ORC-1006: Build and test in github workflow using the maven version specified in pom #914
Conversation
| - name: Set maven version to env | ||
| run: echo "maven_version=$(grep "<maven.version>" "./java/pom.xml" | head -n1 | awk -F '[<>]' '{print $3}')" >> $GITHUB_ENV | ||
| - name: Set up Maven ${{ env.maven_version }} | ||
| uses: stCarolas/setup-maven@v4 |
There was a problem hiding this comment.
Hi, @guiyanakuang . Is it approved by Apache Software Foundation?
AFS doesn't allow the un-approved GitHub Actions.
There was a problem hiding this comment.
Oh, I hadn't noticed that, just a moment while I make sure.
There was a problem hiding this comment.
@dongjoon-hyun I read this link: https://cwiki.apache.org/confluence/display/BUILDS/GitHub+Actions+status.
Learn about security. This pr hands over the installation of maven to a third party, which does pose a significant security risk.
NEVER use 3rd-party actions directly in your worfklows - use the "submodule" pattern. Example PR Tobiasz Kędzierski opened in SuperSet showing how this could be done.
Although I did not find an ASF Approved Action list, I will close this pr first and open it again if I find a safe and approved solution.
|
Thank you for closing, @guiyanakuang . |
What changes were proposed in this pull request?
Two steps have been added to the build job to set the maven version specified in pom.
Why are the changes needed?
Make the github workflow consistent with the build environment expressed in the readme.
Provides a capability: github workflow facilitates switching between maven versions and even supports build testing of multiple maven versions.
This can be used as a workaround for the warning indicated in ORC-894.
How was this patch tested?
Pass the CIs.