Skip to content

fix(deps): update dependency postcss to v8.4.31 [security] - autoclosed #1949

fix(deps): update dependency postcss to v8.4.31 [security] - autoclosed

fix(deps): update dependency postcss to v8.4.31 [security] - autoclosed #1949

Workflow file for this run

name: Framework
on:
push:
branches:
- stable
- v3
pull_request:
types: [opened, reopened, synchronize]
merge_group: {}
env:
GRADLE_CACHE_LOCAL: false
GRADLE_CACHE_REMOTE: true
GRADLE_CACHE_PUSH: true
CACHE_ENDPOINT: "https://gradle.less.build/cache/generic/"
BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
GRADLE_OPTS: "-Xmx6g -XX:MaxMetaspaceSize=1024m -XX:+UseParallelGC"
jobs:
##
## Job: Pre-flight Checks
##
preflight-checks:
name: "Pre-flight Checks"
runs-on: "ubuntu-latest"
permissions:
contents: "read"
id-token: "write"
checks: "write"
packages: "read"
pull-requests: "write"
steps:
- name: Harden Runner
uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
with:
egress-policy: audit
- name: "Setup: Checkout"
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: "Setup: GraalVM (Java 20)"
uses: elide-dev/setup-graalvm@0711c08964f86c1721bebb824b2ac856457e0f55 # custom
with:
components: "native-image,js,wasm,ruby,python,llvm"
distribution: 'graalvm'
java-version: '20'
check-for-updates: true
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: "Setup: GraalVM (Java 21)"
uses: elide-dev/setup-graalvm@0711c08964f86c1721bebb824b2ac856457e0f55 # custom
if: false
with:
components: "native-image,js,wasm,ruby,python,llvm,regex,icu4j,trufflejson"
distribution: 'graalvm'
distribution_url: 'https://dl.less.build/toolchains/graalvm/dev/graalvm-java21-24.0.0-dev.linux-amd64.tar.gz'
java-version: 'dev'
github-token: ${{ secrets.GITHUB_TOKEN }}
set-java-home: 'false'
- id: "auth"
name: "Setup: Authorize Service Account"
uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
with:
credentials_json: "${{ secrets.BUILDBOT_SERVICE_ACCOUNT }}"
create_credentials_file: true
export_environment_variables: true
cleanup_credentials: true
- name: "Patch: Neutralize Yarn Lock"
run: mv yarn.lock yarn.inert
- name: "Check: Dependency Review"
uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0
continue-on-error: true
if: ${{ github.event_name == 'pull_request' }}
with:
config-file: "./.github/dependency-review-config.yml"
license-check: true
vulnerability-check: true
fail-on-severity: "low"
base-ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref || 'v3' }}
- name: "Patch: Restore Yarn Lock"
run: mv yarn.inert yarn.lock
- name: "Check: Library ABI"
uses: gradle/gradle-build-action@b5126f31dbc19dd434c3269bf8c28c315e121da2 # v2.8.1
id: abicheck
continue-on-error: ${{ contains(github.event.pull_request.labels.*.name, 'ci:api-check-bypass') }}
env:
CI: true
GITHUB_ACTOR: ${{ env.GITHUB_ACTOR }}
GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}
with:
cache-read-only: false
arguments: |
apiCheck
--dependency-verification=lenient
--write-locks
--no-daemon
--warning-mode=none
-Pelide.ci=true
-PbuildDocs=false
-PbuildSamples=false
-PbuildDocsSite=false
##
## Job: Library Build
##
gradle:
strategy:
fail-fast: false
matrix:
os: [Ubuntu]
mode: ['Strict']
machine: [ubuntu-latest]
provenance: [true]
include:
- os: macOS
mode: Strict
machine: macos-13
provenance: false
name: "Build (${{ matrix.os }})"
runs-on: ${{ matrix.machine }}
continue-on-error: ${{ matrix.mode != 'Strict' }}
permissions:
contents: "write"
actions: "read"
id-token: "write"
