Run a Sonatype Lifecycle policy evaluation as part of your GitHub Actions workflow.
Run a Sonatype Lifecycle policy evaluation as part of your GitHub Actions workflow.
name | description | required | default |
---|---|---|---|
serverUrl |
Sonatype Lifecycle Server URL |
true |
"" |
username |
Username to connect to Sonatype Lifecycle Server for policy evaluation. Can be the first part of a User Token. |
true |
"" |
password |
Password to connect to Sonatype Lifecycle Server for policy evaluation. Can be the second part of a User Token. |
true |
"" |
applicationId |
Determines the policy elements (policies, labels, and license threat groups) to associate with this build, and is managed via the Sonatype Lifecycle Server. |
true |
"" |
stage |
Controls the stage the policy evaluation will be run against on the Sonatype Lifecycle Server. |
true |
Build |
target |
The scan target path - can be an archive or directory. Value will be prefixed by |
true |
/ |
debug |
Whether to enable Debug Logging. Set to |
false |
false |
proxy |
Proxy host in the format <host[:port]> if you need to transit a Proxy to connect to your Sonatype Lifecycle Server. Added in v2.0.0. |
false |
"" |
proxyUser |
Proxy username and password in the format username:password if you need to transit a Proxy to connect to your Sonatype Lifecycle Server and it requires authentication. Added in v2.0.0. |
false |
"" |
writePolicyEvaluationJson |
Whether to keep a copy of the Policy Evaluation JSON file or not. If set to |
false |
false |
This action is a docker
action.
Best practice is to define the following secrets in your Repository, or perhaps best, in your GitHub Organization.
Secret Name | Purpose | Notes |
---|---|---|
SONATYPE_LIFECYCLE_URL | Full URL to your Sonatype Lifecycle server. | If you are connecting to a SaaS environment, ensure you include the /platform part of the URL. |
SONATYPE_LIFECYCLE_USERNAME | Username | Ideally a service account |
SONATYPE_LIFECYCLE_PASSWORD | Password | Ideally a service account |
Most folk expect the Sonatype Lifecycle Application ID to be a derivative of the GitHub Repository and/or Organization Name.
This can easily be achieved in your GitHub Action Workflow by using predefined GitHub Variables and setting the result in an Environment Variable.
The below snipped sets SONATYPE_LIFECYCLE_APPLICATION_ID
to the repository name only:
env:
SONATYPE_LIFECYCLE_APPLICATION_ID: $(echo "${{ github.repository }}" | cut -d '/' -f2)
The below examples assume you've defined SONATYPE_LIFECYCLE_APPLICATION_ID
.
name: Example Workflow with Sonatype Lifecycle Analysis
on: [push]
jobs:
build:
name: My Build Job
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v4
# Do some setup like install JDK and Maven
- name: Build with Maven
run: mvn package --file pom.xml
- name: Sonatype Lifecycle Policy Evaluation
uses: sonatype-nexus-community/iq-github-action@v2
with:
serverUrl: ${{ secrets.SONATYPE_LIFECYCLE_URL }}
username: ${{ secrets.SONATYPE_LIFECYCLE_USERNAME }}
password: ${{ secrets.SONATYPE_LIFECYCLE_PASSWORD }}
applicationId: ${{ env.SONATYPE_LIFECYCLE_APPLICATION_ID }}
stage: Build
target: ./target/
v1
remains available on the v1
branch and can be used by referencing sonatype-nexus-community/iq-github-action@v1
.
It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!)
Remember:
- Use this contribution at the risk tolerance that you have
- Do NOT file Sonatype support tickets related to
iq-github-action
support in regard to this project - DO file issues here on GitHub, so that the community can pitch in
Phew, that was easier than I thought. Last but not least of all:
Have fun creating and using iq-github-action
, we are glad to have you here!