# The main CI of Hibernate Search is https://ci.hibernate.org/job/hibernate-search/. # However, Hibernate Search builds run on GitHub actions regularly # to build on Windows # and check that both the Linux and Windows workflows still work # and can be used in GitHub forks. # See https://docs.github.com/en/actions # for more information about GitHub actions. name: GitHub Actions Build on: push: branches: # Pattern order matters: the last matching inclusion/exclusion wins - '**' - '!3.*' - '!4.*' - '!5.*' - '!6.*' - '!dependabot/**' - '!wip/**/dependency-update/**' tags: - '**' # WARNING: Using pull_request_target to access secrets, but we check out the merge commit. # See checkout action for details. pull_request_target: types: [opened, synchronize, reopened, ready_for_review] branches: # Pattern order matters: the last matching inclusion/exclusion wins - '**' - '!3.*' - '!4.*' - '!5.*' - '!6.*' # Ignore dependabot PRs that are not just about build dependencies; # we'll reject such dependant PRs and send a PR ourselves. - '!dependabot/**' - 'dependabot/maven/build-dependencies-**' - 'dependabot/docker/**/build-containers-**' - 'dependabot/docker/**/database-containers-**' concurrency: group: "workflow = ${{ github.workflow }}, ref = ${{ github.event.ref }}, pr = ${{ github.event.pull_request.id }}" cancel-in-progress: ${{ github.event_name == 'pull_request_target' || github.repository != 'hibernate/hibernate-search' }} defaults: run: shell: bash env: MAVEN_ARGS: "-e -B --settings .github/mvn-settings.xml --fail-at-end" TESTCONTAINERS_REUSE_ENABLE: true jobs: build: name: ${{matrix.os.name}} runs-on: ${{ matrix.os.runs-on }} strategy: fail-fast: false matrix: os: - { name: "Linux JDK 17", runs-on: 'ubuntu-latest', java: { version: 17 }, maven: { # Since we only start an Elasticsearch container on Linux we add the profile to enable container reuse here: args: '-Pci-build' } } # We can't start Linux containers on GitHub Actions' Windows VMs, # so we can't run Elasticsearch tests. # See https://github.com/actions/runner-images/issues/1143#issuecomment-972929995 - { name: "Windows JDK 17", runs-on: 'windows-latest', java: { version: 17 }, maven: { args: '-Dtest.elasticsearch.skip=true' } } steps: - name: Support longpaths on Windows if: "startsWith(matrix.os.runs-on, 'windows')" run: git config --global core.longpaths true - name: Check out commit already pushed to branch if: "! github.event.pull_request.number" uses: actions/checkout@v4 - name: Check out PR head uses: actions/checkout@v4 if: github.event.pull_request.number with: # WARNING: This is potentially dangerous since we're checking out unreviewed code, # and since we're using the pull_request_target event we can use secrets. # Thus, we must be extra careful to never expose secrets to steps that execute this code, # and to strictly limit our of secrets to those that only pose minor security threads. # This means in particular we won't expose Develocity credentials to the main maven executions, # but instead will execute maven a third time just to push build scans to Develocity; # see below. ref: "refs/pull/${{ github.event.pull_request.number }}/head" # Fetch the whole history to make sure that gitflow incremental builder # can find the base commit. fetch-depth: 0 - name: Set up Java ${{ matrix.os.java.version }} uses: actions/setup-java@v4 with: java-version: ${{ matrix.os.java.version }} distribution: temurin # https://github.com/actions/cache/blob/main/examples.md#java---maven - name: Cache local Maven repository uses: actions/cache@v4 with: path: ~/.m2/repository key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} restore-keys: | ${{ runner.os }}-maven- - name: Set up Maven run: ./mvnw -v - name: Docker cleanup run: ./ci/docker-cleanup.sh - name: Build code and run unit tests and basic checks run: | ./mvnw $MAVEN_ARGS ${{ matrix.os.maven.args }} clean install \ -Pjqassistant -Pdist -Pci-build -DskipITs env: # WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code. GRADLE_ENTERPRISE_ACCESS_KEY: "${{ github.event_name == 'push' && secrets.GRADLE_ENTERPRISE_ACCESS_KEY || '' }}" - name: Publish Develocity build scan for previous build (pull request) if: "${{ !cancelled() && github.event_name == 'pull_request_target' && github.repository == 'hibernate/hibernate-search' }}" run: | ./mvnw $MAVEN_ARGS gradle-enterprise:build-scan-publish-previous env: # WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code. GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY_PR }} - name: Run integration tests in the default environment run: | ./mvnw $MAVEN_ARGS ${{ matrix.os.maven.args }} clean verify \ -Pskip-checks \ ${{ github.event.pull_request.base.ref && format('-Dincremental -Dgib.referenceBranch=refs/remotes/origin/{0}', github.event.pull_request.base.ref) || '' }} env: # WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code. GRADLE_ENTERPRISE_ACCESS_KEY: "${{ github.event_name == 'push' && secrets.GRADLE_ENTERPRISE_ACCESS_KEY || '' }}" - name: Publish Develocity build scan for previous build (pull request) if: "${{ !cancelled() && github.event_name == 'pull_request_target' && github.repository == 'hibernate/hibernate-search' }}" run: | ./mvnw $MAVEN_ARGS gradle-enterprise:build-scan-publish-previous env: # WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code. GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY_PR }} - name: Docker cleanup run: ./ci/docker-cleanup.sh - name: Omit produced artifacts from build cache run: rm -r ~/.m2/repository/org/hibernate/search # Workaround for https://github.com/actions/upload-artifact/issues/240 - name: List build reports to upload (if build failed) if: ${{ failure() || cancelled() }} # The weird syntax is because we're setting a multiline environment variable # See https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-of-a-multiline-string run: | { echo 'buildReportPaths<<EOF' find . -path '**/*-reports' echo EOF } >> "$GITHUB_ENV" - name: Upload build reports (if build failed) uses: actions/upload-artifact@v4 if: ${{ failure() || cancelled() }} with: name: ${{ format('build-reports-{0}', matrix.os.name ) }} path: ${{ env.buildReportPaths }} retention-days: 7