ci-github-actions/build-gradle/action.yml at e7ebce66b37b214c02cc2606a39c6b72563a3e24 · SonarSource/ci-github-actions · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
---
name: Build Gradle
description: GitHub Action to build, analyze, and deploy a Gradle project
inputs:
  artifactory-deployer-role:
    description: Suffix for the Artifactory deployer role in Vault. Defaults to `qa-deployer` for private repositories, and
      `public-deployer` for public repositories.
    default: ''
  artifactory-deploy-repo:
    description: Deployment repository. Defaults to `sonarsource-private-qa` for private repositories, and `sonarsource-public-qa` for
      public repositories.
    default: ''
  gradle-args:
    description: Additional arguments to pass to Gradle
  deploy:
    description: Whether to deploy on master, maintenance, dogfood and long-lived branches.
    default: 'true'
  deploy-pull-request:
    description: Whether to also deploy pull request artifacts. If deploy is 'false', this has no effect.
    default: 'false'
  skip-tests:
    description: Whether to skip running tests
    default: 'false'
  sonar-platform:
    description: SonarQube primary platform (next, sqc-eu, sqc-us, or none). Use 'none' to skip sonar scans.
    default: next
  run-shadow-scans:
    description: If true, run SonarQube analysis on all three platforms (next, sqc-eu, sqc-us).
      If false, run analysis on the platform specified with sonar-platform.
    default: 'false'
  provenance:
    description: Whether to generate provenance attestation for built artifacts
    default: 'false'
  provenance-artifact-paths:
    description: >-
      Relative paths of the artifacts for which to generate a provenance attestation (glob pattern).
      Default is collected from '*/build/libs/*', '*/build/distributions/*', and '*/build/reports/*'
    default: ''
  # Inputs passed to config-gradle
  working-directory:
    description: Relative path under github.workspace to execute the build in
    default: .
  artifactory-reader-role:
    description: Suffix for the Artifactory reader role in Vault. Defaults to `private-reader` for private repositories, and `public-reader`
      for public repositories.
    default: ''
  repox-url:
    description: URL for Repox
    default: https://repox.jfrog.io
  repox-artifactory-url:
    description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided)
    default: ''
  use-develocity:
    description: Whether to use Develocity for build tracking.
    default: 'false'
  develocity-url:
    description: URL for Develocity
    default: https://develocity.sonar.build/
  cache-paths:
    description: Cache paths to use (multiline).
    default: |-
      ~/.gradle/caches
      ~/.gradle/wrapper
  disable-caching:
    description: Whether to disable Gradle caching entirely
    default: 'false'
  generate-summary:
    description: Whether to generate a workflow summary after the build.
    default: 'true'

outputs:
  project-version:
    description: The release version set as Gradle project version in gradle.properties
    value: ${{ steps.config.outputs.project-version }}
  BUILD_NUMBER:
    description: The build number, incremented or reused if already cached
    value: ${{ steps.config.outputs.BUILD_NUMBER }}
  deployed:
    description: Whether artifacts were deployed
    value: ${{ steps.build.outputs.deployed }}

runs:
  using: composite
  steps:
    - name: Set local action paths
      id: set-path
      shell: bash
      run: |
        echo "::group::Fix for using local actions"
        echo "GITHUB_ACTION_PATH=$GITHUB_ACTION_PATH"
        echo "github.action_path=${{ github.action_path }}"
        ACTION_PATH_BUILD_GRADLE="${{ github.action_path }}"
        echo "ACTION_PATH_BUILD_GRADLE=$ACTION_PATH_BUILD_GRADLE"
        echo "ACTION_PATH_BUILD_GRADLE=$ACTION_PATH_BUILD_GRADLE" >> "$GITHUB_ENV"
        host_actions_root="$(dirname "$ACTION_PATH_BUILD_GRADLE")"
        echo "host_actions_root=$host_actions_root" >> "$GITHUB_OUTPUT"

        mkdir -p ".actions"
        ln -sf "$host_actions_root/config-gradle" .actions/config-gradle
        ln -sf "$host_actions_root/shared" .actions/shared
        ls -la .actions/*
        echo "::endgroup::"

