feat(build): configure SonatypeHost for publishing to S01 #29
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build | |
on: | |
pull_request: | |
paths-ignore: | |
- '**-validation.yml' | |
- '**.*ignore' | |
- '**.md' | |
- '**.txt' | |
- '**/actionlint**' | |
- '**/pr-**.yml' | |
- '**/release.yml' | |
- '**dependabot.yml' | |
# Avoid useless and/or duplicate runs. | |
# Also, we merge with --ff-only, | |
# so we don't need to run on the merge commit. | |
branches-ignore: | |
# Dependabot creates both branch and PR. Avoid running twice. | |
- 'dependabot/**' | |
- 'dev' | |
- 'feat*/**' | |
- 'fix/**' | |
- 'mr/**' | |
- 'pr/**' | |
- 'pull/**' | |
- 'wip/**' | |
push: | |
paths-ignore: | |
- '**-validation.yml' | |
- '**.*ignore' | |
- '**.md' | |
- '**.txt' | |
- '**/actionlint**' | |
- '**/pr-**.yml' | |
- '**/release.yml' | |
- '**dependabot.yml' | |
permissions: | |
contents: write | |
# required for all workflows (CodeQL) | |
security-events: write | |
# required for workflows in private repositories (CodeQL) | |
actions: read | |
# We appear to need write permission for both pull-requests and | |
# issues to post a comment to a pull request. | |
pull-requests: write | |
issues: write | |
env: | |
CI: true | |
BUILD_NUMBER: ${{ github.run_number }} | |
SCM_TAG: ${{ github.sha }} | |
#GRADLE_OPTS: "-Dorg.gradle.daemon=false" | |
DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS: "^(?!(classpath)).*" | |
DEPENDENCY_GRAPH_INCLUDE_PROJECTS: "^:(?!(buildSrc|test|check)).*" | |
IS_DEFAULT_REPO: ${{ github.repository == 'fluxo-kt/fluxo-io' }} | |
IS_DEFAULT_BRANCH: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} | |
jobs: | |
buildAndCheck: | |
strategy: | |
fail-fast: false | |
matrix: | |
java: [ '23', '17' ] | |
os: [ 'macos', 'windows', 'ubuntu' ] | |
# CodeQL supports ['c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'] | |
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support. | |
language: [ 'java-kotlin' ] | |
name: 'Check ${{ matrix.os }}, JDK ${{ matrix.java }}' | |
timeout-minutes: 30 | |
runs-on: '${{ matrix.os }}-latest' | |
if: ${{ !contains(github.event.head_commit.message, 'ci skip') }} | |
env: | |
GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: false | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
disable-sudo: true | |
egress-policy: audit | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: 'Set up JDK ${{ matrix.java }}' | |
uses: actions/setup-java@v4 | |
with: | |
distribution: graalvm | |
java-version: '${{ matrix.java }}' | |
- name: 'Cached KMP things (Konan, Node, Yarn, Binaryen)' | |
if: false # Seems slower than without it. | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.konan | |
~/.gradle/yarn | |
~/.gradle/nodejs | |
~/.gradle/binaryen | |
key: "${{ runner.os }}-kmp-2.1.0" | |
restore-keys: | | |
${{ runner.os }}-kmp- | |
- name: Setup Gradle | |
uses: gradle/actions/setup-gradle@v4 | |
with: | |
gradle-home-cache-cleanup: true | |
cache-disabled: ${{ matrix.os == 'windows' }} # super slow on Windows. | |
cache-encryption-key: "${{ secrets.GRADLE_ENCRYPTION_KEY }}" | |
cache-read-only: ${{ !env.IS_DEFAULT_BRANCH }} | |
dependency-graph: ${{ env.IS_DEFAULT_BRANCH && 'generate-and-submit' || 'disabled'}} | |
add-job-summary-as-pr-comment: on-failure | |
artifact-retention-days: 1 | |
# TODO: If it's a "build(deps): ..." commit, then run the dependency review actions, | |
# amend the `dependencyGuardBaseline` and `kotlinUpgradeYarnLock` task results | |
- name: Initialize CodeQL | |
