Workflow update (#399)

- Migrates to Setup Gradle action
- Removes generated DEPENDECIES file
- Adds license verification and reporting plugin
- Adds SBOM plugin
- Adds Nexus publishing plugin
- Includes LICENSE in META-INF
- Includes dependency licenses in META-INF
- Includes SBOM in META-INF
- Changes release workflow to automatically close Nexus repository

{patch}

Signed-off-by: Esta Nagy <nagyesta@gmail.com>

.github/workflows/add-index-exclusion.yml

@@ -14,22 +14,24 @@ jobs:
     name: Add OSS Index Exclusion action
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - name: Checkout
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
           token: ${{ secrets.PUBLISH_KEY }}
-      - name: "Add exclusion"
+      - name: Add exclusion
         run: |
           echo "${{ github.event.inputs.exclusion }}" >> config/ossindex/exclusions.txt
-      - name: "git branch"
+      - name: Create git branch
         run: |
           git config --global user.name 'Esta Nagy'
           git config --global user.email 'nagyesta@gmail.com'
           git checkout -b feature/exclude-vulnerability-run-${{ github.run_number }}
           git add config/ossindex/exclusions.txt
           git commit -asm "Excluding vulnerability ${{ github.event.inputs.exclusion }} {patch}"
           git push -f --set-upstream origin feature/exclude-vulnerability-run-${{ github.run_number }}
-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      - name: Create PR
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{ secrets.PUBLISH_KEY }}
           script: |

.github/workflows/codeql-analysis.yml

@@ -48,7 +48,6 @@ on:
       - '.github/pr-labeler.yml'
       - 'renovate.json'
       - '.whitesource'
-      - 'gradle/libs.versions.toml'
 
 permissions:
   # required for all workflows
@@ -77,18 +76,13 @@ jobs:
         uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
         with:
           languages: 'java'
-          # If you wish to specify custom queries, you can do so here or in a config file.
-          # By default, queries listed here will override any specified in a config file.
-          # Prefix the list here with "+" to use these queries and those in the config file.
-          # queries: ./path/to/local/query, your-org/your-repo/queries@main
-      - name: Build with Gradle
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
+      - name: Set up Gradle
+        uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
         with:
           cache-disabled: true
-          arguments: build -x test
+      - name: Build with Gradle
+        run: ./gradlew build -x test
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
       - name: Check OSS Index with Gradle
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
-        with:
-          arguments: ossIndexAudit -PossIndexUsername=${{ secrets.OSS_INDEX_USER }} -PossIndexPassword=${{ secrets.OSS_INDEX_PASSWORD }}
+        run: ./gradlew ossIndexAudit -PossIndexUsername=${{ secrets.OSS_INDEX_USER }} -PossIndexPassword=${{ secrets.OSS_INDEX_PASSWORD }}

.github/workflows/gradle-ci.yml

@@ -29,7 +29,6 @@ on:
       - '.github/pr-labeler.yml'
       - 'renovate.json'
       - '.whitesource'
-      - 'gradle/libs.versions.toml'
       - 'config/ossindex/exclusions.txt'
 
 permissions: read-all
@@ -41,7 +40,8 @@ jobs:
 
     steps:
       # Set up build environment
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - name: Checkout
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
       - name: Set up JDK 17
@@ -53,19 +53,19 @@ jobs:
         run: |
           mkdir -p ${{ runner.temp }}/.gnupg/
           echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}" | base64 --decode > ${{ runner.temp }}/.gnupg/secring.gpg
+      - name: Set up Gradle
+        uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
       - name: Build with Gradle
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
-        with:
-          arguments: |
-            printVersion build sign
-            -Psigning.keyId=${{ secrets.SIGNING_KEY_ID }}
-            -Psigning.password=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
-            -Psigning.secretKeyRingFile=${{ runner.temp }}/.gnupg/secring.gpg
-      - name: 'Clean-up GPG key'
+        run: >
+          ./gradlew printVersion build sign
+          -Psigning.keyId=${{ secrets.SIGNING_KEY_ID }}
+          -Psigning.password=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
+          -Psigning.secretKeyRingFile=${{ runner.temp }}/.gnupg/secring.gpg
+      - name: Clean-up GPG key
         if: always()
         run: |
           rm -rf ${{ runner.temp }}/.gnupg/
-      - name: 'Upload Test reports'
+      - name: Upload Test reports
         if: always()
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:

