Add Publish Maven Build Scan composite action

.github/workflows/test-build-scan-save.yml → .github/workflows/test-maven-build-scan-save.yml

@@ -22,26 +22,27 @@ jobs:
           java-version: '8'
           distribution: 'temurin'
       - name: Save Maven Build Scan (no-op)
-        uses: ./maven/build-scan-save
+        uses: ./maven/build-scan/save
       - name: Run Maven Build 1
         working-directory: ./sample/common-gradle-enterprise-maven-configuration
         run: mvn clean -B
       - name: Save Maven Build Scan 1
-        uses: ./maven/build-scan-save
+        uses: ./maven/build-scan/save
       - name: Run Maven Build 2
         working-directory: ./sample/common-gradle-enterprise-maven-configuration
         run: mvn initialize -B
       - name: Save Maven Build Scan 2
-        uses: ./maven/build-scan-save
+        uses: ./maven/build-scan/save
 
   check-saved-build-scans:
-    name: Check Save Build Scan
+    name: Verify Saved Build Scans
     needs: create-and-save-build-scans
     runs-on: ubuntu-latest
     env:
       DATA_ARTIFACT_NAME: 'maven-build-scan-data'
+      METADATA_ARTIFACT_NAME: 'maven-build-scan-metadata'
     steps:
-      - name: Download Workflow Artifacts
+      - name: Download data workflow artifact
         uses: actions/download-artifact@v3
         with:
           name: ${{ env.DATA_ARTIFACT_NAME }}
@@ -53,3 +54,15 @@ jobs:
             echo "Found $scanCount scans (2 expected)"
             exit 1
           fi
+      - name: Download metadata workflow artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: ${{ env.METADATA_ARTIFACT_NAME }}
+          path: ${{ env.METADATA_ARTIFACT_NAME }}
+      - name: Verify metadata files count
+        run: |
+          metadataFilesCount=$(find ${{ env.METADATA_ARTIFACT_NAME }} -type f -name '*-ge-extension-versions.txt' | wc -l)
+          if [ "$metadataFilesCount" != "2" ]; then
+            echo "Found $metadataFilesCount metadata files (2 expected)"
+            exit 1
+          fi

.github/workflows/test-check-tos.yml → .github/workflows/test-terms-of-service-verify.yml

@@ -4,7 +4,7 @@ on:
   pull_request:
 
 jobs:
-  gradle-check-tos:
+  check-terms-of-service-approval:
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -15,7 +15,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Gradle - Terms of Service approval verification
-        uses: ./check-tos
+        uses: ./terms-of-service/verify
         with:
           tos-location: 'https://foo.bar/tos.html'
           white-list: '*'

README.md

@@ -2,11 +2,12 @@
 
 A collection of composite Github Actions
 
-## gradle-check-tos
+## terms-of-service/verify
 
-A composite action to check that Gradle Terms of Service have been approved.
+A composite action to verify that Gradle Terms of Service have been approved.
 
 The action succeeds if the pull-request contributors are recorded in the signature file, fails otherwise.
+Contributors can approve the Terms of Service by commenting the pull-request, explore the [cla-assistant-lite documentation](https://github.com/marketplace/actions/cla-assistant-lite) for more details.
 
 **Dependencies**:
 
@@ -42,7 +43,7 @@ on:
   pull_request_target:
 
