Backport some of the workflow updates (sonar, version updates, OTP) #9673
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: GH Actions CI | |
| on: | |
| pull_request: | |
| branches: | |
| - '7.1' | |
| # Ignore dependabot PRs that are not just about build dependencies or workflows; | |
| # we'll reject such PRs and send one ourselves. | |
| - '!dependabot/**' | |
| - 'dependabot/maven/build-dependencies-**' | |
| - 'dependabot/github_actions/workflow-actions-**' | |
| permissions: { } # none | |
| # See https://github.com/hibernate/hibernate-orm/pull/4615 for a description of the behavior we're getting. | |
| concurrency: | |
| # Consider that two builds are in the same concurrency group (cannot run concurrently) | |
| # if they use the same workflow and are about the same branch ("ref") or pull request. | |
| group: "workflow = ${{ github.workflow }}, ref = ${{ github.event.ref }}, pr = ${{ github.event.pull_request.id }}" | |
| # Cancel previous builds in the same concurrency group even if they are in progress | |
| # for pull requests or pushes to forks (not the upstream repository). | |
| cancel-in-progress: ${{ github.event_name == 'pull_request' || github.repository != 'hibernate/hibernate-orm' }} | |
| jobs: | |
| # Main job for h2/docker DBs. | |
| build: | |
| permissions: | |
| contents: read | |
| name: OpenJDK 21 - ${{matrix.rdbms}} | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - rdbms: h2 | |
| - rdbms: hsqldb | |
| - rdbms: mysql | |
| - rdbms: mariadb | |
| - rdbms: postgresql | |
| - rdbms: edb | |
| - rdbms: oracle | |
| - rdbms: db2 | |
| - rdbms: mssql | |
| - rdbms: sybase | |
| # Running with CockroachDB requires at least 2-4 vCPUs, which we don't have on GH Actions runners | |
| # - rdbms: cockroachdb | |
| # Running with HANA requires at least 8GB memory just for the database, which we don't have on GH Actions runners | |
| # - rdbms: hana | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Reclaim Disk Space | |
| run: .github/ci-prerequisites.sh | |
| - name: Start database | |
| env: | |
| RDBMS: ${{ matrix.rdbms }} | |
| run: ci/database-start.sh | |
| - name: Set up Java 21 | |
| uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '21' | |
| - name: Generate cache key | |
| id: cache-key | |
| run: | | |
| CURRENT_BRANCH="${{ github.repository != 'hibernate/hibernate-orm' && 'fork' || github.base_ref || github.ref_name }}" | |
| CURRENT_MONTH=$(/bin/date -u "+%Y-%m") | |
| CURRENT_DAY=$(/bin/date -u "+%d") | |
| ROOT_CACHE_KEY="buildtool-cache" | |
| echo "buildtool-monthly-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}" >> $GITHUB_OUTPUT | |
| echo "buildtool-monthly-branch-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}" >> $GITHUB_OUTPUT | |
| echo "buildtool-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}-${CURRENT_DAY}" >> $GITHUB_OUTPUT | |
| - name: Cache Maven/Gradle Dependency/Dist Caches | |
| id: cache-maven | |
| uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 | |
| # if it's not a pull request, we restore and save the cache | |
| if: github.event_name != 'pull_request' | |
| with: | |
| path: | | |
| ~/.m2/repository/ | |
| ~/.m2/wrapper/ | |
| ~/.gradle/caches/ | |
| !~/.gradle/caches/build-cache-* | |
| ~/.gradle/wrapper/ | |
| # A new cache will be stored daily. After that first store of the day, cache save actions will fail because the cache is immutable, but it's not a problem. | |
| # The whole cache is dropped monthly to prevent unlimited growth. | |
| # The cache is per branch but in case we don't find a branch for a given branch, we will get a cache from another branch. | |
| key: ${{ steps.cache-key.outputs.buildtool-cache-key }} | |
| restore-keys: | | |
| ${{ steps.cache-key.outputs.buildtool-monthly-branch-cache-key }}- | |
| ${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}- | |
| - name: Restore Maven/Gradle Dependency/Dist Caches | |
| uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 | |
| # if it is a pull request, we restore the cache, but we don't save it | |
| if: github.event_name == 'pull_request' | |
| with: | |
| path: | | |
| ~/.m2/repository/ | |
| ~/.m2/wrapper/ | |
| ~/.gradle/caches/ | |
| !~/.gradle/caches/build-cache-* | |
| ~/.gradle/wrapper/ | |
| key: ${{ steps.cache-key.outputs.buildtool-cache-key }} | |
| restore-keys: | | |
| ${{ steps.cache-key.outputs.buildtool-monthly-branch-cache-key }}- | |
| ${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}- | |