checks: "write"
pull-requests: "write"
packages: "read"
security-events: "write"
defaults:
run:
shell: bash
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
with:
egress-policy: audit
- name: "Setup: Checkout"
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: "Setup: GraalVM (Java 20)"
uses: elide-dev/setup-graalvm@0711c08964f86c1721bebb824b2ac856457e0f55 # custom
with:
components: "native-image,js,wasm,ruby,python,llvm"
distribution: 'graalvm'
java-version: '20'
check-for-updates: true
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: "Setup: GraalVM (Java 21)"
uses: elide-dev/setup-graalvm@0711c08964f86c1721bebb824b2ac856457e0f55 # custom
if: false
with:
components: "native-image,js,wasm,ruby,python,llvm,regex,icu4j,trufflejson"
distribution: 'graalvm'
distribution_url: 'https://dl.less.build/toolchains/graalvm/dev/graalvm-java21-24.0.0-dev.linux-amd64.tar.gz'
java-version: 'dev'
github-token: ${{ secrets.GITHUB_TOKEN }}
set-java-home: 'false'
- name: "Setup: Node"
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: 20
cache: "yarn"
- name: "Setup: Yarn"
run: npm install -g [email protected] && yarn --ignore-platform
- id: "auth"
name: "Setup: Authorize Service Account"
uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
with:
credentials_json: "${{ secrets.BUILDBOT_SERVICE_ACCOUNT }}"
create_credentials_file: true
export_environment_variables: true
cleanup_credentials: true
- name: "🛠️ Build"
uses: gradle/gradle-build-action@b5126f31dbc19dd434c3269bf8c28c315e121da2 # v2.8.1
id: gradlebuild
continue-on-error: ${{ matrix.mode == 'labs' }}
env:
CI: true
with:
cache-read-only: false
dependency-graph: generate-and-submit
arguments: |
build
-x check
-x test
-x jvmTest
-x jsTest
-x jsBrowserTest
-x nativeCompile
-x nativeTest
-x nativeOptimizedCompile
--scan
--no-daemon
--warning-mode=none
--dependency-verification=lenient
--stacktrace
-Pelide.ci=true
-PbuildSamples=false
-PbuildDocsSite=false
-PbuildDocs=false
- name: "Build reports"
if: failure()
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: build-reports-${{ matrix.os }}-latest-gvm-latest
path: |
build/reports/**/*.*
- name: "Build: Provenance Subject"
id: hash
if: ${{ matrix.os == 'ubuntu' }}
run: |
echo "hashes=$(sha256sum ./packages/*/build/libs/* | base64 -w0)" >> "$GITHUB_OUTPUT"
## Report: Provenance
provenance:
name: Provenance
needs: [gradle]
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.gradle.outputs.hashes }}"
upload-assets: ${{ github.ref == 'refs/heads/stable' || github.ref == 'refs/heads/v3' || startsWith(github.ref, 'release/') || startsWith(github.ref, 'refs/tags/v') }}
##
## Job: Testsuite (JVM)
##
tests-jvm:
name: "Tests: JVM"
runs-on: ubuntu-latest
needs: [preflight-checks]
permissions:
contents: "read"
id-token: "write"
checks: "write"
packages: "read"
pull-requests: "write"
steps:
- name: Harden Runner
uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
with:
egress-policy: audit
- name: "Setup: Checkout"
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: "Setup: Git History"
run: git fetch --unshallow || exit 0
- name: "Setup: GraalVM (Java 20)"
uses: elide-dev/setup-graalvm@0711c08964f86c1721bebb824b2ac856457e0f55 # custom
with:
components: "native-image,js,wasm,ruby,python,llvm"
distribution: 'graalvm'
java-version: '20'
check-for-updates: true
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: "Setup: GraalVM (Java 21)"
uses: elide-dev/setup-graalvm@0711c08964f86c1721bebb824b2ac856457e0f55 # custom
