Skip to content

Commit 12b0392

Browse files
beikovyrodiere
beikov
and
yrodiere
committed
Rework/simplify GH Actions jobs
* Use `pull_request` instead of `pull_request_target` * Move Develocity build scan publishing for untrusted code to a separate workflow * Merge Atlas workflow into the main CI workflow * Split caches between trusted and untrusted code * Update secrets to use "Develocity" name instead of "Gradle Enterprise" * Update comments Co-Authored-By: Yoann Rodière <yoann@hibernate.org> (cherry picked from commit df8b163)
1 parent 3737d87 commit 12b0392

File tree

4 files changed

+261
-244
lines changed

4 files changed

+261
-244
lines changed

.github/workflows/atlas.yml

Lines changed: 0 additions & 118 deletions
This file was deleted.

.github/workflows/ci-report.yml

Lines changed: 72 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,72 @@
1+
name: GH Actions CI reporting
2+
3+
on:
4+
workflow_run:
5+
workflows: [ "GH Actions CI" ]
6+
types: [ completed ]
7+
8+
defaults:
9+
run:
10+
shell: bash
11+
12+
jobs:
13+
publish-build-scans:
14+
name: Publish Develocity build scans
15+
if: github.repository == 'hibernate/hibernate-orm' && github.event.workflow_run.conclusion != 'cancelled'
16+
runs-on: ubuntu-latest
17+
steps:
18+
# Checkout target branch which has trusted code
19+
- name: Check out target branch
20+
uses: actions/checkout@v4
21+
with:
22+
persist-credentials: false
23+
ref: ${{ github.ref }}
24+
- name: Set up Java 11
25+
uses: actions/setup-java@v4
26+
with:
27+
distribution: 'temurin'
28+
java-version: '11'
29+
- name: Get year/month for cache key
30+
id: get-date
31+
run: echo "yearmonth=$(/bin/date -u "+%Y-%m")" >> $GITHUB_OUTPUT
32+
shell: bash
33+
# Note we only restore the caches, we never populate them
34+
- name: Restore Maven/Gradle local caches
35+
uses: actions/cache/restore@v4
36+
id: cache-maven-gradle
37+
with:
38+
path: |
39+
~/.m2/repository/
40+
~/.m2/wrapper/
41+
~/.gradle/caches/
42+
~/.gradle/wrapper/
43+
# refresh cache every month to avoid unlimited growth
44+
# use a different key than workflows running untrusted code
45+
key: trusted-maven-gradle-caches-${{ steps.get-date.outputs.yearmonth }}
46+
- name: Download GitHub Actions artifacts for the Develocity build scans
47+
id: downloadBuildScan
48+
uses: actions/download-artifact@v4
49+
with:
50+
name: build-scan-data-${{ matrix.rdbms }}
51+
github-token: ${{ github.token }}
52+
repository: ${{ github.repository }}
53+
run-id: ${{ github.event.workflow_run.id }}
54+
path: /tmp/downloaded-build-scan-data/
55+
pattern: build-scan-data-*
56+
# Don't fail the build if there are no matching artifacts
57+
continue-on-error: true
58+
- name: Publish Develocity build scans for previous builds
59+
if: ${{ steps.downloadBuildScan.outcome != 'failure'}}
60+
run: |
61+
shopt -s nullglob # Don't run the loop below if there are no artifacts
62+
status=0
63+
for build_scan_data_directory in /tmp/downloaded-build-scan-data/*
64+
do
65+
rm -rf ~/.gradle/build-scan-data
66+
mkdir -p ~/.gradle/build-scan-data
67+
tar -xzf "$build_scan_data_directory/build-scan-data.tgz" -C ~/.gradle/build-scan-data \
68+
&& ./gradlew --no-build-cache buildScanPublishPrevious || status=1
69+
done
70+
exit $status
71+
env:
72+
DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY_PR }}

