chore: build refactor for fork security

sgammon · Aug 14, 2023 · 6159d98 · 6159d98
1 parent 09b7e0d
commit 6159d98
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 164 deletions.
diff --git a/.github/workflows/module.build.yml b/.github/workflows/module.build.yml
@@ -16,6 +16,12 @@ name: "Build"
         type: boolean
         default: false
 
+      ## Whether to run tests
+      tests:
+        description: "Run Tests"
+        type: boolean
+        default: true
+
       ## Bazel version to use
       bazel_version:
         description: "Bazel version"
@@ -42,6 +48,10 @@ name: "Build"
         description: "Enable Bzlmod"
         type: boolean
         default: false
+      tests:
+        description: "Run Tests"
+        type: boolean
+        default: true
       labs:
         description: "Skip Failures"
         type: boolean
@@ -98,10 +108,58 @@ jobs:
           echo "build --remote_header=x-buildbuddy-api-key=${{ secrets.BUILDBUDDY_APIKEY }}" >> local.bazelrc
           echo "build --remote_header=x-api-key=${{ secrets.BUILDLESS_APIKEY }}" >> local.bazelrc
       - name: "Configure: Bzlmod"
-        if: ${{ inputs.bzlmod }}
+        if: inputs.bzlmod
         run: |
           echo "build --config=bzlmod" >> local.bazelrc
-      - name: "Build: Example"
+      - name: "Build: Project"
+        continue-on-error: ${{ inputs.labs }}
+        shell: bash
+        run: bazel build --config=ci "//..."
+      - name: "Test: Example"
+        if: inputs.tests
         continue-on-error: ${{ inputs.labs }}
         shell: bash
         run: bazel build --config=ci "//..."
+
+  integration-tests:
+    name: "Test: ${{ matrix.label }} (${{ inputs.label || 'Rules' }})"
+    runs-on: ${{ inputs.runner || 'ubuntu-latest' }}
+    continue-on-error: ${{ inputs.labs || matrix.labs }}
+    needs: ["build"]
+    if: inputs.tests
+    strategy:
+      fail-fast: false
+      matrix:
+        label: ["BCR"]
+        target: ["//sample"]
+        action: ["build"]
+        directory: ["./example/integration_tests/bzlmod"]
+        labs: [false]
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        with:
+          egress-policy: audit
+      - name: "Setup: Checkout"
+        uses: actions/checkout@v3
+      - name: "Setup: msbuild"
+        uses: microsoft/setup-msbuild@v1.1
+        if: ${{ contains(inputs.runner, 'windows') }}
+      - name: "Setup: Bazel"
+        uses: bazelbuild/setup-bazelisk@v2
+      - name: "Setup: Cache"
+        uses: actions/cache@v3
+        with:
+          path: "~/.cache/bazel"
+          key: bazel-v2
+      - name: "Configure: Bazel Version"
+        shell: bash
+        if: inputs.bazel_version != '' && inputs.bazel_config != ''
+        run: |
+          echo "${{ inputs.bazel_version }}" > .bazelversion
+          echo "import %workspace%/tools/bazel/${{ inputs.bazel_config }}.bazelrc" > version.bazelrc
+      - name: "Build: ${{ matrix.label }}"
+        continue-on-error: ${{ inputs.labs }}
+        working-directory: ${{ matrix.directory }}
+        shell: bash
+        run: bazel ${{ matrix.action || 'build' }} "${{ matrix.target || '//...' }}"
diff --git a/.github/workflows/module.test.yml b/.github/workflows/module.test.yml
diff --git a/.github/workflows/on.pr.yml b/.github/workflows/on.pr.yml
@@ -34,7 +34,7 @@ jobs:
 
   test:
     name: "Test (${{ matrix.label }})"
-    uses: ./.github/workflows/module.test.yml
+    uses: ./.github/workflows/module.build.yml
     strategy:
       fail-fast: false
       matrix:

diff --git a/.github/workflows/on.push.yml b/.github/workflows/on.push.yml
@@ -2,6 +2,7 @@
 name: "CI"
 
 "on":
+  ## Events: Pushes on Main
   push:
     branches:
       - main
@@ -14,49 +15,21 @@ name: "CI"
 
 jobs:
   build:
-    name: "Build"
+    name: "Build (${{ matrix.label }})"
     uses: ./.github/workflows/module.build.yml
     strategy:
       fail-fast: false
       matrix:
         runner: [ubuntu-latest, windows-latest, macos-latest]
         include:
           - runner: ubuntu-latest
-            label: Ubuntu
+            label: Ubuntu - Standard
             bzlmod: true
             labs: false
-          - runner: windows-latest
-            label: Windows
-            bzlmod: false
-            labs: true
-          - runner: macos-latest
-            label: macOS
-            bzlmod: false
-            labs: false
-
-    secrets: inherit
-    with:
-      runner: ${{ matrix.runner }}
-      label: ${{ matrix.label }}
-      bzlmod: ${{ matrix.bzlmod }}
-      labs: ${{ matrix.labs }}
-
-  test:
-    name: "Test"
-    needs: ["build"]
-    uses: ./.github/workflows/module.test.yml
-    strategy:
-      fail-fast: false
-      matrix:
-        runner: [ubuntu-latest, windows-latest, macos-latest]
-        include:
-          - runner: ubuntu-latest
-            label: Ubuntu
-            labs: false
           - runner: ubuntu-latest
             label: Ubuntu - Bzlmod
             bzlmod: true
-            labs: true
+            labs: false
           - runner: windows-latest
             label: Windows
             bzlmod: false
@@ -72,3 +45,4 @@ jobs:
       label: ${{ matrix.label }}
       bzlmod: ${{ matrix.bzlmod }}
       labs: ${{ matrix.labs }}
+      tests: true