Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(ci): improvements to gha workflows #7089

Open
wants to merge 10 commits into
base: master
Choose a base branch
from
214 changes: 214 additions & 0 deletions .github/workflows/ci.build.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,214 @@
# Guava GitHub CI
# ---------------------------------------------------------------------------------------------------------------------
# This is the main CI build on GitHub for the Google Guava project. This workflow is not invoked directly; instead, the
# `on.pr.yml` and `on.push.yml` workflows kick in on PR and push events, respectively, and call this workflow as a
# Reusable Workflow.
#
# This workflow can be tested independently of the entrypoint flow through the `workflow_dispatch` hook, which adds a
# button within the UI of the GitHub repository. You can trigger the workflow from here:
Comment on lines +1 to +8
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Docs at the top of each workflow.

#
# https://github.com/google/guava/actions/workflows/ci.build.yml
#
# ## Inputs
#
# See the set of input parameters underneath the `workflow_call` and `workflow_dispatch` hooks for ways this workflow
# can be controlled when called.
#
# ## SLSA Provenance
#
# After building Guava in both JRE and Android variants, this workflow will (if enabled) generate provenance material
# and upload it to an associated release. Learn more about SLSA here: https://slsa.dev.

name: Build

on:
workflow_call:
inputs:
provenance:
type: boolean
description: "Provenance"
default: false
Comment on lines +25 to +30
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

workflow_call allows reuse of the build and test workflows.

provenance_publish:
type: boolean
description: "Publish: Provenance"
default: true
snapshot:
type: boolean
description: "Publish: Snapshot"
default: false
repository:
type: string
description: "Publish Repository"
default: "sonatype-nexus-snapshots"

workflow_dispatch:
inputs:
provenance:
type: boolean
description: "Provenance"
default: false
provenance_publish:
type: boolean
description: "Publish: Provenance"
default: false
snapshot:
type: boolean
description: "Publish: Snapshot"
default: true
repository:
type: string
description: "Publish Repository"
default: "sonatype-nexus-snapshots"

permissions:
contents: read

jobs:
build:
strategy:
fail-fast: false
matrix:
mode: ["JRE", "Android"]
name: "Build Guava (${{ matrix.mode }})"
runs-on: ubuntu-latest
permissions:
contents: read # for actions/checkout to fetch code
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
env:
ROOT_POM: ${{ matrix.mode == 'Android' && 'android/pom.xml' || 'pom.xml' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.azul.com:443
api.github.com:443
cdn.azul.com:443
dl.google.com:443
docs.oracle.com:443
errorprone.info:443
github.com:443
objects.githubusercontent.com:443
oss.sonatype.org:443
repo.maven.apache.org:443
services.gradle.org:443
- name: 'Check out repository'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
- name: 'Set up JDK 21'
uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0
with:
java-version: 21
distribution: 'zulu'
cache: 'maven'
- name: 'Install'
shell: bash
run: |
./mvnw \
--strict-checksums \
-B \
-Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
install \
-U \
-DskipTests=true \
-Dmaven.javadoc.skip=false \
-Dgpg.skip \
-f $ROOT_POM
- name: Generate hashes
shell: bash
id: hash
if: matrix.mode == 'JRE'
run: |
echo "Building SLSA provenance material..."
ls guava/target/*.jar guava-gwt/target/*.jar guava-testlib/target/*.jar
echo "hashes=$(sha256sum guava/target/*.jar guava-gwt/target/*.jar guava-testlib/target/*.jar | base64 -w0)" >> ./provenance-hashes.txt
cat ./provenance-hashes.txt >> "$GITHUB_OUTPUT"
echo "Gathered provenance hashes:"
cat ./provenance-hashes.txt
Comment on lines +125 to +131
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Builds SLSA hashes

- name: 'Upload artifacts'
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
if: matrix.mode == 'JRE'
with:
name: guava-artifacts-${{ matrix.mode == 'Android' && 'android' || 'jre' }}-${{ github.sha }}
path: |
guava/target/*.jar
guava-gwt/target/*.jar
guava-testlib/target/*.jar
./provenance-hashes.txt
if-no-files-found: warn
retention-days: 7

# Generate SLSA provenance
provenance:
needs: [build]
if: inputs.provenance
name: "SLSA Provenance"
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
permissions:
actions: read
id-token: write
contents: write
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: ${{ inputs.provenance_publish }}

