chore: various ci job fixups

- fix: publish failed test reports as artifact - fix: coverage reporting - fix: separate jobs for dependency graph and build - fix: warnings yielded by detekt job Signed-off-by: Sam Gammon <sam@elide.ventures>
apple · Feb 22, 2024 · 7bd65d4 · 7bd65d4
1 parent 3348ff8
commit 7bd65d4
Show file tree

Hide file tree

Showing 8 changed files with 209 additions and 88 deletions.
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -5,10 +5,3 @@ languages:
 
 queries:
   - uses: security-and-quality
-
-paths:
-  - packages
-
-paths-ignore:
-  - .codebase
-  - build
diff --git a/.github/workflows/checks.codeql.yml b/.github/workflows/checks.codeql.yml
@@ -15,6 +15,10 @@ name: "CodeQL"
   schedule:
     - cron: "0 0-23/2 * * *"
 
+  push:
+    branches:
+      - main
+
 permissions:
   contents: read
 

diff --git a/.github/workflows/job.build.yml b/.github/workflows/job.build.yml
@@ -0,0 +1,113 @@
+name: "Build"
+
+"on":
+  workflow_dispatch: {}
+  workflow_call:
+    inputs: {}
+    secrets:
+      GRADLE_CONFIGURATION_KEY:
+        description: "Gradle cache key"
+        required: false
+      BUILDLESS_APIKEY:
+        description: "Buildless key"
+        required: false
+
+permissions:
+  contents: read
+
+jobs:
+  ##
+  ## Job: Build
+  ##
+  gradle:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [Ubuntu]
+        mode: ["Strict"]
+        machine:
+          - "ubuntu-latest"
+
+    name: "Build (${{ matrix.os }})"
+    runs-on: ${{ matrix.machine }}
+    continue-on-error: ${{ matrix.mode != 'Strict' }}
+
+    defaults:
+      run:
+        shell: bash
+
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+
+    steps:
+      - name: "Setup: Harden Runner"
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: "Setup: Checkout"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          submodules: true
+          persist-credentials: false
+      - name: "Setup: Cache Restore (Build)"
+        id: cache-restore-build
+        uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+        with:
+          key: pkl-v1-build-${{ hashFiles('gradle/libs.versions.toml') }}
+          restore-keys: |
+            pkl-v1-build-${{ hashFiles('gradle/libs.versions.toml') }}
+            pkl-v1-build-
+            pkl-v1-
+            pkl-
+          path: |
+            .gradle/
+            build/
+            .codebase/
+            .kotlin/
+            ./*/build/bin
+            ./*/build/classes
+            ./*/build/kotlin
+            ./*/build/klib
+            ./*/build/generated
+            ./*/build/generated-sources
+      - name: "Setup: Java 21"
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
+        with:
+          distribution: 'adopt'
+          java-version: '21'
+      - name: "Setup: GraalVM (Java 21)"
+        uses: graalvm/setup-graalvm@d72e3dbf5f44eb0b78c4f8ec61a262d8bf9b94af # v1.1.7
+        with:
+          distribution: "graalvm"
+          java-version: 21
+          check-for-updates: false
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          set-java-home: 'false'
+      - name: "🛠️ Build"
+        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
+        id: gradlebuild
+        env:
+          CI: true
+        with:
+          cache-read-only: true
+          cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
+          gradle-home-cache-cleanup: true
+          arguments: build -x test -x check
+          build-scan-publish: true
+          build-scan-terms-of-service-url: "https://gradle.com/terms-of-service"
+          build-scan-terms-of-service-agree: "yes"
+      - name: "Artifact: Caches"
+        uses: actions/cache/save@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+        with:
+          key: ${{ steps.cache-restore.outputs.cache-primary-key }}
+          path: |
+            .gradle/
+            build/
+            .codebase/
+            .kotlin/
+            ./*/build/bin
+            ./*/build/classes
+            ./*/build/kotlin
+            ./*/build/klib
+            ./*/build/generated
+            ./*/build/generated-sources
diff --git a/.github/workflows/job.dependency-graph.yml b/.github/workflows/job.dependency-graph.yml
@@ -20,17 +20,8 @@ jobs:
   ## Job: Build+Submit Dependency Graph
   ##
   gradle:
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [Ubuntu]
-        mode: ["Strict"]
-        machine:
-          - "ubuntu-latest"
-
-    name: "Build (${{ matrix.os }})"
-    runs-on: ${{ matrix.machine }}
-    continue-on-error: ${{ matrix.mode != 'Strict' }}
+    name: "Dependency Graph"
+    runs-on: "ubuntu-latest"
 
