-
Notifications
You must be signed in to change notification settings - Fork 156
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
First attempt at GH Action updates #310
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks mostly good, but a few recommendations. Keeping to major versions of actions is best practice, AFAIK, and swapping for the Microsoft Build of OpenJDK seems relevant 😁.
@@ -38,11 +38,11 @@ jobs: | |||
|
|||
steps: | |||
- name: Checkout repository | |||
uses: actions/checkout@v2 | |||
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Latest suggested version is just v4. Should do... and will keep updating until v4 is no longer updated (and v5 becomes the main version to follow).
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
uses: actions/checkout@v4 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can a link to an issue be provided? I'm trying to understand what is happening here in light of our upcoming changes to integrate the MS signing policy and our integration with jreleaser
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is just a GitHub Action version update for CI, it's separate to any jreleaser efforts.
.github/workflows/early_access.yml
Outdated
@@ -12,13 +12,13 @@ jobs: | |||
if: startsWith(github.event.head_commit.message, '[maven-release-plugin]') != true | |||
|
|||
steps: | |||
- uses: actions/checkout@v2 | |||
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
- uses: actions/checkout@v4 |
|
||
- name: Set up JDK 11 | ||
uses: actions/setup-java@v2 | ||
uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
V2 is good. See this article...
uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 | |
uses: actions/setup-java@v2 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah but v3.13.0 is the latest :-)
.github/workflows/early_access.yml
Outdated
with: | ||
java-version: 11 | ||
distribution: 'adopt' | ||
distribution: 'temurin' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You meant Microsoft, right? 😁
distribution: 'temurin' | |
distribution: 'microsoft' |
.github/workflows/maven.yml
Outdated
@@ -21,13 +21,13 @@ jobs: | |||
java: [11, 17] | |||
|
|||
steps: | |||
- uses: actions/checkout@v2 | |||
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
- uses: actions/checkout@v4 |
.github/workflows/maven.yml
Outdated
with: | ||
java-version: ${{ matrix.java }} | ||
distribution: 'adopt' | ||
distribution: 'temurin' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
distribution: 'temurin' | |
distribution: 'microsoft' |
.github/workflows/publish.yml
Outdated
@@ -10,23 +10,23 @@ jobs: | |||
|
|||
steps: | |||
- name: Checkout project | |||
uses: actions/checkout@v2 | |||
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
uses: actions/checkout@v4 |
with: | ||
ref: main | ||
fetch-depth: 0 | ||
|
||
- name: Cache Maven | ||
uses: actions/cache@v2.1.4 | ||
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like the latest major version to use for cache is v3.
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 | |
uses: actions/cache@v3 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, it's 3.3.2, it's safer to use teh commit hash and a comment, dependabot knows what to do going forward
with: | ||
path: ~/.m2/repository | ||
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} | ||
restore-keys: ${{ runner.os }}-m2 | ||
|
||
- name: Setup Java JDK | ||
uses: actions/setup-java@v2 | ||
uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 | |
uses: actions/setup-java@v2 |
.github/workflows/publish.yml
Outdated
with: | ||
java-version: '11' | ||
distribution: 'adopt' | ||
distribution: 'temurin' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
distribution: 'temurin' | |
distribution: 'microsoft' |
@d3r3kk FYI - the Better security practice is now to reference the hash commits of GH actions (as |
Oh interesting. Then I rescind all comments to that effect. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With the updated info on best practices, I say 🚢 it.
No description provided.