if: false
with:
components: "native-image,js,wasm,ruby,python,llvm,regex,icu4j,trufflejson"
distribution: 'graalvm'
distribution_url: 'https://dl.less.build/toolchains/graalvm/dev/graalvm-java21-24.0.0-dev.linux-amd64.tar.gz'
java-version: 'dev'
github-token: ${{ secrets.GITHUB_TOKEN }}
set-java-home: 'false'
- id: "auth"
name: "Setup: Authorize Service Account"
uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
with:
credentials_json: "${{ secrets.BUILDBOT_SERVICE_ACCOUNT }}"
create_credentials_file: true
export_environment_variables: true
cleanup_credentials: true
- name: "Setup: Node"
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: 20
cache: "yarn"
- name: "Setup: Yarn"
run: npm install -g [email protected] && yarn --ignore-platform
- name: "Testsuite (JVM)"
uses: gradle/gradle-build-action@b5126f31dbc19dd434c3269bf8c28c315e121da2 # v2.8.1
env:
CI: true
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
TEST_EXCEPTIONS: true
with:
cache-read-only: false
arguments: |
test
check
jacocoTestReport
koverXmlReport
:tools:reports:reports
--scan
--no-daemon
--warning-mode=none
--dependency-verification=lenient
-x ktlintCheck
-x ktlintKotlinScriptCheck
-x apiCheck
-x nativeTest
-x nativeCompile
-x nativeOptimizedCompile
-Pelide.ci=true
-PbuildSamples=false
-PbuildDocs=false
-PbuildDocsSite=false
- name: "Runtime Self-tests (JVM)"
uses: gradle/gradle-build-action@b5126f31dbc19dd434c3269bf8c28c315e121da2 # v2.8.1
continue-on-error: true
env:
CI: true
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
TEST_EXCEPTIONS: true
with:
cache-read-only: false
arguments: |
optimizedRun
--scan
--no-daemon
--warning-mode=none
--dependency-verification=lenient
-x ktlintCheck
-x ktlintKotlinScriptCheck
-x apiCheck
-x nativeTest
-x nativeCompile
-x nativeOptimizedCompile
-Pelide.ci=true
-PbuildSamples=false
-PbuildDocs=false
-PbuildDocsSite=false
--args="selftest"
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: test-reports-jvm
path: |
**/build/reports/jacoco/test/jacocoTestReport.xml
**/build/reports/jacoco/testCodeCoverageReport/jacocoTestReport.xml
**/build/reports/jacoco/testCodeCoverageReport/testCodeCoverageReport.xml
build/reports/kover/merged/html/**/*.*
tools/reports/build/reports/**/*.xml
tools/reports/build/test-results/**/*.xml
- name: "Annotate: Test Results"
uses: elide-tools/action-junit-report@f14b1271fab649beb23e70eae2a258f3ee24a591 # v3.1.0
if: always() # always run even if the previous step fails
with:
report_paths: "**/build/test-results/test/TEST-*.xml"
- name: "Report: Codecov (Main)"
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: ./build/reports/kover/merged/xml/report.xml
name: elide
flags: jvm,lib
fail_ci_if_error: false
verbose: true
- name: "Report: Codecov (Substrate)"
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: ./tools/substrate/build/reports/kover/merged/xml/report.xml
name: substrate
flags: jvm,substrate
fail_ci_if_error: false
verbose: true
- name: "Report: Codecov (Plugin)"
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: ./tools/plugin/gradle-plugin/plugin-build/plugin/build/reports/kover/xml/report.xml
name: plugin-gradle
flags: jvm,plugin,gradle
fail_ci_if_error: false
verbose: true
##
## Job: Testsuite (Native)
##
tests-native:
name: "Tests: Native"
runs-on: ubuntu-latest-8-cores
needs: [tests-jvm, preflight-checks]
if: |
(
github.ref == 'refs/heads/stable' ||
contains(github.event.pull_request.labels.*.name, 'ci:test-native') ||
