java-workflows/.github/workflows/test-workflows.yml at main · techishthoughts-org/java-workflows · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
# .github/workflows/test-workflows.yml
# Purpose: Test and validate all reusable workflows
# This workflow validates the reusable workflows to ensure they work correctly

name: 🧪 Test Reusable Workflows

on:
  push:
    branches: [ main ]
    paths:
      - '.github/workflows/**'
      - '.github/actions/**'
  pull_request:
    branches: [ main ]
    paths:
      - '.github/workflows/**'
      - '.github/actions/**'
  workflow_dispatch:

permissions:
  contents: read

jobs:
  validate-yaml:
    name: ✅ Validate YAML Syntax
    runs-on: ubuntu-latest
    steps:
      - name: 📥 Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: 🛠️ Install YAML tooling
        run: |
          python3 -m pip install --upgrade pip
          python3 -m pip install --quiet pyyaml

      - name: 🔍 Validate Workflow YAML
        run: |
          echo "🔍 Validating workflow YAML files..."
          for file in .github/workflows/*.yml; do
            echo "Validating $file"
            python3 -c "import yaml; yaml.safe_load(open('$file', 'r'))"
            echo "✅ $file is valid"
          done

      - name: 🔍 Validate Action YAML
        run: |
          echo "🔍 Validating action YAML files..."
          for file in .github/actions/*/action.yml; do
            echo "Validating $file"
            python3 -c "import yaml; yaml.safe_load(open('$file', 'r'))"
            echo "✅ $file is valid"
          done

  security-scan:
    name: 🔒 Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: 📥 Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: 🔍 Check for hardcoded secrets
        run: |
          echo "🔍 Scanning for potential secrets..."
          SCAN_RESULTS=$(grep -R -n -i -E "(password|secret|token)[[:space:]]*[:=][[:space:]]*[^[:space:]\$]" .github/workflows/ .github/actions/ 2>/dev/null || true)

          # Ignore references to GitHub secrets, documented descriptions, and other safe patterns
          FILTERED_RESULTS=$(echo "$SCAN_RESULTS" |
            grep -vi -E '^[[:space:]]*#' |
            grep -vi -E '\\b(description|example|placeholder)\\b' |
            grep -vi -E 'hashfiles\(|github\\.token|GITHUB_TOKEN|SLACK_WEBHOOK_URL|AWS_(ACCESS|SECRET)_KEY|SNYK_TOKEN|AZURE_CREDENTIALS|KUBECONFIG' |
            grep -vi -E 'id-token:[[:space:]]+write' |
            grep -vi -E 'server-password:[[:space:]]+MAVEN_PASSWORD' |
            grep -vi -E 'SCAN_RESULTS=|FILTERED_RESULTS=|grep -vi -E' |
            grep -vi -E '^$' || true)

          if [ -n "$FILTERED_RESULTS" ]; then
            echo "⚠️ Potential secrets found in workflow files"
            echo "$FILTERED_RESULTS"
            exit 1
          else
            echo "✅ No hardcoded secrets found"
          fi

      - name: 🔍 Check for SHA-pinned actions
        run: |
          echo "🔍 Checking for SHA-pinned actions..."
          for file in .github/workflows/*.yml .github/actions/*/action.yml; do
            if grep -q "uses:.*@[a-f0-9]\{40\}" "$file"; then
              echo "✅ $file uses SHA-pinned actions"
            else
              echo "⚠️ $file may not use SHA-pinned actions"
            fi
          done

  test-composite-actions:
    name: 🔧 Test Composite Actions
    runs-on: ubuntu-latest
    steps:
      - name: 📥 Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: 🔧 Test Java & Maven Setup
        uses: ./.github/actions/setup-java-maven
        with:
          java-version: '25'
          maven-version: '3.8.8'

      - name: ✅ Verify Java Setup
        run: |
          java -version
          mvn -version
          echo "✅ Java and Maven setup verified"

  validate-workflow-structure:
    name: 📋 Validate Workflow Structure
    runs-on: ubuntu-latest
    steps:
      - name: 📥 Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: 🔍 Check workflow files exist
        run: |
          echo "🔍 Checking required workflow files..."
          required_workflows=(
            "java-ci-secure.yml"
            "auto-tag-enhanced.yml"
            "auto-delete-branch-enhanced.yml"
            "dependabot-auto-merge-enhanced.yml"
            "release-workflows.yml"
          )

          for workflow in "${required_workflows[@]}"; do
            if [ -f ".github/workflows/$workflow" ]; then
              echo "✅ $workflow exists"
            else
              echo "❌ $workflow missing"
              exit 1
            fi
          done

      - name: 🔍 Check action files exist
        run: |
          echo "🔍 Checking required action files..."
          required_actions=(
            "setup-java-maven/action.yml"
            "docker-build-push/action.yml"
          )

          for action in "${required_actions[@]}"; do
            if [ -f ".github/actions/$action" ]; then
              echo "✅ $action exists"
            else
              echo "❌ $action missing"
              exit 1
            fi
          done

      - name: 🔍 Validate workflow_call triggers
        run: |
          echo "🔍 Checking workflow_call triggers..."
          for file in .github/workflows/*.yml; do
            if grep -q "workflow_call:" "$file"; then
              echo "✅ $file has workflow_call trigger"
            else
              echo "⚠️ $file may not be reusable (no workflow_call)"
            fi
          done