CI #455

Workflow file for this run

.github/workflows/ci.yml at 582084b

	name: CI

	on:
	push:
	branches:
	- main
	- stable/*
	- release-*
	- trying
	- staging
	pull_request: { }
	merge_group: { }
	workflow_dispatch: { }
	workflow_call: { }

	defaults:
	run:
	# use bash shell by default to ensure pipefail behavior is the default
	# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
	shell: bash

	env:
	DOCKER_PLATFORMS: "linux/amd64,linux/arm64"

	jobs:
	integration-tests:
	name: "[IT] ${{ matrix.name }}"
	timeout-minutes: 20
	runs-on: [ self-hosted, linux, amd64, "16" ]
	strategy:
	fail-fast: false
	matrix:
	group: [ modules, qa-integration, qa-update ]
	include:
	- group: modules
	name: "Module Integration Tests"
	maven-modules: "'!zeebe/qa/integration-tests,!zeebe/qa/update-tests'"
	maven-build-threads: 2
	maven-test-fork-count: 7
	tcc-enabled: 'false'
	tcc-concurrency: 1
	- group: qa-integration
	name: "QA Integration Tests"
	maven-modules: "zeebe/qa/integration-tests"
	maven-build-threads: 1
	maven-test-fork-count: 10
	tcc-enabled: ${{ vars.TCC_ENABLED }}
	tcc-concurrency: 1
	- group: qa-update
	name: "QA Update Tests"
	maven-modules: "zeebe/qa/update-tests"
	maven-build-threads: 1
	maven-test-fork-count: 10
	tcc-enabled: ${{ vars.TCC_ENABLED }}
	tcc-concurrency: 2
	env:
	ZEEBE_TEST_DOCKER_IMAGE: localhost:5000/camunda/zeebe:current-test
	services:
	registry:
	image: registry:2
	ports:
	- 5000:5000
	steps:
	- uses: actions/checkout@v4
	- uses: ./.github/actions/setup-zeebe
	with:
	maven-cache-key-modifier: it-${{ matrix.group }}
	secret_vault_secretId: ${{ secrets.VAULT_SECRET_ID }}
	secret_vault_address: ${{ secrets.VAULT_ADDR }}
	secret_vault_roleId: ${{ secrets.VAULT_ROLE_ID }}
	- uses: ./.github/actions/build-zeebe
	id: build-zeebe
	with:
	maven-extra-args: -T1C
	- uses: ./.github/actions/build-docker
	with:
	repository: localhost:5000/camunda/zeebe
	version: current-test
	push: true
	distball: ${{ steps.build-zeebe.outputs.distball }}
	- name: Setup TCC
	if: ${{ matrix.tcc-enabled == 'true' }}
	uses: atomicjar/testcontainers-cloud-setup-action@v1
	env:
	TC_CLOUD_LOGS_VERBOSE: true
	TC_CLOUD_CONCURRENCY: ${{ matrix.tcc-concurrency }}
	with:
	token: ${{ secrets.TC_CLOUD_TOKEN }}
	logfile: .testcontainers-agent.log
	wait: true
	args: >
	--private-registry-url=http://localhost:5000
	--private-registry-allowed-image-name-globs=camunda/zeebe
	- name: Create build output log file
	run: echo "BUILD_OUTPUT_FILE_PATH=$(mktemp)" >> $GITHUB_ENV
	- name: Maven Test Build
	run: >
	./mvnw -B -T ${{ matrix.maven-build-threads }} --no-snapshot-updates
	-D forkCount=${{ matrix.maven-test-fork-count }}
	-D maven.javadoc.skip=true
	-D skipUTs -D skipChecks
	-D failsafe.rerunFailingTestsCount=3 -D flaky.test.reportDir=failsafe-reports
	-P parallel-tests,extract-flaky-tests
	-pl ${{ matrix.maven-modules }}
	verify
	\| tee "${BUILD_OUTPUT_FILE_PATH}"
	- name: Terminate TCC
	if: ${{ matrix.tcc-enabled == 'true'}}
	uses: atomicjar/testcontainers-cloud-setup-action@v1
	with:
	action: terminate
	- name: Analyze Test Runs
	if: always()
	uses: ./.github/actions/analyze-test-runs
	with:
	buildOutputFilePath: ${{ env.BUILD_OUTPUT_FILE_PATH }}
	- name: Upload test artifacts
	uses: ./.github/actions/collect-test-artifacts
	if: ${{ failure() \|\| cancelled() }}
	with:
	name: "[IT] ${{ matrix.name }}"
	unit-tests:
	name: Unit tests
	runs-on: [ self-hosted, linux, amd64, "16" ]
	timeout-minutes: 30
	steps:
	- uses: actions/checkout@v4
	- name: Install and allow strace tests
	run: \|
	sudo apt-get -qq update && sudo apt-get install -y strace
	sudo sysctl -w kernel.yama.ptrace_scope=0
	- uses: ./.github/actions/setup-zeebe
	with:
	go: false
	secret_vault_secretId: ${{ secrets.VAULT_SECRET_ID }}
	secret_vault_address: ${{ secrets.VAULT_ADDR }}
	secret_vault_roleId: ${{ secrets.VAULT_ROLE_ID }}
	- uses: ./.github/actions/build-zeebe
	with:
	go: false
	maven-extra-args: -T1C
	- name: Create build output log file
	run: echo "BUILD_OUTPUT_FILE_PATH=$(mktemp)" >> $GITHUB_ENV
	- name: Maven Test Build
	# we use the verify goal here as flaky test extraction is bound to the post-integration-test
	# phase of Maven https://maven.apache.org/guides/introduction/introduction-to-the-lifecycle.html#default-lifecycle
	run: >
	./mvnw -T2 -B --no-snapshot-updates
	-D skipITs -D skipChecks -D surefire.rerunFailingTestsCount=3
	-D junitThreadCount=16
	-P skip-random-tests,parallel-tests,extract-flaky-tests
	verify
	\| tee "${BUILD_OUTPUT_FILE_PATH}"
	- name: Normalize artifact name
	run: echo "ARTIFACT_NAME=$(echo ${{ matrix.project }} \| sed 's/\//-/g')" >> $GITHUB_ENV
	- name: Analyze Test Runs
	if: always()
	uses: ./.github/actions/analyze-test-runs
	with:
	buildOutputFilePath: ${{ env.BUILD_OUTPUT_FILE_PATH }}
	- name: Upload test artifacts
	uses: ./.github/actions/collect-test-artifacts
	if: ${{ failure() \|\| cancelled() }}
	with:
	name: "unit tests"
	smoke-tests:
	name: "[Smoke] ${{ matrix.os }} with ${{ matrix.arch }}"
	timeout-minutes: 20
	runs-on: ${{ matrix.runner }}
	strategy:
	fail-fast: false
	matrix:
	os: [ macos, windows, linux ]
	arch: [ amd64 ]
	include:
	- os: macos
	runner: macos-latest
	- os: windows
	runner: windows-latest
	- os: linux
	runner: [ self-hosted, linux, amd64 ]
	- os: linux
	runner: "aws-arm-core-4-default"
	arch: arm64
	steps:
	- uses: actions/checkout@v4
	- uses: ./.github/actions/setup-zeebe
	with:
	go: false
	secret_vault_secretId: ${{ secrets.VAULT_SECRET_ID }}
	secret_vault_address: ${{ secrets.VAULT_ADDR }}
	secret_vault_roleId: ${{ secrets.VAULT_ROLE_ID }}
	docker: ${{ matrix.os != 'macos' && matrix.os != 'windows' }}
	- uses: ./.github/actions/build-zeebe
	id: build-zeebe
	with:
	go: false
	maven-extra-args: -T1C
	- uses: ./.github/actions/build-docker
	id: build-docker
	# Currently only Linux runners support building docker images without further ado
	if: ${{ runner.os == 'Linux' }}
	with:
	version: current-test
	distball: ${{ steps.build-zeebe.outputs.distball }}
	platforms: linux/${{ matrix.arch }}
	push: false
	- name: Run smoke test on ${{ matrix.arch }}
	env:
	# For non Linux runners there is no container available for testing, see build-docker job
	EXCLUDED_TEST_GROUPS: ${{ runner.os != 'Linux' && 'container' }}
	run: >
	./mvnw -B --no-snapshot-updates
	-DskipUTs -DskipChecks -Dsurefire.rerunFailingTestsCount=3
