Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[ISSUE #4720] Modernize CI license check and Enable Dependabot #4827

Merged
merged 59 commits into from
May 17, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
59 commits
Select commit Hold shift + click to select a range
9682c61
Sync changes in https://github.com/apache/eventmesh/pull/4719
Pil0tXia Apr 11, 2024
4100a72
minor change
Pil0tXia Apr 11, 2024
335c80c
Only keep the artifact name
Pil0tXia Apr 11, 2024
bac8c92
Run `sed -i 's/-[0-9].*\.jar//g'`
Pil0tXia Apr 11, 2024
b1bba8b
Run `sort known-dependencies.txt | uniq > known-dependencies-unique.txt`
Pil0tXia Apr 11, 2024
d51c5be
Allow CI to run on branches with namespace in the branch name in fork…
Pil0tXia Apr 11, 2024
f4b938a
Correct typo and remove useless command
Pil0tXia Apr 11, 2024
9694f41
Use `sort -u -o` instead of `uniq` to remove duplicate artifacts with…
Pil0tXia Apr 11, 2024
62b6fff
Enlarge open-pull-requests-limit
Pil0tXia Apr 11, 2024
9143ee3
minor: polish tips
Pil0tXia Apr 14, 2024
4e79cfa
Test apache/skywalking-eyes/dependency CI result
Pil0tXia Apr 15, 2024
d69be55
Fix 'unable to find version `0.6.0`'
Pil0tXia Apr 15, 2024
82a0f6b
See debug log to prove it works
Pil0tXia Apr 15, 2024
3e73b4c
skywalking-eyes/dependency doesn't support gradle, test basic actions…
Pil0tXia Apr 15, 2024
7938772
Add all denied licenses
Pil0tXia Apr 15, 2024
67428e6
Remove redundant check
Pil0tXia Apr 15, 2024
2e48a53
Remove not included SPDX: ASL, RSAL
Pil0tXia Apr 15, 2024
bb9acc8
Add a useful printAllDependencyTrees task
Pil0tXia Apr 15, 2024
e83b6a8
Exampt safe artifact under multiple licenses
Pil0tXia Apr 15, 2024
ce7d632
Exempt more safe artifacts (Looks like the last of them)
Pil0tXia Apr 15, 2024
45ca6d6
'allow-dependencies-licenses' attribute only supports single-line text
Pil0tXia Apr 15, 2024
194ab58
Add a TODO comment
Pil0tXia Apr 16, 2024
2daf146
Add more file extensions for checkstyle
Pil0tXia Apr 16, 2024
2e733d4
Resolve some checkstyle header violations
Pil0tXia Apr 16, 2024
97bb5c6
Merge branch 'master' into pil0txia/action_4720
Pil0tXia Apr 16, 2024
6d4fa75
Add back apache/skywalking-eyes
Pil0tXia Apr 16, 2024
047450f
Fix downloaded file didn't have a `.`
Pil0tXia Apr 16, 2024
f235a01
Disable Go deps update & Must pass CI before merge
Pil0tXia Apr 17, 2024
fb23917
No need to force up-to-date & Auto-approve only
Pil0tXia Apr 18, 2024
87dc5a9
Remove the slash at the end of the homepage url in Repo GitHub desc
Pil0tXia Apr 18, 2024
f666bb8
Skip patch updates temporarily to reduce PR noise
Pil0tXia Apr 18, 2024
3f62976
Merge branch 'master' into pil0txia/action_4720
Pil0tXia Apr 18, 2024
0261ef6
Logback removed after https://github.com/apache/eventmesh/pull/4831/c…
Pil0tXia Apr 18, 2024
4893cea
Merge branch 'master' into pil0txia/action_4720
Pil0tXia Apr 22, 2024
b0b657b
Accept patch update
Pil0tXia Apr 22, 2024
9f91fa4
Submit dependency graph
Pil0tXia Apr 23, 2024
d4bc876
Follow https://github.com/gradle/actions/blob/main/docs/dependency-su…
Pil0tXia Apr 23, 2024
183a1af
try to sort dependency graph workflow exec seq
Pil0tXia Apr 23, 2024
5c0c070
`workflow_run` event will only trigger a workflow run if the workflo…
Pil0tXia Apr 23, 2024
2f7c34a
Grant required permission of CodeQL
Pil0tXia Apr 23, 2024
df3532d
Attempt to fix 'No dependency graph files found to submit'
Pil0tXia Apr 23, 2024
c5820c4
Attempt to fix 'No dependency graph files found to submit' try 2
Pil0tXia Apr 23, 2024
d4c21d4
Attempt to fix 'No dependency graph files found to submit' try 3
Pil0tXia Apr 23, 2024
b2ff90e
Attempt to fix 'No dependency graph files found to submit' try 4
Pil0tXia Apr 23, 2024
c75cb66
Try to check dependency-review
Pil0tXia Apr 24, 2024
95ab20d
Only check bundled dependencies
Pil0tXia Apr 24, 2024
96f39e1
Fix 'No snapshots were found for the head SHA' attempt 1
Pil0tXia Apr 24, 2024
3de89a5
Test runtimeClasspath dependencies
Pil0tXia Apr 24, 2024
18751cc
Revert "Test runtimeClasspath dependencies"
Pil0tXia Apr 24, 2024
14e449f
Try to retry 1 hr wo wait for snapshot update
Pil0tXia Apr 24, 2024
b96139c
Test https://github.com/gradle/actions/issues/196#issuecomment-207436…
Pil0tXia Apr 24, 2024
66ea158
Add todo comments
Pil0tXia Apr 24, 2024
6593458
Keep implementation and compileOnly for now
Pil0tXia Apr 24, 2024
a37e0e1
Keep runtimeOnly deps
Pil0tXia Apr 25, 2024
286f9c5
Merge branch 'master' into pil0txia/action_4720
Pil0tXia Apr 25, 2024
ace11a2
[Breaking Change] Remove dependency-review-action and wait for its bu…
Pil0tXia Apr 25, 2024
51e6d6f
Add checkDeniedLicense into CI
Pil0tXia Apr 25, 2024
75f1ba7
minor code optimization
Pil0tXia Apr 25, 2024
7a87a69
Merge branch 'master' into pil0txia/action_4720
Pil0tXia May 8, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion .asf.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,11 @@ github:
protected_branches:
master:
required_status_checks:
strict: true
strict: false
contexts:
- dependency-review
- Build (ubuntu-latest, 8, java)
- Build (ubuntu-latest, 11, java)
required_pull_request_reviews:
dismiss_stale_reviews: true
required_approving_review_count: 2
Expand Down
42 changes: 26 additions & 16 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -1,29 +1,39 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

