Build dev releases #93
| name: Build dev releases | |
| # Builds Nextflow from nextflow-io/nextflow (tracked branches + recently | |
| # updated open PRs) and publishes the artifacts as pre-releases in this repo. | |
| # | |
| # Security note: PR builds execute untrusted code (gradle build scripts), so | |
| # the `build` job runs with a read-only token and no secrets. Publishing | |
| # happens in a separate job that never executes code from the source repo. | |
| on: | |
| schedule: | |
| - cron: '7,37 * * * *' | |
| workflow_dispatch: | |
| inputs: | |
| pr: | |
| description: 'Pull request number in nextflow-io/nextflow to build' | |
| required: false | |
| type: string | |
| branch: | |
| description: 'Branch in nextflow-io/nextflow to build' | |
| required: false | |
| type: string | |
| # Serialize runs so concurrent publishes don't race on git pushes | |
| concurrency: | |
| group: dev-builds | |
| cancel-in-progress: false | |
| env: | |
| SOURCE_REPO: nextflow-io/nextflow | |
| PR_ACTIVITY_WINDOW_DAYS: 7 | |
| jobs: | |
| plan: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| outputs: | |
| matrix: ${{ steps.plan.outputs.matrix }} | |
| any: ${{ steps.plan.outputs.any }} | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false | |
| - name: Determine builds needed | |
| id: plan | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| INPUT_PR: ${{ inputs.pr }} | |
| INPUT_BRANCH: ${{ inputs.branch }} | |
| run: .github/scripts/plan-builds.sh | |
| build: | |
| needs: plan | |
| if: needs.plan.outputs.any == 'true' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 60 | |
| permissions: | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| max-parallel: 3 | |
| matrix: ${{ fromJson(needs.plan.outputs.matrix) }} | |
| name: build ${{ matrix.version }} | |
| env: | |
| MATRIX_KIND: ${{ matrix.kind }} | |
| MATRIX_CHANNEL: ${{ matrix.channel }} | |
| MATRIX_SHA: ${{ matrix.sha }} | |
| MATRIX_VERSION: ${{ matrix.version }} | |
| steps: | |
| - name: Checkout ${{ env.SOURCE_REPO }}@${{ matrix.ref }} | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| repository: nextflow-io/nextflow | |
| ref: ${{ matrix.ref }} | |
| persist-credentials: false | |
| - name: Verify commit | |
| run: | | |
| actual=$(git rev-parse HEAD) | |
| if [ "$actual" != "$MATRIX_SHA" ]; then | |
| echo "::error::Head moved since planning: expected $MATRIX_SHA, got $actual. The next scheduled run will pick up the new commit." | |
| exit 1 | |
| fi | |
| - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 | |
| with: | |
| distribution: temurin | |
| java-version: 21 | |
| cache: gradle | |
| - name: Set dev version | |
| run: echo "$MATRIX_VERSION" > VERSION | |
| - name: Build distribution | |
| run: | | |
| ./gradlew buildInfo releaseInfo | |
| BUILD_PACK=1 ./gradlew pack | |
| - name: Stage release assets | |
| run: | | |
| set -euo pipefail | |
| mkdir stage | |
| cp "build/releases/nextflow-$MATRIX_VERSION-one.jar" stage/ | |
| cp "build/releases/nextflow-$MATRIX_VERSION-dist" stage/ | |
| cp nextflow stage/nextflow | |
| (cd stage && sha256sum * > checksums.sha256) | |
| jq -n \ | |
| --arg kind "$MATRIX_KIND" --arg channel "$MATRIX_CHANNEL" \ | |
| --arg sha "$MATRIX_SHA" --arg version "$MATRIX_VERSION" \ | |
| '{kind:$kind, channel:$channel, sha:$sha, version:$version}' \ | |
| > stage/meta.json | |
| - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: ${{ matrix.version }} | |
| path: stage | |
| retention-days: 3 | |
| publish: | |
| needs: [plan, build] | |
| # always() so that successful builds publish even when a sibling matrix entry failed | |
| if: always() && needs.plan.outputs.any == 'true' && needs.build.result != 'skipped' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| steps: | |
| # credentials stay on disk because this job pushes pointer-file updates | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # zizmor: ignore[artipacked] | |
| - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| path: artifacts | |
| - name: Publish releases | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: .github/scripts/publish-releases.sh artifacts |
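Review bot: The `publish` job holds `contents: write` yet every byte it consumes from `artifacts/` — the jars, `checksums.sha256` and `stage/meta.json` — was assembled in the `Stage release assets` step on a runner that had already executed the checked-out repository's `./gradlew` build in the step before, so the header's guarantee that publishing "never executes code from the source repo" only holds if `.github/scripts/publish-releases.sh` (not part of this change) treats the artifact as untrusted data rather than as the trusted `MATRIX_*` values it appears to echo. The `kind`, `channel`, `sha` and `version` fields should be matched against a strict pattern in that script before being used to form tag names, file paths or git refs, and the checksum file should not be relied on as an integrity signal since it was produced in the same untrusted context. Making this contract visible at the download step would help the next maintainer: `# Artifact contents (jars, checksums, meta.json) were produced after untrusted PR build scripts ran; publish-releases.sh must validate every field before use.` Separately, `cache: gradle` on `setup-java` lets a PR build populate the Gradle cache that later tracked-branch builds restore on the same default-branch cache scope, which is presumably worth excluding for `kind` values that correspond to PRs so a poisoned cache cannot influence branch artifacts — confirm against the cache-key behaviour of the pinned action.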