[StepSecurity] ci: Harden GitHub Actions #639
name: Rhino CI | |
on: | |
push: | |
branches: [ master ] | |
pull_request: | |
branches: [ master ] | |
permissions: read-all | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
strategy: | |
# Some tests require more CPU, and all can use multiple CPUs | |
max-parallel: 1 | |
matrix: | |
java: [ '8', '11', '17' ] | |
name: Rhino Java ${{ matrix.java }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
with: | |
# Need all history or spotless check will fail | |
fetch-depth: 0 | |
- name: Check out test262 | |
# We don't actually want all the history for this part | |
run: git submodule update --init --single-branch | |
- name: Set up Java | |
uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 | |
with: | |
java-version: ${{ matrix.java }} | |
distribution: 'adopt' | |
- if: matrix.java == '8' | |
name: Check everything with Gradle on Java 8 | |
run: ./gradlew check jacocoTestReport | |
- if: matrix.java != '8' | |
name: Check everything with Gradle, modular Java | |
run: >- | |
./gradlew check jacocoTestReport | |
-Dorg.gradle.jvmargs="--add-exports jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED | |
--add-exports jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED | |
--add-exports jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED | |
--add-exports jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED | |
--add-exports jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED" | |
- name: Upload results | |
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
with: | |
name: reports | |
path: buildGradle/reports | |
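Review bot: `permissions: read-all` at the top of the workflow gives the job's GITHUB_TOKEN read access to every scope, which is wider than the visible steps need; the checkout, submodule update, Gradle runs and artifact upload appear to need only repository contents. Narrowing it to a `permissions:` mapping with the single entry `contents: read` keeps the token least-privileged while `./gradlew` executes build logic and dependencies from pull-request code. Provided the test262 submodule is fetched anonymously and no later step authenticates with git, adding `persist-credentials: false` under the Checkout step's `with:` would also keep the token out of `.git/config` during the build. The page does not mark which lines the PR changed, so this applies to the workflow as displayed.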