inputs) }}"
+      shell: bash
+
+    - name: View Run
+      if: ${{ inputs.commit-status != '' }}
+      id: view-run
+      env:
+        GH_TOKEN: ${{ github.token }}
+      run: |
+        JSON=$(gh run view ${{ inputs.run-id }} --json url,headSha)
+        echo "URL=$(echo $JSON | jq -r '.url')" >> $GITHUB_OUTPUT
+        echo "HEAD_SHA=$(echo $JSON | jq -r '.headSha')" >> $GITHUB_OUTPUT
+      shell: bash
+
+    - name: Create Commit Status
+      if: ${{ inputs.commit-status != '' }}
+      uses: actions/github-script@v7
+      with:
+        script: |
+          github.rest.repos.createCommitStatus({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            sha: '${{ steps.view-run.outputs.HEAD_SHA }}',
+            state: 'pending',
+            target_url: '${{ steps.view-run.outputs.URL }}',
+            context: '${{ inputs.commit-status }}'
+          })
+
+    - name: Wait for Workflow to Complete
+      id: wait-for-workflow
+      env:
+        GH_TOKEN: ${{ github.token }}
+      run: |
+        echo "[DEBUG] Waiting for run '${{ inputs.run-id }}' to complete..."
+        gh run watch ${{ inputs.run-id }} --interval ${{ inputs.poll-interval }} > /dev/null
+        CONCLUSION=$(gh run view ${{ inputs.run-id }} --json conclusion | jq -r '.conclusion')
+        
+        echo "CONCLUSION=$CONCLUSION" >> $GITHUB_OUTPUT
+        echo "[DEBUG] Run '${{ inputs.run-id }}' finished with conclusion '$CONCLUSION'."
+        
+        if [[ "$CONCLUSION" != "success" ]]; then
+          echo "RUN_SUCCEEDED=false" >> $GITHUB_OUTPUT
+          exit 1
+        fi
+        
+        echo "RUN_SUCCEEDED=true" >> $GITHUB_OUTPUT
+      shell: bash
+
+    - name: Determine Final Commit Status
+      id: determine-final-commit-status
+      if: ${{ always() && inputs.commit-status != '' }}
+      run: |
+        if [[ "${{ steps.wait-for-workflow.outputs.CONCLUSION }}" == "success" ]]; then
+          echo "FINAL_COMMIT_STATUS=success" >> $GITHUB_OUTPUT
+        else
+          echo "FINAL_COMMIT_STATUS=failure" >> $GITHUB_OUTPUT
+        fi
+      shell: bash
+
+    - name: Update Commit Status
+      if: ${{ always() && inputs.commit-status != '' }}
+      uses: actions/github-script@v7
+      with:
+        script: |
+          github.rest.repos.createCommitStatus({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              sha: '${{ steps.view-run.outputs.HEAD_SHA }}',
+              state: '${{ steps.determine-final-commit-status.outputs.FINAL_COMMIT_STATUS }}',
+              target_url: '${{ steps.view-run.outputs.URL }}',
+              context: '${{ inputs.commit-status }}'
+          })
diff --git a/.github/actions/pr-is-mergeable/action.yaml b/.github/actions/pr-is-mergeable/action.yaml
@@ -0,0 +1,106 @@
+name: "PR Is Mergeable"
+description: "Checks whether the provided PR is approved and all status checks either succeeded or have been skipped"
+
+inputs:
+  pr-ref:
+    description: "The reference (i.e. either number or a branch) of the PR to check"
+    required: true
+  fail-on-unmergeable:
+    description: "Whether to fail the action if the PR is not mergeable"
+    required: false
+    default: "true"
+  repo:
+    description: "The repository of the PR"
+    required: false
+    default: ${{ github.repository }}
+  token:
+    description: "The GitHub access token (with PR read permissions) to access the PR"
+    required: false
+    default: ${{ github.token }}
+  excluded-check-runs:
+    description: "A comma-separated list of workflow names that are excluded from the Check Runs check"
+    required: false
+    default: ${{ github.workflow }}
+
+outputs:
+  pr-number:
+    description: "The number of the PR that was checked"
+    value: ${{ steps.check.outputs.PR_NUMBER }}
+  is-mergeable:
+    description: "Whether the PR is mergeable"
+    value: ${{ steps.check.outputs.RESULT }}
+
+runs:
+  using: composite
+  steps:
+    - name: "Print Action Start"
+      run: echo ">>>>> Starting PR Is Mergeable Action; inputs = ${{ toJson(inputs) }}"
+      shell: bash
+
+    - name: "Check Whether PR Is Mergeable"
+      id: check
+      run: |
+        PR_JSON=$(gh pr view "${{ inputs.pr-ref }}" --repo "${{ inputs.repo }}" --json number,mergeable,reviewDecision,statusCheckRollup)
+        
+        PR_NUMBER=$(jq -r '.number' <<< "$PR_JSON")
+        PR_MERGEABLE=$(jq -r '.mergeable' <<< "$PR_JSON")
+        PR_DECISION=$(jq -r '.reviewDecision' <<< "$PR_JSON")
+        
+        echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT
+        echo "[DEBUG] PR #$PR_NUMBER (in ${{ inputs.repo }}) is mergeable: $PR_MERGEABLE with decision $PR_DECISION"
+        
+        if [[ "$PR_DECISION" != "APPROVED" ]]; then
+          echo "PR #$PR_NUMBER (in ${{ inputs.repo }}) has not been approved."
