Test download artifacts #192
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow validate Leshan Contribution. | |
| # We execute each step of the build separatly to be able to provide some feedback on failure as a PR comment. | |
| # | |
| # This jobs will be executed automatically on untrusted contribution and so have very limited right. | |
| # It will just store some very validation status in a "build_status.properties" file as workflow artifact. | |
| # | |
| # Then this artifact will be reused by a priviledged job to add comment to the PR (See "Comment Pull Request" workflow) | |
| # | |
| # See: | |
| # - https://github.com/eclipse/leshan/issues/1314 | |
| # - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
| name: Check Pull Request | |
| permissions: {} # Remove all permissions as this workflow which run untrusted code from PR | |
| on: | |
| pull_request: | |
| branches: [ "master" ] | |
| types: [synchronize, opened, reopened, ready_for_review] | |
| env: | |
| build_status_filename: "build_status" | |
| pr_id_key: "pullrequestid" | |
| run_id_key: "runid" | |
| build_status_key: "buildstatus" | |
| jobs: | |
| build: | |
| # don't run this workflow in forks | |
| if: github.event.pull_request.draft == false | |
| name : Code Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| - name: Set up JDK 11 | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: '11' | |
| distribution: 'temurin' | |
| cache: maven | |
| # ------------- Begin of : Build Steps ------------- | |
| - name: Check No Merge Commit | |
| id: nomerge | |
| uses: ./.github/actions/nomerge | |
| with: | |
| build_status_filename: ${{env.build_status_filename}} | |
| - name: POM Format Check | |
| id: sortpom | |
| if: always() | |
| uses: ./.github/actions/sortpom | |
| with: | |
| build_status_filename: ${{env.build_status_filename}} | |
| # ------------- End of : Build Steps ------------- | |
| # Store Data to be able to add comment in "Comment Pull Request" workflow | |
| # See : https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
| - name: Store Variables for "Comment Pull Request" Workflow | |
| if: always() | |
| # unstrusted action use commit ID instead of version | |
| uses: GuillaumeFalourd/write-java-properties-file@c6762204aa02d62718ed285bca4cbcc400c65a10 #v1 | |
| with: | |
| file_path: ${{env.build_status_filename}} | |
| property: | | |
| ${{env.pr_id_key}} | |
| ${{env.run_id_key}} | |
| ${{env.build_status_key}} | |
| value: | | |
| ${{ github.event.number }} | |
| ${{ github.run_id }} | |
| ${{ job.status }} | |
| - name: Upload Build Status File for "Comment Pull Request" Workflow | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{env.build_status_filename}} | |
| path: ${{env.build_status_filename}} |