feat: enable Gradle dependency locking for all configurations feat: enforce strict lock-state usage in the build feat: centralize repository declaration in settings.gradle feat: enable strict Gradle dependency verification via gradle.properties feat: add committed dependency lock state and verification metadata fix: defer mockito agent resolution to test execution phase for locked builds ci: validate reproducibility inputs before workflow builds ci: include lock and verification inputs in workflow change detection docs: establish explicit dependency update workflow for locks and verification metadata
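# Build, test and (for release@* tags only) publish a Gradle project.
#
# Supply-chain posture of this workflow, as visible in this file:
#   - The default GITHUB_TOKEN is read-only. Only the release job escalates
#     to `contents: write`, and only after the quality gates have passed.
#   - The Gradle wrapper jar is validated before it is executed, and every
#     build runs with the committed lock state (gradle.lockfile) and strict
#     dependency verification (gradle/verification-metadata.xml), so a build
#     cannot silently resolve a different or tampered artifact.
#   - Third-party actions are referenced by major-version tag. Tags are
#     mutable; pinning each `uses:` to a full commit SHA (with Dependabot or
#     Renovate keeping the pin current) is the stronger choice, above all for
#     the action that receives the write token in the release job.
name: Build and Release

on:
  push:
    branches:
      - main
      - develop
    tags:
      - 'release@*'
  pull_request:
    branches:
      - main
      - develop

# Least privilege by default; a job that needs more declares it itself.
permissions:
  contents: read

# One run per ref; a newer push to the same branch cancels the older run.
# Tag refs each form their own group, so a release is never cancelled by a
# branch push.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  quality-gates:
    name: Quality gates
    runs-on: ubuntu-latest

    steps:
      - name: Check out repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # Do not leave the job token in .git/config, where every later
          # step (Gradle build scripts included) could read it. Nothing in
          # this job pushes with git, so the credential is not needed.
          persist-credentials: false

      # Rejects a wrapper jar whose checksum is not a known Gradle release.
      - name: Validate Gradle wrapper
        uses: gradle/actions/wrapper-validation@v4

      - name: Set up Temurin JDK 21
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '21'

      - name: Set up Gradle caching and instrumentation
        uses: gradle/actions/setup-gradle@v4

      # Fail early, with a clear message, if the files that pin the dependency
      # graph are missing. `test -s` also rejects an empty placeholder file.
      - name: Verify reproducibility inputs
        shell: bash
        run: |
          set -euo pipefail
          test -s gradle.lockfile
          test -s gradle.properties
          test -s gradle/verification-metadata.xml

      # --dependency-verification=strict makes a checksum/signature mismatch
      # fatal for this invocation even if gradle.properties is later edited
      # to relax the mode; it is a no-op when the project is already strict.
      - name: Execute build, tests, PMD, coverage, Javadoc, distribution packaging, and SBOM generation
        run: >-
          ./gradlew --no-daemon --dependency-verification=strict
          clean build pmdMain javadoc jacocoTestReport distZip cyclonedxBom

      # Report uploads run even when the build fails so the failure can be
      # inspected; only the distribution archives require a green build.
      - name: Upload SBOM
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: |
            build/reports/sbom/radixor-sbom.json
            build/reports/sbom/radixor-sbom.xml
          if-no-files-found: error
          retention-days: 14

      - name: Upload test reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: test-reports
          path: |
            build/reports/tests/test
            build/test-results/test
          if-no-files-found: warn
          retention-days: 14

      - name: Upload PMD reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: pmd-reports
          path: build/reports/pmd
          if-no-files-found: warn
          retention-days: 14

      - name: Upload coverage reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: coverage-reports
          path: |
            build/reports/jacoco/test/html
            build/reports/jacoco/test/jacocoTestReport.xml
          if-no-files-found: warn
          retention-days: 14

      - name: Upload Javadoc
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: javadoc
          path: build/docs/javadoc
          if-no-files-found: warn
          retention-days: 14

      # Benchmarks are not part of every build, so a missing report is not
      # an error here.
      - name: Upload benchmark reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: benchmark-reports
          path: build/reports/jmh
          if-no-files-found: ignore
          retention-days: 14

      - name: Upload distribution archives
        if: success()
        uses: actions/upload-artifact@v4
        with:
          name: distributions
          path: build/distributions/*.zip
          if-no-files-found: error
          retention-days: 14

  # Publishes a GitHub release for `release@*` tags. Only a push of such a
  # tag reaches this job, and only after quality-gates succeeded, so a
  # pull request (including one from a fork) can never obtain the write
  # token. The job rebuilds from source rather than reusing the artifact
  # tested above; the locked, verified inputs are what make the two builds
  # comparable — NOTE(review): if byte-identical output is required, prefer
  # downloading the `distributions` artifact from quality-gates instead.
  release:
    name: Publish tagged distribution
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/release@')
    runs-on: ubuntu-latest
    needs: quality-gates
    permissions:
      contents: write

    steps:
      - name: Check out repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # See quality-gates: the release step uses the API token it is
          # given, not git credentials, so none are kept on disk.
          persist-credentials: false

      - name: Validate Gradle wrapper
        uses: gradle/actions/wrapper-validation@v4

      - name: Set up Temurin JDK 21
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '21'

      - name: Set up Gradle caching and instrumentation
        uses: gradle/actions/setup-gradle@v4

      - name: Verify reproducibility inputs
        shell: bash
        run: |
          set -euo pipefail
          test -s gradle.lockfile
          test -s gradle.properties
          test -s gradle/verification-metadata.xml

      - name: Build release distribution and SBOM
        run: >-
          ./gradlew --no-daemon --dependency-verification=strict
          clean build pmdMain javadoc jacocoTestReport distZip cyclonedxBom

      # Stage every published asset in one directory and ship a SHA256SUMS
      # file next to them, so a consumer can run `sha256sum -c SHA256SUMS`
      # on what they downloaded. A missing SBOM fails the release here
      # rather than being silently omitted from the asset list.
      - name: Stage release assets and generate checksums
        shell: bash
        run: |
          set -euo pipefail
          mkdir -p build/release
          cp build/distributions/*.zip build/release/
          cp build/reports/sbom/radixor-sbom.json build/reports/sbom/radixor-sbom.xml build/release/
          (cd build/release && sha256sum -- * > SHA256SUMS)

      # This is the only step that exercises `contents: write`; it is the
      # first candidate for a commit-SHA pin.
      - name: Publish GitHub release assets
        uses: softprops/action-gh-release@v2
        with:
          generate_release_notes: true
          files: |
            build/release/*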