version: 2
updates:
- package-ecosystem: "gradle"
directory: "/"
open-pull-requests-limit: 20
open-pull-requests-limit: 15
schedule:
interval: "weekly"
ignore:
- dependency-name: "*"
update-types: ["version-update:semver-major"]
update-types: [ "version-update:semver-major" ]
- package-ecosystem: "gomod"
directory: "eventmesh-sdks/eventmesh-sdk-go"
schedule:
interval: "monthly"
ignore:
- dependency-name: "*"
# Disabled temporarily since the Go SDK is not integrated with CI
update-types: [ "version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch" ]
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "monthly"
42 changes: 42 additions & 0 deletions .github/workflows/auto-dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

name: Dependabot Auto-approve
on: pull_request_target

permissions:
contents: write
pull-requests: write

jobs:
# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
# Pull request Auto merge is not enabled for this repository
dependabot:
runs-on: ubuntu-latest
if: github.actor == 'dependabot[bot]'
steps:
- name: Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@v2
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"

- name: Approve PR
run: gh pr review --approve "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
61 changes: 21 additions & 40 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
@@ -1,29 +1,29 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

name: "Continuous Integration"

on:
push:
branches: [ '*' ]
branches:
- '**'
- '!dependabot/**'
pull_request:
branches: [ '*' ]
branches: [ '**' ]

jobs:
build:
Expand All @@ -33,12 +33,12 @@ jobs:
matrix:
os: [ ubuntu-latest, macOS-latest ]
java: [ 8, 11 ]
language: ['java']
language: [ 'java' ]
runs-on: ${{ matrix.os }}

steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@v4

- if: matrix.language == 'cpp' || matrix.language == 'csharp'
name: Build C
Expand All @@ -48,10 +48,10 @@ jobs:
make -C ./eventmesh-sdks/eventmesh-sdk-c

- name: Setup Gradle
uses: gradle/gradle-build-action@v2
uses: gradle/actions/setup-gradle@v3

- name: Set up JDK 11
uses: actions/setup-java@v3
uses: actions/setup-java@v4
with:
distribution: 'zulu'
java-version: 11
Expand All @@ -62,7 +62,7 @@ jobs:
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }}

- name: Set up JDK ${{ matrix.java }}
uses: actions/setup-java@v3
uses: actions/setup-java@v4
with:
distribution: 'zulu'
java-version: ${{ matrix.java }}
Expand All @@ -80,22 +80,3 @@ jobs:

- name: Upload coverage report to codecov.io
run: bash <(curl -s https://codecov.io/bash) || echo 'Failed to upload coverage report!'

license-check:
name: License Check
runs-on: ubuntu-latest

steps:
- name: Checkout repository
uses: actions/checkout@v3

- name: Check license header
uses: apache/skywalking-eyes@main
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Check third party dependencies
run: |
./gradlew clean dist -x spotlessJava -x test -x checkstyleMain -x javaDoc && ./gradlew installPlugin && ./gradlew tar && sh tools/dependency-check/check-dependencies.sh && echo "Thirty party dependencies check success"
env:
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }}
74 changes: 74 additions & 0 deletions .github/workflows/code-scanning.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

name: 'Code Scanning'

on:
push:
branches:
- '**'
- '!dependabot/**'
pull_request:
branches: [ '**' ]

permissions:
security-events: write
contents: read

jobs:
build:
name: Analyze
strategy:
fail-fast: false
matrix:
language: [ 'java', 'go' ]
runs-on: ubuntu-latest

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
languages: ${{ matrix.language }}

- name: Set up JDK 11
if: matrix.language == 'java'
uses: actions/setup-java@v4
with:
distribution: 'zulu'
java-version: 11

- name: Setup Gradle
if: matrix.language == 'java'
uses: gradle/actions/setup-gradle@v3
with:
cache-disabled: true

- name: Build
if: matrix.language == 'java'
run: ./gradlew clean assemble compileTestJava --parallel --daemon
env:
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }}

- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@v3
69 changes: 0 additions & 69 deletions .github/workflows/codeql.yml

This file was deleted.

Loading
Loading