ci: update all workflows

Signed-off-by: Art Shendrik <[email protected]>
fluxo-kt · Jun 8, 2024 · ebec4bf · ebec4bf
1 parent 0e5a9d4
commit ebec4bf
Show file tree

Hide file tree

Showing 8 changed files with 139 additions and 88 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -10,14 +10,20 @@ on:
       - '**/pr-**.yml'
       - '**/release.yml'
       - '**dependabot.yml'
-  push:
-    # Avoid useless runs.
+    # Avoid useless and/or duplicate runs.
+    # Also, we merge with --ff-only,
+    # so we don't need to run on the merge commit.
     branches-ignore:
       # Dependabot creates both branch and PR. Avoid running twice.
       - 'dependabot/**'
+      - 'dev'
+      - 'feat*/**'
+      - 'fix/**'
+      - 'mr/**'
       - 'pr/**'
       - 'pull/**'
       - 'wip/**'
+  push:
     paths-ignore:
       - '**-validation.yml'
       - '**.*ignore'
@@ -43,9 +49,9 @@ env:
   BUILD_NUMBER: ${{ github.run_number }}
   SCM_TAG: ${{ github.sha }}
   #GRADLE_OPTS: "-Dorg.gradle.daemon=false"
-  GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
   DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS: "^(?!(classpath)).*"
   DEPENDENCY_GRAPH_INCLUDE_PROJECTS: "^:(?!(buildSrc|test|check)).*"
+  IS_DEFAULT_BRANCH: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
 
 jobs:
   buildAndCheck:
@@ -54,56 +60,40 @@ jobs:
       matrix:
         java: [ '17' ]
         os: [ 'macos', 'ubuntu', 'windows' ]
-        # CodeQL supports ['c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift']
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
         language: [ 'java-kotlin' ]
 
     name: 'Build and check on ${{ matrix.os }}'
     timeout-minutes: 25
     runs-on: '${{ matrix.os }}-latest'
     if: ${{ !contains(github.event.head_commit.message, 'ci skip') }}
+    env:
+      GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: false
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         with:
           disable-sudo: true
           egress-policy: audit
 
-      # steps.v.outputs.run_url
-      - id: v
-        if: github.event_name == 'pull_request'
-        run: |
-          echo "run_url=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" >> $GITHUB_OUTPUT
-
       - name: Checkout
         uses: actions/checkout@v4
 
       - name: 'Set up JDK ${{ matrix.java }}'
         uses: actions/setup-java@v4
         with:
-          distribution: 'temurin'
+          distribution: temurin
           java-version: '${{ matrix.java }}'
 
-      - name: 'Cached KMP things (Konan, Node, Yarn, Binaryen)'
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.konan
-            ~/.gradle/yarn
-            ~/.gradle/nodejs
-            ~/.gradle/binaryen
-            hashFiles('**/gradle/libs.versions.toml')
-          key: ${{ runner.os }}-kmp-${{ hashFiles('**/*.gradle.kts', '**/gradle-wrapper.properties', '**/gradle/libs.versions.toml') }}
-          #restore-keys: ${{ runner.os }}-kmp-
-
       - name: Setup Gradle
         uses: gradle/actions/setup-gradle@v3
         with:
-          gradle-version: 8.7
           gradle-home-cache-cleanup: true
-          cache-read-only: ${{ github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' }}
-          dependency-graph: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && 'generate-and-submit' || 'disabled'}}
+          cache-disabled: ${{ matrix.os == 'windows' }} # super slow on Windows.
+          cache-encryption-key: "${{ secrets.GRADLE_ENCRYPTION_KEY }}"
+          cache-read-only: ${{ !env.IS_DEFAULT_BRANCH }}
+          dependency-graph: ${{ env.IS_DEFAULT_BRANCH && 'generate-and-submit' || 'disabled'}}
+          add-job-summary-as-pr-comment: on-failure
           artifact-retention-days: 1
 
       - name: Initialize CodeQL
@@ -117,30 +107,39 @@ jobs:
         run: ./gradlew build assemble check --continue --stacktrace --scan
 
