From f1361451ba8ec5b3f16279f049855f3bc2f4a3dd Mon Sep 17 00:00:00 2001 From: Cedric Willekens Date: Fri, 24 May 2024 13:27:54 +0200 Subject: [PATCH 1/3] Fix gha smells: - Use fixed version for runs-on argument - Avoid jobs without timeouts - Steps should only perform a single command --- .github/workflows/build.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 50f6b3d0d0..8f76f917f5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -16,8 +16,8 @@ jobs: - java: 21 # Disable Enforcer check which (intentionally) prevents using JDK 21 for building extra-mvn-args: -Denforcer.fail=false - runs-on: ubuntu-latest - + runs-on: ubuntu-22.04 + timeout-minutes: 3 steps: - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - name: "Set up JDK ${{ matrix.java }}" @@ -32,8 +32,8 @@ jobs: native-image-test: name: "GraalVM Native Image test" - runs-on: ubuntu-latest - + runs-on: ubuntu-22.04 + timeout-minutes: 3 steps: - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - name: "Set up GraalVM" @@ -51,8 +51,8 @@ jobs: verify-reproducible-build: name: "Verify reproducible build" - runs-on: ubuntu-latest - + runs-on: ubuntu-22.04 + timeout-minutes: 3 steps: - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - name: "Set up JDK 17" 
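Review bot: Pinning `runs-on: ubuntu-22.04` in the three build.yml hunks fixes the OS release, not the image contents — GitHub refreshes the `ubuntu-22.04` image and the toolchains it bundles on a rolling basis, so this alone does not make the `verify-reproducible-build` job deterministic across runs the way the SHA-pinned `actions/checkout@0ad4b8f…` is. As far as I know the runner label is also not bumped by Dependabot's github-actions updates, so it will go stale silently once the 22.04 image is retired. Record the intent and the maintenance burden next to the label, e.g. `runs-on: ubuntu-22.04  # pinned OS release for stable builds; bump by hand, Dependabot does not track runner labels`, and apply the same comment to the other workflows pinned in this series.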
@@ -65,11 +65,12 @@ jobs: - name: "Verify no plugin issues" run: mvn artifact:check-buildplan --batch-mode --no-transfer-progress - - name: "Verify reproducible build" + - name: "Do clean install of dependencies" # See https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility run: | mvn clean install --batch-mode --no-transfer-progress -Dproguard.skip -DskipTests # Run with `-Dbuildinfo.attach=false`; otherwise `artifact:compare` fails because it creates a `.buildinfo` file which # erroneously references the existing `.buildinfo` file (respectively because it is overwriting it, a file with size 0) # See https://issues.apache.org/jira/browse/MARTIFACT-57 - mvn clean verify artifact:compare --batch-mode --no-transfer-progress -Dproguard.skip -DskipTests -Dbuildinfo.attach=false + - name: "Verify reproducible build" + run: mvn clean verify artifact:compare --batch-mode --no-transfer-progress -Dproguard.skip -DskipTests -Dbuildinfo.attach=false From 1bde0778ba15bfacb82787e144f7c6efed56d548 Mon Sep 17 00:00:00 2001 From: Cedric Willekens Date: Mon, 27 May 2024 14:15:53 +0200 Subject: [PATCH 2/3] Include suggestions from PR: - Increase timeout - Change name for build step - Move documentation closer to run. --- .github/workflows/build.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8f76f917f5..166a8e0b89 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -17,7 +17,7 @@ jobs: # Disable Enforcer check which (intentionally) prevents using JDK 21 for building extra-mvn-args: -Denforcer.fail=false runs-on: ubuntu-22.04 - timeout-minutes: 3 + timeout-minutes: 5 steps: - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - name: "Set up JDK ${{ matrix.java }}" 
@@ -33,7 +33,7 @@ jobs: native-image-test: name: "GraalVM Native Image test" runs-on: ubuntu-22.04 - timeout-minutes: 3 + timeout-minutes: 10 steps: - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - name: "Set up GraalVM" @@ -52,7 +52,7 @@ jobs: verify-reproducible-build: name: "Verify reproducible build" runs-on: ubuntu-22.04 - timeout-minutes: 3 + timeout-minutes: 10 steps: - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - name: "Set up JDK 17" @@ -65,12 +65,12 @@ jobs: - name: "Verify no plugin issues" run: mvn artifact:check-buildplan --batch-mode --no-transfer-progress - - name: "Do clean install of dependencies" # See https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility - run: | - mvn clean install --batch-mode --no-transfer-progress -Dproguard.skip -DskipTests - # Run with `-Dbuildinfo.attach=false`; otherwise `artifact:compare` fails because it creates a `.buildinfo` file which - # erroneously references the existing `.buildinfo` file (respectively because it is overwriting it, a file with size 0) - # See https://issues.apache.org/jira/browse/MARTIFACT-57 + - name: "Build project" + run: mvn clean install --batch-mode --no-transfer-progress -Dproguard.skip -DskipTests + - name: "Verify reproducible build" + # Run with `-Dbuildinfo.attach=false`; otherwise `artifact:compare` fails because it creates a `.buildinfo` file which + # erroneously references the existing `.buildinfo` file (respectively because it is overwriting it, a file with size 0) + # See https://issues.apache.org/jira/browse/MARTIFACT-57 run: mvn clean verify artifact:compare --batch-mode --no-transfer-progress -Dproguard.skip -DskipTests -Dbuildinfo.attach=false From 2b20b0b56946043e69f733209127e29cb6069171 Mon Sep 17 00:00:00 2001 
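Review bot: The `@@ -65,12 +65,12 @@` hunk drops the link to the Maven reproducible-builds guide that the previous commit attached to the first step (`# See https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility`), even though the commit message says documentation was moved, not removed. The new name `"Build project"` also hides that this `install` is the reference build that the next step's `artifact:compare` checks against, so a reader could reorder or drop it. Restore the link and state the dependency, e.g. above the step: `# Reference build: installs artifacts into the local repository so the next step can rebuild and compare against them.` followed by the guide link; the `-Dbuildinfo.attach=false` explanation on the second step is fine as moved.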
From: Cedric Willekens Date: Mon, 27 May 2024 14:24:38 +0200 Subject: [PATCH 3/3] Fix gha smells in other workflows as well: - Use fixed version for runs-on argument - Avoid jobs without timeouts - Steps should only perform a single command --- .../workflows/check-android-compatibility.yml | 9 ++++----- .github/workflows/check-api-compatibility.yml | 20 +++++++++---------- .github/workflows/cifuzz.yml | 3 ++- .github/workflows/codeql-analysis.yml | 6 +++--- 4 files changed, 18 insertions(+), 20 deletions(-) diff --git a/.github/workflows/check-android-compatibility.yml b/.github/workflows/check-android-compatibility.yml index 9122d4207c..dfe58681c1 100644 --- a/.github/workflows/check-android-compatibility.yml +++ b/.github/workflows/check-android-compatibility.yml @@ -11,8 +11,8 @@ permissions: jobs: check-android-compatibility: - runs-on: ubuntu-latest - + runs-on: ubuntu-22.04 + timeout-minutes: 5 steps: - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 @@ -24,6 +24,5 @@ jobs: cache: 'maven' - name: Check Android compatibility - run: | - # Run 'test' phase because plugin normally expects to be executed after tests have been compiled - mvn --batch-mode --no-transfer-progress test animal-sniffer:check@check-android-compatibility -DskipTests + # Run 'test' phase because plugin normally expects to be executed after tests have been compiled + run: mvn --batch-mode --no-transfer-progress test animal-sniffer:check@check-android-compatibility -DskipTests diff --git a/.github/workflows/check-api-compatibility.yml b/.github/workflows/check-api-compatibility.yml index 635ed4ef63..b8ce6e9c5c 100644 --- a/.github/workflows/check-api-compatibility.yml +++ b/.github/workflows/check-api-compatibility.yml @@ -6,8 +6,8 @@ on: pull_request jobs: check-api-compatibility: - runs-on: ubuntu-latest - + runs-on: ubuntu-22.04 + timeout-minutes: 5 steps: - name: Checkout old version uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 
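Review bot: No `permissions:` block is visible for check-api-compatibility.yml in the `@@ -6,8 +6,8 @@` hunk — `on: pull_request` is followed directly by `jobs:` and the job starts with `runs-on` — whereas the check-android-compatibility.yml hunk header shows that workflow declares `permissions:`. If the key is not declared somewhere outside this hunk, the job runs with the repository's default `GITHUB_TOKEN` scopes although it only needs to read the checkout and upload an artifact; add `permissions:` / `  contents: read` at the top level so the token cannot write to the repository, matching the sibling workflow. This hunk only changes `runs-on` and adds `timeout-minutes`, so the note concerns the surrounding job definition rather than the diff lines themselves.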
@@ -22,21 +22,19 @@ jobs: java-version: '11' cache: 'maven' - - name: Build old version - run: | - cd gson-old-japicmp - # Set dummy version - mvn --batch-mode --no-transfer-progress org.codehaus.mojo:versions-maven-plugin:2.11.0:set -DnewVersion=JAPICMP-OLD - # Install artifacts with dummy version in local repository; used later by Maven plugin for comparison - mvn --batch-mode --no-transfer-progress install -DskipTests + - name: Set dummy version + working-directory: gson-old-japicmp + run: mvn --batch-mode --no-transfer-progress org.codehaus.mojo:versions-maven-plugin:2.11.0:set -DnewVersion=JAPICMP-OLD + - name: Install artifacts with dummy version + working-directory: gson-old-japicmp + run: mvn --batch-mode --no-transfer-progress install -DskipTests - name: Checkout new version uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - name: Check API compatibility id: check-compatibility - run: | - mvn --batch-mode --fail-at-end --no-transfer-progress package japicmp:cmp -DskipTests + run: mvn --batch-mode --fail-at-end --no-transfer-progress package japicmp:cmp -DskipTests - name: Upload API differences artifacts uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml index 90b709dac2..256313248f 100644 --- a/.github/workflows/cifuzz.yml +++ b/.github/workflows/cifuzz.yml @@ -2,7 +2,8 @@ name: CIFuzz on: [pull_request] jobs: Fuzzing: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 + timeout-minutes: 20 steps: - name: Build Fuzzers id: build diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index daa61677a0..60aec5eda1 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -14,7 +14,8 @@ on: jobs: analyze: name: Analyze - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 + timeout-minutes: 5 permissions: security-events: write 
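Review bot: `timeout-minutes: 5` on the CodeQL `analyze` job (codeql-analysis.yml hunk) is tight: besides the Maven compile the job runs `github/codeql-action/init` and `analyze` outside this hunk, and when the limit is hit the job is cancelled before `analyze` uploads its SARIF, so that commit gets no security scan at all — easy to miss if the job is not a required check. Size it from observed run durations with headroom rather than copying the build jobs' value, e.g. `timeout-minutes: 15`, and treat a timeout here as a scan gap, not just a slow build. The `security-events: write` scope shown in the context is the right minimal permission for the upload; the same duration concern applies to the cifuzz `Fuzzing` job, whose 20-minute limit must cover both the fuzzer build and the `fuzz-seconds` of the run step outside the hunk.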
@@ -46,8 +47,7 @@ jobs: # be that relevant (though GitHub security view also allows filtering by source type) # Can replace this with github/codeql-action/autobuild action to run complete build - name: Compile sources - run: | - mvn compile --batch-mode --no-transfer-progress + run: mvn compile --batch-mode --no-transfer-progress - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3