Security: CI Hardening #31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Full CI matrix on all pushes to master branch, and all PRs | |
| name: Java CI | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| push: | |
| branches: | |
| - master | |
| permissions: | |
| contents: read | |
| env: | |
| ANT_OPTS: -Djava.security.manager=allow | |
| jobs: | |
| test: | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| java: [8, 11, 17, 21] | |
| os: [ubuntu-latest, macos-latest] | |
| # Run all tests even if one fails | |
| fail-fast: false | |
| name: Test JDK ${{ matrix.java }}, ${{ matrix.os }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | |
| - name: Set up JDK | |
| uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 | |
| with: | |
| java-version: ${{ matrix.java }} | |
| distribution: 'zulu' | |
| - name: Linux requirements | |
| if: contains(matrix.os, 'ubuntu') | |
| run: sudo apt-get -y install texinfo | |
| - name: macOS requirements | |
| if: contains(matrix.os, 'macos') | |
| run: | | |
| brew update | |
| brew install automake --force | |
| brew install libtool --force | |
| brew install texinfo --force | |
| - name: Checkstyle | |
| if: contains(matrix.os, 'ubuntu') && contains(matrix.java, '8') | |
| run: | | |
| ant checkstyle | |
| ant dist | |
| - name: Build with Ant | |
| run: | | |
| ant test | |
| ant test-platform | |
| - name: Local Deploy | |
| run: ant deploy-local | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: jna-maven-bundle-${{ matrix.os }}-jdk${{ matrix.java }}-${{ github.sha }} | |
| path: build/stage | |
| if-no-files-found: error | |
| retention-days: 14 | |
| compression-level: 1 | |
| overwrite: true | |
| test-m1: | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| java: [21] | |
| # macos-14 is documented to run on m1 | |
| # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories | |
| os: [macos-14] | |
| # Run all tests even if one fails | |
| fail-fast: true | |
| name: Test JDK ${{ matrix.java }}, ${{ matrix.os }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | |
| - name: Set up JDK | |
| uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 | |
| with: | |
| java-version: ${{ matrix.java }} | |
| distribution: 'zulu' | |
| - name: Linux requirements | |
| if: contains(matrix.os, 'ubuntu') | |
| run: sudo apt-get -y install texinfo | |
| - name: macOS requirements | |
| if: contains(matrix.os, 'macos') | |
| run: | | |
| brew update | |
| brew install automake --force | |
| brew install libtool --force | |
| brew install texinfo --force | |
| - name: Run test | |
| run: | | |
| ant test | |
| ant test-platform |