Security updates: Create new security module, use that module in the … #1370
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# | |
# GitHub runner workflow for building, verifying and testing the XVM repo. | |
# | |
# TODO: Add periodic workflows (that can be manually triggered /w workflow_disspatch and also run through a cron file) | |
# 1) Cleans out old workflows that have finished but not succeeded. | |
# 2) Cleans Gradle and other build caches, maybe one every 24 h | |
# 3) Cleans ... | |
# | |
# Check if "pull-request" makes it possible to add a branch protection status check requirement on master. | |
# gh auth switch --hostname enterprise.internal --user monalisa (switch auth) | |
name: XVM Verification and Package Updates | |
on: | |
push: | |
workflow_dispatch: | |
inputs: | |
extra_gradle_options: | |
description: 'Extra Gradle options to pass to the build' | |
required: false | |
skip_manual_tests: | |
description: 'Skip manual tests' | |
required: false | |
skip_manual_tests_parallel: | |
description: 'Skip parallel manual tests' | |
required: false | |
env: | |
# TODO: Default should be disabled; we only want to be bothered by tagging and publishing for the master branch. | |
always_publish_snapshot: false | |
# Add manual tests as an included build to the composite build configuration, and also build them. | |
ORG_GRADLE_PROJECT_includeBuildManualTests: true | |
ORG_GRADLE_PROJECT_includeBuildAttachManualTests: true | |
ORG_GRADLE_PROJECT_xtcPluginOverrideVerboseLogging: true | |
# Add sanity checks that the javatools fatjar contains appropriate classes and dependencies | |
ORG_XTCLANG_JAVATOOLS_SANITY_CHECK_JAR: true | |
# Secrets (TODO: Verify plugin portal and maven central/sonatype credentials) | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GRADLE_PUBLISH_KEY: ${{ secrets.ORG_XTCLANG_GRADLE_PLUGIN_PORTAL_PUBLISH_KEY }} | |
GRADLE_PUBLISH_SECRET: ${{ secrets.ORG_XTCLANG_GRADLE_PLUGIN_PORTAL_PUBLISH_SECRET }} | |
GPG_SIGNING_KEY: ${{ secrets.ORG_XTCLANG_GPG_SIGNING_KEY }} | |
GPG_SIGNING_PASSWORD: ${{ secrets.ORG_XTCLANG_GPG_SIGNING_PASSWORD }} | |
MAVEN_CENTRAL_USERNAME: ${{ secrets.ORG_XTCLANG_MAVEN_CENTRAL_USERNAME }} | |
MAVEN_CENTRAL_PASSWORD: ${{ secrets.ORG_XTCLANG_MAVEN_CENTRAL_PASSWORD }} | |
gradle_options: "-Dorg.gradle.jvmargs=-Xmx8G -Dorg.gradle.caching.debug=false -Dorg.gradle.vfs.verbose=false --stacktrace --warning-mode=all --console=plain ${{ inputs.extra_gradle_options }}" | |
# Optional flags to skip manual tests, or at least some of them. | |
skip_manual_tests: ${{ github.event.inputs.skip_manual_tests || 'false' }} | |
skip_manual_tests_parallel: ${{ github.event.inputs.skip_manual_tests_parallel || 'false' }} | |
# Build environment and build workflow debug flags. | |
# ACTIONS_RUNNER_DEBUG: true | |
# ACTIONS_STEP_DEBUG: true | |
GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true | |
# Concurrency settings: group by workflow and ref, cancel intermediate builds, but only if it's a pull request build. | |
concurrency: | |
group: "${{ github.workflow }}-${{ github.ref }}" | |
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }} | |
jobs: | |
build-verify: | |
strategy: | |
matrix: | |
os: [ ubuntu-latest, windows-latest ] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Fetch Sources | |
uses: actions/checkout@v4 | |
with: | |
show-progress: true | |
- name: Setup Java | |
uses: actions/setup-java@v4 | |
with: | |
distribution: zulu | |
java-version: 21 | |
- name: Setup Gradle | |
uses: gradle/actions/setup-gradle@v4 | |
with: | |