 jobs:
-  gradle-check-tos:
+  check-terms-of-service-approval:
     runs-on: ubuntu-latest
     permissions:
       # required to update signature file
@@ -54,7 +55,7 @@ jobs:
       statuses: write
     steps:
       - name: Gradle - Terms of Service approval verification
-        uses: gradle/github-actions/check-tos@v1.0
+        uses: gradle/github-actions/terms-of-service/verify@v1.0
         with:
           # tos-location can also point to a file in a Github repository with this syntax: /<owner>/<repo>/blob/<branch>/tos.html
           tos-location: 'https://foo.bar/tos.html'
@@ -68,10 +69,11 @@ jobs:
           #github-token: ${{ secrets.MY_PAT }}
 ```
 
-## maven/build-scan-save
+## maven/build-scan/save
 A Composite action to save an unpublished Maven Build Scan®.
 
 The action saves unpublished Build Scan® data as a workflow artifact with name `maven-build-scan-data`, which can then be published in a dependent workflow.
+To simplify the Build Scan® publication process later on, a file containing the Gradle Enterprise Maven extension version(s) is saved as an additional workflow artifact with name `maven-build-scan-metadata`.
 
 Use this action in your existing pull-request workflows to allow Build Scan® to be published. Since these workflows are running in an untrusted context, they do not have access to the required secrets to publish the Build Scan® directly.
 
@@ -98,5 +100,86 @@ Insert the `Save Build Scan` step after each Maven execution step in the Github
       - name: Build with Maven
         run: mvn clean package
       - name: Save Build Scan
-        uses: gradle/github-actions/maven/[email protected]
-[...]```
+        uses: gradle/github-actions/maven/build-scan/[email protected]
+[...]
+```
+
+## maven/build-scan/publish
+
+A composite action to publish all Maven Build Scans® saved as workflow artifacts when validating a pull-request (by the `maven/build-scan/save` action). 
+
+This action is called from a new workflow with a `workflow_run` event trigger in order to run just after the existing pull-request workflow has completed.
+This event allows access to the repository secrets (_Gradle Enterprise Access Key_) which is required to publish Build Scans® to Gradle Enterprise when authentication is enabled.
+
+The Build Scan® publication requires the Gradle Terms of Service to be approved, this can be achieved by adding a workflow using the `terms-of-service/verify` action.
+The `pull-request-check/verify` action is used to ensure this workflow passed successfully. 
+
+`dawidd6/action-download-artifact` action is used to download Artifacts uploaded by a different workflow.
+
+**Dependencies**:
+
+- [dawidd6/action-download-artifact](https://github.com/marketplace/actions/download-workflow-artifact)
+
+**Event Trigger**:
+- `workflow_run`
+
+**Action inputs**:
+
+| Name                                  | Description                                        | Default |
+|---------------------------------------|----------------------------------------------------|---------|
+| `gradle-enterprise-url`               | Gradle Enterprise URL                              |         |
+| `gradle-enterprise-extension-version` | Gradle Enterprise Maven extension version          |         |
+| `gradle-enterprise-access-key`        | *Optional*: Gradle Enterprise access key           |         |
+| `gradle-enterprise-allow-untrusted`   | *Optional*: Gradle Enterprise allow-untrusted flag | `false` |
+
+**Usage**:
+
+_Note:_
+Some parameters need to be adjusted here:
+- The workflow name (here `PR Check`) has to be adjusted to the `name` used in the workflow run to validate pull-requests
+- The workflow-job-name (here `check-terms-of-service-approval`) has to be adjusted to the job `name` used in the workflow to verify the Terms of Service approval.
+- The Gradle Enterprise URL (here `https://<MY_GE_URL>`)