contains(github.event.head_commit.message, 'ci:test-native')
)
steps:
- name: Harden Runner
uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
with:
egress-policy: audit
- name: "Setup: Checkout"
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: "Setup: GraalVM (Java 20)"
uses: elide-dev/setup-graalvm@0711c08964f86c1721bebb824b2ac856457e0f55 # custom
with:
components: "native-image,js,wasm,ruby,python,llvm"
distribution: 'graalvm'
java-version: '20'
check-for-updates: true
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: "Setup: GraalVM (Java 21)"
uses: elide-dev/setup-graalvm@0711c08964f86c1721bebb824b2ac856457e0f55 # custom
if: false
with:
components: "native-image,js,wasm,ruby,python,llvm,regex,icu4j,trufflejson"
distribution: 'graalvm'
distribution_url: 'https://dl.less.build/toolchains/graalvm/dev/graalvm-java21-24.0.0-dev.linux-amd64.tar.gz'
java-version: 'dev'
github-token: ${{ secrets.GITHUB_TOKEN }}
set-java-home: 'false'
- id: "auth"
name: "Setup: Authorize Service Account"
uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
with:
credentials_json: "${{ secrets.BUILDBOT_SERVICE_ACCOUNT }}"
create_credentials_file: true
export_environment_variables: true
cleanup_credentials: true
- name: "Setup: Node"
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: 20
cache: "yarn"
- name: "Setup: Yarn"
run: npm install -g [email protected] && yarn --ignore-platform
- name: "Run Tests (Native)"
uses: gradle/gradle-build-action@b5126f31dbc19dd434c3269bf8c28c315e121da2 # v2.8.1
continue-on-error: true
env:
CI: true
with:
cache-read-only: false
arguments: |
nativeTest
check
jacocoTestReport
--scan
--no-daemon
--warning-mode=none
--dependency-verification=lenient
-x ktlintCheck
-x ktlintKotlinScriptCheck
-x apiCheck
-x :packages:server:nativeTest
-Pelide.ci=true
-PbuildSamples=false
-PbuildDocsSite=false
-PbuildDocs=false
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: test-reports-native
path: |
**/build/reports/jacoco/test/jacocoTestReport.xml
**/build/reports/jacoco/testCodeCoverageReport/jacocoTestReport.xml
**/build/reports/jacoco/testCodeCoverageReport/testCodeCoverageReport.xml
tools/reports/build/reports/**/*.xml
tools/reports/build/test-results/**/*.xml
##
## Job: CLI (Native Debug)
##
cli-build-debug:
name: "CLI: Native (Debug, ${{ matrix.os }}, ${{ matrix.arch || 'amd64' }})"
runs-on: ${{ matrix.runner }}
needs: [preflight-checks, gradle]
continue-on-error: true
if: |
(
github.ref == 'refs/heads/stable' ||
startsWith(github.ref, 'release/') ||
contains(github.event.pull_request.labels.*.name, 'ci:build-cli') ||
contains(github.event.head_commit.message, 'ci:build-cli')
)
strategy:
fail-fast: false
matrix:
os: ["Linux"]
arch: ["amd64"]
runner: ["ubuntu-latest-8-cores"]
labs: [false]
tag: [linux-amd64]
include:
- os: Linux
runner: ubuntu-latest-8-cores
arch: amd64
labs: false
tag: linux-amd64
- os: macOS
runner: macos-13-xl
arch: amd64
labs: false
tag: darwin-amd64
steps:
- name: Harden Runner
uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
with:
egress-policy: audit
- name: "Setup: Checkout"
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- id: "auth"
name: "Setup: Authorize Service Account"
uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
with:
credentials_json: "${{ secrets.BUILDBOT_SERVICE_ACCOUNT }}"
create_credentials_file: true
export_environment_variables: true
cleanup_credentials: true
- name: "Setup: MSVC"
if: contains(matrix.runner, 'windows')
