1- name : pre-review
1+ name : CI
22
33on :
4- merge_group :
54 pull_request :
65 branches :
76 - main
1716 GRADLE_OPTS : " -Xmx6g -Dorg.gradle.parallel=true"
1817
1918jobs :
19+
2020 repolint :
2121 name : " Repository Linting"
2222 runs-on : ubuntu-latest
2828 ref : ${{ github.event.pull_request.head.sha || github.ref }}
2929 - name : Lint Repo
3030 run : bundle exec /app/bin/repolinter.js --rulesetUrl https://raw.githubusercontent.com/hyperledger-labs/hyperledger-community-management-tools/main/repo_structure/repolint.json --format markdown
31+
3132 gradle-wrapper :
3233 name : " Gradle Wrapper Validation"
3334 runs-on : ubuntu-latest
3637 with :
3738 ref : ${{ github.event.pull_request.head.sha || github.ref }}
3839 - uses : gradle/actions/wrapper-validation@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6.0.1
40+
3941 spotless-checkLicense :
4042 name : " Spotless & Check License"
4143 runs-on : ubuntu-latest
6264 with :
6365 name : checkLicense
6466 path : build/reports/dependency-license
67+
6568 compile :
6669 runs-on : ubuntu-latest
6770 timeout-minutes : 30
8285 cache-disabled : true
8386 - name : Gradle Compile
8487 run : ./gradlew build -x test -x spotlessCheck
88+ - name : Upload tar.gz
89+ uses : actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
90+ with :
91+ name : besu-tar
92+ path : build/distributions/besu-*.tar.gz
93+ retention-days : 10
94+ - name : Upload zip
95+ uses : actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
96+ with :
97+ name : besu-zip
98+ path : build/distributions/besu-*.zip
99+ retention-days : 10
100+ - name : Upload workspace build
101+ uses : actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
102+ with :
103+ name : assemble-output
104+ path : |
105+ ./
106+ !./.git/**
107+ retention-days : 1
108+ include-hidden-files : ' true'
109+
110+ # Supply chain security: verifies that source JARs for all dependencies are recorded
111+ # in verification-metadata.xml. Prevents tampered or undeclared source artifacts
112+ # from being introduced without explicit sign-off.
85113 verify-source-metadata :
86114 name : " Verify Dependency Source Metadata"
87115 runs-on : ubuntu-latest
@@ -102,78 +130,57 @@ jobs:
102130 cache-disabled : true
103131 - name : Verify source artifacts recorded in verification-metadata.xml
104132 run : ./gradlew verifySourceArtifacts
133+
134+ # Tests
135+ # Each suite has its suite-tests-passed job in the file directly
105136 unitTests :
106- runs-on : besu-research-ubuntu-16 # more cores
107- timeout-minutes : 30
108- needs : [spotless-checkLicense, gradle-wrapper, repolint]
137+ needs : compile
109138 permissions :
139+ actions : read
140+ contents : read
110141 checks : write
111142 statuses : write
112- strategy :
113- fail-fast : true
114- steps :
115- - name : Checkout Repo
116- uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
117- with :
118- ref : ${{ github.event.pull_request.head.sha || github.ref }}
119- - name : Set up Java
120- uses : actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
121- with :
122- distribution : temurin
123- java-version : 25
124- - name : Install required packages
125- run : sudo apt-get install -y xmlstarlet
126- - name : Setup Gradle
127- uses : gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6.0.1
128- with :
129- cache-disabled : true
130- add-job-summary : on-failure
131- - name : run unit tests
132- env :
133- # reducing JVM forks to increase reuse of setup code such as SignatureAlgorithm
134- GRADLE_MAX_TEST_FORKS : 2 # besu-research-ubuntu-16 will use 8 by default
135- run : ./gradlew -Dorg.gradle.parallel=true -Dorg.gradle.caching=true test
136- - name : Upload Unit Test Results
137- uses : actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
138- with :
139- name : unit-test-results
140- path : ' **/test-results/**/TEST-*.xml'
141- - name : Upload Unit Test HTML Reports
142- uses : actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
143- if : success() || failure()
144- with :
145- name : unit-test-html-reports
146- path : ' **/build/reports/tests/test/**'
147- unittests-passed :
148- name : " unittests-passed"
149- runs-on : ubuntu-latest
150- needs : [compile, unitTests, verify-source-metadata]
143+ uses : ./.github/workflows/unit-tests.yml
144+ with :
145+ assemble_output_run_id : ${{ github.run_id }}
146+
147+ integrationTests :
148+ needs : compile
151149 permissions :
150+ actions : read
151+ contents : read
152152 checks : write
153- statuses : write
154- if : always()
155- steps :
156- # Fail if any `needs` job was not a success.
157- # Along with `if: always()`, this allows this job to act as a single required status check for the entire workflow.
158- - name : Fail on workflow error
159- run : exit 1
160- if : >-
161- ${{
162- contains(needs.*.result, 'failure')
163- || contains(needs.*.result, 'cancelled')
164- || contains(needs.*.result, 'skipped')
165- }}
166- - name : Checkout Repo
167- if : always()
168- uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
169- with :
170- ref : ${{ github.event.pull_request.head.sha || github.ref }}
171- - name : Download all unit test results
172- if : always()
173- uses : actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
174- with :
175- pattern : unit-test-results
176- merge-multiple : true
177- - name : Report 10 slowest tests
178- if : always()
179- run : python3 .github/workflows/reportSlowestTests.sh 10
153+ statuses : write
154+ uses : ./.github/workflows/integration-tests.yml
155+ with :
156+ assemble_output_run_id : ${{ github.run_id }}
157+
158+ referenceTests :
159+ needs : compile
160+ permissions :
161+ actions : read
162+ contents : read
163+ packages : read
164+ checks : write
165+ statuses : write
166+ uses : ./.github/workflows/reference-tests.yml
167+ with :
168+ assemble_output_run_id : ${{ github.run_id }}
169+ secrets : inherit
170+
171+ acceptanceTests :
172+ needs : compile
173+ permissions :
174+ actions : read
175+ contents : read
176+ checks : write
177+ statuses : write
178+ uses : ./.github/workflows/acceptance-tests.yml
179+ with :
180+ assemble_output_run_id : ${{ github.run_id }}
181+ secrets : inherit
182+
183+
184+ # verify-source-metadata dropped from the merge gate
185+ # The old unittests-passed gate required [compile, unitTests, verify-source-metadata]. The new one only requires [unitTests]. Supply-chain security checks (verifySourceArtifacts) no longer block PR merge. This feels like an unintentional regression — verify-source-metadata should remain in the required set.
186+ # gate the merge all tests thing heresN
0 commit comments