+- The secret name holding the Gradle Enterprise access key (here `<GE_ACCESS_KEY>`)
+
+```yaml
+name: Publish Maven Build Scans
+
+on:
+  workflow_run:
+    workflows: [ "PR Check" ]
+    types: [ completed ]
+
+jobs:
+
+  verify-terms-of-service-approval:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Verify check terms of service approval job passed
+        uses: gradle/github-actions/pull-request-check/[email protected]
+        with:
+          workflow-job-name: 'check-terms-of-service-approval'
+
+  load-metadata:
+    runs-on: ubuntu-latest
+    needs: verify-terms-of-service-approval
+    outputs:
+      extension-versions: ${{ steps.load.outputs.extension-versions }}
+    steps:
+      - name: Load Gradle Enterprise extension versions to publish Build Scans for
+        id: load
+        uses: gradle/github-actions/maven/build-scan/[email protected]
+
+  publish-build-scan:
+    runs-on: ubuntu-latest
+    needs: load-metadata
+    strategy:
+      matrix:
+        version: ${{ fromJson(needs.load-metadata.outputs.extension-versions) }}
+    steps:
+      - name: Publish Maven Build Scans
+        uses: gradle/github-actions/maven/build-scan/[email protected]
+        with:
+          gradle-enterprise-url: 'https://<MY_GE_URL>'
+          gradle-enterprise-extension-version: ${{ matrix.version }}
+          gradle-enterprise-access-key: ${{ secrets.<GE_ACCESS_KEY> }}
+```

maven/build-scan/load-metadata/action.yml

@@ -0,0 +1,32 @@
+name: Collect Gradle Enterprise extension versions from Build Metadata
+description: Collect Gradle Enterprise extension versions from Build Metadata
+
+outputs:
+  extension-versions:
+    description: 'Array of Gradle Enterprise Maven Extension versions to publish Build Scans for'
+    value: ${{ steps.collect-versions.outputs.VERSIONS }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Download Build Scan metadata
+      uses: dawidd6/action-download-artifact@v2
+      env:
+        METADATA_ARTIFACT_NAME: 'maven-build-scan-metadata'
+      with:
+        run_id: ${{ github.event.workflow_run.id }}
+        name: ${{ env.METADATA_ARTIFACT_NAME }}
+        path: ${{ env.METADATA_ARTIFACT_NAME }}
+    - name: Collect Gradle Enterprise extension versions
+      env:
+        METADATA_ARTIFACT_NAME: 'maven-build-scan-metadata'
+        METADATA_FILE_NAME: 'ge-extension-versions.txt'
+      id: collect-versions
+      run: |
+        # concatenate all metadata files in one single file
+        find ${{ env.METADATA_ARTIFACT_NAME }}/ -type f -name '*-${{ env.METADATA_FILE_NAME }}' -exec cat {} \; > ${{ env.METADATA_FILE_NAME }}
+        # create json array from unified file
+        VERSIONS=$(jq -R -s -c 'split("\n") | unique | map(select(length > 0))' < ${{ env.METADATA_FILE_NAME }})
+        # add as output
+        echo "VERSIONS=$VERSIONS" >> $GITHUB_OUTPUT
+      shell: bash

maven/build-scan/publish/action.yml

@@ -0,0 +1,94 @@
+name: Publish Maven Build Scans
+description: Publish Maven Build Scans
+
+inputs:
+  gradle-enterprise-url:
+    description: 'Gradle Enterprise URL'
+    required: true
+  gradle-enterprise-access-key:
+    description: 'Gradle Enterprise access key'
+    required: false
+  gradle-enterprise-extension-version:
+    description: 'Gradle Enterprise extension version'
+    required: true
+  gradle-enterprise-allow-untrusted:
+    description: 'Gradle Enterprise allow-untrusted flag'
+    default: 'false'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Download Build Scans
+      uses: dawidd6/action-download-artifact@v2
+      env:
+        ARTIFACT_NAME: 'maven-build-scan-data'
+      with:
+        run_id: ${{ github.event.workflow_run.id }}
+        name: ${{ env.ARTIFACT_NAME }}
+        path: ${{ env.ARTIFACT_NAME }}
+    - name: Restore Build Scans
+      env:
+        ARTIFACT_NAME: 'maven-build-scan-data'
+        BUILD_SCAN_DIR: '~/.m2/.gradle-enterprise/build-scan-data/'
