ci: update all workflows

Signed-off-by: Art Shendrik <[email protected]>
fluxo-kt · Apr 28, 2024 · 345199e · 345199e
1 parent 524abe7
commit 345199e
Show file tree

Hide file tree

Showing 9 changed files with 321 additions and 60 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -8,68 +8,118 @@ on:
       - '**.md'
       - '**.txt'
       - '**/pr-**.yml'
+      - '**/release.yml'
       - '**dependabot.yml'
   push:
+    # Avoid useless runs.
+    branches-ignore:
+      # Dependabot creates both branch and PR. Avoid running twice.
+      - 'dependabot/**'
+      - 'pr/**'
+      - 'pull/**'
+      - 'wip/**'
     paths-ignore:
       - '**-validation.yml'
       - '**.*ignore'
       - '**.md'
       - '**.txt'
       - '**/pr-**.yml'
+      - '**/release.yml'
       - '**dependabot.yml'
 
+permissions:
+  contents: write
+  # required for all workflows (CodeQL)
+  security-events: write
+  # required for workflows in private repositories (CodeQL)
+  actions: read
+  # We appear to need write permission for both pull-requests and
+  # issues to post a comment to a pull request.
+  pull-requests: write
+  issues: write
+
 env:
   CI: true
   BUILD_NUMBER: ${{ github.run_number }}
   SCM_TAG: ${{ github.sha }}
   #GRADLE_OPTS: "-Dorg.gradle.daemon=false"
   GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
   DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS: "^(?!(classpath)).*"
-  DEPENDENCY_GRAPH_INCLUDE_PROJECTS: "^:(?!(buildSrc|test-)).*"
+  DEPENDENCY_GRAPH_INCLUDE_PROJECTS: "^:(?!(buildSrc|test|check)).*"
 
 jobs:
   buildAndCheck:
-    name: 'Build and check'
+    strategy:
+      fail-fast: false
+      matrix:
+        java: [ '17' ]
+        os: [ 'macos', 'ubuntu', 'windows' ]
+        # CodeQL supports ['c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift']
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+        language: [ 'java-kotlin' ]
+
+    name: 'Build and check on ${{ matrix.os }}'
     timeout-minutes: 25
-    runs-on: 'ubuntu-latest'
+    runs-on: '${{ matrix.os }}-latest'
     if: ${{ !contains(github.event.head_commit.message, 'ci skip') }}
-    permissions:
-      contents: write
-      security-events: write
-      # We appear to need write permission for both pull-requests and
-      # issues in order to post a comment to a pull request.
-      pull-requests: write
-      issues: write
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
           disable-sudo: true
           egress-policy: audit
 
+      # steps.v.outputs.run_url
+      - id: v
+        if: github.event_name == 'pull_request'
+        run: |
+          echo "run_url=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" >> $GITHUB_OUTPUT
+
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: 'Set up JDK 21'
+      - name: 'Set up JDK ${{ matrix.java }}'
         uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
-          java-version: '21'
+          java-version: '${{ matrix.java }}'
+
+      - name: 'Cached KMP things (Konan, Node, Yarn, Binaryen)'
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.konan
+            ~/.gradle/yarn
+            ~/.gradle/nodejs
+            ~/.gradle/binaryen
+            hashFiles('**/gradle/libs.versions.toml')
+          key: ${{ runner.os }}-kmp-${{ hashFiles('**/*.gradle.kts', '**/gradle-wrapper.properties', '**/gradle/libs.versions.toml') }}
+          #restore-keys: ${{ runner.os }}-kmp-
 
       - name: Setup Gradle
-        uses: gradle/gradle-build-action@v2
+        uses: gradle/actions/setup-gradle@v3
         with:
+          gradle-version: 8.7
           gradle-home-cache-cleanup: true
           cache-read-only: ${{ github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' }}
           dependency-graph: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && 'generate-and-submit' || 'disabled'}}
+          artifact-retention-days: 1
+
+      - name: Initialize CodeQL
+        if: matrix.os == 'ubuntu'
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
 
       - name: 'Build and check plugin itself'
+        timeout-minutes: 15
         run: ./gradlew build assemble check --continue --stacktrace --scan
 
       - name: Upload sarif report (Detekt)
-        if: (success() || failure()) && (github.event_name == 'pull_request' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev')
-        uses: github/codeql-action/upload-sarif@v2
+        if: (success() || failure()) &&
+          (github.event_name == 'pull_request' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev')
+        uses: github/codeql-action/upload-sarif@v3
         continue-on-error: true
         with:
           sarif_file: build/detekt-merged.sarif
@@ -82,20 +132,40 @@ jobs:
           GITHUB_DEPENDENCY_GRAPH_ENABLED: false
 
       - name: 'Check "js-only" setup example'
+        timeout-minutes: 10
         working-directory: checks/js-only
         run: ./gradlew check --continue --stacktrace --scan
         env:
           GITHUB_DEPENDENCY_GRAPH_ENABLED: false
 
-      - name: "Add build scan URL as PR comment"
+      - name: Upload the build report
+        if: success() || failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: '${{ matrix.os }}-build-report'
+          path: |
+            **/build/logs/
+            **/build/reports/
+            **/build/output/
+            build/*-merged.*
+          compression-level: 9
+
+      - name: Perform CodeQL Analysis
+        if: matrix.os == 'ubuntu'
+        timeout-minutes: 6
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"
+
+      - name: "Post result in PR comment"
         uses: actions/github-script@v7
         if: github.event_name == 'pull_request' && failure()
+        env:
+          GITHUB_ACTION_RUN_URL: '${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}'
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
             github.rest.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: '❌ ${{ github.workflow }} failed: ${{ steps.gradle.outputs.build-scan-url }}'
+              issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo,
+              body: '❌ ${{ github.workflow }} [failed](${{ steps.v.outputs.run_url }}) on ${{ matrix.os }}.'
             })
diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml
@@ -1,4 +1,4 @@
-name: "Validate Gradle Wrapper"
+name: Validate Gradle Wrapper
 
 on:
   pull_request:
@@ -26,14 +26,15 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
-            downloads.gradle-dn.com:443
             github.com:443
-            services.gradle.org:443
+            downloads.gradle-dn.com:443
             downloads.gradle.org:443
+            services.gradle.org:443
+
       - uses: actions/checkout@v4
-      - uses: gradle/wrapper-validation-action@v1
+      - uses: gradle/wrapper-validation-action@v2
diff --git a/.github/workflows/pr-baseline.yml b/.github/workflows/pr-baseline.yml
@@ -0,0 +1,130 @@
+name: PR Deps Baseline
+
+# Add the necessary changes to the dependency update PRs.
+
+on:
+  pull_request:
+    types: [ opened, reopened, synchronize ]
+
+permissions:
+  contents: write
+  # We appear to need write permission for both pull-requests and
+  # issues to post a comment to a pull request.
+  pull-requests: write
+  issues: write
+
+jobs:
+  pr-deps:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    concurrency:
+      group: '${{ github.workflow }}-${{ github.ref }}'
+      cancel-in-progress: true
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: audit
+
+      # steps.v.outputs.run_url
+      - id: v
+        run: |
+          echo "run_url=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" >> $GITHUB_OUTPUT
+
+      # Verify that the PR is from Dependabot
+      - uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Confirm start in the comment
+        uses: actions/github-script@v7
+        continue-on-error: true
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: '🔄 Baseline update [started](${{ steps.v.outputs.run_url }})...'
+            })
+
+      - uses: actions/checkout@v4
+        with:
+          # Needed for correct git commit --amend.
+          fetch-depth: 3
+          # Checkout pull request HEAD commit instead of merge commit.
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: 21
+
+      - uses: gradle/actions/setup-gradle@v3
+
+      - name: Baseline
+        run: ./baseline
+
+      - name: Setup GIT
+        run: |
+          # Set GIT user email and name to match author of the last commit.
+          #git config --local user.name "$(git log --pretty=format:'%an' -1)"
+          #git config --local user.email "$(git log --pretty='%ae' -1)"
+          git config --local user.name "Baseline Action"
+          git config --local user.email "[email protected]"
+
+          # Create SSH key
+          #mkdir -p ~/.ssh/
+          #echo "${{ secrets.BOT_GIT_SSH_KEY }}" > ~/.ssh/id_rsa_bot
+          #chmod 666 ~/.ssh/id_rsa_bot
+
+          # Configure GH commit signing key.
+          # TODO: Fix it, doesn't work atm. Fails for SSH key saved and used this way.
+          #git config --local commit.gpgsign true
+          #git config --local gpg.format ssh
+          #git config --local user.signingkey ~/.ssh/id_rsa
+
+      - name: GIT add
+        run: |
+          git add -v .
+
+      - name: Commit amend and push
+        run: |
+          if [ -n "$(git diff --name-only --cached)" ]; then
+            # Show what's available.
+            git log -n 3 --pretty=format:"%h - %an, %ar : %s"
+
+            # Amend the baseline changes to the last commit.
+            git commit --amend --no-edit -vv
+
+            # Show what we are about to push.
+            git log -n 3 --pretty=format:"%h - %an, %ar : %s"
+
+            # Push changes back to branch
+            git push --force -v origin HEAD:refs/heads/${{ github.head_ref }}
+          else
+            echo "No changes needed."
+          fi
+
+      # Track result in the comment
+      - uses: actions/github-script@v7
+        continue-on-error: true
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo,
+              body: '✅ Baseline [updated](${{ steps.v.outputs.run_url }}).'
+            })
+      - uses: actions/github-script@v7
+        if: failure()
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo,
+              body: '❌ Baseline update [failed](${{ steps.v.outputs.run_url }})!'
+            })
diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml
@@ -4,27 +4,30 @@ on:
   pull_request:
     types: [ opened, reopened, synchronize ]
 
+permissions:
+  contents: read
+  # We appear to need write permission for both pull-requests and
+  # issues to post a comment to a pull request.
+  pull-requests: write
+  issues: write
+
 jobs:
-  check-fast-forward:
+  pr-check:
     runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-      # We appear to need write permission for both pull-requests and
-      # issues in order to post a comment to a pull request.
-      pull-requests: write
-      issues: write
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
             github.com:443
 
-      - name: Checking if fast forwarding is possible
+      - name: Check if fast forwarding is possible
         uses: sequoia-pgp/fast-forward@v1
         with:
           merge: false