HV-2059 Integrate with Develocity build scans/build cache

.github/hibernate-github-bot.yml

@@ -27,3 +27,23 @@ jira:
     - "README.md"
     - "MAINTAINERS.md"
     - "CONTRIBUTING.md"
+develocity:
+  buildScan:
+    addCheck: true
+    tags:
+      - column: "OS"
+        pattern: "Linux"
+      - column: "OS"
+        pattern: "Windows.*"
+        replacement: "Windows"
+      - column: "Java"
+        pattern: "jdk-(.*)"
+        replacement: "$1"
+      - column: "TCK mode"
+        pattern: "(.+)-TCK"
+        replacement: "$1"
+      - column: "TCK Version"
+        pattern: "Validation-TCK-(.+)"
+        replacement: "$1"
+      - pattern: "org.hibernate.validator|Hibernate Validator|main|HEAD|\\d+.\\d+|PR-\\d+"
+        replacement: "" # Just remove these tags

.github/workflows/ci-report.yml

@@ -0,0 +1,71 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright Red Hat Inc. and Hibernate Authors
+
+name: GH Actions CI reporting
+
+on:
+  workflow_run:
+    workflows: [ "GH Actions CI" ]
+    types: [ completed ]
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  MAVEN_ARGS: "-e -B --settings .github/mvn-settings.xml --fail-at-end -Pci-build --no-transfer-progress"
+
+jobs:
+  publish-build-scans:
+    name: Publish Develocity build scans
+    if: github.repository == 'hibernate/hibernate-validator' && github.event.workflow_run.conclusion != 'cancelled'
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout target branch which has trusted code
+      - name: Check out target branch
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          ref: ${{ github.ref }}
+      - name: Set up Java 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: 21
+          distribution: temurin
+      # https://github.com/actions/cache/blob/main/examples.md#java---maven
+      - name: Cache local Maven repository
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2/repository
+          # use a different key than workflows running untrusted code
+          key: trusted-${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            trusted-${{ runner.os }}-maven-
+      - name: Set up Maven
+        run: ./mvnw -v
+      - name: Download GitHub Actions artifacts for the Develocity build scans
+        id: downloadBuildScan
+        uses: actions/download-artifact@v4
+        with:
+          pattern: build-scan-data-*
+          github-token: ${{ github.token }}
+          repository: ${{ github.repository }}
+          run-id: ${{ github.event.workflow_run.id }}
+          path: /tmp/downloaded-build-scan-data/
+        # Don't fail the build if there are no matching artifacts
+        continue-on-error: true
+      - name: Publish Develocity build scans for previous builds
+        if: ${{ steps.downloadBuildScan.outcome != 'failure'}}
+        run: |
+          shopt -s nullglob # Don't run the loop below if there are no artifacts
+          status=0
+          mkdir -p ~/.m2/.develocity/
+          for build_scan_data_directory in /tmp/downloaded-build-scan-data/*
+          do
+            rm -rf ~/.m2/.develocity/build-scan-data
+            mv "$build_scan_data_directory" ~/.m2/.develocity/build-scan-data \
+            && ./mvnw $MAVEN_ARGS develocity:build-scan-publish-previous || status=1
+          done
+          exit $status
+        env:
+          DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY_PR }}

.github/workflows/ci.yml

@@ -103,35 +103,37 @@ jobs:
       - name: Set up Maven
         run: ./mvnw -v
 
-      - name: Build code and run tests and basic checks
+      - name: Build code and run tests and basic checks (Standalone)
         run: |
           ./mvnw $MAVEN_ARGS ${{ matrix.os.maven.args }} clean install \
           -Pjqassistant -Pdist -Prelocation
+        env:
+          DEVELOCITY_ACCESS_KEY: "${{ secrets.DEVELOCITY_ACCESS_KEY || '' }}"
+      # For jobs running on 'pull_request', upload build scan data.
+      # The actual publishing must be done in a separate job (see ci-report.yml).
+      # We don't write to the remote cache as that would be unsafe.
+      - name: Upload GitHub Actions artifact for the Develocity build scan
+        uses: actions/upload-artifact@v4
+        if: "${{ github.event_name == 'pull_request' && !cancelled() }}"
+        with:
+          name: build-scan-data-standalone-${{ matrix.os.name }}
+          path: ~/.m2/.develocity/build-scan-data
 
-      - name: Build code and run tests in container mode
+      - name: Run TCK tests in container mode
         run: |
           ./mvnw $MAVEN_ARGS ${{ matrix.os.maven.args }} clean verify \
           -Pjqassistant -Pskip-checks \
           -am -pl :hibernate-validator-tck-runner \
           -Dincontainer -Dincontainer-prepared
-      # Workaround for https://github.com/actions/upload-artifact/issues/240
-      - name: List build reports to upload (if build failed)
-        if: ${{ failure() || cancelled() }}
-        # The weird syntax is because we're setting a multiline environment variable
-        # See https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-of-a-multiline-string
-        run: |
-          {
-            echo 'buildReportPaths<<EOF'
-            find . -path '**/*-reports'
-            echo EOF
-          } >> "$GITHUB_ENV"
-      - name: Upload build reports (if build failed)
+        env:
+          DEVELOCITY_ACCESS_KEY: "${{ secrets.DEVELOCITY_ACCESS_KEY || '' }}"
+
+      - name: Upload GitHub Actions artifact for the Develocity build scan
         uses: actions/upload-artifact@v4
-        if: ${{ failure() || cancelled() }}
+        if: "${{ github.event_name == 'pull_request' && !cancelled() }}"
         with:
-          name: ${{ format('build-reports-{0}', matrix.os.name ) }}
-          path: ${{ env.buildReportPaths }}
-          retention-days: 7
+          name: build-scan-data-incontainer-${{ matrix.os.name }}
+          path: ~/.m2/.develocity/build-scan-data
 
       - name: Omit produced artifacts from build cache
         run: rm -r ~/.m2/repository/org/hibernate/validator

.gitignore

@@ -54,3 +54,6 @@ maven-eclipse.xml
 
 # Cache folders for formatting plugins:
 .cache
+
+# develocity cache related:
+.mvn/.develocity

.mvn/develocity.xml

@@ -0,0 +1,33 @@
+<develocity
+        xmlns="https://www.gradle.com/develocity-maven" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="https://www.gradle.com/develocity-maven https://www.gradle.com/schema/develocity-maven.xsd">
+    <server>
+        <url>https://ge.hibernate.org</url>
+        <allowUntrusted>false</allowUntrusted>
+    </server>
+    <buildScan>
+        <!--
+        Expression support is documented here: https://docs.gradle.com/enterprise/maven-extension/#expression_support
+        -->
+        <obfuscation>
+            <!-- Don't share ip addresses-->
+            <ipAddresses>#{{'0.0.0.0'}}</ipAddresses>
+        </obfuscation>
+        <capture>
+            <fileFingerprints>true</fileFingerprints>
+        </capture>
+        <!-- https://docs.gradle.com/enterprise/maven-extension/#manual_access_key_configuration -->
+        <backgroundBuildScanUpload>#{env['CI'] == null}</backgroundBuildScanUpload>
+    </buildScan>
+    <buildCache>
+        <local>
+            <enabled>#{properties['no-build-cache'] == null}</enabled>
+        </local>
+        <remote>
+            <enabled>#{properties['no-build-cache'] == null}</enabled>
+            <storeEnabled>
+                #{env['CI'] != null and (env['CHANGE_ID']?:'').isBlank() and (env['GITHUB_BASE_REF']?:'').isBlank() and !(env['DEVELOCITY_ACCESS_KEY']?:'').isBlank()}
+            </storeEnabled>
+        </remote>
+    </buildCache>
+</develocity>

.mvn/extensions.xml

@@ -0,0 +1,17 @@
+<extensions>
+    <extension>
+        <groupId>com.gradle</groupId>
+        <artifactId>develocity-maven-extension</artifactId>
+        <version>1.22.2</version>
+    </extension>
+    <extension>
+        <groupId>com.gradle</groupId>
+        <artifactId>common-custom-user-data-maven-extension</artifactId>
+        <version>2.0.1</version>
+    </extension>
+    <extension>
+        <groupId>org.hibernate.infra.develocity</groupId>
+        <artifactId>hibernate-develocity-maven-extension</artifactId>
+        <version>3.0.0.Final</version>
+    </extension>
+</extensions>

Jenkinsfile

@@ -246,9 +246,9 @@ stage('Default build') {
 		return
 	}
 	runBuildOnNode {
-		helper.withMavenWorkspace(mavenSettingsConfig: deploySnapshot ? helper.configuration.file.deployment.maven.settingsId : null) {
-			sh """ \
-					mvn clean \
+		withMavenWorkspace(mavenSettingsConfig: deploySnapshot ? helper.configuration.file.deployment.maven.settingsId : null) {
+			mvn """ \
+					clean \
 					--fail-at-end \
 					${deploySnapshot ? "\
 							deploy -DdeployAtEnd=true \
@@ -277,7 +277,7 @@ stage('Non-default environments') {
 	environments.content.jdk.enabled.each { JdkBuildEnvironment buildEnv ->
 		parameters.put(buildEnv.tag, {
 			runBuildOnNode {
-				helper.withMavenWorkspace {
+				withMavenWorkspace {
 					mavenNonDefaultBuild buildEnv, """ \
 							clean install \
 					"""
@@ -290,7 +290,7 @@ stage('Non-default environments') {
 	environments.content.wildflyTck.enabled.each { WildFlyTckBuildEnvironment buildEnv ->
 		parameters.put(buildEnv.tag, {
 			runBuildOnNode {
-				helper.withMavenWorkspace {
+				withMavenWorkspace {
 					mavenNonDefaultBuild buildEnv, """ \
 							clean install \
 							-pl tck-runner \
@@ -305,14 +305,15 @@ stage('Non-default environments') {
 	environments.content.sigtest.enabled.each { SigTestBuildEnvironment buildEnv ->
 		parameters.put(buildEnv.tag, {
 			runBuildOnNode {
-				helper.withMavenWorkspace(jdk: buildEnv.jdkTool) {
+				withMavenWorkspace(jdk: buildEnv.jdkTool) {
 					mavenNonDefaultBuild buildEnv, """ \
 							clean install \
 							-pl tck-runner \
 							-Psigtest \
 							-Denforcer.skip=true \
 							-DskipTests=true -Dcheckstyle.skip=true \
 							-DdisableDistributionBuild=true -DdisableDocumentationBuild=true \
+							-Dscan=false -Dno-build-cache \
 					"""
 				}
 			}
@@ -333,7 +334,7 @@ stage('Sonar analysis') {
 	def sonarCredentialsId = helper.configuration.file?.sonar?.credentials
 	if (sonarCredentialsId) {
 		runBuildOnNode {
-			helper.withMavenWorkspace {
+			withMavenWorkspace {
 				if (enableDefaultBuild && enableDefaultBuildIT) {
 					unstash name: "default-build-jacoco-reports"
 				}
@@ -536,8 +537,8 @@ void mavenNonDefaultBuild(BuildEnvironment buildEnv, String args, String project
 	def testSuffix = buildEnv.tag.replaceAll('[^a-zA-Z0-9_\\-+]+', '_')
 
 	dir(projectPath) {
-		sh """ \
-				mvn -Dsurefire.environment=$testSuffix \
+		mvn """ \
+				-Dsurefire.environment=$testSuffix \
 						${toTestJdkArg(buildEnv)} \
 						--fail-at-end \
 						$args \
@@ -577,3 +578,52 @@ String toTestJdkArg(BuildEnvironment buildEnv) {
 
