Safely publish build scans even for pull requests
This commit is contained in:
parent
e233879fce
commit
6863174a8c
|
@ -10,7 +10,9 @@ on:
|
||||||
push:
|
push:
|
||||||
branches:
|
branches:
|
||||||
- 'main'
|
- 'main'
|
||||||
pull_request:
|
# WARNING: Using pull_request_target to access secrets, but we check out the PR head commit.
|
||||||
|
# See checkout action for details.
|
||||||
|
pull_request_target:
|
||||||
branches:
|
branches:
|
||||||
- 'main'
|
- 'main'
|
||||||
|
|
||||||
|
@ -23,7 +25,7 @@ concurrency:
|
||||||
group: "workflow = ${{ github.workflow }}, ref = ${{ github.event.ref }}, pr = ${{ github.event.pull_request.id }}"
|
group: "workflow = ${{ github.workflow }}, ref = ${{ github.event.ref }}, pr = ${{ github.event.pull_request.id }}"
|
||||||
# Cancel previous builds in the same concurrency group even if they are in process
|
# Cancel previous builds in the same concurrency group even if they are in process
|
||||||
# for pull requests or pushes to forks (not the upstream repository).
|
# for pull requests or pushes to forks (not the upstream repository).
|
||||||
cancel-in-progress: ${{ github.event_name == 'pull_request' || github.repository != 'hibernate/hibernate-orm' }}
|
cancel-in-progress: ${{ github.event_name == 'pull_request_target' || github.repository != 'hibernate/hibernate-orm' }}
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
|
@ -51,9 +53,24 @@ jobs:
|
||||||
# Running with HANA requires at least 8GB memory just for the database, which we don't have on GH Actions runners
|
# Running with HANA requires at least 8GB memory just for the database, which we don't have on GH Actions runners
|
||||||
# - rdbms: hana
|
# - rdbms: hana
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- name: Check out commit already pushed to branch
|
||||||
|
if: "! github.event.pull_request.number"
|
||||||
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
persist-credentials: false
|
persist-credentials: false
|
||||||
|
- name: Check out PR head
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
if: github.event.pull_request.number
|
||||||
|
with:
|
||||||
|
# WARNING: This is potentially dangerous since we're checking out unreviewed code,
|
||||||
|
# and since we're using the pull_request_target event we can use secrets.
|
||||||
|
# Thus, we must be extra careful to never expose secrets to steps that execute this code,
|
||||||
|
# and to strictly limit our of secrets to those that only pose minor security threats.
|
||||||
|
# This means in particular we won't expose Develocity credentials to the main gradle executions,
|
||||||
|
# but instead will execute gradle a second time just to push build scans to Develocity;
|
||||||
|
# see below.
|
||||||
|
ref: "refs/pull/${{ github.event.pull_request.number }}/head"
|
||||||
|
persist-credentials: false
|
||||||
- name: Reclaim Disk Space
|
- name: Reclaim Disk Space
|
||||||
run: .github/ci-prerequisites.sh
|
run: .github/ci-prerequisites.sh
|
||||||
- name: Start database
|
- name: Start database
|
||||||
|
@ -84,9 +101,17 @@ jobs:
|
||||||
RDBMS: ${{ matrix.rdbms }}
|
RDBMS: ${{ matrix.rdbms }}
|
||||||
# Don't populate Develocity cache in pull requests as that's potentially dangerous
|
# Don't populate Develocity cache in pull requests as that's potentially dangerous
|
||||||
POPULATE_REMOTE_GRADLE_CACHE: "${{ github.event_name == 'push' }}"
|
POPULATE_REMOTE_GRADLE_CACHE: "${{ github.event_name == 'push' }}"
|
||||||
GRADLE_ENTERPRISE_ACCESS_KEY: "${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}"
|
# WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code.
|
||||||
|
GRADLE_ENTERPRISE_ACCESS_KEY: "${{ github.event_name == 'push' && secrets.GRADLE_ENTERPRISE_ACCESS_KEY || '' }}"
|
||||||
run: ./ci/build-github.sh
|
run: ./ci/build-github.sh
|
||||||
shell: bash
|
shell: bash
|
||||||
|
- name: Publish Develocity build scan for previous build (pull request)
|
||||||
|
if: "${{ !cancelled() && github.event_name == 'pull_request_target' && github.repository == 'hibernate/hibernate-orm' }}"
|
||||||
|
run: |
|
||||||
|
./gradlew buildScanPublishPrevious
|
||||||
|
env:
|
||||||
|
# WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code.
|
||||||
|
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY_PR }}
|
||||||
- name: Upload test reports (if Gradle failed)
|
- name: Upload test reports (if Gradle failed)
|
||||||
uses: actions/upload-artifact@v4
|
uses: actions/upload-artifact@v4
|
||||||
if: failure()
|
if: failure()
|
||||||
|
|
|
@ -159,28 +159,24 @@ stage('Build') {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
stage('Test') {
|
stage('Test') {
|
||||||
String cmd = "./ci/build.sh ${buildEnv.additionalOptions ?: ''} ${state[buildEnv.tag]['additionalOptions'] ?: ''}"
|
String args = "${buildEnv.additionalOptions ?: ''} ${state[buildEnv.tag]['additionalOptions'] ?: ''}"
|
||||||
withEnv(["RDBMS=${buildEnv.dbName}"]) {
|
withEnv(["RDBMS=${buildEnv.dbName}"]) {
|
||||||
withCredentials([string(credentialsId: helper.scmSource.pullRequest ?