	-pl zeebe/qa/integration-tests
	-P smoke-test,extract-flaky-tests
	-D excludedGroups=$EXCLUDED_TEST_GROUPS
	verify
	- name: Upload test artifacts
	uses: ./.github/actions/collect-test-artifacts
	if: ${{ failure() \|\| cancelled() }}
	with:
	name: "[Smoke] ${{ matrix.os }} with ${{ matrix.arch }}"
	property-tests:
	name: Property Tests
	runs-on: [ self-hosted, linux, amd64, "16" ]
	timeout-minutes: 30
	steps:
	- uses: actions/checkout@v4
	- uses: ./.github/actions/setup-zeebe
	with:
	go: false
	secret_vault_secretId: ${{ secrets.VAULT_SECRET_ID }}
	secret_vault_address: ${{ secrets.VAULT_ADDR }}
	secret_vault_roleId: ${{ secrets.VAULT_ROLE_ID }}
	- uses: ./.github/actions/build-zeebe
	with:
	go: false
	maven-extra-args: -T1C
	- name: Create build output log file
	run: echo "BUILD_OUTPUT_FILE_PATH=$(mktemp)" >> $GITHUB_ENV
	- name: Maven Test Build
	run: >
	./mvnw -T1C -B --no-snapshot-updates
	-P parallel-tests,include-random-tests
	-D junitThreadCount=16
	-D skipChecks
	test
	\| tee "${BUILD_OUTPUT_FILE_PATH}"
	- name: Analyze Test Runs
	if: always()
	uses: ./.github/actions/analyze-test-runs
	with:
	buildOutputFilePath: ${{ env.BUILD_OUTPUT_FILE_PATH }}
	- name: Upload test artifacts
	uses: ./.github/actions/collect-test-artifacts
	if: ${{ failure() \|\| cancelled() }}
	with:
	name: Property Tests
	performance-tests:
	name: Performance Tests
	runs-on: [ self-hosted, linux, amd64, "16" ]
	timeout-minutes: 30
	env:
	ZEEBE_PERFORMANCE_TEST_RESULTS_DIR: "/tmp/jmh"
	steps:
	- uses: actions/checkout@v4
	- uses: ./.github/actions/setup-zeebe
	with:
	go: false
	secret_vault_secretId: ${{ secrets.VAULT_SECRET_ID }}
	secret_vault_address: ${{ secrets.VAULT_ADDR }}
	secret_vault_roleId: ${{ secrets.VAULT_ROLE_ID }}
	- uses: ./.github/actions/build-zeebe
	with:
	go: false
	- name: Create build output log file
	run: echo "BUILD_OUTPUT_FILE_PATH=$(mktemp)" >> $GITHUB_ENV
	- name: Maven Test Build
	run: >
	./mvnw -B --no-snapshot-updates
	-P include-performance-tests
	-D skipChecks
	-T1C
	test
	\| tee "${BUILD_OUTPUT_FILE_PATH}"
	env:
	LARGE_STATE_CONTROLLER_PERFORMANCE_TEST_SIZE_GB: "4"
	- name: Analyze Test Runs
	if: always()
	uses: ./.github/actions/analyze-test-runs
	with:
	buildOutputFilePath: ${{ env.BUILD_OUTPUT_FILE_PATH }}
	- name: Summarize test results
	if: always()
	run: \|
	echo '## Performance Test Results' >> $GITHUB_STEP_SUMMARY
	echo '```' >> $GITHUB_STEP_SUMMARY
	FILES="${ZEEBE_PERFORMANCE_TEST_RESULTS_DIR}/*.txt"
	for file in $FILES; do
	cat "${file}" >> $GITHUB_STEP_SUMMARY
	echo "" >> $GITHUB_STEP_SUMMARY
	done
	echo '```' >> $GITHUB_STEP_SUMMARY
	- name: Upload test artifacts
	uses: ./.github/actions/collect-test-artifacts
	if: ${{ failure() \|\| cancelled() }}
	with:
	name: Performance Tests
	go-client:
	name: Go client tests
	runs-on: ubuntu-latest
	timeout-minutes: 20
	steps:
	- uses: actions/checkout@v4
	- uses: ./.github/actions/setup-zeebe
	with:
	secret_vault_secretId: ${{ secrets.VAULT_SECRET_ID }}
	secret_vault_address: ${{ secrets.VAULT_ADDR }}
	secret_vault_roleId: ${{ secrets.VAULT_ROLE_ID }}
	- uses: ./.github/actions/build-zeebe
	id: build-zeebe
	- uses: ./.github/actions/build-docker
	id: build-docker
	with:
	repository: camunda/zeebe
	version: current-test
	distball: ${{ steps.build-zeebe.outputs.distball }}
	- name: Run Go tests
	working-directory: clients/go
	run: go test -mod=vendor -v ./...
	codeql:
	name: CodeQL
	runs-on: [ self-hosted, linux, amd64, "16" ]
	permissions:
	security-events: write
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4
	- uses: ./.github/actions/setup-zeebe
	with:
	go: false
	secret_vault_secretId: ${{ secrets.VAULT_SECRET_ID }}
	secret_vault_address: ${{ secrets.VAULT_ADDR }}
	secret_vault_roleId: ${{ secrets.VAULT_ROLE_ID }}
	- name: Initialize CodeQL
	uses: github/codeql-action/init@v3
	with:
	languages: java
	queries: +security-and-quality
	- uses: ./.github/actions/build-zeebe
	with:
	maven-extra-args: -T1C
	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v3
	with:
	upload: False
	output: sarif-results
	- name: Remove results for generated code
	uses: advanced-security/filter-sarif@main
	with:
	patterns: \|
	+*/.java
	-/generated-sources//*.java
	-/generated-test-sources//*.java
	input: sarif-results/java.sarif
	output: sarif-results/java.sarif
	- name: Upload CodeQL Results
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: sarif-results/java.sarif
	go-lint:
	name: Go linting
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- uses: ./.github/actions/setup-zeebe
	with:
	java: false
	secret_vault_secretId: ${{ secrets.VAULT_SECRET_ID }}
	secret_vault_address: ${{ secrets.VAULT_ADDR }}
	secret_vault_roleId: ${{ secrets.VAULT_ROLE_ID }}
	- name: golangci-lint
	uses: golangci/golangci-lint-action@v4
	with:
	# fixed to avoid triggering false positive; see https://github.com/golangci/golangci-lint-action/issues/535
	version: v1.55.2
	# caching issues, see: https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052190775
	skip-pkg-cache: true
	skip-build-cache: true
	working-directory: clients/go
	go-apidiff:
	name: Go Backward Compatibility
	runs-on: ubuntu-latest
	env:
	# bors-ng fails to set ${GITHUB_BASE_REF} to the target PR branch which breaks go-apidiff
	# so we use this fixed value as a workaround
	GO_CLIENT_BASE_REF: stable/8.4
	steps:
	- uses: actions/checkout@v4
	- uses: ./.github/actions/setup-zeebe
	with:
	java: false
	secret_vault_secretId: ${{ secrets.VAULT_SECRET_ID }}
	secret_vault_address: ${{ secrets.VAULT_ADDR }}
	secret_vault_roleId: ${{ secrets.VAULT_ROLE_ID }}
	# Fetching a shallow copy of the ${GITHUB_BASE_REF} branch to check the compatibility against
	- name: Fetching Base Branch
	run: \|
	git fetch --depth=1 origin ${{ env.GO_CLIENT_BASE_REF }}
	- uses: joelanford/go-apidiff@main
	with:
	base-ref: origin/${{ env.GO_CLIENT_BASE_REF }}
	java-checks:
	name: Java checks
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- uses: ./.github/actions/setup-zeebe
	with:
	go: false
	maven-cache-key-modifier: java-checks
	secret_vault_secretId: ${{ secrets.VAULT_SECRET_ID }}
	secret_vault_address: ${{ secrets.VAULT_ADDR }}
	secret_vault_roleId: ${{ secrets.VAULT_ROLE_ID }}
	- run: ./mvnw -T1C -B -D skipTests -P !autoFormat,checkFormat,spotbugs verify
	docker-checks:
	name: Docker checks
	runs-on: ubuntu-latest
	services:
	# local registry is used as this job needs to push as it builds multi-platform images
	registry:
	image: registry:2
	ports:
	- 5000:5000
	env:
	LOCAL_DOCKER_IMAGE: localhost:5000/camunda/zeebe
	steps:
	- uses: actions/checkout@v4
	- uses: hadolint/hadolint-action@v3.1.0
	with:
	config: ./.hadolint.yaml
	dockerfile: ./Dockerfile
	format: sarif
	output-file: ./hadolint.sarif
	no-color: true
	verbose: true
	- name: Upload Hadolint Results
	if: always()
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: ./hadolint.sarif
	- uses: ./.github/actions/setup-zeebe
	with:
	secret_vault_secretId: ${{ secrets.VAULT_SECRET_ID }}
	secret_vault_address: ${{ secrets.VAULT_ADDR }}
	secret_vault_roleId: ${{ secrets.VAULT_ROLE_ID }}
	- uses: ./.github/actions/build-zeebe
	id: build-zeebe
	- uses: ./.github/actions/build-docker
	id: build-docker
	with:
	# we use a local registry for pushing
	repository: ${{ env.LOCAL_DOCKER_IMAGE }}
	distball: ${{ steps.build-zeebe.outputs.distball }}
	platforms: ${{ env.DOCKER_PLATFORMS }}
	# push is needed for multi-arch images as buildkit does not support loading them locally
	push: true
	- name: Verify Docker image
	uses: ./.github/actions/verify-zeebe-docker
	with:
	imageName: ${{ env.LOCAL_DOCKER_IMAGE }}
	date: ${{ steps.build-docker.outputs.date }}
	revision: ${{ github.sha }}
	version: ${{ steps.build-docker.outputs.version }}
	platforms: ${{ env.DOCKER_PLATFORMS }}
	test-summary:
	# Used by the merge queue to check all tests, including the unit test matrix.
	# New test jobs must be added to the `needs` lists!
	# This name is hard-coded in the branch rules; remember to update that if this name changes
	name: Test summary
	if: always()
	runs-on: ubuntu-latest
	needs:
	- integration-tests
	- unit-tests
	- smoke-tests
	- property-tests
	- performance-tests
	- go-client
	- codeql
	- java-checks
	- go-lint
	- go-apidiff
	- docker-checks
	steps:
	- run: exit ${{ ((contains(needs..result, 'skipped') \|\| contains(needs..result, 'failure')) && 1) \|\| 0 }}
	deploy-snapshots:
	name: Deploy snapshot artifacts
	needs: [ test-summary ]
	runs-on: ubuntu-latest
	if: github.repository == 'camunda/zeebe' && github.ref == 'refs/heads/main'
	concurrency:
	group: deploy-maven-snapshot
	cancel-in-progress: false
	steps:
	- uses: actions/checkout@v4
	- name: Import Secrets
	id: secrets
	uses: hashicorp/vault-action@v3.0.0
	with:
	url: ${{ secrets.VAULT_ADDR }}
	method: approle
	roleId: ${{ secrets.VAULT_ROLE_ID }}
	secretId: ${{ secrets.VAULT_SECRET_ID }}
	secrets: \|
	secret/data/products/zeebe/ci/zeebe ARTIFACTS_USR;
	secret/data/products/zeebe/ci/zeebe ARTIFACTS_PSW;
	- uses: actions/setup-java@v4.0.0
	with:
	distribution: 'temurin'
	java-version: '21'
	# Use CI Nexus as co-located pull-through cache for Maven artifacts via ~/.m2/settings.xml
	- name: 'Create settings.xml'
	uses: s4u/maven-settings-action@v3.0.0
	with:
	githubServer: false
	servers: \|
	[{
	"id": "camunda-nexus",
	"username": "${{ steps.secrets.outputs.ARTIFACTS_USR }}",
	"password": "${{ steps.secrets.outputs.ARTIFACTS_PSW }}"
	}]