if: matrix.os == 'ubuntu' && matrix.java == '17' | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: ${{ matrix.language }} | |
# If you wish to specify custom queries, you can do so here or in a config file. | |
# By default, queries listed here will override any specified in a config file. | |
# Prefix the list with "+" to use these queries, and those in the config file. | |
# | |
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | |
# queries: security-extended, security-and-quality. | |
- name: 'Build and check' | |
id: check | |
timeout-minutes: 18 | |
run: ./gradlew build assemble check --continue --stacktrace --scan | |
- name: Upload sarif report (Detekt) | |
if: always() && matrix.os == 'macos' && matrix.java == '23' | |
&& (github.event_name == 'pull_request' || env.IS_DEFAULT_BRANCH) | |
uses: github/codeql-action/upload-sarif@v3 | |
continue-on-error: true | |
with: | |
sarif_file: build/detekt-merged.sarif | |
category: detekt | |
- name: Upload sarif report (Lint) | |
if: always() && matrix.os == 'macos' && matrix.java == '23' | |
&& (github.event_name == 'pull_request' || env.IS_DEFAULT_BRANCH) | |
uses: github/codeql-action/upload-sarif@v3 | |
continue-on-error: true | |
with: | |
sarif_file: build/lint-merged.sarif | |
category: lint | |
- name: Publish JUnit test results as a pull request check | |
if: (success() || failure()) && matrix.os == 'macos' && env.IS_DEFAULT_REPO && env.IS_DEFAULT_BRANCH | |
uses: mikepenz/action-junit-report@v5 | |
with: | |
report_paths: '**/build/test-results/*/TEST-*.xml' | |
- name: Publish SNAPSHOT | |
id: snapshot | |
continue-on-error: true | |
if: matrix.os == 'macos' && matrix.java == '23' | |
&& steps.check.outcome == 'success'&& github.event_name == 'push' | |
&& env.IS_DEFAULT_REPO && env.IS_DEFAULT_BRANCH | |
env: | |
OSSRH_USER: ${{ secrets.OSSRH_USER }} | |
OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} | |
SIGNING_KEY: ${{ secrets.SIGNING_KEY }} | |
SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }} | |
ORG_GRADLE_PROJECT_mavenCentralUsername: ${{ secrets.OSSRH_USER }} | |
ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.OSSRH_PASSWORD }} | |
ORG_GRADLE_PROJECT_signingInMemoryKey: ${{ secrets.SIGNING_KEY }} | |
ORG_GRADLE_PROJECT_signingInMemoryKeyPassword: ${{ secrets.SIGNING_PASSWORD }} | |
RELEASE: true | |
run: ./gradlew publish -DDISABLE_TESTS --no-configuration-cache --stacktrace --scan | |
- name: Upload the build report | |
if: always() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: '${{ matrix.os }}-JDK${{ matrix.java }}-build-report' | |
path: | | |
**/build/logs/ | |
**/build/reports/ | |
**/build/output/ | |
build/*-merged.* | |
compression-level: 9 | |
- name: Perform CodeQL Analysis | |
if: matrix.os == 'ubuntu' && matrix.java == '17' | |
timeout-minutes: 6 | |
uses: github/codeql-action/analyze@v3 | |
with: | |
category: "/language:${{matrix.language}}" | |
- name: "Post result in PR comment" | |
uses: actions/github-script@v7 | |
if: github.event_name == 'pull_request' && failure() | |
env: | |
OS: ${{ matrix.os }} | |
GH_WORKFLOW: ${{ github.workflow }} | |
RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
const { OS, GH_WORKFLOW, RUN_URL } = process.env | |
github.rest.issues.createComment({ | |
issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, | |
body: `❌ ${GH_WORKFLOW} [failed](${RUN_URL}) on ${OS}.`, | |
}) |