Skip to content

Add main CI job and GitHub workflows to build PRs #11541

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
beikov merged 1 commit into from
Jan 7, 2026
Merged

Add main CI job and GitHub workflows to build PRs #11541

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions .github/ci-prerequisites.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
# Reclaim disk space, otherwise we only have 13 GB free at the start of a job

# Remove the container images for node:
docker rmi node:10 node:12 mcr.microsoft.com/azure-pipelines/node8-typescript:latest
# That is 18 GB
sudo rm -rf /usr/share/dotnet
# That is 1.2 GB
sudo rm -rf /usr/share/swift
78 changes: 78 additions & 0 deletions .github/workflows/ci-report.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
name: GH Actions CI reporting

on:
workflow_run:
workflows: [ "GH Actions CI" ]
types: [ completed ]

defaults:
run:
shell: bash

jobs:
publish-build-scans:
name: Publish Develocity build scans
if: github.repository == 'hibernate/hibernate-orm' && github.event.workflow_run.conclusion != 'cancelled'
runs-on: ubuntu-latest
steps:
# Checkout target branch which has trusted code
- name: Check out target branch
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
ref: ${{ github.ref }}
- name: Set up JDK
uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
with:
distribution: 'temurin'
java-version: '8'

- name: Generate cache key
id: cache-key
run: |
CURRENT_BRANCH="${{ github.repository != 'hibernate/hibernate-orm' && 'fork' || github.base_ref || github.ref_name }}"
CURRENT_MONTH=$(/bin/date -u "+%Y-%m")
CURRENT_DAY=$(/bin/date -u "+%d")
ROOT_CACHE_KEY="buildtool-cache"
echo "buildtool-monthly-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}" >> $GITHUB_OUTPUT
echo "buildtool-monthly-branch-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}" >> $GITHUB_OUTPUT
echo "buildtool-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}-${CURRENT_DAY}" >> $GITHUB_OUTPUT
- name: Restore Maven/Gradle Dependency/Dist Caches
uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
with:
path: |
~/.m2/repository/
~/.m2/wrapper/
~/.gradle/caches/modules-2
~/.gradle/wrapper/
key: ${{ steps.cache-key.outputs.buildtool-cache-key }}
restore-keys: |
${{ steps.cache-key.outputs.buildtool-monthly-branch-cache-key }}-
${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}-

- name: Download GitHub Actions artifacts for the Develocity build scans
id: downloadBuildScan
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
pattern: build-scan-data-*
github-token: ${{ github.token }}
repository: ${{ github.repository }}
run-id: ${{ github.event.workflow_run.id }}
path: /tmp/downloaded-build-scan-data/
# Don't fail the build if there are no matching artifacts
continue-on-error: true
- name: Publish Develocity build scans for previous builds
if: ${{ steps.downloadBuildScan.outcome != 'failure'}}
run: |
shopt -s nullglob # Don't run the loop below if there are no artifacts
status=0
mkdir -p ~/.gradle/
for build_scan_data_directory in /tmp/downloaded-build-scan-data/*
do
rm -rf ~/.gradle/build-scan-data
mv "$build_scan_data_directory" ~/.gradle/build-scan-data \
&& ./gradlew --no-build-cache buildScanPublishPrevious || status=1
done
exit $status
env:
DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY_PR }}
120 changes: 120 additions & 0 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,120 @@
name: GH Actions CI

on:
pull_request:
branches:
- '5.3'
# Ignore dependabot PRs that are not just about build dependencies or workflows;
# we'll reject such PRs and send one ourselves.
- '!dependabot/**'
- 'dependabot/maven/build-dependencies-**'
- 'dependabot/github_actions/workflow-actions-**'

permissions: { } # none

# See https://github.com/hibernate/hibernate-orm/pull/4615 for a description of the behavior we're getting.
concurrency:
# Consider that two builds are in the same concurrency group (cannot run concurrently)
# if they use the same workflow and are about the same branch ("ref") or pull request.
group: "workflow = ${{ github.workflow }}, ref = ${{ github.event.ref }}, pr = ${{ github.event.pull_request.id }}"
# Cancel previous builds in the same concurrency group even if they are in progress
# for pull requests or pushes to forks (not the upstream repository).
cancel-in-progress: ${{ github.event_name == 'pull_request' || github.repository != 'hibernate/hibernate-orm' }}

jobs:

# Main job for h2/docker DBs.
build:
permissions:
contents: read
name: OpenJDK 8 - ${{matrix.rdbms}}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- rdbms: h2
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Reclaim Disk Space
run: .github/ci-prerequisites.sh
- name: Set up Java 8
uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
with:
distribution: 'temurin'
java-version: '8'

