diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index db2988192b..eaef3f8725 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,7 +8,7 @@ on: branches: - 'main' -permissions: {} # none +permissions: { } # none # See https://github.com/hibernate/hibernate-orm/pull/4615 for a description of the behavior we're getting. concurrency: @@ -41,10 +41,10 @@ jobs: - rdbms: db2 - rdbms: mssql - rdbms: sybase -# Running with CockroachDB requires at least 2-4 vCPUs, which we don't have on GH Actions runners -# - rdbms: cockroachdb -# Running with HANA requires at least 8GB memory just for the database, which we don't have on GH Actions runners -# - rdbms: hana + # Running with CockroachDB requires at least 2-4 vCPUs, which we don't have on GH Actions runners + # - rdbms: cockroachdb + # Running with HANA requires at least 8GB memory just for the database, which we don't have on GH Actions runners + # - rdbms: hana steps: - uses: actions/checkout@v4 with: @@ -141,7 +141,7 @@ jobs: contents: read name: GraalVM 21 - ${{matrix.rdbms}} # runs-on: ubuntu-latest - runs-on: [self-hosted, Linux, X64, OCI] + runs-on: [ self-hosted, Linux, X64, OCI ] strategy: fail-fast: false matrix: 
@@ -233,5 +233,94 @@ jobs:
 name: test-reports-java11-${{ matrix.rdbms }}
 path: |
 ./**/target/reports/tests/
+ - name: Omit produced artifacts from build cache
+ run: ./ci/before-cache.sh
+
+ # Static code analysis check
+ format_checks:
+ permissions:
+ contents: read
+ name: Static code analysis
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - name: Reclaim disk space and sanitize user home
+ run: .github/ci-prerequisites-atlas.sh
+ - name: Set up Java 17
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin'
+ java-version: '17'
+
+ - name: Generate cache key
+ id: cache-key
+ run: |
+ CURRENT_BRANCH="${{ github.repository != 'hibernate/hibernate-orm' && 'fork' || github.base_ref || github.ref_name }}"
+ CURRENT_MONTH=$(/bin/date -u "+%Y-%m")
+ CURRENT_DAY=$(/bin/date -u "+%d")
+ ROOT_CACHE_KEY="buildtool-cache-atlas"
+ echo "buildtool-monthly-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}" >> $GITHUB_OUTPUT
+ echo "buildtool-monthly-branch-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}" >> $GITHUB_OUTPUT
+ echo "buildtool-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}-${CURRENT_DAY}" >> $GITHUB_OUTPUT
+ - name: Cache Maven/Gradle Dependency/Dist Caches
+ id: cache-maven
+ uses: actions/cache@v4
+ # if it's not a pull request, we restore and save the cache
+ if: github.event_name != 'pull_request'
+ with:
+ path: |
+ ~/.m2/repository/
+ ~/.m2/wrapper/
+ ~/.gradle/caches/modules-2
+ ~/.gradle/wrapper/
+ # A new cache will be stored daily. After that first store of the day, cache save actions will fail because the cache is immutable but it's not a problem.
+ # The whole cache is dropped monthly to prevent unlimited growth.
+ # The cache is per branch but in case we don't find a branch for a given branch, we will get a cache from another branch.
+ key: ${{ steps.cache-key.outputs.buildtool-cache-key }}
+ restore-keys: |
+ ${{ steps.cache-key.outputs.buildtool-monthly-branch-cache-key }}-
+ ${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}-
+ - name: Restore Maven/Gradle Dependency/Dist Caches
+ uses: actions/cache/restore@v4
+ # if it a pull request, we restore the cache but we don't save it
+ if: github.event_name == 'pull_request'
+ with:
+ path: |
+ ~/.m2/repository/
+ ~/.m2/wrapper/
+ ~/.gradle/caches/modules-2
+ ~/.gradle/wrapper/
+ key: ${{ steps.cache-key.outputs.buildtool-cache-key }}
+ restore-keys: |
+ ${{ steps.cache-key.outputs.buildtool-monthly-branch-cache-key }}-
+ ${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}-
+
+ - name: Run build script
+ run: ./gradlew formatChecks
+ env:
+ # For jobs running on 'push', publish build scan and cache immediately.
+ # This won't work for pull requests, since they don't have access to secrets.
+ POPULATE_REMOTE_GRADLE_CACHE: ${{ github.event_name == 'push' && github.repository == 'hibernate/hibernate-orm' && 'true' || 'false' }}
+ DEVELOCITY_ACCESS_KEY: "${{ secrets.DEVELOCITY_ACCESS_KEY }}"
+
+ # For jobs running on 'pull_request', upload build scan data.
+ # The actual publishing must be done in a separate job (see ci-report.yml).
+ # We don't write to the remote cache as that would be unsafe.
+ - name: Upload GitHub Actions artifact for the Develocity build scan
+ uses: actions/upload-artifact@v4
+ if: "${{ github.event_name == 'pull_request' && !cancelled() }}"
+ with:
+ name: build-scan-data-sca
+ path: ~/.gradle/build-scan-data
+
+ - name: Upload test reports (if Gradle failed)
+ uses: actions/upload-artifact@v4
+ if: failure()
+ with:
+ name: test-reports-java11-sca
+ path: |
+ ./**/target/reports/tests/
 - name: Omit produced artifacts from build cache
 run: ./ci/before-cache.sh
\ No newline at end of file
diff --git a/ci/build.sh b/ci/build.sh
index deba1eb221..a9716a03a1 100755
--- a/ci/build.sh
+++ b/ci/build.sh
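Review bot: In the `Generate cache key` step the expression ending in `github.base_ref || github.ref_name` is expanded straight into the `run:` script, so a branch name becomes part of the shell source before bash parses it. Who can set that name depends on the workflow triggers, which are only partly visible in this diff, so the script should not rely on the value being harmless. Pass it through the environment instead: add `env:` with `CURRENT_BRANCH: ${{ github.repository != 'hibernate/hibernate-orm' && 'fork' || github.base_ref || github.ref_name }}` to the step, delete the `CURRENT_BRANCH="${{ … }}"` assignment from the script, and quote `"$GITHUB_OUTPUT"` in the three `echo` lines while there. Separately, `Upload test reports (if Gradle failed)` looks copied from the test jobs: `formatChecks` only depends on `spotlessCheck` and `enforceRules` in the Gradle part of this change, so `./**/target/reports/tests/` will probably match nothing and the `test-reports-java11-sca` name is misleading.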
@@ -82,4 +82,4 @@ function logAndExec() { exec "${@}" } -logAndExec ./gradlew check ${goal} "${@}" -Plog-test-progress=true --stacktrace +logAndExec ./gradlew ciCheck ${goal} "${@}" -Plog-test-progress=true --stacktrace diff --git a/gradle/java-module.gradle b/gradle/java-module.gradle index 3cb648efaf..cacd9ef43f 100644 --- a/gradle/java-module.gradle +++ b/gradle/java-module.gradle @@ -447,7 +447,7 @@ tasks.copyResourcesToIntelliJOutFolder.mustRunAfter processTestResources // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ // Report configs -task enforceRules { +tasks.register('enforceRules') { doLast { def illegalImport = ~/^import (sun|java.awt|org.slf4j)/ def missingNewline = ~/^\s*}\s*(else|catch|finally)/ @@ -512,8 +512,34 @@ spotless { } } -tasks.spotlessApply.dependsOn enforceRules +tasks.check.dependsOn enforceRules +tasks.register( "ciCheck" ) { + // Task used by CI builds + group "verification" + description "Checks for CI environments" + dependsOn tasks.check + + // These are already enforced by the formatChecks task + spotlessApply { + enabled = false + } + spotlessJavaApply { + enabled = false + } + enforceRules { + enabled = false + } +} + +tasks.register( "formatChecks" ) { + // Only runs static code analysis, doesn't require compilation + group "verification" + description "Code style and formatting checks" + + dependsOn tasks.spotlessCheck + dependsOn tasks.enforceRules +} class CompilerStubsArgumentProvider implements CommandLineArgumentProvider {
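Review bot: Switching this call from `check` to `ciCheck` means every build that goes through ci/build.sh stops running spotless and `enforceRules`, because the `ciCheck` task registered in gradle/java-module.gradle sets `enabled = false` on `spotlessApply`, `spotlessJavaApply` and `enforceRules`. Those gates now run only where `./gradlew formatChecks` is invoked, which in this diff is the new `format_checks` job in .github/workflows/ci.yml; any other pipeline that calls build.sh (none is visible here, so this is an assumption to confirm) would silently lose the illegal-import and formatting checks. The disabled flags also apply to the whole invocation, so a caller passing `formatChecks` through `"${@}"` alongside `ciCheck` would presumably get a skipped `enforceRules` rather than a failing one. A comment above the call would make the split explicit, for example `# ciCheck skips spotless/enforceRules; they are enforced separately by './gradlew formatChecks' (format_checks job in ci.yml)`. The script body starts outside the hunk.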