    - uses: ./.actions/config-gradle
      id: config
      with:
        host-actions-root: ${{ steps.set-path.outputs.host_actions_root }}
        working-directory: ${{ inputs.working-directory }}
        artifactory-reader-role: ${{ inputs.artifactory-reader-role }}
        repox-url: ${{ inputs.repox-url }}
        repox-artifactory-url: ${{ inputs.repox-artifactory-url }}
        use-develocity: ${{ inputs.use-develocity }}
        develocity-url: ${{ inputs.develocity-url }}
        cache-paths: ${{ inputs.cache-paths }}
        disable-caching: ${{ inputs.disable-caching }}

    - name: Set build parameters
      shell: bash
      env:
        ARTIFACTORY_DEPLOYER_ROLE: ${{ inputs.artifactory-deployer-role != '' && inputs.artifactory-deployer-role ||
          (github.event.repository.visibility == 'public' && 'public-deployer' || 'qa-deployer') }}
      run: |
        echo "ARTIFACTORY_DEPLOYER_ROLE=${ARTIFACTORY_DEPLOYER_ROLE}" >> "$GITHUB_ENV"
    - uses: SonarSource/vault-action-wrapper@545e7cfbb5528e7009a1edcc83e073898d292627 # 3.2.0
      id: secrets
      with:
        # yamllint disable rule:line-length
        secrets: |
          ${{ inputs.sonar-platform != 'none' && 'development/kv/data/next url | NEXT_URL;' || '' }}
          ${{ inputs.sonar-platform != 'none' && 'development/kv/data/next token | NEXT_TOKEN;' || '' }}
          ${{ inputs.sonar-platform != 'none' && 'development/kv/data/sonarqube-us url | SQC_US_URL;' || '' }}
          ${{ inputs.sonar-platform != 'none' && 'development/kv/data/sonarqube-us token | SQC_US_TOKEN;' || '' }}
          ${{ inputs.sonar-platform != 'none' && 'development/kv/data/sonarcloud url | SQC_EU_URL;' || '' }}
          ${{ inputs.sonar-platform != 'none' && 'development/kv/data/sonarcloud token | SQC_EU_TOKEN;' || '' }}
          ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && format('development/artifactory/token/{{REPO_OWNER_NAME_DASH}}-{0} username | ARTIFACTORY_DEPLOY_USERNAME;', env.ARTIFACTORY_DEPLOYER_ROLE) || '' }}
          ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && format('development/artifactory/token/{{REPO_OWNER_NAME_DASH}}-{0} access_token | ARTIFACTORY_DEPLOY_ACCESS_TOKEN;', env.ARTIFACTORY_DEPLOYER_ROLE) || '' }}
          development/kv/data/sign key | SIGN_KEY;
          development/kv/data/sign passphrase | PGP_PASSPHRASE;
          development/kv/data/sign key_id | SIGN_KEY_ID;
        # yamllint enable rule:line-length

    - name: Build, analyze and deploy
      shell: bash
      id: build
      env:
        # GitHub context
        PULL_REQUEST: ${{ github.event.pull_request.number || '' }}
        PULL_REQUEST_SHA: ${{ github.event.pull_request.base.sha || '' }}
        DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}

        # Action inputs
        DEPLOY: ${{ inputs.deploy }}
        DEPLOY_PULL_REQUEST: ${{ inputs.deploy-pull-request }}
        SKIP_TESTS: ${{ inputs.skip-tests }}
        GRADLE_ARGS: ${{ inputs.gradle-args }}
        SONAR_PLATFORM: ${{ inputs.sonar-platform }}
        RUN_SHADOW_SCANS: ${{ inputs.run-shadow-scans }}
        ARTIFACTORY_DEPLOY_REPO: ${{ inputs.artifactory-deploy-repo != '' && inputs.artifactory-deploy-repo ||
          github.event.repository.visibility == 'public' && 'sonarsource-public-qa' || 'sonarsource-private-qa' }}

        # Vault secrets
        ARTIFACTORY_DEPLOY_USERNAME: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_USERNAME }}
        ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }}
        ARTIFACTORY_DEPLOY_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }}  # deprecated
        NEXT_URL: ${{ fromJSON(steps.secrets.outputs.vault).NEXT_URL }}
        NEXT_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).NEXT_TOKEN }}
        SQC_EU_URL: ${{ fromJSON(steps.secrets.outputs.vault).SQC_EU_URL }}
        SQC_EU_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SQC_EU_TOKEN }}
        SQC_US_URL: ${{ fromJSON(steps.secrets.outputs.vault).SQC_US_URL }}
        SQC_US_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SQC_US_TOKEN }}
        ORG_GRADLE_PROJECT_signingKey: ${{ fromJSON(steps.secrets.outputs.vault).SIGN_KEY }}
        ORG_GRADLE_PROJECT_signingPassword: ${{ fromJSON(steps.secrets.outputs.vault).PGP_PASSPHRASE }}
        ORG_GRADLE_PROJECT_signingKeyId: ${{ fromJSON(steps.secrets.outputs.vault).SIGN_KEY_ID }}
      working-directory: ${{ inputs.working-directory }}
      run: $ACTION_PATH_BUILD_GRADLE/build.sh

    - name: Archive problems report
      if: always()
      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
      with:
        name: problems-report-${{ github.job }}${{ strategy.job-index }}
        path: build/reports/problems/problems-report.html
        if-no-files-found: ignore

    - name: Generate provenance attestation
      if: >-
        ${{ inputs.provenance == 'true' &&
            github.event_name != 'pull_request' &&
            steps.build.outputs.deployed == 'true' &&
            (inputs.provenance-artifact-paths != '' || steps.build.outputs.artifact-paths != '') }}
      uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
      with:
        subject-path: >-
          ${{ inputs.provenance-artifact-paths != '' && inputs.provenance-artifact-paths || steps.build.outputs.artifact-paths }}
        show-summary: true

    - name: Generate workflow summary
      if: always() && inputs.generate-summary != 'false'
      shell: bash
      run: |
        build_name="${GITHUB_REPOSITORY#*/}"
        echo "## 🏗️ Gradle Build Summary (\`${GITHUB_JOB}\`)" >> $GITHUB_STEP_SUMMARY
        if [[ "${{ steps.build.conclusion }}" == "success" ]]; then
          echo "✅ **Build SUCCESS**" >> $GITHUB_STEP_SUMMARY
        else
          echo "❌ **Build FAILED**" >> $GITHUB_STEP_SUMMARY
        fi
        echo "### 📋 Build Information" >> $GITHUB_STEP_SUMMARY
        echo "- **Project**: \`$build_name\`" >> $GITHUB_STEP_SUMMARY
        echo "- **Version**: \`${PROJECT_VERSION}\`" >> $GITHUB_STEP_SUMMARY
        echo "- **Build Number**: \`${BUILD_NUMBER}\`" >> $GITHUB_STEP_SUMMARY
        echo "- **Branch**: \`${GITHUB_REF}\`" >> $GITHUB_STEP_SUMMARY
        echo "- **Commit**: \`$GITHUB_SHA\`" >> $GITHUB_STEP_SUMMARY

        if [[ "${{ steps.build.outputs.deployed }}" == true ]]; then
          echo "### 🚀 Deployment" >> $GITHUB_STEP_SUMMARY
          ARTIFACTORY_BROWSE_URL="${ARTIFACTORY_URL%/*}/ui/builds/$build_name/$BUILD_NUMBER"
          echo "🔗 **[Browse artifacts in Artifactory](${ARTIFACTORY_BROWSE_URL})**" >> $GITHUB_STEP_SUMMARY
        fi