chore: upgrade ci workflows
- feat: ship dependency graph to github
- feat: generate provenance on release
- chore: use zulu 20 instead of gvm
sgammon committed Jul 30, 2023
1 parent 6398363 commit 82c9e41
Showing 3 changed files with 59 additions and 23 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/pr.yml
Expand Up @@ -23,7 +23,8 @@ jobs:
name: "Build (${{ matrix.label }})"

permissions:
contents: "read"
actions: "read"
contents: "write"
id-token: "write"
checks: "write"
pull-requests: "write"
Expand Down Expand Up @@ -66,7 +67,6 @@ jobs:
label: ${{ matrix.label }}
flags: ${{ matrix.flags }}
experimental: ${{ matrix.experimental }}
gvm: ${{ matrix.gvm }}
java: ${{ matrix.java }}
coverage: ${{ matrix.coverage }}

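Review bot: The widened `contents: "write"` and `id-token: "write"` under `permissions:` apply to the whole Build job, which runs the pull request's Gradle build, not only to the provenance job the commit adds in step.build.yml; for same-repository PRs that gives PR-controlled build scripts a write-capable GITHUB_TOKEN and the ability to mint OIDC tokens (fork PRs are already capped to read-only by GitHub). A caller's job-level grant is only a ceiling for a reusable workflow, so the called build job in step.build.yml can still declare `contents: read` for itself and leave `contents: write` to its `provenance` job, which already requests it; whether the build job's own `contents` line exists is not visible here. It is also worth confirming against the generator's documented permissions whether `contents: write` is needed at all when `upload-assets: false`, as the PR path sets it. The enclosing job definition starts above and continues below the hunk.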
38 changes: 27 additions & 11 deletions .github/workflows/step.build.yml
Expand Up @@ -16,14 +16,10 @@ on:
required: false
type: string
default: "--no-configuration-cache"
gvm:
required: false
type: string
default: ${{ vars.GVM_VERSION }}
java:
required: false
type: string
default: ${{ vars.JVM_VERSION }}
default: 20
coverage:
required: false
type: boolean
Expand Down Expand Up @@ -64,11 +60,14 @@ jobs:
checks: "write"
pull-requests: "write"

outputs:
hashes: ${{ steps.hash.outputs.hashes }}

steps:
- name: "Setup: Checkout"
uses: actions/checkout@v3
- name: "Setup: Cache"
uses: actions/cache@v3
uses: buildjet/cache@v3
with:
key: ${{ runner.os }}-gradle-${{ hashFiles('*.gradle.kts') }}-${{ hashFiles('gradle/libs.versions.toml') }}
restore-keys: |
Expand All @@ -77,12 +76,11 @@ jobs:
~/.sonar/cache
~/.konan
~/.gradle/caches
- name: "Setup: GraalVM"
uses: graalvm/setup-graalvm@v1
- name: "Setup: Zulu 20"
uses: buildjet/setup-java@v3
with:
version: ${{ inputs.gvm }}
java-version: ${{ inputs.java }}
github-token: ${{ secrets.GITHUB_TOKEN }}
distribution: 'zulu'
java-version: '20'
- name: "Build and Test"
uses: gradle/gradle-build-action@v2
id: gradlebuild
Expand All @@ -91,6 +89,7 @@ jobs:
cache-read-only: ${{ github.ref != 'refs/heads/main' && github.ref != 'refs/heads/master' && github.ref != 'refs/heads/beta' }}
gradle-version: wrapper
gradle-home-cache-cleanup: true
dependency-graph: generate
gradle-home-cache-includes: |
caches
notifications
Expand All @@ -107,6 +106,10 @@ jobs:
--dependency-verification=lenient
-Pci=true
${{ inputs.flags }}
- name: "Build: Provenance Subject"
id: hash
run: |
echo "hashes=$(sha256sum ./build/libs/* | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: "Analysis: Build Reports"
uses: actions/upload-artifact@v3
if: failure() || success()
Expand All @@ -120,3 +123,16 @@ jobs:
- name: "Analysis: Coverage"
if: ${{ inputs.coverage }}
uses: codecov/codecov-action@v3

## Report: Provenance
provenance:
name: Provenance
needs: [build]
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: false
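Review bot: The "Build: Provenance Subject" step computes the SLSA subject inside a command substitution, so if `sha256sum ./build/libs/*` fails (no artifacts, unmatched glob) the `echo` still exits 0 and the `hashes` output — and therefore the signed provenance — is built from an empty or error string; I would write `set -eo pipefail`, then `hashes=$(sha256sum ./build/libs/* | base64 -w0)` on its own line, then `echo "hashes=${hashes}" >> "$GITHUB_OUTPUT"`, so a failed hash aborts the job before provenance is generated. The identical step in step.publish.yml has the same issue, and there `base64 -w0` may not be available on the macOS matrix leg (BSD base64 has no `-w`). Separately, the `java` input is kept with `default: 20` but the "Setup: Zulu 20" step hard-codes `java-version: '20'` and no longer reads `${{ inputs.java }}`, so the input is now dead; either drop it or pass it through. The build job and the `on:` block both start above their hunks.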
40 changes: 30 additions & 10 deletions .github/workflows/step.publish.yml
Expand Up @@ -115,10 +115,13 @@ jobs:
id-token: write
contents: read

outputs:
hashes: ${{ steps.hash.outputs.hashes }}

strategy:
fail-fast: false
matrix:
runner: [macOS-latest, windows-latest-8-cores, ubuntu-latest-4-cores]
runner: [macOS-latest, windows-latest, ubuntu-latest]
include:
- runner: macOS-latest
flags: "--no-configuration-cache"
Expand All @@ -127,14 +130,14 @@ jobs:
gvm: ${{ vars.GVM_VERSION }}
java: ${{ vars.JVM_VERSION }}
target: publishMac
- runner: windows-latest-8-cores
- runner: windows-latest
flags: "--no-configuration-cache"
os: "windows"
label: "Windows"
gvm: ${{ vars.GVM_VERSION }}
java: ${{ vars.JVM_VERSION }}
target: publishWindows
- runner: ubuntu-latest-4-cores
- runner: ubuntu-latest
flags: "--no-configuration-cache"
os: "linux"
label: "Linux"
Expand All @@ -146,7 +149,7 @@ jobs:
- name: "Setup: Checkout"
uses: actions/checkout@v3
- name: "Setup: Cache"
uses: actions/cache@v3
uses: buildjet/cache@v3
with:
key: ${{ runner.os }}-gradle-${{ hashFiles('*.gradle.kts') }}-${{ hashFiles('gradle/libs.versions.toml') }}
restore-keys: |
Expand All @@ -166,19 +169,19 @@ jobs:
uses: 'google-github-actions/setup-gcloud@v1'
with:
version: '${{ vars.GCLOUD_VERSION }}'
- name: "Setup: GraalVM"
uses: graalvm/setup-graalvm@v1
- name: "Setup: Zulu 20"
uses: buildjet/setup-java@v3
with:
version: ${{ matrix.gvm }}
java-version: ${{ matrix.java }}
github-token: ${{ secrets.GITHUB_TOKEN }}
distribution: 'zulu'
java-version: '20'
- name: "Publish (${{ matrix.label }})"
uses: gradle/gradle-build-action@v2
id: publish
with:
cache-read-only: true
gradle-version: wrapper
gradle-home-cache-cleanup: true
dependency-graph: generate-and-submit
gradle-home-cache-includes: |
caches
notifications
Expand All @@ -198,6 +201,10 @@ jobs:
--${{ inputs.logLevel }}
${{ inputs.flags }}
${{ matrix.flags }}
- name: "Build: Provenance Subject"
id: hash
run: |
echo "hashes=$(sha256sum ./build/libs/* | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: "Artifacts: Libraries"
uses: actions/upload-artifact@v3
if: failure() || success()
Expand All @@ -210,6 +217,19 @@ jobs:
uses: actions/upload-artifact@v3
if: failure() || success()
with:
name: libraries
name: reports
path: |
build/reports/
## Report: Provenance
provenance:
name: Provenance
needs: [publish]
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: true
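Review bot: The new `provenance` job declares `needs: [publish]` but reads `${{ needs.build.outputs.hashes }}`; there is no `build` job in its `needs`, so the expression resolves to empty and the generator is invoked with no subjects (or fails), which for a release with `upload-assets: true` means either no provenance or provenance covering nothing — it should read `base64-subjects: "${{ needs.publish.outputs.hashes }}"`. The publish job is also a three-runner matrix, and a matrix job's `outputs` hold whichever leg wrote last, so at most one OS's `./build/libs/*` would be attested even once the reference is fixed; a per-OS output or an aggregation step would be needed for full coverage. Finally, `dependency-graph: generate-and-submit` is set on a job whose visible permissions include `contents: read`, and gradle-build-action documents submission as requiring `contents: write`, so that submission is likely to be rejected — worth confirming. The publish job begins above the first hunk.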
