forked from hibernate/hibernate-search
-
Notifications
You must be signed in to change notification settings - Fork 0
185 lines (175 loc) · 7.68 KB
/
build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
# SPDX-License-Identifier: Apache-2.0
# Copyright Red Hat Inc. and Hibernate Authors
# The main CI of Hibernate Search is https://ci.hibernate.org/job/hibernate-search/.
# However, Hibernate Search builds run on GitHub actions regularly
# to build on Windows
# and check that both the Linux and Windows workflows still work
# and can be used in GitHub forks.
# See https://docs.github.com/en/actions
# for more information about GitHub actions.
name: GitHub Actions Build
on:
push:
branches:
# Pattern order matters: the last matching inclusion/exclusion wins
- '**'
- '!3.*'
- '!4.*'
- '!5.*'
- '!6.*'
- '!dependabot/**'
- '!wip/**/dependency-update/**'
tags:
- '**'
# WARNING: Using pull_request_target to access secrets, but we check out the merge commit.
# See checkout action for details.
pull_request_target:
types: [opened, synchronize, reopened, ready_for_review]
branches:
# Pattern order matters: the last matching inclusion/exclusion wins
- '**'
- '!3.*'
- '!4.*'
- '!5.*'
- '!6.*'
# Ignore dependabot PRs that are not just about build dependencies;
# we'll reject such dependant PRs and send a PR ourselves.
- '!dependabot/**'
- 'dependabot/maven/build-dependencies-**'
- 'dependabot/docker/**/build-containers-**'
- 'dependabot/docker/**/database-containers-**'
concurrency:
group: "workflow = ${{ github.workflow }}, ref = ${{ github.event.ref }}, pr = ${{ github.event.pull_request.id }}"
cancel-in-progress: ${{ github.event_name == 'pull_request_target' || github.repository != 'hibernate/hibernate-search' }}
defaults:
run:
shell: bash
env:
MAVEN_ARGS: "-e -B --settings .github/mvn-settings.xml --fail-at-end"
TESTCONTAINERS_REUSE_ENABLE: true
jobs:
build:
name: ${{matrix.os.name}}
runs-on: ${{ matrix.os.runs-on }}
strategy:
fail-fast: false
matrix:
os:
- {
name: "Linux JDK 21",
runs-on: 'ubuntu-latest',
java: {
version: 21
},
maven: {
# Since we only start an Elasticsearch container on Linux we add the profile to enable container reuse here:
args: '-Pci-build'
}
}
# We can't start Linux containers on GitHub Actions' Windows VMs,
# so we can't run Elasticsearch tests.
# See https://github.com/actions/runner-images/issues/1143#issuecomment-972929995
- {
name: "Windows JDK 21",
runs-on: 'windows-latest',
java: {
version: 21
},
maven: {
args: '-Dtest.elasticsearch.skip=true'
}
}
steps:
- name: Support longpaths on Windows
if: "startsWith(matrix.os.runs-on, 'windows')"
run: git config --global core.longpaths true
- name: Check out commit already pushed to branch
if: "! github.event.pull_request.number"
uses: actions/checkout@v4
- name: Check out PR head
uses: actions/checkout@v4
if: github.event.pull_request.number
with:
# WARNING: This is potentially dangerous since we're checking out unreviewed code,
# and since we're using the pull_request_target event we can use secrets.
# Thus, we must be extra careful to never expose secrets to steps that execute this code,
# and to strictly limit our of secrets to those that only pose minor security threads.
# This means in particular we won't expose Develocity credentials to the main maven executions,
# but instead will execute maven a third time just to push build scans to Develocity;
# see below.
ref: "refs/pull/${{ github.event.pull_request.number }}/head"
# Fetch the whole history to make sure that gitflow incremental builder
# can find the base commit.
fetch-depth: 0
- name: Set up Java ${{ matrix.os.java.version }}
uses: actions/setup-java@v4
with:
java-version: ${{ matrix.os.java.version }}
distribution: temurin
# https://github.com/actions/cache/blob/main/examples.md#java---maven
- name: Cache local Maven repository
uses: actions/cache@v4
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-maven-
- name: Set up Maven
run: ./mvnw -v
- name: Docker cleanup
run: ./ci/docker-cleanup.sh
- name: Build code and run unit tests and basic checks
run: |
./mvnw $MAVEN_ARGS ${{ matrix.os.maven.args }} clean install \
-Pjqassistant -Pdist -Pci-build -DskipITs
env:
# WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code.
DEVELOCITY_ACCESS_KEY: "${{ github.event_name == 'push' && secrets.GRADLE_ENTERPRISE_ACCESS_KEY || '' }}"
- name: Publish Develocity build scan for previous build (pull request)
# Don't fail a build if publishing fails
continue-on-error: true
if: "${{ !cancelled() && github.event_name == 'pull_request_target' && github.repository == 'hibernate/hibernate-search' }}"
run: |
./mvnw $MAVEN_ARGS develocity:build-scan-publish-previous
env:
# WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code.
DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY_PR }}
- name: Run integration tests in the default environment
run: |
./mvnw $MAVEN_ARGS ${{ matrix.os.maven.args }} clean verify \
-Pskip-checks \
${{ github.event.pull_request.base.ref && format('-Dincremental -Dgib.referenceBranch=refs/remotes/origin/{0}', github.event.pull_request.base.ref) || '' }}
env:
# WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code.
DEVELOCITY_ACCESS_KEY: "${{ github.event_name == 'push' && secrets.GRADLE_ENTERPRISE_ACCESS_KEY || '' }}"
- name: Publish Develocity build scan for previous build (pull request)
# Don't fail a build if publishing fails
continue-on-error: true
if: "${{ !cancelled() && github.event_name == 'pull_request_target' && github.repository == 'hibernate/hibernate-search' }}"
run: |
./mvnw $MAVEN_ARGS develocity:build-scan-publish-previous
env:
# WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code.
DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY_PR }}
- name: Docker cleanup
run: ./ci/docker-cleanup.sh
- name: Omit produced artifacts from build cache
run: rm -r ~/.m2/repository/org/hibernate/search
# Workaround for https://github.com/actions/upload-artifact/issues/240
- name: List build reports to upload (if build failed)
if: ${{ failure() || cancelled() }}
# The weird syntax is because we're setting a multiline environment variable
# See https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-of-a-multiline-string
run: |
{
echo 'buildReportPaths<<EOF'
find . -path '**/*-reports'
echo EOF
} >> "$GITHUB_ENV"
- name: Upload build reports (if build failed)
uses: actions/upload-artifact@v4
if: ${{ failure() || cancelled() }}
with:
name: ${{ format('build-reports-{0}', matrix.os.name ) }}
path: ${{ env.buildReportPaths }}
retention-days: 7