-
Notifications
You must be signed in to change notification settings - Fork 71
330 lines (283 loc) · 13.2 KB
/
pr-build.yml
File metadata and controls
330 lines (283 loc) · 13.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
name: PR Build
on:
pull_request:
types:
- opened
- reopened
- synchronize
- labeled
- unlabeled
branches:
- main
- "release/v*"
env:
TEST_TAG: public.ecr.aws/aws-observability/adot-autoinstrumentation-java:test-v2
USER: ${{ github.event.pull_request.user.login }}
LABELS: ${{ toJSON(github.event.pull_request.labels.*.name) }}
jobs:
static-code-checks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
# This action wrapper by raven-actions provides cross-platform support and caching
# Catches the same issues as GitHub's web editor: syntax errors, type mismatches,
# undefined inputs/secrets, circular dependencies, and more
# Note: actionlint cannot validate composite actions - see https://github.com/rhysd/actionlint/issues/350
- name: Validate GitHub Actions workflows
if: always()
uses: raven-actions/actionlint@e01d1ea33dd6a5ed517d95b4c0c357560ac6f518 # v2.1.1
with:
files: .github/workflows/*.yml
# Temporarily ignore specific shellcheck codes while we systematically fix them
# SC2009: Consider using pgrep instead of grepping ps output
# SC2027: The surrounding quotes actually unquote this
# SC2046: Quote this to prevent word splitting
# SC2086: Double quote to prevent globbing and word splitting
# SC2129: Consider using { cmd1; cmd2; } >> file instead of individual redirects
# SC2162: read without -r will mangle backslashes
# SC2193: The arguments to this comparison can never be equal
# SC2206: Quote to prevent word splitting/globbing, or split robustly with mapfile or read -a
flags: |
-ignore SC2009
-ignore SC2027
-ignore SC2046
-ignore SC2086
-ignore SC2129
-ignore SC2162
-ignore SC2193
-ignore SC2206
- name: Check CHANGELOG
if: always()
run: |
# Check if PR is from workflows bot or dependabot
if [[ "${{ env.USER }}" == "aws-application-signals-bot" ]]; then
echo "Skipping check: PR from aws-application-signals-bot"
exit 0
fi
if [[ "${{ env.USER }}" == "dependabot[bot]" ]]; then
echo "Skipping check: PR from dependabot"
exit 0
fi
# Check for skip changelog label
if echo '${{ env.LABELS }}' | jq -r '.[]' | grep -q "skip changelog"; then
echo "Skipping check: skip changelog label found"
exit 0
fi
# Fetch base branch and check for CHANGELOG modifications
git fetch origin ${{ github.base_ref }}
if git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -q "CHANGELOG.md"; then
echo "CHANGELOG.md entry found - check passed"
exit 0
fi
echo "It looks like you didn't add an entry to CHANGELOG.md. If this change affects the SDK behavior, please update CHANGELOG.md and link this PR in your entry. If this PR does not need a CHANGELOG entry, you can add the 'Skip Changelog' label to this PR."
exit 1
- name: Check for versioned GitHub actions
if: always()
run: |
# Get changed GitHub workflow/action files
CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true)
if [ -n "$CHANGED_FILES" ]; then
# Check for any versioned actions, excluding comments and this validation script
VIOLATIONS=$(grep -Hn "uses:.*@v" $CHANGED_FILES | grep -v "grep.*uses:.*@v" | grep -v "#.*@v" || true)
if [ -n "$VIOLATIONS" ]; then
echo "Found versioned GitHub actions. Use commit SHAs instead:"
echo "$VIOLATIONS"
exit 1
fi
fi
echo "No versioned actions found in changed files"
- name: Check for github.event in run steps
if: always()
run: |
# Get changed GitHub workflow/action files
CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true)
if [ -n "$CHANGED_FILES" ]; then
VIOLATIONS=""
for file in $CHANGED_FILES; do
# Extract all 'run' step values excluding this validation step
RUN_STEPS=$(yq eval '.. | select(has("run") and has("name") and .name != "Check for github.event in run steps") | .run' "$file" 2>/dev/null || echo "")
if echo "$RUN_STEPS" | grep -q "github\.event\."; then
VIOLATIONS="$VIOLATIONS$file: Contains github.event.* in run step\n"
fi
done
if [ -n "$VIOLATIONS" ]; then
echo -e "Found github.event.* usage in run steps. This can lead to script injection vulnerabilities:"
echo -e "$VIOLATIONS"
exit 1
fi
fi
echo "No github.event.inputs usage found in run steps"
testpatch:
name: Test patches applied to dependencies
runs-on: aws-otel-java-instrumentation_ubuntu-latest_32-core
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
with:
java-version-file: .java-version
distribution: temurin
# vaadin 14 tests fail with node 18
- name: Set up Node
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version: 16
# vaadin tests use pnpm
- name: Cache pnpm modules
uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
with:
path: ~/.pnpm-store
key: ${{ runner.os }}-test-cache-pnpm-modules
- uses: gradle/actions/wrapper-validation@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
- uses: ./.github/actions/patch-dependencies
with:
run_tests: "true"
build:
name: Build on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
matrix:
os:
- macos-latest
- ubuntu-latest
- windows-latest
exclude:
