ci(GitHub): Bump step-security/harden-runner #601
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build | |
on: | |
pull_request: | |
paths-ignore: | |
- '**-check.yml' | |
- '**-submission.yml' | |
- '**-validation.yml' | |
- '**.*ignore' | |
- '**.md' | |
- '**.txt' | |
- '**benchmark.yml' | |
- '**dependabot.yml' | |
push: | |
paths-ignore: | |
- '**-check.yml' | |
- '**-submission.yml' | |
- '**-validation.yml' | |
- '**.*ignore' | |
- '**.md' | |
- '**.txt' | |
- '**benchmark.yml' | |
- '**dependabot.yml' | |
env: | |
CI: true | |
BUILD_NUMBER: ${{ github.run_number }} | |
SCM_TAG: ${{ github.sha }} | |
GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true | |
GRADLE_OPTS: "\ | |
-Dorg.gradle.configuration-cache=false \ | |
-Dorg.gradle.vfs.watch=false \ | |
-Dorg.gradle.unsafe.watch-fs=false \ | |
" | |
jobs: | |
os-checks: | |
strategy: | |
fail-fast: false | |
matrix: | |
java: [ '17' ] | |
os: [ 'macos-latest', 'windows-latest', 'ubuntu-latest' ] | |
name: 'Test on ${{ matrix.os }} JDK ${{ matrix.java }}' | |
timeout-minutes: 55 | |
runs-on: ${{ matrix.os }} | |
if: ${{ !contains(github.event.head_commit.message, 'ci skip') }} | |
steps: | |
- name: Harden Runner | |
if: matrix.os == 'ubuntu-latest' | |
uses: step-security/harden-runner@bf4cac97a49476daf40896c7ba9e4c1ffbc530f5 | |
with: | |
disable-sudo: true | |
egress-policy: audit | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: 'Set up JDK ${{ matrix.java }}' | |
uses: actions/setup-java@v3 | |
with: | |
distribution: 'temurin' | |
java-version: '${{ matrix.java }}' | |
- name: 'Set up NodeJS 18 (LTS)' | |
if: matrix.os != 'windows-latest' | |
uses: actions/setup-node@v3 | |
with: | |
node-version: 18 | |
- name: 'Cache Konan (Kotlin/Native compiler)' | |
timeout-minutes: 6 | |
uses: actions/cache@v3 | |
continue-on-error: true | |
with: | |
path: | | |
~/.konan | |
/Users/runner/.konan | |
key: ${{ runner.os }}-konan-${{ hashFiles('**/*.versions.toml') }} | |
restore-keys: | | |
${{ runner.os }}-konan-${{ hashFiles('**/*.versions.toml') }} | |
${{ runner.os }}-konan- | |
- name: Setup Gradle | |
uses: gradle/gradle-build-action@v2 | |
with: | |
gradle-home-cache-cleanup: true | |
cache-read-only: ${{ (github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev') || matrix.java != '17' }} | |
- name: 'Build and check on ${{ matrix.os }} (complete, non-release)' | |
id: check | |
if: matrix.os != 'windows-latest' | |
timeout-minutes: 50 | |
run: ./gradlew build assemble check --stacktrace --continue --scan | |
- name: 'Build and check on ${{ matrix.os }} (split_targets, release)' | |
if: matrix.os == 'windows-latest' | |
timeout-minutes: 35 | |
env: | |
RELEASE: true | |
run: ./gradlew build assemble check -Dsplit_targets --stacktrace --continue --scan --no-daemon | |
- name: "Add build scan URL as PR comment" | |
uses: actions/github-script@v6 | |
if: github.event_name == 'pull_request' && failure() | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
github.rest.issues.createComment({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: '❌ ${{ github.workflow }} failed: ${{ steps.gradle.outputs.build-scan-url }}' | |
}) | |
- name: Summary | |
if: success() || failure() | |
continue-on-error: true | |
run: ./.github/workflows/summary.main.kts >> $GITHUB_STEP_SUMMARY | |
shell: bash | |
- name: Upload code coverage | |
if: (success() || failure()) && !contains(github.event.head_commit.message, 'coverage skip') | |
uses: codecov/codecov-action@v3 | |
env: | |
OS: ${{ matrix.os }} | |
JAVA_VERSION: ${{ matrix.java }} | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
files: ./build/reports/kover-merged-report.xml | |
env_vars: OS,JAVA_VERSION | |
flags: 'unit-tests,${{ matrix.os }}' | |
name: 'codecov-${{ matrix.os }}' | |
move_coverage_to_trash: true | |
fail_ci_if_error: false | |
- name: Upload reports | |
if: success() || failure() | |
uses: actions/upload-artifact@v3 | |
continue-on-error: true | |
with: | |
name: 'reports-${{ matrix.os }}' | |
path: | | |
**/build/reports/ | |
!**/build/reports/configuration-cache/ | |
!**/build/reports/dependency-analysis/ | |
- name: Upload merged sarif (Lint) | |
if: (success() || failure()) && matrix.os == 'macos-latest' | |
&& (github.event_name == 'pull_request' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev') | |
uses: github/codeql-action/upload-sarif@v2 | |
continue-on-error: true | |
with: | |
sarif_file: build/lint-merged.sarif | |
category: lint | |
- name: Upload merged sarif (Detekt) | |
if: (success() || failure()) && matrix.os == 'macos-latest' | |
&& (github.event_name == 'pull_request' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev') | |
uses: github/codeql-action/upload-sarif@v2 | |
continue-on-error: true | |
with: | |
sarif_file: build/detekt-merged.sarif | |
category: detekt | |
- name: Publish JUnit test results as a pull request check | |
if: (success() || failure()) && matrix.os == 'macos-latest' | |
&& github.repository == 'fluxo-kt/fluxo' && github.ref == 'refs/heads/main' | |
uses: mikepenz/action-junit-report@v4 | |
with: | |
report_paths: '**/build/test-results/*/TEST-*.xml' | |
- name: 'Check release API and publish SNAPSHOT' | |
id: snapshot | |
if: matrix.os == 'macos-latest' && matrix.java == '17' | |
&& steps.check.outcome == 'success' | |
&& github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'fluxo-kt/fluxo' | |
env: | |
OSSRH_USER: ${{ secrets.OSSRH_USER }} | |
OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} | |
SIGNING_KEY: ${{ secrets.SIGNING_KEY }} | |
SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }} | |
RELEASE: true | |
run: ./gradlew apiCheck androidApiCheck publish -DDISABLE_TESTS --rerun-tasks --stacktrace --scan | |
- name: 'Check release API on ${{ matrix.os }}' | |
if: matrix.os != 'windows-latest' && steps.snapshot.outcome == 'skipped' | |
env: | |
RELEASE: true | |
run: ./gradlew apiCheck androidApiCheck --stacktrace --scan |