diff --git a/.github/workflows/address_undefined_behavior_leak_sanitizer.yml b/.github/workflows/address_undefined_behavior_leak_sanitizer.yml index e68875e2..9117222b 100644 --- a/.github/workflows/address_undefined_behavior_leak_sanitizer.yml +++ b/.github/workflows/address_undefined_behavior_leak_sanitizer.yml @@ -25,6 +25,8 @@ on: jobs: build_and_test_asan_ubsan_lsan: runs-on: ubuntu-24.04 + permissions: + contents: read steps: - name: Checkout repository uses: actions/checkout@v4.2.2 diff --git a/.github/workflows/automated_release.yml b/.github/workflows/automated_release.yml index 619917b2..92633b1e 100644 --- a/.github/workflows/automated_release.yml +++ b/.github/workflows/automated_release.yml @@ -45,6 +45,12 @@ jobs: echo "Release version tag: $RELEASE_VERSION" echo "release-tag=$RELEASE_VERSION" >> $GITHUB_OUTPUT + - name: Delete trigger tag + run: | + gh api repos/${{ github.repository }}/git/refs/tags/${{ github.ref_name }} -X DELETE + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Create draft release id: create-release uses: softprops/action-gh-release@v2 @@ -65,7 +71,6 @@ jobs: uses: ./.github/workflows/build_and_test_qnx.yml permissions: contents: read - pull-requests: read secrets: SCORE_QNX_LICENSE: ${{ secrets.SCORE_QNX_LICENSE }} SCORE_QNX_USER: ${{ secrets.SCORE_QNX_USER }} 
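Review bot: In the new `Delete trigger tag` step, `${{ github.ref_name }}` is substituted into the script text before the shell parses it, so a tag name containing shell metacharacters would be read as shell syntax in a step whose token can delete refs. Pass the value through the environment instead: add `TAG_NAME: ${{ github.ref_name }}` under `env:` and call `gh api "repos/${GITHUB_REPOSITORY}/git/refs/tags/${TAG_NAME}" -X DELETE`. The same inline-expression pattern appears with the release tag in `gh release upload` (upload-coverage-report) and `gh release delete` (delete-release-on-failure) in the later hunks of this file. How that output is derived from the pushed tag is only partly visible here, so treat those as the same class of issue until confirmed otherwise.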
@@ -81,11 +86,27 @@ jobs: run-coverage-report: needs: create-draft-release - uses: ./.github/workflows/release_coverage_report.yml - with: - release_tag: ${{ needs.create-draft-release.outputs.release-tag }} + uses: ./.github/workflows/coverage_report.yml + + upload-coverage-report: + needs: + - create-draft-release + - run-coverage-report + runs-on: ubuntu-24.04 permissions: contents: write + steps: + - name: Download coverage report artifact + uses: actions/download-artifact@v4 + with: + name: ${{ needs.run-coverage-report.outputs.artifact-name }} + path: ./ + + - name: Upload coverage report to existing draft release + run: | + gh release upload "${{ needs.create-draft-release.outputs.release-tag }}" "${{ needs.run-coverage-report.outputs.artifact-name }}.zip" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} finalize-release: runs-on: ubuntu-24.04 
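Review bot: `run-coverage-report` is left without a `permissions:` block, because the `contents: write` that used to sit under it now belongs to `upload-coverage-report`. The reusable coverage workflow therefore inherits whatever the workflow-level default is, which is not visible in this hunk. The QNX caller in this file pins `contents: read`; do the same here by adding `permissions:` and `contents: read` under `run-coverage-report`. Because a called workflow can only narrow the caller's token, the job-level `contents: write` in coverage_report.yml has to be lowered in the same change.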
@@ -96,46 +117,30 @@ jobs: - run-thread-sanitizer - run-address-sanitizer - run-coverage-report - if: always() + - upload-coverage-report + if: ${{ success() }} permissions: contents: write steps: - name: Checkout repository uses: actions/checkout@v4.2.2 - - name: Check workflow results - id: check-results + - name: Report success + if: steps.check-results.outputs.all-success == 'true' run: | - RESULT_HOST="${{ needs.run-build-and-test-host.result }}" - RESULT_QNX="${{ needs.run-build-and-test-qnx.result }}" - RESULT_TSAN="${{ needs.run-thread-sanitizer.result }}" - RESULT_ASAN="${{ needs.run-address-sanitizer.result }}" - RESULT_COVERAGE="${{ needs.run-coverage-report.result }}" - - echo "Build and test host: $RESULT_HOST" - echo "Build and test QNX: $RESULT_QNX" - echo "Thread sanitizer: $RESULT_TSAN" - echo "Address sanitizer: $RESULT_ASAN" - echo "Coverage report: $RESULT_COVERAGE" - - if [[ "$RESULT_HOST" == "success" ]] && \ - [[ "$RESULT_QNX" == "success" ]] && \ - [[ "$RESULT_TSAN" == "success" ]] && \ - [[ "$RESULT_ASAN" == "success" ]] && \ - [[ "$RESULT_COVERAGE" == "success" ]]; then - echo "all-success=true" >> $GITHUB_OUTPUT - else - echo "all-success=false" >> $GITHUB_OUTPUT - fi + echo "All workflows succeeded. Draft release ${{ needs.create-draft-release.outputs.release-tag }} is ready for manual publishing." - - name: Delete trigger tag - run: | - gh api repos/${{ github.repository }}/git/refs/tags/${{ github.ref_name }} -X DELETE - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + delete-release-on-failure: + runs-on: ubuntu-24.04 + needs: create-draft-release + if: ${{ failure() || cancelled() }} + permissions: + contents: write + steps: + - name: Checkout repository + uses: actions/checkout@v4.2.2 - - name: Delete draft release (on failure) - if: steps.check-results.outputs.all-success == 'false' + - name: Delete draft release due to failure run: | gh release delete ${{ needs.create-draft-release.outputs.release-tag }} --yes env: 
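Review bot: `delete-release-on-failure` lists only `create-draft-release` under `needs`, and `failure()` in a job-level `if` looks only at jobs in the needs chain. A failing build, sanitizer or coverage job will therefore not trigger the cleanup, and the draft release stays available for manual publishing. If `create-draft-release` itself fails, the job does run, but with a release tag that may be empty. List every validation job under `needs` and only delete when the draft was actually created. The job's steps continue past the end of this hunk.

```yaml
  delete-release-on-failure:
    runs-on: ubuntu-24.04
    needs:
      - create-draft-release
      - run-build-and-test-host
      - run-build-and-test-qnx
      - run-thread-sanitizer
      - run-address-sanitizer
      - run-coverage-report
      - upload-coverage-report
    if: ${{ (failure() || cancelled()) && needs.create-draft-release.result == 'success' }}
    # … unchanged: permissions, checkout and delete-draft-release steps …
```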
@@ -144,10 +149,5 @@ jobs: - name: Report failure if: steps.check-results.outputs.all-success == 'false' run: | - echo "❌ One or more workflows failed. Draft release has been deleted." - exit 1 - - - name: Report success - if: steps.check-results.outputs.all-success == 'true' - run: | - echo "✅ All workflows succeeded. Draft release ${{ needs.create-draft-release.outputs.release-tag }} is ready for manual publishing." + echo "One or more workflows failed. Draft release has been deleted." + exit 1 \ No newline at end of file diff --git a/.github/workflows/build_and_test_host.yml b/.github/workflows/build_and_test_host.yml index 88c889d2..395b049f 100644 --- a/.github/workflows/build_and_test_host.yml +++ b/.github/workflows/build_and_test_host.yml @@ -28,6 +28,8 @@ jobs: matrix: toolchain: ["@llvm_toolchain//:cc-toolchain-x86_64-linux", "@gcc_toolchain//:host_gcc_12"] runs-on: ubuntu-24.04 + permissions: + contents: read steps: - name: Checkout repository uses: actions/checkout@v4.2.2 diff --git a/.github/workflows/build_and_test_qnx.yml b/.github/workflows/build_and_test_qnx.yml index 123b844c..23e6da22 100644 --- a/.github/workflows/build_and_test_qnx.yml +++ b/.github/workflows/build_and_test_qnx.yml @@ -48,7 +48,6 @@ jobs: runs-on: ubuntu-24.04 permissions: contents: read - pull-requests: read steps: - name: Checkout repository uses: actions/checkout@v4.2.2 diff --git a/.github/workflows/release_coverage_report.yml b/.github/workflows/coverage_report.yml similarity index 78% rename from .github/workflows/release_coverage_report.yml rename to .github/workflows/coverage_report.yml index f28797af..8e635a53 100644 --- a/.github/workflows/release_coverage_report.yml +++ b/.github/workflows/coverage_report.yml 
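Review bot: The `Report failure` step still has `if: steps.check-results.outputs.all-success == 'false'`, but the `check-results` step is removed in the previous hunk. The expression now evaluates to an empty string, so the step and its `exit 1` never run. `Report success` in `finalize-release` has the same dangling reference, with `== 'true'`. Both jobs are already gated at job level, so drop the two step-level `if:` lines. The enclosing job starts outside this hunk, and the file now ends without a trailing newline.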
@@ -13,18 +13,21 @@ name: Coverage Report on: + pull_request: + types: [ opened, reopened, synchronize ] workflow_call: - inputs: - release_tag: - description: 'Release tag to upload artifacts to' - required: true - type: string + outputs: + artifact-name: + description: 'Name of the coverage report artifact' + value: ${{ jobs.coverage-report.outputs.artifact-name }} jobs: coverage-report: runs-on: ubuntu-24.04 permissions: contents: write # required to upload release assets + outputs: + artifact-name: ${{ steps.set-artifact-name.outputs.artifact-name }} steps: - name: Checkout Repository @@ -66,18 +69,18 @@ jobs: mkdir -p artifacts find bazel-testlogs/score/ -name 'test.xml' -print0 | xargs -0 -I{} cp --parents {} artifacts/ cp -r cpp_coverage artifacts/ - zip -r ${{ github.event.repository.name }}_coverage_report.zip artifacts/ + zip -r ${{ github.event.repository.name }}_coverage_report_${{ github.sha }}.zip artifacts/ shell: bash + - name: Set artifact name + id: set-artifact-name + run: | + echo "artifact-name=${{ github.event.repository.name }}_coverage_report_${{ github.sha }}" >> $GITHUB_OUTPUT + - name: Upload coverage artifacts uses: actions/upload-artifact@v4 with: - name: ${{ github.event.repository.name }}_coverage_report.zip - path: ${{ github.event.repository.name }}_coverage_report.zip + name: ${{ steps.set-artifact-name.outputs.artifact-name }} + path: ${{ github.event.repository.name }}_coverage_report_${{ github.sha }}.zip + - - name: Upload coverage report to existing draft release - run: | - # Upload the file to the existing release - gh release upload "${{ inputs.release_tag }}" "${{ github.event.repository.name }}_coverage_report.zip" - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/thread_sanitizer.yml b/.github/workflows/thread_sanitizer.yml index 2278d77f..2a5b810f 100644 --- a/.github/workflows/thread_sanitizer.yml +++ b/.github/workflows/thread_sanitizer.yml 
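Review bot: The `coverage-report` job keeps `contents: write # required to upload release assets`, although this change removes the release upload from the workflow and adds a `pull_request` trigger. Pull requests from branches in this repository would then build and run tests with a write-capable token for no visible reason. Change the line to `contents: read` and drop the stale comment; `actions/upload-artifact` does not depend on repository write access. The steps between the two hunks of this file are not visible, so confirm none of them writes to the repository.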
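Review bot: The artifact base name is spelled out three times: in the `zip` command, in the `Set artifact name` step and in `path:`. `upload-coverage-report` in automated_release.yml rebuilds the file name by appending `.zip` to the output, so all copies must stay identical for the release upload to find the file. Move `Set artifact name` ahead of the step that runs `zip` and reuse its output, e.g. `path: ${{ steps.set-artifact-name.outputs.artifact-name }}.zip`. On `pull_request` runs `github.sha` is the merge commit rather than the PR head, which affects how a report name maps back to a commit.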
@@ -24,6 +24,8 @@ on: jobs: build_and_test_tsan: runs-on: ubuntu-24.04 + permissions: + contents: read steps: - name: Checkout repository uses: actions/checkout@v4.2.2