From f6281dab42876f027be772accdd2179412735936 Mon Sep 17 00:00:00 2001
From: Tobias Gesellchen
Date: Sat, 26 Aug 2023 17:37:35 +0200
Subject: [PATCH 1/2] Publish test results using EnricoMi/publish-unit-test-result-action
---
 .github/workflows/cd.yml | 40 +++++++++++----
 .github/workflows/ci.yml | 29 ++++++++---
 .github/workflows/publish-test-results.yml | 57 +++++++++++-----------
 .github/workflows/release.yml | 40 +++++++++++----
 4 files changed, 114 insertions(+), 52 deletions(-)
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 04a8c924..975a16ee 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -5,29 +5,51 @@ on: branches: - main jobs: - publish: + event-file: + # https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches + name: "Event File" runs-on: ubuntu-latest + steps: + - name: Upload + uses: actions/upload-artifact@v3 + with: + name: event-file + path: ${{ github.event_path }} + publish: + strategy: + matrix: + os: + - ubuntu-latest + # - windows-latest + # - macos-latest + java: + - 8 + # - 17 + runs-on: ${{ matrix.os }} timeout-minutes: 20 steps: - uses: actions/checkout@v3 with: fetch-depth: 1 - name: Set up JDK - uses: actions/setup-java@v3 + uses: actions/setup-java@v3.12.0 with: distribution: 'zulu' - java-version: 8 - cache: 'gradle' + java-version: ${{ matrix.java }} + - name: Setup Gradle + uses: gradle/gradle-build-action@v2 - name: build publish run: ./gradlew clean build publish --no-daemon --info --stacktrace env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} ORG_GRADLE_PROJECT_signingKey: ${{ secrets.GPG_SIGNING_KEY }} ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.GPG_SIGNING_PASSWORD }} - - name: Publish Test Report - if: ${{ always() }} - uses: scacap/action-surefire-report@v1 + - name: Upload Test Results + # see publish-test-results.yml for workflow that publishes test results without security issues for forks + # https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches + if: always() + uses: actions/upload-artifact@v3 with: - github_token: ${{ secrets.GITHUB_TOKEN }} - report_paths: '**/build/test-results/test/TEST-*.xml' + name: Test Results (Java ${{ matrix.java }} on ${{ matrix.os }}) + path: '**/build/test-results/test/TEST-*.xml' ... diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d7dd5dbe..d6cbd055 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
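Review bot: Action pinning in the rewritten `publish` job is inconsistent: `actions/setup-java@v3.12.0` is held to a patch tag while `actions/checkout@v3`, `actions/upload-artifact@v3` and `gradle/gradle-build-action@v2` float on mutable major tags, in a job that is handed `GPG_SIGNING_KEY` and `GPG_SIGNING_PASSWORD`. The same patch pins `dawidd6/action-download-artifact` to a commit SHA in publish-test-results.yml; applying that form to every `uses:` here, e.g. `uses: actions/setup-java@<commit-sha>  # v3.12.0` (placeholder SHA, resolve from the action's release), gives one auditable policy, and the same mix appears in the ci.yml hunks and both release.yml hunks. The new `event-file` job declares no `permissions:`; a workflow-level block may exist in lines 1–4 above the hunk, but if it does not, `permissions: {}` on that job stops the default token from carrying whatever scopes the repository default grants into a job that only uploads `${{ github.event_path }}`.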
@@ -6,11 +6,26 @@ on: branches-ignore: - main jobs: + event-file: + # https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches + name: "Event File" + runs-on: ubuntu-latest + steps: + - name: Upload + uses: actions/upload-artifact@v3 + with: + name: event-file + path: ${{ github.event_path }} ci-build: strategy: matrix: - os: [ ubuntu-latest, windows-latest, macos-latest ] - java: [ 8, 17 ] + os: + - ubuntu-latest + - windows-latest + - macos-latest + java: + - 8 + - 17 runs-on: ${{ matrix.os }} timeout-minutes: 20 steps: @@ -18,11 +33,12 @@ jobs: with: fetch-depth: 1 - name: Set up JDK - uses: actions/setup-java@v3 + uses: actions/setup-java@v3.12.0 with: distribution: 'zulu' java-version: ${{ matrix.java }} - cache: 'gradle' + - name: Setup Gradle + uses: gradle/gradle-build-action@v2 # checks if updating the generated sources would succeed - name: clean updateApiModelSources run: ./gradlew clean updateApiModelSources --no-daemon --info --stacktrace @@ -34,9 +50,10 @@ jobs: run: ./gradlew clean build --no-daemon --info --stacktrace - name: Upload Test Results # see publish-test-results.yml for workflow that publishes test results without security issues for forks + # https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches + if: always() uses: actions/upload-artifact@v3 - if: ${{ always() }} with: - name: test-results + name: Test Results (Java ${{ matrix.java }} on ${{ matrix.os }}) path: '**/build/test-results/test/TEST-*.xml' ... diff --git a/.github/workflows/publish-test-results.yml b/.github/workflows/publish-test-results.yml index 0a4cc3fb..bbb0ba2c 100644 --- a/.github/workflows/publish-test-results.yml +++ b/.github/workflows/publish-test-results.yml 
@@ -10,41 +10,42 @@ on: workflow_run: workflows: - CI + - Publish + - Release types: - completed +permissions: {} jobs: - # Job based on https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ + # Job based on + # - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ + # - https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches publish-test-results: runs-on: ubuntu-latest - if: ${{ github.event.workflow_run.conclusion == 'success' }} + if: github.event.workflow_run.conclusion != 'skipped' + + permissions: + checks: write + # needed unless run with comment_mode: off + pull-requests: write + # only needed for private repository + #contents: read + # only needed for private repository + #issues: read + # required by download step to access artifacts API + actions: read + steps: - # Unfortunately, the official actions/download-artifact action is very limited in scope. - # Can't use it yet in this context, https://github.com/actions/download-artifact/issues/60 - - name: Download artifact - uses: actions/github-script@v6 + - name: Download and Extract Artifacts + uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 with: - script: | - var artifacts = await github.rest.actions.listWorkflowRunArtifacts({ - owner: context.repo.owner, - repo: context.repo.repo, - run_id: ${{ github.event.workflow_run.id }}, - }); - var matchArtifact = artifacts.data.artifacts.filter((artifact) => { - return artifact.name == "test-results" - })[0]; - var download = await github.rest.actions.downloadArtifact({ - owner: context.repo.owner, - repo: context.repo.repo, - artifact_id: matchArtifact.id, - archive_format: 'zip', - }); - var fs = require('fs'); - fs.writeFileSync('${{github.workspace}}/test-results.zip', Buffer.from(download.data)); - - run: unzip test-results.zip + run_id: ${{ github.event.workflow_run.id }} + path: artifacts - name: Publish Test 
Results - uses: scacap/action-surefire-report@v1 + uses: EnricoMi/publish-unit-test-result-action@v2 with: - commit: ${{ github.event.workflow_run.head_commit.id }} - github_token: ${{ secrets.GITHUB_TOKEN }} - report_paths: '**/build/test-results/test/TEST-*.xml' + commit: ${{ github.event.workflow_run.head_sha }} + event_file: artifacts/event-file/event.json + event_name: ${{ github.event.workflow_run.event }} + files: "artifacts/**/build/test-results/test/TEST-*.xml" +... diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4574d978..e0c49692 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,19 +7,39 @@ on: # - published jobs: - release: + event-file: + # https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches + name: "Event File" runs-on: ubuntu-latest + steps: + - name: Upload + uses: actions/upload-artifact@v3 + with: + name: event-file + path: ${{ github.event_path }} + release: + strategy: + matrix: + os: + - ubuntu-latest + # - windows-latest + # - macos-latest + java: + - 8 + # - 17 + runs-on: ${{ matrix.os }} timeout-minutes: 20 steps: - uses: actions/checkout@v3 with: fetch-depth: 1 - name: Set up JDK - uses: actions/setup-java@v3 + uses: actions/setup-java@v3.12.0 with: distribution: 'zulu' - java-version: 8 - cache: 'gradle' + java-version: ${{ matrix.java }} + - name: Setup Gradle + uses: gradle/gradle-build-action@v2 - name: Set artifact version run: | echo "RELEASE_VERSION=$(echo '${{ github.event.release.tag_name }}' | sed -e s/^v//)" >> $GITHUB_ENV 
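Review bot: The `publish-test-results` job now takes `checks: write` and `pull-requests: write` and parses artifacts uploaded by the triggering run (fork PR runs included, which is the reason for the `workflow_run` split), yet it is the only job in this patch without `timeout-minutes`; add `timeout-minutes: 20` under `runs-on` to match cd.yml, ci.yml and release.yml and bound a job whose inputs come from a run it does not control. The commit-SHA pin on `dawidd6/action-download-artifact@246dbf43…` is the right choice but cannot be mapped to a release by a reader; append `# <release tag>` (placeholder, taken from the action's releases) so reviewers and Dependabot can follow it. The trigger condition widened from `== 'success'` to `!= 'skipped'`, so the job now runs for failed and cancelled runs as well; a comment such as `# also run for failed/cancelled runs so failing test results are still published` would record that this is intended rather than accidental. The "Publish Test Results" step name is split across two lines here by extraction; it is one step in the patch.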
@@ -32,10 +52,12 @@ jobs: SONATYPE_STAGING_PROFILE_ID: ${{ secrets.SONATYPE_STAGING_PROFILE_ID }} SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }} SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }} - - name: Publish Test Report - if: ${{ always() }} - uses: scacap/action-surefire-report@v1 + - name: Upload Test Results + # see publish-test-results.yml for workflow that publishes test results without security issues for forks + # https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches + if: always() + uses: actions/upload-artifact@v3 with: - github_token: ${{ secrets.GITHUB_TOKEN }} - report_paths: '**/build/test-results/test/TEST-*.xml' + name: Test Results (Java ${{ matrix.java }} on ${{ matrix.os }}) + path: '**/build/test-results/test/TEST-*.xml' ... From 15ace34e9dd485a52e78260649301d55ce4751a4 Mon Sep 17 00:00:00 2001 From: Tobias Gesellchen Date: Sat, 26 Aug 2023 17:37:58 +0200 Subject: [PATCH 2/2] Configure grouped dependency updates --- .github/dependabot.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 6337115b..8f29cf04 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,3 +9,15 @@ updates: schedule: interval: "daily" open-pull-requests-limit: 20 + groups: + # https://github.blog/2023-08-24-a-faster-way-to-manage-version-updates-with-dependabot/ + # https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups + kotlin: + patterns: + - "org.jetbrains.kotlin:*" + moshi: + patterns: + - "com.squareup.moshi:*" + okio: + patterns: + - "com.squareup.okio:*"
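Review bot: The new `groups` block only covers the Gradle coordinates `org.jetbrains.kotlin:*`, `com.squareup.moshi:*` and `com.squareup.okio:*`, while the first patch in this series introduces a commit-SHA pin (`dawidd6/action-download-artifact@246dbf43…`) and a patch-tag pin (`actions/setup-java@v3.12.0`) that only stay current if a `package-ecosystem: "github-actions"` entry exists. The head of dependabot.yml (lines 1–8) is outside the hunk, so that entry may already be declared; if it is not, add one with `directory: "/"` and the same `schedule` so the pinned actions receive update PRs. A one-line comment above `groups` naming the ecosystem it applies to would also help, since the enclosing `updates` entry's header is not visible in the hunk.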