From e0704c96ba7905b340fe074240b2c6bf08bbba5a Mon Sep 17 00:00:00 2001 From: Stephan Schroevers Date: Fri, 3 Jan 2025 16:57:02 +0100 Subject: [PATCH] WIP --- .github/workflows/build.yml | 10 ++- .github/workflows/codeql.yml | 52 ------------- .github/workflows/deploy-website.yml | 85 --------------------- .github/workflows/openssf-scorecard.yml | 53 ------------- .github/workflows/pitest-analyze-pr.yml | 44 ----------- .github/workflows/pitest-update-pr.yml | 46 ----------- .github/workflows/run-integration-tests.yml | 63 --------------- .github/workflows/sonarcloud.yml | 51 ------------- pom.xml | 2 +- settings.xml | 21 ++++- 10 files changed, 24 insertions(+), 403 deletions(-) delete mode 100644 .github/workflows/codeql.yml delete mode 100644 .github/workflows/deploy-website.yml delete mode 100644 .github/workflows/openssf-scorecard.yml delete mode 100644 .github/workflows/pitest-analyze-pr.yml delete mode 100644 .github/workflows/pitest-update-pr.yml delete mode 100644 .github/workflows/run-integration-tests.yml delete mode 100644 .github/workflows/sonarcloud.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9aca467a3b..e5bd38a414 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -2,7 +2,7 @@ name: Build and verify on: pull_request: push: - branches: [ master ] + branches: permissions: contents: read jobs: @@ -33,7 +33,9 @@ jobs: allowed-endpoints: > api.adoptium.net:443 github.com:443 + github-registry-files.githubusercontent.com:443 jitpack.io:443 + maven.pkg.github.com:443 objects.githubusercontent.com:443 repo.maven.apache.org:443 # We run the build twice for each supported JDK: once against the 
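Review bot: The new `branches:` under `push:` is left without a value, which YAML reads as null rather than as "all branches", so whether GitHub treats it as no filter or rejects the workflow is not something this hunk settles. If every branch should trigger the build, drop the `branches` key (leaving `push:` bare) or state the intent explicitly with `branches: [ '**' ]`. Given the `WIP` subject this looks like a temporary widening; a comment such as `# TODO(WIP): restore the master-only branch filter before merging` would keep it from landing by accident.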
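Review bot: The two hosts added to the Harden-Runner allowlist carry no explanation, and this list is the only egress policy for a job that will now hold a `GITHUB_TOKEN`, so each entry deserves a stated reason. A comment on the pair, e.g. `# GitHub Packages (Error Prone fork); artifact downloads redirect to github-registry-files.githubusercontent.com`, would make later pruning safe. I am inferring the redirect relationship from the host names; confirm it against the Maven download log before committing the comment.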
@@ -50,9 +52,9 @@ jobs: - name: Display build environment details run: mvn --version - name: Build project against vanilla Error Prone, compile Javadoc - run: mvn -T1C install javadoc:jar - - name: Build project with self-check against Error Prone fork - run: mvn -T1C clean verify -Perror-prone-fork -Pnon-maven-central -Pself-check -s settings.xml + run: mvn -T1C install javadoc:jar -P non-maven-central -s settings.xml + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Remove installed project artifacts run: mvn dependency:purge-local-repository -DmanualInclude='${project.groupId}' -DresolutionFuzziness=groupId diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index aff9cd0bb8..0000000000 --- a/.github/workflows/codeql.yml +++ /dev/null 
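Review bot: The `GITHUB_TOKEN` is now passed to the main build step while the workflow's top-level grant is only `contents: read`, which leaves the `packages` scope at `none`; reading from maven.pkg.github.com with this token normally requires `packages: read`, so expect a 401/403 unless the job declares it. Add it at job level rather than widening the top-level grant, e.g. `permissions:` / `contents: read` / `packages: read` on the build job. Because the workflow also runs on `pull_request`, the PR's own `pom.xml` and plugins execute with that token in their environment; it is read-only, job-scoped and Harden-Runner's egress block limits where it could go, but that is a reason never to move this trigger to `pull_request_target` and not to grant the token anything beyond `packages: read`. The removed self-check step also means `-Pself-check` and `-Perror-prone-fork` are no longer exercised in CI; if that is intended for the WIP, a one-line comment saying so would help.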
@@ -1,52 +0,0 @@ -# Analyzes the code using GitHub's default CodeQL query database. -# Identified issues are registered with GitHub's code scanning dashboard. When -# a pull request is analyzed, any offending lines are annotated. See -# https://codeql.github.com for details. -name: CodeQL analysis -on: - pull_request: - push: - branches: [ master ] - schedule: - - cron: '0 4 * * 1' -permissions: - contents: read -jobs: - analyze: - strategy: - matrix: - language: [ java, ruby ] - permissions: - contents: read - security-events: write - runs-on: ubuntu-24.04 - steps: - - name: Install Harden-Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.adoptium.net:443 - api.github.com:443 - github.com:443 - objects.githubusercontent.com:443 - repo.maven.apache.org:443 - uploads.github.com:443 - - name: Check out code and set up JDK and Maven - uses: s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1 # v1.18.0 - with: - java-version: 17.0.13 - java-distribution: temurin - maven-version: 3.9.9 - - name: Initialize CodeQL - uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 - with: - languages: ${{ matrix.language }} - - name: Perform minimal build - if: matrix.language == 'java' - run: mvn -T1C clean package -DskipTests -Dverification.skip - - name: Perform CodeQL analysis - uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 - with: - category: /language:${{ matrix.language }} diff --git a/.github/workflows/deploy-website.yml b/.github/workflows/deploy-website.yml deleted file mode 100644 index 42bdfc2942..0000000000 --- a/.github/workflows/deploy-website.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -name: Update `error-prone.picnic.tech` website content -on: - pull_request: - push: - branches: [ master, website ] -permissions: - contents: read -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} -jobs: - build: - runs-on: ubuntu-24.04 - steps: - - name: Install Harden-Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.adoptium.net:443 - api.github.com:443 - bestpractices.coreinfrastructure.org:443 - blog.picnic.nl:443 - errorprone.info:443 - github.com:443 - img.shields.io:443 - index.rubygems.org:443 - jitpack.io:443 - maven.apache.org:443 - objects.githubusercontent.com:443 - pitest.org:443 - repo.maven.apache.org:443 - rubygems.org:443 - search.maven.org:443 - securityscorecards.dev:443 - sonarcloud.io:443 - www.baeldung.com:443 - www.bestpractices.dev:443 - www.youtube.com:443 - youtrack.jetbrains.com:443 - - name: Check out code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - uses: ruby/setup-ruby@bfefad842bb982ff05b233bcbc1571d97a87e69f # v1.206.0 - with: - working-directory: ./website - bundler-cache: true - - name: Configure Github Pages - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0 - - name: Generate documentation - run: ./generate-docs.sh - - name: Build website with Jekyll - working-directory: ./website - run: bundle exec jekyll build - - name: Validate HTML output - working-directory: ./website - # XXX: Drop `--disable_external true` once we fully adopted the - # "Refaster rules" terminology on our website and in the code. 
- run: bundle exec htmlproofer --disable_external true --check-external-hash false ./_site - - name: Upload website as artifact - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 - with: - path: ./website/_site - deploy: - if: github.ref == 'refs/heads/website' - needs: build - permissions: - id-token: write - pages: write - runs-on: ubuntu-24.04 - environment: - name: github-pages - url: ${{ steps.deployment.outputs.page_url }} - steps: - - name: Install Harden-Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.github.com:443 - - name: Deploy to GitHub Pages - id: deployment - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml deleted file mode 100644 index 0dea645746..0000000000 --- a/.github/workflows/openssf-scorecard.yml +++ /dev/null 
@@ -1,53 +0,0 @@ -# Analyzes the code base and GitHub project configuration for adherence to -# security best practices for open source software. Identified issues are -# registered with GitHub's code scanning dashboard. When a pull request is -# analyzed, any offending lines are annotated. See -# https://securityscorecards.dev for details. -name: OpenSSF Scorecard update -on: - pull_request: - push: - branches: [ master ] - schedule: - - cron: '0 4 * * 1' -permissions: - contents: read -jobs: - analyze: - permissions: - contents: read - security-events: write - id-token: write - runs-on: ubuntu-24.04 - steps: - - name: Install Harden-Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.deps.dev:443 - api.github.com:443 - api.osv.dev:443 - api.scorecard.dev:443 - api.securityscorecards.dev:443 - github.com:443 - index.docker.io:443 - oss-fuzz-build-logs.storage.googleapis.com:443 - repo.maven.apache.org:443 - *.sigstore.dev:443 - www.bestpractices.dev:443 - - name: Check out code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - name: Run OpenSSF Scorecard analysis - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 - with: - results_file: results.sarif - results_format: sarif - publish_results: ${{ github.ref == 'refs/heads/master' }} - - name: Update GitHub's code scanning dashboard - uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 - with: - sarif_file: results.sarif diff --git a/.github/workflows/pitest-analyze-pr.yml b/.github/workflows/pitest-analyze-pr.yml deleted file mode 100644 index ded194c679..0000000000 --- a/.github/workflows/pitest-analyze-pr.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -# Performs mutation testing analysis on the files changed by a pull request and -# uploads the results. The associated PR is subsequently updated by the -# `pitest-update-pr.yml` workflow. See https://blog.pitest.org/oss-pitest-pr/ -# for details. -name: "Mutation testing" -on: - pull_request: -permissions: - contents: read -jobs: - analyze-pr: - runs-on: ubuntu-24.04 - steps: - - name: Install Harden-Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.adoptium.net:443 - github.com:443 - objects.githubusercontent.com:443 - repo.maven.apache.org:443 - - name: Check out code and set up JDK and Maven - uses: s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1 # v1.18.0 - with: - checkout-fetch-depth: 2 - java-version: 17.0.13 - java-distribution: temurin - maven-version: 3.9.9 - - name: Run Pitest - # By running with features `+GIT(from[HEAD~1]), +gitci`, Pitest only - # analyzes lines changed in the associated pull request, as GitHub - # exposes the changes unique to the PR as a single commit on top of the - # target branch. See https://blog.pitest.org/pitest-pr-setup for - # details. - run: mvn test pitest:mutationCoverage -DargLine.xmx=2048m -Dverification.skip -Dfeatures="+GIT(from[HEAD~1]), +gitci" - - name: Aggregate Pitest reports - run: mvn pitest-git:aggregate -DkilledEmoji=":tada:" -DmutantEmoji=":zombie:" -DtrailingText="Mutation testing report by [Pitest](https://pitest.org/). Review any surviving mutants by inspecting the line comments under [_Files changed_](${{ github.event.number }}/files)." - - name: Upload Pitest reports as artifact - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 - with: - name: pitest-reports - path: ./target/pit-reports-ci 
diff --git a/.github/workflows/pitest-update-pr.yml b/.github/workflows/pitest-update-pr.yml deleted file mode 100644 index f47369a901..0000000000 --- a/.github/workflows/pitest-update-pr.yml +++ /dev/null @@ -1,46 +0,0 @@ -# Updates a pull request based on the corresponding mutation testing analysis -# performed by the `pitest-analyze-pr.yml` workflow. See -# https://blog.pitest.org/oss-pitest-pr/ for details. -name: "Mutation testing: post results" -on: - workflow_run: - workflows: ["Mutation testing"] - types: - - completed -permissions: - actions: read -jobs: - update-pr: - if: ${{ github.event.workflow_run.conclusion == 'success' }} - permissions: - actions: read - checks: write - contents: read - pull-requests: write - runs-on: ubuntu-24.04 - steps: - - name: Install Harden-Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.adoptium.net:443 - api.github.com:443 - github.com:443 - objects.githubusercontent.com:443 - repo.maven.apache.org:443 - - name: Check out code and set up JDK and Maven - uses: s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1 # v1.18.0 - with: - java-version: 17.0.13 - java-distribution: temurin - maven-version: 3.9.9 - - name: Download Pitest analysis artifact - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 - with: - workflow: ${{ github.event.workflow_run.workflow_id }} - name: pitest-reports - path: ./target/pit-reports-ci - - name: Update PR - run: mvn -DrepoToken="${{ secrets.GITHUB_TOKEN }}" pitest-github:updatePR diff --git a/.github/workflows/run-integration-tests.yml b/.github/workflows/run-integration-tests.yml deleted file mode 100644 index d82fa7fe9e..0000000000 --- a/.github/workflows/run-integration-tests.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -# If requested by means of a pull request comment, runs integration tests -# against the project, using the code found on the pull request branch. -# XXX: Review whether then build matrix should also vary JDK or OS versions. -# XXX: Support `/integration-test [name...]` comment syntax to specify the -# subset of integration tests to run. -# See this example of a dynamic build matrix: -# https://docs.github.com/en/actions/learn-github-actions/expressions#example-returning-a-json-object -name: "Integration tests" -on: - issue_comment: - types: [ created ] -permissions: - contents: read -jobs: - run-integration-tests: - name: On-demand integration test - if: | - github.event.issue.pull_request && contains(github.event.comment.body, '/integration-test') - runs-on: ubuntu-24.04 - strategy: - matrix: - integration-test: [ "checkstyle", "metrics", "prometheus-java-client" ] - steps: - - name: Install Harden-Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - # XXX: After updating the validation build flags in - # `integration-tests/prometheus-java-client.sh`, review whether the - # Docker domains specified here can be dropped. 
- api.adoptium.net:443 - auth.docker.io:443 - checkstyle.org:443 - example.com:80 - github.com:443 - objects.githubusercontent.com:443 - oss.sonatype.org:443 - production.cloudflare.docker.com:443 - raw.githubusercontent.com:443 - registry-1.docker.io:443 - repo.maven.apache.org:443 - repository.sonatype.org:443 - - name: Check out code and set up JDK and Maven - uses: s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1 # v1.18.0 - with: - checkout-ref: "refs/pull/${{ github.event.issue.number }}/head" - java-version: 17.0.13 - java-distribution: temurin - maven-version: 3.9.9 - - name: Install project to local Maven repository - run: mvn -T1C install -DskipTests -Dverification.skip - - name: Run integration test - run: xvfb-run "./integration-tests/${{ matrix.integration-test }}.sh" "${{ runner.temp }}/artifacts" - - name: Upload artifacts on failure - if: ${{ failure() }} - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 - with: - name: "integration-test-${{ matrix.integration-test }}" - path: "${{ runner.temp }}/artifacts" - - name: Remove installed project artifacts - run: mvn dependency:purge-local-repository -DmanualInclude='${project.groupId}' -DresolutionFuzziness=groupId diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml deleted file mode 100644 index 90df58dfb9..0000000000 --- a/.github/workflows/sonarcloud.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -# Analyzes the code base using SonarCloud. See -# https://sonarcloud.io/project/overview?id=PicnicSupermarket_error-prone-support. -name: SonarCloud analysis -on: - pull_request: - push: - branches: [ master ] - schedule: - - cron: '0 4 * * 1' -permissions: - contents: read -jobs: - analyze: - # Analysis of code in forked repositories is skipped, as such workflow runs - # do not have access to the requisite secrets. - if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository - permissions: - contents: read - runs-on: ubuntu-24.04 - steps: - - name: Install Harden-Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - analysis-sensorcache-eu-central-1-prod.s3.amazonaws.com:443 - api.adoptium.net:443 - api.nuget.org:443 - ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443 - github.com:443 - objects.githubusercontent.com:443 - repo.maven.apache.org:443 - sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443 - *.sonarcloud.io:443 - sonarcloud.io:443 - - name: Check out code and set up JDK and Maven - uses: s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1 # v1.18.0 - with: - checkout-fetch-depth: 0 - java-version: 17.0.13 - java-distribution: temurin - maven-version: 3.9.9 - - name: Create missing `test` directory - # XXX: Drop this step in favour of actually having a test. - run: mkdir refaster-compiler/src/test - - name: Perform SonarCloud analysis - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - run: mvn -T1C jacoco:prepare-agent verify jacoco:report sonar:sonar -Dverification.skip -Dsonar.projectKey=PicnicSupermarket_error-prone-support diff --git a/pom.xml b/pom.xml index a1fc2e330f..384a0e8acd 100644 --- a/pom.xml +++ b/pom.xml 
@@ -211,7 +211,7 @@ 1.11.0 ${version.error-prone-orig} v${version.error-prone-orig}-picnic-1 - 2.36.0 + 0.0.1-test-1 0.1.28 1.0 17 diff --git a/settings.xml b/settings.xml index dc0a082218..a1f48f1cd8 100644 --- a/settings.xml +++ b/settings.xml @@ -5,13 +5,13 @@ + Prone. This fork is hosted using GitHub Packages. See + https://github.com/PicnicSupermarket/error-prone/packages/. --> error-prone-fork - jitpack.io - https://jitpack.io + error-prone-fork + https://maven.pkg.github.com/PicnicSupermarket/error-prone @@ -19,8 +19,13 @@ + non-maven-central + + error-prone-fork + https://maven.pkg.github.com/PicnicSupermarket/error-prone + jitpack.io https://jitpack.io @@ -29,4 +34,12 @@ + + + error-prone-fork + + ${env.GITHUB_TOKEN} + + +
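Review bot: The `non-maven-central` profile now declares the GitHub Packages repository ahead of `jitpack.io`, and Maven consults every declared repository for any artifact it cannot otherwise resolve, not just for the fork. Since jitpack builds artifacts from arbitrary git refs on demand, a mistyped or missing coordinate can be satisfied by a jitpack-built artifact without anyone noticing. A comment stating which artifacts each repository is expected to serve, e.g. `<!-- maven.pkg.github.com: the Error Prone fork only; jitpack.io: <list the remaining artifacts> -->`, makes that intended scope reviewable.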
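Review bot: The new `<server>` entry for `error-prone-fork` relies on `${env.GITHUB_TOKEN}`, and Maven does not fail when that variable is unset; it sends the literal text `${env.GITHUB_TOKEN}` as the credential, turning a missing token into a confusing 401 from GitHub Packages instead of a clear local error. A comment on the entry, e.g. `<!-- Requires GITHUB_TOKEN (packages:read) in the environment; an unset variable is sent literally and fails remotely. -->`, documents the contract for anyone running `-P non-maven-central -s settings.xml` locally. The entry appears to carry only the token, whereas GitHub's documented Maven setup for maven.pkg.github.com also includes a `<username>` element; if it was dropped by this rendering disregard, otherwise add one. Maven matches server credentials by repository id, so any `<repository>` declared elsewhere (for example in `pom.xml`) with the id `error-prone-fork` would also receive this token; keep that id bound to the maven.pkg.github.com URL in this file only.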