# The main CI of Hibernate ORM is https://ci.hibernate.org/job/hibernate-orm-pipeline/.
# However, Hibernate ORM builds run on GitHub actions regularly
# to check that it still works and can be used in GitHub forks.
# See https://docs.github.com/en/free-pro-team@latest/actions
# for more information about GitHub actions.

name: Hibernate ORM build-Atlas

on:
  push:
    branches:
      - 'main'
  # WARNING: Using pull_request_target to access secrets, but we check out the PR head commit.
  # See checkout action for details.
  pull_request_target:
    branches:
      - 'main'

permissions: {} # none

# See https://github.com/hibernate/hibernate-orm/pull/4615 for a description of the behavior we're getting.
concurrency:
  # Consider that two builds are in the same concurrency group (cannot run concurrently)
  # if they use the same workflow and are about the same branch ("ref") or pull request.
  group: "workflow = ${{ github.workflow }}, ref = ${{ github.event.ref }}, pr = ${{ github.event.pull_request.id }}"
  # Cancel previous builds in the same concurrency group even if they are in process
  # for pull requests or pushes to forks (not the upstream repository).
  cancel-in-progress: ${{ github.event_name == 'pull_request_target' || github.repository != 'hibernate/hibernate-orm' }}

jobs:
  build:
    permissions:
      contents: read
    name: ORM
    #    runs-on: ubuntu-latest
    runs-on: [self-hosted, Linux, X64, OCI]
    strategy:
      fail-fast: false
      matrix:
        include:
          - rdbms: oracle_atps
          - rdbms: oracle_db19c
          - rdbms: oracle_db21c
          - rdbms: oracle_db23c
    steps:
      - name: Check out commit already pushed to branch
        if: "! github.event.pull_request.number"
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Check out PR head
        uses: actions/checkout@v4
        if: github.event.pull_request.number
        with:
          # WARNING: This is potentially dangerous since we're checking out unreviewed code,
          # and since we're using the pull_request_target event we can use secrets.
          # Thus, we must be extra careful to never expose secrets to steps that execute this code,
          # and to strictly limit our of secrets to those that only pose minor security threats.
          # This means in particular we won't expose Develocity credentials to the main gradle executions,
          # but instead will execute gradle a second time just to push build scans to Develocity;
          # see below.
          ref: "refs/pull/${{ github.event.pull_request.number }}/head"
          persist-credentials: false
      - name: Reclaim Disk Space
        run: .github/ci-prerequisites.sh
      - name: Start database
        env:
          RDBMS: ${{ matrix.rdbms }}
          RUNID: ${{ github.run_number }}
        run: ci/database-start.sh
      - name: Set up Java 17
        uses: graalvm/setup-graalvm@v1
        with:
          distribution: 'graalvm'
          java-version: '21'
      - name: Get year/month for cache key
        id: get-date
        run: echo "yearmonth=$(/bin/date -u "+%Y-%m")" >> $GITHUB_OUTPUT
        shell: bash
      - name: Cache Maven local repository
        uses: actions/cache@v4
        id: cache-maven
        with:
          path: |
            ~/.m2/repository
            ~/.gradle/caches/
            ~/.gradle/wrapper/
          # refresh cache every month to avoid unlimited growth
          key: maven-localrepo-${{ steps.get-date.outputs.yearmonth }}
      - name: Run build script
        env:
          RDBMS: ${{ matrix.rdbms }}
          RUNID: ${{ github.run_number }}
          # WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code.
          # WARNING: As this runs on untrusted nodes, we use the same access key as for PRs:
          #          it has limited access, essentially it can only push build scans.
          DEVELOCITY_ACCESS_KEY: "${{ github.event_name == 'push' && secrets.GRADLE_ENTERPRISE_ACCESS_KEY_PR || '' }}"
        run: ./ci/build-github.sh
        shell: bash
      - name: Publish Develocity build scan for previous build
        # Don't fail a build if publishing fails
        continue-on-error: true
        if: "${{ !cancelled() && github.event_name == 'pull_request_target' && github.repository == 'hibernate/hibernate-orm' }}"
        run: |
          ./gradlew buildScanPublishPrevious
        env:
          # WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code.
          DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY_PR }}
      - name: Upload test reports (if Gradle failed)
        uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: test-reports-java11-${{ matrix.rdbms }}
          path: |
            ./**/target/reports/tests/
            ./**/target/reports/checkstyle/
      - name: Omit produced artifacts from build cache
        run: ./ci/before-cache.sh