+      run: |
+        mkdir -p ${{ env.BUILD_SCAN_DIR }}
+        cp -r ${{ env.ARTIFACT_NAME }}/* ${{ env.BUILD_SCAN_DIR }}
+      shell: bash
+    - name: Create Maven Project Structure
+      env:
+        PROJECT_DIR: 'maven-build-scan-publisher'
+      run: |
+        mkdir -p ${{ env.PROJECT_DIR }}/.mvn
+
+        cat > ${{ env.PROJECT_DIR }}/pom.xml << EOF
+        <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+          <modelVersion>4.0.0</modelVersion>
+          <groupId>com.gradle</groupId>
+          <artifactId>${{ env.PROJECT_DIR }}</artifactId>
+          <version>1.0</version>
+          <name>Maven Build Scan Publisher</name>
+        </project>
+        EOF
+
+        cat > ${{ env.PROJECT_DIR }}/.mvn/extensions.xml << EOF
+        <?xml version="1.0" encoding="UTF-8"?>
+        <extensions>
+          <extension>
+            <groupId>com.gradle</groupId>
+            <artifactId>gradle-enterprise-maven-extension</artifactId>
+            <version>${{ inputs.gradle-enterprise-extension-version }}</version>
+          </extension>
+        </extensions>
+        EOF
+
+        cat > ${{ env.PROJECT_DIR }}/.mvn/gradle-enterprise.xml << EOF
+        <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
+        <gradleEnterprise 
+          xmlns="https://www.gradle.com/gradle-enterprise-maven" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="https://www.gradle.com/gradle-enterprise-maven https://www.gradle.com/schema/gradle-enterprise-maven.xsd">
+          <server>
+            <url>${{ inputs.gradle-enterprise-url }}</url>
+            <allowUntrusted>${{ inputs.gradle-enterprise-allow-untrusted }}</allowUntrusted>
+          </server>
+        </gradleEnterprise>
+        EOF
+      shell: bash
+    - name: Set up JDK 17
+      uses: actions/setup-java@v3
+      with:
+        java-version: '17'
+        distribution: 'temurin'
+    - name: Publish build scan
+      env:
+        BUILD_SCAN_DIR: '~/.m2/.gradle-enterprise/build-scan-data/'
+        GRADLE_ENTERPRISE_ACCESS_KEY: ${{ inputs.gradle-enterprise-access-key }}
+        PROJECT_DIR: 'maven-build-scan-publisher'
+      working-directory: ${{ env.PROJECT_DIR }}
+      run: |
+        set +e
+        NB_SCANS=$(find ${{ env.BUILD_SCAN_DIR }}${{ inputs.gradle-enterprise-extension-version }} -type f -name "scan.scan"  | wc -l)
+        for ((i=1; i <= $NB_SCANS; i++))
+        do
+          echo "BUILD SCAN PUBLICATION $i/$NB_SCANS"
+          mvn gradle-enterprise:build-scan-publish-previous
+        done
+      shell: bash

maven/build-scan/save/action.yml

@@ -0,0 +1,32 @@
+name: Save Maven Build Scan
+description: Save Maven Build Scan
+
+runs:
+  using: composite
+  steps:
+    - name: Generate UUID
+      id: generate-uuid
+      run: |
+        # create a unique file name to avoid issues with actions/upload-artifact if this composite action is called multiple times
+        echo "UUID=$(cat /proc/sys/kernel/random/uuid)" >> "$GITHUB_OUTPUT"
+      shell: bash
+    - name: Dump Gradle Enterprise extension versions in file
+      env:
+        BUILD_SCAN_DIR: '~/.m2/.gradle-enterprise/build-scan-data/'
+      run: |
+        if [ -d ${{ env.BUILD_SCAN_DIR }} ]; then
+          find ${{ env.BUILD_SCAN_DIR }} -type d -name "*.*" -maxdepth 1 -mindepth 1 -exec basename {} \; > ${{ steps.generate-uuid.outputs.UUID }}-ge-extension-versions.txt
+        fi
+      shell: bash
+    - name: Upload Build Scan metadata as workflow Artifact
+      uses: actions/upload-artifact@v3
+      with:
+        name: 'maven-build-scan-metadata'
+        path: '*-ge-extension-versions.txt'
+        retention-days: 1
+    - name: Upload Build Scan as workflow Artifact
+      uses: actions/upload-artifact@v3
+      with:
+        name: 'maven-build-scan-data'
+        path: '~/.m2/.gradle-enterprise/build-scan-data/'
+        retention-days: 1