+          echo "RESULT=false" >> $GITHUB_OUTPUT
+          exit 0
+        fi
+        
+        if [[ "$PR_MERGEABLE" != "MERGEABLE" ]]; then
+          echo "PR #$PR_NUMBER (in ${{ inputs.repo }}) is not mergeable (i.e. there are conflicts)."
+          echo "RESULT=false" >> $GITHUB_OUTPUT
+          exit 0
+        fi
+        
+        PR_CHECKS=$(jq -r '.statusCheckRollup' <<< "$PR_JSON")
+        
+        # check runs are things like our CI pipeline
+        FAILED_CHECK_RUNS=$(jq -r '.[] | select(.__typename == "CheckRun" and .conclusion != "SUCCESS" and .conclusion != "NEUTRAL")' <<< "$PR_CHECKS")
+        IFS=',' read -ra EXCLUDED_WORKFLOWS <<< "${{ inputs.excluded-check-runs }}"
+        for EXCLUDED_WORKFLOW in "${EXCLUDED_WORKFLOWS[@]}"; do
+          if [[ -z "$FAILED_CHECK_RUNS" ]]; then
+            break
+          fi
+        
+          FAILED_CHECK_RUNS=$(jq -r 'select(.workflowName != "$EXCLUDED_WORKFLOW")' <<< "$FAILED_CHECK_RUNS")
+        done
+        
+        if [[ -n "$FAILED_CHECK_RUNS" ]]; then
+          echo "PR #$PR_NUMBER (in ${{ inputs.repo }}) contains failed check runs: "
+          echo "$FAILED_CHECK_RUNS"
+          echo "RESULT=false" >> $GITHUB_OUTPUT
+          exit 0
+        fi
+        
+        # context checks are things like the license agreement check
+        FAILED_CONTEXT_CHECKS=$(jq -r '.[] | select(.__typename == "StatusContext" and .state != "SUCCESS" and .state != "NEUTRAL")' <<< "$PR_CHECKS")
+        if [[ -n "$FAILED_CONTEXT_CHECKS" ]]; then
+          echo "PR #$PR_NUMBER (in ${{ inputs.repo }}) contains failed context checks: "
+          echo "$FAILED_CONTEXT_CHECKS"
+          echo "RESULT=false" >> $GITHUB_OUTPUT
+          exit 0
+        fi
+        
+        echo "RESULT=true" >> $GITHUB_OUTPUT
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.token }}
+
+    - name: "Fail If PR Is Not Mergeable"
+      if: ${{ inputs.fail-on-unmergeable == 'true' && steps.check.outputs.RESULT != 'true' }}
+      run: exit 1
+      shell: bash
+
+    - name: "Print Action End"
+      if: always()
+      run: echo "<<<<< Finished PR Is Mergeable Action"
+      shell: bash
diff --git a/.github/actions/scan-with-blackduck/action.yaml b/.github/actions/scan-with-blackduck/action.yaml
@@ -0,0 +1,37 @@
+name: "Scan with BlackDuck"
+description: "Scans the project with BlackDuck"
+
+runs:
+  using: composite
+  steps:
+    - name: Print Action Start
+      run: echo ">>>>> Starting Scan with BlackDuck Action; inputs = ${{ toJson(inputs) }}"
+      shell: bash
+
+    - name: Get Major Version
+      id: get-major-version
+      run: echo "MAJOR_VERSION=$(cat latest.json | jq -r .version | cut -d '.' -f 1)" >> $GITHUB_OUTPUT
+      shell: bash
+
+    - name: Determine Maven Excludes
+      id: get-maven-excludes-for-blackduck
+      run: python .pipeline/scripts/get-maven-excludes.py --filter-key excludeFromBlackDuckScan --filter-value True
+      shell: bash
+
+    - name: BlackDuck Scan
+      uses: SAP/project-piper-action@master
+      with:
+        command: detectExecuteScan
+        flags: \
+          --version=$PROJECT_VERSION \
+      env:
+        PIPER_token: ${{ secrets.BLACKDUCK_TOKEN }}
+        DETECT_MAVEN_EXCLUDED_MODULES: ${{ steps.get-maven-excludes-for-blackduck.outputs.EXCLUDES }}
+        DETECT_MAVEN_BUILD_COMMAND: -pl ${{ steps.get-maven-excludes-for-blackduck.outputs.PREFIXED_EXCLUDES }}
+        DETECT_TIMEOUT: "7200"
+        PROJECT_VERSION: ${{ steps.get-major-version.outputs.MAJOR_VERSION }}
+
+    - name: Print Action End
+      if: always()
+      run: echo "<<<<< Finished Scan with BlackDuck Action"
+      shell: bash
diff --git a/.github/actions/trigger-workflow/action.yaml b/.github/actions/trigger-workflow/action.yaml
@@ -0,0 +1,67 @@
+name: "Trigger Workflow"
+description: "Triggers a workflow without waiting for it to complete."
