From cc62b999aa27fe8b9e3e326eadc09e0d623ae730 Mon Sep 17 00:00:00 2001 From: Angel Eduardo Hincho Jove <82984150+ahincho@users.noreply.github.com> Date: Sun, 12 Jul 2026 13:08:37 -0500 Subject: [PATCH 1/2] ci: activate build matrix, OWASP and SBOM workflows (NOVA-SEMVER-19/20/21) - ci.yml: add matrix (Java 21+25), owasp (continue-on-error until NVD_API_KEY is configured), and sbom jobs. - build.gradle.kts: apply org.owasp.dependencycheck (12.2.2) and org.cyclonedx.bom (3.2.4) plugins + dependencyCheck {} config block reading NOVA_OWASP_FAIL_ON_CVSS / NVD_API_KEY env vars. --- .github/workflows/ci.yml | 22 ++++++++++++++++++++++ build.gradle.kts | 10 ++++++++++ 2 files changed, 32 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a6aa51f..397335b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -24,4 +24,26 @@ jobs: with: sonar-org: ahincho sonar-project-key: ahincho_nova-api-standard + secrets: inherit + + matrix: + if: github.event_name == 'pull_request' + uses: ahincho/nova-devops/.github/workflows/reusable-build-matrix.yml@main + with: + build-tool: gradle + secrets: inherit + + owasp: + if: github.event_name == 'pull_request' + uses: ahincho/nova-devops/.github/workflows/reusable-owasp-check.yml@main + continue-on-error: true # TODO: remove once NVD_API_KEY org secret is configured (NOVA-SEMVER-20) + with: + build-tool: gradle + secrets: inherit + + sbom: + if: github.event_name == 'pull_request' + uses: ahincho/nova-devops/.github/workflows/reusable-sbom.yml@main + with: + build-tool: gradle secrets: inherit \ No newline at end of file diff --git a/build.gradle.kts b/build.gradle.kts index a4317d1..8b7ca80 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -6,6 +6,8 @@ plugins { checkstyle id("net.nemerosa.versioning") version "4.0.1" id("signing") + id("org.owasp.dependencycheck") version "12.2.2" + id("org.cyclonedx.bom") version "3.2.4" } versioning { @@ -65,6 +67,14 @@ checkstyle { sourceSets = listOf(project.sourceSets.main.get()) } +dependencyCheck { + // NVD_API_KEY / NOVA_OWASP_FAIL_ON_CVSS are injected by reusable-owasp-check.yml. + // Locally (no env vars set) this defaults to "never fail" (11.0, matches plugin default) + // and an empty NVD key (slower updates, acceptable for local dev). + failBuildOnCVSS = (System.getenv("NOVA_OWASP_FAIL_ON_CVSS") ?: "11").toFloat() + nvd.apiKey = System.getenv("NVD_API_KEY") ?: "" +} + pitest { junit5PluginVersion.set("1.2.1") targetClasses.set(setOf("pe.edu.nova.java.libs.api.standard.*")) From e2107cb17ece449e10c12788e41eb1875b528f50 Mon Sep 17 00:00:00 2001 From: Angel Eduardo Hincho Jove <82984150+ahincho@users.noreply.github.com> Date: Sun, 12 Jul 2026 13:16:47 -0500 Subject: [PATCH 2/2] fix(ci): remove invalid continue-on-error from reusable workflow job 'continue-on-error' is not a supported keyword for a job that calls a reusable workflow via 'uses:' - it broke workflow file parsing entirely. Moved the actual fix to nova-devops (step-level, in the reusable workflow itself). --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 397335b..bf4771f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,7 +36,6 @@ jobs: owasp: if: github.event_name == 'pull_request' uses: ahincho/nova-devops/.github/workflows/reusable-owasp-check.yml@main - continue-on-error: true # TODO: remove once NVD_API_KEY org secret is configured (NOVA-SEMVER-20) with: build-tool: gradle secrets: inherit