From f2b7481997da307fec118a23783221c9fb6f8f6c Mon Sep 17 00:00:00 2001 From: Hartmut Date: Mon, 18 Sep 2023 14:06:21 +0200 Subject: [PATCH 1/3] ci: use gradle wrapper, enable cache usage --- .github/workflows/callable.build.yml | 4 +--- .github/workflows/callable.code-analysis.codeql.yml | 3 +-- .github/workflows/callable.code-analysis.trivy.yml | 1 - .github/workflows/callable.gradle-release.yml | 5 ----- .github/workflows/callable.integration-test.yml | 6 +----- .github/workflows/callable.publish-javadoc.yml | 3 +-- .github/workflows/callable.publish-sonatype.yml | 7 +++---- 7 files changed, 7 insertions(+), 22 deletions(-) diff --git a/.github/workflows/callable.build.yml b/.github/workflows/callable.build.yml index 3c68110..8b98ae8 100644 --- a/.github/workflows/callable.build.yml +++ b/.github/workflows/callable.build.yml @@ -15,10 +15,8 @@ jobs: with: distribution: 'corretto' java-version: '17' - cache: 'gradle' - uses: gradle/wrapper-validation-action@v1 - name: Setup Gradle uses: gradle/gradle-build-action@v2.8.0 - - name: Run build (incl. test) - run: gradle build -x intTest --no-daemon + run: ./gradlew build -x intTest --no-daemon diff --git a/.github/workflows/callable.code-analysis.codeql.yml b/.github/workflows/callable.code-analysis.codeql.yml index e14fd10..19ab16a 100644 --- a/.github/workflows/callable.code-analysis.codeql.yml +++ b/.github/workflows/callable.code-analysis.codeql.yml @@ -39,13 +39,12 @@ jobs: with: distribution: 'corretto' java-version: '17' - cache: 'gradle' - uses: gradle/wrapper-validation-action@v1 - name: Setup Gradle uses: gradle/gradle-build-action@v2.8.0 - name: Run build with Gradle Wrapper run: | - gradle build -x intTest --no-daemon + ./gradlew build -x intTest --no-daemon # ignore ./.gradle folder for analysis rm -Rf .gradle diff --git a/.github/workflows/callable.code-analysis.trivy.yml b/.github/workflows/callable.code-analysis.trivy.yml index aa4dcbf..d9a6d14 100644 
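Review bot: The new `run: ./gradlew build -x intTest --no-daemon` line makes the build execute the repository's own wrapper script and `gradle-wrapper.jar`, and the `gradle/wrapper-validation-action@v1` step above it only verifies the jar's checksum against Gradle's published list; it does not check the `gradlew` script or the `distributionUrl` that the jar downloads. Setting `distributionSha256Sum` in `gradle/wrapper/gradle-wrapper.properties` would have the downloaded distribution verified as well. The actions in this hunk are referenced by floating tags (`@v3`, `@v1`, `@v2.8.0`); pinning them to full commit SHAs, e.g. `uses: gradle/gradle-build-action@<sha> # v2.8.0`, keeps a moved tag from silently changing what runs in the build.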
--- a/.github/workflows/callable.code-analysis.trivy.yml +++ b/.github/workflows/callable.code-analysis.trivy.yml @@ -21,7 +21,6 @@ jobs: with: distribution: 'corretto' java-version: '17' - cache: 'gradle' - uses: gradle/wrapper-validation-action@v1 - name: Setup Gradle uses: gradle/gradle-build-action@v2.8.0 diff --git a/.github/workflows/callable.gradle-release.yml b/.github/workflows/callable.gradle-release.yml index 8c43cc5..1baeae3 100644 --- a/.github/workflows/callable.gradle-release.yml +++ b/.github/workflows/callable.gradle-release.yml @@ -14,7 +14,6 @@ jobs: runs-on: ubuntu-latest steps: - name: Validate 'Release Type' param - id: validate_type env: TYPE: ${{ inputs.type }} run: | @@ -32,19 +31,16 @@ jobs: with: distribution: 'corretto' java-version: '17' - cache: 'gradle' - uses: gradle/wrapper-validation-action@v1 - name: Setup Gradle uses: gradle/gradle-build-action@v2.8.0 - name: Get current version - id: get_version run: | source gradle.properties echo "current_version=${version}" >> $GITHUB_ENV - name: Determine version type - id: bump_version env: TYPE: ${{ inputs.type }} VERSION: ${{ env.current_version }} @@ -69,7 +65,6 @@ jobs: git config --local user.email "action@github.com" git config --local user.name "GitHub Action" - name: Run 'gradle release' - id: gradle_release run: | echo "Type: ${{ inputs.type }}" echo "Current version: ${{ env.current_version }}" diff --git a/.github/workflows/callable.integration-test.yml b/.github/workflows/callable.integration-test.yml index 595262d..89ac44a 100644 --- a/.github/workflows/callable.integration-test.yml +++ b/.github/workflows/callable.integration-test.yml 
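Review bot: `source gradle.properties` in the 'Get current version' step executes the properties file as shell instead of parsing it, so any line that is not a plain assignment (a `key.with.dots=value` entry, for instance) either fails the step or runs as a command, and the resulting value goes to `$GITHUB_ENV` unvalidated. Reading only the key that is needed is safer: `version="$(sed -n 's/^version=//p' gradle.properties)"`, followed by the existing `echo "current_version=${version}" >> "$GITHUB_ENV"`. The file is repository-controlled so the exposure is limited, but this job later pushes a release, which makes keeping its shell inputs narrow worthwhile.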
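Review bot: `echo "Type: ${{ inputs.type }}"` in the 'Run 'gradle release'' step interpolates a workflow_call input straight into the shell script, which is the script-injection pattern the other steps in this file avoid by passing the value through `env: TYPE: ${{ inputs.type }}`. Even with the earlier 'Validate Release Type' step, whose body lies outside this hunk, the consistent form is `echo "Type: ${TYPE}"` with the same `env:` mapping on this step. `${{ env.current_version }}` on the following line can likewise be read as `${current_version}`, since it is already in the job environment. The step's run block continues past the end of the hunk.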
@@ -15,13 +15,9 @@ jobs: with: distribution: 'corretto' java-version: '17' - cache: 'gradle' - uses: gradle/wrapper-validation-action@v1 - name: Setup Gradle uses: gradle/gradle-build-action@v2.8.0 - - name: Run build (incl. test) - run: gradle build -x intTest --no-daemon - - name: Run integration tests - run: gradle intTest --no-daemon + run: ./gradlew intTest -x test --no-daemon diff --git a/.github/workflows/callable.publish-javadoc.yml b/.github/workflows/callable.publish-javadoc.yml index 8bb317d..f215099 100644 --- a/.github/workflows/callable.publish-javadoc.yml +++ b/.github/workflows/callable.publish-javadoc.yml @@ -18,13 +18,12 @@ jobs: with: distribution: 'corretto' java-version: '17' - cache: 'gradle' - uses: gradle/wrapper-validation-action@v1 - name: Setup Gradle uses: gradle/gradle-build-action@v2.8.0 - name: Run build (incl. test) - run: gradle javadoc + run: ./gradlew javadoc - name: Conclude javadoc version and set env run: | diff --git a/.github/workflows/callable.publish-sonatype.yml b/.github/workflows/callable.publish-sonatype.yml index 2427efa..002f8ed 100644 --- a/.github/workflows/callable.publish-sonatype.yml +++ b/.github/workflows/callable.publish-sonatype.yml 
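Review bot: The new `run: ./gradlew javadoc` line omits `--no-daemon`, unlike every other wrapper invocation introduced in this series. Unless a daemon is deliberately wanted here, `run: ./gradlew javadoc --no-daemon` keeps the workflows consistent with each other. The step that follows it ('Conclude javadoc version and set env') has its body cut off by the hunk.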
@@ -14,23 +14,22 @@ jobs: with: distribution: 'corretto' java-version: '17' - cache: 'gradle' - uses: gradle/wrapper-validation-action@v1 - name: Setup Gradle uses: gradle/gradle-build-action@v2.8.0 + # note the following two steps are identical but different names for better DX in GitHub Actions UI - name: Publish SNAPSHOT to Sonatype (Maven Central) if: github.ref == 'refs/heads/main' - run: gradle publishToSonatype closeAndReleaseSonatypeStagingRepository + run: ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository env: GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }} GPG_SIGNING_PASSPHRASE: ${{ secrets.GPG_SIGNING_PASSPHRASE }} OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }} - - name: Publish RELEASE to Sonatype (Maven Central) if: github.ref_type == 'tag' - run: gradle publishToSonatype closeAndReleaseSonatypeStagingRepository + run: ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository env: GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }} GPG_SIGNING_PASSPHRASE: ${{ secrets.GPG_SIGNING_PASSPHRASE }} From 356a133a545f6dc3a6b91267907bce0fc7a562c5 Mon Sep 17 00:00:00 2001 From: Hartmut Date: Mon, 18 Sep 2023 14:07:07 +0200 Subject: [PATCH 2/3] chore: remove 'gradle.lockfile' from .gitignore --- java-library-template/.gitignore | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 java-library-template/.gitignore diff --git a/java-library-template/.gitignore b/java-library-template/.gitignore deleted file mode 100644 index 06c581c..0000000 --- a/java-library-template/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -# gradle locking of dependency versions *required+used for trivy scan only, so do not add to source control -gradle.lockfile From 3b72191144bbf3fe2ec76518a6f1bcc4689521b3 Mon Sep 17 00:00:00 2001 
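Review bot: The 'Publish RELEASE' step is gated only on `github.ref_type == 'tag'`, so any tag pushed to a repository that calls this reusable workflow publishes to Maven Central with the GPG and OSSRH secrets, and nothing visible restricts the tag name or checks that the built version is not a `-SNAPSHOT` (nor, for the SNAPSHOT step, that it is one). A narrower condition such as `if: github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/v')`, combined with a protected GitHub environment with required reviewers on the release step, would keep an accidental or unauthorised tag from producing a signed release. The second step's `env:` block continues past the end of the hunk.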
From: Hartmut Date: Mon, 18 Sep 2023 14:30:00 +0200 Subject: [PATCH 3/3] ci: set cache r/w only for gradle/gradle-build-action --- .github/workflows/callable.build.yml | 2 + .../callable.code-analysis.codeql.yml | 60 ++++++++++--------- .../callable.code-analysis.trivy.yml | 2 + .github/workflows/callable.gradle-release.yml | 2 + .../workflows/callable.integration-test.yml | 2 + .../workflows/callable.publish-javadoc.yml | 2 + .../workflows/callable.publish-sonatype.yml | 2 + 7 files changed, 43 insertions(+), 29 deletions(-) diff --git a/.github/workflows/callable.build.yml b/.github/workflows/callable.build.yml index 8b98ae8..6229e9b 100644 --- a/.github/workflows/callable.build.yml +++ b/.github/workflows/callable.build.yml @@ -18,5 +18,7 @@ jobs: - uses: gradle/wrapper-validation-action@v1 - name: Setup Gradle uses: gradle/gradle-build-action@v2.8.0 + with: + cache-write-only: true - name: Run build (incl. test) run: ./gradlew build -x intTest --no-daemon diff --git a/.github/workflows/callable.code-analysis.codeql.yml b/.github/workflows/callable.code-analysis.codeql.yml index 19ab16a..70aefe0 100644 --- a/.github/workflows/callable.code-analysis.codeql.yml +++ b/.github/workflows/callable.code-analysis.codeql.yml 
@@ -19,36 +19,38 @@ jobs: security-events: write steps: - - name: Checkout repository - uses: actions/checkout@v4 + - name: Checkout repository + uses: actions/checkout@v4 - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: java - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: java + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - queries: security-extended,security-and-quality + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + queries: security-extended,security-and-quality - - uses: actions/setup-java@v3 - with: - distribution: 'corretto' - java-version: '17' - - uses: gradle/wrapper-validation-action@v1 - - name: Setup Gradle - uses: gradle/gradle-build-action@v2.8.0 - - name: Run build with Gradle Wrapper - run: | - ./gradlew build -x intTest --no-daemon - # ignore ./.gradle folder for analysis - rm -Rf .gradle + - uses: actions/setup-java@v3 + with: + 
distribution: 'corretto' + java-version: '17' + - uses: gradle/wrapper-validation-action@v1 + - name: Setup Gradle + uses: gradle/gradle-build-action@v2.8.0 + with: + cache-read-only: true + - name: Run build with Gradle Wrapper + run: | + ./gradlew build -x intTest --no-daemon + # ignore ./.gradle folder for analysis + rm -Rf .gradle - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - with: - category: "/language:${{matrix.language}}" + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/callable.code-analysis.trivy.yml b/.github/workflows/callable.code-analysis.trivy.yml index d9a6d14..031bdae 100644 --- a/.github/workflows/callable.code-analysis.trivy.yml +++ b/.github/workflows/callable.code-analysis.trivy.yml @@ -24,6 +24,8 @@ jobs: - uses: gradle/wrapper-validation-action@v1 - name: Setup Gradle uses: gradle/gradle-build-action@v2.8.0 + with: + cache-read-only: true - name: Generate gradle.lockfile for trivy scan run: gradle dependencies --write-locks diff --git a/.github/workflows/callable.gradle-release.yml b/.github/workflows/callable.gradle-release.yml index 1baeae3..78d26e1 100644 --- a/.github/workflows/callable.gradle-release.yml +++ b/.github/workflows/callable.gradle-release.yml @@ -34,6 +34,8 @@ jobs: - uses: gradle/wrapper-validation-action@v1 - name: Setup Gradle uses: gradle/gradle-build-action@v2.8.0 + with: + cache-read-only: true - name: Get current version run: | diff --git a/.github/workflows/callable.integration-test.yml b/.github/workflows/callable.integration-test.yml index 89ac44a..5635554 100644 --- a/.github/workflows/callable.integration-test.yml +++ b/.github/workflows/callable.integration-test.yml 
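Review bot: `category: "/language:${{matrix.language}}"` on the analyze step references a matrix, but the init step hardcodes `languages: java` and no `strategy.matrix` is visible in the hunk; if none is defined above it, the expression expands to an empty string and every upload lands in the category `/language:`. Either write the literal, `category: "/language:java"`, or add `strategy: matrix: language: [java]` and use `languages: ${{ matrix.language }}` in init so the two stay in step. The re-indentation makes this hunk show every line as changed, which hides that only `cache-read-only: true` is new.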
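Review bot: The 'Generate gradle.lockfile for trivy scan' step still runs `gradle dependencies --write-locks` with whatever `gradle` binary the runner provides, while the rest of this series moved builds onto the validated wrapper (`./gradlew`); the lockfile Trivy scans may therefore be resolved by a different Gradle version than the one the project builds with, and the step sidesteps the `wrapper-validation-action` check above it. Change it to `run: ./gradlew dependencies --write-locks --no-daemon`. Note also that `--write-locks` regenerates the lockfile from a fresh resolution on every run, so the scan reflects what resolves today rather than any lockfile committed to the repository.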
@@ -18,6 +18,8 @@ jobs: - uses: gradle/wrapper-validation-action@v1 - name: Setup Gradle uses: gradle/gradle-build-action@v2.8.0 + with: + cache-read-only: true - name: Run integration tests run: ./gradlew intTest -x test --no-daemon diff --git a/.github/workflows/callable.publish-javadoc.yml b/.github/workflows/callable.publish-javadoc.yml index f215099..26c4eab 100644 --- a/.github/workflows/callable.publish-javadoc.yml +++ b/.github/workflows/callable.publish-javadoc.yml @@ -21,6 +21,8 @@ jobs: - uses: gradle/wrapper-validation-action@v1 - name: Setup Gradle uses: gradle/gradle-build-action@v2.8.0 + with: + cache-read-only: true - name: Run build (incl. test) run: ./gradlew javadoc diff --git a/.github/workflows/callable.publish-sonatype.yml b/.github/workflows/callable.publish-sonatype.yml index 002f8ed..b228b94 100644 --- a/.github/workflows/callable.publish-sonatype.yml +++ b/.github/workflows/callable.publish-sonatype.yml @@ -17,6 +17,8 @@ jobs: - uses: gradle/wrapper-validation-action@v1 - name: Setup Gradle uses: gradle/gradle-build-action@v2.8.0 + with: + cache-read-only: true # note the following two steps are identical but different names for better DX in GitHub Actions UI - name: Publish SNAPSHOT to Sonatype (Maven Central)