chore: update buildless, add action (#45)

mfwgenerics · Dec 6, 2023 · aad9abd · aad9abd
1 parent c4b5a79
commit aad9abd
Show file tree

Hide file tree

Showing 22 changed files with 365 additions and 88 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    target-branch: "main"
+    schedule:
+      interval: "weekly"
+
+  # Maintain dependencies for Gradle
+  - package-ecosystem: "gradle"
+    directory: "/"
+    target-branch: "main"
+    schedule:
+      interval: "weekly"
diff --git a/.github/dependency-review-config.yml b/.github/dependency-review-config.yml
@@ -0,0 +1,3 @@
+license-check: true
+vulnerability-check: true
+allow-ghsas: []
diff --git a/.github/workflows/check.codeql.yml b/.github/workflows/check.codeql.yml
@@ -0,0 +1,89 @@
+name: "CodeQL"
+
+on:
+  workflow_dispatch:
+    secrets:
+      BUILDLESS_APIKEY:
+        description: "Buildless API Key"
+        required: true
+
+  workflow_call:
+    secrets:
+      BUILDLESS_APIKEY:
+        description: "Buildless API Key"
+        required: true
+
+  push:
+    branches:
+      - main
+
+  schedule:
+    - cron: "33 9 * * 0"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: CodeQL Analysis
+    continue-on-error: true
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            agent.less.build:443
+            cli.less.build:443
+            dl.less.build:443
+            edge.pkg.st:443
+            maven.pkg.st:443
+            github.com:443
+            global.less.build:443
+            gradle.pkg.st:443
+            jcenter.bintray.com:443
+            local.less.build:443
+            plugins-artifacts.gradle.org:443
+            plugins.gradle.org:443
+            repo.maven.apache.org:443
+            scans-in.gradle.com:443
+            api.github.com:443
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Configure JDK
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: 21
+      - name: Setup Buildless
+        uses: buildless/setup@v1.0.2
+        with:
+          agent: ${{ secrets.BUILDLESS_APIKEY != '' }}
+      - name: "Setup: Initialize CodeQL"
+        uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2
+        with:
+          languages: java
+      - name: "Build"
+        uses: gradle/gradle-build-action@v2.10.0
+        id: gradlebuild
+        continue-on-error: true
+        with:
+          cache-read-only: true
+          arguments: build -x test -x check
+          gradle-home-cache-includes: |
+            caches
+            notifications
+            jdks
+            wrapper
+      - name: "Analsis: CodeQL"
+        uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2
+        continue-on-error: true
+        with:
+          category: "/language:java"
diff --git a/.github/workflows/check.deps.yml b/.github/workflows/check.deps.yml
@@ -0,0 +1,34 @@
+name: "Dependency check"
+
+on:
+  workflow_dispatch: {}
+  workflow_call: {}
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-check:
+    name: Dependency check
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Check Dependencies
+        uses: actions/dependency-review-action@v3
+        continue-on-error: true
+        with:
+          config-file: "./.github/dependency-review-config.yml"
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -1,29 +1,89 @@
-name: Build and test
-on: [push, pull_request, workflow_dispatch]
-env:
-  GRADLE_CACHE_USERNAME: apikey
-  GRADLE_CACHE_PUSH: true
-  GRADLE_CACHE_LOCAL: false
-  GRADLE_CACHE_REMOTE: true
-  BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
+name: CI
+
+on:
+  merge_group: {}
+  workflow_dispatch:
+    inputs:
+      enableAgent:
+        type: boolean
+        description: "Buildless Agent"
+        default: false
+
+  push:
+    branches:
+      - main
+
+  pull_request: {}
+
 jobs:
   build:
     name: Build and test
     runs-on: ubuntu-latest
+    timeout-minutes: 10
+    services:
+      postgres:
+        image: postgres:13
+        env:
+          POSTGRES_PASSWORD: mysecretpassword
+        ports:
+          - 5432:5432
+      mysql:
+        image: mysql:8.0.31
+        env:
+          MYSQL_ROOT_PASSWORD: my-secret-pw
+        ports:
+          - 3306:3306
+
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            agent.less.build:443
+            cli.less.build:443
+            dl.less.build:443
+            edge.pkg.st:443
+            github.com:443
+            global.less.build:443
+            gradle.pkg.st:443
+            maven.pkg.st:443
+            jcenter.bintray.com:443
+            local.less.build:443
+            plugins-artifacts.gradle.org:443
+            plugins.gradle.org:443
+            repo.maven.apache.org:443
+            scans-in.gradle.com:443
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Configure JDK
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
-          java-version: 19
-      - name: Setup PostgreSQL
-        run: sudo postgres/setup.sh
-      - name: Setup MySQL
-        run: sudo mysql/setup.sh
-      - name: Setup Gradle
-        uses: gradle/gradle-build-action@v2
+          java-version: 21
+      - name: Setup Buildless
+        uses: buildless/setup@v1.0.2
+        with:
+          agent: ${{ secrets.BUILDLESS_APIKEY != '' }}
       - name: Gradle check
-        run: ./gradlew check --scan
+        uses: gradle/gradle-build-action@v2.10.0
+        with:
+          arguments: check --scan
+          cache-read-only: false
+          gradle-home-cache-cleanup: true
+          gradle-home-cache-includes: |
+            caches
+            notifications
+            jdks
+            wrapper
+  codeql-check:
+    name: Checks
+    uses: "./.github/workflows/check.codeql.yml"
+    secrets:
+      BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
 
