Skip to content

ci(GitHub): Bump step-security/harden-runner from 2.8.0 to 2.9.1 #113

ci(GitHub): Bump step-security/harden-runner from 2.8.0 to 2.9.1

ci(GitHub): Bump step-security/harden-runner from 2.8.0 to 2.9.1 #113

Workflow file for this run

name: Build
on:
pull_request:
paths-ignore:
- '**-validation.yml'
- '**.*ignore'
- '**.md'
- '**.txt'
- '**/pr-**.yml'
- '**/release.yml'
- '**dependabot.yml'
# Avoid useless and/or duplicate runs.
# Also, we merge with --ff-only,
# so we don't need to run on the merge commit.
branches-ignore:
# Dependabot creates both branch and PR. Avoid running twice.
- 'dependabot/**'
- 'dev'
- 'feat*/**'
- 'fix/**'
- 'mr/**'
- 'pr/**'
- 'pull/**'
- 'wip/**'
push:
paths-ignore:
- '**-validation.yml'
- '**.*ignore'
- '**.md'
- '**.txt'
- '**/pr-**.yml'
- '**/release.yml'
- '**dependabot.yml'
permissions:
contents: write
# required for all workflows (CodeQL)
security-events: write
# required for workflows in private repositories (CodeQL)
actions: read
# We appear to need write permission for both pull-requests and
# issues to post a comment to a pull request.
pull-requests: write
issues: write
env:
CI: true
BUILD_NUMBER: ${{ github.run_number }}
SCM_TAG: ${{ github.sha }}
#GRADLE_OPTS: "-Dorg.gradle.daemon=false"
DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS: "^(?!(classpath)).*"
DEPENDENCY_GRAPH_INCLUDE_PROJECTS: "^:(?!(buildSrc|test|check)).*"
IS_DEFAULT_BRANCH: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
jobs:
buildAndCheck:
strategy:
fail-fast: false
matrix:
java: [ '17' ]
os: [ 'macos', 'ubuntu', 'windows' ]
language: [ 'java-kotlin' ]
name: 'Build and check on ${{ matrix.os }}'
timeout-minutes: 25
runs-on: '${{ matrix.os }}-latest'
if: ${{ !contains(github.event.head_commit.message, 'ci skip') }}
env:
GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: false
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: audit
- name: Checkout
uses: actions/checkout@v4
- name: 'Set up JDK ${{ matrix.java }}'
uses: actions/setup-java@v4
with:
distribution: temurin
java-version: '${{ matrix.java }}'
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v3
with:
gradle-home-cache-cleanup: true
cache-disabled: ${{ matrix.os == 'windows' }} # super slow on Windows.
cache-encryption-key: "${{ secrets.GRADLE_ENCRYPTION_KEY }}"
cache-read-only: ${{ !env.IS_DEFAULT_BRANCH }}
dependency-graph: ${{ env.IS_DEFAULT_BRANCH && 'generate-and-submit' || 'disabled'}}
add-job-summary-as-pr-comment: on-failure
artifact-retention-days: 1
- name: Initialize CodeQL
if: matrix.os == 'ubuntu'
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
- name: 'Build and check plugin itself'
timeout-minutes: 15
run: ./gradlew build assemble check --continue --stacktrace --scan
- name: Upload sarif report (Detekt)
if: always() && (github.event_name == 'pull_request' || env.IS_DEFAULT_BRANCH)
uses: github/codeql-action/upload-sarif@v3
continue-on-error: true
with:
sarif_file: build/detekt-merged.sarif
category: detekt
- name: Upload sarif report (Lint)
if: always() && (github.event_name == 'pull_request' || env.IS_DEFAULT_BRANCH)
uses: github/codeql-action/upload-sarif@v3
continue-on-error: true
with:
sarif_file: build/lint-merged.sarif
category: lint
- name: Run check-latest
if: always()
timeout-minutes: 10
working-directory: checks/latest
run: ./gradlew check --continue --stacktrace --scan
env:
GITHUB_DEPENDENCY_GRAPH_ENABLED: false
- name: Run check-js-only
if: always()
timeout-minutes: 10
working-directory: checks/js-only
run: ./gradlew check --continue --stacktrace --scan
env:
GITHUB_DEPENDENCY_GRAPH_ENABLED: false
- name: Upload the build report
if: always()
uses: actions/upload-artifact@v4
with:
name: '${{ matrix.os }}-build-report'
path: |
**/build/logs/
**/build/reports/
**/build/output/
build/*-merged.*
compression-level: 9
- name: Perform CodeQL Analysis
if: matrix.os == 'ubuntu'
timeout-minutes: 6
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
- name: "Post result in PR comment"
uses: actions/github-script@v7
if: github.event_name == 'pull_request' && failure()
env:
OS: ${{ matrix.os }}
GH_WORKFLOW: ${{ github.workflow }}
RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const { OS, GH_WORKFLOW, RUN_URL } = process.env
github.rest.issues.createComment({
issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo,
body: `❌ ${GH_WORKFLOW} [failed](${RUN_URL}) on ${OS}.`,
})