From 3555f90f1a2b87056ee19eaba50d5e6dc4567ae8 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Sat, 4 Feb 2023 12:15:00 +0100 Subject: [PATCH] Add GitHub actions configuration --- .github/workflows/build.yml | 109 ++++++++++++++++++++++++++++++++++++ 1 file changed, 109 insertions(+) create mode 100644 .github/workflows/build.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 00000000..cfd78449 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,109 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: build + +on: + push: + # Avoid workflow run for _merged_ `dependabot` PRs. + # They were (hopefully!) already tested in PR-triggered workflow. + branches-ignore: "dependabot/**" + pull_request: + paths-ignore: + - "**.adoc" + - "**.md" + - "**.txt" + +permissions: + contents: write + pull-requests: write + +jobs: + + build: + + runs-on: ${{ matrix.os }} + + strategy: + matrix: + os: [ macos-latest, ubuntu-latest, windows-latest ] + + steps: + + - name: Checkout repository + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # 3.3.0 + + - name: Setup JDK 11 + uses: actions/setup-java@1df8dbefe2a8cbc99770194893dd902763bee34b # 3.7.0 + with: + distribution: temurin + java-version: 11 + java-package: jdk + architecture: x64 + cache: maven + + # We could have used `verify`, but `clean install` is required while generating the build reproducibility report, which is performed in the next step. + # For details, see: https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility + - name: Build + shell: bash + run: | + ./mvnw \ + --show-version --batch-mode --errors --no-transfer-progress \ + -DtrimStackTrace=false \ + -DinstallAtEnd=true \ + clean install + + # `clean verify artifact:compare` is required to generate the build reproducibility report. + # For details, see: https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility + - name: Report build reproducibility + shell: bash + run: | + ./mvnw \ + --show-version --batch-mode --errors --no-transfer-progress \ + -DskipTests=true \ + clean verify artifact:compare + + - name: Verify build reproducibility + shell: bash + run: | + for report_file in target/*.buildcompare **/target/*.buildcompare; do + if ! grep -q "^ko=0$" "$report_file"; then + echo "Spotted build reproducibility failure in \`$report_file\`:" + cat "$report_file" + exit 1 + fi + done + + merge: + + runs-on: ubuntu-latest + needs: build + + steps: + + - name: "[dependabot] Fetch metadata" + id: metadata + if: github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' + uses: dependabot/fetch-metadata@v1.3.5 + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" + + - name: "[dependabot] Auto-merge the PR" + if: github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' + run: gh pr merge --auto --squash "$PR_URL" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +