.github/workflows/build.yml from sebthom/jstuff

.github/workflows/build.yml
Summary

Maintainability

Test Coverage

Issues
# SPDX-FileCopyrightText: © Sebastian Thomschke
# SPDX-FileContributor: Sebastian Thomschke (https://sebthom.de/)
# SPDX-License-Identifier: EPL-2.0
# SPDX-ArtifactOfProjectHomePage: https://github.com/sebthom/jstuff
#
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
name: Build

on:
  push:
    branches-ignore:  # build all branches except:
    - 'dependabot/**'  # prevent GHA triggered twice (once for commit to the branch and once for opening/syncing the PR)
    tags-ignore:  # don't build tags
    - '**'
    paths-ignore:
    - '**/*.adoc'
    - '**/*.md'
    - '.editorconfig'
    - '.git*'
    - '.github/*.yml'
    - '.github/workflows/stale.yml'
  pull_request:
    paths-ignore:
    - '**/*.adoc'
    - '**/*.md'
    - '.editorconfig'
    - '.git*'
    - '.github/*.yml'
  workflow_dispatch:
    # https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/
    inputs:
      additional_maven_args:
        description: 'Additional Maven Args'
        required: false
        default: ''
      debug-with-ssh:
        description: "Start an SSH session for debugging purposes at the end of the build:"
        default: never
        type: choice
        options: [ always, on_failure, on_failure_or_cancelled, never ]
      debug-with-ssh-only-for-actor:
        description: "Limit access to the SSH session to the GitHub user that triggered the job."
        default: true
        type: boolean
      debug-with-ssh-only-jobs-matching:
        description: "Only start an SSH session for jobs matching this regex pattern:"
        default: ".*"
        type: string


defaults:
  run:
    shell: bash


jobs:

  ###########################################################
  maven-build:
  ###########################################################
    runs-on: ubuntu-latest
    continue-on-error: ${{ matrix.experimental }}
    strategy:
      fail-fast: false
      matrix:
        include:
        - java: 17
          may_create_release: ${{ github.ref_name == 'main' }}
          experimental: false
        - java: 21
          may_create_release: false
          experimental: false
        - java: 22
          may_create_release: false
          experimental: false


    env:
      JAVA_VERSION: ${{ matrix.java }}


    # https://docs.github.com/en/actions/using-jobs/using-concurrency
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.java }}
      cancel-in-progress: false


    steps:
    - name: "ACT: Install ping"
      if: runner.os == 'Linux' && env.ACT # https://github.com/nektos/act#skipping-steps
      run: |
        if ! hash ping 2>/dev/null; then
          apt-get update
          apt-get -y install iputils-ping
        fi


    - name: "Show: GitHub context"
      env:
        GITHUB_CONTEXT: ${{ toJSON(github) }}
      run: echo $GITHUB_CONTEXT


    - name: "Show: environment variables"
      run: env | sort


    - name: Git Checkout
      uses: actions/checkout@v4  # https://github.com/actions/checkout


    - name: "Install: JDK ${{ env.JAVA_VERSION }} ☕"
      uses: actions/setup-java@v4  # https://github.com/actions/setup-java
      with:
        distribution: temurin
        java-version: ${{ matrix.java }}
        cache: maven


    - name: "Test with Maven 🔨"
      if: ${{ !matrix.may_create_release || env.ACT }}
      env:
        MAY_CREATE_RELEASE: false
      run: |
        bash .ci/build.sh ${{ github.event.inputs.additional_maven_args }} -Djava.version=${{ matrix.java }}


    - name: "Build with Maven 🔨"
      if: ${{ matrix.may_create_release && !env.ACT }}
      id: maven-build
      env:
        DEPLOY_SNAPSHOTS_TO_GITHUB_BRANCH: true
        GITHUB_USER: ${{ github.actor }}
        GITHUB_API_KEY: ${{ secrets.GH_API_TOKEN }}
        MAY_CREATE_RELEASE: true
        SIGN_KEY: ${{ secrets.GPG_SIGN_KEY }}
        SIGN_KEY_PASS: ${{ secrets.GPG_SIGN_KEY_PWD }}
        SONATYPE_CENTRAL_USER: ${{ vars.SONATYPE_CENTRAL_USER }}
        SONATYPE_CENTRAL_TOKEN: ${{ secrets.SONATYPE_CENTRAL_TOKEN }}
      run: |
        set -eu

        bash .ci/build.sh ${{ github.event.inputs.additional_maven_args }} -Djava.version=${{ matrix.java }}

        if find . -path "*/target/site/jacoco/jacoco.xml" | grep -q .; then
          echo 'has_jacoco_results=true' >> $GITHUB_OUTPUT
        fi