uses: ilammy/msvc-dev-cmd@cec98b9d092141f74527d0afa6feb2af698cfe89 # v1.12.1
with:
arch: ${{ matrix.arch }}
cache: 'gradle'
- name: "Setup: GraalVM (Java 20)"
uses: elide-dev/setup-graalvm@0711c08964f86c1721bebb824b2ac856457e0f55 # custom
with:
components: "native-image,js,wasm,ruby,python,llvm"
distribution: 'graalvm'
java-version: '20'
check-for-updates: true
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: "Setup: GraalVM (Java 21)"
uses: elide-dev/setup-graalvm@0711c08964f86c1721bebb824b2ac856457e0f55 # custom
if: false
with:
components: "native-image,js,wasm,ruby,python,llvm,regex,icu4j,trufflejson"
distribution: 'graalvm'
distribution_url: 'https://dl.less.build/toolchains/graalvm/dev/graalvm-java21-24.0.0-dev.linux-amd64.tar.gz'
java-version: 'dev'
github-token: ${{ secrets.GITHUB_TOKEN }}
set-java-home: 'false'
- name: "Setup: Node"
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: 20
cache: "yarn"
- name: "Setup: Yarn"
run: npm install -g [email protected] && yarn --ignore-platform
- name: "Build: CLI (Native/Debug)"
uses: gradle/gradle-build-action@b5126f31dbc19dd434c3269bf8c28c315e121da2 # v2.8.1
env:
CI: true
with:
cache-read-only: false
arguments: |
:packages:cli:nativeCompile
-Prelease=false
-PbuildMode=dev
--scan
--no-daemon
--warning-mode=none
--dependency-verification=lenient
-Pelide.ci=true
-PbuildSamples=false
-PbuildDocsSite=false
-PbuildDocs=false
- name: "Post-process: Compress (xz)"
if: success() && !contains(matrix.runner, 'windows')
run: |
pushd packages/cli/build/native/nativeCompile;
xz -9kv elide.debug;
popd;
echo "Binary compressed.";
- name: "Artifacts: Debug Binary (Unix)"
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
if: success() && !contains(matrix.runner, 'windows')
with:
name: cli-debug-${{ matrix.tag }}
path: |
./packages/cli/build/native/nativeCompile/elide.debug.xz
- name: "Artifacts: Debug Binary (Windows)"
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
if: success() && contains(matrix.runner, 'windows')
with:
name: cli-debug-${{ matrix.tag }}
path: |
./packages/cli/build/native/nativeCompile/elide.debug
- name: "Artifacts: Dashboard Dump"
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
if: success()
with:
name: cli-debug-report-${{ matrix.tag }}
path: |
./packages/cli/build/native/nativeCompile/elide-tool.bgv
##
## Job: CLI (Native Release)
##
cli-build-release:
name: "CLI: Native (Release, ${{ matrix.os }}, ${{ matrix.arch || 'amd64' }})"
runs-on: ${{ matrix.runner }}
needs: [preflight-checks, gradle]
continue-on-error: true
if: |
(
github.ref == 'refs/heads/stable' ||
contains(github.event.pull_request.labels.*.name, 'ci:build-cli') ||
contains(github.event.head_commit.message, 'ci:build-cli')
)
strategy:
fail-fast: false
matrix:
os: ["Linux"]
arch: ["amd64"]
runner: ["ubuntu-latest-8-cores"]
labs: [false]
tag: [linux-amd64]
include:
- os: Linux
runner: ubuntu-latest-8-cores
arch: amd64
labs: false
tag: linux-amd64
- os: macOS
runner: macos-13-xl
arch: amd64
labs: false
tag: darwin-amd64
- os: Windows
runner: windows-latest-8-cores
arch: amd64
tag: windows-amd64
labs: true
steps:
- name: Harden Runner
uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
with:
egress-policy: audit
- name: "Setup: Checkout"
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- id: "auth"
name: "Setup: Authorize Service Account"
uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
with:
credentials_json: "${{ secrets.BUILDBOT_SERVICE_ACCOUNT }}"