| - name: Run build script | |
| run: ./ci/build-github.sh | |
| shell: bash | |
| env: | |
| RDBMS: ${{ matrix.rdbms }} | |
| # For jobs running on 'push', publish build scan and cache immediately. | |
| # This won't work for pull requests, since they don't have access to secrets. | |
| POPULATE_REMOTE_GRADLE_CACHE: ${{ github.event_name == 'push' && github.repository == 'hibernate/hibernate-orm' && 'true' || 'false' }} | |
| DEVELOCITY_ACCESS_KEY: "${{ secrets.DEVELOCITY_ACCESS_KEY }}" | |
| # For jobs running on 'pull_request', upload build scan data. | |
| # The actual publishing must be done in a separate job (see ci-report.yml). | |
| # We don't write to the remote cache as that would be unsafe. | |
| - name: Upload GitHub Actions artifact for the Develocity build scan | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| if: "${{ github.event_name == 'pull_request' && !cancelled() }}" | |
| with: | |
| name: build-scan-data-${{ matrix.rdbms }} | |
| path: ~/.gradle/build-scan-data | |
| - name: Store coverage report | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: build-coverage-data-${{ matrix.rdbms }} | |
| retention-days: 1 | |
| path: | | |
| ./**/target/jacoco/*.exec | |
| - name: Store build results | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| if: "${{ matrix.rdbms == 'h2' }}" | |
| with: | |
| name: build-compilation-data | |
| retention-days: 1 | |
| path: | | |
| ./**/target/resources/ | |
| ./**/target/classes/ | |
| ./**/target/generated/ | |
| .gradle/caches/build-cache-* | |
| - name: Upload test reports (if Gradle failed) | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| if: failure() | |
| with: | |
| name: test-reports-java11-${{ matrix.rdbms }} | |
| path: | | |
| ./**/target/reports/tests/ | |
| - name: Omit produced artifacts from build cache | |
| run: ./ci/before-cache.sh | |
| # Job for builds on Oracle TP infrastructure. | |
| # This is untrusted, even for pushes, see below. | |
| otp: | |
| permissions: | |
| contents: read | |
| name: GraalVM 21 - ${{matrix.rdbms}} | |
| runs-on: [ self-hosted, Linux, X64, OracleTestPilot ] | |
| if: github.repository == 'hibernate/hibernate-orm' | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| #- rdbms: autonomous-transaction-processing-serverless-26ai | |
| #- rdbms: autonomous-transaction-processing-serverless-19c | |
| - rdbms: base-database-service-19c | |
| - rdbms: base-database-service-21c | |
| - rdbms: base-database-service-26ai | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Set up Java 21 | |
| uses: graalvm/setup-graalvm@f744c72a42b1995d7b0cbc314bde4bace7ac1fe1 # v1.5.0 | |
| with: | |
| distribution: 'graalvm' | |
| java-version: '21' | |
| - name: Generate cache key | |
| id: cache-key | |
| run: | | |
| CURRENT_BRANCH="${{ github.repository != 'hibernate/hibernate-orm' && 'fork' || github.base_ref || github.ref_name }}" | |
| CURRENT_MONTH=$(/bin/date -u "+%Y-%m") | |
| CURRENT_DAY=$(/bin/date -u "+%d") | |
| ROOT_CACHE_KEY="buildtool-cache-oracle-test-pilot" | |
| echo "buildtool-monthly-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}" >> $GITHUB_OUTPUT | |
| echo "buildtool-monthly-branch-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}" >> $GITHUB_OUTPUT | |
| echo "buildtool-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}-${CURRENT_DAY}" >> $GITHUB_OUTPUT | |
| - name: Cache Maven/Gradle Dependency/Dist Caches | |
| id: cache-maven | |
| uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 | |
| # if it's not a pull request, we restore and save the cache | |
| if: github.event_name != 'pull_request' | |
| with: | |
| path: | | |
| ~/.m2/repository/ | |
| ~/.m2/wrapper/ | |
| ~/.gradle/caches/ | |
| !~/.gradle/caches/build-cache-* | |
| ~/.gradle/wrapper/ | |
| # A new cache will be stored daily. After that first store of the day, cache save actions will fail because the cache is immutable, but it's not a problem. | |
| # The whole cache is dropped monthly to prevent unlimited growth. | |
| # The cache is per branch but in case we don't find a branch for a given branch, we will get a cache from another branch. | |
| key: ${{ steps.cache-key.outputs.buildtool-cache-key }} | |
| restore-keys: | | |
| ${{ steps.cache-key.outputs.buildtool-monthly-branch-cache-key }}- | |
| ${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}- | |
| - name: Restore Maven/Gradle Dependency/Dist Caches | |
| uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 | |
