[#23] Add basic GitHub Actions workflows
Note that static analysis is commented out until it is implemented in #22.

Maven deployment will be enabled once secrets are added.
ccjernigan authored May 4, 2022
1 parent e6b328f commit 925d80f
Showing 5 changed files with 487 additions and 0 deletions.
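--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -0,0 +1,73 @@
+name: 'Setup Java and Dependency Cache'
+description: "Configures the build environment and caches Gradle, dependencies, and build outputs."
+runs:
+using: "composite"
+steps:
+- name: Set Env
+shell: bash
+run: |
+echo "home=${HOME}" >> "$GITHUB_ENV"
+- name: Set up Java
+uses: actions/setup-java@4fe61d24fe5472910b93bdeffb8aad49f979d862
+with:
+distribution: 'zulu'
+java-version: 17
+- name: Disable Gradle Daemon
+shell: bash
+run: |
+mkdir ~/.gradle
+echo "org.gradle.daemon=false" >> ~/.gradle/gradle.properties
+- name: Gradle Wrapper Cache
+id: gradle-wrapper-cache
+uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09
+with:
+path: ~/.gradle/wrapper
+key: ${{ runner.os }}-gradle-wrapper-${{ hashFiles(format('{0}{1}', github.workspace, '/gradle/wrapper/gradle-wrapper.properties')) }}
+- name: Gradle Dependency Cache
+id: gradle-dependency-cache
+uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09
+with:
+path: ~/.gradle/caches/modules-2
+key: ${{ runner.os }}-gradle-deps-${{ hashFiles(format('{0}{1}', github.workspace, '/gradle.properties')) }}
+restore-keys: |
+${{ runner.os }}-gradle-deps
+# This tries to fall back to the build cache from the main branch, while ensuring that
+# main branch builds repopulate the cache each time.
+- name: Gradle Build Cache Main
+id: gradle-build-cache-main
+if: github.event.pull_request.head.sha == ''
+uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09
+with:
+path: |
+~/.gradle/caches/build-cache-1
+~/.gradle/caches/transforms-3
+key: ${{ runner.os }}-gradle-build-${{ github.sha }}
+restore-keys: |
+${{ runner.os }}-gradle-build
+- name: Gradle Build Cache Pull Request
+id: gradle-build-cache-pr
+if: github.event.pull_request.head.sha != ''
+uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09
+with:
+path: |
+~/.gradle/caches/build-cache-1
+~/.gradle/caches/transforms-3
+key: ${{ runner.os }}-gradle-build-${{ github.event.pull_request.base.sha }}
+restore-keys: |
+${{ runner.os }}-gradle-build
+- name: Download Gradle
+if: steps.gradle-wrapper-cache.outputs.cache-hit != 'true'
+shell: bash
+run: |
+./gradlew --version
+- name: Download Gradle Dependencies
+if: steps.gradle-dependency-cache.outputs.cache-hit != 'true'
+shell: bash
+run: |
+./gradlew dependencies :lib:dependencies
+- name: Compile
+if: steps.gradle-build-cache-main.outputs.cache-hit != 'true' && steps.gradle-build-cache-pr.outputs.cache-hit != 'true'
+shell: bash
+run: |
+./gradlew assemble testClasses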
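Review bot: The two build-cache steps restore `~/.gradle/caches/build-cache-1` and `~/.gradle/caches/transforms-3` through the prefix fallback `${{ runner.os }}-gradle-build`, and because the deploy workflows in this commit call this same composite action, a publish run can start from build outputs written by an earlier run instead of from the checked-out commit alone. If the Gradle build cache is enabled for this project (not visible here), consider giving the action an input that lets the deploy jobs skip both build-cache steps, so that published artifacts are always compiled fresh. Separately, `mkdir ~/.gradle` in the Disable Gradle Daemon step fails when the directory already exists; `mkdir -p ~/.gradle` keeps the step idempotent.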
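--- a/.github/workflows/deploy-release.yml
+++ b/.github/workflows/deploy-release.yml
@@ -0,0 +1,109 @@
+# Expected secrets
+# MAVEN_CENTRAL_USERNAME - Username for Maven Central.
+# MAVEN_CENTRAL_PASSWORD - Password for Maven Central.
+# MAVEN_SIGNING_KEYRING_FILE_BASE64 - Base64 encoded GPG keyring file.
+# MAVEN_SIGNING_KEY_ID - ID for the key in the GPG keyring file.
+# MAVEN_SIGNING_PASSWORD - Password for the key in the GPG keyring file.
+
+name: Deploy Release
+
+on:
+workflow_dispatch:
+
+concurrency: deploy_release
+
+jobs:
+validate_gradle_wrapper:
+runs-on: ubuntu-latest
+permissions:
+contents: read
+steps:
+- name: Checkout
+timeout-minutes: 1
+uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+# Gradle Wrapper validation can be flaky
+# https://github.com/gradle/wrapper-validation-action/issues/40
+- name: Gradle Wrapper Validation
+timeout-minutes: 1
+uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b
+
+check_secrets:
+environment: deployment
+permissions:
+contents: read
+runs-on: ubuntu-latest
+outputs:
+has-secrets: ${{ steps.check_secrets.outputs.defined }}
+steps:
+- id: check_secrets
+env:
+MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
+MAVEN_CENTRAL_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
+MAVEN_SIGNING_KEYRING_FILE_BASE64: ${{ secrets.MAVEN_SIGNING_KEYRING_FILE_BASE64 }}
+MAVEN_SIGNING_KEY_ID: ${{ secrets.MAVEN_SIGNING_KEY_ID }}
+MAVEN_SIGNING_PASSWORD: ${{ secrets.MAVEN_SIGNING_PASSWORD }}
+if: "${{ env.MAVEN_CENTRAL_USERNAME != '' && env.MAVEN_CENTRAL_PASSWORD != '' && env.MAVEN_SIGNING_KEYRING_FILE_BASE64 != '' && env.MAVEN_SIGNING_KEY_ID != '' && env.MAVEN_SIGNING_PASSWORD != '' }}"
+run: echo "::set-output name=defined::true"
+
+deploy_release:
+environment: deployment
+if: needs.check_secrets.outputs.has-secrets == 'true'
+needs: [validate_gradle_wrapper, check_secrets]
+runs-on: ubuntu-latest
+permissions:
+contents: read
+steps:
+- name: Checkout
+timeout-minutes: 1
+uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+- name: Setup
+id: setup
+timeout-minutes: 30
+uses: ./.github/actions/setup
+- name: Export Maven Signing Key
+env:
+MAVEN_SIGNING_KEYRING_FILE_BASE64: ${{ secrets.MAVEN_SIGNING_KEYRING_FILE_BASE64 }}
+GPG_KEY_PATH: ${{ format('{0}/keyring.gpg', env.home) }}
+shell: bash
+run: |
+echo ${MAVEN_SIGNING_KEYRING_FILE_BASE64} | base64 --decode > ${GPG_KEY_PATH}
+# While not strictly necessary, this sanity checks the build before attempting to upload.
+# This adds minimal additional build time, since most of the work is cached and re-used
+# in the next step.
+- name: Deploy to Maven Local
+timeout-minutes: 25
+env:
+ORG_GRADLE_PROJECT_IS_SNAPSHOT: false
+ORG_GRADLE_PROJECT_RELEASE_SIGNING_ENABLED: false
+run: |
+./gradlew publishToMavenLocal --no-parallel
+- name: Deploy to Maven Central
+timeout-minutes: 8
+env:
+ORG_GRADLE_PROJECT_mavenCentralUsername: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
+ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
+ORG_GRADLE_PROJECT_IS_SNAPSHOT: false
+ORG_GRADLE_PROJECT_RELEASE_SIGNING_ENABLED: true
+GPG_KEY_PATH: ${{ format('{0}/keyring.gpg', env.home) }}
+GPG_KEY_ID: ${{ secrets.MAVEN_SIGNING_KEY_ID }}
+GPG_PASSWORD: ${{ secrets.MAVEN_SIGNING_PASSWORD }}
+run: |
+./gradlew publish -Psigning.secretKeyRingFile=$GPG_KEY_PATH -Psigning.keyId=$GPG_KEY_ID -Psigning.password=$GPG_PASSWORD --no-parallel
+./gradlew closeAndReleaseRepository --no-parallel
+- name: Collect Artifacts
+timeout-minutes: 1
+if: ${{ always() }}
+env:
+ARTIFACTS_DIR_PATH: ${{ format('{0}/artifacts', env.home) }}
+BINARIES_ZIP_PATH: ${{ format('{0}/artifacts/release_binaries.zip', env.home) }}
+run: |
+mkdir ${ARTIFACTS_DIR_PATH}
+zip -r ${BINARIES_ZIP_PATH} . -i *build/outputs/*
+- name: Upload Artifacts
+if: ${{ always() }}
+uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+timeout-minutes: 1
+with:
+name: Release binaries
+path: ~/artifacts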
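Review bot: In the Deploy to Maven Central step the signing key id and password reach Gradle as unquoted command-line arguments (`-Psigning.password=$GPG_PASSWORD`), so they sit in the process argument list and a value containing spaces or shell metacharacters is split or expanded by bash. The Maven Central credentials in the same step are already supplied through `ORG_GRADLE_PROJECT_*` environment variables; keeping the signing values off the command line as well (for example in a properties file readable only by the runner user) would treat all the secrets the same way. At minimum quote the expansions, e.g. `"-Psigning.password=$GPG_PASSWORD"`, and likewise in Export Maven Signing Key: `echo "${MAVEN_SIGNING_KEYRING_FILE_BASE64}" | base64 --decode > "${GPG_KEY_PATH}"`. The decoded keyring is written with the default umask and is not removed afterwards; a `umask 077` before the write and an `if: always()` cleanup step would limit its exposure on the runner.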
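--- a/.github/workflows/deploy-snapshot.yml
+++ b/.github/workflows/deploy-snapshot.yml
@@ -0,0 +1,102 @@
+# Expected secrets
+# MAVEN_CENTRAL_USERNAME - Username for Maven Central
+# MAVEN_CENTRAL_PASSWORD - Password for Maven Central
+
+# Note that snapshot releases do not require GPG signing
+
+name: Deploy Snapshot
+
+on:
+workflow_dispatch:
+push:
+branches:
+- master
+paths-ignore:
+- '.github/ISSUE_TEMPLATE/*'
+- '.github/PULL_REQUEST_TEMPLATE.md'
+- 'LICENSE'
+- 'README.md'
+- 'docs/**'
+
+concurrency: deploy_snapshot
+
+jobs:
+validate_gradle_wrapper:
+runs-on: ubuntu-latest
+permissions:
+contents: read
+steps:
+- name: Checkout
+timeout-minutes: 1
+uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+# Gradle Wrapper validation can be flaky
+# https://github.com/gradle/wrapper-validation-action/issues/40
+- name: Gradle Wrapper Validation
+timeout-minutes: 1
+uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b
+
+check_secrets:
+environment: deployment
+permissions:
+contents: read
+runs-on: ubuntu-latest
+outputs:
+has-secrets: ${{ steps.check_secrets.outputs.defined }}
+steps:
+- id: check_secrets
+env:
+MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
+MAVEN_CENTRAL_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
+if: "${{ env.MAVEN_CENTRAL_USERNAME != '' && env.MAVEN_CENTRAL_PASSWORD != '' }}"
+run: echo "::set-output name=defined::true"
+
+deploy_snapshot:
+if: needs.check_secrets.outputs.has-secrets == 'true'
+needs: [validate_gradle_wrapper, check_secrets]
+runs-on: ubuntu-latest
+permissions:
+contents: read
+steps:
+- name: Checkout
+timeout-minutes: 1
+uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+- name: Setup
+id: setup
+timeout-minutes: 30
+uses: ./.github/actions/setup
+# While not strictly necessary, this sanity checks the build before attempting to upload.
+# This adds minimal additional build time, since most of the work is cached and re-used
+# in the next step.
+- name: Deploy to Maven Local
+timeout-minutes: 25
+env:
+ORG_GRADLE_PROJECT_IS_SNAPSHOT: true
+ORG_GRADLE_PROJECT_RELEASE_SIGNING_ENABLED: false
+run: |
+./gradlew publishToMavenLocal --no-parallel
+- name: Deploy to Maven Central
+timeout-minutes: 8
+env:
+ORG_GRADLE_PROJECT_mavenCentralUsername: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
+ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
+ORG_GRADLE_PROJECT_IS_SNAPSHOT: true
+ORG_GRADLE_PROJECT_RELEASE_SIGNING_ENABLED: false
+run: |
+./gradlew publish --no-parallel
+- name: Collect Artifacts
+timeout-minutes: 1
+if: ${{ always() }}
+env:
+ARTIFACTS_DIR_PATH: ${{ format('{0}/artifacts', env.home) }}
+BINARIES_ZIP_PATH: ${{ format('{0}/artifacts/snapshot_binaries.zip', env.home) }}
+run: |
+mkdir ${ARTIFACTS_DIR_PATH}
+zip -r ${BINARIES_ZIP_PATH} . -i *build/outputs/*
+- name: Upload Artifacts
+if: ${{ always() }}
+uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+timeout-minutes: 1
+with:
+name: Snapshot binaries
+path: ~/artifacts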
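Review bot: `deploy_snapshot` reads `secrets.MAVEN_CENTRAL_USERNAME` and `secrets.MAVEN_CENTRAL_PASSWORD` but, unlike `check_secrets` in this file and `deploy_release` in deploy-release.yml, declares no `environment: deployment`. If the secrets are stored on the `deployment` environment they resolve to empty strings in this job and the publish fails after the check has passed; if they are repository secrets, any protection rules on the environment do not gate the job that actually publishes. Adding `environment: deployment` under `deploy_snapshot:` makes the three jobs agree.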