diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml new file mode 100644 index 0000000000..da88764351 --- /dev/null +++ b/.github/workflows/build.yaml @@ -0,0 +1,52 @@ +name: Build and verify +on: + pull_request: + push: + branches: [ master ] +permissions: + contents: read +jobs: + build: + strategy: + matrix: + os: [ ubuntu-22.04 ] + jdk: [ 11.0.20, 17.0.8, 21.0.0 ] + distribution: [ temurin ] + experimental: [ false ] + include: + - os: macos-12 + jdk: 17.0.8 + distribution: temurin + experimental: false + - os: windows-2022 + jdk: 17.0.8 + distribution: temurin + experimental: false + runs-on: ${{ matrix.os }} + continue-on-error: ${{ matrix.experimental }} + steps: + # We run the build twice for each supported JDK: once against the + # original Error Prone release, using only Error Prone checks available + # on Maven Central, and once against the Picnic Error Prone fork, + # additionally enabling all checks defined in this project and any Error + # Prone checks available only from other artifact repositories. + - name: Check out code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - name: Set up JDK + uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 + with: + java-version: ${{ matrix.jdk }} + distribution: ${{ matrix.distribution }} + cache: maven + - name: Display build environment details + run: mvn --version + - name: Build project against vanilla Error Prone, compile Javadoc + run: mvn -T1C install javadoc:jar + - name: Build project with self-check against Error Prone fork + run: mvn -T1C clean verify -Perror-prone-fork -Pnon-maven-central -Pself-check -s settings.xml + - name: Remove installed project artifacts + run: mvn build-helper:remove-project-artifact + +# XXX: Enable Codecov once we "go public". diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..03ef52a5ad --- /dev/null 
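Review bot: The second Maven invocation (`mvn -T1C clean verify -Perror-prone-fork -Pnon-maven-central -Pself-check -s settings.xml`) deliberately resolves artifacts from repositories other than Maven Central, and nothing in the hunk makes a checksum mismatch fatal; Maven's default checksum policy only warns. Adding strict checksums to that line, `run: mvn -T1C -C clean verify -Perror-prone-fork -Pnon-maven-central -Pself-check -s settings.xml`, makes a corrupted or tampered download fail the build instead of being silently used; this verifies integrity against the repository's own checksum files, not authorship. `settings.xml` is not part of this diff, so whether those repositories are already declared with `https` URLs and `checksumPolicy: fail` cannot be confirmed here. The first build step would take the same `-C` flag for consistency.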
+++ b/.github/workflows/codeql.yml @@ -0,0 +1,44 @@ +# Analyzes the code using GitHub's default CodeQL query database. +# Identified issues are registered with GitHub's code scanning dashboard. When +# a pull request is analyzed, any offending lines are annotated. See +# https://codeql.github.com for details. +name: CodeQL analysis +on: + pull_request: + push: + branches: [ master ] + schedule: + - cron: '0 4 * * 1' +permissions: + contents: read +jobs: + analyze: + strategy: + matrix: + language: [ java, ruby ] + permissions: + contents: read + security-events: write + runs-on: ubuntu-22.04 + steps: + - name: Check out code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - name: Set up JDK + uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 + with: + java-version: 17.0.8 + distribution: temurin + cache: maven + - name: Initialize CodeQL + uses: github/codeql-action/init@2cb752a87e96af96708ab57187ab6372ee1973ab # v2.22.0 + with: + languages: ${{ matrix.language }} + - name: Perform minimal build + if: matrix.language == 'java' + run: mvn -T1C clean install -DskipTests -Dverification.skip + - name: Perform CodeQL analysis + uses: github/codeql-action/analyze@2cb752a87e96af96708ab57187ab6372ee1973ab # v2.22.0 + with: + category: /language:${{ matrix.language }} diff --git a/.github/workflows/deploy-website.yaml b/.github/workflows/deploy-website.yaml new file mode 100644 index 0000000000..ce5be120b7 --- /dev/null +++ b/.github/workflows/deploy-website.yaml 
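Review bot: The `Set up JDK` step runs for both matrix legs, including `ruby`, where neither a JDK nor the Maven cache is used; guarding it with `if: matrix.language == 'java'`, the same condition the build step already carries, keeps the ruby leg minimal. Separately, `init` is invoked without a `queries` input, so only the default suite runs, which matches the header comment; if broader coverage is wanted later, `queries: security-extended` under `with:` is the usual knob, at the cost of more findings to triage. Scoping `security-events: write` to the job and `persist-credentials: false` on checkout are the right shape.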
@@ -0,0 +1,51 @@ +name: Update `error-prone.picnic.tech` website content +on: + pull_request: + push: + branches: [ master, website ] +permissions: + contents: read +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} +jobs: + build: + runs-on: ubuntu-22.04 + steps: + - name: Check out code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - uses: ruby/setup-ruby@d37167af451eb51448db3354e1057b75c4b268f7 # v1.155.0 + with: + working-directory: ./website + bundler-cache: true + - name: Configure Github Pages + uses: actions/configure-pages@f156874f8191504dae5b037505266ed5dda6c382 # v3.0.6 + - name: Generate documentation + run: ./generate-docs.sh + - name: Build website with Jekyll + working-directory: ./website + run: bundle exec jekyll build + - name: Validate HTML output + working-directory: ./website + # XXX: Drop `--disable_external true` once we fully adopted the + # "Refaster rules" terminology on our website and in the code. + run: bundle exec htmlproofer --disable_external true --check-external-hash false ./_site + - name: Upload website as artifact + uses: actions/upload-pages-artifact@a753861a5debcf57bf8b404356158c8e1e33150c # v2.0.0 + with: + path: ./website/_site + deploy: + if: github.ref == 'refs/heads/website' + needs: build + permissions: + id-token: write + pages: write + runs-on: ubuntu-22.04 + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@9dbe3824824f8a1377b8e298bafde1a50ede43e5 # v2.0.4 diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml new file mode 100644 index 0000000000..65a96d597b --- /dev/null +++ b/.github/workflows/openssf-scorecard.yml 
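Review bot: The `deploy` job holds `id-token: write` and `pages: write` and is gated only by `if: github.ref == 'refs/heads/website'`, so the `github-pages` environment is the second line of defence; confirm that environment has a deployment-branch policy restricted to `website`, so an OIDC token cannot be minted from any other ref that reaches this job. A comment on the job would save the next reader the question: `# Only pushes to the website branch deploy; PR and master runs stop after the artifact upload.` The `concurrency` group has no `cancel-in-progress` setting, which is the right default for Pages (cancelling mid-deploy is unsafe), but writing `cancel-in-progress: false` explicitly documents the intent. The `--disable_external true` flag on htmlproofer is already marked `XXX`; note it also skips checking that external links resolve at all, not only the hash check.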
@@ -0,0 +1,36 @@ +# Analyzes the code base and GitHub project configuration for adherence to +# security best practices for open source software. Identified issues are +# registered with GitHub's code scanning dashboard. When a pull request is +# analyzed, any offending lines are annotated. See +# https://securityscorecards.dev for details. +name: OpenSSF Scorecard update +on: + pull_request: + push: + branches: [ master ] + schedule: + - cron: '0 4 * * 1' +permissions: + contents: read +jobs: + analyze: + permissions: + contents: read + security-events: write + id-token: write + runs-on: ubuntu-22.04 + steps: + - name: Check out code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - name: Run OpenSSF Scorecard analysis + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + publish_results: ${{ github.ref == 'refs/heads/master' }} + - name: Update GitHub's code scanning dashboard + uses: github/codeql-action/upload-sarif@2cb752a87e96af96708ab57187ab6372ee1973ab # v2.22.0 + with: + sarif_file: results.sarif diff --git a/.github/workflows/pitest-analyze-pr.yml b/.github/workflows/pitest-analyze-pr.yml new file mode 100644 index 0000000000..4ded8ed954 --- /dev/null +++ b/.github/workflows/pitest-analyze-pr.yml 
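Review bot: `id-token: write` is granted to the `analyze` job on every trigger, but it is only consumed when `publish_results` evaluates to true, i.e. on `master` pushes and the weekly schedule; on `pull_request` runs the job carries an OIDC-capable token it never uses. Because permissions cannot be conditioned on the event, the least-privilege shape is a separate job (or workflow) for `pull_request` with only `contents: read` and `security-events: write`, while this job keeps `id-token: write` and runs on `push` and `schedule` only; the header comment says PR annotation is intended, so the PR path should be kept rather than dropped. A comment beside `publish_results` would also help: `# Publishing sends results to the public OpenSSF Scorecard API; restricted to the default branch.`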
@@ -0,0 +1,38 @@ +# Performs mutation testing analysis on the files changed by a pull request and +# uploads the results. The associated PR is subsequently updated by the +# `pitest-update-pr.yml` workflow. See https://blog.pitest.org/oss-pitest-pr/ +# for details. +name: "Mutation testing" +on: + pull_request: +permissions: + contents: read +jobs: + analyze-pr: + runs-on: ubuntu-22.04 + steps: + - name: Check out code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 2 + persist-credentials: false + - name: Set up JDK + uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 + with: + java-version: 17.0.8 + distribution: temurin + cache: maven + - name: Run Pitest + # By running with features `+GIT(from[HEAD~1]), +gitci`, Pitest only + # analyzes lines changed in the associated pull request, as GitHub + # exposes the changes unique to the PR as a single commit on top of the + # target branch. See https://blog.pitest.org/pitest-pr-setup for + # details. + run: mvn test pitest:mutationCoverage -DargLine.xmx=2048m -Dverification.skip -Dfeatures="+GIT(from[HEAD~1]), +gitci" + - name: Aggregate Pitest reports + run: mvn pitest-git:aggregate -DkilledEmoji=":tada:" -DmutantEmoji=":zombie:" -DtrailingText="Mutation testing report by [Pitest](https://pitest.org/). Review any surviving mutants by inspecting the line comments under [_Files changed_](${{ github.event.number }}/files)." + - name: Upload Pitest reports as artifact + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: pitest-reports + path: ./target/pit-reports-ci diff --git a/.github/workflows/pitest-update-pr.yml b/.github/workflows/pitest-update-pr.yml new file mode 100644 index 0000000000..bc7b1ef632 --- /dev/null +++ b/.github/workflows/pitest-update-pr.yml 
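Review bot: The `pitest-reports` artifact uploaded at the end of this job is produced by building and testing the pull request's own code under `pull_request`, so its contents are controlled by the PR author, including fork PRs; the job itself is read-only, but the artifact name and path form a contract with the privileged `pitest-update-pr.yml` consumer and deserve a comment saying so. Suggested on the upload step: `# Consumed by pitest-update-pr.yml, which runs with pull-requests: write; treat the report contents as untrusted, PR-controlled input.` The `HEAD~1` reasoning in the Run Pitest comment relies on `actions/checkout` checking out the PR merge commit whose first parent is the base branch tip, as I understand the default `pull_request` checkout to work; `fetch-depth: 2` is exactly enough for that and is worth mentioning in the same comment. `${{ github.event.number }}` is interpolated straight into the `run:` script; it is numeric and so not injectable, but passing it through `env:` keeps the pattern safe if the expression is ever changed to a string field.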
@@ -0,0 +1,39 @@ +# Updates a pull request based on the corresponding mutation testing analysis +# performed by the `pitest-analyze-pr.yml` workflow. See +# https://blog.pitest.org/oss-pitest-pr/ for details. +name: "Mutation testing: post results" +on: + workflow_run: + workflows: ["Mutation testing"] + types: + - completed +permissions: + actions: read +jobs: + update-pr: + if: ${{ github.event.workflow_run.conclusion == 'success' }} + permissions: + actions: read + checks: write + contents: read + pull-requests: write + runs-on: ubuntu-22.04 + steps: + - name: Check out code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - name: Set up JDK + uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 + with: + java-version: 17.0.8 + distribution: temurin + cache: maven + - name: Download Pitest analysis artifact + uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # v2.28.0 + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + name: pitest-reports + path: ./target/pit-reports-ci + - name: Update PR + run: mvn -DrepoToken="${{ secrets.GITHUB_TOKEN }}" pitest-github:updatePR diff --git a/.github/workflows/run-integration-tests.yml b/.github/workflows/run-integration-tests.yml index e59ed57a77..a51bba2706 100644 --- a/.github/workflows/run-integration-tests.yml +++ b/.github/workflows/run-integration-tests.yml 
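Review bot: The `Download Pitest analysis artifact` step selects by `workflow:` and `name:` only, without `run_id: ${{ github.event.workflow_run.id }}`; if the download action then falls back to the most recent successful run of that workflow (its default, if memory serves), a report from a different pull request can be fetched and posted to the wrong PR by a job holding `pull-requests: write`. Adding `run_id: ${{ github.event.workflow_run.id }}` under `with:` pins the download to the triggering run. The artifact was built from untrusted PR code, so only the checked-out default-branch `pom.xml` and its plugins should decide what executes here; the `actions/checkout` without a `ref` already ensures that, and a comment on that step, `# Deliberately checks out the default branch, not the PR head: this job has write permissions.`, would stop someone from later adding `ref: ${{ github.event.workflow_run.head_sha }}`. Passing the token as `-DrepoToken="${{ secrets.GITHUB_TOKEN }}"` puts it on the Maven command line; an `env:` entry is preferable if the plugin can read one.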
@@ -9,24 +9,20 @@ name: "Integration tests" on: issue_comment: types: [ created ] - # XXX: Drop. - pull_request: permissions: contents: read jobs: run-integration-tests: name: On-demand integration test - # XXX: Enable. - #if: | - # github.event.issue.pull_request && contains(github.event.comment.body, '/integration-test') + if: | + github.event.issue.pull_request && contains(github.event.comment.body, '/integration-test') runs-on: ubuntu-22.04 steps: - name: Check out code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - # XXX: Enable. - #ref: refs/pull/${{ github.event.issue.number }}/head + ref: refs/pull/${{ github.event.issue.number }}/head - name: Set up JDK uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 with: diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml new file mode 100644 index 0000000000..feaedba873 --- /dev/null +++ b/.github/workflows/sonarcloud.yml 
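Review bot: The new `if:` condition gates on the comment body containing `/integration-test` and the issue being a PR, but not on who commented, so on a public repository any GitHub account can start this job against arbitrary PR code, which the next step then checks out via `ref: refs/pull/${{ github.event.issue.number }}/head`. Add an author check to the condition, e.g. `&& contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)`, so only maintainers can trigger a run. `contents: read` and `persist-credentials: false` limit the blast radius, but the steps after `Set up JDK` lie outside this hunk, so whether the job later exposes any secrets or write tokens to the checked-out PR code cannot be confirmed here. Note also that `refs/pull/N/head` is the PR head rather than the merge with the base branch, so the run does not reflect the merge result; that may be intentional but is worth a comment on the `ref:` line.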
@@ -0,0 +1,36 @@ +# Analyzes the code base using SonarCloud. See +# https://sonarcloud.io/project/overview?id=PicnicSupermarket_error-prone-support. +name: SonarCloud analysis +on: + pull_request: + push: + branches: [ master ] + schedule: + - cron: '0 4 * * 1' +permissions: + contents: read +jobs: + analyze: + permissions: + contents: read + runs-on: ubuntu-22.04 + steps: + - name: Check out code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + persist-credentials: false + - name: Set up JDK + uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 + with: + java-version: 17.0.8 + distribution: temurin + cache: maven + - name: Create missing `test` directory + # XXX: Drop this step in favour of actually having a test. + run: mkdir refaster-compiler/src/test + - name: Perform SonarCloud analysis + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + run: mvn -T1C jacoco:prepare-agent verify jacoco:report sonar:sonar -Dverification.skip -Dsonar.projectKey=PicnicSupermarket_error-prone-support
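Review bot: The analysis step exports `SONAR_TOKEN` into the environment of a `mvn ... verify` run triggered by `pull_request`, so tests and build plugins from the PR branch execute with the Sonar credential in their environment; for PRs from forks the secret is empty anyway and the step merely fails. The conventional guard is `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` on that step, which skips fork PRs cleanly and documents that only same-repository branches are analysed. The `mkdir refaster-compiler/src/test` workaround is already flagged with `XXX`; `mkdir -p` would keep the step from failing once the directory exists in the repository, and the `XXX` comment could say that the step must be removed at the same time a real test is added.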