From 66e90836a6c39f0e9f9f5f24b7e3efc6875fddfe Mon Sep 17 00:00:00 2001 From: Michael Vorburger Date: Thu, 26 Oct 2023 18:41:44 +0200 Subject: [PATCH 1/4] Minor clean-up to align CodeQL & Build GitHub Actions --- .github/workflows/build.yml | 27 ++++++++++++++++++++------- .github/workflows/codeql.yaml | 19 +++++++++++++++++++ 2 files changed, 39 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9ffbca252b..22419da6dc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -name: "GitHub Actions: Build" +name: "Build" # Controls when the action will run. Triggers the workflow on push or pull request # events for the `master` branch @@ -22,18 +22,30 @@ on: tags: build* pull_request: + # The branches below must be a subset of the branches above branches: [ master ] + schedule: + # Run once a week (even if no new code or PRs) to detect random regressions + - cron: '12 13 * * 2' + env: # Allow precise monitoring of the save/restore of Gradle User Home by `gradle-build-action` # See https://github.com/marketplace/actions/gradle-build-action?version=v2.1.1#cache-debugging-and-analysis GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: "fhir" # change this to invalidate cache -# A workflow run is made up of one or more jobs that can run sequentially or in parallel + + # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: # Build will compile APK, test APK and run tests, lint, etc. build: - runs-on: ubuntu-22.04-8core + timeout-minutes: 60 + permissions: + actions: read + contents: read + + strategy: + fail-fast: false # Steps represent a sequence of tasks that will be executed as part of the job steps: @@ -49,17 +61,18 @@ jobs: # Fetch origin/master for spotless ratchet to work # https://github.com/diffplug/spotless/issues/1242 fetch-depth: 0 + - name: Setup machine uses: ./.github/actions/commonSetup - name: Spotless check - run: ./gradlew spotlessCheck --scan --stacktrace + run: ./gradlew spotlessCheck --scan --full-stacktrace - - name: Build with Gradle - run: ./gradlew build --scan --stacktrace + - name: Build (full) with Gradle + run: ./gradlew build --scan --full-stacktrace - name: Check with Gradle - run: ./gradlew check --scan --stacktrace + run: ./gradlew check --scan --full-stacktrace - name: Release artifacts to local repo run: ./gradlew publishReleasePublicationToCIRepository --scan diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 25e4197f6b..0df5358f2c 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -1,5 +1,24 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + name: "CodeQL" +# NB: This GitHub Action for https://codeql.github.com seems to be +# a bit "special"; it does not appear to be (easily) possible to just +# integrate and run this as part of the main build.yaml action; see +# https://github.com/google/android-fhir/issues/2310. + on: push: branches: [ "master" ] From 5a8f5997f848b30cace0a0b8ffa3a146afaf7fc3 Mon Sep 17 00:00:00 2001 From: Michael Vorburger Date: Thu, 26 Oct 2023 19:01:47 +0200 Subject: [PATCH 2/4] Replace styfle/cancel-workflow-action with new GitHub concurrency: standard see https://github.com/styfle/cancel-workflow-action/blob/main/README.md --- .github/workflows/build.yml | 8 ++++---- .github/workflows/codeql.yaml | 4 ++++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 22419da6dc..6f6b4c73d2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -34,6 +34,10 @@ env: GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: "fhir" # change this to invalidate cache +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.ref || github.run_id }} + cancel-in-progress: true + # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: # Build will compile APK, test APK and run tests, lint, etc. @@ -49,10 +53,6 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: - - name: Cancel previous - uses: styfle/cancel-workflow-action@0.12.0 - with: - access_token: ${{ github.token }} # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - name: Checkout Repo diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 0df5358f2c..1f90d2cb89 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -28,6 +28,10 @@ on: schedule: - cron: '32 13 * * 2' +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.ref || || github.run_id }} + cancel-in-progress: true + jobs: analyze: name: Analyze From 8ab3993c5664a6e03f58719389127ae6eb708e19 Mon Sep 17 00:00:00 2001 From: Michael Vorburger Date: Thu, 26 Oct 2023 19:11:26 +0200 Subject: [PATCH 3/4] Merge CodeQL & Build GitHub Actions (re. #2294) --- .github/actions/commonSetup/action.yml | 21 -------- .github/workflows/build.yml | 34 +++++++++++- .github/workflows/codeql.yaml | 74 -------------------------- 3 files changed, 32 insertions(+), 97 deletions(-) delete mode 100644 .github/actions/commonSetup/action.yml delete mode 100644 .github/workflows/codeql.yaml diff --git a/.github/actions/commonSetup/action.yml b/.github/actions/commonSetup/action.yml deleted file mode 100644 index c15b0e993b..0000000000 --- a/.github/actions/commonSetup/action.yml +++ /dev/null @@ -1,21 +0,0 @@ -name: "common machine setup" -description: "Prepares the machine" -runs: - using: "composite" - steps: - - name: Set up JDK 17 - uses: actions/setup-java@v2 - with: - distribution: temurin - java-version: "17" - - - name: "Setup Gradle" - uses: gradle/gradle-build-action@v2 - with: - # See https://github.com/marketplace/actions/gradle-build-action#enable-dependency-graph-generation-for-a-workflow - dependency-graph: generate-and-submit - # Limit the size of the cache entry. - # These directories contain instrumented/transformed dependency jars which can be reconstructed relatively quickly. - gradle-home-cache-excludes: | - caches/jars-9 - caches/transforms-3 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6f6b4c73d2..d753fc2249 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -50,6 +50,8 @@ jobs: strategy: fail-fast: false + matrix: + language: [ 'java' ] # Steps represent a sequence of tasks that will be executed as part of the job steps: @@ -62,8 +64,36 @@ jobs: # https://github.com/diffplug/spotless/issues/1242 fetch-depth: 0 - - name: Setup machine - uses: ./.github/actions/commonSetup + - name: Switch to Java 17 from Eclipse Temurin distro + uses: actions/setup-java@v3 + with: + java-version: 17 + distribution: temurin + + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + + - name: Build (minimal, for CodeQL) with Gradle + run: ./gradlew --scan --full-stacktrace compileDebugAndroidTestSources + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" + + # This needs to be done *AFTER* CodeQL; otherwise it fails weirdly, see https://github.com/google/android-fhir/issues/2310 + - name: "Setup Gradle" + uses: gradle/gradle-build-action@v2 + with: + # See https://github.com/marketplace/actions/gradle-build-action#enable-dependency-graph-generation-for-a-workflow + dependency-graph: generate-and-submit + # Limit the size of the cache entry. + # These directories contain instrumented/transformed dependency jars which can be reconstructed relatively quickly. + gradle-home-cache-excludes: | + caches/jars-9 + caches/transforms-3 - name: Spotless check run: ./gradlew spotlessCheck --scan --full-stacktrace diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml deleted file mode 100644 index 1f90d2cb89..0000000000 --- a/.github/workflows/codeql.yaml +++ /dev/null @@ -1,74 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: "CodeQL" - -# NB: This GitHub Action for https://codeql.github.com seems to be -# a bit "special"; it does not appear to be (easily) possible to just -# integrate and run this as part of the main build.yaml action; see -# https://github.com/google/android-fhir/issues/2310. - -on: - push: - branches: [ "master" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "master" ] - schedule: - - cron: '32 13 * * 2' - -concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.ref || || github.run_id }} - cancel-in-progress: true - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-22.04-8core - timeout-minutes: 60 - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: [ 'java' ] - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Switch to Java 17 from Eclipse Temurin distro - uses: actions/setup-java@v3 - with: - java-version: 17 - distribution: temurin - - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - - # TODO: use Autobuild instead of ./gradlew after https://github.com/github/codeql-action/issues/1417 is fixed - # - name: Autobuild - # uses: github/codeql-action/autobuild@v2 - - name: Build with Gradle - run: ./gradlew --scan --full-stacktrace -Dorg.gradle.dependency.verification=off compileDebugAndroidTestSources - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - with: - category: "/language:${{matrix.language}}" From 6c78e649c9a6e5907603c69000d71a014af604cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Vorburger=20=E2=9B=91=EF=B8=8F?= Date: Sat, 28 Oct 2023 03:43:09 +0200 Subject: [PATCH 4/4] Add missing (lost) security-events: write to build.yml --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d753fc2249..52258c7ffc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -47,6 +47,8 @@ jobs: permissions: actions: read contents: read + # Required by codeql-action + security-events: write strategy: fail-fast: false