     permissions:
       ## Needed for submission of dependency graphs
@@ -79,39 +70,6 @@ jobs:
         with:
           distribution: 'adopt'
           java-version: '21'
-      - name: "Setup: GraalVM (Java 21)"
-        uses: graalvm/setup-graalvm@d72e3dbf5f44eb0b78c4f8ec61a262d8bf9b94af # v1.1.7
-        with:
-          distribution: "graalvm"
-          java-version: 21
-          check-for-updates: false
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          set-java-home: 'false'
-      - name: "🛠️ Build"
-        uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
-        id: gradlebuild
-        env:
-          CI: true
-        with:
-          cache-read-only: true
-          cache-encryption-key: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
-          gradle-home-cache-cleanup: true
-          arguments: dependencies build -x test -x check --scan
       - name: "🛠️ Dependency Graph"
         uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
         continue-on-error: true
-      - name: "Artifact: Caches"
-        uses: actions/cache/save@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
-        with:
-          key: ${{ steps.cache-restore.outputs.cache-primary-key }}
-          path: |
-            .gradle/
-            build/
-            .codebase/
-            .kotlin/
-            ./*/build/bin
-            ./*/build/classes
-            ./*/build/kotlin
-            ./*/build/klib
-            ./*/build/generated
-            ./*/build/generated-sources
diff --git a/.github/workflows/job.native-build.yml b/.github/workflows/job.native-build.yml
@@ -1,13 +1,51 @@
 name: "Native Build"
 
 "on":
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      release:
+        type: boolean
+        default: false
+        description: "Release build"
+      macos:
+        type: boolean
+        default: true
+        description: "macOS"
+      linux:
+        type: boolean
+        default: true
+        description: "Linux"
+      windows:
+        type: boolean
+        default: false
+        description: "Windows"
+      artifact:
+        type: string
+        default: ""
+        description: "Artifact prefix"
+
   workflow_call:
     inputs:
       release:
         type: boolean
         default: false
         description: "Release build"
+      macos:
+        type: boolean
+        default: true
+        description: "macOS"
+      linux:
+        type: boolean
+        default: true
+        description: "Linux"
+      windows:
+        type: boolean
+        default: false
+        description: "Windows"
+      artifact:
+        type: string
+        default: ""
+        description: "Artifact prefix"
 
     secrets:
       GRADLE_CONFIGURATION_KEY:
@@ -30,18 +68,23 @@ jobs:
       matrix:
         os: [Ubuntu]
         mode: ["Strict"]
-        tag: ["linux-amd64"]
+        tag: ["linux-amd64-${{ fromJson(inputs.release) && 'opt' || 'dev' }}"]
         machine: ["ubuntu-latest"]
         target: [":pkl-cli:linuxExecutableAmd64"]
+        enabled:
+          - ${{ fromJson(inputs.linux) }}
         include:
           - os: macOS x64
-            tag: macos-x64
+            tag: macos-x64-${{ fromJson(inputs.release) && 'opt' || 'dev' }}
             machine: macos-13
             target: :pkl-cli:macExecutableAmd64
+            enabled: ${{ fromJson(inputs.macos) }}
           - os: macOS aarch64
-            tag: macos-aarch64
+            tag: macos-aarch64-${{ fromJson(inputs.release) && 'opt' || 'dev' }}
             machine: macos-13-xlarge
             target: :pkl-cli:macExecutableAarch64
+            enabled: ${{ fromJson(inputs.macos) }}
+
           # Windows build is currently broken.
           #
           # - os: Windows
@@ -51,6 +94,7 @@ jobs:
 