	mirrors: '[{"url": "https://repository.nexus.camunda.cloud/content/groups/internal/", "id": "camunda-nexus", "mirrorOf": "zeebe,zeebe-snapshots", "name": "camunda Nexus"}]'
	# compile and generate-sources to ensure that the Javadoc can be properly generated; compile is
	# necessary when using annotation preprocessors for code generation, as otherwise the symbols are
	# not resolve-able by the Javadoc generator
	- run: ./mvnw -B -D skipTests -D skipChecks compile generate-sources source:jar javadoc:jar deploy
	env:
	MAVEN_USERNAME: ${{ steps.secrets.outputs.ARTIFACTS_USR }}
	MAVEN_PASSWORD: ${{ steps.secrets.outputs.ARTIFACTS_PSW }}
	deploy-docker-snapshot:
	name: Deploy snapshot Docker image
	needs: [ test-summary ]
	runs-on: ubuntu-latest
	if: github.repository == 'camunda/zeebe' && github.ref == 'refs/heads/main'
	concurrency:
	group: deploy-docker-snapshot
	cancel-in-progress: false
	steps:
	- uses: actions/checkout@v4
	- uses: ./.github/actions/setup-zeebe
	with:
	secret_vault_secretId: ${{ secrets.VAULT_SECRET_ID }}
	secret_vault_address: ${{ secrets.VAULT_ADDR }}
	secret_vault_roleId: ${{ secrets.VAULT_ROLE_ID }}
	docker-token: REGISTRY_HUB_DOCKER_COM_PSW
	- uses: ./.github/actions/build-zeebe
	id: build-zeebe
	- uses: ./.github/actions/build-docker
	id: build-docker
	with:
	repository: camunda/zeebe
	version: SNAPSHOT
	platforms: ${{ env.DOCKER_PLATFORMS }}
	push: true
	distball: ${{ steps.build-zeebe.outputs.distball }}
	deploy-benchmark-images:
	name: Deploy benchmark images
	needs: [ test-summary ]
	runs-on: ubuntu-latest
	if: github.repository == 'camunda/zeebe' && github.ref == 'refs/heads/main'
	concurrency:
	group: deploy-benchmark-images
	cancel-in-progress: false
	permissions:
	contents: 'read'
	id-token: 'write'
	steps:
	- uses: actions/checkout@v4
	- uses: google-github-actions/auth@v2
	id: auth
	with:
	token_format: 'access_token'
	workload_identity_provider: 'projects/628707732411/locations/global/workloadIdentityPools/zeebe-gh-actions/providers/gha-provider'
	service_account: 'zeebe-gh-actions@zeebe-io.iam.gserviceaccount.com'
	- name: Login to GCR
	uses: docker/login-action@v3
	with:
	registry: gcr.io
	username: oauth2accesstoken
	password: ${{ steps.auth.outputs.access_token }}
	- uses: ./.github/actions/setup-zeebe
	with:
	secret_vault_secretId: ${{ secrets.VAULT_SECRET_ID }}
	secret_vault_address: ${{ secrets.VAULT_ADDR }}
	secret_vault_roleId: ${{ secrets.VAULT_ROLE_ID }}
	- run: ./mvnw -B -D skipTests -D skipChecks -pl zeebe/benchmarks/project -am package
	- name: Build Starter Image
	run: ./mvnw -pl zeebe/benchmarks/project jib:build -P starter
	- name: Build Worker Image
	run: ./mvnw -pl zeebe/benchmarks/project jib:build -P worker
	deploy-snyk-projects:
	name: Deploy Snyk development projects
	needs: [ test-summary ]
	if: \|
	github.repository == 'camunda/zeebe' &&
	github.event_name == 'push' &&
	(startsWith(github.ref_name, 'stable/') \|\| github.ref_name == 'main')
	concurrency:
	group: deploy-snyk-projects
	cancel-in-progress: false
	uses: ./.github/workflows/snyk.yml
	with:
	monitor: true
	build: true
	secrets: inherit
	notify-if-failed:
	name: Send slack notification on build failure
	runs-on: ubuntu-latest