# Skip windows on patch workflow because it is not possible to build opentelemetry-java on windows
# when the cache is in a different drive than the source code
# Windows is not working for patch workflows, therefore we disable it here
# https://github.com/square/wire/issues/2188
# https://github.com/open-telemetry/opentelemetry-java/issues/4560
- os: ${{ startsWith(github.event.pull_request.base.ref, 'release/v') && 'windows-latest' || '' }}
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
- uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
with:
java-version-file: .java-version
distribution: temurin
- uses: gradle/actions/wrapper-validation@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
# Cleanup directories before proceeding with setup
- name: Clean up old installations
if: ${{ matrix.os != 'windows-latest' }}
run: |
sudo rm -rf /usr/local/lib/android
sudo rm -rf /usr/share/dotnet
# cache local patch outputs
- name: Cache local Maven repository
uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 #v4.2.4
with:
path: |
~/.m2/repository/io/opentelemetry/
key: ${{ runner.os }}-maven-local-${{ hashFiles('.github/patches/opentelemetry-java*.patch') }}
- name: Publish patched dependencies to maven local
uses: ./.github/actions/patch-dependencies
if: ${{ matrix.os != 'windows-latest' }} # Skip patch on windows as it is not possible to build opentelemetry-java on windows
- name: Build with Gradle with Integration tests
uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70
if: ${{ matrix.os == 'ubuntu-latest' }}
with:
arguments: build integrationTests --stacktrace -PenableCoverage=true -PlocalDocker=true
- name: Build and Test UDP exporter
run: |
./gradlew build -p exporters/aws-distro-opentelemetry-xray-udp-span-exporter
- name: Set up Java version for tests
uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
with:
java-version: 23
distribution: temurin
- name: Pull base image of Contract Tests Sample Apps
if: ${{ matrix.os == 'ubuntu-latest' }}
run: docker pull public.ecr.aws/docker/library/amazoncorretto:23-alpine
- name: Run contract tests
uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 #v3.5.0
if: ${{ matrix.os == 'ubuntu-latest' }}
with:
arguments: contractTests -PlocalDocker=true -i
- name: Set up Java version for image build
uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
with:
java-version-file: .java-version
distribution: temurin
- name: Get current version
if: ${{ matrix.os == 'ubuntu-latest' }}
shell: bash
run: |
echo "ADOT_JAVA_VERSION=$(./gradlew printVersion -q )" >> $GITHUB_ENV
- name: Set up QEMU
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 #3.6.0
if: ${{ matrix.os == 'ubuntu-latest' }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1
with:
driver-opts: image=moby/buildkit:v0.15.1
if: ${{ matrix.os == 'ubuntu-latest' }}
- name: Build image for testing
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
if: ${{ matrix.os == 'ubuntu-latest' }}
with:
push: false
build-args: "ADOT_JAVA_VERSION=${{ env.ADOT_JAVA_VERSION }}"
context: .
platforms: linux/amd64
tags: ${{ env.TEST_TAG }}
load: true
- name: Perform image scan
uses: ./.github/actions/image_scan
if: ${{ matrix.os == 'ubuntu-latest' }}
with:
image-ref: ${{ env.TEST_TAG }}
severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
logout: 'true'
trivyignore-file: .github/trivy/pr-build.trivyignore.yaml
- name: Test docker image
if: ${{ matrix.os == 'ubuntu-latest' }}
shell: bash
run: .github/scripts/test-adot-javaagent-image.sh "${{ env.TEST_TAG }}" "${{ env.ADOT_JAVA_VERSION }}"
- name: Build with Gradle
uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 #v3.5.0
if: ${{ matrix.os != 'ubuntu-latest' && (hashFiles('.github/patches/opentelemetry-java*.patch') == '' || matrix.os != 'windows-latest' ) }} # build on windows as well unless a patch exists
with:
arguments: build --stacktrace -PenableCoverage=true
- uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 #v5.5.1
build-lambda:
runs-on: ubuntu-latest
steps:
- name: Checkout Repo @ SHA - ${{ github.sha }}
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
- name: Setup Java
uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
with:
java-version-file: .java-version
distribution: temurin
- name: Build layer
working-directory: lambda-layer
run: ./build-layer.sh
all-pr-checks-pass:
runs-on: ubuntu-latest
needs: [static-code-checks, testpatch, build, build-lambda]
if: always()
steps:
- name: Checkout to get workflow file
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
- name: Check all jobs succeeded and none missing
run: |
# Check if all needed jobs succeeded
results='${{ toJSON(needs) }}'
if echo "$results" | jq -r '.[] | .result' | grep -v success; then
echo "Some jobs failed"
exit 1
fi
# Extract all job names from workflow (excluding this gate job)
all_jobs=$(yq eval '.jobs | keys | .[]' .github/workflows/pr-build.yml | grep -v "all-pr-checks-pass" | sort)
# Extract job names from needs array
needed_jobs='${{ toJSON(needs) }}'
needs_list=$(echo "$needed_jobs" | jq -r 'keys[]' | sort)
# Check if any jobs are missing from needs
missing_jobs=$(comm -23 <(echo "$all_jobs") <(echo "$needs_list"))
if [ -n "$missing_jobs" ]; then
echo "ERROR: Jobs missing from needs array in all-pr-checks-pass:"
echo "$missing_jobs"
echo "Please add these jobs to the needs array of all-pr-checks-pass"
exit 1
fi
echo "All checks passed and no jobs missing from gate!"