Ensured a single string aud
(Audience) claim would be retained (wit…
#582
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
pull_request: # all pull requests | |
push: | |
branches: | |
- master | |
env: | |
MVN_CMD: ./mvnw --no-transfer-progress -B | |
jobs: | |
oracle: | |
strategy: | |
matrix: | |
java: [ '17' ] | |
runs-on: 'ubuntu-latest' | |
name: jdk-${{ matrix.java }}-oracle | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set up JDK | |
uses: oracle-actions/setup-java@v1 | |
with: | |
release: ${{ matrix.java }} | |
- name: Install softhsm2 | |
run: sudo apt-get install -y softhsm2 | |
- name: Install opensc | |
run: sudo apt-get install -y opensc | |
- name: Ensure SoftHSM user configuration | |
run: impl/src/test/scripts/softhsm configure | |
- name: Populate SoftHSM with JJWT test keys | |
run: impl/src/test/scripts/softhsm import | |
- name: Build | |
# run a full build, just as we would for a release (i.e. the `ossrh` profile), but don't use gpg | |
# to sign artifacts, since we don't want to mess with storing signing credentials in CI: | |
run: ${{env.MVN_CMD}} verify -Possrh -Dgpg.skip=true | |
temurin: | |
strategy: | |
matrix: | |
java: [ '8', '11', '17', '18' ] | |
runs-on: 'ubuntu-latest' | |
name: jdk-${{ matrix.java }}-temurin | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set up JDK | |
uses: actions/setup-java@v3 | |
with: | |
java-version: ${{ matrix.java }} | |
distribution: 'temurin' | |
cache: 'maven' | |
check-latest: true | |
- name: Install softhsm2 | |
run: sudo apt-get install -y softhsm2 | |
- name: Install opensc | |
run: sudo apt-get install -y opensc | |
- name: Ensure SoftHSM user configuration | |
run: impl/src/test/scripts/softhsm configure | |
- name: Populate SoftHSM with JJWT test keys | |
run: impl/src/test/scripts/softhsm import | |
- name: Build | |
# run a full build, just as we would for a release (i.e. the `ossrh` profile), but don't use gpg | |
# to sign artifacts, since we don't want to mess with storing signing credentials in CI: | |
run: ${{env.MVN_CMD}} verify -Possrh -Dgpg.skip=true | |
zulu: | |
strategy: | |
matrix: | |
java: [ '7', '8', '9', '11', '12', '13', '14', '15', '16', '17', '18', '21' ] | |
runs-on: 'ubuntu-latest' | |
env: | |
JDK_MAJOR_VERSION: ${{ matrix.java }} | |
name: jdk-${{ matrix.java }}-zulu | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set up JDK | |
uses: actions/setup-java@v3 | |
with: | |
java-version: ${{ matrix.java }} | |
distribution: 'zulu' | |
cache: 'maven' | |
check-latest: true | |
- name: Install softhsm2 | |
run: sudo apt-get install -y softhsm2 | |
- name: Install opensc | |
run: sudo apt-get install -y opensc | |
- name: Ensure SoftHSM user configuration | |
run: impl/src/test/scripts/softhsm configure | |
- name: Populate SoftHSM with JJWT test keys | |
run: impl/src/test/scripts/softhsm import | |
- name: Build | |
# run a full build, just as we would for a release (i.e. the `ossrh` profile), but don't use gpg | |
# to sign artifacts, since we don't want to mess with storing signing credentials in CI: | |
run: | | |
if [ "$JDK_MAJOR_VERSION" == "7" ]; then export MAVEN_OPTS="-Xmx512m -XX:MaxPermSize=128m"; fi | |
${{env.MVN_CMD}} verify -Possrh -Dgpg.skip=true | |
# ensure all of our files have the correct/updated license header | |
license-check: | |
runs-on: 'ubuntu-latest' | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # avoid license plugin history warnings (plus it needs full history) | |
- name: Set up JDK | |
uses: actions/setup-java@v3 | |
with: | |
distribution: 'zulu' | |
java-version: '8' | |
cache: 'maven' | |
check-latest: true | |
- name: License Check | |
# This adds about 1 minute to any build, which is why we don't want to do it on every other build: | |
run: | | |
${{env.MVN_CMD}} license:check | |
code-coverage: | |
# (commented out for now - see the comments in 'Wait to start' below for why. Keeping this here as a placeholder | |
# as it may be better to use instead of an artificial delay once we no longer need to build on JDK 7): | |
#needs: zulu # wait until others finish so a coverage failure doesn't cancel others accidentally | |
runs-on: 'ubuntu-latest' | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set up JDK | |
uses: actions/setup-java@v3 | |
with: | |
distribution: 'zulu' | |
java-version: '8' | |
cache: 'maven' | |
check-latest: true | |
- name: Install softhsm2 | |
run: sudo apt-get install -y softhsm2 | |
- name: Install opensc | |
run: sudo apt-get install -y opensc | |
- name: Ensure SoftHSM user configuration | |
run: impl/src/test/scripts/softhsm configure | |
- name: Populate SoftHSM with JJWT test keys | |
run: impl/src/test/scripts/softhsm import | |
- name: Wait to start | |
# wait a little to start: code coverage usually only takes about 1 1/2 minutes. If coverage fails, it will | |
# cancel the other running builds, and we don't want that (because we want to see if jobs fail due to | |
# build issues, not due to the code-coverage job causing the others to cancel). We could have used the | |
# 'need' property (commented out above), and that would wait until all the other jobs have finished before | |
# starting this one, but that introduces unnecessary (sometimes 2 1/2 minute) delay, whereas delaying the | |
# start of the code coverage checks a bit should allow everything to finish around the same time without having | |
# much of an adverse effect on the other jobs above. | |
run: sleep 90s | |
shell: bash | |
- name: Code Coverage | |
# run a full build, just as we would for a release (i.e. the `ossrh` profile), but don't use gpg | |
# to sign artifacts, since we don't want to mess with storing signing credentials in CI: | |
run: | | |
${{env.MVN_CMD}} clover:setup test && \ | |
${{env.MVN_CMD}} -pl . clover:clover clover:check coveralls:report \ | |
-DrepoToken="${{ secrets.GITHUB_TOKEN }}" \ | |
-DserviceName=github \ | |
-DserviceBuildNumber="${{ env.GITHUB_RUN_ID }}" |