Improve the CI (fixed test reports, grouped dependency updates)

.github/dependabot.yml

@@ -9,3 +9,15 @@ updates:
     schedule:
       interval: "daily"
     open-pull-requests-limit: 20
+    groups:
+      # https://github.blog/2023-08-24-a-faster-way-to-manage-version-updates-with-dependabot/
+      # https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
+      kotlin:
+        patterns:
+          - "org.jetbrains.kotlin:*"
+      moshi:
+        patterns:
+          - "com.squareup.moshi:*"
+      okio:
+        patterns:
+          - "com.squareup.okio:*"

.github/workflows/cd.yml

@@ -5,29 +5,51 @@ on:
     branches:
       - main
 jobs:
-  publish:
+  event-file:
+    # https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches
+    name: "Event File"
     runs-on: ubuntu-latest
+    steps:
+      - name: Upload
+        uses: actions/upload-artifact@v3
+        with:
+          name: event-file
+          path: ${{ github.event_path }}
+  publish:
+    strategy:
+      matrix:
+        os:
+          - ubuntu-latest
+        #          - windows-latest
+        #          - macos-latest
+        java:
+          - 8
+    #          - 17
+    runs-on: ${{ matrix.os }}
     timeout-minutes: 20
     steps:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 1
       - name: Set up JDK
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v3.12.0
         with:
           distribution: 'zulu'
-          java-version: 8
-          cache: 'gradle'
+          java-version: ${{ matrix.java }}
+      - name: Setup Gradle
+        uses: gradle/gradle-build-action@v2
       - name: build publish
         run: ./gradlew clean build publish --no-daemon --info --stacktrace
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           ORG_GRADLE_PROJECT_signingKey: ${{ secrets.GPG_SIGNING_KEY }}
           ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.GPG_SIGNING_PASSWORD }}
-      - name: Publish Test Report
-        if: ${{ always() }}
-        uses: scacap/action-surefire-report@v1
+      - name: Upload Test Results
+        # see publish-test-results.yml for workflow that publishes test results without security issues for forks
+        # https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches
+        if: always()
+        uses: actions/upload-artifact@v3
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          report_paths: '**/build/test-results/test/TEST-*.xml'
+          name: Test Results (Java ${{ matrix.java }} on ${{ matrix.os }})
+          path: '**/build/test-results/test/TEST-*.xml'
 ...

.github/workflows/ci.yml

@@ -6,23 +6,39 @@ on:
     branches-ignore:
       - main
 jobs:
+  event-file:
+    # https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches
+    name: "Event File"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Upload
+        uses: actions/upload-artifact@v3
+        with:
+          name: event-file
+          path: ${{ github.event_path }}
   ci-build:
     strategy:
       matrix:
-        os: [ ubuntu-latest, windows-latest, macos-latest ]
-        java: [ 8, 17 ]
+        os:
+          - ubuntu-latest
+          - windows-latest
+          - macos-latest
+        java:
+          - 8
+          - 17
     runs-on: ${{ matrix.os }}
     timeout-minutes: 20
     steps:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 1
       - name: Set up JDK
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v3.12.0
         with:
           distribution: 'zulu'
           java-version: ${{ matrix.java }}
-          cache: 'gradle'
+      - name: Setup Gradle
+        uses: gradle/gradle-build-action@v2
       # checks if updating the generated sources would succeed
       - name: clean updateApiModelSources
         run: ./gradlew clean updateApiModelSources --no-daemon --info --stacktrace
@@ -34,9 +50,10 @@ jobs:
         run: ./gradlew clean build --no-daemon --info --stacktrace
       - name: Upload Test Results
         # see publish-test-results.yml for workflow that publishes test results without security issues for forks
+        # https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches
+        if: always()
         uses: actions/upload-artifact@v3
-        if: ${{ always() }}
         with:
-          name: test-results
+          name: Test Results (Java ${{ matrix.java }} on ${{ matrix.os }})
           path: '**/build/test-results/test/TEST-*.xml'
 ...

