Add dependency check job and archive dependency scan and AOT build re…

…ports

.github/actions/maven-build/action.yml → .github/actions/maven/action.yml

@@ -7,6 +7,10 @@ inputs:
   MAVEN_JOB_ARGS:
     description: "Maven arguments to add"
     required: true
+  JVMOPT_NATIVE_ACCESS:
+    description: "Allow native access at JVM level"
+    required: false
+    default: ""
 
 runs:
   using: composite
@@ -16,6 +20,11 @@ runs:
       run: |
         set -euo pipefail
 
+        if [ -n "${{ inputs.JVMOPT_NATIVE_ACCESS }}" ]; then
+          echo "Allow native access to modules/classes: ${{ inputs.JVMOPT_NATIVE_ACCESS }}"
+          export MAVEN_OPTS="$MAVEN_OPTS --enable-native-access=${{ inputs.JVMOPT_NATIVE_ACCESS }}"
+        fi
+
         mvn -B -e -fae --show-version \
             -Dmaven.repo.local="${{ github.workspace }}/.ci/transient/m2-repo" \
             -DsurefireTmpDir="${{ github.workspace }}/.ci/transient/surefireTmpDir" \

.github/workflows/ci.yml

@@ -35,6 +35,39 @@ jobs:
           DOCKER_IMAGE="$(echo "$GITHUB_REPOSITORY" | tr '[:upper:]' '[:lower:]')"
           echo "docker_image=$DOCKER_IMAGE"   | tee -a "$GITHUB_OUTPUT"
 
+  dependency_report:
+    name: "OWASP DepCheck"
+    runs-on: "ubuntu-latest"
+    needs: [ "set_variables" ]
+    steps:
+      - name: "Checkout repository"
+        uses: "actions/checkout@v4"
+        with:
+          persist-credentials: false
+      - name: "Install JDK"
+        uses: "actions/setup-java@v4"
+        with:
+          distribution: "corretto"
+          java-version: "${{ needs.set_variables.outputs.java_version }}"
+      - name: "Cache Maven repository"
+        uses: "actions/cache@v4"
+        with:
+          path: "${{ github.workspace }}/.ci/transient/m2-repo"
+          key: "${{ runner.os }}-${{ runner.arch }}-owasp-${{ hashFiles('pom.xml') }}"
+          restore-keys: |
+            ${{ runner.os }}-${{ runner.arch }}-owasp-
+      - name: "Maven Build"
+        uses: "./.github/actions/maven-build"
+        with:
+          BUILD_REVISION: "${{ needs.set_variables.outputs.build_version }}"
+          MAVEN_JOB_ARGS: "dependency-check:check -DnvdApiKey=${{ secrets.NVD_API_KEY }}"
+          JVMOPT_NATIVE_ACCESS: "ALL-UNNAMED"
+      - name: "Archive jarfile"
+        uses: "actions/upload-artifact@v4"
+        with:
+          name: "dependency-check-report.html"
+          path: "target/dependency-check-report.html"
+
   build_hotspot:
     name: "Build (HotSpot)"
     runs-on: "ubuntu-latest"
@@ -53,10 +86,9 @@ jobs:
         uses: "actions/cache@v4"
         with:
           path: "${{ github.workspace }}/.ci/transient/m2-repo"
-          key: "${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('pom.xml') }}"
+          key: "${{ runner.os }}-${{ runner.arch }}-hostpot-${{ hashFiles('pom.xml') }}"
           restore-keys: |
-            ${{ runner.os }}-${{ runner.arch }}-
-            ${{ runner.os }}-
+            ${{ runner.os }}-${{ runner.arch }}-hotspot-
       - name: "Maven Build"
         uses: "./.github/actions/maven-build"
         with:
@@ -97,10 +129,9 @@ jobs:
         uses: "actions/cache@v4"
         with:
           path: "${{ github.workspace }}/.ci/transient/m2-repo"
-          key: "${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('pom.xml') }}"
+          key: "${{ runner.os }}-${{ runner.arch }}-graal-${{ hashFiles('pom.xml') }}"
           restore-keys: |
-            ${{ runner.os }}-${{ runner.arch }}-
-            ${{ runner.os }}-
+            ${{ runner.os }}-${{ runner.arch }}-graal-
       - name: "Maven Build"
         uses: "./.github/actions/maven-build"
         with:
@@ -109,16 +140,21 @@ jobs:
       - name: "Archive binary"
         uses: "actions/upload-artifact@v4"
         with:
-          name: "mcw-bin"
+          name: "mcw-aot"
           path: "target/mcw"
+      - name: "Archive build report"
+        uses: "actions/upload-artifact@v4"
+        with:
+          name: "mcw-aot-build-report.html"
+          path: "target/mcw-build-report.html"
 
   publish_graal:
     name: "Publish (GraalVM)"
     needs: [ "set_variables", "build_graal" ]
     uses: "./.github/workflows/publish.yml"
     with:
       JAVA_VERSION: "${{ needs.set_variables.outputs.java_version }}"
-      ARTIFACT_NAME: "mcw-bin"
+      ARTIFACT_NAME: "mcw-aot"
       DOCKER_REGISTRY: "ghcr.io"
       DOCKER_IMAGE: "${{ needs.set_variables.outputs.docker_image }}"
       DOCKER_TARGET: "graal"

pom.xml

@@ -20,7 +20,9 @@
     <properties>
         <java.version>23</java.version>
         <revision>local-SNAPSHOT</revision>
+
         <build.timestamp>${maven.build.timestamp}</build.timestamp>
+        <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
         <surefireTmpDir>${java.io.tmpdir}</surefireTmpDir>
 
         <maven-compiler-plugin.version>3.13.0</maven-compiler-plugin.version>
@@ -134,7 +136,7 @@
                     <formats>
                         <format>HTML</format>
                     </formats>
-                    <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
+                    <nvdApiKey>${nvdApiKey}</nvdApiKey>
                     <nvdValidForHours>168</nvdValidForHours>
                     <prettyPrint>true</prettyPrint>
                 </configuration>