    - name: Publish test coverage to codeclimate.com
      uses: paambaati/codeclimate-action@v9  # https://github.com/paambaati/codeclimate-action
      if: ${{ matrix.may_create_release && steps.maven-build.outputs.has_jacoco_results && !env.ACT }}
      env:
        CC_TEST_REPORTER_ID: ${{ secrets.CODECLIMATE_TEST_REPORTER_ID }}
        JACOCO_SOURCE_PATH: "${{ github.workspace }}/jstuff-core/src/main/java ${{ github.workspace }}/jstuff-integration/src/main/java ${{ github.workspace }}/jstuff-xml/src/main/java"
      with:
        coverageLocations:  |
          ${{ github.workspace }}/jstuff-core/target/site/jacoco/jacoco.xml:jacoco
          ${{ github.workspace }}/jstuff-core/target/site/jacoco-it/jacoco.xml:jacoco
          ${{ github.workspace }}/jstuff-integration/target/site/jacoco/jacoco.xml:jacoco
          ${{ github.workspace }}/jstuff-integration/target/site/jacoco-it/jacoco.xml:jacoco
          ${{ github.workspace }}/jstuff-xml/target/site/jacoco/jacoco.xml:jacoco
          ${{ github.workspace }}/jstuff-xml/target/site/jacoco-it/jacoco.xml:jacoco


    ##################################################
    # Setup SSH debug session
    ##################################################
    - name: "SSH session for debugging: check"
      id: DEBUG_SSH_SESSSION_CHECK
      if: always()
      run: |
        set -eu
        job_filter_pattern="${{ inputs.debug-with-ssh-only-jobs-matching }}"
        echo "job_filter: $job_filter_pattern"

        job_info=$(echo "$GITHUB_JOB ${{ runner.os }} java-${{ matrix.java }}" | tr -d '\n')
        echo "job_info: $job_info"

        when="${{ inputs.debug-with-ssh }}"

        if [[ $when == "always" ]] || [[ "$job_info" =~ .*$job_filter_pattern.* ]] && case "${{ job.status }}" in
          success)   [[ $when == "always" ]] ;;
          cancelled) [[ $when == "on_failure_or_cancelled" ]] ;;
          failure)   [[ $when == "on_failure"* ]] ;;
        esac; then
          echo "start_ssh_session=true" | tee -a "$GITHUB_OUTPUT"
        fi


    - name: "SSH session for debugging: start"
      uses: mxschmitt/action-tmate@v3  # https://github.com/mxschmitt/action-tmate
      if: always() && steps.DEBUG_SSH_SESSSION_CHECK.outputs.start_ssh_session
      with:
        limit-access-to-actor: ${{ inputs.debug-with-ssh-only-for-actor }}


  ###########################################################
  dependabot-pr-auto-merge:
  ###########################################################
    needs: maven-build
    if: ${{ github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' }}
    runs-on: ubuntu-latest

    concurrency: dependabot-pr-auto-merge

    permissions:
      contents: write
      pull-requests: write

    steps:
    - name: Dependabot metadata
      id: metadata
      uses: dependabot/fetch-metadata@v2  # https://github.com/dependabot/fetch-metadata/
      with:
        github-token: "${{ secrets.GITHUB_TOKEN }}"


    - name: Enable auto-merge for Dependabot PRs
      if: |
        ${{
          (
            steps.dependabot-metadata.outputs.package-ecosystem == 'github-actions' && 
            steps.metadata.outputs.update-type == 'version-update:semver-major'
          ) || (
            steps.dependabot-metadata.outputs.package-ecosystem == 'maven' && 
            steps.metadata.outputs.update-type == 'version-update:semver-minor'
          )
        }}
      run: |
        gh pr merge --auto --rebase "$PR_URL"
      env:
        PR_URL: ${{github.event.pull_request.html_url}}
        GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}