- name: Generate cache key
id: cache-key
run: |
CURRENT_BRANCH="${{ github.repository != 'hibernate/hibernate-orm' && 'fork' || github.base_ref || github.ref_name }}"
CURRENT_MONTH=$(/bin/date -u "+%Y-%m")
CURRENT_DAY=$(/bin/date -u "+%d")
ROOT_CACHE_KEY="buildtool-cache"
echo "buildtool-monthly-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}" >> $GITHUB_OUTPUT
echo "buildtool-monthly-branch-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}" >> $GITHUB_OUTPUT
echo "buildtool-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}-${CURRENT_DAY}" >> $GITHUB_OUTPUT
- name: Cache Maven/Gradle Dependency/Dist Caches
id: cache-maven
uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
# if it's not a pull request, we restore and save the cache
if: github.event_name != 'pull_request'
with:
path: |
~/.m2/repository/
~/.m2/wrapper/
~/.gradle/caches/modules-2
~/.gradle/wrapper/
# A new cache will be stored daily. After that first store of the day, cache save actions will fail because the cache is immutable but it's not a problem.
# The whole cache is dropped monthly to prevent unlimited growth.
# The cache is per branch but in case we don't find a branch for a given branch, we will get a cache from another branch.
key: ${{ steps.cache-key.outputs.buildtool-cache-key }}
restore-keys: |
${{ steps.cache-key.outputs.buildtool-monthly-branch-cache-key }}-
${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}-
- name: Restore Maven/Gradle Dependency/Dist Caches
uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
# if it a pull request, we restore the cache but we don't save it
if: github.event_name == 'pull_request'
with:
path: |
~/.m2/repository/
~/.m2/wrapper/
~/.gradle/caches/modules-2
~/.gradle/wrapper/
key: ${{ steps.cache-key.outputs.buildtool-cache-key }}
restore-keys: |
${{ steps.cache-key.outputs.buildtool-monthly-branch-cache-key }}-
${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}-

- name: Run build script
run: ./ci/build-github.sh
shell: bash
env:
RDBMS: ${{ matrix.rdbms }}
# For jobs running on 'push', publish build scan and cache immediately.
# This won't work for pull requests, since they don't have access to secrets.
POPULATE_REMOTE_GRADLE_CACHE: ${{ github.event_name == 'push' && github.repository == 'hibernate/hibernate-orm' && 'true' || 'false' }}
DEVELOCITY_ACCESS_KEY: "${{ secrets.DEVELOCITY_ACCESS_KEY }}"

# For jobs running on 'pull_request', upload build scan data.
# The actual publishing must be done in a separate job (see ci-report.yml).
# We don't write to the remote cache as that would be unsafe.
- name: Upload GitHub Actions artifact for the Develocity build scan
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
if: "${{ github.event_name == 'pull_request' && !cancelled() }}"
with:
name: build-scan-data-${{ matrix.rdbms }}
path: ~/.gradle/build-scan-data

- name: Upload test reports (if Gradle failed)
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
if: failure()
with:
name: test-reports-java11-${{ matrix.rdbms }}
path: |
./**/target/reports/tests/
- name: Omit produced artifacts from build cache
run: ./ci/before-cache.sh
74 changes: 74 additions & 0 deletions .github/workflows/codeql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
name: "CodeQL"

on:
pull_request:
branches: [ '5.3' ]

# See https://github.com/hibernate/hibernate-orm/pull/4615 for a description of the behavior we're getting.
concurrency:
# Consider that two builds are in the same concurrency group (cannot run concurrently)
# if they use the same workflow and are about the same branch ("ref") or pull request.
group: "workflow = ${{ github.workflow }}, ref = ${{ github.event.ref }}, pr = ${{ github.event.pull_request.id }}"
# Cancel previous builds in the same concurrency group even if they are in process
# for pull requests or pushes to forks (not the upstream repository).
cancel-in-progress: ${{ github.event_name == 'pull_request' || github.repository != 'hibernate/hibernate-orm' }}

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

strategy:
fail-fast: false
matrix:
language: [ 'java' ]
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

steps:

- name: Set up JDK
uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
with:
distribution: 'temurin'
java-version: '8'

- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@7e3036b9cd87fc26dd06747b7aa4b96c27aaef3a # v3.28.4
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.

# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
queries: +security-and-quality


# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@7e3036b9cd87fc26dd06747b7aa4b96c27aaef3a # v3.28.4

# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

# If the Autobuild fails above, remove it and uncomment the following three lines.
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.

# - run: |
# echo "Run, Build Application using script"
# ./location_of_script_within_repo/buildscript.sh

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@7e3036b9cd87fc26dd06747b7aa4b96c27aaef3a # v3.28.4
with:
category: "/language:${{matrix.language}}"
Loading
Loading