-
Notifications
You must be signed in to change notification settings - Fork 106
158 lines (156 loc) · 5.55 KB
/
ci-pr.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
name: 'CI - PR'
on:
pull_request:
env:
MAIN_PATH: 'build-dir'
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
MAVEN_THREADS: 'true'
jobs:
build:
if: github.repository == 'spring-cloud/stream-applications'
runs-on: ubuntu-latest
steps:
- name: 'Configure: checkout stream-applications@${{ github.ref_name }}'
uses: actions/checkout@v3
- name: 'Configure: checkout stream-applications@main'
id: checkout-main
uses: actions/checkout@v3
with:
ref: 'main'
path: ${{ env.MAIN_PATH }}
- name: 'Configure: Install gh cli'
uses: ./.github/actions/install-gh
- name: 'Configure: Ensure scripts are executable'
shell: bash
run: find . -type f -name "*.sh" -exec chmod a+x '{}' \;
- name: 'Configure: Install Java'
if: ${{ github.base_ref != 'main' }}
uses: actions/setup-java@v1
with:
java-version: ${{ needs.parameters.outputs.jdk_build }}
- name: 'Configure: Install GraalVM'
if: ${{ github.base_ref == 'main' }}
uses: graalvm/setup-graalvm@v1
with:
version: 'latest'
java-version: '17'
components: 'js'
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: 'Configure: cache for maven dependencies'
uses: actions/cache@v3
with:
path: ~/.m2/repository
key: maven-repo-${{ hashFiles('**/pom.xml') }}-pr-${{ github.base_ref }}
restore-keys: |
maven-repo-${{ hashFiles('**/pom.xml') }}-pr-${{ github.base_ref }}
maven-repo-${{ hashFiles('**/pom.xml') }}
maven-repo-
- name: 'Configure: Install xsltproc'
uses: ./.github/actions/install-xsltproc
- name: 'Action: verify changed modules'
shell: bash
env:
VERBOSE: ${{ github.debug && 'true' || '' }}
run: |
PR=$(echo "${{ github.ref_name }}" | grep -o '[[:digit:]]*')
echo "Checking out pull request #$PR"
gh pr checkout $PR
BUILD_DIR=$(realpath $MAIN_PATH)
echo "Changed files:"
gh pr diff --name-only
CHANGED=$(gh pr diff --name-only)
$BUILD_DIR/scripts/determine-modules-changed.sh "$CHANGED"
MODULES=$(jq '.[]' modules.json | sed 's/\"//g')
FOLDERS=
ROOT_MODULES=
if [ "$MAVEN_THREADS" = "true" ]; then
MVN_THR="-T 0.5C"
else
MVN_THR=
fi
MAVEN_OPTS="-s $BUILD_DIR/.settings.xml -B -U $MVN_THR"
echo "VERBOSE=$VERBOSE"
if [ "$VERBOSE" = "true" ]; then
MAVEN_OPTS="-X $MAVEN_OPTS"
fi
for module in $MODULES; do
if [[ "$module" == *"/"* ]]; then
if [ "$FOLDERS" = "" ]; then
FOLDERS="$module"
else
FOLDERS="$FOLDERS,$module"
fi
else
if [ "$ROOT_MODULES" == "" ]; then
ROOT_MODULES=$module
else
ROOT_MODULES="$ROOT_MODULES,$module"
fi
fi
done
set +e
if [ "$ROOT_MODULES" != "" ]; then
# Module with no / are probably a root module that contains other modules and will trigger a lot of dependant builds without real value
echo "::info ::building $ROOT_MODULES"
echo "::debug ::MAVEN:./mvnw $MAVEN_OPTS -pl $ROOT_MODULES install"
./mvnw $MAVEN_OPTS -pl $ROOT_MODULES install
RC=$?
if ((RC!=0)); then
exit $RC
fi
fi
if [ "$FOLDERS" != "" ]; then
echo "::info ::verify $FOLDERS and dependents"
echo "::debug ::MAVEN:./mvnw $MAVEN_OPTS -amd -pl $FOLDERS install"
./mvnw $MAVEN_OPTS -amd -pl $FOLDERS install
RC=$?
if ((RC!=0)); then
exit $RC
fi
fi
# Build any applications that was compiled but don't deploy to artifactory.
PROCESSORS=$(find ./applications/processor -name target -exec ./parent-dir '{}' \;)
SINKS=$(find ./applications/sink -name target -exec ./parent-dir '{}' \;)
SOURCES=$(find ./applications/source -name target -exec ./parent-dir '{}' \;)
# true as 3rd argument ensures that jars aren't deployed and containers aren't built.
for appdir in $PROCESSORS; do
./build-app.sh . "./$appdir" true
done
for appdir in $SOURCES; do
./build-app.sh . "./$appdir" true
done
for appdir in $SINKS; do
./build-app.sh . "./$appdir" true
done
- name: 'Upload: Error logs'
if: ${{ failure() }}
uses: actions/upload-artifact@v3
with:
name: 'modified-surefire-reports'
path: '**/target/surefire-reports'
retention-days: 7
if-no-files-found: ignore
- name: 'Built'
shell: bash
run: echo "::info ::Built"
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'table'
severity: 'CRITICAL,HIGH'
- name: 'Scanned'
shell: bash
run: echo "::info ::Scanned"
done:
runs-on: ubuntu-latest
needs: [ scan, build ]
steps:
- name: 'Done'
shell: bash
run: echo "::info ::Done"