       - name: Upload sarif report (Detekt)
-        if: (success() || failure()) &&
-          (github.event_name == 'pull_request' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev')
+        if: always() && (github.event_name == 'pull_request' || env.IS_DEFAULT_BRANCH)
         uses: github/codeql-action/upload-sarif@v3
         continue-on-error: true
         with:
           sarif_file: build/detekt-merged.sarif
           category: detekt
 
-      - name: 'Check "latest" setup example'
+      - name: Upload sarif report (Lint)
+        if: always() && (github.event_name == 'pull_request' || env.IS_DEFAULT_BRANCH)
+        uses: github/codeql-action/upload-sarif@v3
+        continue-on-error: true
+        with:
+          sarif_file: build/lint-merged.sarif
+          category: lint
+
+      - name: Run check-latest
+        if: always()
         timeout-minutes: 10
         working-directory: checks/latest
         run: ./gradlew check --continue --stacktrace --scan
         env:
           GITHUB_DEPENDENCY_GRAPH_ENABLED: false
 
-      - name: 'Check "js-only" setup example'
+      - name: Run check-js-only
+        if: always()
         timeout-minutes: 10
         working-directory: checks/js-only
         run: ./gradlew check --continue --stacktrace --scan
         env:
           GITHUB_DEPENDENCY_GRAPH_ENABLED: false
 
       - name: Upload the build report
-        if: success() || failure()
+        if: always()
         uses: actions/upload-artifact@v4
         with:
           name: '${{ matrix.os }}-build-report'
@@ -162,11 +161,14 @@ jobs:
         uses: actions/github-script@v7
         if: github.event_name == 'pull_request' && failure()
         env:
-          GITHUB_ACTION_RUN_URL: '${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}'
+          OS: ${{ matrix.os }}
+          GH_WORKFLOW: ${{ github.workflow }}
+          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
+            const { OS, GH_WORKFLOW, RUN_URL } = process.env
             github.rest.issues.createComment({
               issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo,
-              body: '❌ ${{ github.workflow }} [failed](${{ steps.v.outputs.run_url }}) on ${{ matrix.os }}.'
+              body: `❌ ${GH_WORKFLOW} [failed](${RUN_URL}) on ${OS}.`,
             })
diff --git a/.github/workflows/clear_cache.yml b/.github/workflows/clear_cache.yml
@@ -0,0 +1,33 @@
+name: Clear cache
+
+on:
+  workflow_dispatch:
+
+permissions:
+  actions: write
+
+jobs:
+  clear-cache:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clear cache
+        uses: actions/github-script@v7
+        continue-on-error: true
+        with:
+          script: |
+            console.log("About to clear all GitHub Actions caches")
+            const owner = context.repo.owner
+            const repo = context.repo.repo
+            const caches = await github.rest.actions.getActionsCacheList({
+              owner: owner,
+              repo: repo,
+            })
+            for (const cache of caches.data.actions_caches) {
+              await github.rest.actions.deleteActionsCacheById({
+                owner: owner,
+                repo: repo,
+                cache_id: cache.id,
+              })
+              console.log(`cleaned cache "${cache.key}"`)
+            }
+            console.log("Clear completed")
diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml
@@ -26,7 +26,7 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -37,4 +37,4 @@ jobs:
             services.gradle.org:443
 
       - uses: actions/checkout@v4
-      - uses: gradle/wrapper-validation-action@v2
+      - uses: gradle/wrapper-validation-action@v3
diff --git a/.github/workflows/pr-baseline.yml b/.github/workflows/pr-baseline.yml
@@ -20,19 +20,16 @@ jobs:
     concurrency:
       group: '${{ github.workflow }}-${{ github.ref }}'
       cancel-in-progress: true
+    env:
+      RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         with:
           disable-sudo: true
           egress-policy: audit
 
