HSEARCH-5132 Do not directly rely on the Security Manager in Embedded… #1350
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # The main CI of Hibernate Search is https://ci.hibernate.org/job/hibernate-search/. | |
| # However, Hibernate Search builds run on GitHub actions regularly | |
| # to build on Windows | |
| # and check that both the Linux and Windows workflows still work | |
| # and can be used in GitHub forks. | |
| # See https://docs.github.com/en/actions | |
| # for more information about GitHub actions. | |
| name: GitHub Actions Build | |
| on: | |
| push: | |
| branches: | |
| # Pattern order matters: the last matching inclusion/exclusion wins | |
| - '**' | |
| - '!3.*' | |
| - '!4.*' | |
| - '!5.*' | |
| - '!6.*' | |
| - '!dependabot/**' | |
| - '!wip/**/dependency-update/**' | |
| tags: | |
| - '**' | |
| # WARNING: Using pull_request_target to access secrets, but we check out the merge commit. | |
| # See checkout action for details. | |
| pull_request_target: | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| branches: | |
| # Pattern order matters: the last matching inclusion/exclusion wins | |
| - '**' | |
| - '!3.*' | |
| - '!4.*' | |
| - '!5.*' | |
| - '!6.*' | |
| # Ignore dependabot PRs that are not just about build dependencies; | |
| # we'll reject such dependant PRs and send a PR ourselves. | |
| - '!dependabot/**' | |
| - 'dependabot/maven/build-dependencies-**' | |
| - 'dependabot/docker/**/build-containers-**' | |
| - 'dependabot/docker/**/database-containers-**' | |
| concurrency: | |
| group: "workflow = ${{ github.workflow }}, ref = ${{ github.event.ref }}, pr = ${{ github.event.pull_request.id }}" | |
| cancel-in-progress: ${{ github.event_name == 'pull_request_target' || github.repository != 'hibernate/hibernate-search' }} | |
| defaults: | |
| run: | |
| shell: bash | |
| env: | |
| MAVEN_ARGS: "-e -B --settings .github/mvn-settings.xml --fail-at-end" | |
| TESTCONTAINERS_REUSE_ENABLE: true | |
| jobs: | |
| build: | |
| name: ${{matrix.os.name}} | |
| runs-on: ${{ matrix.os.runs-on }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: | |
| - { | |
| name: "Linux JDK 17", | |
| runs-on: 'ubuntu-latest', | |
| java: { | |
| version: 17 | |
| }, | |
| maven: { | |
| # Since we only start an Elasticsearch container on Linux we add the profile to enable container reuse here: | |
| args: '-Pci-build' | |
| } | |
| } | |
| # We can't start Linux containers on GitHub Actions' Windows VMs, | |
| # so we can't run Elasticsearch tests. | |
| # See https://github.com/actions/runner-images/issues/1143#issuecomment-972929995 | |
| - { | |
| name: "Windows JDK 17", | |
| runs-on: 'windows-latest', | |
| java: { | |
| version: 17 | |
| }, | |
| maven: { | |
| args: '-Dtest.elasticsearch.skip=true' | |
| } | |
| } | |
| steps: | |
| - name: Support longpaths on Windows | |
| if: "startsWith(matrix.os.runs-on, 'windows')" | |
| run: git config --global core.longpaths true | |
| - name: Check out commit already pushed to branch | |
| if: "! github.event.pull_request.number" | |
| uses: actions/checkout@v4 | |
| - name: Check out PR head | |
| uses: actions/checkout@v4 | |
| if: github.event.pull_request.number | |
| with: | |
| # WARNING: This is potentially dangerous since we're checking out unreviewed code, | |
| # and since we're using the pull_request_target event we can use secrets. | |
| # Thus, we must be extra careful to never expose secrets to steps that execute this code, | |
| # and to strictly limit our of secrets to those that only pose minor security threads. | |
| # This means in particular we won't expose Develocity credentials to the main maven executions, | |
| # but instead will execute maven a third time just to push build scans to Develocity; | |
| # see below. | |
| ref: "refs/pull/${{ github.event.pull_request.number }}/head" | |
| # Fetch the whole history to make sure that gitflow incremental builder | |
| # can find the base commit. | |
| fetch-depth: 0 | |
| - name: Set up Java ${{ matrix.os.java.version }} | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: ${{ matrix.os.java.version }} | |
| distribution: temurin | |
| # https://github.com/actions/cache/blob/main/examples.md#java---maven | |
| - name: Cache local Maven repository | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.m2/repository | |
| key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-maven- | |
| - name: Set up Maven | |
| run: ./mvnw -v | |
| - name: Docker cleanup | |
| run: ./ci/docker-cleanup.sh | |
| - name: Build code and run unit tests and basic checks | |
| run: | | |
| ./mvnw $MAVEN_ARGS ${{ matrix.os.maven.args }} clean install \ | |
| -Pjqassistant -Pdist -Pci-build -DskipITs | |
| env: | |
| # WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code. | |
| DEVELOCITY_ACCESS_KEY: "${{ github.event_name == 'push' && secrets.GRADLE_ENTERPRISE_ACCESS_KEY || '' }}" | |
| - name: Publish Develocity build scan for previous build (pull request) | |
| if: "${{ !cancelled() && github.event_name == 'pull_request_target' && github.repository == 'hibernate/hibernate-search' }}" | |
| run: | | |
| ./mvnw $MAVEN_ARGS gradle-enterprise:build-scan-publish-previous | |
| env: | |
| # WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code. | |
| DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY_PR }} | |
| - name: Run integration tests in the default environment | |
| run: | | |
| ./mvnw $MAVEN_ARGS ${{ matrix.os.maven.args }} clean verify \ | |
| -Pskip-checks \ | |
| ${{ github.event.pull_request.base.ref && format('-Dincremental -Dgib.referenceBranch=refs/remotes/origin/{0}', github.event.pull_request.base.ref) || '' }} | |
| env: | |
| # WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code. | |
| DEVELOCITY_ACCESS_KEY: "${{ github.event_name == 'push' && secrets.GRADLE_ENTERPRISE_ACCESS_KEY || '' }}" | |
| - name: Publish Develocity build scan for previous build (pull request) | |
| if: "${{ !cancelled() && github.event_name == 'pull_request_target' && github.repository == 'hibernate/hibernate-search' }}" | |
| run: | | |
| ./mvnw $MAVEN_ARGS gradle-enterprise:build-scan-publish-previous | |
| env: | |
| # WARNING: exposes secrets, so must only be passed to a step that doesn't run unapproved code. | |
| DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY_PR }} | |
| - name: Docker cleanup | |
| run: ./ci/docker-cleanup.sh | |
| - name: Omit produced artifacts from build cache | |
| run: rm -r ~/.m2/repository/org/hibernate/search | |
| # Workaround for https://github.com/actions/upload-artifact/issues/240 | |
| - name: List build reports to upload (if build failed) | |
| if: ${{ failure() || cancelled() }} | |
| # The weird syntax is because we're setting a multiline environment variable | |
| # See https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-of-a-multiline-string | |
| run: | | |
| { | |
| echo 'buildReportPaths<<EOF' | |
| find . -path '**/*-reports' | |
| echo EOF | |
| } >> "$GITHUB_ENV" | |
| - name: Upload build reports (if build failed) | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ failure() || cancelled() }} | |
| with: | |
| name: ${{ format('build-reports-{0}', matrix.os.name ) }} | |
| path: ${{ env.buildReportPaths }} | |
| retention-days: 7 |