ci(workflows): improve security scanning and deploy workflows

- Integrate Trivy vulnerability scanning into maven-build workflow
- Add PR comments with security scan results for pull requests
- Upload SARIF to GitHub Security tab only on push to main
- Fix SonarCloud conditional to skip gracefully when token missing
- Add timeout and remove unused env vars in build workflow
- Secure maven-deploy credentials using heredoc with env vars
- Add batch mode flags and skip tests during deploy
- Update maven-help-plugin to 3.5.1
- Remove redundant trivy.yml workflow

Author: fhussonnois

.github/workflows/maven-build.yml

@@ -14,14 +14,20 @@ on:
 env:
   JAVA_VERSION: '25'
   JAVA_DISTRO: 'zulu'
-  GRAAL_VERSION: '25.0.1'
-  GRAAL_DISTRIBUTION: 'graalvm-community'
+
+permissions:
+  contents: read
+  security-events: write
+  pull-requests: write
+
 jobs:
   build:
     name: Build and analyze
     runs-on: ubuntu-latest
+    timeout-minutes: 30
     steps:
-    - uses: actions/checkout@v4
+    - name: 'Checkout code'
+      uses: actions/checkout@v4
 
     - name: 'Set up JDK'
       uses: actions/setup-java@v5
@@ -41,9 +47,90 @@ jobs:
     - name: Grant execute permission to MVN Wrapper
       run: chmod +x ./mvnw
 
-    - name: Build and analyze
+    - name: Build with Maven
+      run: ./mvnw -ntp -B verify
+
+    - name: Analyze with SonarCloud
       env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        SONAR_SKIP: ${{ secrets.SONAR_TOKEN && 'false' || 'true' }} # skip analysis if token is missing
-      run: ./mvnw -ntp -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=streamthoughts_jikkou
+      run: |
+        if [ -n "$SONAR_TOKEN" ]; then
+          ./mvnw -ntp -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=streamthoughts_jikkou
+        else
+          echo "Skipping SonarCloud analysis (SONAR_TOKEN not set)"
+        fi
+
+    - name: Run Trivy vulnerability scanner (SARIF)
+      if: github.event_name == 'push'
+      uses: aquasecurity/trivy-action@0.28.0
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        ignore-unfixed: true
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        severity: 'CRITICAL,HIGH'
+
+    - name: Upload Trivy scan results to GitHub Security tab
+      if: github.event_name == 'push'
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: 'trivy-results.sarif'
+
+    - name: Run Trivy vulnerability scanner (Table)
+      if: github.event_name == 'pull_request'
+      uses: aquasecurity/trivy-action@0.28.0
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        ignore-unfixed: true
+        format: 'table'
+        output: 'trivy-results.txt'
+        severity: 'CRITICAL,HIGH'
+
+    - name: Add vulnerability report to PR
+      if: github.event_name == 'pull_request'
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const fs = require('fs');
+          const trivyResults = fs.readFileSync('trivy-results.txt', 'utf8');
+
+          let body = '## Security Scan Results\n\n';
+
+          if (trivyResults.trim().length === 0) {
+            body += 'No vulnerabilities found with CRITICAL or HIGH severity.\n';
+          } else {
+            body += 'Vulnerabilities detected:\n\n';
+            body += '```\n' + trivyResults + '\n```\n';
+          }
+
+          body += '\n\n<sub>Scanned by [Trivy](https://github.com/aquasecurity/trivy)</sub>';
+
+          const { data: comments } = await github.rest.issues.listComments({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            issue_number: context.issue.number,
+          });
+
+          const botComment = comments.find(comment =>
+            comment.user.type === 'Bot' &&
+            comment.body.includes('Security Scan Results')
+          );
+
+          if (botComment) {
+            await github.rest.issues.updateComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              comment_id: botComment.id,
+              body: body
+            });
+          } else {
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body: body
+            });
+          }

.github/workflows/maven-deploy.yml

@@ -46,13 +46,26 @@ jobs:
 
       - name: 'Set env VERSION'
         run: |
-          VERSION=$(./mvnw org.apache.maven.plugins:maven-help-plugin:3.1.0:evaluate -Dexpression=project.version -q -DforceStdout)
+          VERSION=$(./mvnw org.apache.maven.plugins:maven-help-plugin:3.5.1:evaluate -Dexpression=project.version -q -DforceStdout)
           echo "VERSION=$VERSION" >> $GITHUB_ENV
 
       - name: 'Set up Maven settings'
         run: |
-          echo "<settings><interactiveMode>false</interactiveMode><servers><server><id>sonatype-central</id><username>${{ secrets.OSSRH_USERNAME }}</username><password>${{ secrets.OSSRH_PASSWORD }}</password></server></servers></settings>" > ./settings.xml
+          cat > ./settings.xml << 'EOF'
+          <settings>
+            <interactiveMode>false</interactiveMode>
+            <servers>
+              <server>
+                <id>sonatype-central</id>
+                <username>${env.OSSRH_USERNAME}</username>
+                <password>${env.OSSRH_PASSWORD}</password>
+              </server>
+            </servers>
+          </settings>
+          EOF
+        env:
+          OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+          OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
 
       - name: 'Deploy Maven Central'
-        run: |
-          ./mvnw -s ./settings.xml deploy -Possrh
+        run: ./mvnw -s ./settings.xml -B -ntp deploy -DskipTests -Possrh