cache-disabled: ${{ github.ref == 'refs/heads/master' }} | |
cache-read-only: false | |
gradle-version: "8.9" | |
- name: Validate Gradle Wrapper | |
uses: gradle/actions/wrapper-validation@v4 | |
- name: Dump environment info | |
shell: bash | |
run: | | |
echo "*** Branch (github.ref) : ${{ github.ref }}" | |
echo "*** Commit (github.sha) : ${{ github.sha }}" | |
echo "*** Runner OS : ${{ runner.os }}" | |
echo "*** Java system properties :" | |
java -XshowSettings:properties --version | |
- name: Build the XDK and create a distribution layout | |
shell: bash | |
run: | | |
cwd_path=$(pwd) | |
echo "Executing Gradle 'installDist' task from path: '$cwd_path'" | |
./gradlew ${{ env.gradle_options }} installDist | |
- name: Build a machine specific XDK installation with native launchers, test run launchers on native platform | |
shell: bash | |
run: | | |
./gradlew ${{ env.gradle_options }} xdk:installWithLaunchersDist | |
xcc_path=$(find xdk/build/install/ -name xcc) | |
xec_path=$(find xdk/build/install/ -name xec) | |
echo "Location of native launcher (xcc): $xcc_path" | |
echo "Location of native launcher (xec): $xec_path" | |
echo "*** Testing native launchers, verifying their binary format and that they run on this platform..." | |
xcc_file=$(file $xcc_path) | |
xec_file=$(file $xec_path) | |
xcc_version=$($xcc_path --version) | |
xec_version=$($xec_path --version) | |
echo " xcc:" | |
echo " file : $xcc_file" | |
echo " version: $xcc_version" | |
echo " xec:" | |
echo " file : $xec_file" | |
echo " version: $xec_version" | |
echo "*** Native launchers work." | |
- name: Default manualTest tasks | |
if: ${{ env.skip_manual_tests != 'true' }} | |
timeout-minutes: 5 | |
shell: bash | |
run: | | |
./gradlew ${{ env.gradle_options }} manualTests:runXtc | |
./gradlew ${{ env.gradle_options }} manualTests:runOne -PtestName=TestMisc | |
./gradlew ${{ env.gradle_options }} manualTests:runTwoTestsInSequence | |
echo "*** manualTests:runParallel: ${{ env.skip_manual_tests_parallel }}" | |
- name: Parallel manualTest task | |
timeout-minutes: 5 | |
if: ${{ env.skip_manual_tests_parallel != 'true' }} | |
shell: bash | |
run: | | |
./gradlew ${{ env.gradle_options }} manualTests:runParallel | |
publish-snapshot: | |
name: Publish to GitHub packages iff snapshot + non-redundant build platform + branch is master | |
needs: build-verify | |
runs-on: ubuntu-latest | |
#if: ${{ (github.ref == 'refs/heads/master') }} | |
steps: | |
# Check out current repository | |
- name: Fetch Sources | |
uses: actions/checkout@v4 | |
# Set up Java environment for the next steps | |
- name: Setup Java | |
uses: actions/setup-java@v4 | |
with: | |
distribution: zulu | |
java-version: 21 | |
- name: Setup Gradle | |
uses: gradle/actions/setup-gradle@v4 | |
with: | |
cache-disabled: ${{ github.ref == 'refs/heads/master' }} | |
cache-read-only: false | |
gradle-version: "8.9" | |
- name: Dump environment info | |
shell: bash | |
run: | | |
echo "*** Branch (github.ref) : ${{ github.ref }}" | |
echo "*** Commit (github.sha) : ${{ github.sha }}" | |
echo "*** Runner OS : ${{ runner.os }}" | |
echo "*** Java system properties :" | |
java -XshowSettings:properties --version | |
- name: Create or Update Snapshot (if pushed to 'master', or env.always_publish_snapshot is true) | |
if: ${{ (env.always_publish_snapshot == 'true') || (github.ref == 'refs/heads/master') }} | |
shell: bash | |
run: | | |
./gradlew ${{ env.gradle_options }} xdk:ensureTags -PsnapshotOnly=true | |
./gradlew ${{ env.gradle_options }} publishRemote -PsnapshotOnly=true |