PR Testing: Build Performance (CI Refactor) #16
base: master
Commits on Mar 8, 2024
chore(ci): apply hardening to ci jobs

- chore: apply 'Harden Runner' auditing to all ci tasks
- chore: apply `persist-credentials: false` to checkout tasks
- chore: publish dependency graph and add dependency review check
- chore: add codeql scan job (temp)

Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 4.1.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v3.6.0...b4ffde6)

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 4.1.3.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@0efb1d1...9129d7d)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: StepSecurity Bot <[email protected]>
Signed-off-by: Sam Gammon <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Commit: ee5b42a

chore(ci): refactor into reusable workflows

This change refactors the main CI workflow into two new workflows, `on.pr.yml` and `on.push.yml`, which each call into the existing CI job as a reusable workflow.

This has the nice benefit of putting all tests, checks, builds, etc., on one screen during development on GitHub, allows customization of the PR vs. push flow, and yet keeps behavior fully consistent between the two.

- chore: move ci jobs to `workflow_call` trigger
- chore: add entrypoint jobs for PR and Push events
- chore: cleanup permissions and dispatch checks/tests

Signed-off-by: Sam Gammon <[email protected]>

Commit: dbce167

chore(ci): switch to enforced hardening mode

This changeset switches the StepSecurity hardening action to enforced mode, where previously it was running in `audit` mode. Now, audit logs have been gathered and it is time to seal off the list of accessible network endpoints for a given job.

- chore: gather and apply network endpoints for each job
- chore: move to `block` mode for `egress-policy` in `step-security/harden-runner`

Signed-off-by: Sam Gammon <[email protected]>

Commit: 4a825df

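The audit-to-block transition described in this commit, together with the `persist-credentials: false` checkout setting from the first commit, sketched as one workflow job. This is an added example, not the PR's own workflow: the workflow and job names, the `<pinned-sha>` action refs, the two allowed endpoints and the `./mvnw verify` step are placeholders or constructed values.

```yaml
# Added example, not taken from the PR. Replace <pinned-sha> with the
# commit SHA of the action release you have reviewed.
name: ci-build            # hypothetical workflow name
on:
  workflow_call: {}       # reusable workflow, called from PR/push entrypoints

permissions:
  contents: read          # least-privilege default for every job

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Phase 1 (audit): outbound connections are recorded, nothing is blocked.
      # Run the job in this mode first to learn which endpoints it needs.
      # - name: Harden Runner
      #   uses: step-security/harden-runner@<pinned-sha>
      #   with:
      #     egress-policy: audit

      # Phase 2 (block): only endpoints observed during audit stay reachable;
      # any other outbound connection from the job is denied.
      - name: Harden Runner
        uses: step-security/harden-runner@<pinned-sha>
        with:
          egress-policy: block
          # Constructed endpoint list; use the one gathered for each job.
          allowed-endpoints: >
            github.com:443
            repo.maven.apache.org:443

      - name: Checkout
        uses: actions/checkout@<pinned-sha>
        with:
          # Do not leave the job token in the local git config, where
          # later steps (build plugins, tests) could read it.
          persist-credentials: false

      - name: Build
        run: ./mvnw verify   # assumed build command
```

Harden Runner has to be the first step of the job so that every later step runs under the egress policy.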
feat(ci): slsa provenance support

This changeset adds SLSA 3+ provenance support to the workflow. The main CI run has now been split into two: `ci.build.yml`, which only builds the library and is provenance-capable, and `ci.test.yml`, which is the previous CI logic.

The regular build logic is applied only on push, and can be applied on PRs too, with publish of provenance material turned off. The test suite is invoked from PRs.

The workflows have been split into build/test phases to avoid publishing provenance data and GitHub artifacts for build matrix outputs. JARs are uniform across OS targets, so there is no need to gather and publish for more than Ubuntu.

- feat: add slsa support to build workflow
- chore: split `test` into `build` and `test` workflows
- chore: use new workflows (build/test) from push/pr triggers

Signed-off-by: Sam Gammon <[email protected]>

Commit: 31002ed

chore(build): parameterize deploy repositories

Adds two build parameters:

- `publishing.repository.snapshots`: Snapshot repo to deploy to
- `publishing.repository.releases`: Releases repo to deploy to

Both default to their current values, Sonatype.

This small inert change allows a fork to easily publish to a different repository without resorting to a code change.

Signed-off-by: Sam Gammon <[email protected]>

Commit: 3cd91de

feat(build): sigstore publishing plugin

This changeset adds the Maven Sigstore plugin for use during publishing to Sonatype and other public repositories.

- chore: add sigstore plugin to build

Signed-off-by: Sam Gammon <[email protected]>

Commit: 63aa4ea

chore(ci): build with `--strict-checksums`

Fails the build if any downloaded dependencies fail their checksum verification.

- chore: add `--strict-checksums` flag to `mvnw` calls in ci

Commit: 1f9bc69

chore(ci): document gha workflows

Signed-off-by: Sam Gammon <[email protected]>

Commit: 5cf768a

Commit: 97c1228

Signed-off-by: Sam Gammon <[email protected]>

Commit: bcdfeea

Signed-off-by: Sam Gammon <[email protected]>

Commit: f66df3e

Commits on Mar 10, 2024
Avoid calling `checkNotNull` on nullable values except during actual precondition checks.

It's not that we're not going to make such calls illegal, I promise :) I mean, we certainly aren't going to _in general_, but I am tempted for `com.google.common`, as discussed on cl/372346107 :) (It would have caught the problem of cl/612591080!)

I'm testing what would happen if we did do it for `com.google.common` in case it shakes out any more bugs. It does reveal that I didn't complete the cleanup of cl/612591080. And it reveals a few places where we'd normally use `requireNonNull`, since the checks aren't "preconditions" in the sense of "the caller did something wrong" (from cl/15376243 and cl/526930990). I've made those changes. (I would have made some more changes if I had tried to address more of `com.google.common`. But I stuck to the "main" packages, and I didn't even fix enough errors to see full results.)

Honestly, the more interesting thing that this exercise revealed was that there are more cases in which I'm especially sympathetic to calling `checkNotNull` on nullable values:

- `DummyProxy` is making an `InvocationHandler` perform automatic precondition tests based on annotations on the interface it's implementing.
- `EqualsTester` and Truth have permissive signatures because they're test utilities, as documented in cl/578260904 and discussed during the Truth CLs.

And the yet more interesting thing that it revealed is that we may want to use `@NonNull` here in the future, similar to what we've discussed in google#6824.

RELNOTES=n/a
PiperOrigin-RevId: 614074533

Commit: 55f607b

Bump `j2objc-annotations` to 3.0.0.

This is another baby step toward google#2970.

RELNOTES=n/a
PiperOrigin-RevId: 614287410

Commit: 67b1add

fix: drop jdk srczip javadoc infra

- chore: drop jdk srczip dependencies
- chore: cleanup comments and config related to srczip

Signed-off-by: Sam Gammon <[email protected]>

Commit: 2d6a7e4

chore(labs): improve build and test speed

This changeset optimizes the Guava build significantly by enabling parallel build and test features supported by Maven.

With these flags enabled, only a few tests exhibit flaky behavior; applying a sensible count of test retries (3) solves the problem. As a result, the testsuite can now be executed often, because it takes about 2 minutes to run. Building is also much faster.

After benchmarking different configurations, 2-threads-per-core and 2-test-forks-per-core seems optimal:

```
[INFO] Guava Maven Parent ..................... SUCCESS [ 0.121 s]
[INFO] Guava: Google Core Libraries for Java .. SUCCESS [ 9.681 s]
[INFO] Guava BOM .............................. SUCCESS [ 0.120 s]
[INFO] Guava Testing Library .................. SUCCESS [ 47.883 s]
[INFO] Guava Unit Tests ....................... SUCCESS [01:57 min] <--
[INFO] Guava GWT compatible libs .............. SUCCESS [ 6.909 s]
```

When built and executed serially:

```
[INFO] Guava Maven Parent ..................... SUCCESS [ 0.129 s]
[INFO] Guava: Google Core Libraries for Java .. SUCCESS [ 15.653 s]
[INFO] Guava BOM .............................. SUCCESS [ 0.064 s]
[INFO] Guava Testing Library .................. SUCCESS [01:26 min]
[INFO] Guava Unit Tests ....................... SUCCESS [06:26 min] <--
[INFO] Guava GWT compatible libs .............. SUCCESS [ 11.092 s]
```

Benchmark hardware:

- Apple M2 Max, 96GB RAM
- macOS Sonoma 14.3.1
- GraalVM CE JVM 21.0.2

```
openjdk version "21.0.2" 2024-01-16
OpenJDK Runtime Environment GraalVM CE 21.0.2+13.1 (build 21.0.2+13-jvmci-23.1-b30)
OpenJDK 64-Bit Server VM GraalVM CE 21.0.2+13.1 (build 21.0.2+13-jvmci-23.1-b30, mixed mode, sharing)
```

- chore: enable parallel build
- chore: enable parallel test execution
- chore: enable parallel gc for maven
- chore: tune tiered compilation for maven
- chore: tune thread count for maven
- fix: enable test retries (max = 3) for parallel-flaky tests

Signed-off-by: Sam Gammon <[email protected]>

Commit: d6c6548