     name: "Native CLI (${{ matrix.os }})"
     runs-on: ${{ matrix.machine }}
+    if: ${{ matrix.enabled }}
 
     defaults:
       run:
@@ -119,13 +163,14 @@ jobs:
             ${{ matrix.target || ':pkl-cli:assembleNative' }}
             -PnativeRelease=${{ inputs.release }}
       - name: "Artifact: Native CLI"
-        if: success()
-        uses: actions/cache/save@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
-          key: pkl-native-${{ matrix.tag }}
-          path: |
-            ./pkl-cli/build/distributions/pkl-*.zip
-            ./pkl-cli/build/distributions/pkl-*.tar
+          name: "${{ inputs.artifact || 'pkl-cli-latest' }}-${{ matrix.tag }}"
+          path: ./pkl-cli/build/distributions/pkl*.*
+          if-no-files-found: warn
+          retention-days: 14
+          compression-level: 1
+          overwrite: true
       - name: "Artifact: Caches"
         uses: actions/cache/save@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
         with:

diff --git a/.github/workflows/job.tests.yml b/.github/workflows/job.tests.yml
@@ -98,10 +98,21 @@ jobs:
           build-scan-publish: true
           build-scan-terms-of-service-url: "https://gradle.com/terms-of-service"
           build-scan-terms-of-service-agree: "yes"
-          arguments: test koverVerify reports -x check
+          arguments: test koverVerify koverXmlReport koverHtmlReport koverBinaryReport reports -x check
+      - name: "Artifact: Test Reports"
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        if: success() || failure()
+        with:
+          name: "pkl-test-reports-${{ github.ref }}"
+          path: "./build/reports/**/*.*"
+          if-no-files-found: warn
+          retention-days: 7
+          compression-level: 4
+          overwrite: true
       - name: "Reporting: Coverage"
         uses: codecov/codecov-action@e0b68c6749509c5f83f984dd99a76a1c1a231044 # v4.0.1
         continue-on-error: true
+        if: success()
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           slug: elide-dev/pkl

diff --git a/.github/workflows/on.pr.yml b/.github/workflows/on.pr.yml
@@ -68,44 +68,53 @@ jobs:
             tasks
 
   ##
-  ## Job: Build + Submit Dependency Graph
+  ## Job: Build
   ##
-  dependency-graph:
+  build:
     name: "Build"
-    uses: ./.github/workflows/job.dependency-graph.yml
+    uses: ./.github/workflows/job.build.yml
     needs: [preflight-checks]
     secrets:
       GRADLE_CONFIGURATION_KEY: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
       BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
+
+  ##
+  ## Job: Native Build
+  ##
+  native-build:
+    name: "Build"
+    uses: ./.github/workflows/job.native-build.yml
+    needs: [preflight-checks, build]
+    secrets:
+      GRADLE_CONFIGURATION_KEY: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
+      BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
     permissions:
-      ## Needed for build graph publishing
-      contents: "write"
+      contents: "read"
 
   ##
   ## Job: Tests
   ##
   pr-tests:
     name: "Tests"
     uses: ./.github/workflows/job.tests.yml
-    needs: [preflight-checks, dependency-graph]
+    needs: [preflight-checks, build]
     secrets:
       GRADLE_CONFIGURATION_KEY: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
       BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
-    with:
-      native: false
 
   ##
-  ## Job: Native Build
+  ## Job: Submit Dependency Graph
   ##
-  native-build:
-    name: "Build"
-    uses: ./.github/workflows/job.native-build.yml
-    needs: [preflight-checks, dependency-graph]
+  dependency-graph:
+    name: "Checks"
+    uses: ./.github/workflows/job.dependency-graph.yml
+    needs: [preflight-checks]
     secrets:
       GRADLE_CONFIGURATION_KEY: ${{ secrets.GRADLE_CONFIGURATION_KEY }}
       BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
     permissions:
-      contents: "read"
+      ## Needed for build graph publishing
+      contents: "write"
 
   ##
   ## Job: API Check