-
Notifications
You must be signed in to change notification settings - Fork 0
129 lines (114 loc) · 4.9 KB
/
maven.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
name: maven-cicd
on:
# for regular master build (after the merge)
push:
branches:
- main
# for PRs from forked repos and non forked repos
# in order to write status info to the PR we require write repository token (https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/)
pull_request:
branches:
- main
types: [opened, synchronize, reopened]
# restrict privileges except for setting commit status, adding PR comments and writing statuses
permissions:
actions: read
checks: write
contents: read
deployments: read
issues: read
packages: read
pull-requests: write
repository-projects: read
security-events: read
statuses: write
jobs:
build:
strategy:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
jdk: [11, 17, 21]
include:
# lengthy build steps should only be performed on linux with Java 17 (Sonarcloud analysis, deployment)
- os: ubuntu-latest
jdk: 17
isMainBuildEnv: true
namePrefix: 'Main '
fail-fast: false
name: ${{ matrix.namePrefix }} Maven build (${{ matrix.os }}, JDK ${{ matrix.jdk }})
runs-on: ${{ matrix.os }}
steps:
- name: Checkout
uses: actions/checkout@v4
# always act on the modified source code (even for event pull_request_target)
# is considered potentially unsafe (https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) but actions are only executed after approval from committers
with:
ref: ${{ github.event.pull_request.head.sha }}
# no additional git operations after checkout triggered in workflow, no need to store credentials
persist-credentials: false
- name: Set up JDK
uses: actions/setup-java@v4
with:
cache: 'maven'
distribution: 'temurin'
java-version: ${{ matrix.jdk }}
# generate settings.xml with the correct values
server-id: ossrh # Value of the distributionManagement/repository/id field of the pom.xml
server-username: MAVEN_USERNAME # env variable for username in deploy
server-password: MAVEN_PASSWORD # env variable for token in deploy
# sets environment variables to be used in subsequent steps: https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable
- name: Set environment variables
shell: bash
run: |
if [ "${{ matrix.isMainBuildEnv }}" = "true" ]; then
echo "MVN_ADDITIONAL_OPTS=-Dsonar.projectKey=Netcentric_aem-content-package-namespace-validators -Dsonar.organization=netcentric -Dsonar.host.url=https://sonarcloud.io -Pjacoco-report" >> $GITHUB_ENV
if [ "${{github.ref}}" = "refs/heads/main" ] && [ "${{github.event_name}}" = "push" ]; then
echo "MAVEN_USERNAME=${{ secrets.OSSRH_TOKEN_USER }}" >> $GITHUB_ENV
echo "MAVEN_PASSWORD=${{ secrets.OSSRH_TOKEN_PASSWORD }}" >> $GITHUB_ENV
echo "MVN_GOAL=clean deploy org.sonarsource.scanner.maven:sonar-maven-plugin:sonar" >> $GITHUB_ENV
echo "STEP_NAME_SUFFIX=(Deploys to OSSRH)" >> $GITHUB_ENV
else
echo "MVN_GOAL=clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:5.0.0.4389:sonar" >> $GITHUB_ENV
fi
else
echo "MVN_ADDITIONAL_OPTS=" >> $GITHUB_ENV
echo "MVN_GOAL=clean verify" >> $GITHUB_ENV
fi
- name: Set up Maven
# https://maven.apache.org/wrapper/#using-a-different-version-of-maven
run: mvn --errors --batch-mode --show-version org.apache.maven.plugins:maven-wrapper-plugin:3.3.2:wrapper "-Dmaven=3.9.9"
- name: ${{ matrix.namePrefix }} Build with Maven ${{ env.STEP_NAME_SUFFIX }}
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: ./mvnw -e -B -V ${{ env.MVN_GOAL }} ${{ env.MVN_ADDITIONAL_OPTS }}
- name: Upload Test Results
if: always()
uses: actions/upload-artifact@v4
with:
name: Test Results (${{ matrix.os }}, JDK ${{ matrix.jdk }}))
path: |
target/surefire-reports/TEST*.xml
target/invoker-reports/TEST*.xml
publish-test-results:
name: "Publish Tests Results"
needs: build
runs-on: ubuntu-latest
permissions:
checks: write
# only needed unless run with comment_mode: off
pull-requests: write
# only needed for private repository
contents: read
# only needed for private repository
issues: read
if: always()
steps:
- name: Download Artifacts
uses: actions/download-artifact@v4
with:
path: artifacts
- name: Publish Test Results
uses: EnricoMi/publish-unit-test-result-action@v2
with:
files: "artifacts/**/*.xml"