.github/workflows/ci.yml

Lines changed: 189 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,189 @@
1+
name: GH Actions CI
2+
3+
on:
4+
push:
5+
branches:
6+
- '6.6'
7+
pull_request:
8+
branches:
9+
- '6.6'
10+
11+
permissions: {} # none
12+
13+
# See https://github.com/hibernate/hibernate-orm/pull/4615 for a description of the behavior we're getting.
14+
concurrency:
15+
# Consider that two builds are in the same concurrency group (cannot run concurrently)
16+
# if they use the same workflow and are about the same branch ("ref") or pull request.
17+
group: "workflow = ${{ github.workflow }}, ref = ${{ github.event.ref }}, pr = ${{ github.event.pull_request.id }}"
18+
# Cancel previous builds in the same concurrency group even if they are in progress
19+
# for pull requests or pushes to forks (not the upstream repository).
20+
cancel-in-progress: ${{ github.event_name == 'pull_request' || github.repository != 'hibernate/hibernate-orm' }}
21+
22+
jobs:
23+
24+
# Main job for h2/docker DBs.
25+
build:
26+
permissions:
27+
contents: read
28+
name: OpenJDK 11 - ${{matrix.rdbms}}
29+
runs-on: ubuntu-latest
30+
strategy:
31+
fail-fast: false
32+
matrix:
33+
include:
34+
- rdbms: h2
35+
- rdbms: hsqldb
36+
- rdbms: derby
37+
- rdbms: mysql
38+
- rdbms: mariadb
39+
- rdbms: postgresql
40+
- rdbms: edb
41+
- rdbms: oracle
42+
- rdbms: db2
43+
- rdbms: mssql
44+
- rdbms: sybase
45+
# Running with CockroachDB requires at least 2-4 vCPUs, which we don't have on GH Actions runners
46+
# - rdbms: cockroachdb
47+
# Running with HANA requires at least 8GB memory just for the database, which we don't have on GH Actions runners
48+
# - rdbms: hana
49+
steps:
50+
- uses: actions/checkout@v4
51+
with:
52+
persist-credentials: false
53+
- name: Reclaim Disk Space
54+
run: .github/ci-prerequisites.sh
55+
- name: Start database
56+
env:
57+
RDBMS: ${{ matrix.rdbms }}
58+
run: ci/database-start.sh
59+
- name: Set up Java 11
60+
uses: actions/setup-java@v4
61+
with:
62+
distribution: 'temurin'
63+
java-version: '11'
64+
- name: Get year/month for cache key
65+
id: get-date
66+
run: echo "yearmonth=$(/bin/date -u "+%Y-%m")" >> $GITHUB_OUTPUT
67+
shell: bash
68+
- name: Cache Maven/Gradle local caches
69+
uses: actions/cache@v4
70+
id: cache-maven-gradle
71+
with:
72+
path: |
73+
~/.m2/repository/
74+
~/.m2/wrapper/
75+
~/.gradle/caches/
76+
~/.gradle/wrapper/
77+
# refresh cache every month to avoid unlimited growth
78+
# use a different key depending on whether we run in trusted or untrusted mode
79+
key: ${{ github.event_name == 'push' && 'trusted' || 'untrusted' }}-maven-gradle-caches-${{ steps.get-date.outputs.yearmonth }}
80+
- name: Run build script
81+
run: ./ci/build-github.sh
82+
shell: bash
83+
env:
84+
RDBMS: ${{ matrix.rdbms }}
85+
# For jobs running on 'push', publish build scan and cache immediately.
86+
# This won't work for pull requests, since they don't have access to secrets.
87+
POPULATE_REMOTE_GRADLE_CACHE: ${{ github.event_name == 'push' && github.repository == 'hibernate/hibernate-orm' && 'true' || 'false' }}
88+
DEVELOCITY_ACCESS_KEY: "${{ secrets.DEVELOCITY_ACCESS_KEY }}"
89+
90+
# For jobs running on 'pull_request', tar and upload build scan data.
91+
# The actual publishing must be done in a separate job (see ci-report.yml).
92+
# We don't write to the remote cache as that would be unsafe.
93+
- name: Tar build scan content pushed to subsequent jobs
