google · sgammon · Mar 8, 2024 · Mar 8, 2024 · Mar 8, 2024 · Mar 8, 2024
diff --git a/.github/workflows/ci.build.yml b/.github/workflows/ci.build.yml
@@ -0,0 +1,215 @@
+# Guava GitHub CI
+# ---------------------------------------------------------------------------------------------------------------------
+# This is the main CI build on GitHub for the Google Guava project. This workflow is not invoked directly; instead, the
+# `on.pr.yml` and `on.push.yml` workflows kick in on PR and push events, respectively, and call this workflow as a
+# Reusable Workflow.
+#
+# This workflow can be tested independently of the entrypoint flow through the `workflow_dispatch` hook, which adds a
+# button within the UI of the GitHub repository. You can trigger the workflow from here:
+#
+# https://github.com/google/guava/actions/workflows/ci.build.yml
+#
+# ## Inputs
+#
+# See the set of input parameters underneath the `workflow_call` and `workflow_dispatch` hooks for ways this workflow
+# can be controlled when called.
+#
+# ## SLSA Provenance
+#
+# After building Guava in both JRE and Android variants, this workflow will (if enabled) generate provenance material
+# and upload it to an associated release. Learn more about SLSA here: https://slsa.dev.
+
+name: Build
+
+on:
+  workflow_call:
+    inputs:
+      provenance:
+        type: boolean
+        description: "Provenance"
+        default: false
+      provenance_publish:
+        type: boolean
+        description: "Publish: Provenance"
+        default: true
+      snapshot:
+        type: boolean
+        description: "Publish: Snapshot"
+        default: false
+      repository:
+        type: string
+        description: "Publish Repository"
+        default: "sonatype-nexus-snapshots"
+
+  workflow_dispatch:
+    inputs:
+      provenance:
+        type: boolean
+        description: "Provenance"
+        default: false
+      provenance_publish:
+        type: boolean
+        description: "Publish: Provenance"
+        default: false
+      snapshot:
+        type: boolean
+        description: "Publish: Snapshot"
+        default: true
+      repository:
+        type: string
+        description: "Publish Repository"
+        default: "sonatype-nexus-snapshots"
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        mode: ["JRE", "Android"]
+    name: "Build Guava (${{ matrix.mode }})"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    env:
+      ROOT_POM: ${{ matrix.mode == 'Android' && 'android/pom.xml' || 'pom.xml' }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.azul.com:443
+            api.github.com:443
+            cdn.azul.com:443
+            dl.google.com:443
+            docs.oracle.com:443
+            errorprone.info:443
+            github.com:443
+            objects.githubusercontent.com:443
+            oss.sonatype.org:443
+            repo.maven.apache.org:443
+            services.gradle.org:443
+      - name: 'Check out repository'
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+      - name: 'Set up JDK 21'
+        uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0
+        with:
+          java-version: 21
+          distribution: 'zulu'
+          cache: 'maven'
+      - name: 'Install'
+        shell: bash
+        run: |
+          ./mvnw \
+            --strict-checksums \
+            -B \
+            -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
+            install \
+            -U \
+            -DskipTests=true \
+            -Dmaven.javadoc.skip=false \
+            -Dguava.build.spdx=true \
+            -Dgpg.skip \
+            -f $ROOT_POM
+      - name: Generate hashes
+        shell: bash
+        id: hash
+        if: matrix.mode == 'JRE'
+        run: |
+          echo "Building SLSA provenance material..."
