Signed-off-by: Art Shendrik <[email protected]>
Showing
11 changed files
with
640 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
* [email protected] |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
# https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions | ||
name: actionlint | ||
description: ✅ Run actionlint for validating GitHub Actions workflow files. | ||
author: Art Shendrik | ||
branding: | ||
icon: check-circle | ||
color: gray-dark | ||
|
||
inputs: | ||
files: | ||
description: Comma-separated glob pattern list of files to check | ||
required: false | ||
default: '.github/workflows/*.yml, .github/actions/**.yaml' | ||
flags: | ||
description: Extra flags for the actionlint | ||
required: false | ||
default: ${{ null }} | ||
fail-on-error: | ||
description: Fail on error | ||
required: false | ||
default: ${{ true }} | ||
|
||
runs: | ||
using: "composite" | ||
steps: | ||
# https://github.com/marketplace/actions/actionlint | ||
# https://github.com/rhysd/actionlint/releases | ||
# https://github.com/gmazzo/gradle-codeowners-plugin/pull/66/files | ||
- name: actionlint | ||
uses: raven-actions/actionlint@v1 | ||
id: al | ||
with: | ||
fail-on-error: ${{ inputs.fail-on-error }} | ||
files: ${{ inputs.files }} | ||
flags: ${{ inputs.flags }} | ||
|
||
- name: actionlint Summary | ||
continue-on-error: true | ||
shell: bash | ||
env: | ||
AL_VERSION: ${{ steps.al.outputs.version-semver }} | ||
AL_CACHE_HIT: ${{ steps.al.outputs.cache-hit }} | ||
run: | | ||
echo "Used actionlint version $AL_VERSION" | ||
echo "actionlint cache used: $AL_CACHE_HIT" | ||
# Ref: | ||
# https://github.com/gmazzo/gradle-codeowners-plugin/blob/346ed70/.github/actions/setup-host/action.yml (composite action example) | ||
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions |
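Review bot: `uses: raven-actions/actionlint@v1` on the actionlint step resolves a mutable tag, so anything that moves or compromises `v1` runs with the token of every workflow that calls this composite action; the same commit already pins step-security/harden-runner to a full commit SHA with a trailing version comment, and that convention belongs here too: `uses: raven-actions/actionlint@<full-commit-sha> # v1.x`. The github-actions Dependabot ecosystem added in this commit keeps SHA pins current, so the pin does not go stale. Separately, the `files` default lints `.github/actions/**.yaml` while this action file and the workflows in the commit use the `.yml` extension, so the action's own `action.yml` is presumably outside the lint set — consider `.github/actions/**.yml` (or both extensions) and confirm against actionlint's glob handling. The link to the security-hardening guide in the trailing comment is exactly the document that recommends SHA pinning, so the change is consistent with the stated intent.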
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
# To get started with Dependabot version updates, you'll need to specify, which | ||
# package ecosystems to update and where the package manifests are located. | ||
# Documentation for all configuration options: | ||
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates | ||
|
||
version: 2 | ||
updates: | ||
- package-ecosystem: "gradle" | ||
directory: "/" | ||
commit-message: | ||
prefix: "build(deps)" | ||
schedule: | ||
interval: "monthly" | ||
reviewers: | ||
- "amal" | ||
labels: | ||
- "gradle" | ||
- "dependencies" | ||
|
||
- package-ecosystem: "github-actions" | ||
directory: "/" | ||
commit-message: | ||
prefix: "ci(GitHub)" | ||
schedule: | ||
interval: "monthly" | ||
reviewers: | ||
- "amal" | ||
labels: | ||
- "gh-action" | ||
- "dependencies" |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
name: Validate Workflows | ||
|
||
on: | ||
push: | ||
paths: | ||
- '.github/actions/**.yml' | ||
- '.github/workflows/*.yml' | ||
pull_request: | ||
paths: | ||
- '.github/actions/**.yml' | ||
- '.github/workflows/*.yml' | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
actionlint: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 | ||
with: | ||
disable-sudo: true | ||
egress-policy: block | ||
allowed-endpoints: > | ||
api.github.com:443 | ||
files.pythonhosted.org:443 | ||
github.com:443 | ||
objects.githubusercontent.com:443 | ||
pypi.org:443 | ||
raw.githubusercontent.com:443 | ||
registry.npmjs.org:443 | ||
- uses: actions/checkout@v4 | ||
|
||
- uses: ./.github/actions/actionlint |
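Review bot: `- uses: actions/checkout@v4` sits next to a SHA-pinned harden-runner step but is itself only tag-pinned, which undercuts the egress-blocking posture the job otherwise sets up; pin it to a full commit SHA with a version comment like the step above. Since this job only reads the tree and never pushes, it also has no need for the persisted `GITHUB_TOKEN` that checkout writes into `.git/config` by default — `with: persist-credentials: false` keeps the token out of the workspace that the lint action later reads. Both are one-line changes on the checkout step.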
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,184 @@ | ||
name: Build | ||
|
||
on: | ||
pull_request: | ||
paths-ignore: | ||
- '**-validation.yml' | ||
- '**.*ignore' | ||
- '**.md' | ||
- '**.txt' | ||
- '**/actionlint**' | ||
- '**/pr-**.yml' | ||
- '**/release.yml' | ||
- '**dependabot.yml' | ||
# Avoid useless and/or duplicate runs. | ||
# Also, we merge with --ff-only, | ||
# so we don't need to run on the merge commit. | ||
branches-ignore: | ||
# Dependabot creates both branch and PR. Avoid running twice. | ||
- 'dependabot/**' | ||
- 'dev' | ||
- 'feat*/**' | ||
- 'fix/**' | ||
- 'mr/**' | ||
- 'pr/**' | ||
- 'pull/**' | ||
- 'wip/**' | ||
push: | ||
paths-ignore: | ||
- '**-validation.yml' | ||
- '**.*ignore' | ||
- '**.md' | ||
- '**.txt' | ||
- '**/actionlint**' | ||
- '**/pr-**.yml' | ||
- '**/release.yml' | ||
- '**dependabot.yml' | ||
|
||
permissions: | ||
contents: write | ||
# required for all workflows (CodeQL) | ||
security-events: write | ||
# required for workflows in private repositories (CodeQL) | ||
actions: read | ||
# We appear to need write permission for both pull-requests and | ||
# issues to post a comment to a pull request. | ||
pull-requests: write | ||
issues: write | ||
|
||
env: | ||
CI: true | ||
BUILD_NUMBER: ${{ github.run_number }} | ||
SCM_TAG: ${{ github.sha }} | ||
#GRADLE_OPTS: "-Dorg.gradle.daemon=false" | ||
DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS: "^(?!(classpath)).*" | ||
DEPENDENCY_GRAPH_INCLUDE_PROJECTS: "^:(?!(buildSrc|test|check)).*" | ||
IS_DEFAULT_BRANCH: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} | ||
|
||
jobs: | ||
buildAndCheck: | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
java: [ '22' ] | ||
os: [ 'macos', 'windows', 'ubuntu' ] | ||
# CodeQL supports ['c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'] | ||
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support. | ||
language: [ 'java-kotlin' ] | ||
|
||
name: 'Build and check on ${{ matrix.os }}' | ||
timeout-minutes: 30 | ||
runs-on: '${{ matrix.os }}-latest' | ||
if: ${{ !contains(github.event.head_commit.message, 'ci skip') }} | ||
env: | ||
GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: false | ||
|
||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 | ||
with: | ||
disable-sudo: true | ||
egress-policy: audit | ||
|
||
- name: Checkout | ||
uses: actions/checkout@v4 | ||
|
||
- name: 'Set up JDK ${{ matrix.java }}' | ||
uses: actions/setup-java@v4 | ||
with: | ||
distribution: temurin | ||
java-version: '${{ matrix.java }}' | ||
|
||
- name: 'Cached KMP things (Konan, Node, Yarn, Binaryen)' | ||
if: false # Seems slower than without it. | ||
uses: actions/cache@v4 | ||
with: | ||
path: | | ||
~/.konan | ||
~/.gradle/yarn | ||
~/.gradle/nodejs | ||
~/.gradle/binaryen | ||
key: "${{ runner.os }}-kmp-2.0.20" | ||
restore-keys: | | ||
${{ runner.os }}-kmp- | ||
- name: Setup Gradle | ||
uses: gradle/actions/setup-gradle@v3 | ||
with: | ||
gradle-home-cache-cleanup: true | ||
cache-disabled: ${{ matrix.os == 'windows' }} # super slow on Windows. | ||
cache-encryption-key: "${{ secrets.GRADLE_ENCRYPTION_KEY }}" | ||
cache-read-only: ${{ !env.IS_DEFAULT_BRANCH }} | ||
dependency-graph: ${{ env.IS_DEFAULT_BRANCH && 'generate-and-submit' || 'disabled'}} | ||
add-job-summary-as-pr-comment: on-failure | ||
artifact-retention-days: 1 | ||
|
||
# TODO: If it's a "build(deps): ..." commit, then run the dependency review actions, | ||
# amend the `dependencyGuardBaseline` and `kotlinUpgradeYarnLock` task results | ||
|
||
- name: Initialize CodeQL | ||
if: matrix.os == 'ubuntu' | ||
uses: github/codeql-action/init@v3 | ||
with: | ||
languages: ${{ matrix.language }} | ||
# If you wish to specify custom queries, you can do so here or in a config file. | ||
# By default, queries listed here will override any specified in a config file. | ||
# Prefix the list with "+" to use these queries, and those in the config file. | ||
# | ||
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | ||
# queries: security-extended, security-and-quality | ||
|
||
- name: 'Build and check' | ||
timeout-minutes: 18 | ||
run: ./gradlew build assemble check --continue --stacktrace --scan | ||
|
||
- name: Upload sarif report (Detekt) | ||
if: always() && (github.event_name == 'pull_request' || env.IS_DEFAULT_BRANCH) | ||
uses: github/codeql-action/upload-sarif@v3 | ||
continue-on-error: true | ||
with: | ||
sarif_file: build/detekt-merged.sarif | ||
category: detekt | ||
|
||
- name: Upload sarif report (Lint) | ||
if: always() && (github.event_name == 'pull_request' || env.IS_DEFAULT_BRANCH) | ||
uses: github/codeql-action/upload-sarif@v3 | ||
continue-on-error: true | ||
with: | ||
sarif_file: build/lint-merged.sarif | ||
category: lint | ||
|
||
- name: Upload the build report | ||
if: always() | ||
uses: actions/upload-artifact@v4 | ||
with: | ||
name: '${{ matrix.os }}-build-report' | ||
path: | | ||
**/build/logs/ | ||
**/build/reports/ | ||
**/build/output/ | ||
build/*-merged.* | ||
compression-level: 9 | ||
|
||
- name: Perform CodeQL Analysis | ||
if: matrix.os == 'ubuntu' | ||
timeout-minutes: 6 | ||
uses: github/codeql-action/analyze@v3 | ||
with: | ||
category: "/language:${{matrix.language}}" | ||
|
||
- name: "Post result in PR comment" | ||
uses: actions/github-script@v7 | ||
if: github.event_name == 'pull_request' && failure() | ||
env: | ||
OS: ${{ matrix.os }} | ||
GH_WORKFLOW: ${{ github.workflow }} | ||
RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} | ||
with: | ||
github-token: ${{ secrets.GITHUB_TOKEN }} | ||
script: | | ||
const { OS, GH_WORKFLOW, RUN_URL } = process.env | ||
github.rest.issues.createComment({ | ||
issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, | ||
body: `❌ ${GH_WORKFLOW} [failed](${RUN_URL}) on ${OS}.`, | ||
}) |
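Review bot: The workflow-level `permissions` block grants `contents: write`, `pull-requests: write`, `issues: write` and `security-events: write` to the whole `buildAndCheck` job, so every step — including the tag-pinned third-party actions `actions/setup-java@v4`, `gradle/actions/setup-gradle@v3`, `github/codeql-action/*@v3` and `actions/upload-artifact@v4`, plus the Gradle build itself — runs with a token that can push to the repository. From the visible steps, `contents: write` is needed only for `dependency-graph: generate-and-submit`, which is enabled solely on the default branch, and the failure comment presumably needs only `pull-requests: write` (the comment on `issues: write` reads as a guess); moving graph submission to a separate default-branch-only job would let this job drop to `contents: read`, and the third-party actions should be SHA-pinned like harden-runner regardless. In the last step, `github.rest.issues.createComment({...})` is neither awaited nor returned, so a rejected API call surfaces as an unhandled rejection rather than a step failure — write `return github.rest.issues.createComment({` so github-script awaits it.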
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
name: Clear cache | ||
|
||
on: | ||
workflow_dispatch: | ||
|
||
permissions: | ||
actions: write | ||
|
||
jobs: | ||
clear-cache: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Clear cache | ||
uses: actions/github-script@v7 | ||
continue-on-error: true | ||
with: | ||
script: | | ||
console.log("About to clear all GitHub Actions caches") | ||
const owner = context.repo.owner | ||
const repo = context.repo.repo | ||
const caches = await github.rest.actions.getActionsCacheList({ | ||
owner: owner, | ||
repo: repo, | ||
}) | ||
for (const cache of caches.data.actions_caches) { | ||
await github.rest.actions.deleteActionsCacheById({ | ||
owner: owner, | ||
repo: repo, | ||
cache_id: cache.id, | ||
}) | ||
console.log(`cleaned cache "${cache.key}"`) | ||
} | ||
console.log("Clear completed") |
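Review bot: `getActionsCacheList` returns a single page of results (the REST default is 30 entries), so the `for` loop deletes at most 30 caches per dispatch and the "Clear completed" log line is printed even when many remain; use the paginator instead: `const caches = await github.paginate(github.rest.actions.getActionsCacheList, { owner, repo, per_page: 100 })` and iterate with `for (const cache of caches) {`. `continue-on-error: true` on the step also turns any API failure (for example a 403 if the `actions: write` scope is ever narrowed) into a green run, which defeats the purpose of a manually dispatched cleanup — drop it, or catch and report with `core.setFailed(err.message)` so the operator sees that nothing was deleted.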
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
name: Validate Gradle Wrapper | ||
|
||
on: | ||
pull_request: | ||
paths: | ||
- '**/gradle-wrapper-validation.yml' | ||
- '**/gradle/wrapper/' | ||
- '**/gradle-wrapper.jar' | ||
- '**/gradle*.properties' | ||
- '**/gradlew*' | ||
push: | ||
paths: | ||
- '**/gradle-wrapper-validation.yml' | ||
- '**/gradle/wrapper/' | ||
- '**/gradle-wrapper.jar' | ||
- '**/gradle*.properties' | ||
- '**/gradlew*' | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
validation: | ||
name: "Validate Gradle Wrapper" | ||
runs-on: ubuntu-latest | ||
timeout-minutes: 5 | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 | ||
with: | ||
disable-sudo: true | ||
egress-policy: block | ||
allowed-endpoints: > | ||
github.com:443 | ||
downloads.gradle-dn.com:443 | ||
downloads.gradle.org:443 | ||
services.gradle.org:443 | ||
- uses: actions/checkout@v4 | ||
- uses: gradle/wrapper-validation-action@v3 |
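Review bot: The `'**/gradle/wrapper/'` entry in both `paths` lists ends with a slash, and GitHub path filters match file paths, so that pattern presumably never matches anything; `'**/gradle/wrapper/**'` expresses the intent, although the `**/gradle-wrapper.jar` and `**/gradle*.properties` entries already catch the files that matter. `- uses: gradle/wrapper-validation-action@v3` is tag-pinned while harden-runner in the same job is SHA-pinned; a wrapper-validation job exists precisely to detect a tampered `gradle-wrapper.jar`, so the validator itself should be pinned to a full commit SHA with a version comment so it cannot be swapped out underneath the check. Confirm against the action's README whether the current line is still the maintained entry point before pinning.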