Run a Sonatype Lifecycle policy evaluation as part of your GitHub Actions workflow.
Run a Sonatype Lifecycle policy evaluation as part of your GitHub Actions workflow.
| name | description | required | default |
|---|---|---|---|
serverUrl |
Sonatype Lifecycle Server URL |
true |
"" |
username |
Username to connect to Sonatype Lifecycle Server for policy evaluation. Can be the first part of a User Token. |
true |
"" |
password |
Password to connect to Sonatype Lifecycle Server for policy evaluation. Can be the second part of a User Token. |
true |
"" |
applicationId |
Determines the policy elements (policies, labels, and license threat groups) to associate with this build, and is managed via the Sonatype Lifecycle Server. |
true |
"" |
stage |
Controls the stage the policy evaluation will be run against on the Sonatype Lifecycle Server. |
true |
Build |
target |
The scan target path - can be an archive or directory. Value will be prefixed by |
true |
/ |
debug |
Whether to enable Debug Logging. Set to |
false |
false |
proxy |
Proxy host in the format <host[:port]> if you need to transit a Proxy to connect to your Sonatype Lifecycle Server. Added in v2.0.0. |
false |
"" |
proxyUser |
Proxy username and password in the format |
false |
"" |
writePolicyEvaluationJson |
Whether to keep a copy of the Policy Evaluation JSON file or not. If set to |
false |
false |
This action is a docker action.
Best practice is to define the following secrets in your Repository, or perhaps best, in your GitHub Organization.
| Secret Name | Purpose | Notes |
|---|---|---|
| SONATYPE_LIFECYCLE_URL | Full URL to your Sonatype Lifecycle server. | If you are connecting to a SaaS environment, ensure you include the /platform part of the URL. |
| SONATYPE_LIFECYCLE_USERNAME | Username | Ideally a service account |
| SONATYPE_LIFECYCLE_PASSWORD | Password | Ideally a service account |
Most folk expect the Sonatype Lifecycle Application ID to be a derivative of the GitHub Repository and/or Organization Name.
This can easily be achieved in your GitHub Action Workflow by using predefined GitHub Variables and setting the result in an Environment Variable.
The below snipped sets SONATYPE_LIFECYCLE_APPLICATION_ID to the repository name only:
env:
SONATYPE_LIFECYCLE_APPLICATION_ID: $(echo "${{ github.repository }}" | cut -d '/' -f2)The below examples assume you've defined SONATYPE_LIFECYCLE_APPLICATION_ID.
name: Example Workflow with Sonatype Lifecycle Analysis
on: [push]
jobs:
build:
name: My Build Job
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v4
# Do some setup like install JDK and Maven
- name: Build with Maven
run: mvn package --file pom.xml
- name: Sonatype Lifecycle Policy Evaluation
uses: sonatype-nexus-community/iq-github-action@v2
with:
serverUrl: ${{ secrets.SONATYPE_LIFECYCLE_URL }}
username: ${{ secrets.SONATYPE_LIFECYCLE_USERNAME }}
password: ${{ secrets.SONATYPE_LIFECYCLE_PASSWORD }}
applicationId: ${{ env.SONATYPE_LIFECYCLE_APPLICATION_ID }}
stage: Build
target: ./target/v1 remains available on the v1 branch and can be used by referencing sonatype-nexus-community/iq-github-action@v1.
It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!)
Remember:
iq-github-action support in regard to this projectPhew, that was easier than I thought. Last but not least of all:
Have fun creating and using iq-github-action, we are glad to have you here!