GH Actions CI reporting #8730
# Reporting workflow: publishes results gathered by a completed "GH Actions CI" run.
name: GH Actions CI reporting

# workflow_run executes in the context of the base repository and can read its secrets,
# even when the triggering run was started by a pull request from a fork. Everything taken
# from the triggering run (branch names, owner logins, artifacts) is therefore untrusted
# input to the jobs in this file.
# NOTE(review): no `permissions:` key is declared in the visible part of this file, so
# github.token gets the repository's default scopes; consider declaring the minimum the
# jobs need.
on:
  workflow_run:
    workflows:
      - "GH Actions CI"
    types:
      - completed

# Every `run:` step uses bash unless it says otherwise.
defaults:
  run:
    shell: bash
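jobs:
  # Publishes the Develocity build scans that the triggering run stored as artifacts.
  # Runs only in hibernate/hibernate-orm and only when the triggering run was not cancelled.
  # The Gradle wrapper that gets executed comes from the checkout of github.ref; the
  # downloaded artifacts are only moved into ~/.gradle/build-scan-data, never executed
  # by this script. Treat them as untrusted data when the triggering run was a fork PR.
  publish-build-scans:
    name: Publish Develocity build scans
    if: github.repository == 'hibernate/hibernate-orm' && github.event.workflow_run.conclusion != 'cancelled'
    runs-on: ubuntu-latest
    steps:
      # Checkout target branch which has trusted code
      - name: Check out target branch
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave the token in .git/config for later steps.
          persist-credentials: false
          ref: ${{ github.ref }}
      - name: Set up JDK
        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          distribution: 'temurin'
          java-version: '25'
      - name: Generate cache key
        id: cache-key
        # The expression below only combines github.* context values of this invocation
        # (repository, base_ref, ref_name); it does not read the triggering run's payload.
        run: |
          CURRENT_BRANCH="${{ github.repository != 'hibernate/hibernate-orm' && 'fork' || github.base_ref || github.ref_name }}"
          CURRENT_MONTH=$(/bin/date -u "+%Y-%m")
          CURRENT_DAY=$(/bin/date -u "+%d")
          ROOT_CACHE_KEY="buildtool-cache"
          echo "buildtool-monthly-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}" >> "$GITHUB_OUTPUT"
          echo "buildtool-monthly-branch-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}" >> "$GITHUB_OUTPUT"
          echo "buildtool-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}-${CURRENT_DAY}" >> "$GITHUB_OUTPUT"
      # Restore only: this job never saves a cache.
      - name: Restore Maven/Gradle Dependency/Dist Caches
        uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: |
            ~/.m2/repository/
            ~/.m2/wrapper/
            ~/.gradle/caches/modules-2
            ~/.gradle/wrapper/
          key: ${{ steps.cache-key.outputs.buildtool-cache-key }}
          restore-keys: |
            ${{ steps.cache-key.outputs.buildtool-monthly-branch-cache-key }}-
            ${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}-
      - name: Download GitHub Actions artifacts for the Develocity build scans
        id: downloadBuildScan
        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
        with:
          pattern: build-scan-data-*
          github-token: ${{ github.token }}
          repository: ${{ github.repository }}
          run-id: ${{ github.event.workflow_run.id }}
          path: /tmp/downloaded-build-scan-data/
        # Don't fail the build if there are no matching artifacts
        continue-on-error: true
      - name: Publish Develocity build scans for previous builds
        if: ${{ steps.downloadBuildScan.outcome != 'failure'}}
        # One publish attempt per downloaded directory; a failed attempt sets the final
        # exit status to 1 but does not stop the remaining directories from being tried.
        run: |
          shopt -s nullglob # Don't run the loop below if there are no artifacts
          status=0
          mkdir -p ~/.gradle/
          for build_scan_data_directory in /tmp/downloaded-build-scan-data/*
          do
            rm -rf ~/.gradle/build-scan-data
            mv "$build_scan_data_directory" ~/.gradle/build-scan-data \
              && ./gradlew --no-build-cache buildScanPublishPrevious || status=1
          done
          exit $status
        env:
          DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY_PR }}

  # Runs the Sonar scanner over the sources and coverage data of the triggering run.
  # For pull requests the working tree ends up holding the contributor's code while
  # SONAR_TOKEN is in the environment of the last step, so no value that originates
  # from the triggering run is expanded into a script with ${{ }}: such values are
  # passed through `env:` and read as quoted shell variables instead. A branch name
  # spliced into the script text would be parsed by bash as code.
  publish-sonar-scans:
    name: Publish Sonar scan
    if: github.repository == 'hibernate/hibernate-orm' && github.event.workflow_run.conclusion != 'cancelled'
    runs-on: ubuntu-latest
    steps:
      - name: Determine the Branch Reference for which the original action was triggered
        id: determine_branch_ref
        env:
          GH_TOKEN: ${{ github.token }}
          # Payload fields of the triggering run. head_branch and the head repository
          # owner are chosen by whoever opened the pull request.
          WORKFLOW_EVENT: ${{ github.event.workflow_run.event }}
          HEAD_OWNER: ${{ github.event.workflow_run.head_repository.owner.login }}
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
          BASE_OWNER: ${{ github.event.workflow_run.repository.owner.login }}
          BASE_REPO: ${{ github.event.workflow_run.repository.full_name }}
        # Outputs: original_branch_ref (always); pr_id and branch_to_merge (pull requests only).
        run: |
          if [ "$WORKFLOW_EVENT" == "pull_request" ]; then
            echo "::notice::Triggering workflow was executed for a pull request"
            FORK_OWNER="$HEAD_OWNER"
            BRANCH_NAME="$HEAD_BRANCH"
            # Pull requests from forks are looked up as "owner:branch".
            if [ "$HEAD_OWNER" != "$BASE_OWNER" ]; then
              BRANCH_NAME="$FORK_OWNER:$BRANCH_NAME"
            fi
            # `--` keeps the branch name from being read as a command-line option.
            GH_RESPONSE=$(gh pr view --repo "$BASE_REPO" --json number,baseRefName -- "$BRANCH_NAME")
            TARGET_BRANCH=$(echo "$GH_RESPONSE" | jq -r '.baseRefName')
            PR_ID=$(echo "$GH_RESPONSE" | jq -r '.number')
            echo "::notice::PR found. Target branch is: $TARGET_BRANCH"
            echo "::notice:: Pull Request number is: $PR_ID"
            echo "::notice:: Branch to merge is: $BRANCH_NAME"
            echo "original_branch_ref=$TARGET_BRANCH" >> "$GITHUB_OUTPUT"
            echo "pr_id=$PR_ID" >> "$GITHUB_OUTPUT"
            echo "branch_to_merge=$BRANCH_NAME" >> "$GITHUB_OUTPUT"
          else
            echo "::notice::Triggering workflow was executed for a push event? Using the head_branch value."
            echo "original_branch_ref=$HEAD_BRANCH" >> "$GITHUB_OUTPUT"
          fi
      # Checkout target branch (from the main repository)
      - name: Check out target branch
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          # By default, a workflow that is triggered with on workflow_run would run on the main (default) branch.
          # Different branches might have different versions of Develocity, and we want to make sure
          # that we publish with the one that we built the scan with in the first place.
          ref: ${{ steps.determine_branch_ref.outputs.original_branch_ref }}
          fetch-depth: 0
      # Note: we need to check out the code with all the changes so that we have the sources,
      # matching our compiled classes we'll pull from the build artifacts.
      # We won't be running any builds from the checked out code,
      # but we'll use the code to run the sonar scanner tool.
      #
      # Only needed if we are analysing the PR,
      # as otherwise the previous checkout already did the work.
      #
      # After this step the working tree is contributor-controlled for PR runs:
      # nothing from it may be executed by the remaining steps.
      - name: Check out merged code (if PR)
        env:
          GH_TOKEN: ${{ github.token }}
          WORKFLOW_EVENT: ${{ github.event.workflow_run.event }}
          PR_ID: ${{ steps.determine_branch_ref.outputs.pr_id }}
        run: |
          if [ "$WORKFLOW_EVENT" == "pull_request" ]; then
            gh pr checkout "$PR_ID"
          fi
          # so we aren't tempted to run a Gradle command!
          rm -rf gradlew*
      - name: Set up Java 25
        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          java-version: 25
          distribution: temurin
      # The artifacts are produced by the triggering run and extracted into the workspace
      # root; for PR-triggered runs treat their content as untrusted data.
      # NOTE(review): this pin is commented 7.0.0 while the build-scan job pins the same
      # action at a commit commented v8.0.0; confirm the difference is intentional.
      - name: Download coverage reports
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # 7.0.0
        with:
          pattern: build-results-data
          github-token: ${{ github.token }}
          repository: ${{ github.repository }}
          run-id: ${{ github.event.workflow_run.id }}
          path: .
          merge-multiple: 'true'
        # Don't fail the build if there are no matching artifacts
        continue-on-error: true
      # The scanner archive is accepted only if its SHA-256 matches the pinned value;
      # SONAR_HASH has to be updated together with SONAR_SCANNER_VERSION.
      - name: Install Sonar CLI
        run: |
          SONAR_HASH=8fbfb1eb546b734a60fc3e537108f06e389a8ca124fbab3a16236a8a51edcc15
          SONAR_SCANNER_VERSION=8.0.1.6346
          export SONAR_SCANNER_HOME="$HOME/.sonar/sonar-scanner-$SONAR_SCANNER_VERSION"
          curl --create-dirs -sSLo "$HOME/.sonar/sonar-scanner.zip" "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-$SONAR_SCANNER_VERSION.zip"
          DOWNLOADED_HASH=$(sha256sum "$HOME/.sonar/sonar-scanner.zip" | awk '{print $1}')
          if [ "$DOWNLOADED_HASH" == "$SONAR_HASH" ]; then
            echo "Successfully verified the file checksum"
          else
            echo "Error: Failed the file checksum verification. Expected: $SONAR_HASH but got $DOWNLOADED_HASH instead"
            exit 1
          fi
          unzip -o "$HOME/.sonar/sonar-scanner.zip" -d "$HOME/.sonar/"
          mv "$HOME/.sonar/sonar-scanner-$SONAR_SCANNER_VERSION"/* "$HOME/.sonar/"
      # NOTE(review): scanner settings that are not passed on the command line below are
      # presumably read from files in the working tree, which a pull request can change.
      # Confirm that the server URL and project key cannot be redirected from the PR.
      - name: Sonar Analysis
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          WORKFLOW_EVENT: ${{ github.event.workflow_run.event }}
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
          BRANCH_TO_MERGE: ${{ steps.determine_branch_ref.outputs.branch_to_merge }}
          PR_ID: ${{ steps.determine_branch_ref.outputs.pr_id }}
          ORIGINAL_BRANCH_REF: ${{ steps.determine_branch_ref.outputs.original_branch_ref }}
        run: |
          find . -name "*.exec" -type f
          # A bash array keeps every -D option a single argument, whatever the branch
          # name contains.
          EXTRA_ARGS=()
          if [ "$WORKFLOW_EVENT" == "pull_request" ]; then
            echo "::notice::Triggering workflow was executed for a pull request"
            EXTRA_ARGS+=(
              "-Dsonar.pullrequest.branch=$BRANCH_TO_MERGE"
              "-Dsonar.pullrequest.key=$PR_ID"
              "-Dsonar.pullrequest.base=$ORIGINAL_BRANCH_REF"
              "-Dsonar.pullrequest.provider=GitHub"
              "-Dsonar.pullrequest.github.repository=hibernate/hibernate-orm"
            )
          else
            EXTRA_ARGS+=("-Dsonar.branch.name=$HEAD_BRANCH")
          fi
          "$HOME/.sonar/bin/sonar-scanner" "${EXTRA_ARGS[@]}" \
            -Dsonar.java.libraries="$(pwd)/target/sonar-dependencies/*.jar" \
            -Dsonar.coverage.jacoco.xmlReportPaths="$(pwd)/reporting/target/reports/jacoco/mergeCodeCoverageReport/mergeCodeCoverageReport.xml"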