.github/workflows/gradle-oss-index-scan.yml

@@ -22,7 +22,7 @@ jobs:
         with:
           distribution: temurin
           java-version: 17
+      - name: Set up Gradle
+        uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
       - name: Check dependencies with Gradle
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
-        with:
-          arguments: ossIndexAudit -PossIndexUsername=${{ secrets.OSS_INDEX_USER }} -PossIndexPassword=${{ secrets.OSS_INDEX_PASSWORD }}
+        run: ./gradlew ossIndexAudit -PossIndexUsername=${{ secrets.OSS_INDEX_USER }} -PossIndexPassword=${{ secrets.OSS_INDEX_PASSWORD }}

.github/workflows/gradle.yml

@@ -38,9 +38,11 @@ jobs:
 
     steps:
       # Set up build environment
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - name: Checkout
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
+          token: ${{ secrets.PUBLISH_KEY }}
       - name: Set up JDK 17
         uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
         with:
@@ -50,20 +52,21 @@ jobs:
         run: |
           mkdir -p ${{ runner.temp }}/.gnupg/
           echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}" | base64 --decode > ${{ runner.temp }}/.gnupg/secring.gpg
-      - name: Build with Gradle and publish
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
+      - name: Set up Gradle
+        uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
         with:
           gradle-home-cache-cleanup: true
-          arguments: |
-            build tagVersion publish
-            -PgithubUser=${{ secrets.PUBLISH_USER_NAME }}
-            -PgithubToken=${{ secrets.PUBLISH_KEY }}
-            -PossrhUsername=${{ secrets.OSSRH_USER }}
-            -PossrhPassword=${{ secrets.OSSRH_PASS }}
-            -Psigning.keyId=${{ secrets.SIGNING_KEY_ID }}
-            -Psigning.password=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
-            -Psigning.secretKeyRingFile=${{ runner.temp }}/.gnupg/secring.gpg
-      - name: 'Clean-up GPG key'
+      - name: Build with Gradle and publish
+        run: >
+          ./gradlew build tagVersion publish publishToSonatype closeSonatypeStagingRepository
+          -PgithubUser=${{ secrets.PUBLISH_USER_NAME }}
+          -PgithubToken=${{ secrets.PUBLISH_KEY }}
+          -PossrhUsername=${{ secrets.OSSRH_USER }}
+          -PossrhPassword=${{ secrets.OSSRH_PASS }}
+          -Psigning.keyId=${{ secrets.SIGNING_KEY_ID }}
+          -Psigning.password=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
+          -Psigning.secretKeyRingFile=${{ runner.temp }}/.gnupg/secring.gpg
+      - name: Clean-up GPG key
         if: always()
         run: |
           rm -rf ${{ runner.temp }}/.gnupg/

.github/workflows/pr-labeler.yml

@@ -9,7 +9,8 @@ jobs:
   pr-labeler:
     runs-on: ubuntu-latest
     steps:
-      - uses: TimonVS/pr-labeler-action@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af # v5.0.0
+      - name: Label PR
+        uses: TimonVS/pr-labeler-action@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af # v5.0.0
         with:
           configuration-path: .github/pr-labeler.yml # optional, .github/pr-labeler.yml is the default value
         env:

.github/workflows/release-trigger.yml

@@ -20,11 +20,12 @@ jobs:
     name: Release trigger action
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - name: Checkout
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
           token: ${{ secrets.PUBLISH_KEY }}
-      - name: "Check existing tag"
+      - name: Check existing tag
         id: check
         run: |
           echo "::set-output name=has_tag::$(git log --format='format:%d' --decorate-refs="refs/tags/v*" -n 1 | grep tag | wc -l)"
@@ -35,11 +36,11 @@ jobs:
           echo "Execution: ${{ github.event.inputs.execution }}"
           echo "---"
           echo "Should run: ${{ steps.check.outputs.has_tag == 0 || github.event.inputs.execution == 'Manual' }}"
-      - name: "Update trigger"
+      - name: Update trigger
         if: ${{ steps.check.outputs.has_tag == 0 || github.event.inputs.execution == 'Manual' }}
         run: |
           date +%s > .release-trigger
-      - name: "git branch"
+      - name: Create git branch
         if: ${{ steps.check.outputs.has_tag == 0 || github.event.inputs.execution == 'Manual' }}
         run: |
           git config --global user.name 'Esta Nagy'
@@ -48,7 +49,8 @@ jobs:
           git add .release-trigger
           git commit -asm "Triggering a release {patch}"
           git push -f --set-upstream origin release/run-${{ github.run_number }}
-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      - name: Create PR
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         if: ${{ steps.check.outputs.has_tag == 0 || github.event.inputs.execution == 'Manual' }}
         with:
           github-token: ${{ secrets.PUBLISH_KEY }}

.github/workflows/update-dependency-checksums.yml

@@ -9,7 +9,8 @@ jobs:
     name: Dependency checksum compaction action
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - name: Checkout
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
           token: ${{ secrets.PUBLISH_KEY }}
@@ -18,22 +19,24 @@ jobs:
         with:
           distribution: temurin
           java-version: 17
-      - name: "Remove previous version"
+      - name: Remove previous version
         run: cp gradle/verification-metadata-clean.xml gradle/verification-metadata.xml
-      - name: "Update checksums"
-        uses: gradle/gradle-build-action@4c39dd82cd5e1ec7c6fa0173bb41b4b6bb3b86ff # v3.3.2
+      - name: Set up Gradle
+        uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
         with:
           cache-disabled: true
-          arguments: --write-verification-metadata sha256
-      - name: "Git commit"
+      - name: Update checksums
+        run: ./gradlew help licensee --write-verification-metadata sha256
+      - name: Git commit
         run: |
           git config --global user.name 'Esta Nagy'
           git config --global user.email 'nagyesta@gmail.com'
           git checkout -b feature/update-dependency-checksums-${{ github.run_number }}
           git add gradle/verification-metadata.xml
           git commit -asm "Updating dependency checksums {patch}"
           git push -f --set-upstream origin feature/update-dependency-checksums-${{ github.run_number }}
-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      - name: Create PR
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{ secrets.PUBLISH_KEY }}
           script: |

build.gradle

@@ -9,6 +9,9 @@ plugins {
     alias(libs.plugins.versioner)
     alias(libs.plugins.index.scan)
     alias(libs.plugins.owasp.dependencycheck)
+    alias(libs.plugins.cyclonedx.bom)
+    alias(libs.plugins.licensee.plugin)
+    alias(libs.plugins.nexus.publish.plugin)
 }
 
 group = 'com.github.nagyesta'
@@ -90,22 +93,36 @@ dependencies {
     testImplementation libs.logback.classic
 }
 
