Skip to content
Build

ci(GitHub): Bump step-security/harden-runner #648

Sign in to view logs

ci(GitHub): Bump step-security/harden-runner

ci(GitHub): Bump step-security/harden-runner #648

Workflow file for this run

.github/workflows/build.yml at 5c663f4
name: Build
on:
pull_request:
paths-ignore:
- '**-check.yml'
- '**-submission.yml'
- '**-validation.yml'
- '**.*ignore'
- '**.md'
- '**.txt'
- '**benchmark.yml'
- '**dependabot.yml'
push:
paths-ignore:
- '**-check.yml'
- '**-submission.yml'
- '**-validation.yml'
- '**.*ignore'
- '**.md'
- '**.txt'
- '**benchmark.yml'
- '**dependabot.yml'
env:
CI: true
BUILD_NUMBER: ${{ github.run_number }}
SCM_TAG: ${{ github.sha }}
GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
GRADLE_OPTS: "\
-Dorg.gradle.configuration-cache=false \
-Dorg.gradle.vfs.watch=false \
-Dorg.gradle.unsafe.watch-fs=false \
"
jobs:
os-checks:
strategy:
fail-fast: false
matrix:
java: [ '17' ]
os: [ 'macos-latest', 'windows-latest', 'ubuntu-latest' ]
name: 'Test on ${{ matrix.os }} JDK ${{ matrix.java }}'
timeout-minutes: 55
runs-on: ${{ matrix.os }}
if: ${{ !contains(github.event.head_commit.message, 'ci skip') }}
steps:
- name: Harden Runner
if: matrix.os == 'ubuntu-latest'
uses: step-security/harden-runner@6d3c2fe731c8f225990c8018cb71c337c0d9dfcd
with:
disable-sudo: true
egress-policy: audit
- name: Checkout
uses: actions/checkout@v4
- name: 'Set up JDK ${{ matrix.java }}'
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: '${{ matrix.java }}'
- name: 'Set up NodeJS 18 (LTS)'
if: matrix.os != 'windows-latest'
uses: actions/setup-node@v3
with:
node-version: 18
- name: 'Cache Konan (Kotlin/Native compiler)'
timeout-minutes: 6
uses: actions/cache@v3
continue-on-error: true
with:
path: |
~/.konan
/Users/runner/.konan
key: ${{ runner.os }}-konan-${{ hashFiles('**/*.versions.toml') }}
restore-keys: |
${{ runner.os }}-konan-${{ hashFiles('**/*.versions.toml') }}
${{ runner.os }}-konan-
- name: Setup Gradle
uses: gradle/gradle-build-action@v2
with:
gradle-home-cache-cleanup: true
cache-read-only: ${{ (github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev') || matrix.java != '17' }}
- name: 'Build and check on ${{ matrix.os }} (complete, non-release)'
id: check
if: matrix.os != 'windows-latest'
timeout-minutes: 50
run: ./gradlew build assemble check --stacktrace --continue --scan
- name: 'Build and check on ${{ matrix.os }} (split_targets, release)'
if: matrix.os == 'windows-latest'
timeout-minutes: 35
env:
RELEASE: true
run: ./gradlew build assemble check -Dsplit_targets --stacktrace --continue --scan --no-daemon
- name: "Add build scan URL as PR comment"
uses: actions/github-script@v6
if: github.event_name == 'pull_request' && failure()
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: '❌ ${{ github.workflow }} failed: ${{ steps.gradle.outputs.build-scan-url }}'
})
- name: Summary
if: success() || failure()
continue-on-error: true
run: ./.github/workflows/summary.main.kts >> $GITHUB_STEP_SUMMARY
shell: bash
- name: Upload code coverage
if: (success() || failure()) && !contains(github.event.head_commit.message, 'coverage skip')
uses: codecov/codecov-action@v3
env:
OS: ${{ matrix.os }}
JAVA_VERSION: ${{ matrix.java }}
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: ./build/reports/kover-merged-report.xml
env_vars: OS,JAVA_VERSION
flags: 'unit-tests,${{ matrix.os }}'
name: 'codecov-${{ matrix.os }}'
move_coverage_to_trash: true
fail_ci_if_error: false
- name: Upload reports
if: success() || failure()
uses: actions/upload-artifact@v3
continue-on-error: true
with:
name: 'reports-${{ matrix.os }}'
path: |
**/build/reports/
!**/build/reports/configuration-cache/
!**/build/reports/dependency-analysis/
- name: Upload merged sarif (Lint)
if: (success() || failure()) && matrix.os == 'macos-latest'
&& (github.event_name == 'pull_request' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev')
uses: github/codeql-action/upload-sarif@v2
continue-on-error: true
with:
sarif_file: build/lint-merged.sarif
category: lint
- name: Upload merged sarif (Detekt)
if: (success() || failure()) && matrix.os == 'macos-latest'
&& (github.event_name == 'pull_request' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev')
uses: github/codeql-action/upload-sarif@v2
continue-on-error: true
with:
sarif_file: build/detekt-merged.sarif
category: detekt
- name: Publish JUnit test results as a pull request check
if: (success() || failure()) && matrix.os == 'macos-latest'
&& github.repository == 'fluxo-kt/fluxo' && github.ref == 'refs/heads/main'
uses: mikepenz/action-junit-report@v4
with:
report_paths: '**/build/test-results/*/TEST-*.xml'
- name: 'Check release API and publish SNAPSHOT'
id: snapshot
if: matrix.os == 'macos-latest' && matrix.java == '17'
&& steps.check.outcome == 'success'
&& github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'fluxo-kt/fluxo'
env:
OSSRH_USER: ${{ secrets.OSSRH_USER }}
OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
RELEASE: true
run: ./gradlew apiCheck androidApiCheck publish -DDISABLE_TESTS --rerun-tasks --stacktrace --scan
- name: 'Check release API on ${{ matrix.os }}'
if: matrix.os != 'windows-latest' && steps.snapshot.outcome == 'skipped'
env:
RELEASE: true
run: ./gradlew apiCheck androidApiCheck --stacktrace --scan