Version 5.0.0 #333
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Java Core Library | |
| on: | |
| pull_request: | |
| pull_request_target: # Use pull_request_target so Dependabot PRs can run with repo context (secrets available) | |
| branches: [ "master" ] | |
| push: | |
| branches: [ "master" ] | |
| workflow_dispatch: | |
| env: | |
| DEFAULT_JAVA_VERSION: '17' | |
| jobs: | |
| test: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| java: [ '17', '21', '25' ] | |
| name: Test with Java ${{ matrix.java }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Java | |
| uses: actions/setup-java@v5 | |
| with: | |
| distribution: temurin | |
| java-version: ${{ matrix.java }} | |
| - name: Run tests and generate reports | |
| run: ./gradlew testAndReport | |
| - name: Upload Artifact | |
| uses: actions/upload-artifact@v7 | |
| if: always() | |
| with: | |
| name: report-java-${{ matrix.java }} | |
| path: build/reports/** | |
| retention-days: 5 | |
| - name: Run Sonar analysis | |
| # Skip Sonar on Dependabot in pull_request runs (no secrets there); handled by a separate job below | |
| if: matrix.java == env.DEFAULT_JAVA_VERSION && github.actor != 'dependabot[bot]' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| run: ./gradlew sonar -x test --no-watch-fs | |
| # Separate job to safely run Sonar on Dependabot PRs using pull_request_target context | |
| sonar-dependabot: | |
| name: Sonar (Dependabot PRs) | |
| # Only run when the event is pull_request_target and the actor is Dependabot | |
| if: github.event_name == 'pull_request_target' && github.event.pull_request.user.login == 'dependabot[bot]' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| checks: write | |
| steps: | |
| # IMPORTANT: pull_request_target defaults to checking out the base branch; explicitly use the PR HEAD SHA | |
| - name: Checkout PR HEAD | |
| uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - name: Setup Java | |
| uses: actions/setup-java@v5 | |
| with: | |
| distribution: temurin | |
| java-version: ${{ env.DEFAULT_JAVA_VERSION }} | |
| - name: Build (no tests) | |
| run: ./gradlew assemble -x test | |
| - name: Sonar analysis (Dependabot) | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Secrets are available in PR_TARGET context | |
| run: ./gradlew sonar -x test --no-watch-fs | |
| build: | |
| runs-on: ubuntu-latest | |
| needs: [ test ] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| - name: Setup Java | |
| uses: actions/setup-java@v5 | |
| with: | |
| distribution: temurin | |
| java-version: ${{ env.DEFAULT_JAVA_VERSION }} | |
| - name: Run build with Gradle Wrapper | |
| run: ./gradlew build -x test | |
| - name: Upload Artifact | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: jar | |
| path: build/libs/** | |
| retention-days: 5 |