| # if it is a pull request, we restore the cache, but we don't save it | |
| if: github.event_name == 'pull_request' | |
| with: | |
| path: | | |
| ~/.m2/repository/ | |
| ~/.m2/wrapper/ | |
| ~/.gradle/caches/ | |
| !~/.gradle/caches/build-cache-* | |
| ~/.gradle/wrapper/ | |
| key: ${{ steps.cache-key.outputs.buildtool-cache-key }} | |
| restore-keys: | | |
| ${{ steps.cache-key.outputs.buildtool-monthly-branch-cache-key }}- | |
| ${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}- | |
| - id: create_database | |
| uses: oracle-actions/setup-testpilot@f620f11f9f26dacfe80ba1823342e3e92604c55f # v1.0.23 | |
| with: | |
| oci-service: ${{ matrix.rdbms }} | |
| action: create | |
| user: hibernate_orm_test | |
| - name: Run build script | |
| env: | |
| RDBMS: ${{ matrix.rdbms }} | |
| RUNID: ${{ github.run_number }} | |
| TESTPILOT_CONNECTION_STRING_SUFFIX: ${{ steps.create_database.outputs.connection_string_suffix }} | |
| TESTPILOT_PASSWORD: ${{ steps.create_database.outputs.database_password }} | |
| API_HOST: "" | |
| TESTPILOT_CLIENT_ID: "" | |
| TESTPILOT_TOKEN: "" | |
| # Needed for TFO (TCP fast open) | |
| LD_PRELOAD: /home/ubuntu/libtfojdbc1.so | |
| LD_LIBRARY_PATH: /home/ubuntu | |
| run: ./ci/build-github.sh | |
| shell: bash | |
| - uses: oracle-actions/setup-testpilot@f620f11f9f26dacfe80ba1823342e3e92604c55f # v1.0.23 | |
| if: always() | |
| with: | |
| oci-service: ${{ matrix.rdbms }} | |
| action: delete | |
| user: hibernate_orm_test | |
| # Upload build scan data. | |
| # The actual publishing must be done in a separate job (see ci-report.yml). | |
| # We don't write to the remote cache as that would be unsafe. | |
| # That's even on push, because we do not trust Oracle Test Pilot runners to hold secrets: they are shared infrastructure. | |
| - name: Upload GitHub Actions artifact for the Develocity build scan | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| if: "${{ !cancelled() }}" | |
| with: | |
| name: build-scan-data-${{ matrix.rdbms }} | |
| path: ~/.gradle/build-scan-data | |
| - name: Store coverage report | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: build-coverage-data-${{ matrix.rdbms }} | |
| retention-days: 1 | |
| path: | | |
| ./**/target/jacoco/*.exec | |
| - name: Upload test reports (if Gradle failed) | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| if: failure() | |
| with: | |
| name: test-reports-java11-${{ matrix.rdbms }} | |
| path: | | |
| ./**/target/reports/tests/ | |
| - name: Omit produced artifacts from build cache | |
| run: ./ci/before-cache.sh | |
| # Static code analysis check | |
| format_checks: | |
| permissions: | |
| contents: read | |
| name: Static code analysis | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Reclaim disk space and sanitize user home | |
| run: .github/ci-prerequisites-atlas.sh | |
| - name: Set up Java 21 | |
| uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '21' | |
| - name: Generate cache key | |
| id: cache-key | |
| run: | | |
| CURRENT_BRANCH="${{ github.repository != 'hibernate/hibernate-orm' && 'fork' || github.base_ref || github.ref_name }}" | |
| CURRENT_MONTH=$(/bin/date -u "+%Y-%m") | |
| CURRENT_DAY=$(/bin/date -u "+%d") | |
| ROOT_CACHE_KEY="buildtool-cache" | |
| echo "buildtool-monthly-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}" >> $GITHUB_OUTPUT | |
| echo "buildtool-monthly-branch-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}" >> $GITHUB_OUTPUT | |
| echo "buildtool-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}-${CURRENT_DAY}" >> $GITHUB_OUTPUT | |
| - name: Cache Maven/Gradle Dependency/Dist Caches | |
| id: cache-maven | |
| uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 | |
| # if it's not a pull request, we restore and save the cache | |
| if: github.event_name != 'pull_request' | |
| with: | |
| path: | | |
| ~/.m2/repository/ | |
| ~/.m2/wrapper/ | |
| ~/.gradle/caches/ | |
| !~/.gradle/caches/build-cache-* | |
| ~/.gradle/wrapper/ | |
| # A new cache will be stored daily. After that first store of the day, cache save actions will fail because the cache is immutable, but it's not a problem. | |
| # The whole cache is dropped monthly to prevent unlimited growth. | |
| # The cache is per branch but in case we don't find a branch for a given branch, we will get a cache from another branch. | |
| key: ${{ steps.cache-key.outputs.buildtool-cache-key }} | |
| restore-keys: | | |
| ${{ steps.cache-key.outputs.buildtool-monthly-branch-cache-key }}- | |
