google · vorburger · Oct 26, 2023 · Oct 26, 2023 · Oct 26, 2023 · Oct 28, 2023
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: "GitHub Actions: Build"
+name: "Build"
 
 # Controls when the action will run. Triggers the workflow on push or pull request
 # events for the `master` branch
@@ -22,25 +22,41 @@ on:
     tags:
       build*
   pull_request:
+    # The branches below must be a subset of the branches above
     branches: [ master ]
+  schedule:
+    # Run once a week (even if no new code or PRs) to detect random regressions
+    - cron: '12 13 * * 2'
+
 env:
   # Allow precise monitoring of the save/restore of Gradle User Home by `gradle-build-action`
   # See https://github.com/marketplace/actions/gradle-build-action?version=v2.1.1#cache-debugging-and-analysis
   GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: "fhir" # change this to invalidate cache
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref || github.run_id }}
+  cancel-in-progress: true
+
+  # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   # Build will compile APK, test APK and run tests, lint, etc.
   build:
-
     runs-on: ubuntu-22.04-8core
+    timeout-minutes: 60
+    permissions:
+      actions: read
+      contents: read
+      # Required by codeql-action
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java' ]
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      - name: Cancel previous
-        uses: styfle/[email protected]
-        with:
-          access_token: ${{ github.token }}
 
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - name: Checkout Repo
@@ -49,17 +65,46 @@ jobs:
           # Fetch origin/master for spotless ratchet to work
           # https://github.com/diffplug/spotless/issues/1242
           fetch-depth: 0
-      - name: Setup machine
-        uses: ./.github/actions/commonSetup
+
+      - name: Switch to Java 17 from Eclipse Temurin distro
+        uses: actions/setup-java@v3
+        with:
+          java-version: 17
+          distribution: temurin
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Build (minimal, for CodeQL) with Gradle
+        run: ./gradlew --scan --full-stacktrace compileDebugAndroidTestSources
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{matrix.language}}"
+
+      # This needs to be done *AFTER* CodeQL; otherwise it fails weirdly, see https://github.com/google/android-fhir/issues/2310
+      - name: "Setup Gradle"
+        uses: gradle/gradle-build-action@v2
+        with:
+          # See https://github.com/marketplace/actions/gradle-build-action#enable-dependency-graph-generation-for-a-workflow
+          dependency-graph: generate-and-submit
+          # Limit the size of the cache entry.
+          # These directories contain instrumented/transformed dependency jars which can be reconstructed relatively quickly.
+          gradle-home-cache-excludes: |
+            caches/jars-9
+            caches/transforms-3
 
       - name: Spotless check
-        run: ./gradlew spotlessCheck --scan --stacktrace
+        run: ./gradlew spotlessCheck --scan --full-stacktrace
 
-      - name: Build with Gradle
-        run: ./gradlew build --scan --stacktrace
+      - name: Build (full) with Gradle
+        run: ./gradlew build --scan --full-stacktrace
 
       - name: Check with Gradle
-        run: ./gradlew check --scan --stacktrace
+        run: ./gradlew check --scan --full-stacktrace
 
       - name: Release artifacts to local repo
         run: ./gradlew publishReleasePublicationToCIRepository --scan