From 3b90be44a24d30b0735fc3360a3db004e1bbe2c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoann=20Rodi=C3=A8re?=
Date: Mon, 4 Nov 2024 11:42:38 +0100
Subject: [PATCH 1/2] Align GitHub Actions setup on Hibernate Search
---
 .github/workflows/ci-report.yml | 68 +++++++++++++++++++++++
 .github/workflows/{build.yml => ci.yml} | 71 +++++++++++--------------
 2 files changed, 100 insertions(+), 39 deletions(-)
 create mode 100644 .github/workflows/ci-report.yml
 rename .github/workflows/{build.yml => ci.yml} (58%)
diff --git a/.github/workflows/ci-report.yml b/.github/workflows/ci-report.yml
new file mode 100644
index 0000000000..f5c4ba68d4
--- /dev/null
+++ b/.github/workflows/ci-report.yml
@@ -0,0 +1,68 @@
+name: GH Actions CI reporting
+
+on:
+ workflow_run:
+ workflows: [ "GH Actions CI" ]
+ types: [ completed ]
+
+defaults:
+ run:
+ shell: bash
+
+env:
+ MAVEN_ARGS: "-e -B --settings .github/mvn-settings.xml --fail-at-end"
+
+jobs:
+ publish-build-scans:
+ name: Publish Develocity build scans
+ if: github.repository == 'hibernate/hibernate-validator' && github.event.workflow_run.conclusion != 'cancelled'
+ runs-on: ubuntu-latest
+ steps:
+ # Checkout target branch which has trusted code
+ - name: Check out target branch
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ ref: ${{ github.ref }}
+ - name: Set up Java 21
+ uses: actions/setup-java@v4
+ with:
+ java-version: 21
+ distribution: temurin
+ # https://github.com/actions/cache/blob/main/examples.md#java---maven
+ - name: Cache local Maven repository
+ uses: actions/cache@v4
+ with:
+ path: ~/.m2/repository
+ # use a different key than workflows running untrusted code
+ key: trusted-${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+ restore-keys: |
+ trusted-${{ runner.os }}-maven-
+ - name: Set up Maven
+ run: ./mvnw -v
+ - name: Download GitHub Actions artifacts for the Develocity build scans
+ id: downloadBuildScan
+ uses: actions/download-artifact@v4
+ with:
+ pattern: build-scan-data-*
+ github-token: ${{ github.token }}
+ repository: ${{ github.repository }}
+ run-id: ${{ github.event.workflow_run.id }}
+ path: /tmp/downloaded-build-scan-data/
+ # Don't fail the build if there are no matching artifacts
+ continue-on-error: true
+ - name: Publish Develocity build scans for previous builds
+ if: ${{ steps.downloadBuildScan.outcome != 'failure'}}
+ run: |
+ shopt -s nullglob # Don't run the loop below if there are no artifacts
+ status=0
+ mkdir -p ~/.m2/.develocity/
+ for build_scan_data_directory in /tmp/downloaded-build-scan-data/*
+ do
+ rm -rf ~/.m2/.develocity/build-scan-data
+ mv "$build_scan_data_directory" ~/.m2/.develocity/build-scan-data \
+ && ./mvnw 
$MAVEN_ARGS develocity:build-scan-publish-previous || status=1 + done + exit $status + env: + DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY_PR }} diff --git a/.github/workflows/build.yml b/.github/workflows/ci.yml similarity index 58% rename from .github/workflows/build.yml rename to .github/workflows/ci.yml index 6c8ce68793..d9ebb7a15b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/ci.yml @@ -9,7 +9,7 @@ # See https://docs.github.com/en/actions # for more information about GitHub actions. -name: GitHub Actions Build +name: GH Actions CI on: push: @@ -24,9 +24,7 @@ on: - '!dependabot/**' tags: - '**' - # WARNING: Using pull_request_target to access secrets, but we check out the merge commit. - # See checkout action for details. - pull_request_target: + pull_request: types: [opened, synchronize, reopened, ready_for_review] branches: # Pattern order matters: the last matching inclusion/exclusion wins @@ -43,14 +41,14 @@ on: concurrency: group: "workflow = ${{ github.workflow }}, ref = ${{ github.event.ref }}, pr = ${{ github.event.pull_request.id }}" - cancel-in-progress: ${{ github.event_name == 'pull_request_target' || github.repository != 'hibernate/hibernate-validator' }} + cancel-in-progress: ${{ github.event_name == 'pull_request' || github.repository != 'hibernate/hibernate-validator' }} defaults: run: shell: bash env: - MAVEN_ARGS: "-e -B --settings .github/mvn-settings.xml --fail-at-end" + MAVEN_ARGS: "-e -B --settings .github/mvn-settings.xml --fail-at-end -Pci-build --no-transfer-progress" TESTCONTAINERS_REUSE_ENABLE: true jobs: @@ -68,7 +66,7 @@ jobs: version: 17 }, maven: { - args: '-Pci-build --no-transfer-progress' + args: '' } } - { 
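Review bot: The artifacts fetched by the download step were produced by the untrusted PR run, so the directory handed to `./mvnw $MAVEN_ARGS develocity:build-scan-publish-previous` is attacker-controlled input even though the checkout itself is the trusted target branch, and the hunk does not say so. A comment above the download step such as `# These artifacts come from the untrusted PR workflow: treat their contents as untrusted input to the publish step, which is why this job holds only DEVELOCITY_ACCESS_KEY_PR` would record the reason this job carries a single, separately named key and nothing else. The `ref: ${{ github.ref }}` on the checkout looks redundant, since a `workflow_run` job presumably already runs against the default branch, but it is harmless and makes the intent explicit. Also, `if: ${{ steps.downloadBuildScan.outcome != 'failure'}}` is missing the space before the closing `}}`.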
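Review bot: Moving from `pull_request_target` to `pull_request` is the right fix for the exposure the removed WARNING described, but the hunk deletes the explanation with it, leaving no record of why fork PRs now build without secrets or why publishing moved to a separate workflow. Replace the removed comment with a short one such as `# pull_request (not pull_request_target): fork PRs run with no secrets and a read-only token; anything needing credentials runs in ci-report.yml on workflow_run.` so the next person does not reintroduce `pull_request_target` to get secrets back. The `on:` block this hunk edits starts outside the hunk.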
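Review bot: With `-Pci-build --no-transfer-progress` folded into the global `MAVEN_ARGS`, `maven.args` becomes `''` for this matrix entry and for the second one in the next hunk, so `${{ matrix.os.maven.args }}` in the build steps always expands to nothing. Either drop the `maven:` block from both entries together with the interpolation in the `run:` lines, or add a comment such as `# per-OS extra Maven arguments; currently none` so the empty string reads as intentional rather than leftover. The matrix definition this hunk belongs to starts and ends outside the hunk.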
@@ -78,27 +76,16 @@ jobs: version: 17 }, maven: { - args: '-Pci-build --no-transfer-progress' + args: '' } } steps: - name: Support longpaths on Windows if: "startsWith(matrix.os.runs-on, 'windows')" run: git config --global core.longpaths true - - name: Check out commit already pushed to branch - if: "! github.event.pull_request.number" - uses: actions/checkout@v4 - - name: Check out PR head - uses: actions/checkout@v4 - if: github.event.pull_request.number + - uses: actions/checkout@v4 with: - # WARNING: This is potentially dangerous since we're checking out unreviewed code, - # and since we're using the pull_request_target event we can use secrets. - # Thus, we must be extra careful to never expose secrets to steps that execute this code, - # and to strictly limit our set of secrets to those that only pose minor security threats. - # This means in particular we won't expose Develocity credentials to the main maven executions, - # but instead will execute maven a third time just to push build scans to Develocity; (once we have scans enabled) - ref: "refs/pull/${{ github.event.pull_request.number }}/head" + persist-credentials: false - name: Set up Java ${{ matrix.os.java.version }} uses: actions/setup-java@v4 with: @@ -109,9 +96,10 @@ jobs: uses: actions/cache@v4 with: path: ~/.m2/repository - key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} + # use a different key than workflows running in trusted mode + key: ${{ github.event_name == 'push' && 'trusted' || 'untrusted' }}-${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} restore-keys: | - ${{ runner.os }}-maven- + ${{ github.event_name == 'push' && 'trusted' || 'untrusted' }}-${{ runner.os }}-maven- - name: Set up Maven run: ./mvnw -v 
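Review bot: The single remaining checkout uses actions/checkout's default ref, which on `pull_request` is the PR's merge commit (`refs/pull/N/merge`) rather than the PR head the removed step checked out explicitly; that changes what gets tested and deserves a line above the step, e.g. `# On pull_request this is the merge commit of the PR into its base, not the PR head`. `persist-credentials: false` is the right default now that PR code runs in this job: for same-repo PRs the token may still carry write permissions and should not be written into .git/config where the build can read it. The step is also the only unnamed one in the job; `name: Check out code` keeps the log consistent with the others.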
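Review bot: The `trusted`/`untrusted` key split is keyed solely on `github.event_name == 'push'`, so any trigger added later (`workflow_dispatch`, `schedule`) silently lands in the untrusted key space; that is the safe default, but the comment should say so, e.g. `# Only 'push' runs restore/save the trusted cache; every other trigger, including ones added later, uses the untrusted key`. This is defense in depth on top of GitHub's own branch-scoped cache isolation: it guarantees a PR run can never produce a cache entry that a push run would restore, which is the cache-poisoning path the comment hints at. The `restore-keys` prefix repeats the same expression, so the two must be kept in sync by hand if the trigger test ever changes.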
@@ -119,6 +107,17 @@ jobs: run: | ./mvnw $MAVEN_ARGS ${{ matrix.os.maven.args }} clean install \ -Pjqassistant -Pdist -Prelocation + env: + DEVELOCITY_ACCESS_KEY: "${{ secrets.DEVELOCITY_ACCESS_KEY || '' }}" + # For jobs running on 'pull_request', upload build scan data. + # The actual publishing must be done in a separate job (see ci-report.yml). + # We don't write to the remote cache as that would be unsafe. + - name: Upload GitHub Actions artifact for the Develocity build scan + uses: actions/upload-artifact@v4 + if: "${{ github.event_name == 'pull_request' && !cancelled() }}" + with: + name: build-scan-data-initial-${{ matrix.os.name }} + path: ~/.m2/.develocity/build-scan-data - name: Build code and run tests in container mode run: | 
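Review bot: `DEVELOCITY_ACCESS_KEY: "${{ secrets.DEVELOCITY_ACCESS_KEY || '' }}"` is empty only for fork PRs; on `pull_request` from a branch in this repository secrets are still available, so the key is handed to a `./mvnw` run driven by the PR's own pom and plugins. That is the usual trade-off for same-repo PRs, but the hunk does not state it; a comment such as `# Unset on fork PRs (no secrets on pull_request); present for same-repo PRs and pushes` above the new `env:` block would make it explicit. The upload step's `!cancelled()` guard keeps uploading scan data when the build fails, which looks intentional since failed builds are the ones worth inspecting. The run step whose `env:` this hunk extends starts outside the hunk.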
@@ -126,21 +125,15 @@ jobs: -Pjqassistant -Pskip-checks \ -am -pl :hibernate-validator-tck-runner \ -Dincontainer -Dincontainer-prepared - # Workaround for https://github.com/actions/upload-artifact/issues/240 - - name: List build reports to upload (if build failed) - if: ${{ failure() || cancelled() }} - # The weird syntax is because we're setting a multiline environment variable - # See https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-of-a-multiline-string - run: | - { - echo 'buildReportPaths<> "$GITHUB_ENV" - - name: Upload build reports (if build failed) + env: + DEVELOCITY_ACCESS_KEY: "${{ secrets.DEVELOCITY_ACCESS_KEY || '' }}" + # Same as above, but for the build scan of the latest Maven run. + - name: Upload GitHub Actions artifact for the Develocity build scan uses: actions/upload-artifact@v4 - if: ${{ failure() || cancelled() }} + if: "${{ github.event_name == 'pull_request' && !cancelled() }}" with: - name: ${{ format('build-reports-{0}', matrix.os.name ) }} - path: ${{ env.buildReportPaths }} - retention-days: 7 + name: build-scan-data-tck-container-${{ matrix.os.name }} + path: ~/.m2/.develocity/build-scan-data + + - name: Omit produced artifacts from build cache + run: rm -r ~/.m2/repository/org/hibernate/validator From 405a6baa8eeb589f5f150f0006d6403e40403fb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoann=20Rodi=C3=A8re?= Date: Mon, 4 Nov 2024 11:43:32 +0100 Subject: [PATCH 2/2] Remove Develocity from GitHub Actions for now Revert this commit once Develocity was configured in HV. --- .github/workflows/ci-report.yml | 68 --------------------------------- .github/workflows/ci.yml | 34 ++++++++--------- 2 files changed, 16 insertions(+), 86 deletions(-) delete mode 100644 .github/workflows/ci-report.yml diff --git a/.github/workflows/ci-report.yml b/.github/workflows/ci-report.yml deleted file mode 100644 index f5c4ba68d4..0000000000 --- a/.github/workflows/ci-report.yml +++ /dev/null 
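Review bot: The new `Omit produced artifacts from build cache` step uses `rm -r` without `-f` and has no `if:`, so it is skipped whenever an earlier step fails; if actions/cache's post-step save still runs in that case, a failed build's half-installed `org/hibernate/validator` artifacts end up in the cached repository under the trusted key on push runs. Change it to `if: always()` and `run: rm -rf ~/.m2/repository/org/hibernate/validator` so the directory is dropped on every outcome and its absence is not itself an error. The same step survives unchanged as context at the end of the second patch's last hunk, so the fix applies there too.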
@@ -1,68 +0,0 @@
-name: GH Actions CI reporting
-
-on:
- workflow_run:
- workflows: [ "GH Actions CI" ]
- types: [ completed ]
-
-defaults:
- run:
- shell: bash
-
-env:
- MAVEN_ARGS: "-e -B --settings .github/mvn-settings.xml --fail-at-end"
-
-jobs:
- publish-build-scans:
- name: Publish Develocity build scans
- if: github.repository == 'hibernate/hibernate-validator' && github.event.workflow_run.conclusion != 'cancelled'
- runs-on: ubuntu-latest
- steps:
- # Checkout target branch which has trusted code
- - name: Check out target branch
- uses: actions/checkout@v4
- with:
- persist-credentials: false
- ref: ${{ github.ref }}
- - name: Set up Java 21
- uses: actions/setup-java@v4
- with:
- java-version: 21
- distribution: temurin
- # https://github.com/actions/cache/blob/main/examples.md#java---maven
- - name: Cache local Maven repository
- uses: actions/cache@v4
- with:
- path: ~/.m2/repository
- # use a different key than workflows running untrusted code
- key: trusted-${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
- restore-keys: |
- trusted-${{ runner.os }}-maven-
- - name: Set up Maven
- run: ./mvnw -v
- - name: Download GitHub Actions artifacts for the Develocity build scans
- id: downloadBuildScan
- uses: actions/download-artifact@v4
- with:
- pattern: build-scan-data-*
- github-token: ${{ github.token }}
- repository: ${{ github.repository }}
- run-id: ${{ github.event.workflow_run.id }}
- path: /tmp/downloaded-build-scan-data/
- # Don't fail the build if there are no matching artifacts
- continue-on-error: true
- - name: Publish Develocity build scans for previous builds
- if: ${{ steps.downloadBuildScan.outcome != 'failure'}}
- run: |
- shopt -s nullglob # Don't run the loop below if there are no artifacts
- status=0
- mkdir -p ~/.m2/.develocity/
- for build_scan_data_directory in /tmp/downloaded-build-scan-data/*
- do
- rm -rf ~/.m2/.develocity/build-scan-data
- mv "$build_scan_data_directory" ~/.m2/.develocity/build-scan-data \
- && ./mvnw 
$MAVEN_ARGS develocity:build-scan-publish-previous || status=1 - done - exit $status - env: - DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY_PR }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d9ebb7a15b..72d8436c2e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -107,17 +107,6 @@ jobs: run: | ./mvnw $MAVEN_ARGS ${{ matrix.os.maven.args }} clean install \ -Pjqassistant -Pdist -Prelocation - env: - DEVELOCITY_ACCESS_KEY: "${{ secrets.DEVELOCITY_ACCESS_KEY || '' }}" - # For jobs running on 'pull_request', upload build scan data. - # The actual publishing must be done in a separate job (see ci-report.yml). - # We don't write to the remote cache as that would be unsafe. - - name: Upload GitHub Actions artifact for the Develocity build scan - uses: actions/upload-artifact@v4 - if: "${{ github.event_name == 'pull_request' && !cancelled() }}" - with: - name: build-scan-data-initial-${{ matrix.os.name }} - path: ~/.m2/.develocity/build-scan-data - name: Build code and run tests in container mode run: | 
@@ -125,15 +114,24 @@ jobs: -Pjqassistant -Pskip-checks \ -am -pl :hibernate-validator-tck-runner \ -Dincontainer -Dincontainer-prepared - env: - DEVELOCITY_ACCESS_KEY: "${{ secrets.DEVELOCITY_ACCESS_KEY || '' }}" - # Same as above, but for the build scan of the latest Maven run. - - name: Upload GitHub Actions artifact for the Develocity build scan + # Workaround for https://github.com/actions/upload-artifact/issues/240 + - name: List build reports to upload (if build failed) + if: ${{ failure() || cancelled() }} + # The weird syntax is because we're setting a multiline environment variable + # See https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-of-a-multiline-string + run: | + { + echo 'buildReportPaths<> "$GITHUB_ENV" + - name: Upload build reports (if build failed) uses: actions/upload-artifact@v4 - if: "${{ github.event_name == 'pull_request' && !cancelled() }}" + if: ${{ failure() || cancelled() }} with: - name: build-scan-data-tck-container-${{ matrix.os.name }} - path: ~/.m2/.develocity/build-scan-data + name: ${{ format('build-reports-{0}', matrix.os.name ) }} + path: ${{ env.buildReportPaths }} + retention-days: 7 - name: Omit produced artifacts from build cache run: rm -r ~/.m2/repository/org/hibernate/validator