	needs: [ test-summary, deploy-snapshots, deploy-docker-snapshot, deploy-snyk-projects ]
	if: failure() && github.repository == 'camunda/zeebe' && github.ref == 'refs/heads/main'
	steps:
	- id: slack-notify
	name: Send slack notification
	uses: slackapi/slack-github-action@v1.25.0
	with:
	# For posting a rich message using Block Kit
	payload: \|
	{
	"text": ":alarm: Build on `main` failed! :alarm:\n${{ github.event.head_commit.url }}",
	"blocks": [
	{
	"type": "section",
	"text": {
	"type": "mrkdwn",
	"text": ":alarm: Build on `main` failed! :alarm:"
	}
	},
	{
	"type": "section",
	"text": {
	"type": "mrkdwn",
	"text": "Please check the related commit: ${{ github.event.head_commit.url }}\n \\cc @zeebe-medic"
	}
	}
	]
	}
	env:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
	SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
	auto-merge:
	# This workflow will auto merge a PR authored by backport-action or renovate[bot].
	# It runs only on open PRs ready for review.
	#
	# It will merge the PR only if it is authored by backport-action and all CI checks are successful
	# OR if it is authored by renovate[bot] and all CI checks are successful.
	#
	# The workflow is divided into multiple sequential jobs to allow giving only minimal permissions to
	# the GitHub token passed around.
	name: Auto-merge backport, release, and renovate PRs
	runs-on: ubuntu-latest
	needs: [ test-summary ]
	if: \|
	github.repository == 'camunda/zeebe' &&
	(github.actor == 'backport-action' \|\| github.actor == 'renovate[bot]' \|\| github.actor == 'camundait')
	permissions:
	checks: read
	pull-requests: write
	env:
	GITHUB_TOKEN: ${{ secrets.AUTOMERGE_TOKEN }}
	steps:
	- uses: actions/checkout@v4
	- id: approve-and-merge-backport-renovate
	name: Approve and merge backport PR
	run: \|
	gh pr review ${{ github.event.pull_request.number }} --approve
	# Call the API directly to work around https://github.com/cli/cli/issues/8352
	gh api graphql -f query='mutation PullRequestAutoMerge {enablePullRequestAutoMerge(input: {pullRequestId: "${{ github.event.pull_request.node_id }}"}) {clientMutationId}}'
	# This job will trigger another workflow such that it will trigger a re-run of this failing workflow
	# We can't automatically do this here, since you can only re-run a workflow if it has finished,
	# and while this job is running, the workflow clearly hasn't finished
	#
	# It will only retry if the workflow failed, the run count is < 3 (to avoid infinite loops), and
	# the author is backport-action, renovate, or camundait (for release PRs)
	retry-workflow:
	name: Retry release, renovate, or backport PRs automatically
	needs: [ test-summary ]
	if: \|
	failure() &&
	fromJSON(github.run_attempt) < 3 &&
	github.repository == 'camunda/zeebe' &&
	(github.actor == 'backport-action' \|\| github.actor == 'renovate[bot]' \|\| github.actor == 'camundait')
	runs-on: ubuntu-latest
	env:
	GH_REPO: ${{ github.repository }}
	GH_TOKEN: ${{ github.token }}
	steps:
	- name: Retry workflow run ${{ github.run_id }}
	run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CI #455

Workflow file

CI #455

Jobs

Run details

Workflow file for this run