[ci] Move owasp check into the main workflow

.github/changes-filter.yaml

@@ -12,3 +12,8 @@ tests:
   - added|modified: '**/src/test/java/**/*.java'
 cpp:
   - 'pulsar-client-cpp/**'
+need_owasp:
+  - 'pom.xml'
+  - '**/pom.xml'
+  - 'src/owasp-dependency-check-false-positives.xml'
+  - 'src/owasp-dependency-check-suppressions.xml'

.github/workflows/pulsar-ci.yaml

@@ -855,6 +855,74 @@ jobs:
       - name: build package
         run: mvn -B clean package -DskipTests -T 1C -ntp
 
+  owasp-dep-check:
+    name: OWASP dependency check
+    runs-on: ubuntu-20.04
+    timeout-minutes: 120
+    needs: [ 'changed_files_job', 'integration-tests' ]
+    if: ${{ needs.changed_files_job.outputs.need_owasp == 'true' }}
+    steps:
+      - name: checkout
+        uses: actions/checkout@v2
+
+      - name: Tune Runner VM
+        uses: ./.github/actions/tune-runner-vm
+
+      - name: Setup ssh access to build runner VM
+        # ssh access is enabled for builds in own forks
+        if: ${{ github.repository != 'apache/pulsar' }}
+        uses: ./.github/actions/ssh-access
+        with:
+          limit-access-to-actor: true
+
+      - name: Cache Maven dependencies
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/.m2/repository/*/*/*
+            !~/.m2/repository/org/apache/pulsar
+          key: ${{ runner.os }}-m2-dependencies-core-modules-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-m2-dependencies-core-modules-
+      - name: Set up JDK ${{ matrix.jdk || '17' }}
+        uses: actions/setup-java@v2
+        with:
+          distribution: 'temurin'
+          java-version: ${{ matrix.jdk || '17' }}
+
+      - name: clean disk
+        run: |
+          sudo swapoff -a
+          sudo rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc
+          sudo apt clean
+          docker rmi $(docker images -q) -f
+          df -h
+      - name: Install gh-actions-artifact-client.js
+        uses: apache/pulsar-test-infra/gh-actions-artifact-client/dist@master
+
+      - name: Restore maven build results from Github artifact cache
+        run: |
+          cd $HOME
+          $GITHUB_WORKSPACE/build/pulsar_ci_tool.sh restore_tar_from_github_actions_artifacts pulsar-maven-repository-binaries
+      # Projects dependent on flume, hdfs, hbase, and presto currently excluded from the scan.
+      - name: run "clean verify" to trigger dependency check
+        run: mvn -q -B -ntp verify -PskipDocker,owasp-dependency-check -DskipTests -pl '!pulsar-sql,!distribution/io,!distribution/offloaders,!tiered-storage/file-system,!pulsar-io/flume,!pulsar-io/hbase,!pulsar-io/hdfs2,!pulsar-io/hdfs3,!pulsar-io/docs,!pulsar-io/jdbc/openmldb'
+
+      - name: Upload report
+        uses: actions/upload-artifact@v3
+        if: ${{ cancelled() || failure() }}
+        continue-on-error: true
+        with:
+          name: dependency report
+          path: target/dependency-check-report.html
+
+      - name: Wait for ssh connection when build fails
+        # ssh access is enabled for builds in own forks
+        uses: ./.github/actions/ssh-access
+        if: ${{ failure() && github.repository != 'apache/pulsar' }}
+        continue-on-error: true
+        with:
+          action: wait
 
   # This job is required for pulls to be merged.
   # It depends on all other jobs in this workflow.