diff --git a/.github/workflows/build.yml b/.github/workflows/ci.yml
similarity index 72%
rename from .github/workflows/build.yml
rename to .github/workflows/ci.yml
index 6c8ce68793..72d8436c2e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/ci.yml
@@ -9,7 +9,7 @@
# See https://docs.github.com/en/actions
# for more information about GitHub actions.
-name: GitHub Actions Build
+name: GH Actions CI
on:
push:
@@ -24,9 +24,7 @@ on:
- '!dependabot/**'
tags:
- '**'
- # WARNING: Using pull_request_target to access secrets, but we check out the merge commit.
- # See checkout action for details.
- pull_request_target:
+ pull_request:
types: [opened, synchronize, reopened, ready_for_review]
branches:
# Pattern order matters: the last matching inclusion/exclusion wins
@@ -43,14 +41,14 @@ on:
concurrency:
group: "workflow = ${{ github.workflow }}, ref = ${{ github.event.ref }}, pr = ${{ github.event.pull_request.id }}"
- cancel-in-progress: ${{ github.event_name == 'pull_request_target' || github.repository != 'hibernate/hibernate-validator' }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' || github.repository != 'hibernate/hibernate-validator' }}
defaults:
run:
shell: bash
env:
- MAVEN_ARGS: "-e -B --settings .github/mvn-settings.xml --fail-at-end"
+ MAVEN_ARGS: "-e -B --settings .github/mvn-settings.xml --fail-at-end -Pci-build --no-transfer-progress"
TESTCONTAINERS_REUSE_ENABLE: true
jobs:
@@ -68,7 +66,7 @@ jobs:
version: 17
},
maven: {
- args: '-Pci-build --no-transfer-progress'
+ args: ''
}
}
- {
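Review bot: The WARNING comment disappears together with `pull_request_target`, so the `@@ -24` hunk leaves no record of why the trigger was changed, and that is exactly the context a future editor needs before reintroducing the `_target` variant to "get secrets back". Add a comment above `pull_request:` such as `# Deliberately pull_request, not pull_request_target: PRs from forks run without repository secrets and with a read-only GITHUB_TOKEN, so building unreviewed code here is safe`. The `on:` block starts before this hunk and its `branches:` list continues past it.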
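Review bot: With `-Pci-build --no-transfer-progress` moved into `env.MAVEN_ARGS` in the `@@ -43` hunk, the matrix entries in the `@@ -68` hunk and in the `@@ -78` hunk are left with `args: ''`, a key that now carries nothing yet still implies per-OS Maven options exist. Either drop `maven: { args: '' }` from both entries (together with whatever expands `matrix.os.maven.args`, which is outside these hunks) or keep the key with a comment `# per-OS Maven args only; flags common to all entries live in env.MAVEN_ARGS` so the empty value reads as intentional rather than as a leftover. The `os:` matrix that contains these entries begins before the hunk.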
@@ -78,27 +76,16 @@ jobs:
version: 17
},
maven: {
- args: '-Pci-build --no-transfer-progress'
+ args: ''
}
}
steps:
- name: Support longpaths on Windows
if: "startsWith(matrix.os.runs-on, 'windows')"
run: git config --global core.longpaths true
- - name: Check out commit already pushed to branch
- if: "! github.event.pull_request.number"
- uses: actions/checkout@v4
- - name: Check out PR head
- uses: actions/checkout@v4
- if: github.event.pull_request.number
+ - uses: actions/checkout@v4
with:
- # WARNING: This is potentially dangerous since we're checking out unreviewed code,
- # and since we're using the pull_request_target event we can use secrets.
- # Thus, we must be extra careful to never expose secrets to steps that execute this code,
- # and to strictly limit our set of secrets to those that only pose minor security threats.
- # This means in particular we won't expose Develocity credentials to the main maven executions,
- # but instead will execute maven a third time just to push build scans to Develocity; (once we have scans enabled)
- ref: "refs/pull/${{ github.event.pull_request.number }}/head"
+ persist-credentials: false
- name: Set up Java ${{ matrix.os.java.version }}
uses: actions/setup-java@v4
with:
@@ -109,9 +96,10 @@ jobs:
uses: actions/cache@v4
with:
path: ~/.m2/repository
- key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+ # use a different key than workflows running in trusted mode
+ key: ${{ github.event_name == 'push' && 'trusted' || 'untrusted' }}-${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: |
- ${{ runner.os }}-maven-
+ ${{ github.event_name == 'push' && 'trusted' || 'untrusted' }}-${{ runner.os }}-maven-
- name: Set up Maven
run: ./mvnw -v
@@ -144,3 +132,6 @@ jobs:
name: ${{ format('build-reports-{0}', matrix.os.name ) }}
path: ${{ env.buildReportPaths }}
retention-days: 7
+
+ - name: Omit produced artifacts from build cache
+ run: rm -r ~/.m2/repository/org/hibernate/validator
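Review bot: The new `- uses: actions/checkout@v4` step in the `@@ -78` hunk is the only step in this list without a `name:`, and it references the action by a mutable tag, so a repointed `v4` would change what runs in the job that builds unreviewed code; give it a name and pin it to a full commit SHA with the version kept as a comment, e.g. `- name: Check out PR merge commit` / `uses: actions/checkout@<full-commit-sha>  # v4`, and treat `actions/setup-java@v4` on the following lines the same way. `persist-credentials: false` is the right complement to the `pull_request` trigger: the token is no longer written into `.git/config`, so later steps that execute project code (the Maven build) cannot read it from the checkout. Under `pull_request` the action defaults to the PR merge ref, which presumably is what the removed explicit `ref:` was standing in for; the `steps:` list continues outside the hunk.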
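Review bot: In the `@@ -109` hunk the `trusted`/`untrusted` selector is spelled out twice, once in `key` and once in `restore-keys`, so the two will drift the next time only one of them is edited; hoist it once into the job or workflow `env`, e.g. `CACHE_SCOPE: ${{ github.event_name == 'push' && 'trusted' || 'untrusted' }}`, and write `${{ env.CACHE_SCOPE }}-${{ runner.os }}-maven-` in both inputs. The comment `# use a different key than workflows running in trusted mode` would serve better if it named the risk: `# PR builds execute untrusted code, so they must never write to the cache that push builds restore from`. Note that every event other than `push` is classified as untrusted, which is correct for `pull_request`; if the workflow has further triggers not visible here (`schedule`, `workflow_dispatch`) they will share the untrusted prefix, which is safe but may be unintended.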
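Review bot: `rm -r ~/.m2/repository/org/hibernate/validator` in the `@@ -144` hunk fails the job when that directory is absent, which happens whenever the Maven invocation does not get as far as installing the project's own artifacts into the local repository; use `rm -rf ~/.m2/repository/org/hibernate/validator` so the step is a no-op in that case. A one-line comment above the step would also help, since the step name does not say why the artifacts are dropped — something like `# keep the project's own freshly built artifacts out of the cached repository (presumably so later runs rebuild instead of resolving stale snapshots; confirm)`. The `steps:` list this is appended to starts well before the hunk.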