-tasks.register('copyLicense', Copy.class) {
-    from file("${projectDir}/LICENSE")
-    into layout.buildDirectory.dir("resources/main/META-INF").get().asFile
+cyclonedxBom {
+    includeConfigs = ["runtimeClasspath"]
+    skipConfigs = ["compileClasspath", "testCompileClasspath"]
+    skipProjects = []
+    projectType = project.name == "lowkey-vault-app" ? "application" : "library"
+    schemaVersion = "1.5"
+    destination = file("build/reports")
+    outputName = "bom"
+    outputFormat = "json"
 }
-tasks.register('copyDependencies', Copy.class) {
-    from file("${projectDir}/DEPENDENCIES")
+
+licensee {
+    allow("Apache-2.0")
+    allow("MIT")
+}
+
+tasks.register('copyLegalDocs', Copy.class) {
+    from file("${projectDir}/LICENSE")
+    from layout.buildDirectory.file("reports/licensee/artifacts.json").get().asFile
+    from layout.buildDirectory.file("reports/bom.json").get().asFile
     into layout.buildDirectory.dir("resources/main/META-INF").get().asFile
+    rename('artifacts.json', 'dependency-licenses.json')
+    rename('bom.json', 'SBOM.json')
 }
-tasks.javadoc.dependsOn(tasks.copyLicense)
-tasks.javadoc.dependsOn(tasks.copyDependencies)
-tasks.compileTestJava.dependsOn(tasks.copyLicense)
-tasks.compileTestJava.dependsOn(tasks.copyDependencies)
-tasks.checkstyleMain.dependsOn(tasks.copyLicense)
-tasks.checkstyleMain.dependsOn(tasks.copyDependencies)
-tasks.processResources.finalizedBy(tasks.copyLicense)
-tasks.processResources.finalizedBy(tasks.copyDependencies)
+tasks.copyLegalDocs.dependsOn(tasks.licensee)
+tasks.copyLegalDocs.dependsOn(tasks.cyclonedxBom)
+tasks.javadoc.dependsOn(tasks.copyLegalDocs)
+tasks.compileTestJava.dependsOn(tasks.copyLegalDocs)
+tasks.checkstyleMain.dependsOn(tasks.copyLegalDocs)
+tasks.processResources.finalizedBy(tasks.copyLegalDocs)
 
 jacocoTestReport {
     reports {
@@ -117,7 +134,6 @@ jacocoTestReport {
     }
 }
 
-
 test {
     useJUnitPlatform()
 }
@@ -182,6 +198,15 @@ tasks.withType(Checkstyle).configureEach {
 }
 checkstyle.toolVersion = libs.versions.checkstyle.get()
 
+nexusPublishing {
+    repositories {
+        sonatype {
+            username = project.ext.ossrhUser
+            password = project.ext.ossrhPass
+        }
+    }
+}
+
 publishing {
     repositories {
         maven {
@@ -192,14 +217,6 @@ publishing {
                 password = project.ext.gitToken
             }
         }
-        maven {
-            name = "ossrh"
-            url = uri("https://oss.sonatype.org/service/local/staging/deploy/maven2")
-            credentials {
-                username = project.ext.ossrhUser
-                password = project.ext.ossrhPass
-            }
-        }
     }
     publications {
         //noinspection GroovyAssignabilityCheck
@@ -240,7 +257,6 @@ publishing {
 }
 
 
-
 //Disable metadata publishing and rely on Maven only
 tasks.withType(GenerateModuleMetadata).configureEach {
     enabled = false

gradle/libs.versions.toml

@@ -15,6 +15,9 @@ owaspPlugin = "9.1.0"
 
 checkstyle = "10.12.2"
 jacoco = "0.8.10"
+cycloneDxBomPlugin = "1.8.2"
+licenseePlugin = "1.11.0"
+nexusPublishPlugin = "2.0.0"
 
 [libraries]
 spring-test = { module = "org.springframework:spring-test", version.ref = "spring" }
@@ -32,3 +35,6 @@ lombok = { id = "io.freefair.lombok", version.ref = "lombokPlugin" }
 versioner = { id = "io.toolebox.git-versioner", version.ref = "gitVersionerPlugin" }
 index-scan = { id = "org.sonatype.gradle.plugins.scan", version.ref = "indexScanPlugin" }
 owasp-dependencycheck = { id = "org.owasp.dependencycheck", version.ref = "owaspPlugin" }
+cyclonedx-bom = { id = "org.cyclonedx.bom", version.ref = "cycloneDxBomPlugin" }
+licensee-plugin = { id = "app.cash.licensee", version.ref = "licenseePlugin" }
+nexus-publish-plugin = { id = "io.github.gradle-nexus.publish-plugin", version.ref = "nexusPublishPlugin" }