HV-2059 Update GH actions build to upload/publish build scans

marko-bekhta · marko-bekhta · commit 81d572b98a91 · 2024-11-05T13:34:41.000+01:00
diff --git a/.github/workflows/ci-report.yml b/.github/workflows/ci-report.yml
@@ -0,0 +1,71 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright Red Hat Inc. and Hibernate Authors
+
+name: GH Actions CI reporting
+
+on:
+  workflow_run:
+    workflows: [ "GH Actions CI" ]
+    types: [ completed ]
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  MAVEN_ARGS: "-e -B --settings .github/mvn-settings.xml --fail-at-end -Pci-build --no-transfer-progress"
+
+jobs:
+  publish-build-scans:
+    name: Publish Develocity build scans
+    if: github.repository == 'hibernate/hibernate-validator' && github.event.workflow_run.conclusion != 'cancelled'
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout target branch which has trusted code
+      - name: Check out target branch
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          ref: ${{ github.ref }}
+      - name: Set up Java 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: 21
+          distribution: temurin
+      # https://github.com/actions/cache/blob/main/examples.md#java---maven
+      - name: Cache local Maven repository
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2/repository
+          # use a different key than workflows running untrusted code
+          key: trusted-${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            trusted-${{ runner.os }}-maven-
+      - name: Set up Maven
+        run: ./mvnw -v
+      - name: Download GitHub Actions artifacts for the Develocity build scans
+        id: downloadBuildScan
+        uses: actions/download-artifact@v4
+        with:
+          pattern: build-scan-data-*
+          github-token: ${{ github.token }}
+          repository: ${{ github.repository }}
+          run-id: ${{ github.event.workflow_run.id }}
+          path: /tmp/downloaded-build-scan-data/
+        # Don't fail the build if there are no matching artifacts
+        continue-on-error: true
+      - name: Publish Develocity build scans for previous builds
+        if: ${{ steps.downloadBuildScan.outcome != 'failure'}}
+        run: |
+          shopt -s nullglob # Don't run the loop below if there are no artifacts
+          status=0
+          mkdir -p ~/.m2/.develocity/
+          for build_scan_data_directory in /tmp/downloaded-build-scan-data/*
+          do
+            rm -rf ~/.m2/.develocity/build-scan-data
+            mv "$build_scan_data_directory" ~/.m2/.develocity/build-scan-data \
+            && ./mvnw $MAVEN_ARGS develocity:build-scan-publish-previous || status=1
+          done
+          exit $status
+        env:
+          DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY_PR }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -103,35 +103,37 @@ jobs:
       - name: Set up Maven
         run: ./mvnw -v
 
-      - name: Build code and run tests and basic checks
+      - name: Build code and run tests and basic checks (Standalone)
         run: |
           ./mvnw $MAVEN_ARGS ${{ matrix.os.maven.args }} clean install \
           -Pjqassistant -Pdist -Prelocation
+        env:
+          DEVELOCITY_ACCESS_KEY: "${{ secrets.DEVELOCITY_ACCESS_KEY || '' }}"
+      # For jobs running on 'pull_request', upload build scan data.
+      # The actual publishing must be done in a separate job (see ci-report.yml).
+      # We don't write to the remote cache as that would be unsafe.
+      - name: Upload GitHub Actions artifact for the Develocity build scan
+        uses: actions/upload-artifact@v4
+        if: "${{ github.event_name == 'pull_request' && !cancelled() }}"
+        with:
+          name: build-scan-data-standalone-${{ matrix.os.name }}
+          path: ~/.m2/.develocity/build-scan-data
 
-      - name: Build code and run tests in container mode
+      - name: Run TCK tests in container mode
         run: |
           ./mvnw $MAVEN_ARGS ${{ matrix.os.maven.args }} clean verify \
           -Pjqassistant -Pskip-checks \
           -am -pl :hibernate-validator-tck-runner \
           -Dincontainer -Dincontainer-prepared
-      # Workaround for https://github.com/actions/upload-artifact/issues/240
-      - name: List build reports to upload (if build failed)
-        if: ${{ failure() || cancelled() }}
-        # The weird syntax is because we're setting a multiline environment variable
-        # See https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-of-a-multiline-string
-        run: |
-          {
-            echo 'buildReportPaths<<EOF'
-            find . -path '**/*-reports'
-            echo EOF
-          } >> "$GITHUB_ENV"
-      - name: Upload build reports (if build failed)
+        env:
+          DEVELOCITY_ACCESS_KEY: "${{ secrets.DEVELOCITY_ACCESS_KEY || '' }}"
+
+      - name: Upload GitHub Actions artifact for the Develocity build scan
         uses: actions/upload-artifact@v4
-        if: ${{ failure() || cancelled() }}
+        if: "${{ github.event_name == 'pull_request' && !cancelled() }}"
         with:
-          name: ${{ format('build-reports-{0}', matrix.os.name ) }}
-          path: ${{ env.buildReportPaths }}
-          retention-days: 7
+          name: build-scan-data-incontainer-${{ matrix.os.name }}
+          path: ~/.m2/.develocity/build-scan-data
 
       - name: Omit produced artifacts from build cache
         run: rm -r ~/.m2/repository/org/hibernate/validator