+
+inputs:
+  workflow:
+    description: "The workflow file name"
+    required: true
+  workflow-ref:
+    description: "The ref (i.e. branch name, or tag name) where the workflow is located."
+    required: true
+  parameters:
+    description: "The workflow parameters"
+    required: false
+  commit-sha:
+    description: "The commit SHA to trigger the workflow on"
+    required: false
+    default: ${{ github.sha }}
+
+outputs:
+  run-id:
+    description: "The id of the workflow run that was triggered."
+    value: ${{ steps.trigger-workflow.outputs.RUN_ID }}
+  run-url:
+    description: "The url of the workflow run that was triggered."
+    value: ${{ steps.trigger-workflow.outputs.RUN_URL }}
+
+runs:
+  using: composite
+  steps:
+    - name: Print Action Input
+      run: |
+        echo "[DEBUG] Starting 'Trigger Workflow' Action; inputs = ${{ toJson(inputs) }}"
+      shell: bash
+
+    - name: Trigger Workflow
+      id: trigger-workflow
+      env:
+        GH_TOKEN: ${{ github.token }}
+      run: |
+        PREVIOUS_RUN_ID=$(gh run list --workflow=${{ inputs.workflow}} --commit=${{ inputs.commit-sha }} --json databaseId | jq -r '.[0].databaseId')
+        echo "[DEBUG] Previous run id = '$PREVIOUS_RUN_ID'"
+
+        gh workflow run "${{ inputs.workflow }}" --ref "${{ inputs.workflow-ref }}" ${{ inputs.parameters }}
+        # allow for some initial delay as workflows take a moment to spin up
+        sleep 20
+
+        for i in {0..6}; do
+          LATEST_RUN_ID=$(gh run list --workflow=${{ inputs.workflow }} --commit=${{ inputs.commit-sha }} --json databaseId | jq -r '.[0].databaseId')
+
+          if [[ -z "$LATEST_RUN_ID" || "$LATEST_RUN_ID" == "$PREVIOUS_RUN_ID" ]]; then
+            echo "[DEBUG] No new run detected. Waiting for 10 seconds."
+            sleep 10
+          else
+            echo "[DEBUG] New workflow run detected: '$LATEST_RUN_ID'."
+
+            RUN_URL=$(gh run view $LATEST_RUN_ID --json url | jq -r '.url')
+            echo "[DEBUG] ${{ inputs.workflow }} run #$LATEST_RUN_ID successfully triggered: $RUN_URL"
+            echo "[${{ inputs.workflow }} run (#$LATEST_RUN_ID)]($RUN_URL)" >> $GITHUB_STEP_SUMMARY        
+            echo "RUN_ID=$LATEST_RUN_ID" >> $GITHUB_OUTPUT
+            echo "RUN_URL=$RUN_URL" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+        done
+
+        echo "[DEBUG] Unable to detect new run of workflow '${{ inputs.workflow }}'."
+        exit 1
+      shell: bash
diff --git a/.github/workflows/blackduck.yaml b/.github/workflows/blackduck.yaml
@@ -11,44 +11,17 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
-      - uses: actions/checkout@v3
-      - run: git fetch --depth=1
-      - name: Setup java
-        uses: actions/setup-java@v3
-        with:
-          distribution: "temurin"
-          java-version: "17"
-          cache: maven
+      - uses: actions/checkout@v4
+      - name: "Scan With Black Duck"
+        uses: ./.github/actions/scan-with-blackduck
 
-      # Fixme: Use major version from pom once it is 5.x
-      - name: Get SDK Version
-        run: |
-          echo "project_version_NOT_YET_IN_USE=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout | cut -d '.' -f 1)" >> $GITHUB_ENV
-
-      - name: Determine Maven Excludes
-        run: |
-          python .pipeline/scripts/get-maven-excludes.py --filter-key excludeFromBlackDuckScan --filter-value True
-        id: get-maven-excludes-for-blackduck
-
-      - name: Blackduck Scan
-        uses: SAP/project-piper-action@27cadf261545552a68660531476c0915a97ee3d8
-        with:
-          command: detectExecuteScan
-          flags: \
-            --version=$PROJECT_VERSION \
-        env:
-          PIPER_token: ${{ secrets.BLACKDUCK_TOKEN }}
-          DETECT_MAVEN_EXCLUDED_MODULES: ${{ steps.get-maven-excludes-for-blackduck.outputs.EXCLUDES }}
-          DETECT_MAVEN_BUILD_COMMAND: -pl ${{ steps.get-maven-excludes-for-blackduck.outputs.PREFIXED_EXCLUDES }}
-          DETECT_TIMEOUT: 7200
-          PROJECT_VERSION: "5"
   notify-job:
     runs-on: ubuntu-latest
     needs: [ scan ]
     if: ${{ failure() && github.ref == 'refs/heads/main' }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Notify
         run: python .pipeline/scripts/notify.py
         env: