Publish build scans on Atlas builds too

This commit is contained in:
Yoann Rodière 2024-04-02 14:49:17 +02:00
parent 6863174a8c
commit 631beeb1fb
1 changed files with 31 additions and 3 deletions

View File

@ -10,7 +10,9 @@ on:
push:
branches:
- 'main'
pull_request:
# WARNING: Using pull_request_target to access secrets, but we check out the PR head commit.
# See checkout action for details.
pull_request_target:
branches:
- 'main'
@ -23,7 +25,7 @@ concurrency:
group: "workflow = ${{ github.workflow }}, ref = ${{ github.event.ref }}, pr = ${{ github.event.pull_request.id }}"
# Cancel previous builds in the same concurrency group even if they are in process
# for pull requests or pushes to forks (not the upstream repository).
cancel-in-progress: ${{ github.event_name == 'pull_request' || github.repository != 'hibernate/hibernate-orm' }}
cancel-in-progress: ${{ github.event_name == 'pull_request_target' || github.repository != 'hibernate/hibernate-orm' }}
jobs:
build:
@ -41,9 +43,24 @@ jobs:
- rdbms: oracle_db21c
- rdbms: oracle_db23c
steps:
- uses: actions/checkout@v4
- name: Check out commit already pushed to branch
if: "! github.event.pull_request.number"
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Check out PR head
uses: actions/checkout@v4
if: github.event.pull_request.number
with:
# WARNING: This is potentially dangerous since we're checking out unreviewed code,
# and since we're using the pull_request_target event we can use secrets.
# Thus, we must be extra careful to never expose secrets to steps that execute this code,
# and to strictly limit our of secrets to those that only pose minor security threats.
# This means in particular we won't expose Develocity credentials to the main gradle executions,
# but instead will execute gradle a second time just to push build scans to Develocity;
# see below.
ref: "refs/pull/${{ github.event.pull_request.number }}/head"
persist-credentials: false
- name: Reclaim Disk Space
run: .github/ci-prerequisites.sh
- name: Start database
@ -74,8 +91,19 @@ jobs:
env:
RDBMS: ${{ matrix.rdbms }}
RUNID: ${{ github.run_number }}
# WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code.
# WARNING: As this runs on untrusted nodes, we use the same access key as for PRs:
# it has limited access, essentially it can only push build scans.
GRADLE_ENTERPRISE_ACCESS_KEY: "${{ github.event_name == 'push' && secrets.GRADLE_ENTERPRISE_ACCESS_KEY_PR || '' }}"
run: ./ci/build-github.sh
shell: bash
- name: Publish Develocity build scan for previous build
if: "${{ !cancelled() && github.event_name == 'pull_request_target' && github.repository == 'hibernate/hibernate-orm' }}"
run: |
./gradlew buildScanPublishPrevious
env:
# WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code.
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY_PR }}
- name: Upload test reports (if Gradle failed)
uses: actions/upload-artifact@v4
if: failure()