# Publish snapshot JAR
publish_snapshot:
name: 'Publish Snapshot'
needs: [build, provenance]
if: inputs.snapshot
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: 'Check out repository'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: 'Set up JDK 21'
uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0
with:
java-version: 21
distribution: 'zulu'
server-id: ${{ inputs.repository }}
server-username: CI_DEPLOY_USERNAME
server-password: CI_DEPLOY_PASSWORD
cache: 'maven'
- name: "Download artifacts"
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: guava-artifacts-jre-${{ github.sha }}
- name: 'Publish'
env:
CI_DEPLOY_USERNAME: ${{ secrets.CI_DEPLOY_USERNAME }}
CI_DEPLOY_PASSWORD: ${{ secrets.CI_DEPLOY_PASSWORD }}
run: ./util/deploy_snapshot.sh

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sgammon Thanks for opening this PR. It would be great to harden the build pipelines for Guava artifacts. I think one issue with the current workflow though is that only the snapshot artifacts are automatically published and not the main artifacts. So, the SLSA provenances can only attest to the snapshot artifacts. We also need to automate the publishing of main artifacts to Maven Central, and generate SLSA provenances for them.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@behnazh-w Yes, you're right. I wanted to get things started and churning, and then, with good PR feedback, I am happy to extend the SLSA provenance changes to other parts of the workflow. I believe there are Maven and Bazel generators that could be put to good use.


generate_docs:
permissions:
contents: write
name: 'Generate Docs'
needs: build
if: github.event_name == 'push' && github.repository == 'google/guava'
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: 'Check out repository'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: 'Set up JDK 21'
uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0
with:
java-version: 21
distribution: 'zulu'
cache: 'maven'
- name: 'Generate latest docs'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: ./util/update_snapshot_docs.sh
114 changes: 114 additions & 0 deletions .github/workflows/ci.test.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,114 @@
# Guava GitHub CI
# ---------------------------------------------------------------------------------------------------------------------
# This is the main CI testsuite on GitHub for the Google Guava project. This workflow is not invoked directly; instead,
# the `on.pr.yml` and `on.push.yml` workflows kick in on PR and push events, respectively, and call this workflow as a
# Reusable Workflow.
#
# This workflow can be tested independently of the entrypoint flow through the `workflow_dispatch` hook, which adds a
# button within the UI of the GitHub repository. You can trigger the workflow from here:
#
# https://github.com/google/guava/actions/workflows/ci.test.yml
#
# ## Inputs
#
# See the set of input parameters underneath the `workflow_call` and `workflow_dispatch` hooks for ways this workflow
# can be controlled when called.
#
# ## Multi-OS and Multi-JVM Testing
#
# Guava is tested against each LTS release at JDK 8 through JDK 21, on Linux and on Windows (starting at JDK 17), and
# in Android and JRE flavors.

name: Tests

on:
workflow_call: {}
workflow_dispatch: {}

permissions:
contents: read

jobs:
test:
permissions:
contents: read # for actions/checkout to fetch code
name: "JDK ${{ matrix.java }} ${{ matrix.mode }} (${{ matrix.os }})"
strategy:
matrix:
os: [ ubuntu-latest ]
java: [ 8, 11, 17, 21 ]
mode: [ 'JRE', 'Android' ]
include:
- os: windows-latest
java: 21
mode: JRE
- os: windows-latest
java: 21
mode: Android
runs-on: ${{ matrix.os }}
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
env:
ROOT_POM: ${{ matrix.mode == 'Android' && 'android/pom.xml' || 'pom.xml' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.azul.com:443
api.github.com:443
cdn.azul.com:443
dl.google.com:443
docs.oracle.com:443
errorprone.info:443
github.com:443
objects.githubusercontent.com:443
oss.sonatype.org:443
repo.maven.apache.org:443
services.gradle.org:443
- name: 'Check out repository'
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
persist-credentials: false
- name: 'Set up JDK ${{ matrix.java }}'
uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0
with:
java-version: ${{ matrix.java }}
distribution: 'zulu'
cache: 'maven'
- name: 'Install'
shell: bash
run: |
./mvnw \
--strict-checksums \
-B \
-Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
install \
-U \
-DskipTests=true \
-Dgpg.skip \
-Dmaven.javadoc.skip=true \
-f $ROOT_POM
- name: 'Test'
shell: bash
run: |
./mvnw \
--strict-checksums \
-B \
-P!standard-with-extra-repos \
verify \
-U \
-Dmaven.javadoc.skip=true \
-f $ROOT_POM
- name: 'Print Surefire reports'
# Note: Normally a step won't run if the job has failed, but this causes it to
if: ${{ failure() }}
shell: bash
run: ./util/print_surefire_reports.sh
- name: 'Integration Test'
if: matrix.java == 11
shell: bash
run: util/gradle_integration_tests.sh

Loading
Loading