Unify publication workflow
jprinet committed Sep 29, 2023
1 parent b9eb35b commit 4a2b29a
Showing 7 changed files with 232 additions and 136 deletions.
221 changes: 153 additions & 68 deletions README.md
Expand Up @@ -2,7 +2,81 @@

A collection of composite Github Actions

## terms-of-service-acceptance/run
## Publish Build Scans® from forked repositories

### Description
When submitting a pull request, a Github workflow that validates the change is usually triggered, however the Develocity Build Scans® can’t be published for 2 reasons:
- The Develocity Terms of Service have not been agreed to by the contributor
- Workflows from forked repositories do not have access to secrets although an access token is required to publish a Build Scan®

This repository contains some actions which can be combined together to solve this.

### Architecture
![Architecture](./doc/architecture.png)

### Usage

**Usage**:

Insert the `Save Build Scan` step after each Maven execution step in the Github workflow called to validate a pull-request (`Build with Maven` here).

```yaml
[...]
- name: Build with Maven
run: mvn clean package
- name: Save Build Scan
uses: gradle/github-actions/maven-build-scan/[email protected]
[...]
```

Add a workflow to publish the Build Scans® saved during the previous step

_Note:_
Some parameters need to be adjusted here:
- The workflow name (here `Build`) triggered when a pull-request is submitted
- The build workflow filename (here `build.yml`) has to be adjusted to the filename of the workflow using `maven-build-scan/save`
- The Develocity URL (here `https://<MY_DEVELOCITY_URL>`)
- The secret name holding the Develocity access key (here `<DEVELOCITY_ACCESS_KEY>`)

```yaml
name: Upload Build Scans

on:
workflow_run:
workflows: [ "Build" ]
types: [ completed ]
issue_comment:
types: [ created ]

jobs:

publish-build-scans:
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:
- name: Load data
id: load
uses: gradle/github-actions/maven-build-scan/[email protected]
with:
build-workflow-filename: 'build.yml'
- name: Verify Terms of Service acceptance
uses: gradle/github-actions/terms-of-service-acceptance/[email protected]
with:
tos-location: 'https://foo.bar/tos.html'
pr-number: ${{ steps.load.outputs.pr-number }}
- name: Publish Maven Build Scans
uses: gradle/github-actions/maven-build-scan/[email protected]
with:
develocity-url: 'https://<MY_DEVELOCITY_URL>'
develocity-access-key: ${{ secrets.<DEVELOCITY_ACCESS_KEY> }}
pr-number: ${{ steps.load.outputs.pr-number }}
```
### Implementation details
#### terms-of-service-acceptance/run
A composite action to verify that Develocity Terms of Service have been accepted.
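Review bot: the `Upload Build Scans` example should say which side of the trust boundary each step is on. The `publish-build-scans` job holds `contents: write`, `pull-requests: write` and `secrets.<DEVELOCITY_ACCESS_KEY>`, and its first step loads data saved by the pull-request build, which for a fork is contributor-controlled. A sentence under `### Architecture` stating that the saved artifact is untrusted input to a privileged job would help adopters review the chain. Minor: `### Usage` is immediately followed by `**Usage**:`, so one of the two can go.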
Expand All @@ -19,22 +93,21 @@ See the [cla-assistant-lite documentation](https://github.com/marketplace/action
**Event Triggers**:
This action should be configured to respond to the following event triggers:
- `pull_request_target`: to check if the user has previously accepted the Terms of Service when submitting the pull-request.
- `issue-comment`: to check if any new pull-request comment is accepting the Terms of Service.
- `workflow_run`: to check if the user has previously accepted the Terms of Service before publishing a Build Scan®.
- `issue_comment`: to check if any new pull-request comment is accepting the Terms of Service.

**Permissions**:

The following permissions are required for this action to operate:
- `contents: write`: to create/edit the signature file
- `pull-requests: write`: to comment the pull-request
- `actions: write`: to update the pull-request status check
- `statuses: write`: to update the pull-request status check

**Action inputs**:

| Name | Description | Default |
|------------------------------------------|------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `tos-location` | Terms Of Service location (URL) | |
| `pr-number` | pull-request number | |
| `signature-branch` | *Optional*: Git branch where the signature file will be stored | `${{ github.event.repository.default_branch }}` |
| `signature-location` | *Optional*: Signature file location | `.github/develocity-tos.json` |
| `pr-comment-tos-acceptance-missing` | *Optional*: pull-request comment added when Terms of Service have not previously been accepted | `Please accept [Develocity Terms Of Service]({0}) to get your pull-request Build Scan published by commenting this pull-request with the following message:` |
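Review bot: the **Permissions** list and the new top-level example disagree. This list names a permission for updating the pull-request status check (`actions: write` / `statuses: write`), but the `publish-build-scans` job in the `Upload Build Scans` example grants only `contents: write` and `pull-requests: write`. Either add the status permission to the example, or drop it from this list if the status check is no longer updated, so that adopters grant the minimum that works.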
Expand All @@ -45,43 +118,21 @@ The following permissions are required for this action to operate:

**Usage**:

```yaml
name: Gradle - Terms of Service acceptance verification

on:
# issue_comment event is triggered when a pull-request is commented
issue_comment:
types: [ created ]
pull_request_target:
_Note:_
Some parameters need to be adjusted here:
- The pull-request number (here `steps.load.outputs.pr-number`) has to be adjusted to the value set in the context

jobs:
run-terms-of-service-acceptance:
runs-on: ubuntu-latest
permissions:
# required to update signature file
contents: write
# required to comment pull-request
pull-requests: write
# required to update pull-request status check
actions: write
statuses: write
steps:
- name: Run Terms of Service acceptance verification
```yaml
[...]
- name: Verify Terms of Service acceptance
uses: gradle/github-actions/terms-of-service-acceptance/[email protected]
with:
# tos-location can also point to a file in a Github repository with this syntax: /<owner>/<repo>/blob/<branch>/tos.html
tos-location: 'https://foo.bar/tos.html'
# Optional inputs
#pr-comment-tos-acceptance-missing: 'Please accept [Develocity Terms Of Service]({0}) to get your pull-request Build Scan published by commenting this pull-request with the following message:'
#pr-comment-tos-acceptance-request: 'I have read Develocity Terms Of Service and I hereby accept the Terms'
#pr-comment-tos-acceptance-validation: 'All Contributors have accepted Develocity Terms Of Service.'
#signature-branch: 'main'
#signature-location: '.github/develocity-tos.json'
#white-list: 'bot1,bot2'
#github-token: ${{ secrets.MY_PAT }}
pr-number: ${{ steps.load.outputs.pr-number }}
[...]
```

## maven-build-scan/save
#### maven-build-scan/save
A Composite action to save an unpublished Maven Build Scan®.

The action saves unpublished Build Scan® data as a workflow artifact with name `maven-build-scan-data`, which can then be published in a dependent workflow.
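Review bot: in the new `_Note:_`, "has to be adjusted to the value set in the context" doesn't tell the reader where the value comes from. `${{ steps.load.outputs.pr-number }}` only resolves when an earlier step with `id: load` has run `maven-build-scan/load`; say so, and point to the full workflow under the top-level Usage section, since this shortened snippet no longer shows the triggers or the `permissions:` block the action needs.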
Expand Down Expand Up @@ -115,24 +166,74 @@ Insert the `Save Build Scan` step after each Maven execution step in the Github
[...]
```

## maven-build-scan/publish
#### maven-build-scan/load
A Composite action to load artifacts saved by `maven-build-scan/save`.

Use this action in a separate workflow to prepare the Build Scan® publication.

**Dependencies**:

- [dawidd6/action-download-artifact](https://github.com/marketplace/actions/download-workflow-artifact)

**Event Triggers**:

This action should be configured to respond to the following event trigger (see `maven-build-scan/publish` for more details):
- `workflow_run`: to run after the pull-request workflow.
- `issue_comment`: to run after the pull-request is commented.

The action fails for any other event trigger, or if the comment is different than `recheck` or `I have read Develocity Terms Of Service and I hereby accept the Terms` (can be overridden).

**Action inputs**:

| Name | Description | Default |
|-------------------------------------|----------------------------------------------------------------------------------------------|-------------------------------------------------------------------------|
| `build-workflow-filename` | Filename of the workflow using `maven-build-scan/save` (called upon pull-request submission) | |
| `pr-comment-tos-acceptance-request` | *Optional*: pull-request comment to accept the Terms of Service | `I have read Develocity Terms Of Service and I hereby accept the Terms` |

**Action outputs**:

| Name | Description |
|--------------|--------------------------------------------------------------|
| `pr-number` | pull-request number saved by `maven-build-scan/save` action |

**Usage**:

_Note:_
Some parameters need to be adjusted here:
- The build workflow filename (here `build.yml`) has to be adjusted to the filename of the workflow using `maven-build-scan/save`

```yaml
[...]
- name: Load Build Scan data
id: load
uses: gradle/github-actions/maven-build-scan/[email protected]
with:
build-workflow-filename: 'build.yml'
[...]
```

#### maven-build-scan/publish

This action will publish all Maven Build Scans® that have been saved as workflow artifacts by the `maven-build-scan/save` action.

Use this action in a separate workflow with a `workflow_run` event trigger, that will run after an existing pull-request workflow has completed. The action will download any saved Build Scan® and publish them to Develocity.
This event allows access to the repository secrets (_Develocity Access Key_) which is required to publish a Build Scan® to Gradle Enterprise when authentication is enabled.
Use this action in a separate workflow with:
- a `workflow_run` event trigger, that will run after an existing pull-request workflow has completed.
- a `issue_comment` event trigger, that will run after a comment accepting the Terms of Service is added to the pull-request
These event allows access to the repository secrets (_Develocity Access Key_) which is required to publish a Build Scan® to Gradle Enterprise when authentication is enabled.

The action will download any saved Build Scan® and publish them to Develocity.

The Build Scan® publication requires the Gradle Terms of Service to be accepted, this can be achieved by adding a workflow using the `terms-of-service-acceptance/run` action.
The `terms-of-service-acceptance/verify` action is used to ensure this workflow passed successfully.
The Build Scan® publication requires the Gradle Terms of Service to be accepted, this can be achieved by adding a previous step using the `terms-of-service-acceptance/run` action.

**Dependencies**:

- [dawidd6/action-download-artifact](https://github.com/marketplace/actions/download-workflow-artifact)
N/A

**Event Triggers**:

This action should be configured to respond to the following event trigger:
- `workflow_run`: to run after the pull-request workflow.
- `issue_comment`: to run after the pull-request is commented.

**Permissions**:

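Review bot: the `maven-build-scan/publish` text states that both triggers give access to the repository secrets, but not who can fire them. `issue_comment` runs for any comment on any issue or pull-request, and per the `maven-build-scan/load` paragraph the action fails unless the body is `recheck` or the acceptance sentence, so unrelated comments will produce failed runs. Suggest documenting a job-level `if:` guard on the event name and comment body so the job is skipped rather than failed. Also, "These event allows" should read "These events allow", and that sentence still says Gradle Enterprise while the rest of the section says Develocity.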
Expand All @@ -141,44 +242,28 @@ The following permissions are required for this action to operate:

**Action inputs**:

| Name | Description | Default |
|-------------------------------|-----------------------------------------------|-----------------------|
| `develocity-url` | Develocity URL | |
| `develocity-access-key` | *Optional*: Develocity access key | |
| `develocity-allow-untrusted` | *Optional*: Develocity allow-untrusted flag | `false` |
| `github-token` | *Optional*: Github token | `${{ github.token }}` |
| Name | Description | Default |
|--------------------------------|---------------------------------------------|-----------------------|
| `develocity-url` | Develocity URL | |
| `pr-number` | pull-request number | |
| `develocity-access-key` | *Optional*: Develocity access key | |
| `develocity-allow-untrusted` | *Optional*: Develocity allow-untrusted flag | `false` |
| `github-token` | *Optional*: Github token | `${{ github.token }}` |

**Usage**:

_Note:_
Some parameters need to be adjusted here:
- The workflow name (here `PR Check`) has to be adjusted to the `name` used in the workflow run to validate pull-requests
- The workflow-job-name (here `run-terms-of-service-acceptance`) has to be adjusted to the job `name` used in the workflow to verify the Terms of Service approval.
- The Develocity URL (here `https://<MY_DEVELOCITY_URL>`)
- The secret name holding the Develocity access key (here `<DEVELOCITY_ACCESS_KEY>`)

```yaml
name: Publish Maven Build Scans

on:
workflow_run:
workflows: [ "PR Check" ]
types: [ completed ]

jobs:

publish-build-scans:
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- name: Verify Terms of Service acceptance job passed
uses: gradle/github-actions/terms-of-service-acceptance/[email protected]
with:
terms-of-service-acceptance-workflow-job-name: 'run-terms-of-service-acceptance'
[...]
- name: Publish Maven Build Scans
uses: gradle/github-actions/maven-build-scan/[email protected]
with:
develocity-url: 'https://<MY_DEVELOCITY_URL>'
develocity-access-key: ${{ secrets.<DEVELOCITY_ACCESS_KEY> }}
pr-number: ${{ steps.load.outputs.pr-number }}
[...]
```
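Review bot: the new `pr-number` row has an empty default and no *Optional* marker, but the table doesn't say the input is required or what the action does with it. State that it is expected to be the `pr-number` output of `maven-build-scan/load`, and keep a pointer to the `pull-requests: write` permission, since the snippet is now reduced to a single step between `[...]` markers.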
Binary file added doc/architecture.png
68 changes: 68 additions & 0 deletions maven-build-scan/load/action.yml
@@ -0,0 +1,68 @@
name: Load Maven Build Scans
description: Load Maven Build Scans

inputs:
build-workflow-filename:
description: 'Filename of the workflow where the maven-build-scan/save action was triggered'
required: true
pr-comment-tos-acceptance-request:
description: 'pull-request comment to accept the Terms of Service'
default: 'I have read Develocity Terms of Service and I hereby accept the Terms'

outputs:
pr-number:
description: "pull-request number"
value: ${{ steps.pr.outputs.PR_NUMBER }}

runs:
using: 'composite'
steps:
- name: Check event trigger
if: |
(github.event_name != 'issue_comment'
|| (
github.event.comment.body != 'recheck'
&& github.event.comment.body != inputs.pr-comment-tos-acceptance-request
)
)
&& github.event_name != 'workflow_run'
run: |
echo "Skipping Github event"
exit 1
shell: bash
- name: Download Build Metadata after PR Build
if: github.event_name == 'workflow_run'
uses: dawidd6/action-download-artifact@v2
env:
ARTIFACT_NAME: 'maven-build-scan-data'
with:
run_id: ${{ github.event.workflow_run.id }}
name: ${{ env.ARTIFACT_NAME }}
path: ${{ env.ARTIFACT_NAME }}
- name: Download Build Metadata after PR Comment
if: github.event_name == 'issue_comment'
env:
ARTIFACT_NAME: 'maven-build-scan-data'
uses: dawidd6/action-download-artifact@v2
with:
pr: ${{ github.event.issue.number }}
workflow_conclusion: success
workflow: ${{ inputs.build-workflow-filename }}
name: ${{ env.ARTIFACT_NAME }}
path: ${{ env.ARTIFACT_NAME }}
- name: Restore Build Scans
env:
ARTIFACT_NAME: 'maven-build-scan-data'
BUILD_SCAN_DIR: '~/.m2/.gradle-enterprise/build-scan-data/'
run: |
mkdir -p ${{ env.BUILD_SCAN_DIR }}
cp -r ${{ env.ARTIFACT_NAME }}/* ${{ env.BUILD_SCAN_DIR }}
shell: bash
- name: Collect pull-request number
id: pr
env:
BUILD_SCAN_DIR: '~/.m2/.gradle-enterprise/build-scan-data/'
run: |
source $(find ${{ env.BUILD_SCAN_DIR }} -type f -name "pr-number.properties")
echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT
shell: bash
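Review bot: the `Collect pull-request number` step runs `source $(find ... -name "pr-number.properties")` on a file that comes out of the downloaded `maven-build-scan-data` artifact. That artifact is written by the pull-request build, so for a fork its content is contributor-controlled, and `source` executes it as shell in the job that holds the write token and the access key. Read the value as data instead (for example, extract the `PR_NUMBER=` line and accept it only if it is all digits), and fail if `find` returns more than one file. Two smaller points: `dawidd6/action-download-artifact@v2` is a movable tag and would be safer pinned to a commit SHA, and the default `pr-comment-tos-acceptance-request` here reads "Terms of Service" while the README table shows "Terms Of Service".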