chore(ci): improvements to gha workflows #7089
base: master
095952a
a5826e6
7faf45d
9417e1c
3403c87
0d6f994
9c03223
5a3edfe
36538cc
c5846e1
@@ -0,0 +1,214 @@ | ||
# Guava GitHub CI | ||
# --------------------------------------------------------------------------------------------------------------------- | ||
# This is the main CI build on GitHub for the Google Guava project. This workflow is not invoked directly; instead, the | ||
# `on.pr.yml` and `on.push.yml` workflows kick in on PR and push events, respectively, and call this workflow as a | ||
# Reusable Workflow. | ||
# | ||
# This workflow can be tested independently of the entrypoint flow through the `workflow_dispatch` hook, which adds a | ||
# button within the UI of the GitHub repository. You can trigger the workflow from here: | ||
# | ||
# https://github.com/google/guava/actions/workflows/ci.build.yml | ||
# | ||
# ## Inputs | ||
# | ||
# See the set of input parameters underneath the `workflow_call` and `workflow_dispatch` hooks for ways this workflow | ||
# can be controlled when called. | ||
# | ||
# ## SLSA Provenance | ||
# | ||
# After building Guava in both JRE and Android variants, this workflow will (if enabled) generate provenance material | ||
# and upload it to an associated release. Learn more about SLSA here: https://slsa.dev. | ||
|
||
name: Build | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
provenance: | ||
type: boolean | ||
description: "Provenance" | ||
default: false | ||
|
||
provenance_publish: | ||
type: boolean | ||
description: "Publish: Provenance" | ||
default: true | ||
snapshot: | ||
type: boolean | ||
description: "Publish: Snapshot" | ||
default: false | ||
repository: | ||
type: string | ||
description: "Publish Repository" | ||
default: "sonatype-nexus-snapshots" | ||
|
||
workflow_dispatch: | ||
inputs: | ||
provenance: | ||
type: boolean | ||
description: "Provenance" | ||
default: false | ||
provenance_publish: | ||
type: boolean | ||
description: "Publish: Provenance" | ||
default: false | ||
snapshot: | ||
type: boolean | ||
description: "Publish: Snapshot" | ||
default: true | ||
repository: | ||
type: string | ||
description: "Publish Repository" | ||
default: "sonatype-nexus-snapshots" | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
build: | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
mode: ["JRE", "Android"] | ||
name: "Build Guava (${{ matrix.mode }})" | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read # for actions/checkout to fetch code | ||
outputs: | ||
hashes: ${{ steps.hash.outputs.hashes }} | ||
env: | ||
ROOT_POM: ${{ matrix.mode == 'Android' && 'android/pom.xml' || 'pom.xml' }} | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | ||
with: | ||
disable-sudo: true | ||
egress-policy: block | ||
allowed-endpoints: > | ||
api.azul.com:443 | ||
api.github.com:443 | ||
cdn.azul.com:443 | ||
dl.google.com:443 | ||
docs.oracle.com:443 | ||
errorprone.info:443 | ||
github.com:443 | ||
objects.githubusercontent.com:443 | ||
oss.sonatype.org:443 | ||
repo.maven.apache.org:443 | ||
services.gradle.org:443 | ||
- name: 'Check out repository' | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
with: | ||
persist-credentials: false | ||
- name: 'Set up JDK 21' | ||
uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0 | ||
with: | ||
java-version: 21 | ||
distribution: 'zulu' | ||
cache: 'maven' | ||
- name: 'Install' | ||
shell: bash | ||
run: | | ||
./mvnw \ | ||
--strict-checksums \ | ||
-B \ | ||
-Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ | ||
install \ | ||
-U \ | ||
-DskipTests=true \ | ||
-Dmaven.javadoc.skip=false \ | ||
-Dgpg.skip \ | ||
-f $ROOT_POM | ||
- name: Generate hashes | ||
shell: bash | ||
id: hash | ||
if: matrix.mode == 'JRE' | ||
run: | | ||
echo "Building SLSA provenance material..." | ||
ls guava/target/*.jar guava-gwt/target/*.jar guava-testlib/target/*.jar | ||
echo "hashes=$(sha256sum guava/target/*.jar guava-gwt/target/*.jar guava-testlib/target/*.jar | base64 -w0)" >> ./provenance-hashes.txt | ||
cat ./provenance-hashes.txt >> "$GITHUB_OUTPUT" | ||
echo "Gathered provenance hashes:" | ||
cat ./provenance-hashes.txt | ||
Builds SLSA hashes |
||
- name: 'Upload artifacts' | ||
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 | ||
if: matrix.mode == 'JRE' | ||
with: | ||
name: guava-artifacts-${{ matrix.mode == 'Android' && 'android' || 'jre' }}-${{ github.sha }} | ||
path: | | ||
guava/target/*.jar | ||
guava-gwt/target/*.jar | ||
guava-testlib/target/*.jar | ||
./provenance-hashes.txt | ||
if-no-files-found: warn | ||
retention-days: 7 | ||
|
||
# Generate SLSA provenance | ||
provenance: | ||
needs: [build] | ||
if: inputs.provenance | ||
name: "SLSA Provenance" | ||
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | ||
permissions: | ||
actions: read | ||
id-token: write | ||
contents: write | ||
with: | ||
base64-subjects: "${{ needs.build.outputs.hashes }}" | ||
upload-assets: ${{ inputs.provenance_publish }} | ||
|
||
# Publish snapshot JAR | ||
publish_snapshot: | ||
name: 'Publish Snapshot' | ||
needs: [build, provenance] | ||
if: inputs.snapshot | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | ||
with: | ||
egress-policy: audit | ||
- name: 'Check out repository' | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
- name: 'Set up JDK 21' | ||
uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0 | ||
with: | ||
java-version: 21 | ||
distribution: 'zulu' | ||
server-id: ${{ inputs.repository }} | ||
server-username: CI_DEPLOY_USERNAME | ||
server-password: CI_DEPLOY_PASSWORD | ||
cache: 'maven' | ||
- name: "Download artifacts" | ||
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | ||
with: | ||
name: guava-artifacts-jre-${{ github.sha }} | ||
- name: 'Publish' | ||
env: | ||
CI_DEPLOY_USERNAME: ${{ secrets.CI_DEPLOY_USERNAME }} | ||
CI_DEPLOY_PASSWORD: ${{ secrets.CI_DEPLOY_PASSWORD }} | ||
run: ./util/deploy_snapshot.sh | ||
@sgammon Thanks for opening this PR. It would be great to harden the build pipelines for Guava artifacts. I think one issue with the current workflow though is that only the snapshot artifacts are automatically published and not the main artifacts. So, the SLSA provenances can only attest to the snapshot artifacts. We also need to automate the publishing of main artifacts to Maven Central, and generate SLSA provenances for them.
@behnazh-w Yes, you're right. I wanted to get things started and churning, and then, with good PR feedback, I am happy to extend the SLSA provenance changes to other parts of the workflow. I believe there are Maven and Bazel generators that could be put to good use. |
||
|
||
generate_docs: | ||
permissions: | ||
contents: write | ||
name: 'Generate Docs' | ||
needs: build | ||
if: github.event_name == 'push' && github.repository == 'google/guava' | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | ||
with: | ||
egress-policy: audit | ||
- name: 'Check out repository' | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
- name: 'Set up JDK 21' | ||
uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0 | ||
with: | ||
java-version: 21 | ||
distribution: 'zulu' | ||
cache: 'maven' | ||
- name: 'Generate latest docs' | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
run: ./util/update_snapshot_docs.sh |
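Review bot: The `publish_snapshot` job (`needs: [build, provenance]`, `if: inputs.snapshot`) is skipped whenever the `provenance` job is skipped, because a job whose dependency did not run is itself skipped unless its condition uses a status-check function, and with the `workflow_dispatch` defaults (`provenance: false`, `snapshot: true`) that means a snapshot is never published from the UI. Change the condition to `if: ${{ !cancelled() && inputs.snapshot && needs.build.result == 'success' && contains(fromJSON('["success","skipped"]'), needs.provenance.result) }}` so it runs after a successful build whether or not provenance was generated. Separately, this job's checkout omits `persist-credentials: false` and its Harden Runner step uses `egress-policy: audit`, unlike the build job; a job that holds `CI_DEPLOY_USERNAME`/`CI_DEPLOY_PASSWORD` is exactly where a `GITHUB_TOKEN` left in `.git/config` or unexpected egress would matter, so apply the same hardening (`persist-credentials: false`, then `egress-policy: block` with the deploy endpoint allow-listed once audit mode has shown what the script needs). `generate_docs` has the same checkout shape but holds `contents: write` and may rely on the persisted token to push — verify against `util/update_snapshot_docs.sh` before changing it.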
@@ -0,0 +1,114 @@ | ||
# Guava GitHub CI | ||
# --------------------------------------------------------------------------------------------------------------------- | ||
# This is the main CI testsuite on GitHub for the Google Guava project. This workflow is not invoked directly; instead, | ||
# the `on.pr.yml` and `on.push.yml` workflows kick in on PR and push events, respectively, and call this workflow as a | ||
# Reusable Workflow. | ||
# | ||
# This workflow can be tested independently of the entrypoint flow through the `workflow_dispatch` hook, which adds a | ||
# button within the UI of the GitHub repository. You can trigger the workflow from here: | ||
# | ||
# https://github.com/google/guava/actions/workflows/ci.test.yml | ||
# | ||
# ## Inputs | ||
# | ||
# See the set of input parameters underneath the `workflow_call` and `workflow_dispatch` hooks for ways this workflow | ||
# can be controlled when called. | ||
# | ||
# ## Multi-OS and Multi-JVM Testing | ||
# | ||
# Guava is tested against each LTS release at JDK 8 through JDK 21, on Linux and on Windows (starting at JDK 17), and | ||
# in Android and JRE flavors. | ||
|
||
name: Tests | ||
|
||
on: | ||
workflow_call: {} | ||
workflow_dispatch: {} | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
test: | ||
permissions: | ||
contents: read # for actions/checkout to fetch code | ||
name: "JDK ${{ matrix.java }} ${{ matrix.mode }} (${{ matrix.os }})" | ||
strategy: | ||
matrix: | ||
os: [ ubuntu-latest ] | ||
java: [ 8, 11, 17, 21 ] | ||
mode: [ 'JRE', 'Android' ] | ||
include: | ||
- os: windows-latest | ||
java: 21 | ||
mode: JRE | ||
- os: windows-latest | ||
java: 21 | ||
mode: Android | ||
runs-on: ${{ matrix.os }} | ||
outputs: | ||
hashes: ${{ steps.hash.outputs.hashes }} | ||
env: | ||
ROOT_POM: ${{ matrix.mode == 'Android' && 'android/pom.xml' || 'pom.xml' }} | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | ||
with: | ||
disable-sudo: true | ||
egress-policy: block | ||
allowed-endpoints: > | ||
api.azul.com:443 | ||
api.github.com:443 | ||
cdn.azul.com:443 | ||
dl.google.com:443 | ||
docs.oracle.com:443 | ||
errorprone.info:443 | ||
github.com:443 | ||
objects.githubusercontent.com:443 | ||
oss.sonatype.org:443 | ||
repo.maven.apache.org:443 | ||
services.gradle.org:443 | ||
- name: 'Check out repository' | ||
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | ||
with: | ||
persist-credentials: false | ||
- name: 'Set up JDK ${{ matrix.java }}' | ||
uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0 | ||
with: | ||
java-version: ${{ matrix.java }} | ||
distribution: 'zulu' | ||
cache: 'maven' | ||
- name: 'Install' | ||
shell: bash | ||
run: | | ||
./mvnw \ | ||
--strict-checksums \ | ||
-B \ | ||
-Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ | ||
install \ | ||
-U \ | ||
-DskipTests=true \ | ||
-Dgpg.skip \ | ||
-Dmaven.javadoc.skip=true \ | ||
-f $ROOT_POM | ||
- name: 'Test' | ||
shell: bash | ||
run: | | ||
./mvnw \ | ||
--strict-checksums \ | ||
-B \ | ||
-P!standard-with-extra-repos \ | ||
verify \ | ||
-U \ | ||
-Dmaven.javadoc.skip=true \ | ||
-f $ROOT_POM | ||
- name: 'Print Surefire reports' | ||
# Note: Normally a step won't run if the job has failed, but this causes it to | ||
if: ${{ failure() }} | ||
shell: bash | ||
run: ./util/print_surefire_reports.sh | ||
- name: 'Integration Test' | ||
if: matrix.java == 11 | ||
shell: bash | ||
run: util/gradle_integration_tests.sh | ||
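Review bot: The `test` job declares `outputs: hashes: ${{ steps.hash.outputs.hashes }}`, but no step in this workflow has `id: hash`, so the output always resolves to an empty string; it looks carried over from the build workflow and the two `outputs:`/`hashes:` lines should be dropped so nothing downstream can mistake an empty subject list for provenance material. The comment on the 'Print Surefire reports' step is cut off mid-sentence (`# Note: Normally a step won't run if the job has failed, but this causes it to`); finish it, e.g. `# ... but failure() makes this step run so the reports are printed on a failed build.` Harden Runner is documented for Linux hosted runners, so the `egress-policy: block` allow-list likely does not take effect on the `windows-latest` matrix entries — confirm, and either say so in a comment on the step or gate it with `if: runner.os == 'Linux'` so the expectation is explicit.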
|
Docs at the top of each workflow.