+  dependency-check:
+    name: Checks
+    uses: "./.github/workflows/check.deps.yml"
+    secrets: inherit
diff --git a/.github/workflows/docusaurus.yml b/.github/workflows/docusaurus.yml
@@ -2,7 +2,8 @@ name: Deploy Docs
 on:
   push:
     branches: [main]
-    paths: docs/site/**
+    paths: 
+      - docs/site/**
 permissions:
   contents: read
   pages: write
@@ -17,21 +18,33 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Configure JDK
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
-          java-version: 19
-      - name: Build pages
-        run: ./gradlew :docs:docusaurusBuild
+          java-version: 21
+      - name: Setup Buildless
+        uses: buildless/setup@v1.0.2
+      - name: Gradle check
+        uses: gradle/gradle-build-action@v2.10.0
+        with:
+          arguments: :docs:docusaurusBuild
+          gradle-home-cache-cleanup: true
+          gradle-home-cache-includes: |
+            notifications
+            jdks
       - name: Setup Pages
-        uses: actions/configure-pages@v1
+        uses: actions/configure-pages@v4
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v1
+        uses: actions/upload-pages-artifact@v2
         with:
           path: docs/site/build
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v1
+        uses: actions/deploy-pages@v3
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,6 +5,14 @@ on:
     branches:
       - main
   workflow_dispatch: {}
+
+env:
+  REPOSITORY_ID: ${{ needs.staging_repository.outputs.repository_id }}
+  SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
+  SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
+  GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+  GPG_PRIVATE_PASSWORD: ${{ secrets.GPG_PRIVATE_PASSWORD }}
+
 jobs:
   staging_repository:
     runs-on: ubuntu-latest
@@ -25,25 +33,35 @@ jobs:
     name: Publish
     needs: staging_repository
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Configure JDK
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
-          java-version: 19
-      - name: Gradle publish
-        run: ./gradlew publish
-        env:
-          REPOSITORY_ID: ${{ needs.staging_repository.outputs.repository_id }}
-          SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
-          SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
-          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
-          GPG_PRIVATE_PASSWORD: ${{ secrets.GPG_PRIVATE_PASSWORD }}
+          java-version: 21
+      - name: Setup Buildless
+        uses: buildless/setup@v1.0.2
+        with:
+          agent: ${{ secrets.BUILDLESS_APIKEY != '' }}
+      - name: Gradle check
+        uses: gradle/gradle-build-action@v2.10.0
+        with:
+          arguments: publish --scan
+          dependency-graph: generate-and-submit
+          gradle-home-cache-includes: |
+            caches
+            notifications
+            jdks
+            wrapper
       - name: Release Sonatype Repo
         uses: nexus-actions/release-nexus-staging-repo@main
         with:
           username: ${{ secrets.SONATYPE_USERNAME }}
           password: ${{ secrets.SONATYPE_PASSWORD }}
           staging_repository_id: ${{ needs.staging_repository.outputs.repository_id }}
-          base_url: https://s01.oss.sonatype.org/service/local/
+          base_url: https://s01.oss.sonatype.org/service/local/
diff --git a/README.md b/README.md
@@ -33,4 +33,4 @@ This will serve documentation on `http://localhost:3000/koala` by default.
 
 # Contributing
 
-See [CONTRIBUTING.md](CONTRIBUTING.md)
+See [CONTRIBUTING.md](CONTRIBUTING.md)
diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts
@@ -3,10 +3,12 @@ plugins {
 }
 
 repositories {
+    maven("https://gradle.pkg.st")
+    maven("https://maven.pkg.st")
     gradlePluginPortal()
 }
 
 dependencies {
-    implementation("org.jetbrains.kotlin:kotlin-gradle-plugin:1.8.0")
+    implementation("org.jetbrains.kotlin:kotlin-gradle-plugin:1.9.21")
     implementation("com.palantir.gradle.gitversion:gradle-git-version:0.15.0")
-}
+}