127 lines
5.2 KiB
YAML
127 lines
5.2 KiB
YAML
# The main CI of Hibernate ORM is https://ci.hibernate.org/job/hibernate-orm-pipeline/.
|
|
# However, Hibernate ORM builds run on GitHub actions regularly
|
|
# to check that it still works and can be used in GitHub forks.
|
|
# See https://docs.github.com/en/free-pro-team@latest/actions
|
|
# for more information about GitHub actions.
|
|
|
|
name: Hibernate ORM build
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- 'main'
|
|
# WARNING: Using pull_request_target to access secrets, but we check out the PR head commit.
|
|
# See checkout action for details.
|
|
pull_request_target:
|
|
branches:
|
|
- 'main'
|
|
|
|
permissions: {} # none
|
|
|
|
# See https://github.com/hibernate/hibernate-orm/pull/4615 for a description of the behavior we're getting.
|
|
concurrency:
|
|
# Consider that two builds are in the same concurrency group (cannot run concurrently)
|
|
# if they use the same workflow and are about the same branch ("ref") or pull request.
|
|
group: "workflow = ${{ github.workflow }}, ref = ${{ github.event.ref }}, pr = ${{ github.event.pull_request.id }}"
|
|
# Cancel previous builds in the same concurrency group even if they are in process
|
|
# for pull requests or pushes to forks (not the upstream repository).
|
|
cancel-in-progress: ${{ github.event_name == 'pull_request_target' || github.repository != 'hibernate/hibernate-orm' }}
|
|
|
|
jobs:
|
|
build:
|
|
permissions:
|
|
contents: read
|
|
name: Java 17
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- rdbms: h2
|
|
- rdbms: hsqldb
|
|
- rdbms: derby
|
|
- rdbms: mysql
|
|
- rdbms: mariadb
|
|
- rdbms: postgresql
|
|
- rdbms: edb
|
|
- rdbms: oracle
|
|
- rdbms: db2
|
|
- rdbms: mssql
|
|
- rdbms: sybase
|
|
# Running with CockroachDB requires at least 2-4 vCPUs, which we don't have on GH Actions runners
|
|
# - rdbms: cockroachdb
|
|
# Running with HANA requires at least 8GB memory just for the database, which we don't have on GH Actions runners
|
|
# - rdbms: hana
|
|
steps:
|
|
- name: Check out commit already pushed to branch
|
|
if: "! github.event.pull_request.number"
|
|
uses: actions/checkout@v4
|
|
with:
|
|
persist-credentials: false
|
|
- name: Check out PR head
|
|
uses: actions/checkout@v4
|
|
if: github.event.pull_request.number
|
|
with:
|
|
# WARNING: This is potentially dangerous since we're checking out unreviewed code,
|
|
# and since we're using the pull_request_target event we can use secrets.
|
|
# Thus, we must be extra careful to never expose secrets to steps that execute this code,
|
|
# and to strictly limit our of secrets to those that only pose minor security threats.
|
|
# This means in particular we won't expose Develocity credentials to the main gradle executions,
|
|
# but instead will execute gradle a second time just to push build scans to Develocity;
|
|
# see below.
|
|
ref: "refs/pull/${{ github.event.pull_request.number }}/head"
|
|
persist-credentials: false
|
|
- name: Reclaim Disk Space
|
|
run: .github/ci-prerequisites.sh
|
|
- name: Start database
|
|
env:
|
|
RDBMS: ${{ matrix.rdbms }}
|
|
run: ci/database-start.sh
|
|
- name: Set up Java 17
|
|
uses: actions/setup-java@v4
|
|
with:
|
|
distribution: 'temurin'
|
|
java-version: '17'
|
|
- name: Get year/month for cache key
|
|
id: get-date
|
|
run: echo "yearmonth=$(/bin/date -u "+%Y-%m")" >> $GITHUB_OUTPUT
|
|
shell: bash
|
|
- name: Cache Maven local repository
|
|
uses: actions/cache@v4
|
|
id: cache-maven
|
|
with:
|
|
path: |
|
|
~/.m2/repository
|
|
~/.gradle/caches/
|
|
~/.gradle/wrapper/
|
|
# refresh cache every month to avoid unlimited growth
|
|
key: maven-localrepo-${{ steps.get-date.outputs.yearmonth }}
|
|
- name: Run build script
|
|
env:
|
|
RDBMS: ${{ matrix.rdbms }}
|
|
# Don't populate Develocity cache in pull requests as that's potentially dangerous
|
|
POPULATE_REMOTE_GRADLE_CACHE: "${{ github.event_name == 'push' }}"
|
|
# WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code.
|
|
DEVELOCITY_ACCESS_KEY: "${{ github.event_name == 'push' && secrets.GRADLE_ENTERPRISE_ACCESS_KEY || '' }}"
|
|
run: ./ci/build-github.sh
|
|
shell: bash
|
|
- name: Publish Develocity build scan for previous build (pull request)
|
|
# Don't fail a build if publishing fails
|
|
continue-on-error: true
|
|
if: "${{ !cancelled() && github.event_name == 'pull_request_target' && github.repository == 'hibernate/hibernate-orm' }}"
|
|
run: |
|
|
./gradlew buildScanPublishPrevious
|
|
env:
|
|
# WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code.
|
|
DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY_PR }}
|
|
- name: Upload test reports (if Gradle failed)
|
|
uses: actions/upload-artifact@v4
|
|
if: failure()
|
|
with:
|
|
name: test-reports-java11-${{ matrix.rdbms }}
|
|
path: |
|
|
./**/target/reports/tests/
|
|
./**/target/reports/checkstyle/
|
|
- name: Omit produced artifacts from build cache
|
|
run: ./ci/before-cache.sh
|