This repository has been archived by the owner on Aug 3, 2024. It is now read-only.

add explicit permissions to workflow #587


Workflow file for this run

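# Build-and-release pipeline: derive a version, build native images on macOS,
# Linux and Windows, draft a GitHub release and publish the Maven package.
#
# NOTE(review): every `uses:` value ending in `[email protected]` is an
# artefact of the page this listing was captured from (an e-mail obfuscation
# filter replaced the `name@version` suffix). Restore the real reference from
# the repository before running this file.
name: Main

on:
  push:
  schedule:
    # 22:45 UTC on the 4th day of every month.
    - cron: '45 22 4 * *'

# Default-deny for GITHUB_TOKEN: a job that declares no `permissions:` of its
# own gets no scopes instead of the repository default.
permissions: {}

env:
  ARTIFACT: gitfx
  # Quoted so the value stays a string rather than a YAML integer.
  JAVA_VERSION: '17'

jobs:
  # Prints the workflow contexts and the runner environment to the job log for
  # troubleshooting. Each context is handed over in an env var and echoed from
  # there, so its content is never parsed as shell source.
  debug:
    runs-on: ubuntu-latest
    # No step in this job calls the GitHub API.
    permissions: {}
    steps:
      - name: Dump GitHub context
        env:
          # The github context includes `github.token`; log masking is what
          # keeps it out of the job log, which is one more reason this job's
          # token carries no scopes.
          GITHUB_CONTEXT: ${{ toJSON(github) }}
        run: echo "$GITHUB_CONTEXT"
      - name: Dump job context
        env:
          JOB_CONTEXT: ${{ toJSON(job) }}
        run: echo "$JOB_CONTEXT"
      - name: Dump steps context
        env:
          STEPS_CONTEXT: ${{ toJSON(steps) }}
        run: echo "$STEPS_CONTEXT"
      - name: Dump runner context
        env:
          RUNNER_CONTEXT: ${{ toJSON(runner) }}
        run: echo "$RUNNER_CONTEXT"
      - name: Dump strategy context
        env:
          STRATEGY_CONTEXT: ${{ toJSON(strategy) }}
        run: echo "$STRATEGY_CONTEXT"
      - name: Dump matrix context
        env:
          MATRIX_CONTEXT: ${{ toJSON(matrix) }}
        run: echo "$MATRIX_CONTEXT"
      - name: Dump environment variables
        run: set

  # Computes the version used by every later job. On master/main the tag
  # action bumps the version and pushes a tag; elsewhere the commit SHA is
  # used instead.
  version:
    runs-on: ubuntu-latest
    permissions:
      # Needed to push the new tag.
      contents: write
    outputs:
      new_version: ${{ steps.output.outputs.new_version }}
      # The release job reads `needs.version.outputs.changelog` for the
      # release body; without this declaration that expression is empty.
      changelog: ${{ steps.tag.outputs.changelog }}
    steps:
      # Presumably actions/checkout (it takes `fetch-depth`) - confirm.
      - uses: actions/[email protected]
        with:
          # fetch entire history to analyze commits since last tag
          fetch-depth: 0
      - name: Bump version and push tag
        id: tag
        if: ${{ github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main' }}
        uses: mathieudutour/[email protected]
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          release_branches: master,main
      - id: output
        env:
          NEW_VERSION: ${{ steps.tag.outputs.new_version }}
        # Falls back to the commit SHA when the tag step was skipped or
        # produced no version.
        run: |
          echo "new_version=${NEW_VERSION:-$GITHUB_SHA}" >> "$GITHUB_OUTPUT"
      - name: Make sure build did not change anything
        run: git diff --exit-code

  # Native macOS build; uploads the bare binary and the .app bundle.
  macos:
    runs-on: macos-latest
    needs: version
    # The build only needs to read the repository.
    permissions:
      contents: read
    env:
      REVISION: ${{ needs.version.outputs.new_version }}
    steps:
      - uses: actions/[email protected]
      # NOTE(review): `@master` is a mutable branch ref on a third-party
      # action that is handed GITHUB_TOKEN. Pin it to a full commit SHA
      # (`gluonhq/setup-graalvm@<full-commit-sha>`) so the code that runs
      # here cannot change without a change to this file.
      - uses: gluonhq/setup-graalvm@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Presumably actions/cache (path / key / restore-keys) - confirm.
      - uses: actions/[email protected]
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-
      - name: Build with Maven
        run: |
          set -o xtrace
          ./mvnw \
            --batch-mode \
            -Dsha1="${GITHUB_SHA}" \
            -Drevision="${REVISION}" \
            verify gluonfx:build gluonfx:package
      - name: Move artifacts
        run: |
          mkdir target/artifacts
          cp "target/gluonfx/x86_64-darwin/${ARTIFACT}" "target/artifacts/${ARTIFACT}-darwin-${REVISION}"
          mkdir -p "target/gluonfx/x86_64-darwin/${ARTIFACT}.app/Contents/Resources/bin"
          cp "./src/main/packaging/macos/gitfx.sh" "target/gluonfx/x86_64-darwin/${ARTIFACT}.app/Contents/Resources/bin"
          cp -r "target/gluonfx/x86_64-darwin/${ARTIFACT}.app" "target/artifacts/"
      # Presumably actions/upload-artifact (name / path) - confirm.
      - uses: actions/[email protected]
        with:
          name: ${{ env.ARTIFACT }}-${{ github.job }}-${{ needs.version.outputs.new_version }}
          path: target/artifacts
      - name: Make sure build did not change anything
        run: git diff --exit-code

  # Native Linux build.
  linux:
    runs-on: ubuntu-latest
    needs: version
    # The build only needs to read the repository.
    permissions:
      contents: read
    env:
      REVISION: ${{ needs.version.outputs.new_version }}
    steps:
      - uses: actions/[email protected]
      # NOTE(review): mutable `@master` ref; pin to a full commit SHA.
      - uses: gluonhq/setup-graalvm@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/[email protected]
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-
      - name: Install libraries
        # --yes: the runner has no terminal to answer a confirmation prompt.
        run: >-
          sudo apt-get update &&
          sudo apt-get install --yes
          libasound2-dev libavcodec-dev libavformat-dev libavutil-dev
          libgl-dev libgtk-3-dev libpango1.0-dev libxtst-dev
      - name: Build with Maven
        run: |
          set -o xtrace
          ./mvnw \
            --batch-mode \
            -Dsha1="${GITHUB_SHA}" \
            -Drevision="${REVISION}" \
            verify gluonfx:build gluonfx:package
      - name: Move artifacts
        run: |
          mkdir target/artifacts
          cp "target/gluonfx/x86_64-linux/${ARTIFACT}" "target/artifacts/${ARTIFACT}-linux-${REVISION}"
      - uses: actions/[email protected]
        with:
          name: ${{ env.ARTIFACT }}-${{ github.job }}-${{ needs.version.outputs.new_version }}
          path: target/artifacts
      - name: Make sure build did not change anything
        run: git diff --exit-code

  # Native Windows build.
  windows:
    runs-on: windows-latest
    needs: version
    # The build only needs to read the repository.
    permissions:
      contents: read
    env:
      REVISION: ${{ needs.version.outputs.new_version }}
    steps:
      - uses: actions/[email protected]
      # NOTE(review): mutable `@master` ref; pin to a full commit SHA.
      - uses: gluonhq/setup-graalvm@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - uses: microsoft/[email protected]
      # NOTE(review): `@v1` is a movable tag on a third-party action; a full
      # commit SHA is the only immutable reference.
      - uses: egor-tensin/vs-shell@v1
      - uses: actions/[email protected]
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-
      - name: Build with Maven
        run: |
          .\mvnw --batch-mode -Dsha1="$env:GITHUB_SHA" -Drevision="$env:REVISION" verify gluonfx:build gluonfx:package
      - name: Move artifacts
        run: |
          mkdir target/artifacts
          copy "target\gluonfx\x86_64-windows\$env:ARTIFACT.exe" "target\artifacts\$env:ARTIFACT-windows-$env:REVISION.exe"
      - uses: actions/[email protected]
        with:
          name: ${{ env.ARTIFACT }}-${{ github.job }}-${{ needs.version.outputs.new_version }}
          path: target/artifacts
      - name: Make sure build did not change anything
        run: git diff --exit-code

  # Collects the three build artifacts, zips them and attaches them to a
  # draft release; the final step publishes the release by id. Runs only for
  # master/main.
  release:
    if: ${{ github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main' }}
    runs-on: ubuntu-latest
    needs: [version, macos, linux, windows]
    permissions:
      # Needed to create the release and upload its assets.
      contents: write
    env:
      REVISION: ${{ needs.version.outputs.new_version }}
    steps:
      - uses: actions/[email protected]
      - name: Download all workflow run artifacts
        uses: actions/[email protected]
        with:
          path: ./target
      - name: Build project
        working-directory: target
        # The version reaches the script through $REVISION (and the artifact
        # name through the workflow-level $ARTIFACT) rather than through
        # `${{ }}` interpolation, which would paste the value into the script
        # text before the shell parses it. Quoting keeps each path one word;
        # the glob stays outside the quotes so it still expands.
        run: |
          chmod +x "${ARTIFACT}-macos-${REVISION}/${ARTIFACT}.app/Contents/MacOS/${ARTIFACT}"
          chmod +x "${ARTIFACT}-macos-${REVISION}/${ARTIFACT}.app/Contents/Resources/bin/"*
          zip -r windows.zip "${ARTIFACT}-windows-${REVISION}/"
          zip -r linux.zip "${ARTIFACT}-linux-${REVISION}/"
          zip -r macos.zip "${ARTIFACT}-macos-${REVISION}/"
      - name: Create Release
        id: create_release
        uses: ncipollo/[email protected]
        with:
          tag: v${{ needs.version.outputs.new_version }}
          name: Release ${{ needs.version.outputs.new_version }}
          body: ${{ needs.version.outputs.changelog }}
          draft: true
      - name: Upload Release Asset
        uses: shogo82148/[email protected]
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: ./target/linux.zip
          asset_name: ${{ env.ARTIFACT }}-linux-${{ needs.version.outputs.new_version }}.zip
          asset_content_type: application/zip
      - name: Upload Release Asset
        uses: shogo82148/[email protected]
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: ./target/${{ env.ARTIFACT }}-linux-${{ needs.version.outputs.new_version }}/${{ env.ARTIFACT }}-linux-${{ needs.version.outputs.new_version }}
          asset_name: ${{ env.ARTIFACT }}-linux
          asset_content_type: application/x-executable
      - name: Upload Release Asset
        uses: shogo82148/[email protected]
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: ./target/windows.zip
          asset_name: ${{ env.ARTIFACT }}-windows-${{ needs.version.outputs.new_version }}.zip
          asset_content_type: application/zip
      - name: Upload Release Asset
        uses: shogo82148/[email protected]
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: ./target/${{ env.ARTIFACT }}-windows-${{ needs.version.outputs.new_version }}/${{ env.ARTIFACT }}-windows-${{ needs.version.outputs.new_version }}.exe
          asset_name: ${{ env.ARTIFACT }}-windows.exe
          asset_content_type: application/vnd.microsoft.portable-executable
      - name: Upload Release Asset
        uses: shogo82148/[email protected]
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: ./target/macos.zip
          asset_name: ${{ env.ARTIFACT }}-macos-${{ needs.version.outputs.new_version }}.zip
          asset_content_type: application/zip
      - name: Upload Release Asset
        uses: shogo82148/[email protected]
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: ./target/${{ env.ARTIFACT }}-macos-${{ needs.version.outputs.new_version }}/${{ env.ARTIFACT }}-darwin-${{ needs.version.outputs.new_version }}
          asset_name: ${{ env.ARTIFACT }}-macos
          asset_content_type: application/octet-stream
      - uses: eregon/[email protected]
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          release_id: ${{ steps.create_release.outputs.id }}
      - name: Make sure build did not change anything
        run: git diff --exit-code

  # Publishes the Maven artifact to GitHub Packages on every push except
  # pushes to dependabot branches.
  deploy:
    needs: [version, macos, linux, windows]
    if: ${{ github.event_name == 'push' && !startsWith(github.ref, 'refs/heads/dependabot/') }}
    runs-on: ubuntu-latest
    permissions:
      # Declaring any scope sets every unlisted one to none, so the read
      # access the checkout step relies on is stated explicitly.
      contents: read
      packages: write
    steps:
      - uses: actions/[email protected]
      # Presumably actions/setup-java (java-version / distribution) - confirm.
      - uses: actions/[email protected]
        with:
          java-version: ${{ env.JAVA_VERSION }}
          distribution: temurin
          cache: 'maven'
      - name: Publish to GitHub Packages Apache Maven
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REVISION: ${{ needs.version.outputs.new_version }}
        run: |
          ./mvnw \
            --batch-mode \
            -Dsha1="${GITHUB_SHA}" \
            -Drevision="${REVISION}" \
            -DaltDeploymentRepository="github::default::https://maven.pkg.github.com/${GITHUB_REPOSITORY}" \
            deploy
      - name: Make sure build did not change anything
        run: git diff --exit-code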