# Jobs in this workflow deal with secrets.
# Since they may be executed from forks by untrusted users,
# we need to ensure that the user is a member of the organization
# or that there is explicit approval for their jobs to run.
# NOTE(review): no top-level "permissions:" is declared, so GITHUB_TOKEN gets the
# repository default; narrowing it is worth checking once the scopes the sonarcloud
# job really needs are confirmed — not verifiable from this file alone.
name: Secured Workflow
on:
  push:
    branches:
      - main
  # Compared to "pull_request", this trigger
  # - hands secrets to the workflow even for PRs coming from forks, and
  # - starts automatically, with no manual approval step of its own.
  # It therefore has to be gated explicitly; see the "known_user" and "approval_required" jobs below.
  pull_request_target:
    branches:
      - main # Benchmarks aren't branched, so they will only ever work against current main.
    types:
      - opened
      - reopened
      - synchronize
    paths-ignore:
      - 'LICENSE*'
      - '.gitignore'
      - '**.md'
      - '**.adoc'
      - '*.txt'
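jobs:
  # Check if the user is a member of the organization; if so, allow the PR to sail through.
  # This job runs before any approval gate and receives a secret, but it checks out no PR
  # code and only calls the GitHub API, so no PR-controlled code runs next to the token.
  known_user:
    runs-on: ubuntu-latest
    outputs:
      is_member_of_org: ${{ steps.auth_check.outputs.authorized }}
    steps:
      - id: auth_check
        env:
          GH_TOKEN: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Release account is a Solver Gatekeeper.
          # Passed through the environment instead of being interpolated into the script,
          # so the actor name is never re-parsed by the shell.
          ACTOR: ${{ github.actor }}
        shell: bash
        run: |
          # -g disables curl's URL globbing so actors with brackets, such as dependabot[bot], work.
          # Any response without ".state" == "active" makes jq print "false", so the check fails closed.
          ORG_MEMBERSHIP=$(curl -sS -g -L \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer $GH_TOKEN" \
            "https://api.github.com/orgs/TimefoldAI/memberships/${ACTOR}" \
            | jq -r '.state == "active"')
          echo "authorized=$ORG_MEMBERSHIP" >> "$GITHUB_OUTPUT"
      - id: validation
        shell: bash
        run: |
          echo "Authorized user: ${{ steps.auth_check.outputs.authorized }}"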
# If the user is not a member, require a member to approve the PR.
  approval_required:
    needs: known_user
    # The environment name is the whole gate. A run lands in "external" only when all of
    # the following hold: the trigger is pull_request_target, the PR head lives in a
    # different repository (a fork), and the actor is either not an active org member
    # or is dependabot[bot] (always treated as external). Everything else is "internal".
    # Precedence: "&&" binds tighter than "||", so the expression reads
    # (all conditions && 'external') || 'internal'.
    # The "external" environment is presumably configured with required reviewers in the
    # repository settings — that configuration is not visible here; confirm it exists,
    # otherwise this job passes without anyone approving.
    environment:
      ${{
      github.event_name == 'pull_request_target' &&
      github.event.pull_request.head.repo.full_name != github.repository &&
      (needs.known_user.outputs.is_member_of_org != 'true' || github.actor == 'dependabot[bot]') &&
      'external' || 'internal'
      }}
    runs-on: ubuntu-latest
    steps:
      # The job does nothing itself; the downstream jobs "need" it so they wait for the approval.
      - run: true
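# Builds the PR, then the enterprise and benchmarks repositories against it.
  integration-tests:
    needs: approval_required
    name: Integration Tests
    runs-on: ubuntu-latest
    concurrency:
      group: pr-${{ github.event_name }}-${{ github.head_ref }}
      cancel-in-progress: true
    steps:
      # Clone timefold-solver
      # No need to check for stale repo, as Github merges the main repo into the fork automatically.
      - name: Checkout timefold-solver
        uses: actions/checkout@v4
        with:
          path: ./timefold-solver
          ref: ${{ github.event.pull_request.head.sha }} # The GHA event will pull the main branch by default, and we must specify the PR reference version
          # The Maven build below runs whatever the PR's pom.xml configures, so the
          # GITHUB_TOKEN must not be left in .git/config where that build could read it.
          persist-credentials: false
      - name: Setup Temurin 21 and Maven # Name now matches the installed version (was labelled 17).
        uses: actions/setup-java@v4
        with:
          java-version: '21'
          distribution: 'temurin'
          cache: 'maven'
      - name: Quickly build timefold-solver
        working-directory: ./timefold-solver
        shell: bash
        run: mvn -B -Dquickly clean install
      # Clone timefold-solver-enterprise
      - name: Checkout timefold-solver-enterprise (PR) # Checkout the PR branch first, if it exists
        id: checkout-solver-enterprise
        uses: actions/checkout@v4
        continue-on-error: true
        with:
          repository: TimefoldAI/timefold-solver-enterprise
          ref: ${{ github.head_ref }}
          token: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Used only for the clone itself.
          path: ./timefold-solver-enterprise
          fetch-depth: 0 # Otherwise merge will fail on account of not having history.
          # By default actions/checkout would keep the token in .git/config for the rest of
          # the job, on a runner that has already executed PR-controlled build code.
          persist-credentials: false
      - name: Checkout timefold-solver-enterprise (main) # Checkout the main branch if the PR branch does not exist
        if: steps.checkout-solver-enterprise.outcome != 'success'
        uses: actions/checkout@v4
        with:
          repository: TimefoldAI/timefold-solver-enterprise
          ref: main
          token: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Used only for the clone itself.
          path: ./timefold-solver-enterprise
          fetch-depth: 0 # Otherwise merge will fail on account of not having history.
          persist-credentials: false
      - name: Quickly build timefold-solver-enterprise
        working-directory: ./timefold-solver-enterprise
        shell: bash
        run: mvn -B -Dquickly clean install
      # Clone timefold-solver-benchmarks
      - name: Checkout timefold-solver-benchmarks (PR) # Checkout the PR branch first, if it exists
        if: github.head_ref # Only true if this is a PR.
        id: checkout-solver-benchmarks-pr
        uses: actions/checkout@v4
        continue-on-error: true
        with:
          repository: TimefoldAI/timefold-solver-benchmarks
          ref: ${{ github.head_ref }}
          path: ./timefold-solver-benchmarks
          fetch-depth: 0 # Otherwise merge will fail on account of not having history.
          persist-credentials: false
      - name: Checkout timefold-solver-benchmarks (main) # Checkout the main branch if the PR branch does not exist
        if: steps.checkout-solver-benchmarks-pr.outcome != 'success' # Bare form, same as the enterprise fallback above.
        uses: actions/checkout@v4
        with:
          repository: TimefoldAI/timefold-solver-benchmarks
          ref: main
          path: ./timefold-solver-benchmarks
          fetch-depth: 0 # Otherwise merge will fail on account of not having history.
          persist-credentials: false
      - name: Build and test timefold-solver-benchmarks
        working-directory: ./timefold-solver-benchmarks
        shell: bash
        run: mvn -B -DskipJMH clean verify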
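# Full build and test of the enterprise edition (Java) against the PR.
  enterprise-java:
    needs: approval_required
    name: Enterprise Edition (Java)
    runs-on: ubuntu-latest
    concurrency:
      group: downstream-enterprise-${{ github.event_name }}-${{ github.head_ref }}
      cancel-in-progress: true
    timeout-minutes: 120
    steps:
      # Clone timefold-solver
      # No need to check for stale repo, as Github merges the main repo into the fork automatically.
      - name: Checkout timefold-solver
        uses: actions/checkout@v4
        with:
          path: ./timefold-solver
          ref: ${{ github.event.pull_request.head.sha }} # The GHA event will pull the main branch by default, and we must specify the PR reference version
          # The Maven build below runs whatever the PR's pom.xml configures, so the
          # GITHUB_TOKEN must not be left in .git/config where that build could read it.
          persist-credentials: false
      # Clone timefold-solver-enterprise
      # Need to check for stale repo, since Github is not aware of the build chain and therefore doesn't automate it.
      - name: Checkout timefold-solver-enterprise (PR) # Checkout the PR branch first, if it exists
        id: checkout-solver-enterprise
        uses: actions/checkout@v4
        continue-on-error: true
        with:
          repository: TimefoldAI/timefold-solver-enterprise
          ref: ${{ github.head_ref }}
          token: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Used only for the clone itself.
          path: ./timefold-solver-enterprise
          fetch-depth: 0 # Otherwise merge will fail on account of not having history.
          # This checkout happens before the PR's Maven build runs; without this setting the
          # token would still be sitting in .git/config when that build executes.
          persist-credentials: false
      - name: Checkout timefold-solver-enterprise (main) # Checkout the main branch if the PR branch does not exist
        if: steps.checkout-solver-enterprise.outcome != 'success'
        uses: actions/checkout@v4
        with:
          repository: TimefoldAI/timefold-solver-enterprise
          ref: main
          token: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Used only for the clone itself.
          path: ./timefold-solver-enterprise
          fetch-depth: 0 # Otherwise merge will fail on account of not having history.
          persist-credentials: false
      # Build and test
      - name: Setup Temurin 17 and Maven
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: 'maven'
      - name: Quickly build timefold-solver
        working-directory: ./timefold-solver
        shell: bash
        run: mvn -B -Dquickly clean install
      - name: Build and test timefold-solver-enterprise
        working-directory: ./timefold-solver-enterprise
        shell: bash
        run: mvn -B clean verify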
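# Builds the Python distribution of the PR and runs the enterprise Python test suite against it.
  enterprise-python:
    needs: approval_required
    name: Enterprise Edition (Python)
    concurrency:
      group: downstream-enterprise-python-${{ github.event_name }}-${{ github.head_ref }}
      cancel-in-progress: true
    timeout-minutes: 120
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4
        with:
          path: ./timefold-solver # Unquoted, consistent with the other jobs.
          ref: ${{ github.event.pull_request.head.sha }} # The GHA event will pull the main branch by default, and we must specify the PR reference version
          # "python -m build" below runs the PR's own packaging code, so the GITHUB_TOKEN
          # must not be left in .git/config where that code could read it.
          persist-credentials: false
      # Clone timefold-solver-enterprise
      # Need to check for stale repo, since Github is not aware of the build chain and therefore doesn't automate it.
      - name: Checkout timefold-solver-enterprise (PR) # Checkout the PR branch first, if it exists
        id: checkout-solver-enterprise
        uses: actions/checkout@v4
        continue-on-error: true
        with:
          repository: TimefoldAI/timefold-solver-enterprise
          ref: ${{ github.head_ref }}
          token: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Used only for the clone itself.
          path: ./timefold-solver-enterprise
          fetch-depth: 0 # Otherwise merge will fail on account of not having history.
          # This checkout happens before the PR's build step runs; without this setting the
          # token would still be sitting in .git/config when that step executes.
          persist-credentials: false
      - name: Checkout timefold-solver-enterprise (main) # Checkout the main branch if the PR branch does not exist
        if: steps.checkout-solver-enterprise.outcome != 'success'
        uses: actions/checkout@v4
        with:
          repository: TimefoldAI/timefold-solver-enterprise
          ref: main
          token: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Used only for the clone itself.
          path: ./timefold-solver-enterprise
          fetch-depth: 0 # Otherwise merge will fail on account of not having history.
          persist-credentials: false
      # Build and test
      - name: Set up the JDK
        uses: actions/setup-java@v4
        with:
          java-version: '17' # Quoted so the value stays a string, as in enterprise-java.
          distribution: 'temurin'
          cache: 'maven'
      # Need to install all Python versions in the same run for tox
      - name: Python 3.10, Python 3.11, Python 3.12 Setup
        uses: actions/setup-python@v5
        with:
          python-version: |
            3.10
            3.11
            3.12
          cache: 'pip'
          cache-dependency-path: |
            **/setup.py
      - name: Install tox
        run: pip install tox build
      - name: Build Timefold Solver for Python
        working-directory: ./timefold-solver
        run: python -m build
      - name: Run tox on Timefold Solver Enterprise for Python test suite
        working-directory: ./timefold-solver-enterprise
        env:
          # Lets pip resolve the freshly built solver wheel from the PR instead of an index.
          PIP_FIND_LINKS: ${{ github.workspace }}/timefold-solver/dist
        run: tox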
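# Code-coverage build of the PR followed by the SonarCloud analysis.
  sonarcloud:
    needs: approval_required
    name: SonarCloud
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
          ref: ${{ github.event.pull_request.head.sha }} # The GHA event will pull the main branch by default, and we must specify the PR reference version
          # The Maven and tox steps below run PR-controlled build code; keep the
          # GITHUB_TOKEN out of .git/config so that code cannot pick it up.
          persist-credentials: false
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17' # Quoted so the value stays a string, as in enterprise-java.
          distribution: 'temurin'
          cache: 'maven'
      - name: Python 3.10, Python 3.11, Python 3.12 Setup
        uses: actions/setup-python@v5
        with:
          python-version: |
            3.10
            3.11
            3.12
          cache: 'pip'
          cache-dependency-path: |
            **/setup.py
      - name: Install tox
        run: pip install tox coverage pytest pytest-cov
      - name: Cache SonarCloud packages
        uses: actions/cache@v4
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      # The ENV variables are limited to the scope of the current step. Avoid adding sensitive
      # ENV variables here as the tests could leak them. Note this only limits direct exposure:
      # whatever this build installs may be reused by the later analysis step on the same
      # runner, so the environment approval upstream remains the primary control.
      - name: Build with Maven to measure code coverage
        run: mvn -B clean install -Prun-code-coverage
      - name: Get JaCoCo Agent
        run: mvn org.apache.maven.plugins:maven-dependency-plugin:2.8:get -Dartifact=org.jacoco:org.jacoco.agent:0.8.11:jar:runtime -Ddest=target/jacocoagent.jar
      - name: Run tox to measure timefold solver python code coverage from Python tests
        run: python -m tox -- --cov=timefold --cov-report=xml:target/coverage.xml --cov-config=tox.ini --cov-branch --cov-append --jacoco-agent=./target/jacocoagent.jar
      - name: Run tox to measure jpyinterpreter code coverage from Python tests
        working-directory: ./python/jpyinterpreter
        run: python -m tox -- --cov=jpyinterpreter --cov-report=xml:target/coverage.xml --cov-config=tox.ini --cov-branch --cov-append --jacoco-agent=../../target/jacocoagent.jar --jacoco-output=../../target/jacoco.exec
      - name: Run analysis
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Needed to run the SonarCloud analysis
          # PR metadata goes through the environment instead of being interpolated into the
          # command line: head.ref is the PR author's branch name and must not reach the shell
          # unquoted. On push events these are empty, exactly as the inline expressions were.
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_BRANCH: ${{ github.event.pull_request.head.ref }}
          PR_SHA: ${{ github.event.pull_request.head.sha }}
        run: >-
          mvn -B -Psonarcloud-analysis validate
          org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
          -Dsonar.organization=timefold
          -Dsonar.projectKey=ai.timefold:timefold-solver
          -Dsonar.host.url=https://sonarcloud.io
          "-Dsonar.pullrequest.key=$PR_NUMBER"
          "-Dsonar.pullrequest.branch=$PR_BRANCH"
          "-Dsonar.scm.revision=$PR_SHA"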