fix: build caching in ci, codeql

Signed-off-by: Sam Gammon <sam@elide.ventures>
elide-dev · Feb 14, 2024 · 58eb3e1 · 58eb3e1
1 parent a20da7d
commit 58eb3e1
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 11 deletions.
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -1,6 +1,6 @@
 name: "CodeQL"
 
-languages: java, javascript
+languages: javascript-typescript
 
 queries:
   - uses: security-and-quality
@@ -13,3 +13,5 @@ paths-ignore:
   - build
   - samples
   - tools/plugin
+  - packages/embedded
+  - packages/nfi
diff --git a/.github/workflows/checks.codeql.yml b/.github/workflows/checks.codeql.yml
@@ -35,10 +35,6 @@ jobs:
       actions: read
       contents: read
       security-events: write
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ["javascript-typescript"]
     steps:
       - name: "Setup: Harden Runner"
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@@ -65,6 +61,7 @@ jobs:
         uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
         with:
           config-file: ./.github/codeql/codeql-config.yml
+          fail-on-severity: "error"
       - name: "Setup: Artifacts"
         uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
         continue-on-error: true
@@ -73,6 +70,9 @@ jobs:
       - name: "Analysis: Build"
         uses: gradle/actions/setup-gradle@v3.1.0
         continue-on-error: true
+        env:
+          CI: true
+          BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
         with:
           cache-read-only: true
           cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
@@ -85,8 +85,3 @@ jobs:
       - name: "Analysis: CodeQL"
         uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
         continue-on-error: true
-        with:
-          languages: ${{ matrix.language }}
-          queries: ./.github/codeql/queries
-          config-file: ./.github/codeql/codeql-config.yml
-          fail-on-severity: "error"
diff --git a/.github/workflows/checks.sonar.yml b/.github/workflows/checks.sonar.yml
@@ -25,6 +25,9 @@ name: Sonar
       BUILDLESS_APIKEY:
         description: "Buildless API key"
         required: false
+      GRADLE_CONFIGURATION_KEY:
+        description: "Gradle cache key"
+        required: false
 
 permissions:
   contents: "read"
@@ -68,6 +71,9 @@ jobs:
       - name: "Analysis: Sonar"
         uses: gradle/actions/setup-gradle@v3.1.0
         continue-on-error: true
+        env:
+          CI: true
+          BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
         with:
           cache-read-only: true
           cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}

diff --git a/.github/workflows/job.build.yml b/.github/workflows/job.build.yml
@@ -238,6 +238,7 @@ jobs:
         continue-on-error: ${{ matrix.mode == 'labs' }}
         env:
           CI: true
+          BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
         with:
           cache-read-only: false
           cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
@@ -403,6 +404,7 @@ jobs:
         uses: gradle/actions/setup-gradle@v3.1.0
         env:
           CI: true
+          BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
           TEST_EXCEPTIONS: true
         with:
           cache-read-only: false
@@ -446,6 +448,7 @@ jobs:
         env:
           CI: true
           TEST_EXCEPTIONS: true
+          BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
         with:
           cache-read-only: true
           cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
@@ -572,6 +575,7 @@ jobs:
         continue-on-error: true
         env:
           CI: true
+          BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
         with:
           cache-read-only: true
           cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
@@ -699,6 +703,7 @@ jobs:
         uses: gradle/actions/setup-gradle@v3.1.0
         env:
           CI: true
+          BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
         with:
           cache-read-only: true
           cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
@@ -847,6 +852,7 @@ jobs:
         uses: gradle/actions/setup-gradle@v3.1.0
         env:
           CI: true
+          BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
         with:
           cache-read-only: true
           cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}

diff --git a/.github/workflows/on.pr.yml b/.github/workflows/on.pr.yml
@@ -217,6 +217,7 @@ jobs:
     if: fromJson(needs.triage.outputs.srcs)
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      GRADLE_CONFIGURATION_KEY: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
       BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
     permissions:
       contents: "read"
@@ -231,6 +232,7 @@ jobs:
     if: fromJson(needs.triage.outputs.packages)
     secrets:
       BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
+      GRADLE_CONFIGURATION_KEY: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
     permissions:
       actions: "read"
       contents: "read"
@@ -247,5 +249,6 @@ jobs:
     secrets:
       QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
       BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
+      GRADLE_CONFIGURATION_KEY: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
     permissions:
       contents: "read"
diff --git a/settings.gradle.kts b/settings.gradle.kts
@@ -261,7 +261,7 @@ val cachePush: String? by settings
 
 buildless {
   localCache {
-    enabled = true
+    enabled = System.getenv("CI") != "true"
   }
 
   remoteCache {