94+
if: "${{ github.event_name == 'pull_request' && !cancelled() }}"
95+
run: tar -czf build-scan-data.tgz -C ~/.gradle/build-scan-data .
96+
- name: Upload GitHub Actions artifact for the Develocity build scan
97+
uses: actions/upload-artifact@v4
98+
if: "${{ github.event_name == 'pull_request' && !cancelled() }}"
99+
with:
100+
name: build-scan-data-${{ matrix.rdbms }}
101+
path: build-scan-data.tgz
102+
103+
- name: Upload test reports (if Gradle failed)
104+
uses: actions/upload-artifact@v4
105+
if: failure()
106+
with:
107+
name: test-reports-java11-${{ matrix.rdbms }}
108+
path: |
109+
./**/target/reports/tests/
110+
- name: Omit produced artifacts from build cache
111+
run: ./ci/before-cache.sh
112+
113+
# Job for builds on Atlas (Oracle) infrastructure.
114+
# This is untrusted, even for pushes, see below.
115+
atlas:
116+
permissions:
117+
contents: read
118+
name: GraalVM 21 - ${{matrix.rdbms}}
119+
# runs-on: ubuntu-latest
120+
runs-on: [self-hosted, Linux, X64, OCI]
121+
strategy:
122+
fail-fast: false
123+
matrix:
124+
include:
125+
- rdbms: oracle_atps
126+
- rdbms: oracle_db19c
127+
- rdbms: oracle_db21c
128+
- rdbms: oracle_db23c
129+
steps:
130+
- uses: actions/checkout@v4
131+
with:
132+
persist-credentials: false
133+
- name: Reclaim Disk Space
134+
run: .github/ci-prerequisites.sh
135+
- name: Start database
136+
env:
137+
RDBMS: ${{ matrix.rdbms }}
138+
RUNID: ${{ github.run_number }}
139+
run: ci/database-start.sh
140+
- name: Set up Java 21
141+
uses: graalvm/setup-graalvm@v1
142+
with:
143+
distribution: 'graalvm'
144+
java-version: '21'
145+
- name: Get year/month for cache key
146+
id: get-date
147+
run: echo "yearmonth=$(/bin/date -u "+%Y-%m")" >> $GITHUB_OUTPUT
148+
shell: bash
149+
- name: Cache Maven/Gradle local caches
150+
uses: actions/cache@v4
151+
id: cache-maven-gradle
152+
with:
153+
path: |
154+
~/.m2/repository/
155+
~/.m2/wrapper/
156+
~/.gradle/caches/
157+
~/.gradle/wrapper/
158+
# refresh cache every month to avoid unlimited growth
159+
# use a different key than jobs running in trusted mode
160+
key: untrusted-maven-gradle-caches-${{ steps.get-date.outputs.yearmonth }}
161+
- name: Run build script
162+
env:
163+
RDBMS: ${{ matrix.rdbms }}
164+
RUNID: ${{ github.run_number }}
165+
run: ./ci/build-github.sh
166+
shell: bash
167+
# Tar and upload build scan data.
168+
# The actual publishing must be done in a separate job (see ci-report.yml).
169+
# We don't write to the remote cache as that would be unsafe.
170+
# That's even on push, because we do not trust Atlas runners to hold secrets: they are shared infrastructure.
171+
- name: Tar build scan content pushed to subsequent jobs
172+
if: "${{ !cancelled() }}"
173+
run: tar -czf build-scan-data.tgz -C ~/.gradle/build-scan-data .
174+
- name: Upload GitHub Actions artifact for the Develocity build scan
175+
uses: actions/upload-artifact@v4
176+
if: "${{ !cancelled() }}"
177+
with:
178+
name: build-scan-data-${{ matrix.rdbms }}
179+
path: build-scan-data.tgz
180+
- name: Upload test reports (if Gradle failed)
181+
uses: actions/upload-artifact@v4
182+
if: failure()
183+
with:
184+
name: test-reports-java11-${{ matrix.rdbms }}
185+
path: |
186+
./**/target/reports/tests/
187+
./**/target/reports/checkstyle/
188+
- name: Omit produced artifacts from build cache
189+
run: ./ci/before-cache.sh

0 commit comments

Comments
 (0)