diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..1ba25cd
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,49 @@
+name: CodeQL
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ schedule:
+ - cron: "27 6 * * 1"
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ packages: read
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [java-kotlin]
+
+ steps:
+ - uses: actions/checkout@v6
+
+ - name: Set up JDK 17
+ uses: actions/setup-java@v5
+ with:
+ java-version: "17"
+ distribution: temurin
+ cache: maven
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: manual
+ queries: security-extended,security-and-quality
+
+ - name: Build
+ run: mvn -B -ntp -DskipTests compile
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{ matrix.language }}"
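Review bot: All four actions in this job (checkout, setup-java, codeql-action/init, codeql-action/analyze) are referenced by mutable major tags such as `@v6` and `@v3`, so a force-moved or compromised tag would run arbitrary code in a job that holds `security-events: write`. Pin each `uses:` to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<40-hex-sha> # v6`, and let Dependabot or Renovate bump the SHA. Separately, as far as I recall GitHub's query-suite docs, `security-and-quality` already contains everything in `security-extended`, so `queries: security-and-quality` alone should give the same coverage; listing both is harmless but misleading to the next reader.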
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d8c71b5..71f0354 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,6 +14,8 @@ jobs:
release:
permissions:
contents: write
+ id-token: write
+ attestations: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
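Review bot: `id-token: write` is granted to the whole `release` job, so every later step — including the `mvn release:perform` invocation, which executes whatever Maven plugins and transitive dependencies resolve at build time — can mint an OIDC token carrying this workflow's identity, not only the two attest actions that need it. If the job can be split, build and deploy in one job, upload the jars as artifacts, and run the attestation steps in a second job that is the only one holding `id-token: write` and `attestations: write`. If it stays a single job, at least name the consumer above the two new lines: `# id-token/attestations: needed by actions/attest-build-provenance and actions/attest-sbom (Sigstore OIDC signing)`. The `release` job's steps continue outside this hunk.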
@@ -41,6 +43,7 @@ jobs:
cat release.properties
RELEASE_TAG=$(grep '^scm.tag=' release.properties | cut -d'=' -f2)
echo "RELEASE_TAG=${RELEASE_TAG}" >> "$GITHUB_ENV"
+ echo "RELEASE_VERSION=${RELEASE_TAG#v}" >> "$GITHUB_ENV"
mvn -B -ntp -Dstyle.color=always release:perform -P sign -DconnectionUrl=scm:git:https://github.com/${{ github.repository }}.git
echo "Released ${RELEASE_TAG} 🚀" >> "$GITHUB_STEP_SUMMARY"
env:
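Review bot: `RELEASE_VERSION` is derived with `${RELEASE_TAG#v}` but nothing checks that `RELEASE_TAG` was actually found, and a failing `grep` inside `$(...)` does not trip the shell's `-e`; an empty value would be written to `$GITHUB_ENV` and later turn into subject paths like `mjml-java-core-.jar` for the attestation steps, failing far from the cause. Add a guard right after the derivation: `[ -n "${RELEASE_VERSION}" ] || { echo "scm.tag missing from release.properties" >&2; exit 1; }`. The run script this hunk edits starts before the hunk.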
@@ -48,6 +51,40 @@ jobs:
OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
+ - name: Generate build provenance attestation
+ uses: actions/attest-build-provenance@v3
+ with:
+ subject-path: |
+ target/checkout/mjml-java-core/target/mjml-java-core-${{ env.RELEASE_VERSION }}.jar
+ target/checkout/mjml-java-resolvers/target/mjml-java-resolvers-${{ env.RELEASE_VERSION }}.jar
+ target/checkout/mjml-java-spring/target/mjml-java-spring-${{ env.RELEASE_VERSION }}.jar
+
+ - name: Generate SBOM attestation (core)
+ uses: actions/attest-sbom@v3
+ with:
+ subject-path: target/checkout/mjml-java-core/target/mjml-java-core-${{ env.RELEASE_VERSION }}.jar
+ sbom-path: target/checkout/mjml-java-core/target/bom.json
+
+ - name: Generate SBOM attestation (resolvers)
+ uses: actions/attest-sbom@v3
+ with:
+ subject-path: target/checkout/mjml-java-resolvers/target/mjml-java-resolvers-${{ env.RELEASE_VERSION }}.jar
+ sbom-path: target/checkout/mjml-java-resolvers/target/bom.json
+
+ - name: Generate SBOM attestation (spring)
+ uses: actions/attest-sbom@v3
+ with:
+ subject-path: target/checkout/mjml-java-spring/target/mjml-java-spring-${{ env.RELEASE_VERSION }}.jar
+ sbom-path: target/checkout/mjml-java-spring/target/bom.json
+
+ - name: Stage SBOMs for release upload
+ run: |
+ mkdir -p sboms
+ for module in mjml-java-core mjml-java-resolvers mjml-java-spring; do
+ cp "target/checkout/${module}/target/bom.json" "sboms/${module}-${RELEASE_VERSION}-bom.json"
+ cp "target/checkout/${module}/target/bom.xml" "sboms/${module}-${RELEASE_VERSION}-bom.xml"
+ done
+
- name: Update docs with released version
run: |
# Strip leading 'v' if present (e.g., v1.0.1 -> 1.0.1)
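Review bot: The provenance attestation covers only the three main jars, while a Maven Central release normally also publishes `-sources.jar`, `-javadoc.jar` and the `.pom` for each module; whether this build produces them is not visible in the diff, but if it does, a consumer can verify the binary yet not the sources or metadata pulled alongside it. If those artifacts exist under `target/checkout/<module>/target/`, widen `subject-path` to a glob such as `target/checkout/*/target/*-${{ env.RELEASE_VERSION }}*.jar` plus the `.pom` files, or state in a comment that only the binary jars are intentionally attested. It is also worth a comment that every attestation step runs after `release:perform` has already deployed, so an attestation failure leaves a published release with no provenance and the fix is a manual re-attestation, not a re-run of the job.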
@@ -101,7 +138,8 @@ jobs:
gh release create "${RELEASE_TAG}" \
--title "${RELEASE_TAG}" \
--notes "${NOTES}" \
- --latest
+ --latest \
+ sboms/*
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
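Review bot: The `sboms/*` files attached to the GitHub release are plain copies of `bom.json`/`bom.xml` with no signature or checksum, so a downloader cannot verify they match the SBOM that `actions/attest-sbom` bound to each jar in the attestation store. Either upload the Sigstore bundle each attest step produces next to the SBOM (the attest actions expose a `bundle-path` output, if I recall correctly), or document in the release notes that verification goes through the jar: `gh attestation verify <jar> --owner <org> --predicate-type https://cyclonedx.org/bom`. A `sha256sum sboms/* > sboms/SHA256SUMS` line in the staging step would be a cheap minimum.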
diff --git a/mjml-java-core/pom.xml b/mjml-java-core/pom.xml
index 1f34321..546fbe7 100644
--- a/mjml-java-core/pom.xml
+++ b/mjml-java-core/pom.xml
@@ -81,6 +81,10 @@
+
+ org.cyclonedx
+ cyclonedx-maven-plugin
+
diff --git a/mjml-java-resolvers/pom.xml b/mjml-java-resolvers/pom.xml
index 9d6af9f..37ef95b 100644
--- a/mjml-java-resolvers/pom.xml
+++ b/mjml-java-resolvers/pom.xml
@@ -86,6 +86,10 @@
+
+ org.cyclonedx
+ cyclonedx-maven-plugin
+
diff --git a/mjml-java-spring/pom.xml b/mjml-java-spring/pom.xml
index 74cd799..cbeb238 100644
--- a/mjml-java-spring/pom.xml
+++ b/mjml-java-spring/pom.xml
@@ -140,6 +140,10 @@
+
+ org.cyclonedx
+ cyclonedx-maven-plugin
+
diff --git a/pom.xml b/pom.xml
index eb58d30..631ee85 100644
--- a/pom.xml
+++ b/pom.xml
@@ -48,6 +48,8 @@
17
6.0.3
0.10.0
+ 2.9.1
+ 1.13.0
3.2.8
3.12.0
3.3.1
@@ -101,8 +103,41 @@
Max
High
true
+
+
+ com.h3xstream.findsecbugs
+ findsecbugs-plugin
+ ${version.plugin.findsecbugs}
+
+
+
+ org.cyclonedx
+ cyclonedx-maven-plugin
+ ${version.plugin.cyclonedx}
+
+ library
+ 1.6
+ false
+ true
+ true
+ true
+ true
+ false
+ bom
+ all
+
+
+
+ make-bom
+ package
+
+ makeBom
+
+
+
+
org.apache.maven.plugins
maven-release-plugin