.github/workflows/publish-test-results.yml

@@ -10,41 +10,42 @@ on:
   workflow_run:
     workflows:
       - CI
+      - Publish
+      - Release
     types:
       - completed
+permissions: {}
 
 jobs:
-  # Job based on https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+  # Job based on
+  # - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+  # - https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches
   publish-test-results:
     runs-on: ubuntu-latest
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    if: github.event.workflow_run.conclusion != 'skipped'
+
+    permissions:
+      checks: write
+      # needed unless run with comment_mode: off
+      pull-requests: write
+      # only needed for private repository
+      #contents: read
+      # only needed for private repository
+      #issues: read
+      # required by download step to access artifacts API
+      actions: read
+
     steps:
-      # Unfortunately, the official actions/download-artifact action is very limited in scope.
-      # Can't use it yet in this context, https://github.com/actions/download-artifact/issues/60
-      - name: Download artifact
-        uses: actions/github-script@v6
+      - name: Download and Extract Artifacts
+        uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615
         with:
-          script: |
-            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               run_id: ${{ github.event.workflow_run.id }},
-            });
-            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
-              return artifact.name == "test-results"
-            })[0];
-            var download = await github.rest.actions.downloadArtifact({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               artifact_id: matchArtifact.id,
-               archive_format: 'zip',
-            });
-            var fs = require('fs');
-            fs.writeFileSync('${{github.workspace}}/test-results.zip', Buffer.from(download.data));
-      - run: unzip test-results.zip
+          run_id: ${{ github.event.workflow_run.id }}
+          path: artifacts
       - name: Publish Test Results
-        uses: scacap/action-surefire-report@v1
+        uses: EnricoMi/publish-unit-test-result-action@v2
         with:
-          commit: ${{ github.event.workflow_run.head_commit.id }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          report_paths: '**/build/test-results/test/TEST-*.xml'
+          commit: ${{ github.event.workflow_run.head_sha }}
+          event_file: artifacts/event-file/event.json
+          event_name: ${{ github.event.workflow_run.event }}
+          files: "artifacts/**/build/test-results/test/TEST-*.xml"
+...

.github/workflows/release.yml

@@ -7,19 +7,39 @@ on:
 #      - published
 
 jobs:
-  release:
+  event-file:
+    # https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches
+    name: "Event File"
     runs-on: ubuntu-latest
+    steps:
+      - name: Upload
+        uses: actions/upload-artifact@v3
+        with:
+          name: event-file
+          path: ${{ github.event_path }}
+  release:
+    strategy:
+      matrix:
+        os:
+          - ubuntu-latest
+        #          - windows-latest
+        #          - macos-latest
+        java:
+          - 8
+    #          - 17
+    runs-on: ${{ matrix.os }}
     timeout-minutes: 20
     steps:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 1
       - name: Set up JDK
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v3.12.0
         with:
           distribution: 'zulu'
-          java-version: 8
-          cache: 'gradle'
+          java-version: ${{ matrix.java }}
+      - name: Setup Gradle
+        uses: gradle/gradle-build-action@v2
       - name: Set artifact version
         run: |
           echo "RELEASE_VERSION=$(echo '${{ github.event.release.tag_name }}' | sed -e s/^v//)" >> $GITHUB_ENV
@@ -32,10 +52,12 @@ jobs:
           SONATYPE_STAGING_PROFILE_ID: ${{ secrets.SONATYPE_STAGING_PROFILE_ID }}
           SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
           SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
-      - name: Publish Test Report
-        if: ${{ always() }}
-        uses: scacap/action-surefire-report@v1
+      - name: Upload Test Results
+        # see publish-test-results.yml for workflow that publishes test results without security issues for forks
+        # https://github.com/marketplace/actions/publish-test-results#support-fork-repositories-and-dependabot-branches
+        if: always()
+        uses: actions/upload-artifact@v3
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          report_paths: '**/build/test-results/test/TEST-*.xml'
+          name: Test Results (Java ${{ matrix.java }} on ${{ matrix.os }})
+          path: '**/build/test-results/test/TEST-*.xml'
 ...