create_credentials_file: true
export_environment_variables: true
cleanup_credentials: true
- name: "Setup: MSVC"
if: contains(matrix.runner, 'windows')
uses: ilammy/msvc-dev-cmd@cec98b9d092141f74527d0afa6feb2af698cfe89 # v1.12.1
with:
arch: ${{ matrix.arch }}
- name: "Setup: GraalVM (Java 20)"
uses: elide-dev/setup-graalvm@0711c08964f86c1721bebb824b2ac856457e0f55 # custom
with:
components: "native-image,js,wasm,ruby,python,llvm"
distribution: 'graalvm'
java-version: '20'
check-for-updates: true
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: "Setup: GraalVM (Java 21)"
uses: elide-dev/setup-graalvm@0711c08964f86c1721bebb824b2ac856457e0f55 # custom
if: false
with:
components: "native-image,js,wasm,ruby,python,llvm,regex,icu4j,trufflejson"
distribution: 'graalvm'
distribution_url: 'https://dl.less.build/toolchains/graalvm/dev/graalvm-java21-24.0.0-dev.linux-amd64.tar.gz'
java-version: 'dev'
github-token: ${{ secrets.GITHUB_TOKEN }}
set-java-home: 'false'
- name: "Setup: Node"
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: 20
cache: "yarn"
- name: "Setup: Yarn"
run: npm install -g [email protected] && yarn --ignore-platform
- name: "Build: CLI (Native/Release)"
uses: gradle/gradle-build-action@b5126f31dbc19dd434c3269bf8c28c315e121da2 # v2.8.1
env:
CI: true
with:
cache-read-only: false
arguments: |
:packages:cli:nativeOptimizedCompile
:packages:cli:dist
-Prelease=true
-PbuildMode=release
--scan
--no-daemon
--warning-mode=none
--dependency-verification=lenient
-Pelide.ci=true
-PbuildSamples=false
-PbuildDocsSite=false
-PbuildDocs=false
- name: "Artifacts: Release Binary"
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
if: success()
with:
name: cli-release-${{ matrix.tag }}
path: |
./packages/cli/build/distributions/*
##
## Job: Docker Samples (JVM)
##
docker-jvm:
name: "Docker: JVM"
runs-on: ubuntu-latest
needs: [gradle, preflight-checks]
if: |
(
github.ref == 'refs/heads/stable' ||
contains(github.event.pull_request.labels.*.name, 'ci:build-img-jvm') ||
contains(github.event.head_commit.message, 'ci:build-img-jvm')
)
permissions:
contents: "read"
id-token: "write"
checks: "write"
packages: "read"
pull-requests: "write"
strategy:
fail-fast: false
matrix:
project: ["server:hellocss"]
labs: [false]
include:
- project: "server:hellocss"
labs: false
- project: "fullstack:react-ssr:server"
labs: true
steps:
- name: Harden Runner
uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
with:
egress-policy: audit
- name: "Setup: GraalVM (Java 20)"
uses: elide-dev/setup-graalvm@0711c08964f86c1721bebb824b2ac856457e0f55 # custom
with:
components: "native-image,js,wasm,ruby,python,llvm"
distribution: 'graalvm'
java-version: '20'
check-for-updates: true
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: "Setup: GraalVM (Java 21)"
uses: elide-dev/setup-graalvm@0711c08964f86c1721bebb824b2ac856457e0f55 # custom
if: false
with:
components: "native-image,js,wasm,ruby,python,llvm,regex,icu4j,trufflejson"
distribution: 'graalvm'
distribution_url: 'https://dl.less.build/toolchains/graalvm/dev/graalvm-java21-24.0.0-dev.linux-amd64.tar.gz'
java-version: 'dev'
github-token: ${{ secrets.GITHUB_TOKEN }}
set-java-home: 'false'
- name: "Setup: QEMU"
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
- name: "Setup: Docker"
uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1
id: buildx
with:
install: true
- name: "Setup: Checkout"
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: "Setup: Node"