| ${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}- | |
| - name: Restore Maven/Gradle Dependency/Dist Caches | |
| uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 | |
| # if it is a pull request, we restore the cache, but we don't save it | |
| if: github.event_name == 'pull_request' | |
| with: | |
| path: | | |
| ~/.m2/repository/ | |
| ~/.m2/wrapper/ | |
| ~/.gradle/caches/ | |
| !~/.gradle/caches/build-cache-* | |
| ~/.gradle/wrapper/ | |
| key: ${{ steps.cache-key.outputs.buildtool-cache-key }} | |
| restore-keys: | | |
| ${{ steps.cache-key.outputs.buildtool-monthly-branch-cache-key }}- | |
| ${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}- | |
| - name: Run build script | |
| run: ./gradlew formatChecks | |
| env: | |
| # For jobs running on 'push', publish build scan and cache immediately. | |
| # This won't work for pull requests, since they don't have access to secrets. | |
| POPULATE_REMOTE_GRADLE_CACHE: ${{ github.event_name == 'push' && github.repository == 'hibernate/hibernate-orm' && 'true' || 'false' }} | |
| DEVELOCITY_ACCESS_KEY: "${{ secrets.DEVELOCITY_ACCESS_KEY }}" | |
| # For jobs running on 'pull_request', upload build scan data. | |
| # The actual publishing must be done in a separate job (see ci-report.yml). | |
| # We don't write to the remote cache as that would be unsafe. | |
| - name: Upload GitHub Actions artifact for the Develocity build scan | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| if: "${{ github.event_name == 'pull_request' && !cancelled() }}" | |
| with: | |
| name: build-scan-data-sca | |
| path: ~/.gradle/build-scan-data | |
| - name: Upload test reports (if Gradle failed) | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| if: failure() | |
| with: | |
| name: test-reports-java11-sca | |
| path: | | |
| ./**/target/reports/tests/ | |
| - name: Omit produced artifacts from build cache | |
| run: ./ci/before-cache.sh | |
| prepare-sonar-bundle: | |
| name: Prepare build bundle for Sonar scanner | |
| needs: | |
| - build | |
| - otp | |
| if: | | |
| always() && !cancelled() | |
| && needs.build.result != 'cancelled' && needs.otp.result != 'cancelled' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 | |
| with: | |
| java-version: '21' | |
| distribution: 'temurin' | |
| - name: Generate cache key | |
| id: cache-key | |
| run: | | |
| CURRENT_BRANCH="${{ github.repository != 'hibernate/hibernate-orm' && 'fork' || github.base_ref || github.ref_name }}" | |
| CURRENT_MONTH=$(/bin/date -u "+%Y-%m") | |
| CURRENT_DAY=$(/bin/date -u "+%d") | |
| ROOT_CACHE_KEY="buildtool-cache" | |
| echo "buildtool-monthly-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}" >> $GITHUB_OUTPUT | |
| echo "buildtool-monthly-branch-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}" >> $GITHUB_OUTPUT | |
| echo "buildtool-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}-${CURRENT_DAY}" >> $GITHUB_OUTPUT | |
| - name: Restore Maven/Gradle Dependency/Dist Caches | |
| uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 | |
| with: | |
| path: | | |
| ~/.m2/repository/ | |
| ~/.m2/wrapper/ | |
| ~/.gradle/caches/ | |
| !~/.gradle/caches/build-cache-* | |
| ~/.gradle/wrapper/ | |
| key: ${{ steps.cache-key.outputs.buildtool-cache-key }} | |
| restore-keys: | | |
| ${{ steps.cache-key.outputs.buildtool-monthly-branch-cache-key }}- | |
| ${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}- | |
| - name: Download compilation results | |
| uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # 7.0.0 | |
| with: | |
| name: build-compilation-data | |
| path: . | |
| # Don't fail the build if there are no matching artifacts (the build will re-compile things then) | |
| continue-on-error: true | |
| - name: Download coverage reports | |
| uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # 7.0.0 | |
| with: | |
| pattern: build-coverage-data* | |
| path: . | |
| merge-multiple: 'true' | |
| # Don't fail the build if there are no matching artifacts | |
| continue-on-error: true | |
| - name: Merge Jacoco Reports | |
| run: ./gradlew mergeCodeCoverageReport copyDependenciesSonar --no-parallel | |
| - name: Store build info for Sonar scanning | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: build-results-data | |
| retention-days: 1 | |
| path: | | |
| ./**/target/jacoco/*.exec | |
| ./**/target/classes/ | |
| ./**/target/generated/ | |
| ./**/target/resources/ | |
| ./**/target/reports/ | |
| ./**/target/sonar-dependencies/ |