From adffa2eb91b92d67f5eb755e720ab2c898ce6585 Mon Sep 17 00:00:00 2001 From: Yonathan Mengesha Date: Fri, 7 Jul 2023 06:19:36 +0200 Subject: [PATCH] Add snyk workflows --- .github/workflows/snyk-pr.yml | 23 +++++++++++++++++++++++ .github/workflows/snyk-push.yml | 25 +++++++++++++++++++++++++ .github/workflows/snyk-release.yml | 25 +++++++++++++++++++++++++ 3 files changed, 73 insertions(+) create mode 100644 .github/workflows/snyk-pr.yml create mode 100644 .github/workflows/snyk-push.yml create mode 100644 .github/workflows/snyk-release.yml diff --git a/.github/workflows/snyk-pr.yml b/.github/workflows/snyk-pr.yml new file mode 100644 index 000000000..ec87af16c --- /dev/null +++ b/.github/workflows/snyk-pr.yml @@ -0,0 +1,23 @@ +name: Run Snyk scan on PRs + +on: + pull_request: + branches: + - master** + +jobs: + scan-for-new-issues: + runs-on: ubuntu-latest + + steps: + - uses: hivemq/hivemq-checkout-composite-action@v1 + with: + path: mqtt-cli + + - name: Check for new issues + uses: hivemq/hivemq-snyk-composite-action@v1 + with: + snyk-args: --configuration-matching=^runtimeClasspath$ -d mqtt-cli + snyk-token: ${{ secrets.SNYK_TOKEN }} + github-username: ${{ secrets.PUBLISH_GITHUB_USERNAME }} + github-token: ${{ secrets.PUBLISH_GITHUB_TOKEN }} diff --git a/.github/workflows/snyk-push.yml b/.github/workflows/snyk-push.yml new file mode 100644 index 000000000..8e16e1ae7 --- /dev/null +++ b/.github/workflows/snyk-push.yml 
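Review bot: Both `uses:` lines in snyk-pr.yml resolve actions from other repositories by the mutable tag `@v1`, and the second step is handed `SNYK_TOKEN`, `PUBLISH_GITHUB_USERNAME` and `PUBLISH_GITHUB_TOKEN`, so whoever can move that tag can run code with those secrets; pin each to a full commit SHA with the version in a trailing comment, e.g. `uses: hivemq/hivemq-snyk-composite-action@<full-commit-sha>  # v1`. The same applies to snyk-push.yml and snyk-release.yml, where `snyk/actions/gradle-jdk11@master` floats on a branch rather than a tag and receives the same secrets via `env:`. None of the three workflows declares a `permissions:` block, so the job's GITHUB_TOKEN gets the repository default; the jobs only check out and scan, so `permissions:` / `  contents: read` at workflow level is enough. On a `pull_request` trigger the `secrets.*` values are empty for pull requests from forks, so this step will presumably fail or run unauthenticated for those; that is the expected trade-off and should not be worked around by switching to `pull_request_target`, which would build untrusted code with the secrets available.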
@@ -0,0 +1,25 @@ +name: Run Snyk monitor on push + +on: + push: + branches: + - master** + +jobs: + run-snyk-monitor: + runs-on: ubuntu-latest + + steps: + - uses: hivemq/hivemq-checkout-composite-action@v1 + with: + path: mqtt-cli + + - name: Run Snyk monitor + uses: snyk/actions/gradle-jdk11@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + ORG_GRADLE_PROJECT_hivemqCommonsUsername: ${{ secrets.PUBLISH_GITHUB_USERNAME }} + ORG_GRADLE_PROJECT_hivemqCommonsPassword: ${{ secrets.PUBLISH_GITHUB_TOKEN }} + with: + command: monitor + args: --all-sub-projects --configuration-matching=^runtimeClasspath$ --target-reference=${{ github.ref_name }} -d mqtt-cli diff --git a/.github/workflows/snyk-release.yml b/.github/workflows/snyk-release.yml new file mode 100644 index 000000000..248f9a1f2 --- /dev/null +++ b/.github/workflows/snyk-release.yml @@ -0,0 +1,25 @@ +name: Run Snyk monitor on releases + +on: + release: + types: [ published ] + +jobs: + run-snyk-monitor: + runs-on: ubuntu-latest + environment: snyk-monitor-releases + + steps: + - uses: hivemq/hivemq-checkout-composite-action@v1 + with: + path: mqtt-cli + + - name: Run Snyk monitor + uses: snyk/actions/gradle-jdk11@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + ORG_GRADLE_PROJECT_hivemqCommonsUsername: ${{ secrets.PUBLISH_GITHUB_USERNAME }} + ORG_GRADLE_PROJECT_hivemqCommonsPassword: ${{ secrets.PUBLISH_GITHUB_TOKEN }} + with: + command: monitor + args: --all-sub-projects --configuration-matching=^runtimeClasspath$ --target-reference=${{ github.ref_name }} -d mqtt-cli
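Review bot: The `args:` line in snyk-push.yml passes `-d`, which in the Snyk CLI enables debug logging, so every monitor run writes verbose diagnostic output into the Actions log; unless this is deliberate troubleshooting, drop the flag and keep only the path, `args: --all-sub-projects --configuration-matching=^runtimeClasspath$ --target-reference=${{ github.ref_name }} mqtt-cli`. The same `-d` appears in the `args:` of snyk-release.yml and in the `snyk-args:` input of snyk-pr.yml. The `--configuration-matching=^runtimeClasspath$` choice is not self-explanatory either; a one-line comment above `args:` such as `# only the Gradle configuration named runtimeClasspath is monitored; every other configuration is skipped` would save the next maintainer a lookup.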