set top level permission to codeql.yml #5
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- '**' | |
- '!dependabot/**' | |
pull_request: | |
branches: [ 'master' ] | |
permissions: read-all | |
jobs: | |
test: | |
name: Test OpenJDK ${{ matrix.java }} on ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ ubuntu-latest, windows-latest, macos-latest ] | |
java: [ 8, 11, 17, 20 ] | |
runs-on: ${{ matrix.os }} | |
permissions: | |
checks: write | |
steps: | |
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 | |
- uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 | |
with: | |
distribution: 'temurin' | |
java-version: ${{ matrix.java }} | |
java-package: jdk | |
cache: 'maven' | |
- name: Run Tests | |
run: mvn --batch-mode --no-transfer-progress test | |
- name: Publish Test Report | |
uses: mikepenz/action-junit-report@75b84e78b3f0aaea7ed7cf8d1d100d7f97f963ec # v4.0.0 | |
if: ${{ !cancelled() }} | |
with: | |
report_paths: "**/target/surefire-reports/TEST*.xml" | |
check_name: Unit Test Results for OpenJDK ${{ matrix.java }} on ${{ matrix.os }} | |
test_oracle: | |
name: Test Oracle JDK 8 with KCMS=${{ matrix.kcms }} | |
runs-on: ubuntu-latest | |
permissions: | |
checks: write | |
strategy: | |
matrix: | |
kcms: [ true, false ] | |
steps: | |
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 | |
- run: | | |
download_url="https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245038_d3c52aa6bfa54d3ca74e617f18309292" | |
wget -O $RUNNER_TEMP/java_package.tar.gz $download_url | |
- uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 | |
with: | |
distribution: 'jdkfile' | |
jdkFile: ${{ runner.temp }}/java_package.tar.gz | |
java-version: '8' | |
cache: 'maven' | |
- name: Set MAVEN_OPTS | |
if: ${{ matrix.kcms }} | |
run: | | |
echo "MAVEN_OPTS=-Dsun.java2d.cmm=sun.java2d.cmm.kcms.KcmsServiceProvider" >> $GITHUB_ENV | |
- name: Display Java version | |
run: java -version | |
- name: Run Tests | |
run: mvn --batch-mode --no-transfer-progress test | |
- name: Publish Test Report | |
uses: mikepenz/action-junit-report@75b84e78b3f0aaea7ed7cf8d1d100d7f97f963ec # v4.0.0 | |
if: ${{ !cancelled() }} | |
with: | |
report_paths: "**/target/surefire-reports/TEST*.xml" | |
check_name: Unit Test Results for Oracle JDK 8 with KCMS=${{ matrix.kcms }} | |
release: | |
name: Deploy | |
needs: [ test, test_oracle ] | |
if: github.ref == 'refs/heads/master' # only perform on latest master | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 | |
- name: Set up Maven Central | |
uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 | |
with: # running setup-java again overwrites the settings.xml | |
distribution: 'temurin' | |
java-version: '8' | |
java-package: jdk | |
server-id: ossrh # Value of the distributionManagement/repository/id field of the pom.xml | |
server-username: MAVEN_CENTRAL_USERNAME # env variable for username in deploy (1) | |
server-password: MAVEN_CENTRAL_PASSWORD # env variable for token in deploy (2) | |
gpg-private-key: ${{ secrets.GPG_KEY }} # Value of the GPG private key to import | |
gpg-passphrase: MAVEN_CENTRAL_GPG_PASSPHRASE # env variable for GPG private key passphrase (3) | |
- name: Get Project Version | |
run: | | |
echo "PROJECT_VERSION=$(mvn --batch-mode help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_ENV | |
- name: Publish to Maven Central | |
if: ${{ endsWith(env.PROJECT_VERSION, '-SNAPSHOT') }} | |
run: mvn --batch-mode --no-transfer-progress deploy -P release -DskipTests | |
env: | |
MAVEN_CENTRAL_USERNAME: ${{ secrets.SONATYPE_USERNAME }} # must be the same env variable name as (1) | |
MAVEN_CENTRAL_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }} # must be the same env variable name as (2) | |
MAVEN_CENTRAL_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} # must be the same env variable name as (3) |