Skip to content

#4582 Fix deep permission inheritance #7759

#4582 Fix deep permission inheritance

#4582 Fix deep permission inheritance #7759

name: Full CI Build (and Release)
on:
push:
pull_request:
jobs:
build-project:
runs-on: ubuntu-20.04
env:
# Static env vars
# Github runners limited to 2 cores, 7Gb RAM
# https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources
MAX_WORKERS: 3
# Fixed ssh-agent socket so multiple steps can use the same agent
# if needs be
SSH_AUTH_SOCK: "/tmp/ssh-agent-stroom.sock"
steps:
- name: Checkout code
id: checkout_code
uses: actions/checkout@v2
with:
# Set this so it gets the annotated commit, not the commit being tagged.
# Which means we can get the release msg
# See https://github.com/actions/runner/issues/712
ref: ${{ github.ref }}
# Make sure the wrapper jar has not been tampered with
- name: Validate gradle wrapper jar
id: validate_gradle_wrapper
uses: gradle/wrapper-validation-action@v1
# Set variables in github's special env file which are then automatically
# read into env vars in each subsequent step
- name: Set Environment Variables
id: set_env_var
run: |
{
# Map the GITHUB env vars to our own
echo "BUILD_DIR=${GITHUB_WORKSPACE}"
echo "BUILD_COMMIT=${GITHUB_SHA}"
echo "ACTIONS_SCRIPTS_DIR=${GITHUB_WORKSPACE}/.github/workflows/scripts"
if [[ ${GITHUB_REF} =~ ^refs/tags/ ]]; then
# strip off the 'refs/tags/' bit
tag="${GITHUB_REF#refs/tags/}"
echo "BUILD_TAG=${tag}"
fi
if [[ ${GITHUB_REF} =~ ^refs/heads/ ]]; then
# strip off the 'ref/heads/' bit
echo "BUILD_BRANCH=${GITHUB_REF#refs/heads/}"
fi
if [[ ${GITHUB_REF} =~ ^refs/pulls/ ]]; then
echo "BUILD_IS_PULL_REQUEST=true"
else
echo "BUILD_IS_PULL_REQUEST=false"
fi
if [[ ${GITHUB_REF} =~ ^refs/tags/v ]]; then
echo "BUILD_IS_RELEASE=true"
else
echo "BUILD_IS_RELEASE=false"
fi
} >> $GITHUB_ENV
# Separate step to show what is visible across steps
- name: Build Environment Info
id: build_info
run: |
"${ACTIONS_SCRIPTS_DIR}/echo_variables.sh" \
"docker version" "$(docker --version)" \
"docker compose version" "$(docker compose version)" \
"git version" "$(git --version)" \
"GITHUB_WORKSPACE" "$GITHUB_WORKSPACE" \
"GITHUB_REF" "$GITHUB_REF" \
"GITHUB_SHA" "$GITHUB_SHA" \
"BUILD_DIR" "$BUILD_DIR" \
"BUILD_TAG" "$BUILD_TAG" \
"BUILD_BRANCH" "$BUILD_BRANCH" \
"BUILD_COMMIT" "$BUILD_COMMIT" \
"BUILD_IS_PULL_REQUEST" "$BUILD_IS_PULL_REQUEST" \
"BUILD_IS_RELEASE" "$BUILD_IS_RELEASE" \
"ACTIONS_SCRIPTS_DIR" "$ACTIONS_SCRIPTS_DIR" \
"PWD" "$PWD" \
"HOME" "$HOME"
- name: Run full build
id: run_build
env:
# Docker creds for dockerhub authenticated push/pull
# Manually added secrets in github
# https://github.com/gchq/stroom/settings/secrets/actions
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
run: |
pushd "${BUILD_DIR}" > /dev/null
echo -e "${GREEN}Running ${BLUE}ci_build.sh${NC}"
./ci_build.sh
echo -e "${GREEN}Finished running build script${NC}"
# - name: Tar Test Results
# if: always()
# run: tar -cvf test-results.tar "**/test-results/**/*.xml"
#
# - name: Tar Test Results
# if: always()
# run: |
# bash --version
# pushd "${BUILD_DIR}" > /dev/null
# shopt -s globstar
# find ./**/test-results/**/*.xml -type f -print0 | tar -czf test-results.tar.gz --null -T -
#
# - name: Upload Test Results
# if: always()
# uses: actions/upload-artifact@v3
# with:
# name: Unit Test Results
# path: test-results.tar.gz
# retention-days: 5
- name: Upload Test Results
if: always()
uses: actions/upload-artifact@v3
with:
name: Unit Test Results
path: "**/test-results/**/*.xml"
retention-days: 5
# - name: Publish Unit Test Results
# uses: EnricoMi/publish-unit-test-result-action@v1
# if: always()
# with:
# files: "**/test-results/**/*.xml"
#
#
# - name: Upload Test Results
# if: always()
# uses: actions/upload-artifact@v3
# with:
# name: Unit Test Results
# path: "**/test-results/**/*.xml"
# retention-days: 5
- name: Release to GitHub
id: create_release
if: ${{ env.BUILD_IS_RELEASE == 'true' }}
env:
# Github provided secret
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: "${ACTIONS_SCRIPTS_DIR}/create_github_release.sh"
- name: Update gh-pages
id: update_gh-pages
if: ${{ env.BUILD_IS_RELEASE == 'true' }}
env:
# Github provided secret. To set it up do:
# Use this to generate the pub/priv key pair
# ssh-keygen -t rsa -b 4096 -f <repo>_deploy_key
# Create a repo deploy key with the public key, name 'Actions Deploy Key' and with write access
# https://github.com/<namespace>/<repo>/settings/keys/new
# Create a repo secret with the private key, name 'SSH_DEPLOY_KEY'
# https://github.com/<namespace>/<repo>/settings/secrets/actions/new
SSH_DEPLOY_KEY: ${{ secrets.SSH_DEPLOY_KEY }}
run: "${ACTIONS_SCRIPTS_DIR}/update_gh_pages.sh"