build(deps): bump bouncycastle from 1.78.1 to 1.79 #470
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| pull_request: | |
| paths-ignore: | |
| - '**-validation.yml' | |
| - '**.*ignore' | |
| - '**.md' | |
| - '**.txt' | |
| - '**/actionlint**' | |
| - '**/pr-**.yml' | |
| - '**/release.yml' | |
| - '**dependabot.yml' | |
| # Avoid useless and/or duplicate runs. | |
| # Also, we merge with --ff-only, | |
| # so we don't need to run on the merge commit. | |
| branches-ignore: | |
| # Dependabot creates both branch and PR. Avoid running twice. | |
| - 'dependabot/**' | |
| - 'dev' | |
| - 'feat*/**' | |
| - 'fix/**' | |
| - 'mr/**' | |
| - 'pr/**' | |
| - 'pull/**' | |
| - 'wip/**' | |
| push: | |
| paths-ignore: | |
| - '**-validation.yml' | |
| - '**.*ignore' | |
| - '**.md' | |
| - '**.txt' | |
| - '**/actionlint**' | |
| - '**/pr-**.yml' | |
| - '**/release.yml' | |
| - '**dependabot.yml' | |
| permissions: | |
| contents: write | |
| # required for all workflows (CodeQL) | |
| security-events: write | |
| # required for workflows in private repositories (CodeQL) | |
| actions: read | |
| # We appear to need write permission for both pull-requests and | |
| # issues to post a comment to a pull request. | |
| pull-requests: write | |
| issues: write | |
| env: | |
| CI: true | |
| BUILD_NUMBER: ${{ github.run_number }} | |
| SCM_TAG: ${{ github.sha }} | |
| #GRADLE_OPTS: "-Dorg.gradle.daemon=false" | |
| DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS: "^(?!(classpath)).*" | |
| DEPENDENCY_GRAPH_INCLUDE_PROJECTS: "^:(?!(buildSrc|test|check)).*" | |
| IS_DEFAULT_BRANCH: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} | |
| jobs: | |
| buildAndCheck: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| java: [ '22' ] | |
| os: [ 'macos', 'windows', 'ubuntu' ] | |
| # CodeQL supports ['c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'] | |
| # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support. | |
| language: [ 'java-kotlin' ] | |
| name: 'Build and check on ${{ matrix.os }}' | |
| timeout-minutes: 30 | |
| runs-on: '${{ matrix.os }}-latest' | |
| if: ${{ !contains(github.event.head_commit.message, 'ci skip') }} | |
| env: | |
| GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: false | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
| with: | |
| disable-sudo: true | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: 'Set up JDK ${{ matrix.java }}' | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: temurin | |
| java-version: '${{ matrix.java }}' | |
| - name: 'Cached KMP things (Konan, Node, Yarn, Binaryen)' | |
| if: false # Seems slower than without it. | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.konan | |
| ~/.gradle/yarn | |
| ~/.gradle/nodejs | |
| ~/.gradle/binaryen | |
| key: "${{ runner.os }}-kmp-2.0.0" | |
| restore-keys: | | |
| ${{ runner.os }}-kmp- | |
| - name: Setup Gradle | |
| uses: gradle/actions/setup-gradle@v4 | |
| with: | |
| cache-disabled: ${{ matrix.os == 'windows' }} # super slow on Windows. | |
| cache-encryption-key: "${{ secrets.GRADLE_ENCRYPTION_KEY }}" | |
| cache-read-only: ${{ !env.IS_DEFAULT_BRANCH }} | |
| dependency-graph: ${{ env.IS_DEFAULT_BRANCH && 'generate-and-submit' || 'disabled'}} | |
| add-job-summary-as-pr-comment: on-failure | |
| artifact-retention-days: 1 | |
| # TODO: If it's a "build(deps): ..." commit, then run the dependency review actions, | |
| # amend the `dependencyGuardBaseline` and `kotlinUpgradeYarnLock` task results | |
| - name: Initialize CodeQL | |
