# The main CI of Hibernate ORM is https://ci.hibernate.org/job/hibernate-orm-pipeline/. # However, Hibernate ORM builds run on GitHub actions regularly # to check that it still works and can be used in GitHub forks. # See https://docs.github.com/en/free-pro-team@latest/actions # for more information about GitHub actions. name: Hibernate ORM build-Atlas on: push: branches: - 'main' # WARNING: Using pull_request_target to access secrets, but we check out the PR head commit. # See checkout action for details. pull_request_target: branches: - 'main' permissions: {} # none # See https://github.com/hibernate/hibernate-orm/pull/4615 for a description of the behavior we're getting. concurrency: # Consider that two builds are in the same concurrency group (cannot run concurrently) # if they use the same workflow and are about the same branch ("ref") or pull request. group: "workflow = ${{ github.workflow }}, ref = ${{ github.event.ref }}, pr = ${{ github.event.pull_request.id }}" # Cancel previous builds in the same concurrency group even if they are in process # for pull requests or pushes to forks (not the upstream repository). cancel-in-progress: ${{ github.event_name == 'pull_request_target' || github.repository != 'hibernate/hibernate-orm' }} jobs: build: permissions: contents: read name: ORM # runs-on: ubuntu-latest runs-on: [self-hosted, Linux, X64, OCI] strategy: fail-fast: false matrix: include: - rdbms: oracle_atps - rdbms: oracle_db19c - rdbms: oracle_db21c - rdbms: oracle_db23c steps: - name: Check out commit already pushed to branch if: "! github.event.pull_request.number" uses: actions/checkout@v4 with: persist-credentials: false - name: Check out PR head uses: actions/checkout@v4 if: github.event.pull_request.number with: # WARNING: This is potentially dangerous since we're checking out unreviewed code, # and since we're using the pull_request_target event we can use secrets. # Thus, we must be extra careful to never expose secrets to steps that execute this code, # and to strictly limit our of secrets to those that only pose minor security threats. # This means in particular we won't expose Develocity credentials to the main gradle executions, # but instead will execute gradle a second time just to push build scans to Develocity; # see below. ref: "refs/pull/${{ github.event.pull_request.number }}/head" persist-credentials: false - name: Reclaim Disk Space run: .github/ci-prerequisites.sh - name: Start database env: RDBMS: ${{ matrix.rdbms }} RUNID: ${{ github.run_number }} run: ci/database-start.sh - name: Set up Java 17 uses: graalvm/setup-graalvm@v1 with: distribution: 'graalvm' java-version: '21' - name: Get year/month for cache key id: get-date run: echo "yearmonth=$(/bin/date -u "+%Y-%m")" >> $GITHUB_OUTPUT shell: bash - name: Cache Maven local repository uses: actions/cache@v4 id: cache-maven with: path: | ~/.m2/repository ~/.gradle/caches/ ~/.gradle/wrapper/ # refresh cache every month to avoid unlimited growth key: maven-localrepo-${{ steps.get-date.outputs.yearmonth }} - name: Run build script env: RDBMS: ${{ matrix.rdbms }} RUNID: ${{ github.run_number }} # WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code. # WARNING: As this runs on untrusted nodes, we use the same access key as for PRs: # it has limited access, essentially it can only push build scans. DEVELOCITY_ACCESS_KEY: "${{ github.event_name == 'push' && secrets.GRADLE_ENTERPRISE_ACCESS_KEY_PR || '' }}" run: ./ci/build-github.sh shell: bash - name: Publish Develocity build scan for previous build # Don't fail a build if publishing fails continue-on-error: true if: "${{ !cancelled() && github.event_name == 'pull_request_target' && github.repository == 'hibernate/hibernate-orm' }}" run: | ./gradlew buildScanPublishPrevious env: # WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code. DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY_PR }} - name: Upload test reports (if Gradle failed) uses: actions/upload-artifact@v4 if: failure() with: name: test-reports-java11-${{ matrix.rdbms }} path: | ./**/target/reports/tests/ - name: Omit produced artifacts from build cache run: ./ci/before-cache.sh