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: 20
- name: "Setup: Yarn"
run: npm install -g [email protected] && yarn --ignore-platform
- id: "auth"
name: "Setup: Authorize Service Account"
uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
with:
credentials_json: "${{ secrets.BUILDBOT_SERVICE_ACCOUNT }}"
create_credentials_file: true
export_environment_variables: true
cleanup_credentials: true
- name: "Setup: Setup Cloud SDK"
uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
with:
version: 389.0.0
project_id: elide-fw
- name: "Authorize Docker: GCP"
run: |
gcloud auth configure-docker us-docker.pkg.dev
- name: "Authorize Docker: GHCR"
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: elidebot
password: ${{ secrets.BUILDBOT_GHCR_TOKEN }}
## -- Samples -- ##
- name: "Build/Push: '${{ matrix.project }}' (JVM)"
continue-on-error: ${{ fromJson(matrix.labs) }}
uses: gradle/gradle-build-action@b5126f31dbc19dd434c3269bf8c28c315e121da2 # v2.8.1
with:
arguments: |
--no-daemon
--warning-mode=none
-Pelide.ci=true
-PbuildSamples=true
-PbuildDocs=false
-Pelide.runtime=JVM
-x nativeCompile
-x test
:samples:${{ matrix.project }}:optimizedDockerBuild
:samples:${{ matrix.project }}:optimizedDockerPush
##
## Job: Docker Samples (JVM)
##
docker-native:
name: "Docker: Native"
runs-on: ubuntu-latest
continue-on-error: true
needs: [gradle, preflight-checks]
if: |
(
github.ref == 'refs/heads/stable' ||
contains(github.event.pull_request.labels.*.name, 'ci:build-img-native') ||
contains(github.event.head_commit.message, 'ci:build-img-native')
)
permissions:
contents: "read"
id-token: "write"
checks: "write"
packages: "read"
pull-requests: "write"
strategy:
fail-fast: false
matrix:
project: ["server:hellocss"]
path: ["server/hellocss"]
image: ["elide-fw/samples/server/hellocss/native"]
include:
- project: "fullstack:react-ssr:server"
path: "fullstack/react-ssr/server"
image: "elide-fw/samples/fullstack/react-ssr/native"
steps:
- name: Harden Runner
uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
with:
egress-policy: audit
- name: "Setup: GraalVM (Java 20)"
uses: elide-dev/setup-graalvm@0711c08964f86c1721bebb824b2ac856457e0f55 # custom
with:
components: "native-image,js,wasm,ruby,python,llvm"
distribution: 'graalvm'
java-version: '20'
check-for-updates: true
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: "Setup: GraalVM (Java 21)"
uses: elide-dev/setup-graalvm@0711c08964f86c1721bebb824b2ac856457e0f55 # custom
if: false
with:
components: "native-image,js,wasm,ruby,python,llvm,regex,icu4j,trufflejson"
distribution: 'graalvm'
distribution_url: 'https://dl.less.build/toolchains/graalvm/dev/graalvm-java21-24.0.0-dev.linux-amd64.tar.gz'
java-version: 'dev'
github-token: ${{ secrets.GITHUB_TOKEN }}
set-java-home: 'false'
- name: "Setup: QEMU"
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
- name: "Setup: Docker"
uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1
id: buildx
with:
install: true
- name: "Setup: Checkout"
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: "Setup: Node"
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: 20
- name: "Setup: Yarn"
run: npm install -g [email protected] && yarn --ignore-platform
- id: "auth"
name: "Authorize Service Account"
uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
with:
credentials_json: "${{ secrets.BUILDBOT_SERVICE_ACCOUNT }}"
create_credentials_file: true
export_environment_variables: true
cleanup_credentials: true