 	return args
 }
+
+void withMavenWorkspace(Closure body) {
+	withMavenWorkspace([:], body)
+}
+
+void withMavenWorkspace(Map args, Closure body) {
+	args.put("options", [
+			// Artifacts are not needed and take up disk space
+			artifactsPublisher(disabled: true),
+			// stdout/stderr for successful tests is not needed and takes up disk space
+			// we archive test results and stdout/stderr as part of the build scan anyway,
+			// see https://ge.hibernate.org/scans?search.rootProjectNames=Hibernate%20Validator
+			junitPublisher(disabled: true)
+	])
+	helper.withMavenWorkspace(args, body)
+}
+
+void mvn(String args) {
+	def develocityMainCredentialsId = helper.configuration.file?.develocity?.credentials?.main
+	def develocityPrCredentialsId = helper.configuration.file?.develocity?.credentials?.pr
+	if ( !helper.scmSource.pullRequest && develocityMainCredentialsId ) {
+		// Not a PR: we can pass credentials to the build, allowing it to populate the build cache
+		// and to publish build scans directly.
+		withCredentials([string(credentialsId: develocityMainCredentialsId,
+				variable: 'DEVELOCITY_ACCESS_KEY')]) {
+			withGradle { // withDevelocity, actually: https://plugins.jenkins.io/gradle/#plugin-content-capturing-build-scans-from-jenkins-pipeline
+				sh "mvn $args"
+			}
+		}
+	}
+	else if ( helper.scmSource.pullRequest && develocityPrCredentialsId ) {
+		// Pull request: we can't pass credentials to the build, since we'd be exposing secrets to e.g. tests.
+		// We do the build first, then publish the build scan separately.
+		tryFinally({
+			sh "mvn $args"
+		}, { // Finally
+			withCredentials([string(credentialsId: develocityPrCredentialsId,
+					variable: 'DEVELOCITY_ACCESS_KEY')]) {
+				withGradle { // withDevelocity, actually: https://plugins.jenkins.io/gradle/#plugin-content-capturing-build-scans-from-jenkins-pipeline
+					sh 'mvn develocity:build-scan-publish-previous || true'
+				}
+			}
+		})
+	}
+	else {
+		// No Develocity credentials.
+		sh "mvn $args"
+	}
+}

engine/pom.xml

@@ -25,6 +25,10 @@
         <hibernate-validator-parent.path>..</hibernate-validator-parent.path>
         <surefire.jvm.args.additional>-Duser.language=en -Duser.country=US</surefire.jvm.args.additional>
         <java.module.name>${hibernate-validator.module-name}</java.module.name>
+
+        <surefire.default.reportsDirectory>${project.build.directory}/surefire-reports/default</surefire.default.reportsDirectory>
+        <surefire.bytebuddy.reportsDirectory>${project.build.directory}/surefire-reports/bytebuddy</surefire.bytebuddy.reportsDirectory>
+
         <!--
             We want to skip the javadoc warnings for this module, since Jakarta Expression Language API is using proper modules,
             resulting in a warning like:
@@ -332,6 +336,7 @@
                             <includes>
                                 <include>**/ByteBuddy*Test</include>
                             </includes>
+                            <reportsDirectory>${surefire.bytebuddy.reportsDirectory}</reportsDirectory>
                         </configuration>
                     </execution>
                 </executions>

jenkins/nightly/Jenkinsfile

@@ -53,7 +53,8 @@ pipeline {
 								sh """mvn clean verify \
 									artifact:compare -Dreference.repo=hibernate-maven-central \
 									-Preproducibility-check \
-									--fail-at-end
+									--fail-at-end \
+									-Dscan=false -Dno-build-cache
 								"""
 							}
 						}
@@ -82,7 +83,8 @@ pipeline {
 								echo "Run a build with strict JAXP configuration."
 								sh """mvn clean install \
 									 -Dsurefire.jvm.args.jaxp.strict-args="-Djava.xml.config.file=$jaxpStrictProperties" \
-									 -Djava-version.test.release=23
+									 -Djava-version.test.release=23 \
+									 -Dscan=false -Dno-build-cache
 								"""
 							})
 						}

pom.xml

@@ -15,7 +15,7 @@
     <version>9.0.0-SNAPSHOT</version>
     <packaging>pom</packaging>
 
-    <name>Hibernate Validator Aggregator</name>
+    <name>Hibernate Validator</name>
     <url>https://hibernate.org/validator</url>
     <description>Aggregator of the Hibernate Validator modules.</description>
 
@@ -393,6 +393,7 @@
          -->
         <surefire.environment>default</surefire.environment>
         <jacoco.environment.sub-directory>${surefire.environment}</jacoco.environment.sub-directory>
+        <surefire.default.reportsDirectory>${project.build.directory}/surefire-reports</surefire.default.reportsDirectory>
 
         <arquillian.wildfly.jvm.args.add-opens></arquillian.wildfly.jvm.args.add-opens>
         <arquillian.wildfly.jvm.args.add-modules></arquillian.wildfly.jvm.args.add-modules>
@@ -980,6 +981,7 @@
                                  use the test Java home, not the Maven Java home -->
                             <JAVA_HOME>${java-version.test.launcher.java_home}</JAVA_HOME>
                         </environmentVariables>
+                        <reportsDirectory>${surefire.default.reportsDirectory}</reportsDirectory>
                     </configuration>
                     <dependencies>
                         <!--