-      # steps.v.outputs.run_url
-      - id: v
-        run: |
-          echo "run_url=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" >> $GITHUB_OUTPUT
-
       # Verify that the PR is from Dependabot
       - uses: dependabot/fetch-metadata@v2
         with:
@@ -44,11 +41,12 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
+            const { RUN_URL } = process.env
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,
-              body: '🔄 Baseline update [started](${{ steps.v.outputs.run_url }})...'
+              body: `🔄 Baseline update [started](${RUN_URL})...`
             })
 
       - uses: actions/checkout@v4
@@ -58,15 +56,20 @@ jobs:
           # Checkout pull request HEAD commit instead of merge commit.
           ref: ${{ github.event.pull_request.head.sha }}
 
-      - uses: actions/setup-java@v4
+      - name: Set up JDK
+        uses: actions/setup-java@v4
         with:
           distribution: temurin
-          java-version: 21
+          java-version: 22
 
-      - uses: gradle/actions/setup-gradle@v3
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v3
+        with:
+          cache-disabled: true
+          cache-read-only: true
 
-      - name: Baseline
-        run: ./baseline
+      - name: Update baseline
+        run: ./updateBaseline
 
       - name: Setup GIT
         run: |
@@ -92,6 +95,8 @@ jobs:
           git add -v .
 
       - name: Commit amend and push
+        env:
+          GITHUB_HEAD_REF: ${{ github.head_ref }}
         run: |
           if [ -n "$(git diff --name-only --cached)" ]; then
             # Show what's available.
@@ -104,7 +109,7 @@ jobs:
             git log -n 3 --pretty=format:"%h - %an, %ar : %s"
 
             # Push changes back to branch
-            git push --force -v origin HEAD:refs/heads/${{ github.head_ref }}
+            git push --force -v origin "HEAD:refs/heads/${GITHUB_HEAD_REF}"
           else
             echo "No changes needed."
           fi
@@ -115,16 +120,18 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
+            const { RUN_URL } = process.env
             github.rest.issues.createComment({
               issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo,
-              body: '✅ Baseline [updated](${{ steps.v.outputs.run_url }}).'
+              body: `✅ Baseline [updated](${RUN_URL}).`
             })
       - uses: actions/github-script@v7
         if: failure()
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
+            const { RUN_URL } = process.env
             github.rest.issues.createComment({
               issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo,
-              body: '❌ Baseline update [failed](${{ steps.v.outputs.run_url }})!'
+              body: `❌ Baseline update [failed](${RUN_URL})!`
             })
diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml
@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         with:
           disable-sudo: true
           egress-policy: block

diff --git a/.github/workflows/pr-clean-cache.yml b/.github/workflows/pr-clean-cache.yml
@@ -10,7 +10,7 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -19,22 +19,22 @@ jobs:
             objects.githubusercontent.com:443
 
       - name: Clean up
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+          BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge
         run: |
           gh extension install actions/gh-actions-cache
 
           echo "Fetching list of cache key"
-          cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH -L 100 | cut -f 1 )
+          cacheKeysForPR=$(gh actions-cache list -R "$REPO" -B "$BRANCH" -L 100 | cut -f 1 )
 
           ## Setting this to not fail the workflow while deleting cache keys.
           set +e
           echo "Deleting caches..."
           for cacheKey in $cacheKeysForPR
           do
-              gh actions-cache delete $cacheKey -R $REPO -B $BRANCH --confirm
+              gh actions-cache delete "$cacheKey" -R "$REPO" -B "$BRANCH" --confirm
               echo " - Deleted cache key: $cacheKey"
           done
           echo "Done"
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          REPO: ${{ github.repository }}
-          BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge
diff --git a/.github/workflows/pr-fast-forward.yml b/.github/workflows/pr-fast-forward.yml
@@ -21,12 +21,12 @@ jobs:
       (github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER')
     runs-on: ubuntu-latest
     concurrency:
-      group: "${{ github.workflow }}-${{ github.ref }}"
+      group: ${{ github.workflow }}-${{ github.ref }}
       cancel-in-progress: false
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
         with:
           disable-sudo: true
           egress-policy: block