refactor(ci): split ci in privileged and unprivileged #111

Closed
wants to merge 1 commit into from
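--- /dev/null
+++ b/.github/workflows/ci-privileged.yml
@@ -0,0 +1,105 @@
+# IMPORTANT
+# This pipeline has access to secrets since the trigger is "workflow_run".
+# It is required for it to operate only on artifacts and never build or execute source code.
+# The sole purpose of it is to comment with diffuse reports on PRs.
+# See more about security concerns here: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
+name: 'ci-privileged'
+
+concurrency:
+group: ${{ github.workflow }}-${{ github.ref }}
+cancel-in-progress: true
+
+on:
+pull_request:
+paths-ignore:
+- '**.md'
+# workflow_run:
+# workflows: [ ci ]
+# types:
+# - completed
+
+jobs:
+comment-on-pr:
+name: 'Comment on PR'
+# if: ${{ github.ref != 'refs/heads/main' && github.event.workflow_run.conclusion == 'success' }}
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v3
+with:
+fetch-depth: 0
+- uses: actions/setup-java@v3
+with:
+java-version: '11'
+distribution: adopt
+- uses: gradle/gradle-build-action@v2
+with:
+cache-read-only: false
+- name: 'Build'
+run: |
+./gradlew clean build --stacktrace
+cp sdk/build/outputs/aar/sdk-release.aar sdk-pr.aar
+- name: 'Build main'
+run: |
+git checkout origin/main
+./gradlew clean build --stacktrace
+cp sdk/build/outputs/aar/sdk-release.aar sdk-main.aar
+- uses: usefulness/diffuse-action@v1
+if: github.ref != 'refs/heads/main'
+id: diffuse
+with:
+old-file-path: sdk-main.aar
+new-file-path: sdk-pr.aar
+- name: 'Create diffuse artifact'
+if: ${{ steps.diffuse.outputs.diff-raw != null }}
+run: |
+mkdir -p ./diffuse
+echo ${{ github.event.number }} > ./diffuse/issue-nr
+echo '${{ steps.diffuse.outputs.diff-gh-comment }}' > ./diffuse/diffuse-report
+# Upload diffuse artifact such that `ci-privileged.yml` can use to add PR Comment
+- name: 'Upload diffuse artifact'
+uses: actions/upload-artifact@v3
+if: ${{ steps.diffuse.outputs.diff-raw != null }}
+with:
+name: diffuse
+path: diffuse/
+- name: 'Download artifact'
+if: false
+uses: actions/github-script@v6
+with:
+script: |
+var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+owner: context.repo.owner,
+repo: context.repo.repo,
+run_id: '${{github.event.workflow_run.id }}'
+});
+var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+return artifact.name == "diffuse"
+})[0];
+var download = await github.rest.actions.downloadArtifact({
+owner: context.repo.owner,
+repo: context.repo.repo,
+artifact_id: matchArtifact.id,
+archive_format: 'zip'
+});
+var fs = require('fs');
+fs.writeFileSync('${{github.workspace}}/diffuse.zip', Buffer.from(download.data));
+- run: unzip diffuse.zip
+if: false
+- name: 'Comment on PR'
+uses: actions/github-script@v3
+with:
+github-token: ${{ secrets.GITHUB_TOKEN }}
+script: |
+var fs = require('fs');
+var issueNr = Number(fs.readFileSync('./diffuse/issue-nr'));
+var diffuseReport = fs.readFileSync('./diffuse/diffuse-report');
+await github.issues.createComment({
+owner: context.repo.owner,
+repo: context.repo.repo,
+issue_number: issueNr,
+body: `
+Diffuse report:
+
+${diffuseReport}`
+});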
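Review bot: The header comment states this workflow must never build or execute source code because it runs with secrets, yet the `comment-on-pr` job checks out the ref and runs `./gradlew clean build --stacktrace` on it twice; today the trigger is `pull_request` with the `workflow_run` trigger commented out, so the contradiction is latent, but uncommenting that trigger without first removing the checkout/build/diffuse steps would produce exactly the pattern the linked securitylab article warns about. The 'Comment on PR' step also trusts `./diffuse/issue-nr` and `./diffuse/diffuse-report` as read from disk; in the intended `workflow_run` design those files arrive in an artifact produced by the unprivileged run, so both the target issue number and the posted body are under the control of whoever opened the PR — the issue number should be validated against the triggering run (presumably `github.event.workflow_run.pull_requests`) before `createComment` is called, and the report treated as untrusted text. In 'Create diffuse artifact', `echo '${{ steps.diffuse.outputs.diff-gh-comment }}' > ./diffuse/diffuse-report` interpolates a workflow expression straight into the shell line, so a single quote in the report breaks the quoting; pass it through a step `env:` entry such as `DIFFUSE_REPORT: ${{ steps.diffuse.outputs.diff-gh-comment }}` and write it with `printf '%s\n' "$DIFFUSE_REPORT" > ./diffuse/diffuse-report`. As a style point, 'Download artifact' uses `actions/github-script@v6` with the `github.rest.actions` API while 'Comment on PR' uses `@v3` with `github.issues.createComment`; pinning both steps to the same major (and `github.rest.issues.createComment` on v6) avoids the mixed API surface.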
87 changes: 37 additions & 50 deletions .github/workflows/ci.yml
Expand Up @@ -17,8 +17,11 @@ jobs:
test:
name: 'Test Unit'
runs-on: ubuntu-latest
if: false
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: actions/setup-java@v3
with:
java-version: '11'
Expand All @@ -27,18 +30,46 @@ jobs:
with:
cache-read-only: false
- name: 'Build'
run: ./gradlew build --stacktrace
run: |
./gradlew clean build --stacktrace
cp sdk/build/outputs/aar/sdk-release.aar sdk-pr.aar
- name: 'HTML ES5 test'
run: |
npm install -g jshint
java -cp sdk/build/intermediates/javac/release/classes com.hcaptcha.sdk.HCaptchaHtml > sdk/build/hcaptcha-form.html
jshint --extract=always sdk/build/hcaptcha-form.html
- name: 'JitPack Test'
run: ./gradlew publishReleasePublicationToMavenLocal
- name: 'Build main'
run: |
git checkout origin/main
./gradlew clean build --stacktrace
cp sdk/build/outputs/aar/sdk-release.aar sdk-main.aar
- uses: usefulness/diffuse-action@v1
if: github.ref != 'refs/heads/main'
id: diffuse
with:
old-file-path: sdk-main.aar
new-file-path: sdk-pr.aar
- name: 'Create diffuse artifact'
if: ${{ steps.diffuse.outputs.diff-raw != null }}
run: |
mkdir -p ./diffuse
echo ${{ github.event.number }} > ./diffuse/issue-nr
echo '${{ steps.diffuse.outputs.diff-gh-comment }}' > ./diffuse/diffuse-report
# Upload diffuse artifact such that `ci-privileged.yml` can use to add PR Comment
- name: 'Upload diffuse artifact'
uses: actions/upload-artifact@v2
if: ${{ steps.diffuse.outputs.diff-raw != null }}
with:
name: diffuse
path: diffuse/

build-matrix:
name: 'Build (target:${{ matrix.target }} compile:${{ matrix.compile }} appcompat: ${{ matrix.appcompat }})'
needs: [ test ]
if: false
timeout-minutes: 15
runs-on: ubuntu-latest
strategy:
fail-fast: false
Expand Down Expand Up @@ -73,6 +104,7 @@ jobs:

test-ui:
name: 'Test UI'
if: false
runs-on: macos-latest
strategy:
fail-fast: false
Expand Down Expand Up @@ -131,6 +163,7 @@ jobs:

test-benchmark:
name: 'Test Benchmark'
if: false
runs-on: macos-latest
strategy:
fail-fast: false
Expand Down Expand Up @@ -201,54 +234,8 @@ jobs:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- env:
- run: ./gradlew sonarqube --info
if: ${{ env.SONAR_TOKEN != '' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: ./gradlew sonarqube --info

size-report:
name: 'Diffuse report'
needs: [ test ]
if: github.ref != 'refs/heads/main'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: actions/setup-java@v3
with:
java-version: '11'
distribution: adopt
- uses: gradle/gradle-build-action@v2
with:
cache-read-only: false
- name: 'Build'
run: |
./gradlew clean build --stacktrace
cp sdk/build/outputs/aar/sdk-release.aar sdk-pr.aar
- name: 'Build main'
run: |
git checkout origin/main
./gradlew clean build --stacktrace
cp sdk/build/outputs/aar/sdk-release.aar sdk-main.aar
- id: diffuse
uses: usefulness/diffuse-action@v1
with:
old-file-path: sdk-main.aar
new-file-path: sdk-pr.aar
- uses: peter-evans/find-comment@v2
id: find_comment
with:
issue-number: ${{ github.event.pull_request.number }}
body-includes: Diffuse report
- uses: peter-evans/create-or-update-comment@v2
if: ${{ steps.diffuse.outputs.diff-raw != null || steps.find_comment.outputs.comment-id != null }}
with:
body: |
Diffuse report:

${{ steps.diffuse.outputs.diff-gh-comment }}
edit-mode: replace
comment-id: ${{ steps.find_comment.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
token: ${{ secrets.GITHUB_TOKEN }}
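Review bot: `if: false` is added to the `test`, `build-matrix`, `test-ui` and `test-benchmark` jobs (first, third, fourth and fifth hunks), which disables the unit, matrix, UI and benchmark suites on every push and PR; if this is a temporary measure while the diffuse artifact flow is iterated on, it should be reverted before merge or at least marked with a comment such as `# TODO(ci): re-enable once the diffuse artifact hand-off is validated`. In the third hunk, `echo '${{ steps.diffuse.outputs.diff-gh-comment }}' > ./diffuse/diffuse-report` interpolates a workflow expression directly into the shell command, so a single quote in the report breaks the quoting; pass the value through a step `env:` entry such as `DIFFUSE_REPORT: ${{ steps.diffuse.outputs.diff-gh-comment }}` and write it with `printf '%s\n' "$DIFFUSE_REPORT" > ./diffuse/diffuse-report` (the copy of this step in the new ci-privileged.yml has the same issue). The 'Upload diffuse artifact' step uses `actions/upload-artifact@v2` while the new ci-privileged.yml pins `@v3`; using the same version in both files keeps the producer and consumer consistent. In the last hunk the reworked sonarqube step guards on `${{ env.SONAR_TOKEN != '' }}` with `SONAR_TOKEN` defined on that same step; it is worth confirming that a step's own `env` is visible to its `if`, since if it is not the step would be silently skipped on every run.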