Align GitHub Actions setup on Hibernate Search

yrodiere · yrodiere · commit 697cbc32b653 · 2024-11-04T12:20:55.000+01:00
diff --git a/.github/workflows/ci-report.yml b/.github/workflows/ci-report.yml
@@ -0,0 +1,68 @@
+name: GH Actions CI reporting
+
+on:
+  workflow_run:
+    workflows: [ "GH Actions CI" ]
+    types: [ completed ]
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  MAVEN_ARGS: "-e -B --settings .github/mvn-settings.xml --fail-at-end"
+
+jobs:
+  publish-build-scans:
+    name: Publish Develocity build scans
+    if: github.repository == 'hibernate/hibernate-validator' && github.event.workflow_run.conclusion != 'cancelled'
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout target branch which has trusted code
+      - name: Check out target branch
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          ref: ${{ github.ref }}
+      - name: Set up Java 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: 21
+          distribution: temurin
+      # https://github.com/actions/cache/blob/main/examples.md#java---maven
+      - name: Cache local Maven repository
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2/repository
+          # use a different key than workflows running untrusted code
+          key: trusted-${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            trusted-${{ runner.os }}-maven-
+      - name: Set up Maven
+        run: ./mvnw -v
+      - name: Download GitHub Actions artifacts for the Develocity build scans
+        id: downloadBuildScan
+        uses: actions/download-artifact@v4
+        with:
+          pattern: build-scan-data-*
+          github-token: ${{ github.token }}
+          repository: ${{ github.repository }}
+          run-id: ${{ github.event.workflow_run.id }}
+          path: /tmp/downloaded-build-scan-data/
+        # Don't fail the build if there are no matching artifacts
+        continue-on-error: true
+      - name: Publish Develocity build scans for previous builds
+        if: ${{ steps.downloadBuildScan.outcome != 'failure'}}
+        run: |
+          shopt -s nullglob # Don't run the loop below if there are no artifacts
+          status=0
+          mkdir -p ~/.m2/.develocity/
+          for build_scan_data_directory in /tmp/downloaded-build-scan-data/*
+          do
+            rm -rf ~/.m2/.develocity/build-scan-data
+            mv "$build_scan_data_directory" ~/.m2/.develocity/build-scan-data \
+            && ./mvnw $MAVEN_ARGS develocity:build-scan-publish-previous || status=1
+          done
+          exit $status
+        env:
+          DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY_PR }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -9,7 +9,7 @@
 # See https://docs.github.com/en/actions
 # for more information about GitHub actions.
 
-name: GitHub Actions Build
+name: GH Actions CI
 
 on:
   push:
@@ -24,9 +24,7 @@ on:
       - '!dependabot/**'
     tags:
       - '**'
-  # WARNING: Using pull_request_target to access secrets, but we check out the merge commit.
-  # See checkout action for details.
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
     branches:
       # Pattern order matters: the last matching inclusion/exclusion wins
@@ -43,14 +41,14 @@ on:
 
 concurrency:
   group: "workflow = ${{ github.workflow }}, ref = ${{ github.event.ref }}, pr = ${{ github.event.pull_request.id }}"
-  cancel-in-progress: ${{ github.event_name == 'pull_request_target' || github.repository != 'hibernate/hibernate-validator' }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || github.repository != 'hibernate/hibernate-validator' }}
 
 defaults:
   run:
     shell: bash
 
 env:
-  MAVEN_ARGS: "-e -B --settings .github/mvn-settings.xml --fail-at-end"
+  MAVEN_ARGS: "-e -B --settings .github/mvn-settings.xml --fail-at-end -Pci-build --no-transfer-progress"
   TESTCONTAINERS_REUSE_ENABLE: true
 
 jobs:
@@ -68,7 +66,7 @@ jobs:
               version: 17
             },
             maven: {
-              args: '-Pci-build --no-transfer-progress'
+              args: ''
             }
           }
           - {
@@ -78,27 +76,16 @@ jobs:
               version: 17
             },
             maven: {
-              args: '-Pci-build --no-transfer-progress'
+              args: ''
             }
           }
     steps:
       - name: Support longpaths on Windows
         if: "startsWith(matrix.os.runs-on, 'windows')"
         run: git config --global core.longpaths true
-      - name: Check out commit already pushed to branch
-        if: "! github.event.pull_request.number"
-        uses: actions/checkout@v4
-      - name: Check out PR head
-        uses: actions/checkout@v4
-        if: github.event.pull_request.number
+      - uses: actions/checkout@v4
         with:
-          # WARNING: This is potentially dangerous since we're checking out unreviewed code,
-          # and since we're using the pull_request_target event we can use secrets.
-          # Thus, we must be extra careful to never expose secrets to steps that execute this code,
-          # and to strictly limit our set of secrets to those that only pose minor security threats.
-          # This means in particular we won't expose Develocity credentials to the main maven executions,
-          # but instead will execute maven a third time just to push build scans to Develocity; (once we have scans enabled)
-          ref: "refs/pull/${{ github.event.pull_request.number }}/head"
+          persist-credentials: false
       - name: Set up Java ${{ matrix.os.java.version }}
         uses: actions/setup-java@v4
         with:
@@ -109,38 +96,44 @@ jobs:
         uses: actions/cache@v4
         with:
           path: ~/.m2/repository
-          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          # use a different key than workflows running in trusted mode
+          key: ${{ github.event_name == 'push' && 'trusted' || 'untrusted' }}-${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
           restore-keys: |
-            ${{ runner.os }}-maven-
+            ${{ github.event_name == 'push' && 'trusted' || 'untrusted' }}-${{ runner.os }}-maven-
       - name: Set up Maven
         run: ./mvnw -v
 
       - name: Build code and run tests and basic checks
         run: |
           ./mvnw $MAVEN_ARGS ${{ matrix.os.maven.args }} clean install \
           -Pjqassistant -Pdist -Prelocation
+        env:
+          DEVELOCITY_ACCESS_KEY: "${{ secrets.DEVELOCITY_ACCESS_KEY || '' }}"
+      # For jobs running on 'pull_request', upload build scan data.
+      # The actual publishing must be done in a separate job (see ci-report.yml).
+      # We don't write to the remote cache as that would be unsafe.
+      - name: Upload GitHub Actions artifact for the Develocity build scan
+        uses: actions/upload-artifact@v4
+        if: "${{ github.event_name == 'pull_request' && !cancelled() }}"
+        with:
+          name: build-scan-data-initial-${{ matrix.os.name }}
+          path: ~/.m2/.develocity/build-scan-data
 
       - name: Build code and run tests in container mode
         run: |
           ./mvnw $MAVEN_ARGS ${{ matrix.os.maven.args }} clean verify \
           -Pjqassistant -Pskip-checks \
           -am -pl :hibernate-validator-tck-runner \
           -Dincontainer -Dincontainer-prepared
-      # Workaround for https://github.com/actions/upload-artifact/issues/240
-      - name: List build reports to upload (if build failed)
-        if: ${{ failure() || cancelled() }}
-        # The weird syntax is because we're setting a multiline environment variable
-        # See https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-of-a-multiline-string
-        run: |
-          {
-            echo 'buildReportPaths<<EOF'
-            find . -path '**/*-reports'
-            echo EOF
-          } >> "$GITHUB_ENV"
-      - name: Upload build reports (if build failed)
+        env:
+          DEVELOCITY_ACCESS_KEY: "${{ secrets.DEVELOCITY_ACCESS_KEY || '' }}"
+      # Same as above, but for the build scan of the latest Maven run.
+      - name: Upload GitHub Actions artifact for the Develocity build scan
         uses: actions/upload-artifact@v4
-        if: ${{ failure() || cancelled() }}
+        if: "${{ github.event_name == 'pull_request' && !cancelled() }}"
         with:
-          name: ${{ format('build-reports-{0}', matrix.os.name ) }}
-          path: ${{ env.buildReportPaths }}
-          retention-days: 7
+          name: build-scan-data-tck-container-${{ matrix.os.name }}
+          path: ~/.m2/.develocity/build-scan-data
+
+      - name: Omit produced artifacts from build cache
+        run: rm -r ~/.m2/repository/org/hibernate/validator
