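name: PR matrix (on demand)

# Manually triggered by commenting one of these slash commands on an
# open PR:
#   /run-all-jdks
#   /jdk-matrix
#   /test-all
# Runs the forward-compat matrix (JDK 21, 25) — JDK 17 already runs
# automatically on every PR open/sync via pull-request.yml.
#
# Important security note: workflows triggered by `issue_comment` always
# run from the *default branch's* version of the workflow file, not from
# the PR. So adding/changing this file on a feature branch has no effect
# until it lands on main.
#
# The flip side: the run executes in the base repository's context while
# the `verify` job checks out and builds the PR head, which may come from
# a fork. Everything that job executes is untrusted, so it gets a
# read-only token, no persisted git credentials and a read-only Gradle
# cache. Do not add `secrets.*` references to `verify`.
#
# NOTE(review): the actions below are referenced by mutable major-version
# tags. Pinning each `uses:` to a full commit SHA
# (`owner/action@<full-commit-sha>  # v4`) removes the dependency on the
# tag not being moved.
on:
  issue_comment:
    types: [created]

# Workflow default is read-only. Jobs that talk to the PR (guard, report)
# widen this for themselves; `verify`, which runs PR code, does not.
permissions:
  contents: read

# Multiple "run all versions" comments on the same PR cancel earlier runs.
# Workflow-level concurrency is evaluated for *every* issue_comment run,
# including ordinary comments whose jobs are all skipped. Comments without
# a trigger token therefore get a unique group (the run id) so they cannot
# cancel a matrix that is in progress. The token list must stay in sync
# with the `if:` on the guard job.
# NOTE(review): a trigger comment from a user without write access still
# joins the shared group before the guard rejects it.
concurrency:
  group: >-
    pr-on-demand-${{ github.event.issue.number }}-${{
    (contains(github.event.comment.body, '/run-all-jdks')
    || contains(github.event.comment.body, '/jdk-matrix')
    || contains(github.event.comment.body, '/test-all'))
    && 'trigger' || github.run_id }}
  cancel-in-progress: true

jobs:
  guard:
    name: Guard
    runs-on: ubuntu-latest
    # This job never checks out or runs PR code; it only calls the API.
    permissions:
      pull-requests: write  # to react to the trigger comment
    # Only fire on PR comments (not generic issue comments) that contain
    # one of the three accepted slash commands. `contains` is substring
    # match — false positives are possible but unlikely in practice given
    # the leading slash and hyphen-rich shape of these tokens.
    if: |
      github.event.issue.pull_request != null && (
        contains(github.event.comment.body, '/run-all-jdks') ||
        contains(github.event.comment.body, '/jdk-matrix') ||
        contains(github.event.comment.body, '/test-all')
      )
    outputs:
      head_sha: ${{ steps.pr.outputs.head_sha }}
    steps:
      # Reject comments from anyone without write access. Otherwise an
      # external user commenting on a fork PR could burn our CI minutes
      # and potentially exfiltrate secrets via a malicious build.
      # This step must stay first: a failed step skips the rest of the
      # job, and a failed guard skips `verify` through `needs`. An API
      # error is left uncaught on purpose so the check fails closed.
      - name: Verify commenter has write permission
        uses: actions/github-script@v7
        with:
          script: |
            const { data: perm } = await github.rest.repos.getCollaboratorPermissionLevel({
              owner: context.repo.owner,
              repo: context.repo.repo,
              username: context.payload.comment.user.login,
            });
            const allowed = ['write', 'maintain', 'admin'].includes(perm.permission);
            if (!allowed) {
              core.setFailed(
                `@${context.payload.comment.user.login} (${perm.permission}) ` +
                `cannot trigger CI; write access required.`
              );
              return;
            }

      # Visible feedback to the commenter that we picked up the trigger.
      - name: React 👀 to the trigger comment
        uses: actions/github-script@v7
        with:
          script: |
            await github.rest.reactions.createForIssueComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              comment_id: context.payload.comment.id,
              content: 'eyes',
            });

      # The issue_comment event payload doesn't include the PR's head SHA,
      # so look it up via the pulls API. We also confirm the PR is open;
      # firing on closed PRs is almost always a mistake.
      # The SHA is read when this step runs, not when the maintainer last
      # looked at the diff: a push in between is what gets built. The
      # report job names the tested commit so a mismatch is visible.
      - name: Resolve PR head SHA
        id: pr
        uses: actions/github-script@v7
        with:
          script: |
            const { data: pr } = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.payload.issue.number,
            });
            if (pr.state !== 'open') {
              core.setFailed(`PR #${pr.number} is ${pr.state}; refusing to run.`);
              return;
            }
            core.setOutput('head_sha', pr.head.sha);

  verify:
    name: Verify (JDK ${{ matrix.java }})
    needs: guard
    runs-on: ubuntu-latest
    # Runs untrusted PR code: keep the token read-only.
    permissions:
      contents: read
    strategy:
      # If JDK 21 fails, we still want to know whether 25 passes.
      fail-fast: false
      matrix:
        java: ['21', '25']
    steps:
      # Check out exactly the PR's HEAD commit, not the merge ref.
      # persist-credentials is off so the job token is not left in
      # .git/config where the build under test could read it.
      - name: Checkout PR head
        uses: actions/checkout@v4
        with:
          ref: ${{ needs.guard.outputs.head_sha }}
          persist-credentials: false

      # Order matters: JDK 17 must be last so JAVA_HOME=17 (Gradle 8.12
      # doesn't support JDK 24+ as its daemon runtime). The matrix JDK
      # is still installed and registered as a toolchain target.
      - name: Set up JDKs (test=${{ matrix.java }}, compile/daemon=17)
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: |
            ${{ matrix.java }}
            17

      # issue_comment runs are attributed to the default branch, so cache
      # entries saved here would be visible to workflows on main. The
      # build is untrusted, so it may read the cache but never write it.
      - name: Set up Gradle
        uses: gradle/actions/setup-gradle@v4
        with:
          cache-read-only: true

      # matrix.java comes from the static list above, never from the
      # event payload, so interpolating it into the command line is safe.
      - name: Test on JDK ${{ matrix.java }}
        run: ./gradlew test -PtestJdk=${{ matrix.java }} --stacktrace

      # Report contents are produced by the PR's build; treat downloaded
      # artifacts as untrusted files.
      - name: Upload test reports on failure
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: test-reports-jdk${{ matrix.java }}
          path: |
            build/reports/tests/
            build/test-results/
          retention-days: 14

  # Post a single comment summarizing the on-demand matrix result so it's
  # visible on the PR without diving into the Actions tab.
  report:
    name: Report
    # `needs.<job>` only exposes direct dependencies, so guard has to be
    # listed here for `needs.guard.result` / `.outputs` to be populated.
    needs: [guard, verify]
    # Run after a failed matrix too, but not when the run was cancelled
    # (for example superseded by a newer trigger comment): a cancelled
    # run has no verdict to report.
    if: ${{ !cancelled() && needs.guard.result == 'success' }}
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write  # to post the summary comment
    steps:
      - name: Comment outcome
        uses: actions/github-script@v7
        # Values reach the script through the environment instead of
        # being spliced into its source text.
        env:
          VERIFY_RESULT: ${{ needs.verify.result }}
          HEAD_SHA: ${{ needs.guard.outputs.head_sha }}
        with:
          script: |
            const ok = process.env.VERIFY_RESULT === 'success';
            const emoji = ok ? '✅' : '❌';
            const status = ok ? 'passed' : 'failed';
            const sha = process.env.HEAD_SHA;
            const runUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.payload.issue.number,
              body: `${emoji} On-demand JDK matrix \`{21, 25}\` ${status} for \`${sha}\`. [View run](${runUrl}).`,
            });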