| if: matrix.os == 'ubuntu' | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: ${{ matrix.language }} | |
| # If you wish to specify custom queries, you can do so here or in a config file. | |
| # By default, queries listed here will override any specified in a config file. | |
| # Prefix the list with "+" to use these queries, and those in the config file. | |
| # | |
| # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | |
| # queries: security-extended, security-and-quality | |
| - name: 'Build and check plugin itself' | |
| timeout-minutes: 18 | |
| run: ./gradlew build assemble check --continue --stacktrace --scan | |
| - name: Upload sarif report (Detekt) | |
| if: always() && (github.event_name == 'pull_request' || env.IS_DEFAULT_BRANCH) | |
| uses: github/codeql-action/upload-sarif@v3 | |
| continue-on-error: true | |
| with: | |
| sarif_file: build/detekt-merged.sarif | |
| category: detekt | |
| - name: Upload sarif report (Lint) | |
| if: always() && (github.event_name == 'pull_request' || env.IS_DEFAULT_BRANCH) | |
| uses: github/codeql-action/upload-sarif@v3 | |
| continue-on-error: true | |
| with: | |
| sarif_file: build/lint-merged.sarif | |
| category: lint | |
| - name: 'Run check-gradle-plugin' | |
| if: always() | |
| timeout-minutes: 6 | |
| working-directory: checks/gradle-plugin | |
| run: ./gradlew build assemble check --continue --stacktrace --scan | |
| env: | |
| GITHUB_DEPENDENCY_GRAPH_ENABLED: false | |
| - name: 'Run check-kmp' | |
| if: always() | |
| timeout-minutes: 12 | |
| working-directory: checks/kmp | |
| run: ./gradlew build assemble check printKotlinSourceSetsGraph --continue --stacktrace --scan | |
| env: | |
| GITHUB_DEPENDENCY_GRAPH_ENABLED: false | |
| - name: 'Run check-compose-desktop' | |
| if: always() | |
| timeout-minutes: 14 | |
| working-directory: checks/compose-desktop | |
| run: ./gradlew build assemble check packageReleaseDistributionForCurrentOS --continue --stacktrace --scan | |
| env: | |
| GITHUB_DEPENDENCY_GRAPH_ENABLED: false | |
| - name: 'Run self check' | |
| timeout-minutes: 4 | |
| working-directory: self | |
| run: ./gradlew build assemble check --continue --stacktrace --scan | |
| env: | |
| GITHUB_DEPENDENCY_GRAPH_ENABLED: false | |
| - name: Upload the build report | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: '${{ matrix.os }}-build-report' | |
| path: | | |
| **/build/logs/ | |
| **/build/reports/ | |
| **/build/output/ | |
| build/*-merged.* | |
| compression-level: 9 | |
| - name: Perform CodeQL Analysis | |
| if: matrix.os == 'ubuntu' | |
| timeout-minutes: 6 | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:${{matrix.language}}" | |
| - name: "Post result in PR comment" | |
| uses: actions/github-script@v7 | |
| if: github.event_name == 'pull_request' && failure() | |
| env: | |
| OS: ${{ matrix.os }} | |
| GH_WORKFLOW: ${{ github.workflow }} | |
| RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| const { OS, GH_WORKFLOW, RUN_URL } = process.env | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, | |
| body: `❌ ${GH_WORKFLOW} [failed](${RUN_URL}) on ${OS}.`, | |
| }) | |
| # TODO: Integrate commits linting | |
| # https://github.com/lsc/serenity/blob/6ef8100/.github/workflows/lintcommits.yml | |
| # https://github.com/p-gentili/ockam/blob/c3a4139/.github/workflows/commits.yml | |
| # TODO: Integrate the dependency-review-action | |
| # https://github.com/marketplace/actions/gradle-build-action#integrating-the-dependency-review-action | |
| # TODO: CI Improvements | |
| # https://github.com/ajalt/clikt/blob/master/.github/workflows/build.yml |