+          ls guava/target/*.jar guava-gwt/target/*.jar guava-testlib/target/*.jar
+          echo "hashes=$(sha256sum guava/target/*.jar guava-gwt/target/*.jar guava-testlib/target/*.jar | base64 -w0)" >> ./provenance-hashes.txt
+          cat ./provenance-hashes.txt >> "$GITHUB_OUTPUT"
+          echo "Gathered provenance hashes:"
+          cat ./provenance-hashes.txt
+      - name: 'Upload artifacts'
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        if: matrix.mode == 'JRE'
+        with:
+          name: guava-artifacts-${{ matrix.mode == 'Android' && 'android' || 'jre' }}-${{ github.sha }}
+          path: |
+            guava/target/*.jar
+            guava-gwt/target/*.jar
+            guava-testlib/target/*.jar
+            ./provenance-hashes.txt
+          if-no-files-found: warn
+          retention-days: 7
+
+  # Generate SLSA provenance
+  provenance:
+    needs: [build]
+    if: inputs.provenance
+    name: "SLSA Provenance"
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      upload-assets: ${{ inputs.provenance_publish }}
+
+  # Publish snapshot JAR
+  publish_snapshot:
+    name: 'Publish Snapshot'
+    needs: [build, provenance]
+    if: inputs.snapshot
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: 'Check out repository'
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: 'Set up JDK 21'
+        uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0
+        with:
+          java-version: 21
+          distribution: 'zulu'
+          server-id: ${{ inputs.repository }}
+          server-username: CI_DEPLOY_USERNAME
+          server-password: CI_DEPLOY_PASSWORD
+          cache: 'maven'
+      - name: "Download artifacts"
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        with:
+          name: guava-artifacts-jre-${{ github.sha }}
+      - name: 'Publish'
+        env:
+          CI_DEPLOY_USERNAME: ${{ secrets.CI_DEPLOY_USERNAME }}
+          CI_DEPLOY_PASSWORD: ${{ secrets.CI_DEPLOY_PASSWORD }}
+        run: ./util/deploy_snapshot.sh
+
+  generate_docs:
+    permissions:
+      contents: write
+    name: 'Generate Docs'
+    needs: build
+    if: github.event_name == 'push' && github.repository == 'google/guava'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: 'Check out repository'
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: 'Set up JDK 21'
+        uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # v4.1.0
+        with:
+          java-version: 21
+          distribution: 'zulu'
+          cache: 'maven'
+      - name: 'Generate latest docs'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: ./util/update_snapshot_docs.sh
diff --git a/.github/workflows/ci.test.yml b/.github/workflows/ci.test.yml
@@ -0,0 +1,116 @@
+# Guava GitHub CI
+# ---------------------------------------------------------------------------------------------------------------------
+# This is the main CI testsuite on GitHub for the Google Guava project. This workflow is not invoked directly; instead,
+# the `on.pr.yml` and `on.push.yml` workflows kick in on PR and push events, respectively, and call this workflow as a
+# Reusable Workflow.
+#
+# This workflow can be tested independently of the entrypoint flow through the `workflow_dispatch` hook, which adds a
+# button within the UI of the GitHub repository. You can trigger the workflow from here:
+#
+# https://github.com/google/guava/actions/workflows/ci.test.yml
+#
+# ## Inputs
+#
+# See the set of input parameters underneath the `workflow_call` and `workflow_dispatch` hooks for ways this workflow
+# can be controlled when called.
+#
+# ## Multi-OS and Multi-JVM Testing
+#
+# Guava is tested against each LTS release at JDK 8 through JDK 21, on Linux and on Windows (starting at JDK 17), and
+# in Android and JRE flavors.
+
+name: Tests
+
+on:
+  workflow_call: {}
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+    name: "JDK ${{ matrix.java }} ${{ matrix.mode }} (${{ matrix.os }})"
+    strategy:
+      matrix:
+        os: [ ubuntu-latest ]
+        java: [ 8, 11, 17, 21 ]
+        mode: [ 'JRE', 'Android' ]
+        include:
+          - os: windows-latest
+            java: 21
+            mode: JRE
+          - os: windows-latest
+            java: 21
+            mode: Android
+    runs-on: ${{ matrix.os }}
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    env:
+      ROOT_POM: ${{ matrix.mode == 'Android' && 'android/pom.xml' || 'pom.xml' }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.azul.com:443
+            api.github.com:443
+            cdn.azul.com:443
+            dl.google.com:443
+            docs.oracle.com:443
+            errorprone.info:443
+            github.com:443
+            objects.githubusercontent.com:443
+            oss.sonatype.org:443
+            repo.maven.apache.org:443
+            services.gradle.org:443
+      - name: 'Check out repository'
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          persist-credentials: false
+      - name: 'Set up JDK ${{ matrix.java }}'
+        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
+        with:
+          java-version: ${{ matrix.java }}
+          distribution: 'zulu'
+          cache: 'maven'
+      - name: 'Install'
+        shell: bash
+        run: |
+          ./mvnw \
+            --strict-checksums \
+            -B \
+            -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
+            install \
+            -U \
+            -DskipTests=true \
+            -Dgpg.skip \
+            -Dguava.build.spdx=false \
+            -Dmaven.javadoc.skip=true \
+            -f $ROOT_POM
+      - name: 'Test'
+        shell: bash
+        run: |
+          ./mvnw \
+            --strict-checksums \
+            -B \
+            -P!standard-with-extra-repos \
+            verify \
+            -U \
+            -Dgpg.skip \
+            -Dguava.build.spdx=false \
+            -Dmaven.javadoc.skip=true \
+            -f $ROOT_POM
+      - name: 'Print Surefire reports'
+        # Note: Normally a step won't run if the job has failed, but this causes it to
+        if: ${{ failure() }}
+        shell: bash
+        run: ./util/print_surefire_reports.sh
+      - name: 'Integration Test'
+        if: matrix.java == 11
+        shell: bash
+        run: util/gradle_integration_tests.sh