-
Notifications
You must be signed in to change notification settings - Fork 44
168 lines (139 loc) · 5.59 KB
/
check.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
name: Check
on:
pull_request:
branches:
- '*' # Trigger on all branches for pull requests
# also run workflow to refresh cache
workflow_dispatch: {}
schedule:
# roughly every 6 days
- cron: '0 0 2,6,10,16,22,28 * *'
# env:
# instead of embedded Maven use local Maven CLI
# HALE_BUILD_MAVEN_EMBEDDED: 'false'
jobs:
check:
runs-on: ubuntu-latest
steps:
- name: Setup Maven
uses: s4u/setup-maven-action@2f53a7669c7543a045d0bb6c92436df0c5a726f8 # v1.14.0
with:
java-version: 17
java-distribution: temurin
maven-version: 3.9.6
- name: Clean
run: ./build.sh clean
working-directory: ./build
- name: Test
run: ./build.sh commitStage
working-directory: ./build
- name: Publish Test Report
uses: mikepenz/action-junit-report@db71d41eb79864e25ab0337e395c352e84523afe # v4.3.1
if: always() # always run even if the previous step fails
with:
# fail if there are no test results
require_tests: true
# Workaround for check that is additionally created being associated
# to the wrong workflow/run. Instead no additional check is created.
# See https://github.com/mikepenz/action-junit-report/issues/40
annotate_only: true
detailed_summary: true
report_paths: 'build/target/testReports/*.xml'
# TODO archive logs?
# build/target/testReports/*.out,build/target/testReports/*.err
build:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write # Note: Write permissions cannot be granted from forks (only works for private repos requiring enabling a related setting)
concurrency:
group: artifacts-${{ github.ref }}
cancel-in-progress: true
steps:
- name: Setup Maven
uses: s4u/setup-maven-action@2f53a7669c7543a045d0bb6c92436df0c5a726f8 # v1.14.0
with:
java-version: 17
java-distribution: temurin
maven-version: 3.9.6
- name: Install genisoimage # required for Mac build
run: sudo apt-get install -y genisoimage
- name: Clean
run: ./build.sh clean
working-directory: ./build
- name: Product
run: |
./build.sh product --arch x86_64 --os linux HALE
./build.sh product --arch x86_64 --os windows HALE
./build.sh product --arch x86_64 --os macosx HALE
working-directory: ./build
- name: Upload hale studio build (Linux)
id: upload-linux
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: hale studio (Linux)
path: build/target/hale-studio-*linux*.tar.gz
retention-days: 14
- name: Upload hale studio build (Windows)
id: upload-windows
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: hale studio (Windows)
path: build/target/hale-studio-*win32*.zip
retention-days: 14
- name: Upload hale studio build (macos)
id: upload-macos
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: hale studio (macos)
path: build/target/hale-studio-*macosx*.dmg
retention-days: 14
- name: Find artifact comment if it exists
if: "! github.event.pull_request.head.repo.fork " # Only run with write permissions
uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
id: find-comment
with:
token: ${{ github.token }}
issue-number: ${{github.event.pull_request.number}}
comment-author: github-actions[bot]
body-includes: "hale studio builds for this pull request:"
- name: Comment with links to artifacts
if: "! github.event.pull_request.head.repo.fork " # Only run with write permissions
id: comment-plan
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with:
token: ${{ github.token }}
edit-mode: replace
comment-id: ${{ steps.find-comment.outputs.comment-id }}
issue-number: ${{github.event.pull_request.number}}
body: |
hale studio builds for this pull request:
- [Linux x64](${{ steps.upload-linux.outputs.artifact-url }})
- [Windows x64](${{ steps.upload-windows.outputs.artifact-url }})
- [macos x64](${{ steps.upload-macos.outputs.artifact-url }})
Build triggered for commit *${{ github.sha }}*.
Artifacts are retained for 14 days.
trivy:
needs: [build]
runs-on: ubuntu-latest
steps:
- name: Download hale studio build (Linux)
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: hale studio (Linux)
- name: Extract the archive file
run: |
mkdir -p hale-studio-linux-trivy
tar -xzf hale-studio-*linux*.tar.gz -C hale-studio-linux-trivy
- name: Run Trivy vulnerability scanner in rootfs mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'rootfs'
scan-ref: 'hale-studio-linux-trivy'
format: 'sarif'
severity: 'CRITICAL,HIGH'
output: 'trivy-results.sarif'
- name: Upload Trivy SARIF report
uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
with:
sarif_file: trivy-results.sarif