GH Actions CI reporting #469
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SPDX-License-Identifier: Apache-2.0 | |
| # Copyright Red Hat Inc. and Hibernate Authors | |
| name: GH Actions CI reporting | |
| on: | |
| workflow_run: | |
| workflows: [ "GH Actions CI" ] | |
| types: [ completed ] | |
| defaults: | |
| run: | |
| shell: bash | |
| env: | |
| MAVEN_ARGS: "-e -B --settings .github/mvn-settings.xml --fail-at-end -Pci-build --no-transfer-progress" | |
| permissions: | |
| contents: read | |
| jobs: | |
| publish-build-scans: | |
| name: Publish Develocity build scans | |
| if: github.repository == 'hibernate/hibernate-validator' && github.event.workflow_run.conclusion != 'cancelled' | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Different branches might have different versions of Develocity, and we want to make sure | |
| # that we publish with the one that we built the scan with in the first place: | |
| - name: Determine the Branch Reference for which the original action was triggered | |
| id: determine_branch_ref | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| if [ "${{ github.event.workflow_run.event }}" == "pull_request" ]; then | |
| echo "::notice::Triggering workflow was executed for a pull request" | |
| FORK_OWNER="${{ github.event.workflow_run.head_repository.owner.login }}" | |
| BRANCH_NAME="${{ github.event.workflow_run.head_branch }}" | |
| if [ "${{ github.event.workflow_run.head_repository.owner.login }}" != "${{ github.event.workflow_run.repository.owner.login }}" ]; then | |
| BRANCH_NAME="$FORK_OWNER:$BRANCH_NAME" | |
| fi | |
| TARGET_BRANCH=$(gh pr view "$BRANCH_NAME" --repo ${{ github.event.workflow_run.repository.full_name }} --json baseRefName -q .baseRefName) | |
| echo "::notice::PR found. Target branch is: $TARGET_BRANCH" | |
| echo "original_branch_ref=$TARGET_BRANCH" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "::notice::Triggering workflow was executed for a push event? Using the head_branch value." | |
| echo "original_branch_ref=${{ github.event.workflow_run.head_branch }}" >> "$GITHUB_OUTPUT" | |
| fi | |
| # Checkout target branch which has trusted code | |
| - name: Check out target branch | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0 | |
| with: | |
| persist-credentials: false | |
| # By default, a workflow that is triggered with on workflow_run would run on the main (default) branch. | |
| # Different branches might have different versions of Develocity, and we want to make sure | |
| # that we publish with the one that we built the scan with in the first place. | |
| ref: ${{ steps.determine_branch_ref.outputs.original_branch_ref }} | |
| - name: Set up Java 21 | |
| uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # 5.0.0 | |
| with: | |
| java-version: 21 | |
| distribution: temurin | |
| # https://github.com/actions/cache/blob/main/examples.md#java---maven | |
| - name: Cache local Maven repository | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # 4.3.0 | |
| with: | |
| path: ~/.m2/repository | |
| # use a different key than workflows running untrusted code | |
| key: trusted-${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: | | |
| trusted-${{ runner.os }}-maven- | |
| - name: Set up Maven | |
| run: ./mvnw -v | |
| - name: Download GitHub Actions artifacts for the Develocity build scans | |
| id: downloadBuildScan | |
| uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # 5.0.0 | |
| with: | |
| pattern: build-scan-data-* | |
| github-token: ${{ github.token }} | |
| repository: ${{ github.repository }} | |
| run-id: ${{ github.event.workflow_run.id }} | |
| path: /tmp/downloaded-build-scan-data/ | |
| # Don't fail the build if there are no matching artifacts | |
| continue-on-error: true | |
| - name: Publish Develocity build scans for previous builds | |
| if: ${{ steps.downloadBuildScan.outcome != 'failure'}} | |
| run: | | |
| shopt -s nullglob # Don't run the loop below if there are no artifacts | |
| status=0 | |
| mkdir -p ~/.m2/.develocity/ | |
| for build_scan_data_directory in /tmp/downloaded-build-scan-data/* | |
| do | |
| rm -rf ~/.m2/.develocity/build-scan-data | |
| mv "$build_scan_data_directory" ~/.m2/.develocity/build-scan-data \ | |
| && ./mvnw $MAVEN_ARGS develocity:build-scan-publish-previous || status=1 | |
| done | |
| exit $status | |
| env: | |
| DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY_PR }} |