diff --git a/.github/workflows/codeql.ci.yml b/.github/workflows/checks.codeql.yml similarity index 95% rename from .github/workflows/codeql.ci.yml rename to .github/workflows/checks.codeql.yml index 02cbde7ea..14dbaafca 100644 --- a/.github/workflows/codeql.ci.yml +++ b/.github/workflows/checks.codeql.yml @@ -1,6 +1,6 @@ name: "CodeQL" -on: +"on": workflow_dispatch: {} workflow_call: {} push: @@ -35,8 +35,8 @@ jobs: - name: "Setup: GraalVM (Java 21)" uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1 with: - distribution: 'graalvm' - java-version: '21' + distribution: "graalvm" + java-version: "21" github-token: ${{ secrets.GITHUB_TOKEN }} - name: "Setup: Initialize CodeQL" uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/checks.gradle-wrapper.yml similarity index 87% rename from .github/workflows/gradle-wrapper-validation.yml rename to .github/workflows/checks.gradle-wrapper.yml index 75ba990a7..c60294b67 100644 --- a/.github/workflows/gradle-wrapper-validation.yml +++ b/.github/workflows/checks.gradle-wrapper.yml @@ -1,11 +1,8 @@ name: Validate Gradle Wrapper -on: - push: - branches: - - main - pull_request: - branches: - - "*" + +"on": + workflow_dispatch: {} + workflow_call: {} permissions: contents: read @@ -19,7 +16,6 @@ jobs: uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: egress-policy: audit - - name: Checkout latest code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 - name: Validate Gradle Wrapper diff --git a/.github/workflows/model.ci.yml b/.github/workflows/checks.model.yml similarity index 95% rename from .github/workflows/model.ci.yml rename to .github/workflows/checks.model.yml index bd375d6cf..f46204a43 100644 --- a/.github/workflows/model.ci.yml +++ b/.github/workflows/checks.model.yml 
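Review bot: `checks.gradle-wrapper.yml` loses its `push`/`pull_request` triggers and keeps only `workflow_dispatch`/`workflow_call`, yet neither caller workflow added in this commit (`on.pr.yml`, `on.push.yml`) invokes it, so wrapper validation — the check that would flag a tampered `gradle-wrapper.jar` arriving in a pull request — no longer runs automatically. The same orphaning appears to apply to `checks.model.yml` (hunk on L2), `job.bench.yml` (L3), `job.copybara.yml` (L13), `job.labeler.yml` (L14) and `job.site.yml` (L15), unless a caller exists outside this diff; either add the calls in `on.pr.yml`/`on.push.yml` or keep the `pull_request` trigger on the wrapper check at least. Minor: the surviving context line `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3` labels that SHA as v3 while the same SHA is annotated `# v4.1.1` in the other workflows of this diff; the comment should read `# v4.1.1`.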
@@ -1,12 +1,8 @@ name: Model -on: - push: - branches: - - main - - stable - pull_request: - types: [labeled, opened, reopened, synchronize] +"on": + workflow_dispatch: {} + workflow_call: {} permissions: contents: read diff --git a/.github/workflows/qodana.ci.yml b/.github/workflows/checks.qodana.yml similarity index 96% rename from .github/workflows/qodana.ci.yml rename to .github/workflows/checks.qodana.yml index c17b0f0a8..13df5e9ae 100644 --- a/.github/workflows/qodana.ci.yml +++ b/.github/workflows/checks.qodana.yml @@ -1,5 +1,6 @@ name: Qodana -on: + +"on": workflow_dispatch: {} workflow_call: {} @@ -20,7 +21,7 @@ jobs: - name: "Setup: GraalVM (Java 21)" uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1 with: - distribution: 'graalvm' + distribution: "graalvm" java-version: 21 check-for-updates: false github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/scorecards.yml b/.github/workflows/checks.scorecards.yml similarity index 96% rename from .github/workflows/scorecards.yml rename to .github/workflows/checks.scorecards.yml index d1a72b2c5..a883661fc 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/checks.scorecards.yml @@ -2,17 +2,18 @@ # by a third-party and are governed by separate terms of service, privacy # policy, and support documentation. -name: Scorecard supply-chain security -on: +name: Scorecard + +"on": # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection - branch_protection_rule: + branch_protection_rule: {} # To guarantee Maintained check is occasionally updated. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - - cron: '20 7 * * 2' - push: - branches: ["v3"] + - cron: "20 7 * * 2" + workflow_dispatch: {} + workflow_call: {} # Declare default permissions as read only. permissions: read-all 
diff --git a/.github/workflows/bench.ci.yml b/.github/workflows/job.bench.yml similarity index 96% rename from .github/workflows/bench.ci.yml rename to .github/workflows/job.bench.yml index 93972b326..ae400e7a6 100644 --- a/.github/workflows/bench.ci.yml +++ b/.github/workflows/job.bench.yml @@ -1,11 +1,8 @@ name: Benchmark -on: - push: - branches: - - stable - pull_request: - types: [opened, reopened, synchronize] +"on": + workflow_dispatch: {} + workflow_call: {} env: BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }} @@ -68,7 +65,7 @@ jobs: if: ${{ matrix.engine == 'graalvm' }} with: components: "native-image,js,wasm" - distribution: 'graalvm' + distribution: "graalvm" java-version: ${{ matrix.java }} github-token: ${{ secrets.GITHUB_TOKEN }} - name: "Setup: Zulu" diff --git a/.github/workflows/build.ci.yml b/.github/workflows/job.build.yml similarity index 80% rename from .github/workflows/build.ci.yml rename to .github/workflows/job.build.yml index 1399ce948..ae3d983c0 100644 --- a/.github/workflows/build.ci.yml +++ b/.github/workflows/job.build.yml 
@@ -1,13 +1,139 @@ name: Framework -on: - push: - branches: - - stable - - main - pull_request: - types: [opened, reopened, synchronize] - merge_group: {} +"on": + workflow_dispatch: + inputs: + ## Input: Enable Tests + tests: + description: "Tests" + type: boolean + default: true + + ## Input: Enable Native Targets + native: + description: "Native" + type: boolean + default: false + + ## Input: Enable Release Targets + release: + description: "Release" + type: boolean + default: false + + ## Input: Publish Libraries + publish: + description: "Publish" + type: boolean + default: false + + ## Input: Deploy Samples + deploy: + description: "Deploy" + type: boolean + default: false + + ## Input: Enable Container Targets + containers: + description: "Containers" + type: boolean + default: false + + ## Input: Enable Provenance + provenance: + description: "Provenance" + type: boolean + default: true + + ## Input: Enable macOS + macos: + description: "Enable macOS" + type: boolean + default: false + + ## Input: Enable Windows + windows: + description: "Enable Windows" + type: boolean + default: false + + ## Input: Runner + runner: + description: "Runner" + type: string + default: ubuntu-latest + + workflow_call: + inputs: + tests: + description: "Tests" + type: boolean + default: true + native: + description: "Native" + type: boolean + default: false + release: + description: "Release" + type: boolean + default: false + containers: + description: "Containers" + type: boolean + default: false + publish: + description: "Publish" + type: boolean + default: false + deploy: + description: "Deploy" + type: boolean + default: false + provenance: + description: "Provenance" + type: boolean + default: true + macos: + description: "Enable macOS" + type: boolean + default: false + windows: + description: "Enable Windows" + type: boolean + default: false + runner: + description: "Runner to use" + type: string + default: ubuntu-latest + runner_large: + description: "Runner (Large)" + 
type: string + default: ubuntu-latest-8-cores + runner_large_macos: + description: "Runner (Large, macOS)" + type: string + default: macos-13-xl + runner_large_windows: + description: "Runner (Large, Windows)" + type: string + default: windows-latest-8-cores + + secrets: + BUILDLESS_APIKEY: + required: false + description: "Buildless API Key" + BUILDBOT_SERVICE_ACCOUNT: + required: false + description: "GCP Service Account" + BUILDBOT_GHCR_TOKEN: + required: false + description: "GHCR Token" + SONAR_TOKEN: + required: false + description: "Sonar token" + CODECOV_TOKEN: + required: false + description: "Codecov token" env: GRADLE_CACHE_LOCAL: false 
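Review bot: The `workflow_dispatch` input list declares `runner` but not `runner_large`, `runner_large_macos` or `runner_large_windows`, while the matrices later in this file (hunks on L9 and L10) read `${{ inputs.runner_large }}`, `${{ inputs.runner_large_macos }}` and `${{ inputs.runner_large_windows }}` for `runs-on`; on a manual dispatch those expressions expand to empty strings, so the native jobs would be scheduled with an empty runner label. Declaring the same three inputs with the same defaults under `workflow_dispatch.inputs` keeps the two trigger contracts aligned, and the two `runner` descriptions (`"Runner"` vs `"Runner to use"`) should match as well. The `macos` and `windows` booleans are declared in both blocks but nothing in the visible hunks reads them, so either wire them into the jobs or drop them. The `secrets:` block is a good explicit contract — callers should pass those five by name rather than `secrets: inherit`.
```yaml
"on":
  workflow_dispatch:
    inputs:
      # … unchanged: tests, native, release, publish, deploy, containers, provenance, macos, windows, runner …

      ## Input: Runner (Large)
      runner_large:
        description: "Runner (Large)"
        type: string
        default: ubuntu-latest-8-cores

      ## Input: Runner (Large, macOS)
      runner_large_macos:
        description: "Runner (Large, macOS)"
        type: string
        default: macos-13-xl

      ## Input: Runner (Large, Windows)
      runner_large_windows:
        description: "Runner (Large, Windows)"
        type: string
        default: windows-latest-8-cores

  # … unchanged: workflow_call inputs and secrets …
```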
@@ -21,96 +147,23 @@ permissions: contents: read jobs: - ## - ## Job: Pre-flight Checks - ## - preflight-checks: - name: "Pre-flight Checks" - runs-on: ${{ vars.RUNNER_DEFAULT || 'ubuntu-latest' }} - permissions: - contents: "read" - id-token: "write" - checks: "write" - packages: "read" - pull-requests: "write" - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - name: "Setup: Checkout" - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - submodules: true - - name: "Setup: Buildless" - uses: buildless/setup@v1.0.2 - - name: "Setup: GraalVM (Java 21)" - uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1 - with: - distribution: 'graalvm' - java-version: '21' - github-token: ${{ secrets.GITHUB_TOKEN }} - - id: "auth" - name: "Setup: Authorize Service Account" - uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1 - with: - credentials_json: "${{ secrets.BUILDBOT_SERVICE_ACCOUNT }}" - create_credentials_file: true - export_environment_variables: true - cleanup_credentials: true - - name: "Patch: Neutralize Yarn Lock" - run: mv yarn.lock yarn.inert - - name: "Check: Dependency Review" - uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0 - continue-on-error: true - if: github.event_name == 'pull_request' - with: - config-file: "./.github/dependency-review-config.yml" - license-check: true - vulnerability-check: true - fail-on-severity: "low" - base-ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref || 'v3' }} - - name: "Patch: Restore Yarn Lock" - run: mv yarn.inert yarn.lock - - name: "Check: Library ABI" - uses: gradle/gradle-build-action@3b1b3b9a2104c2b47fbae53f3938079c00c9bb87 # v3.0.0 - id: abicheck - continue-on-error: ${{ contains(github.event.pull_request.labels.*.name, 'ci:api-check-bypass') }} - env: - CI: 
true - GITHUB_ACTOR: ${{ env.GITHUB_ACTOR }} - GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }} - with: - cache-read-only: false - arguments: | - apiCheck - --dependency-verification=lenient - --no-daemon - --warning-mode=none - -Pelide.ci=true - -PbuildDocs=false - -PbuildSamples=false - -PbuildDocsSite=false - ## ## Job: Library Build ## - gradle: strategy: fail-fast: false matrix: os: [Ubuntu] - mode: ['Strict'] + mode: ["Strict"] machine: - ${{ vars.RUNNER_DEFAULT || 'ubuntu-latest' }} provenance: [true] - # macOS build is disabled. - # include: - # - os: macOS - # mode: Strict - # machine: macos-13 - # provenance: false + include: + - os: macOS + mode: Strict + machine: macos-13 + provenance: false name: "Build (${{ matrix.os }})" runs-on: ${{ matrix.machine }} @@ -144,8 +197,8 @@ jobs: - name: "Setup: GraalVM (Java 21)" uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1 with: - distribution: 'graalvm' - java-version: '21' + distribution: "graalvm" + java-version: "21" github-token: ${{ secrets.GITHUB_TOKEN }} - name: "Setup: Buildless" if: contains(matrix.machine, 'macos') == false 
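Review bot: The `preflight-checks` job is deleted from this file, but the new side still lists it in `needs:` — `needs: [preflight-checks]` on the tests job (hunk on L8), `needs: [tests, preflight-checks]` and `needs: [preflight-checks, gradle]` on the native jobs (L9, L10) and `needs: [gradle, preflight-checks]` on the container jobs (L11) — and a workflow that depends on an undefined job is rejected at parse time, so `job.build.yml` would not run at all. Since pre-flight now lives in the caller (`on.pr.yml`), those entries should become `needs: [tests]`, `needs: [gradle]` and so on, with the caller's `needs: [triage, preflight-checks]` providing the ordering. Separately, the re-enabled macOS matrix entry sets `provenance: false`, but `matrix.provenance` is not what gates the hash step (that checks `matrix.os` and `inputs.provenance`), so a comment such as `# provenance is gated on inputs.provenance and matrix.os; this field is informational` would prevent confusion. The `gradle` job's definition continues past the end of this hunk.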
@@ -209,19 +262,20 @@ jobs: build/reports/**/*.* - name: "Build: Provenance Subject" id: hash - if: ${{ matrix.os == 'ubuntu' }} + if: ${{ matrix.os == 'ubuntu' && inputs.provenance }} run: | echo "hashes=$(sha256sum ./packages/*/build/libs/* | base64 -w0)" >> "$GITHUB_OUTPUT" ## Report: Provenance provenance: name: Provenance + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 + if: inputs.provenance needs: [gradle] permissions: - actions: read - id-token: write - contents: write - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 + actions: "read" + id-token: "write" + contents: "write" with: base64-subjects: "${{ needs.gradle.outputs.hashes }}" upload-assets: ${{ github.ref == 'refs/heads/stable' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'release/') || startsWith(github.ref, 'refs/tags/v') }} @@ -233,6 +287,7 @@ jobs: name: "Tests: All Suites" runs-on: ${{ vars.RUNNER_DEFAULT || 'ubuntu-latest' }} needs: [preflight-checks] + if: inputs.tests permissions: contents: "read" @@ -255,8 +310,8 @@ jobs: - name: "Setup: GraalVM (Java 21)" uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1 with: - distribution: 'graalvm' - java-version: '21' + distribution: "graalvm" + java-version: "21" github-token: ${{ secrets.GITHUB_TOKEN }} - id: "auth" name: "Setup: Authorize Service Account" 
@@ -361,12 +416,12 @@ jobs: name: "Tests: Native" runs-on: ${{ vars.RUNNER_LARGE || 'ubuntu-latest-8-cores' }} needs: [tests, preflight-checks] - if: | - ( - github.ref == 'refs/heads/stable' || - contains(github.event.pull_request.labels.*.name, 'ci:test-native') || - contains(github.event.head_commit.message, 'ci:test-native') - ) + if: inputs.tests && inputs.native +# ( +# github.ref == 'refs/heads/stable' || +# contains(github.event.pull_request.labels.*.name, 'ci:test-native') || +# contains(github.event.head_commit.message, 'ci:test-native') +# ) steps: - name: Harden Runner @@ -380,8 +435,8 @@ jobs: - name: "Setup: GraalVM (Java 21)" uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1 with: - distribution: 'graalvm' - java-version: '21' + distribution: "graalvm" + java-version: "21" github-token: ${{ secrets.GITHUB_TOKEN }} - name: "Setup: Buildless" uses: buildless/setup@v1.0.2 @@ -441,30 +496,31 @@ jobs: runs-on: ${{ matrix.runner }} needs: [preflight-checks, gradle] continue-on-error: true - if: | - ( - github.ref == 'refs/heads/stable' || - startsWith(github.ref, 'release/') || - contains(github.event.pull_request.labels.*.name, 'ci:build-cli') || - contains(github.event.head_commit.message, 'ci:build-cli') - ) + if: inputs.native +# if: | +# ( +# github.ref == 'refs/heads/stable' || +# startsWith(github.ref, 'release/') || +# contains(github.event.pull_request.labels.*.name, 'ci:build-cli') || +# contains(github.event.head_commit.message, 'ci:build-cli') +# ) strategy: fail-fast: false matrix: os: ["Linux"] arch: ["amd64"] - runner: ["ubuntu-latest-8-cores"] + runner: ["${{ inputs.runner_large }}"] labs: [false] tag: [linux-amd64] include: - os: Linux - runner: ${{ vars.RUNNER_LARGE || 'ubuntu-latest-8-cores' }} + runner: ${{ inputs.runner_large }} arch: amd64 labs: false tag: linux-amd64 - os: macOS - runner: macos-13-xl + runner: ${{ inputs.runner_large_macos }} arch: amd64 labs: false tag: darwin-amd64 
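Review bot: The old trigger conditions are kept as column-0 `#` comments directly under each new `if:` (here and in the hunks on L10, L11, L12 and L13); they are dead text that git history already preserves, and sitting at column 0 inside a job mapping they read like stray top-level lines. Delete them or, if the label semantics are worth recording, replace each with a one-line comment such as `# gated by the caller via inputs.native (previously: stable branch or the ci:build-cli label)`. In the matrix below, the macOS include is unconditional even though `inputs.macos` exists (likewise the Windows include and `inputs.windows` on L10), so either those inputs gate nothing or the gating lives outside these hunks; if the former, the jobs need to consult them or the inputs should be removed. Note also that `runner: ["${{ inputs.runner_large }}"]` yields an empty `runs-on` whenever the input is not supplied, which is the case for the `workflow_dispatch` trigger as declared on L4. The job's definition continues outside the hunk.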
@@ -494,12 +550,12 @@ jobs: uses: ilammy/msvc-dev-cmd@cec98b9d092141f74527d0afa6feb2af698cfe89 # v1.12.1 with: arch: ${{ matrix.arch }} - cache: 'gradle' + cache: "gradle" - name: "Setup: GraalVM (Java 21)" uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1 with: - distribution: 'graalvm' - java-version: '21' + distribution: "graalvm" + java-version: "21" github-token: ${{ secrets.GITHUB_TOKEN }} - name: "Setup: Node" uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 @@ -563,12 +619,13 @@ jobs: runs-on: ${{ matrix.runner }} needs: [preflight-checks, gradle] continue-on-error: true - if: | - ( - github.ref == 'refs/heads/stable' || - contains(github.event.pull_request.labels.*.name, 'ci:build-cli') || - contains(github.event.head_commit.message, 'ci:build-cli') - ) + if: inputs.native && inputs.release +# if: | +# ( +# github.ref == 'refs/heads/stable' || +# contains(github.event.pull_request.labels.*.name, 'ci:build-cli') || +# contains(github.event.head_commit.message, 'ci:build-cli') +# ) strategy: fail-fast: false @@ -576,22 +633,22 @@ jobs: os: ["Linux"] arch: ["amd64"] runner: - - ${{ vars.RUNNER_LARGE || 'ubuntu-latest-8-cores' }} + - ${{ inputs.runner_large }} labs: [false] tag: [linux-amd64] include: - os: Linux - runner: ${{ vars.RUNNER_LARGE || 'ubuntu-latest-8-cores' }} + runner: ${{ inputs.runner_large }} arch: amd64 labs: false tag: linux-amd64 - os: macOS - runner: macos-13-xl + runner: ${{ inputs.runner_large_macos }} arch: amd64 labs: false tag: darwin-amd64 - os: Windows - runner: windows-latest-8-cores + runner: ${{ inputs.runner_large_windows }} arch: amd64 tag: windows-amd64 labs: true 
@@ -624,8 +681,8 @@ jobs: - name: "Setup: GraalVM (Java 21)" uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1 with: - distribution: 'graalvm' - java-version: '21' + distribution: "graalvm" + java-version: "21" github-token: ${{ secrets.GITHUB_TOKEN }} - name: "Setup: Node" uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 @@ -668,12 +725,13 @@ jobs: name: "Container: JVM" runs-on: ${{ vars.RUNNER || 'ubuntu-latest-8-cores' }} needs: [gradle, preflight-checks] - if: | - ( - github.ref == 'refs/heads/stable' || - contains(github.event.pull_request.labels.*.name, 'ci:build-img-jvm') || - contains(github.event.head_commit.message, 'ci:build-img-jvm') - ) + if: inputs.containers +# if: | +# ( +# github.ref == 'refs/heads/stable' || +# contains(github.event.pull_request.labels.*.name, 'ci:build-img-jvm') || +# contains(github.event.head_commit.message, 'ci:build-img-jvm') +# ) permissions: contents: "read" @@ -703,8 +761,8 @@ jobs: - name: "Setup: GraalVM (Java 21)" uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1 with: - distribution: 'graalvm' - java-version: '21' + distribution: "graalvm" + java-version: "21" github-token: ${{ secrets.GITHUB_TOKEN }} - name: "Setup: QEMU" uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 @@ -772,12 +830,13 @@ jobs: runs-on: ${{ vars.RUNNER_LARGE || 'ubuntu-latest-8-cores' }} continue-on-error: true needs: [gradle, preflight-checks] - if: | - ( - github.ref == 'refs/heads/stable' || - contains(github.event.pull_request.labels.*.name, 'ci:build-img-native') || - contains(github.event.head_commit.message, 'ci:build-img-native') - ) + if: inputs.containers && inputs.native +# if: | +# ( +# github.ref == 'refs/heads/stable' || +# contains(github.event.pull_request.labels.*.name, 'ci:build-img-native') || +# contains(github.event.head_commit.message, 'ci:build-img-native') +# ) permissions: contents: "read" 
@@ -807,8 +866,8 @@ jobs: - name: "Setup: GraalVM (Java 21)" uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1 with: - distribution: 'graalvm' - java-version: '21' + distribution: "graalvm" + java-version: "21" github-token: ${{ secrets.GITHUB_TOKEN }} - name: "Setup: QEMU" uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 @@ -885,13 +944,14 @@ jobs: deploy-samples: name: "Deploy" needs: [gradle, tests, docker-jvm, docker-native] - if: | - ( - contains(github.event.pull_request.labels.*.name, 'ci:deploy-samples') || - contains(github.event.pull_request.labels.*.name, 'ci:deploy') || - contains(github.event.head_commit.message, 'ci:deploy-samples') || - contains(github.event.head_commit.message, 'ci:deploy') - ) + if: inputs.release && inputs.deploy +# if: | +# ( +# contains(github.event.pull_request.labels.*.name, 'ci:deploy-samples') || +# contains(github.event.pull_request.labels.*.name, 'ci:deploy') || +# contains(github.event.head_commit.message, 'ci:deploy-samples') || +# contains(github.event.head_commit.message, 'ci:deploy') +# ) strategy: matrix: @@ -908,7 +968,7 @@ jobs: statuses: "write" packages: "read" - uses: ./.github/workflows/deploy.ci.yml + uses: ./.github/workflows/job.deploy.yml secrets: inherit with: path: "samples/${{ matrix.category }}/${{ matrix.app }}" @@ -923,12 +983,13 @@ jobs: publish-snapshot: name: "Publish: Snapshot" needs: [gradle, tests] - if: | - ( - github.ref == 'refs/heads/stable' || - contains(github.event.pull_request.labels.*.name, 'ci:publish-snapshot') || - contains(github.event.head_commit.message, 'ci:publish-snapshot') - ) + if: inputs.publish +# if: | +# ( +# github.ref == 'refs/heads/stable' || +# contains(github.event.pull_request.labels.*.name, 'ci:publish-snapshot') || +# contains(github.event.head_commit.message, 'ci:publish-snapshot') +# ) permissions: contents: "read" 
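Review bot: `publish-snapshot` was gated on `github.ref == 'refs/heads/stable'` (or an explicit label / commit marker) and is now gated only on `inputs.publish`; the same applies to `deploy-samples` in this hunk and, on L13, to `publish-ossrh`, which additionally loses both the `startsWith(github.ref, 'refs/tags/v')` check and the hard `false` that kept it disabled. Because `job.build.yml` also exposes `publish`, `release` and `deploy` as `workflow_dispatch` booleans (hunk on L4), anyone who can dispatch the workflow can publish a snapshot or a central release from an arbitrary branch, which the previous conditions prevented. Keep a ref guard inside the job regardless of the caller, e.g. `if: inputs.publish && github.ref == 'refs/heads/stable'` here and `if: inputs.release && inputs.publish && startsWith(github.ref, 'refs/tags/v')` on L13, or remove those three inputs from `workflow_dispatch` so only the trigger workflows can set them. Required-reviewer protection on `environment: snapshots` / `environment: central` would mitigate this, but whether it is configured is not visible in the diff.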
@@ -939,7 +1000,7 @@ jobs: statuses: "write" packages: "write" - uses: ./.github/workflows/publish.ci.yml + uses: ./.github/workflows/job.publish.yml secrets: inherit with: environment: snapshots @@ -958,15 +1019,16 @@ jobs: publish-ossrh: name: "Publish: OSSRH" needs: [publish-snapshot] - if: | - ( - contains(github.event.pull_request.labels.*.name, 'ci:publish') || - contains(github.event.head_commit.message, 'ci:publish') - ) && ( - false - ) && ( - startsWith(github.ref, 'refs/tags/v') - ) + if: inputs.release && inputs.publish +# if: | +# ( +# contains(github.event.pull_request.labels.*.name, 'ci:publish') || +# contains(github.event.head_commit.message, 'ci:publish') +# ) && ( +# false +# ) && ( +# startsWith(github.ref, 'refs/tags/v') +# ) permissions: contents: "read" @@ -977,7 +1039,7 @@ jobs: statuses: "write" packages: "write" - uses: ./.github/workflows/publish.ci.yml + uses: ./.github/workflows/job.publish.yml secrets: inherit with: environment: central diff --git a/.github/workflows/copybara.ci.yml b/.github/workflows/job.copybara.yml similarity index 95% rename from .github/workflows/copybara.ci.yml rename to .github/workflows/job.copybara.yml index 44495497d..88115b565 100644 --- a/.github/workflows/copybara.ci.yml +++ b/.github/workflows/job.copybara.yml @@ -1,13 +1,8 @@ name: "Copybara" -on: - push: - branches: - - v3 - - main - - stable - pull_request: - types: [labeled, opened, reopened, synchronize] +"on": + workflow_dispatch: {} + workflow_call: {} jobs: copybara-protocol: diff --git a/.github/workflows/deploy.ci.yml b/.github/workflows/job.deploy.yml similarity index 99% rename from .github/workflows/deploy.ci.yml rename to .github/workflows/job.deploy.yml index 69ba70155..ac8ae2464 100644 --- a/.github/workflows/deploy.ci.yml +++ b/.github/workflows/job.deploy.yml 
@@ -1,10 +1,6 @@ name: Deployment -concurrency: - group: "deploy" - cancel-in-progress: false - -on: +"on": ## Deployment can be invoked from other workflows. workflow_call: inputs: @@ -63,6 +59,10 @@ on: permissions: contents: read +concurrency: + group: "deploy" + cancel-in-progress: false + jobs: deployment: name: "Deploy (${{ inputs.environment }})" diff --git a/.github/workflows/labeler.ci.yml b/.github/workflows/job.labeler.yml similarity index 85% rename from .github/workflows/labeler.ci.yml rename to .github/workflows/job.labeler.yml index ec7669712..850b2a8df 100644 --- a/.github/workflows/labeler.ci.yml +++ b/.github/workflows/job.labeler.yml @@ -1,7 +1,7 @@ -name: "Bot: Pull Request Labeler" -on: - pull_request: - types: [opened, reopened] +name: "Labeler" + +"on": + workflow_call: {} permissions: contents: read @@ -17,7 +17,6 @@ jobs: uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: egress-policy: audit - - name: "Bot: Labeler Triage" uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 with: diff --git a/.github/workflows/publish.ci.yml b/.github/workflows/job.publish.yml similarity index 99% rename from .github/workflows/publish.ci.yml rename to .github/workflows/job.publish.yml index 95ae5859f..016a85b4e 100644 --- a/.github/workflows/publish.ci.yml +++ b/.github/workflows/job.publish.yml @@ -4,7 +4,7 @@ concurrency: group: "publish" cancel-in-progress: false -on: +"on": ## Publish flows can be invoked from other workflows. workflow_call: inputs: @@ -177,7 +177,7 @@ jobs: uses: graalvm/setup-graalvm@2a93b69fdf86ac5a078a98c1a707744632e1da94 # v1.1.5 with: components: "native-image,js,wasm" - distribution: 'graalvm' + distribution: "graalvm" java-version: 20 github-token: ${{ secrets.GITHUB_TOKEN }} - name: "Setup: Signing Keys" 
diff --git a/.github/workflows/site.ci.yml b/.github/workflows/job.site.yml similarity index 97% rename from .github/workflows/site.ci.yml rename to .github/workflows/job.site.yml index 021846b81..574f7cbd8 100644 --- a/.github/workflows/site.ci.yml +++ b/.github/workflows/job.site.yml @@ -1,18 +1,8 @@ name: Site -on: - push: - branches: - - stable - - v3 - - site/* - pull_request: - types: [labeled, opened, reopened, synchronize] - branches: - - stable - - v3 - - site/* - - release/* +"on": + workflow_dispatch: {} + workflow_call: {} env: BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }} @@ -51,7 +41,7 @@ jobs: uses: graalvm/setup-graalvm@2a93b69fdf86ac5a078a98c1a707744632e1da94 # v1.1.5 with: components: "native-image,js,wasm" - distribution: 'graalvm' + distribution: "graalvm" java-version: 20 github-token: ${{ secrets.GITHUB_TOKEN }} - id: "auth" @@ -172,7 +162,7 @@ jobs: uses: graalvm/setup-graalvm@2a93b69fdf86ac5a078a98c1a707744632e1da94 # v1.1.5 with: components: "native-image,js,wasm" - distribution: 'graalvm' + distribution: "graalvm" java-version: 20 github-token: ${{ secrets.GITHUB_TOKEN }} - id: "auth" diff --git a/.github/workflows/on.pr.yml b/.github/workflows/on.pr.yml new file mode 100644 index 000000000..7581e0e6a --- /dev/null +++ b/.github/workflows/on.pr.yml 
@@ -0,0 +1,115 @@ +name: PR + +"on": + pull_request: + types: [opened, reopened, synchronize] + +permissions: + contents: read + +concurrency: + group: "pr-${{ github.event.pull_request.number }}" + cancel-in-progress: true + +jobs: + ## + ## Job: Change Triage + ## + triage: + name: "Triage" + runs-on: ${{ vars.RUNNER_DEFAULT || 'ubuntu-latest' }} + permissions: + contents: "read" + steps: + - name: "Setup: Triage" + run: echo "Triage not yet supported." + + ## + ## Job: Pre-flight Checks + ## + preflight-checks: + name: "Pre-flight Checks" + runs-on: ${{ vars.RUNNER_DEFAULT || 'ubuntu-latest' }} + permissions: + contents: "read" + id-token: "write" + checks: "write" + packages: "read" + pull-requests: "write" + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: "Setup: Checkout" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + submodules: true + - name: "Setup: Buildless" + uses: buildless/setup@v1.0.2 + - name: "Setup: GraalVM (Java 21)" + uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1 + with: + distribution: "graalvm" + java-version: "21" + github-token: ${{ secrets.GITHUB_TOKEN }} + - id: "auth" + name: "Setup: Authorize Service Account" + uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1 + with: + credentials_json: "${{ secrets.BUILDBOT_SERVICE_ACCOUNT }}" + create_credentials_file: true + export_environment_variables: true + cleanup_credentials: true + - name: "Patch: Neutralize Yarn Lock" + run: mv yarn.lock yarn.inert + - name: "Check: Dependency Review" + uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0 + continue-on-error: true + if: github.event_name == 'pull_request' + with: + config-file: "./.github/dependency-review-config.yml" + license-check: true + vulnerability-check: true + fail-on-severity: "low" + 
base-ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref || 'v3' }} + - name: "Patch: Restore Yarn Lock" + run: mv yarn.inert yarn.lock + - name: "Check: Library ABI" + uses: gradle/gradle-build-action@3b1b3b9a2104c2b47fbae53f3938079c00c9bb87 # v3.0.0 + id: abicheck + continue-on-error: ${{ contains(github.event.pull_request.labels.*.name, 'ci:api-check-bypass') }} + env: + CI: true + GITHUB_ACTOR: ${{ env.GITHUB_ACTOR }} + GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }} + with: + cache-read-only: false + arguments: | + apiCheck + --dependency-verification=lenient + --no-daemon + --warning-mode=none + -Pelide.ci=true + -PbuildDocs=false + -PbuildSamples=false + -PbuildDocsSite=false + + ## + ## Job: Multi-platform Build + ## + pr-build: + name: "Build" + uses: ./.github/workflows/job.build.yml + secrets: inherit + needs: [triage, preflight-checks] + permissions: + actions: "read" + contents: "write" + id-token: "write" + checks: "write" + packages: "read" + pull-requests: "write" + with: + tests: true + provenance: false diff --git a/.github/workflows/on.push.yml b/.github/workflows/on.push.yml new file mode 100644 index 000000000..4774c0b4a --- /dev/null +++ b/.github/workflows/on.push.yml @@ -0,0 +1,18 @@ +name: CI + +"on": + push: + branches: + - stable + - main + pull_request: + types: [opened, reopened, synchronize] + merge_group: {} + +permissions: + contents: read + +concurrency: + group: "push-${{ github.ref }}" + +jobs: [] diff --git a/.github/workflows/scheduled-checks.ci.yml b/.github/workflows/on.scheduled.yml similarity index 98% rename from .github/workflows/scheduled-checks.ci.yml rename to .github/workflows/on.scheduled.yml index 0e4242461..30b840b08 100644 --- a/.github/workflows/scheduled-checks.ci.yml +++ b/.github/workflows/on.scheduled.yml 
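Review bot: `pr-build` forwards every repository secret to `job.build.yml` with `secrets: inherit` and grants it `contents: "write"`, in a workflow whose only trigger is `pull_request`; the callee declares exactly five secrets it consumes (hunk on L5), and the only job there that needs `contents: write` (provenance) is switched off by `provenance: false`, so both grants are wider than this call needs. Pass the declared secrets by name (`secrets:` with `BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}` and the other four) and set `contents: "read"` for this caller. In `preflight-checks`, `GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}` reads an environment variable the runner does not set by default (the token is exposed as `secrets.GITHUB_TOKEN`), so it most likely expands to empty; this was carried over from `build.ci.yml`, but it is worth confirming now that the step lives in a new file. The `if: github.event_name == 'pull_request'` on the dependency-review step is always true in this workflow and can be dropped.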
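Review bot: `jobs: []` is a sequence where GitHub Actions expects a mapping of job ids, so this workflow will most likely fail validation on every push to `stable`/`main` rather than act as a harmless placeholder; the practical fix is to add the `pr-build`-style call to `job.build.yml` here now, since an empty `jobs` map is unlikely to be accepted either. As written, nothing runs for pushes to those branches or for `merge_group` events — the build, tests and provenance that `build.ci.yml` used to run there — so any branch-protection required checks tied to the old job names will never be reported. This workflow also declares `pull_request` with the same event types as `on.pr.yml`, which would produce two runs per PR once jobs exist; drop it here.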
@@ -1,14 +1,13 @@ name: Checks -on: +"on": workflow_dispatch: {} push: branches: - stable - - v3 - - feat/js-runtime-v3 + - main schedule: - - cron: '0 0-23/2 * * *' + - cron: "0 0-23/2 * * *" env: GRADLE_CACHE_LOCAL: false @@ -151,7 +150,7 @@ jobs: uses: graalvm/setup-graalvm@2a93b69fdf86ac5a078a98c1a707744632e1da94 # v1.1.5 with: components: "native-image,js,wasm" - distribution: 'graalvm' + distribution: "graalvm" java-version: 20 check-for-updates: ${{ matrix.os == 'ubuntu' }} github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/package.json b/package.json index 55c288461..d37e80026 100644 --- a/package.json +++ b/package.json @@ -64,6 +64,7 @@ "upgrade-node": "yarn upgrade-interactive", "upgrade-gradle": "gradle-upgrade-interactive", "prepare": "husky install", + "prettier": "prettier", "lint": "prettier --write . --plugin=prettier-plugin-sh --plugin=prettier-plugin-toml --plugin=prettier-plugin-properties --plugin=prettier-plugin-java", "lint:check": "prettier --check . --plugin=prettier-plugin-sh --plugin=prettier-plugin-toml --plugin=prettier-plugin-properties --plugin=prettier-plugin-java" }