diff --git a/.github/workflows/codeql.ci.yml b/.github/workflows/checks.codeql.yml
similarity index 95%
rename from .github/workflows/codeql.ci.yml
rename to .github/workflows/checks.codeql.yml
index 02cbde7ea..14dbaafca 100644
--- a/.github/workflows/codeql.ci.yml
+++ b/.github/workflows/checks.codeql.yml
@@ -1,6 +1,6 @@
 name: "CodeQL"
-on:
+"on":
 workflow_dispatch: {}
 workflow_call: {}
 push:
@@ -35,8 +35,8 @@ jobs:
 - name: "Setup: GraalVM (Java 21)"
 uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1
 with:
- distribution: 'graalvm'
- java-version: '21'
+ distribution: "graalvm"
+ java-version: "21"
 github-token: ${{ secrets.GITHUB_TOKEN }}
 - name: "Setup: Initialize CodeQL"
 uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/checks.gradle-wrapper.yml
similarity index 87%
rename from .github/workflows/gradle-wrapper-validation.yml
rename to .github/workflows/checks.gradle-wrapper.yml
index 75ba990a7..c60294b67 100644
--- a/.github/workflows/gradle-wrapper-validation.yml
+++ b/.github/workflows/checks.gradle-wrapper.yml
@@ -1,11 +1,8 @@
 name: Validate Gradle Wrapper
-on:
- push:
- branches:
- - main
- pull_request:
- branches:
- - "*"
+
+"on":
+ workflow_dispatch: {}
+ workflow_call: {}
 permissions:
 contents: read
@@ -19,7 +16,6 @@ jobs:
 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
 with:
 egress-policy: audit
-
 - name: Checkout latest code
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
 - name: Validate Gradle Wrapper
diff --git a/.github/workflows/model.ci.yml b/.github/workflows/checks.model.yml
similarity index 70%
rename from .github/workflows/model.ci.yml
rename to .github/workflows/checks.model.yml
index bd375d6cf..a96220122 100644
--- a/.github/workflows/model.ci.yml
+++ b/.github/workflows/checks.model.yml
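Review bot: Wrapper validation now runs only when dispatched or called, and nothing in this commit calls it: the new on.pr.yml invokes job.build.yml, checks.model.yml and checks.codeql.yml only, and on.push.yml declares no jobs, so the gradle-wrapper check stops gating pull requests once this lands. The same gap applies to the bench, copybara and site workflows, whose push/pull_request triggers are removed in later hunks without a caller being added. Either keep a `pull_request:` trigger on this file or add a job to on.pr.yml with `uses: ./.github/workflows/checks.gradle-wrapper.yml` so wrapper integrity is still verified before merge.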
@@ -1,12 +1,45 @@
 name: Model
-on:
- push:
- branches:
- - main
- - stable
- pull_request:
- types: [labeled, opened, reopened, synchronize]
+"on":
+ workflow_dispatch:
+ inputs:
+ lint:
+ description: "Lint"
+ type: boolean
+ required: false
+ default: true
+ breakcheck:
+ description: "Break-check"
+ type: boolean
+ required: false
+ default: true
+ push:
+ description: "Push"
+ type: boolean
+ required: false
+ default: false
+
+ workflow_call:
+ inputs:
+ lint:
+ description: "Lint"
+ type: boolean
+ required: false
+ default: true
+ breakcheck:
+ description: "Break-check"
+ type: boolean
+ required: false
+ default: true
+ push:
+ description: "Push"
+ type: boolean
+ required: false
+ default: false
+ secrets:
+ BUF_TOKEN:
+ description: "Buf push token"
+ required: false
 permissions:
 contents: read
@@ -16,7 +49,9 @@ jobs:
 ## Job: Buf Lint
 ##
 buf-lint:
+ name: "Protocol: Lint"
 runs-on: ubuntu-latest
+ if: inputs.lint
 defaults:
 run:
 shell: bash
@@ -43,7 +78,9 @@ jobs:
 ## Job: Buf Breaking
 ##
 buf-breaking:
+ name: "Protocol: Break-check"
 runs-on: ubuntu-latest
+ if: inputs.breakcheck
 defaults:
 run:
 shell: bash
@@ -73,17 +110,19 @@ jobs:
 ## Job: Buf Push
 ##
 buf-push:
+ name: "Protocol: Push"
 runs-on: ubuntu-latest
+ if: inputs.push
 defaults:
 run:
 shell: bash
 needs: ["buf-lint", "buf-breaking"]
- if: |
- (
- github.ref == 'refs/heads/stable' ||
- github.ref == 'refs/heads/main' ||
- startsWith(github.ref, 'refs/tags/v')
- )
+# if: |
+# (
+# github.ref == 'refs/heads/stable' ||
+# github.ref == 'refs/heads/main' ||
+# startsWith(github.ref, 'refs/tags/v')
+# )
 permissions:
 contents: "read"
 steps:
diff --git a/.github/workflows/qodana.ci.yml b/.github/workflows/checks.qodana.yml
similarity index 96%
rename from .github/workflows/qodana.ci.yml
rename to .github/workflows/checks.qodana.yml
index fc6474262..c8ef08411 100644
--- a/.github/workflows/qodana.ci.yml
+++ b/.github/workflows/checks.qodana.yml
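Review bot: The `buf-push` job is now gated on `inputs.push` alone; the removed condition additionally required the ref to be stable, main or a v-tag, so a workflow_dispatch run from any branch with push=true would publish that branch's protocol definitions to the registry with BUF_TOKEN. Keep the ref guard alongside the input, e.g. `if: inputs.push && (github.ref == 'refs/heads/stable' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))`. The commented-out copy of the old condition directly below it can then be dropped, since git history already holds it. The steps of buf-push continue outside this hunk.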
@@ -1,5 +1,6 @@
 name: Qodana
-on:
+
+"on":
 workflow_dispatch: {}
 workflow_call: {}
@@ -20,7 +21,7 @@ jobs:
 - name: "Setup: GraalVM (Java 21)"
 uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1
 with:
- distribution: 'graalvm'
+ distribution: "graalvm"
 java-version: 21
 check-for-updates: false
 github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/checks.scorecards.yml
similarity index 96%
rename from .github/workflows/scorecards.yml
rename to .github/workflows/checks.scorecards.yml
index d1a72b2c5..a883661fc 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/checks.scorecards.yml
@@ -2,17 +2,18 @@
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.
-name: Scorecard supply-chain security
-on:
+name: Scorecard
+
+"on":
 # For Branch-Protection check. Only the default branch is supported. See
 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
- branch_protection_rule:
+ branch_protection_rule: {}
 # To guarantee Maintained check is occasionally updated. See
 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
 schedule:
- - cron: '20 7 * * 2'
- push:
- branches: ["v3"]
+ - cron: "20 7 * * 2"
+ workflow_dispatch: {}
+ workflow_call: {}
 # Declare default permissions as read only.
 permissions: read-all
diff --git a/.github/workflows/bench.ci.yml b/.github/workflows/job.bench.yml
similarity index 96%
rename from .github/workflows/bench.ci.yml
rename to .github/workflows/job.bench.yml
index 93972b326..ae400e7a6 100644
--- a/.github/workflows/bench.ci.yml
+++ b/.github/workflows/job.bench.yml
@@ -1,11 +1,8 @@
 name: Benchmark
-on:
- push:
- branches:
- - stable
- pull_request:
- types: [opened, reopened, synchronize]
+"on":
+ workflow_dispatch: {}
+ workflow_call: {}
 env:
 BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
@@ -68,7 +65,7 @@ jobs:
 if: ${{ matrix.engine == 'graalvm' }}
 with:
 components: "native-image,js,wasm"
- distribution: 'graalvm'
+ distribution: "graalvm"
 java-version: ${{ matrix.java }}
 github-token: ${{ secrets.GITHUB_TOKEN }}
 - name: "Setup: Zulu"
diff --git a/.github/workflows/build.ci.yml b/.github/workflows/job.build.yml
similarity index 79%
rename from .github/workflows/build.ci.yml
rename to .github/workflows/job.build.yml
index b36adc742..cad4e59cc 100644
--- a/.github/workflows/build.ci.yml
+++ b/.github/workflows/job.build.yml
@@ -1,13 +1,139 @@
 name: Framework
-on:
- push:
- branches:
- - stable
- - main
- pull_request:
- types: [opened, reopened, synchronize]
- merge_group: {}
+"on":
+ workflow_dispatch:
+ inputs:
+ ## Input: Enable Tests
+ tests:
+ description: "Tests"
+ type: boolean
+ default: true
+
+ ## Input: Enable Native Targets
+ native:
+ description: "Native"
+ type: boolean
+ default: false
+
+ ## Input: Enable Release Targets
+ release:
+ description: "Release"
+ type: boolean
+ default: false
+
+ ## Input: Publish Libraries
+ publish:
+ description: "Publish"
+ type: boolean
+ default: false
+
+ ## Input: Deploy Samples
+ deploy:
+ description: "Deploy"
+ type: boolean
+ default: false
+
+ ## Input: Enable Container Targets
+ containers:
+ description: "Containers"
+ type: boolean
+ default: false
+
+ ## Input: Enable Provenance
+ provenance:
+ description: "Provenance"
+ type: boolean
+ default: true
+
+ ## Input: Enable macOS
+ macos:
+ description: "Enable macOS"
+ type: boolean
+ default: false
+
+ ## Input: Enable Windows
+ windows:
+ description: "Enable Windows"
+ type: boolean
+ default: false
+
+ ## Input: Runner
+ runner:
+ description: "Runner"
+ type: string
+ default: ubuntu-latest
+
+ workflow_call:
+ inputs:
+ tests:
+ description: "Tests"
+ type: boolean
+ default: true
+ native:
+ description: "Native"
+ type: boolean
+ default: false
+ release:
+ description: "Release"
+ type: boolean
+ default: false
+ containers:
+ description: "Containers"
+ type: boolean
+ default: false
+ publish:
+ description: "Publish"
+ type: boolean
+ default: false
+ deploy:
+ description: "Deploy"
+ type: boolean
+ default: false
+ provenance:
+ description: "Provenance"
+ type: boolean
+ default: true
+ macos:
+ description: "Enable macOS"
+ type: boolean
+ default: false
+ windows:
+ description: "Enable Windows"
+ type: boolean
+ default: false
+ runner:
+ description: "Runner to use"
+ type: string
+ default: ubuntu-latest
+ runner_large:
+ description: "Runner (Large)"
+ type: string
+ default: ubuntu-latest-8-cores
+ runner_large_macos:
+ description: "Runner (Large, macOS)"
+ type: string
+ default: macos-13-xl
+ runner_large_windows:
+ description: "Runner (Large, Windows)"
+ type: string
+ default: windows-latest-8-cores
+
+ secrets:
+ BUILDLESS_APIKEY:
+ required: false
+ description: "Buildless API Key"
+ BUILDBOT_SERVICE_ACCOUNT:
+ required: false
+ description: "GCP Service Account"
+ BUILDBOT_GHCR_TOKEN:
+ required: false
+ description: "GHCR Token"
+ SONAR_TOKEN:
+ required: false
+ description: "Sonar token"
+ CODECOV_TOKEN:
+ required: false
+ description: "Codecov token"
 env:
 GRADLE_CACHE_LOCAL: false
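Review bot: The workflow_dispatch inputs declare only `runner`, while the workflow_call inputs also declare `runner_large`, `runner_large_macos` and `runner_large_windows`; later hunks in this file (the cli-build-debug and cli-build-release matrices and tests-native) read `inputs.runner_large*` directly, so a dispatched run resolves those to an empty `runs-on`. Declare the same three inputs with the same defaults under workflow_dispatch, or give every consumer a fallback the way docker-jvm does, e.g. `runner: ["${{ inputs.runner_large || 'ubuntu-latest-8-cores' }}"]`. The dispatch block would also benefit from the per-input `## Input:` comments naming which downstream jobs each flag enables, since that is what a maintainer needs when choosing them.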
@@ -21,100 +147,30 @@ permissions:
 contents: read
 jobs:
- ##
- ## Job: Pre-flight Checks
- ##
- preflight-checks:
- name: "Pre-flight Checks"
- runs-on: ${{ vars.RUNNER_DEFAULT || 'ubuntu-latest' }}
- permissions:
- contents: "read"
- id-token: "write"
- checks: "write"
- packages: "read"
- pull-requests: "write"
- steps:
- - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
- with:
- egress-policy: audit
- - name: "Setup: Checkout"
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- submodules: true
- - name: "Setup: Buildless"
- uses: buildless/setup@30e82389418c7f17046606183bc4c78b2c8913e0 # v1.0.2
- - name: "Setup: GraalVM (Java 21)"
- uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1
- with:
- distribution: 'graalvm'
- java-version: '21'
- github-token: ${{ secrets.GITHUB_TOKEN }}
- - id: "auth"
- name: "Setup: Authorize Service Account"
- uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1
- with:
- credentials_json: "${{ secrets.BUILDBOT_SERVICE_ACCOUNT }}"
- create_credentials_file: true
- export_environment_variables: true
- cleanup_credentials: true
- - name: "Patch: Neutralize Yarn Lock"
- run: mv yarn.lock yarn.inert
- - name: "Check: Dependency Review"
- uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0
- continue-on-error: true
- if: github.event_name == 'pull_request'
- with:
- config-file: "./.github/dependency-review-config.yml"
- license-check: true
- vulnerability-check: true
- fail-on-severity: "low"
- base-ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref || 'v3' }}
- - name: "Patch: Restore Yarn Lock"
- run: mv yarn.inert yarn.lock
- - name: "Check: Library ABI"
- uses: gradle/gradle-build-action@3b1b3b9a2104c2b47fbae53f3938079c00c9bb87 # v3.0.0
- id: abicheck
- continue-on-error: ${{ contains(github.event.pull_request.labels.*.name, 'ci:api-check-bypass') }}
- env:
- CI: true
- GITHUB_ACTOR: ${{ env.GITHUB_ACTOR }}
- GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}
- with:
- cache-read-only: false
- arguments: |
- apiCheck
- --dependency-verification=lenient
- --no-daemon
- --warning-mode=none
- -Pelide.ci=true
- -PbuildDocs=false
- -PbuildSamples=false
- -PbuildDocsSite=false
-
 ##
 ## Job: Library Build
 ##
-
 gradle:
 strategy:
 fail-fast: false
 matrix:
 os: [Ubuntu]
- mode: ['Strict']
+ mode: ["Strict"]
 machine:
- - ${{ vars.RUNNER_DEFAULT || 'ubuntu-latest' }}
+ - ${{ inputs.runner }}
 provenance: [true]
- # macOS build is disabled.
- # include:
- # - os: macOS
- # mode: Strict
- # machine: macos-13
- # provenance: false
+ enabled: [true]
+ include:
+ - os: macOS
+ mode: Strict
+ machine: macos-13
+ provenance: false
+ enabled: ${{ inputs.macos }}
 name: "Build (${{ matrix.os }})"
 runs-on: ${{ matrix.machine }}
 continue-on-error: ${{ matrix.mode != 'Strict' }}
+ if: matrix.enabled
 permissions:
 contents: "write"
@@ -144,8 +200,8 @@ jobs:
 - name: "Setup: GraalVM (Java 21)"
 uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1
 with:
- distribution: 'graalvm'
- java-version: '21'
+ distribution: "graalvm"
+ java-version: "21"
 github-token: ${{ secrets.GITHUB_TOKEN }}
 - name: "Setup: Buildless"
 if: contains(matrix.machine, 'macos') == false
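Review bot: `if: matrix.enabled` on the `gradle` job reads the matrix context, which GitHub does not make available in a job-level `if` (only github, needs, vars and inputs are), so the workflow is likely to be rejected at parse time; and even where it evaluated, a job-level `if` cannot skip one matrix leg — the macOS `include` entry is always expanded. Gate the macOS leg by constructing the matrix from an expression (an earlier job emitting JSON consumed via `fromJSON`), or move the condition onto the job's steps as `if: matrix.enabled`, which is where the matrix context is valid. The `enabled: ${{ inputs.macos }}` field also deserves a one-line comment saying it exists only for that gating. The remainder of the gradle job lies outside this hunk.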
@@ -209,19 +265,20 @@ jobs:
 build/reports/**/*.*
 - name: "Build: Provenance Subject"
 id: hash
- if: ${{ matrix.os == 'ubuntu' }}
+ if: ${{ matrix.os == 'ubuntu' && inputs.provenance }}
 run: |
 echo "hashes=$(sha256sum ./packages/*/build/libs/* | base64 -w0)" >> "$GITHUB_OUTPUT"
 ## Report: Provenance
 provenance:
 name: Provenance
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+ if: inputs.provenance
 needs: [gradle]
 permissions:
- actions: read
- id-token: write
- contents: write
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+ actions: "read"
+ id-token: "write"
+ contents: "write"
 with:
 base64-subjects: "${{ needs.gradle.outputs.hashes }}"
 upload-assets: ${{ github.ref == 'refs/heads/stable' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'release/') || startsWith(github.ref, 'refs/tags/v') }}
@@ -231,8 +288,8 @@ jobs:
 ##
 tests:
 name: "Tests: All Suites"
- runs-on: ${{ vars.RUNNER_DEFAULT || 'ubuntu-latest' }}
- needs: [preflight-checks]
+ runs-on: ${{ inputs.runner }}
+ if: inputs.tests
 permissions:
 contents: "read"
@@ -255,8 +312,8 @@ jobs:
 - name: "Setup: GraalVM (Java 21)"
 uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1
 with:
- distribution: 'graalvm'
- java-version: '21'
+ distribution: "graalvm"
+ java-version: "21"
 github-token: ${{ secrets.GITHUB_TOKEN }}
 - id: "auth"
 name: "Setup: Authorize Service Account"
@@ -359,14 +416,13 @@ jobs:
 ##
 tests-native:
 name: "Tests: Native"
- runs-on: ${{ vars.RUNNER_LARGE || 'ubuntu-latest-8-cores' }}
- needs: [tests, preflight-checks]
- if: |
- (
- github.ref == 'refs/heads/stable' ||
- contains(github.event.pull_request.labels.*.name, 'ci:test-native') ||
- contains(github.event.head_commit.message, 'ci:test-native')
- )
+ runs-on: ${{ inputs.runner_large || 'ubuntu-latest-8-cores' }}
+ if: inputs.tests && inputs.native
+# (
+# github.ref == 'refs/heads/stable' ||
+# contains(github.event.pull_request.labels.*.name, 'ci:test-native') ||
+# contains(github.event.head_commit.message, 'ci:test-native')
+# )
 steps:
 - name: Harden Runner
@@ -380,8 +436,8 @@ jobs:
 - name: "Setup: GraalVM (Java 21)"
 uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1
 with:
- distribution: 'graalvm'
- java-version: '21'
+ distribution: "graalvm"
+ java-version: "21"
 github-token: ${{ secrets.GITHUB_TOKEN }}
 - name: "Setup: Buildless"
 uses: buildless/setup@30e82389418c7f17046606183bc4c78b2c8913e0 # v1.0.2
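Review bot: The commented-out block after `if: inputs.tests && inputs.native` is an orphaned fragment — its `# if: |` opening line is missing, unlike the equivalent blocks kept in the buf-push, cli-build-debug, cli-build-release, docker-jvm, docker-native, deploy-samples, publish-snapshot and publish-ossrh hunks. Git history already preserves the old ref/label conditions, so delete these commented copies rather than carrying them in every job; if the intent is to restore ref-based gating later, a single `# TODO: re-add ref/label gating (see history)` says that more clearly. `tests-native` also drops `needs: [tests, preflight-checks]`, so it no longer waits for the JVM suite to pass; if that ordering was deliberate, a comment on `if:` should say why.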
@@ -439,32 +495,33 @@ jobs:
 cli-build-debug:
 name: "CLI: Native (Debug, ${{ matrix.os }}, ${{ matrix.arch || 'amd64' }})"
 runs-on: ${{ matrix.runner }}
- needs: [preflight-checks, gradle]
+ needs: [gradle]
 continue-on-error: true
- if: |
- (
- github.ref == 'refs/heads/stable' ||
- startsWith(github.ref, 'release/') ||
- contains(github.event.pull_request.labels.*.name, 'ci:build-cli') ||
- contains(github.event.head_commit.message, 'ci:build-cli')
- )
+ if: inputs.native
+# if: |
+# (
+# github.ref == 'refs/heads/stable' ||
+# startsWith(github.ref, 'release/') ||
+# contains(github.event.pull_request.labels.*.name, 'ci:build-cli') ||
+# contains(github.event.head_commit.message, 'ci:build-cli')
+# )
 strategy:
 fail-fast: false
 matrix:
 os: ["Linux"]
 arch: ["amd64"]
- runner: ["ubuntu-latest-8-cores"]
+ runner: ["${{ inputs.runner_large }}"]
 labs: [false]
 tag: [linux-amd64]
 include:
 - os: Linux
- runner: ${{ vars.RUNNER_LARGE || 'ubuntu-latest-8-cores' }}
+ runner: ${{ inputs.runner_large }}
 arch: amd64
 labs: false
 tag: linux-amd64
 - os: macOS
- runner: macos-13-xl
+ runner: ${{ inputs.runner_large_macos }}
 arch: amd64
 labs: false
 tag: darwin-amd64
@@ -494,12 +551,12 @@ jobs:
 uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
 with:
 arch: ${{ matrix.arch }}
- cache: 'gradle'
+ cache: "gradle"
 - name: "Setup: GraalVM (Java 21)"
 uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1
 with:
- distribution: 'graalvm'
- java-version: '21'
+ distribution: "graalvm"
+ java-version: "21"
 github-token: ${{ secrets.GITHUB_TOKEN }}
 - name: "Setup: Node"
 uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
@@ -561,14 +618,15 @@ jobs:
 cli-build-release:
 name: "CLI: Native (Release, ${{ matrix.os }}, ${{ matrix.arch || 'amd64' }})"
 runs-on: ${{ matrix.runner }}
- needs: [preflight-checks, gradle]
+ needs: [gradle]
 continue-on-error: true
- if: |
- (
- github.ref == 'refs/heads/stable' ||
- contains(github.event.pull_request.labels.*.name, 'ci:build-cli') ||
- contains(github.event.head_commit.message, 'ci:build-cli')
- )
+ if: inputs.native && inputs.release
+# if: |
+# (
+# github.ref == 'refs/heads/stable' ||
+# contains(github.event.pull_request.labels.*.name, 'ci:build-cli') ||
+# contains(github.event.head_commit.message, 'ci:build-cli')
+# )
 strategy:
 fail-fast: false
@@ -576,22 +634,22 @@ jobs:
 os: ["Linux"]
 arch: ["amd64"]
 runner:
- - ${{ vars.RUNNER_LARGE || 'ubuntu-latest-8-cores' }}
+ - ${{ inputs.runner_large }}
 labs: [false]
 tag: [linux-amd64]
 include:
 - os: Linux
- runner: ${{ vars.RUNNER_LARGE || 'ubuntu-latest-8-cores' }}
+ runner: ${{ inputs.runner_large }}
 arch: amd64
 labs: false
 tag: linux-amd64
 - os: macOS
- runner: macos-13-xl
+ runner: ${{ inputs.runner_large_macos }}
 arch: amd64
 labs: false
 tag: darwin-amd64
 - os: Windows
- runner: windows-latest-8-cores
+ runner: ${{ inputs.runner_large_windows }}
 arch: amd64
 tag: windows-amd64
 labs: true
@@ -624,8 +682,8 @@ jobs:
 - name: "Setup: GraalVM (Java 21)"
 uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1
 with:
- distribution: 'graalvm'
- java-version: '21'
+ distribution: "graalvm"
+ java-version: "21"
 github-token: ${{ secrets.GITHUB_TOKEN }}
 - name: "Setup: Node"
 uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
@@ -666,14 +724,15 @@ jobs:
 ##
 docker-jvm:
 name: "Container: JVM"
- runs-on: ${{ vars.RUNNER || 'ubuntu-latest-8-cores' }}
- needs: [gradle, preflight-checks]
- if: |
- (
- github.ref == 'refs/heads/stable' ||
- contains(github.event.pull_request.labels.*.name, 'ci:build-img-jvm') ||
- contains(github.event.head_commit.message, 'ci:build-img-jvm')
- )
+ runs-on: ${{ inputs.runner_large || inputs.runner || 'ubuntu-latest-8-cores' }}
+ needs: [gradle]
+ if: inputs.containers
+# if: |
+# (
+# github.ref == 'refs/heads/stable' ||
+# contains(github.event.pull_request.labels.*.name, 'ci:build-img-jvm') ||
+# contains(github.event.head_commit.message, 'ci:build-img-jvm')
+# )
 permissions:
 contents: "read"
@@ -703,8 +762,8 @@ jobs:
 - name: "Setup: GraalVM (Java 21)"
 uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1
 with:
- distribution: 'graalvm'
- java-version: '21'
+ distribution: "graalvm"
+ java-version: "21"
 github-token: ${{ secrets.GITHUB_TOKEN }}
 - name: "Setup: QEMU"
 uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
@@ -769,15 +828,16 @@ jobs:
 docker-native:
 name: "Container: Native"
- runs-on: ${{ vars.RUNNER_LARGE || 'ubuntu-latest-8-cores' }}
+ runs-on: ${{ inputs.runner_large || inputs.runner || 'ubuntu-latest-8-cores' }}
 continue-on-error: true
- needs: [gradle, preflight-checks]
- if: |
- (
- github.ref == 'refs/heads/stable' ||
- contains(github.event.pull_request.labels.*.name, 'ci:build-img-native') ||
- contains(github.event.head_commit.message, 'ci:build-img-native')
- )
+ needs: [gradle]
+ if: inputs.containers && inputs.native
+# if: |
+# (
+# github.ref == 'refs/heads/stable' ||
+# contains(github.event.pull_request.labels.*.name, 'ci:build-img-native') ||
+# contains(github.event.head_commit.message, 'ci:build-img-native')
+# )
 permissions:
 contents: "read"
@@ -807,8 +867,8 @@ jobs:
 - name: "Setup: GraalVM (Java 21)"
 uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1
 with:
- distribution: 'graalvm'
- java-version: '21'
+ distribution: "graalvm"
+ java-version: "21"
 github-token: ${{ secrets.GITHUB_TOKEN }}
 - name: "Setup: QEMU"
 uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
@@ -885,13 +945,14 @@ jobs:
 deploy-samples:
 name: "Deploy"
 needs: [gradle, tests, docker-jvm, docker-native]
- if: |
- (
- contains(github.event.pull_request.labels.*.name, 'ci:deploy-samples') ||
- contains(github.event.pull_request.labels.*.name, 'ci:deploy') ||
- contains(github.event.head_commit.message, 'ci:deploy-samples') ||
- contains(github.event.head_commit.message, 'ci:deploy')
- )
+ if: inputs.release && inputs.deploy
+# if: |
+# (
+# contains(github.event.pull_request.labels.*.name, 'ci:deploy-samples') ||
+# contains(github.event.pull_request.labels.*.name, 'ci:deploy') ||
+# contains(github.event.head_commit.message, 'ci:deploy-samples') ||
+# contains(github.event.head_commit.message, 'ci:deploy')
+# )
 strategy:
 matrix:
@@ -908,7 +969,7 @@ jobs:
 statuses: "write"
 packages: "read"
- uses: ./.github/workflows/deploy.ci.yml
+ uses: ./.github/workflows/job.deploy.yml
 secrets: inherit
 with:
 path: "samples/${{ matrix.category }}/${{ matrix.app }}"
@@ -923,12 +984,13 @@ jobs:
 publish-snapshot:
 name: "Publish: Snapshot"
 needs: [gradle, tests]
- if: |
- (
- github.ref == 'refs/heads/stable' ||
- contains(github.event.pull_request.labels.*.name, 'ci:publish-snapshot') ||
- contains(github.event.head_commit.message, 'ci:publish-snapshot')
- )
+ if: inputs.publish
+# if: |
+# (
+# github.ref == 'refs/heads/stable' ||
+# contains(github.event.pull_request.labels.*.name, 'ci:publish-snapshot') ||
+# contains(github.event.head_commit.message, 'ci:publish-snapshot')
+# )
 permissions:
 contents: "read"
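Review bot: `deploy-samples` keeps `needs: [gradle, tests, docker-jvm, docker-native]` while `tests`, `docker-jvm` and `docker-native` are now conditional on `inputs.tests`, `inputs.containers` and `inputs.native`; a skipped dependency makes a dependent job skip under the default `success()` status check, so `if: inputs.release && inputs.deploy` never runs a deploy unless all of those inputs are also true. `publish-snapshot` in the last hunk of this span has the same coupling through `needs: [gradle, tests]`. Either document that requirement in the `deploy` and `publish` input descriptions, or make the dependency explicit, e.g. `if: !cancelled() && inputs.release && inputs.deploy && needs.gradle.result == 'success'` with the optional jobs' `result` values checked the same way. The deploy-samples matrix continues outside this hunk.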
@@ -939,7 +1001,7 @@ jobs:
 statuses: "write"
 packages: "write"
- uses: ./.github/workflows/publish.ci.yml
+ uses: ./.github/workflows/job.publish.yml
 secrets: inherit
 with:
 environment: snapshots
@@ -958,15 +1020,16 @@ jobs:
 publish-ossrh:
 name: "Publish: OSSRH"
 needs: [publish-snapshot]
- if: |
- (
- contains(github.event.pull_request.labels.*.name, 'ci:publish') ||
- contains(github.event.head_commit.message, 'ci:publish')
- ) && (
- false
- ) && (
- startsWith(github.ref, 'refs/tags/v')
- )
+ if: inputs.release && inputs.publish
+# if: |
+# (
+# contains(github.event.pull_request.labels.*.name, 'ci:publish') ||
+# contains(github.event.head_commit.message, 'ci:publish')
+# ) && (
+# false
+# ) && (
+# startsWith(github.ref, 'refs/tags/v')
+# )
 permissions:
 contents: "read"
@@ -977,7 +1040,7 @@ jobs:
 statuses: "write"
 packages: "write"
- uses: ./.github/workflows/publish.ci.yml
+ uses: ./.github/workflows/job.publish.yml
 secrets: inherit
 with:
 environment: central
diff --git a/.github/workflows/copybara.ci.yml b/.github/workflows/job.copybara.yml
similarity index 95%
rename from .github/workflows/copybara.ci.yml
rename to .github/workflows/job.copybara.yml
index 44495497d..88115b565 100644
--- a/.github/workflows/copybara.ci.yml
+++ b/.github/workflows/job.copybara.yml
@@ -1,13 +1,8 @@
 name: "Copybara"
-on:
- push:
- branches:
- - v3
- - main
- - stable
- pull_request:
- types: [labeled, opened, reopened, synchronize]
+"on":
+ workflow_dispatch: {}
+ workflow_call: {}
 jobs:
 copybara-protocol:
diff --git a/.github/workflows/deploy.ci.yml b/.github/workflows/job.deploy.yml
similarity index 99%
rename from .github/workflows/deploy.ci.yml
rename to .github/workflows/job.deploy.yml
index cfab3e940..f1526cb20 100644
--- a/.github/workflows/deploy.ci.yml
+++ b/.github/workflows/job.deploy.yml
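Review bot: `publish-ossrh` previously carried an explicit `false` and a `startsWith(github.ref, 'refs/tags/v')` guard; the new `if: inputs.release && inputs.publish` drops both, so a workflow_dispatch on any branch with release=true and publish=true reaches the `job.publish.yml` call with `environment: central` and `secrets: inherit`. If the hard-disable was deliberate keep it visible (`if: false && inputs.release && inputs.publish`), and in any case restore the tag guard, e.g. `if: inputs.release && inputs.publish && startsWith(github.ref, 'refs/tags/v')`; a required-reviewer protection rule on the `central` environment would backstop this outside the YAML. `publish-snapshot` in the previous span likewise lost its stable-branch condition and now runs on `inputs.publish` alone.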
@@ -1,10 +1,6 @@
 name: Deployment
-concurrency:
- group: "deploy"
- cancel-in-progress: false
-
-on:
+"on":
 ## Deployment can be invoked from other workflows.
 workflow_call:
 inputs:
@@ -63,6 +59,10 @@ on:
 permissions:
 contents: read
+concurrency:
+ group: "deploy"
+ cancel-in-progress: false
+
 jobs:
 deployment:
 name: "Deploy (${{ inputs.environment }})"
diff --git a/.github/workflows/labeler.ci.yml b/.github/workflows/job.labeler.yml
similarity index 85%
rename from .github/workflows/labeler.ci.yml
rename to .github/workflows/job.labeler.yml
index ec7669712..850b2a8df 100644
--- a/.github/workflows/labeler.ci.yml
+++ b/.github/workflows/job.labeler.yml
@@ -1,7 +1,7 @@
-name: "Bot: Pull Request Labeler"
-on:
- pull_request:
- types: [opened, reopened]
+name: "Labeler"
+
+"on":
+ workflow_call: {}
 permissions:
 contents: read
@@ -17,7 +17,6 @@ jobs:
 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
 with:
 egress-policy: audit
-
 - name: "Bot: Labeler Triage"
 uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
 with:
diff --git a/.github/workflows/publish.ci.yml b/.github/workflows/job.publish.yml
similarity index 99%
rename from .github/workflows/publish.ci.yml
rename to .github/workflows/job.publish.yml
index 95ae5859f..016a85b4e 100644
--- a/.github/workflows/publish.ci.yml
+++ b/.github/workflows/job.publish.yml
@@ -4,7 +4,7 @@ concurrency:
 group: "publish"
 cancel-in-progress: false
-on:
+"on":
 ## Publish flows can be invoked from other workflows.
 workflow_call:
 inputs:
@@ -177,7 +177,7 @@ jobs:
 uses: graalvm/setup-graalvm@2a93b69fdf86ac5a078a98c1a707744632e1da94 # v1.1.5
 with:
 components: "native-image,js,wasm"
- distribution: 'graalvm'
+ distribution: "graalvm"
 java-version: 20
 github-token: ${{ secrets.GITHUB_TOKEN }}
 - name: "Setup: Signing Keys"
diff --git a/.github/workflows/site.ci.yml b/.github/workflows/job.site.yml
similarity index 97%
rename from .github/workflows/site.ci.yml
rename to .github/workflows/job.site.yml
index bf6d28f0a..de848e140 100644
--- a/.github/workflows/site.ci.yml
+++ b/.github/workflows/job.site.yml
@@ -1,18 +1,8 @@
 name: Site
-on:
- push:
- branches:
- - stable
- - v3
- - site/*
- pull_request:
- types: [labeled, opened, reopened, synchronize]
- branches:
- - stable
- - v3
- - site/*
- - release/*
+"on":
+ workflow_dispatch: {}
+ workflow_call: {}
 env:
 BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
@@ -51,7 +41,7 @@ jobs:
 uses: graalvm/setup-graalvm@2a93b69fdf86ac5a078a98c1a707744632e1da94 # v1.1.5
 with:
 components: "native-image,js,wasm"
- distribution: 'graalvm'
+ distribution: "graalvm"
 java-version: 20
 github-token: ${{ secrets.GITHUB_TOKEN }}
 - id: "auth"
@@ -172,7 +162,7 @@ jobs:
 uses: graalvm/setup-graalvm@2a93b69fdf86ac5a078a98c1a707744632e1da94 # v1.1.5
 with:
 components: "native-image,js,wasm"
- distribution: 'graalvm'
+ distribution: "graalvm"
 java-version: 20
 github-token: ${{ secrets.GITHUB_TOKEN }}
 - id: "auth"
diff --git a/.github/workflows/on.pr.yml b/.github/workflows/on.pr.yml
new file mode 100644
index 000000000..9ba745b0d
--- /dev/null
+++ b/.github/workflows/on.pr.yml
@@ -0,0 +1,193 @@
+name: PR
+
+"on":
+ pull_request:
+ types: [opened, reopened, synchronize]
+
+permissions:
+ contents: read
+
+concurrency:
+ group: "pr-${{ github.event.pull_request.number }}"
+ cancel-in-progress: true
+
+jobs:
+ ##
+ ## Job: Change Triage
+ ##
+ triage:
+ name: "Triage"
+ runs-on: ${{ vars.RUNNER_DEFAULT || 'ubuntu-latest' }}
+ permissions:
+ contents: "read"
+ outputs:
+ changes: ${{ steps.extract_branch.outputs.changes }}
+ branch: ${{ steps.extract_branch.outputs.branch }}
+ base: ${{ steps.filter.outputs.base }}
+ devcontainer: ${{ steps.filter.outputs.base }}
+ model: ${{ steps.filter.outputs.model }}
+ packages: ${{ steps.filter.outputs.packages }}
+ tools: ${{ steps.filter.outputs.tools }}
+ images: ${{ steps.filter.outputs.tools }}
+ steps:
+ - name: "Setup: Checkout"
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: "Triage: Branch Label"
+ id: extract_branch
+ shell: bash
+ run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
+ - name: "Triage: PR Labels"
+ uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
+ with:
+ repo-token: "${{ secrets.GITHUB_TOKEN }}"
+ - name: "Triage: PR Changes"
+ id: filter
+ uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0
+ with:
+ filters: |
+ base: &base
+ - ".version"
+ - ".release"
+ - ".github/workflows/*.*"
+ devcontainer: &ci
+ - *base
+ - ".devcontainer/*.*"
+ - ".devcontainer/**/*.*"
+ model: &model
+ - *base
+ - "proto/**/*.*"
+ packages:
+ - *base
+ - "packages"
+ - "packages/*"
+ - "packages/**/*.*"
+ tools:
+ - *base
+ - "tools"
+ - "tools/*"
+ - "tools/**/*.*"
+ images:
+ - *base
+ - "tools/images/*"
+ - "tools/images/*.*"
+ - "tools/images/**/*.*"
+
+ ##
+ ## Job: Pre-flight Checks
+ ##
+ preflight-checks:
+ name: "Pre-flight Checks"
+ runs-on: ${{ vars.RUNNER_DEFAULT || 'ubuntu-latest' }}
+ permissions:
+ contents: "read"
+ id-token: "write"
+ checks: "write"
+ packages: "read"
+ pull-requests: "write"
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+ - name: "Setup: Checkout"
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ submodules: true
+ - name: "Setup: Buildless"
+ uses: buildless/setup@v1.0.2
+ - name: "Setup: GraalVM (Java 21)"
+ uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1
+ with:
+ distribution: "graalvm"
+ java-version: "21"
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ - id: "auth"
+ name: "Setup: Authorize Service Account"
+ uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1
+ if: false # temporarily disabled
+ with:
+ credentials_json: "${{ secrets.BUILDBOT_SERVICE_ACCOUNT }}"
+ create_credentials_file: true
+ export_environment_variables: true
+ cleanup_credentials: true
+ - name: "Patch: Neutralize Yarn Lock"
+ run: mv yarn.lock yarn.inert
+ - name: "Check: Dependency Review"
+ uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0
+ continue-on-error: true
+ if: github.event_name == 'pull_request'
+ with:
+ config-file: "./.github/dependency-review-config.yml"
+ license-check: true
+ vulnerability-check: true
+ fail-on-severity: "low"
+ base-ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref || 'v3' }}
+ - name: "Patch: Restore Yarn Lock"
+ run: mv yarn.inert yarn.lock
+ - name: "Check: Library ABI"
+ uses: gradle/gradle-build-action@3b1b3b9a2104c2b47fbae53f3938079c00c9bb87 # v3.0.0
+ id: abicheck
+ if: steps.triage.outputs.packages
+ continue-on-error: ${{ contains(github.event.pull_request.labels.*.name, 'ci:api-check-bypass') }}
+ env:
+ CI: true
+ GITHUB_ACTOR: ${{ env.GITHUB_ACTOR }}
+ GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}
+ with:
+ cache-read-only: false
+ arguments: |
+ apiCheck
+ --dependency-verification=lenient
+ --no-daemon
+ --warning-mode=none
+ -Pelide.ci=true
+ -PbuildDocs=false
+ -PbuildSamples=false
+ -PbuildDocsSite=false
+
+ ##
+ ## Job: Multi-platform Build
+ ##
+ pr-build:
+ name: "Build"
+ uses: ./.github/workflows/job.build.yml
+ secrets: inherit
+ needs: [triage, preflight-checks]
+ if: steps.triage.outputs.model || steps.triage.outputs.packages || steps.triage.outputs.tools
+ permissions:
+ actions: "read"
+ contents: "write"
+ id-token: "write"
+ checks: "write"
+ packages: "write"
+ pull-requests: "write"
+ deployments: "write"
+ statuses: "write"
+ security-events: "write"
+ with:
+ tests: true
+ provenance: false
+
+ ##
+ ## Job: Checks for Models
+ ##
+ check-model:
+ name: "Checks"
+ uses: ./.github/workflows/checks.model.yml
+ secrets: inherit
+ needs: [triage, preflight-checks]
+ if: steps.triage.outputs.model
+ permissions:
+ contents: read
+
+ ##
+ ## Job: Checks with CodeQL
+ ##
+ check-codeql:
+ name: "Checks"
+ uses: ./.github/workflows/checks.codeql.yml
+ secrets: inherit
+ needs: [triage, preflight-checks, pr-build]
+ if: steps.triage.outputs.model || steps.triage.outputs.packages
diff --git a/.github/workflows/on.push.yml b/.github/workflows/on.push.yml
new file mode 100644
index 000000000..4774c0b4a
--- /dev/null
+++ b/.github/workflows/on.push.yml
@@ -0,0 +1,18 @@
+name: CI
+
+"on":
+ push:
+ branches:
+ - stable
+ - main
+ pull_request:
+ types: [opened, reopened, synchronize]
+ merge_group: {}
+
+permissions:
+ contents: read
+
+concurrency:
+ group: "push-${{ github.ref }}"
+
+jobs: []
diff --git a/.github/workflows/scheduled-checks.ci.yml b/.github/workflows/on.scheduled.yml
similarity index 98%
rename from .github/workflows/scheduled-checks.ci.yml
rename to .github/workflows/on.scheduled.yml
index 0e4242461..30b840b08 100644
--- a/.github/workflows/scheduled-checks.ci.yml
+++ b/.github/workflows/on.scheduled.yml
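Review bot: The job-level conditions on pr-build, check-model and check-codeql (`if: steps.triage.outputs.model || …`) and the `if: steps.triage.outputs.packages` on the abicheck step read the `steps` context of a different job; another job's outputs are reached through `needs`, and paths-filter emits the strings 'true'/'false' which are both truthy, so these should read `if: needs.triage.outputs.model == 'true' || needs.triage.outputs.packages == 'true'`, with `needs: [triage]` added to preflight-checks so the value exists there. The `triage` job also declares `devcontainer: ${{ steps.filter.outputs.base }}` and `images: ${{ steps.filter.outputs.tools }}`, which look like copy-paste slips for `filter.outputs.devcontainer` and `filter.outputs.images`, and runs actions/labeler under `contents: "read"` only, although applying labels needs `pull-requests: write`. `actions/checkout@v4` and `buildless/setup@v1.0.2` are the only mutable-tag references introduced by this commit while every other action is pinned to a commit SHA; pin them to the checkout v4.1.1 SHA already used in this file and to `buildless/setup@30e82389418c7f17046606183bc4c78b2c8913e0` as in job.build.yml. Finally, pr-build grants `contents: write`, `packages: write`, `id-token: write`, `deployments: write` and more to a pull_request-triggered run; on same-repo PRs that token is live, so trim the list to what job.build.yml actually uses with `tests: true` and `provenance: false`.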
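Review bot: `jobs: []` in on.push.yml is a YAML sequence, but the workflow schema expects `jobs` to be a mapping of job ids, so the file is likely to be rejected as invalid when loaded (an empty mapping may be rejected as well, since a workflow needs at least one job). Either add the jobs this entry point is meant to run or remove the file until they exist. As written it also triggers on `pull_request` with the same event types as on.pr.yml, so both workflows would run on every PR, and its `concurrency` has no `cancel-in-progress`, which queues superseded pushes rather than cancelling them; a `# TODO: wire job.* workflows` comment would at least flag the placeholder.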
@@ -1,14 +1,13 @@
 name: Checks
-on:
+"on":
 workflow_dispatch: {}
 push:
 branches:
 - stable
- - v3
- - feat/js-runtime-v3
+ - main
 schedule:
- - cron: '0 0-23/2 * * *'
+ - cron: "0 0-23/2 * * *"
 env:
 GRADLE_CACHE_LOCAL: false
@@ -151,7 +150,7 @@ jobs:
 uses: graalvm/setup-graalvm@2a93b69fdf86ac5a078a98c1a707744632e1da94 # v1.1.5
 with:
 components: "native-image,js,wasm"
- distribution: 'graalvm'
+ distribution: "graalvm"
 java-version: 20
 check-for-updates: ${{ matrix.os == 'ubuntu' }}
 github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/package.json b/package.json
index 55c288461..d37e80026 100644
--- a/package.json
+++ b/package.json
@@ -64,6 +64,7 @@
 "upgrade-node": "yarn upgrade-interactive",
 "upgrade-gradle": "gradle-upgrade-interactive",
 "prepare": "husky install",
+ "prettier": "prettier",
 "lint": "prettier --write . --plugin=prettier-plugin-sh --plugin=prettier-plugin-toml --plugin=prettier-plugin-properties --plugin=prettier-plugin-java",
 "lint:check": "prettier --check . --plugin=prettier-plugin-sh --plugin=prettier-plugin-toml --plugin=prettier-plugin-properties --plugin=prettier-plugin-java"
 }