|
|
||||||
'ge.hibernate.org-access-key-pr' : 'ge.hibernate.org-access-key',
|
|
||||||
variable: 'GRADLE_ENTERPRISE_ACCESS_KEY')]) {
|
|
||||||
withGradle { // withDevelocity, actually: https://plugins.jenkins.io/gradle/#plugin-content-capturing-build-scans-from-jenkins-pipeline
|
|
||||||
tryFinally({
|
tryFinally({
|
||||||
if (buildEnv.dbLockableResource == null) {
|
if (buildEnv.dbLockableResource == null) {
|
||||||
withCredentials([file(credentialsId: 'sybase-jconnect-driver', variable: 'jconnect_driver')]) {
|
withCredentials([file(credentialsId: 'sybase-jconnect-driver', variable: 'jconnect_driver')]) {
|
||||||
sh 'cp -f $jconnect_driver ./drivers/jconn4.jar'
|
sh 'cp -f $jconnect_driver ./drivers/jconn4.jar'
|
||||||
timeout( [time: buildEnv.longRunning ? 480 : 120, unit: 'MINUTES'] ) {
|
timeout( [time: buildEnv.longRunning ? 480 : 120, unit: 'MINUTES'] ) {
|
||||||
sh cmd
|
ciBuild buildEnv, args
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
lock(label: buildEnv.dbLockableResource, quantity: 1, variable: 'LOCKED_RESOURCE') {
|
lock(label: buildEnv.dbLockableResource, quantity: 1, variable: 'LOCKED_RESOURCE') {
|
||||||
if ( buildEnv.dbLockResourceAsHost ) {
|
if ( buildEnv.dbLockResourceAsHost ) {
|
||||||
cmd += " -DdbHost=${LOCKED_RESOURCE}"
|
args += " -DdbHost=${LOCKED_RESOURCE}"
|
||||||
}
|
}
|
||||||
timeout( [time: buildEnv.longRunning ? 480 : 120, unit: 'MINUTES'] ) {
|
timeout( [time: buildEnv.longRunning ? 480 : 120, unit: 'MINUTES'] ) {
|
||||||
sh cmd
|
ciBuild buildEnv, args
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -189,8 +185,6 @@ stage('Build') {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
}
|
|
||||||
}, { // Finally
|
}, { // Finally
|
||||||
if ( state[buildEnv.tag]['containerName'] != null ) {
|
if ( state[buildEnv.tag]['containerName'] != null ) {
|
||||||
sh "docker rm -f ${state[buildEnv.tag]['containerName']}"
|
sh "docker rm -f ${state[buildEnv.tag]['containerName']}"
|
||||||
|
@ -239,6 +233,39 @@ void runBuildOnNode(String label, Closure body) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void ciBuild(buildEnv, String args) {
|
||||||
|
if ( !helper.scmSource.pullRequest ) {
|
||||||
|
// Not a PR: we can pass credentials to the build, allowing it to populate the build cache
|
||||||
|
// and to publish build scans directly.
|
||||||
|
|
||||||
|
// On untrusted nodes, we use the same access key as for PRs:
|
||||||
|
// it has limited access, essentially it can only push build scans.
|
||||||
|
def develocityCredentialsId = buildEnv.node ? 'ge.hibernate.org-access-key-pr' : 'ge.hibernate.org-access-key'
|
||||||
|
|
||||||
|
withCredentials([string(credentialsId: develocityCredentialsId,
|
||||||
|
variable: 'GRADLE_ENTERPRISE_ACCESS_KEY')]) {
|
||||||
|
withGradle { // withDevelocity, actually: https://plugins.jenkins.io/gradle/#plugin-content-capturing-build-scans-from-jenkins-pipeline
|
||||||
|
sh "./ci/build.sh $args"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
// Pull request: we can't pass credentials to the build, since we'd be exposing secrets to e.g. tests.
|
||||||
|
// We do the build first, then publish the build scan separately.
|
||||||
|
tryFinally({
|
||||||
|
sh "./ci/build.sh $args"
|
||||||
|
}, { // Finally
|
||||||
|
withCredentials([string(credentialsId: 'ge.hibernate.org-access-key-pr',
|
||||||
|
variable: 'GRADLE_ENTERPRISE_ACCESS_KEY')]) {
|
||||||
|
withGradle { // withDevelocity, actually: https://plugins.jenkins.io/gradle/#plugin-content-capturing-build-scans-from-jenkins-pipeline
|
||||||
|
sh './gradlew buildScanPublishPrevious'
|
||||||
|
}
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
void pruneDockerContainers() {
|
void pruneDockerContainers() {
|
||||||
if ( !sh( script: 'command -v docker || true', returnStdout: true ).trim().isEmpty() ) {
|
if ( !sh( script: 'command -v docker || true', returnStdout: true ).trim().isEmpty() ) {
|
||||||
sh 'docker container prune -f || true'
|
sh 'docker container prune -f || true'
|
||||||
|
|
Loading…
Reference in New Issue