- name: "Setup: Cloud SDK"
uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
with:
version: 389.0.0
project_id: elide-fw
install_components: "beta"
- name: "Authorize Docker: GCP"
run: |
gcloud auth configure-docker us-docker.pkg.dev
- name: "Authorize Docker: GHCR"
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: elidebot
password: ${{ secrets.BUILDBOT_GHCR_TOKEN }}
## -- Samples -- ##
- name: "Build/Push: '${{ matrix.project }}' (Native)"
uses: gradle/gradle-build-action@b5126f31dbc19dd434c3269bf8c28c315e121da2 # v2.8.1
continue-on-error: true
with:
arguments: |
--no-daemon
--warning-mode=none
-Pelide.ci=true
-PbuildSamples=true
-PbuildDocs=false
-Pelide.runtime=NATIVE
-Pelide.ci=true
-x test
:samples:${{ matrix.project }}:optimizedDockerBuildNative
:samples:${{ matrix.project }}:optimizedDockerPushNative
- name: "Build/Push: Fallback to GCB"
if: failure()
run: |
mv ./samples/${{ matrix.path }}/build/docker/native-optimized/DockerfileNative ./samples/${{ matrix.path }}/build/docker/native-optimized/Dockerfile
gcloud beta builds submit \
--machine-type e2-highcpu-32 \
--timeout=2h \
--project elide-fw \
--tag=us-docker.pkg.dev/${{ matrix.image }}:opt-latest \
./samples/${{ matrix.path }}/build/docker/native-optimized
##
## Deploy: Samples
##
deploy-samples:
name: "Deploy"
needs: [gradle, tests-jvm, docker-jvm, docker-native]
if: |
(
contains(github.event.pull_request.labels.*.name, 'ci:deploy-samples') ||
contains(github.event.pull_request.labels.*.name, 'ci:deploy') ||
contains(github.event.head_commit.message, 'ci:deploy-samples') ||
contains(github.event.head_commit.message, 'ci:deploy')
)
strategy:
matrix:
category: [fullstack]
app: [react-ssr]
variant: [native]
permissions:
contents: "read"
id-token: "write"
checks: "write"
pull-requests: "write"
deployments: "write"
statuses: "write"
packages: "read"
uses: ./.github/workflows/deploy.ci.yml
secrets: inherit
with:
path: "samples/${{ matrix.category }}/${{ matrix.app }}"
image: "us-docker.pkg.dev/elide-fw/samples/${{ matrix.category }}/${{ matrix.app }}/${{ matrix.variant }}:opt-latest"
environment: samples
url: https://${{ matrix.app }}.samples.elide.dev
##
## Publish: Library Snapshot
##
publish-snapshot:
name: "Publish: Snapshot"
needs: [gradle, tests-jvm]
if: |
(
github.ref == 'refs/heads/stable' ||
contains(github.event.pull_request.labels.*.name, 'ci:publish-snapshot') ||
contains(github.event.head_commit.message, 'ci:publish-snapshot')
)
permissions:
contents: "read"
id-token: "write"
checks: "write"
pull-requests: "write"
deployments: "write"
statuses: "write"
packages: "write"
uses: ./.github/workflows/publish.ci.yml
secrets: inherit
with:
environment: snapshots
gcp: true
snapshot: true
packages: true
processor: true
substrate: true
conventions: true
url: https://console.cloud.google.com/storage/browser/elide-snapshots/repository/v3
##
## Publish: Library OSSRH
##
publish-ossrh:
name: "Publish: OSSRH"
needs: [publish-snapshot]
if: |
(
contains(github.event.pull_request.labels.*.name, 'ci:publish') ||
contains(github.event.head_commit.message, 'ci:publish')
) && (
false
) && (
startsWith(github.ref, 'refs/tags/v')
)
permissions:
contents: "read"
id-token: "write"
checks: "write"
pull-requests: "write"
deployments: "write"
statuses: "write"
packages: "write"
uses: ./.github/workflows/publish.ci.yml
secrets: inherit
with:
environment: central
snapshot: false
auth: true
repo: https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/