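# CI for the Java core library: regression tests against a Spring version
# matrix, tests against the latest Spring Boot, Sonar analysis, and the jar build.
#
# Security notes for maintainers:
# - The workflow listens to both pull_request and pull_request_target, so every
#   job is evaluated for both events. pull_request_target runs in the base
#   repository's context with secrets available; only the sonar-dependabot job
#   checks out pull-request code under that event, and it is gated accordingly.
#   All other jobs use the default checkout ref.
# - Actions are referenced by mutable version tags. Pinning each `uses:` to a
#   full commit SHA is the stronger supply-chain choice.
name: Build Java Core Library

on:
  pull_request:
  # pull_request_target gives Dependabot PRs access to repository secrets
  # (needed for Sonar). Any job that checks out PR code under this event must
  # verify where that code comes from before it runs.
  pull_request_target:
    branches: ["master"]
  push:
    branches: ["master"]
  workflow_dispatch:

jobs:
  # Reads the Spring/Java version matrix from the repository and exposes it as
  # a job output for regression-tests.
  generate-matrix:
    name: Generate version matrix
    runs-on: ubuntu-latest
    # Least privilege: this job only needs to read the repository.
    permissions:
      contents: read
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - uses: actions/checkout@v6
      - name: Read matrix from JSON
        id: set-matrix
        run: |
          MATRIX=$(jq -c '.matrix' .github/spring-versions.json)
          echo "matrix={\"include\":$MATRIX}" >> "$GITHUB_OUTPUT"

  # Runs the test suite once per matrix entry produced by generate-matrix.
  regression-tests:
    name: Test Spring Boot ${{ matrix.boot }} / Java ${{ matrix.java }}
    needs: generate-matrix
    runs-on: ubuntu-latest
    # Least privilege: checkout and artifact upload need no write scopes.
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Setup Java
        uses: actions/setup-java@v5
        with:
          distribution: temurin
          java-version: ${{ matrix.java }}
      - name: Run tests and generate reports
        # The matrix values originate from a JSON file that a pull request can
        # change. Passing them through the environment keeps them out of the
        # generated shell script, so they are treated as data rather than as
        # shell syntax.
        env:
          MATRIX_BOOT_VERSION: ${{ matrix.boot }}
          MATRIX_FRAMEWORK_VERSION: ${{ matrix.framework }}
        run: |
          ./gradlew testAndReport \
            "-PspringBootVersion=${MATRIX_BOOT_VERSION}" \
            "-PspringFrameworkVersion=${MATRIX_FRAMEWORK_VERSION}"
      - name: Upload Artifact
        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: report-java-${{ matrix.java }}-spring-boot-${{ matrix.boot }}
          path: build/reports/**
          retention-days: 5

  # Tests against the project's default (latest) Spring Boot on Java 17 and 21,
  # then runs Sonar once, on the Java 17 leg.
  # NOTE(review): this job has no `permissions:` block, so GITHUB_TOKEN gets
  # the repository default. Narrow it once the scopes the Sonar step needs are
  # confirmed.
  test:
    name: Test Spring Boot latest / Java ${{ matrix.java }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        java: ['17', '21']
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Setup Java
        uses: actions/setup-java@v5
        with:
          distribution: temurin
          java-version: ${{ matrix.java }}
      - name: Run tests and generate reports
        run: ./gradlew testAndReport
      - name: Upload Artifact
        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: report-java-${{ matrix.java }}-spring-boot-latest
          path: build/reports/**
          retention-days: 5
      - name: Run Sonar analysis
        # Skipped for Dependabot: its pull_request runs have no secrets. The
        # sonar-dependabot job below covers those PRs.
        if: matrix.java == '17' && github.actor != 'dependabot[bot]'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: ./gradlew sonar -x test --no-watch-fs

  # Sonar for Dependabot PRs, run under pull_request_target so that
  # SONAR_TOKEN is available. This is the one job that builds pull-request
  # code with secrets in scope, so its guard decides who can reach them.
  sonar-dependabot:
    name: Sonar (Dependabot PRs)
    # github.actor is the account that triggered the run, not the author of
    # the pull request, so on its own it does not establish that the head
    # commit checked out below is Dependabot's. The guard therefore also
    # requires that Dependabot opened the PR and that the head branch lives in
    # this repository, not in a fork.
    if: >-
      github.event_name == 'pull_request_target' &&
      github.actor == 'dependabot[bot]' &&
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      checks: write
    steps:
      # pull_request_target checks out the base branch by default; the PR head
      # SHA is requested explicitly so that the updated dependencies are
      # analysed.
      - name: Checkout PR HEAD
        uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          # Keep the job token out of .git/config, where build scripts and
          # build-time dependency code from the PR could read it.
          persist-credentials: false
      - name: Setup Java
        uses: actions/setup-java@v5
        with:
          distribution: temurin
          java-version: '17'
      - name: Build (no tests)
        run: ./gradlew assemble -x test
      - name: Sonar analysis (Dependabot)
        # Both tokens are exposed to this Gradle invocation, which runs the
        # build with the dependency versions proposed by the PR.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}  # secrets are available under pull_request_target
        run: ./gradlew sonar -x test --no-watch-fs

  # Builds the jar once the latest-Spring test job has passed.
  build:
    runs-on: ubuntu-latest
    needs: [test]
    # Least privilege: checkout and artifact upload need no write scopes.
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Setup Java
        uses: actions/setup-java@v5
        with:
          distribution: temurin
          # Quoted for consistency with the other jobs, so the version stays a
          # string.
          java-version: '17'
      - name: Run build with Gradle Wrapper
        run: ./gradlew build -x test
      - name: Upload Artifact
        uses: actions/upload-artifact@v7
        with:
          name: jar
          path: build/libs/**
          retention-days: 5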