[Misc] Reduce runner permissions
Summary: reduce arm runner permissions and update actions config

Testing: CI pipeline

Reviewers: D-D-H, sendaoYan

Issue: #651
Accelerator1996 committed Jul 9, 2024
1 parent cf827ca commit 933b25b
Showing 4 changed files with 523 additions and 227 deletions.
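--- a/.github/actions/build-serverless-adapter/action.yml
+++ b/.github/actions/build-serverless-adapter/action.yml
@@ -0,0 +1,63 @@
+#
+# Copyright (c) 2024 Alibaba Group Holding Limited. All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation. Alibaba designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+name: 'Build serverless-adapter'
+description: 'Build it using built JDK'
+inputs:
+jdk:
+description: 'Boot JDK'
+required: true
+
+runs:
+using: composite
+steps:
+- name: 'Checkout serverless-adapter source code'
+id: serverless_adapter_checkout
+uses: actions/checkout@v3
+with:
+repository: dragonwell-project/serverless-adapter-jdk8
+ref: main
+path: serverless-adapter
+
+- name: 'Get Maven'
+id: maven
+run: |
+mkdir -p /opt/maven
+wget https://dlcdn.apache.org/maven/maven-3/3.8.8/binaries/apache-maven-3.8.8-bin.tar.gz
+tar -xvf apache-maven-3.8.8-bin.tar.gz -C /opt/maven --strip-components=1
+echo "::set-output name=path::/opt/maven"
+shell: bash
+
+- name: 'Build serverless-adapter'
+id: serverless_adapter_build
+run: |
+export PATH=${{ inputs.jdk }}/bin:${{ steps.maven.outputs.path }}/bin:${PATH}
+JAVA_HOME=${{ inputs.jdk }} mvn package
+echo "::set-output name=path::${PWD}"
+shell: bash
+working-directory: serverless-adapter
+
+- name: 'Copy serverless-adapter into boot jdk'
+run: |
+mkdir -p ${{ inputs.jdk }}/lib/serverless
+cp -f ${{ steps.serverless_adapter_build.outputs.path }}/target/serverless-adapter-0.1.jar ${{ inputs.jdk }}/lib/serverless/serverless-adapter.jar
+cp -f ${{ steps.serverless_adapter_build.outputs.path }}/output/libloadclassagent.so ${{ inputs.jdk }}/lib/serverless/libloadclassagent.so
+shell: bash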
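Review bot: The 'Get Maven' step downloads `apache-maven-3.8.8-bin.tar.gz` with `wget` and unpacks it without checking a digest or signature, and the Maven it installs then builds code that is copied into the JDK image. Verify the archive before the `tar` line, for example `echo "<expected-sha512>  apache-maven-3.8.8-bin.tar.gz" | sha512sum -c -`, using the digest Apache publishes next to the release. The 'Get boot JDK' step in `.github/workflows/build-linux.yml` fetches its tarball the same way and needs the same check. The checkout of `dragonwell-project/serverless-adapter-jdk8` at `ref: main` is also a moving target; a full commit SHA there would tie the bundled `serverless-adapter.jar` to reviewed source.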
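--- a/.github/workflows/build-linux.yml
+++ b/.github/workflows/build-linux.yml
@@ -0,0 +1,143 @@
+#
+# Copyright (c) 2024 Alibaba Group Holding Limited. All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation. Alibaba designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+name: 'Build (linux)'
+
+on:
+workflow_call:
+inputs:
+platform:
+required: true
+type: string
+extra-conf-options:
+required: false
+type: string
+make-target:
+required: false
+type: string
+default: 'product-bundles test-bundles'
+debug-levels:
+required: false
+type: string
+default: '[ "fastdebug", "release" ]'
+gcc-major-version:
+required: false
+type: string
+gcc-package-suffix:
+required: false
+type: string
+default: ''
+apt-architecture:
+required: false
+type: string
+apt-extra-packages:
+required: false
+type: string
+configure-arguments:
+required: false
+type: string
+make-arguments:
+required: false
+type: string
+runs-on:
+required: true
+type: string
+
+jobs:
+build-linux:
+name: build
+runs-on: ${{fromJson(inputs.runs-on)}}
+
+strategy:
+fail-fast: false
+matrix:
+debug-level: ${{ fromJSON(inputs.debug-levels) }}
+include:
+- debug-level: release
+flags: --with-debug-level=release
+suffix: -release
+- debug-level: fastdebug
+flags: --with-debug-level=fastdebug
+suffix: -fastdebug
+steps:
+- name: 'Checkout the JDK source'
+uses: actions/checkout@v4
+
+- name: 'Update apt and download dependency'
+run: |
+sudo apt update -y
+sudo apt install -y libxtst-dev libxt-dev libxrender-dev libxrandr-dev libxi-dev libcups2-dev libfontconfig1-dev libasound2-dev unzip zip wget
+if: inputs.platform != 'linux-aarch64'
+
+- name: 'Get boot JDK'
+id: bootjdk
+run: |
+if [ "${{ inputs.platform }}" = "linux-x64" ]; then
+url=https://dragonwell.oss-cn-shanghai.aliyuncs.com/8.19.20/Alibaba_Dragonwell_Extended_8.19.20_x64_linux.tar.gz
+else
+url=https://dragonwell.oss-cn-shanghai.aliyuncs.com/8.19.20/Alibaba_Dragonwell_Extended_8.19.20_aarch64_linux.tar.gz
+fi
+wget ${url} -O jdk.tar.gz
+mkdir -p ${PWD}/jdk-8
+tar zxvf jdk.tar.gz -C ${PWD}/jdk-8/ --strip-components=1
+rm -rf jdk.tar.gz
+echo "::set-output name=path::${PWD}/jdk-8"
+shell: bash
+
+- name: 'Configure'
+run: >
+bash configure
+--with-conf-name=${{ inputs.platform }}
+${{ matrix.flags }}
+--with-boot-jdk=${{ steps.bootjdk.outputs.path }}
+--with-cacerts-file=${PWD}/common/security/cacerts
+--with-milestone=fcs
+--enable-unlimited-crypto || (
+echo "Dumping config.log:" &&
+cat config.log &&
+exit 1)
+shell: bash
+
+- name: 'Build'
+id: build
+run: |
+make ${{ inputs.make-target }} CONF_NAME=${{ inputs.make-arguments }}${{ matrix.suffix }}
+echo "::set-output name=path::${PWD}/build/${{ inputs.make-arguments }}${{ matrix.suffix }}/images/j2sdk-image"
+shell: bash
+
+- name: 'Build Serverless Adapter'
+uses: ./.github/actions/build-serverless-adapter
+with:
+jdk: ${{ steps.build.outputs.path }}
+
+- name: 'Compress bundles'
+id: compress_bundles
+run: |
+tar zcvf ${PWD}/bundles.tar.gz -C ${{ steps.build.outputs.path }}
+echo "::set-output name=path::${PWD}/bundles.tar.gz"
+shell: bash
+
+- name: 'Upload bundles'
+uses: actions/upload-artifact@v3
+with:
+name: bundles-${{ inputs.platform }}${{ matrix.suffix }}
+path: ${{ steps.compress_bundles.outputs.path }}
+retention-days: 3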
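Review bot: The `run:` scripts of 'Get boot JDK', 'Configure' and 'Build' expand `${{ inputs.platform }}`, `${{ inputs.make-target }}` and `${{ inputs.make-arguments }}` directly into bash, so the caller's strings become script text before the shell parses them. The calling workflow is not part of this file, so whether any of these values can originate from a pull request or a manual dispatch cannot be confirmed here; `runs-on` is caller-supplied as well, so the job may run on a machine that outlives it. Pass the values through the step's `env:` and use them as shell variables, e.g. `MAKE_TARGET: ${{ inputs.make-target }}` (and `CONF_NAME` likewise) with `make ${MAKE_TARGET} CONF_NAME="${CONF_NAME}"` in the script. Separately, as rendered here the `tar zcvf` line in 'Compress bundles' ends at `-C ${{ steps.build.outputs.path }}` and names nothing to archive, which is worth checking against the file.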
51 changes: 47 additions & 4 deletions .github/workflows/check_pr.yml
@@ -1,5 +1,5 @@
#
# Copyright (c) 2019 Alibaba Group Holding Limited. All Rights Reserved.
# Copyright (c) 2024 Alibaba Group Holding Limited. All Rights Reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
Expand All @@ -19,13 +19,56 @@
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

name: Dragonwell_8_commit_style_check
name: Prerequisites

on: [pull_request]
on:
workflow_call:
inputs:
platforms:
required: true
type: string
outputs:
should_run:
value: ${{ jobs.prerequisites.outputs.should_run }}
bundle_id:
value: ${{ jobs.prerequisites.outputs.bundle_id }}
platform_linux_x64:
value: ${{ jobs.prerequisites.outputs.platform_linux_x64 }}
platform_linux_aarch64:
value: ${{ jobs.prerequisites.outputs.platform_linux_aarch64 }}

jobs:
check_commit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: dragonwell-releng/check_commit_action@master
- uses: dragonwell-releng/check_commit_action@master
if: github.event_name == 'pull_request'

prerequisites:
name: 'Prerequisites'
runs-on: ubuntu-latest
outputs:
should_run: ${{ steps.check_submit.outputs.should_run }}
bundle_id: ${{ steps.check_bundle_id.outputs.bundle_id }}
platform_linux_x64: ${{ steps.check_platforms.outputs.platform_linux_x64 }}
platform_linux_aarch64: ${{ steps.check_platforms.outputs.platform_linux_aarch64 }}

steps:
- name: 'Check if submit tests should actually run depending on secrets and manual triggering'
id: check_submit
run: echo "::set-output name=should_run::${{ inputs.platforms != '' || (!secrets.JDK_SUBMIT_FILTER || startsWith(github.ref, 'refs/heads/submit/')) }}"

- name: 'Check which platforms should be included'
id: check_platforms
run: |
echo "::set-output name=platform_linux_x64::${{ contains(inputs.platforms, 'linux x64') || (inputs.platforms == '') }}"
echo "::set-output name=platform_linux_aarch64::${{ contains(inputs.platforms, 'linux aarch64') || (inputs.platforms == '') }}"
echo "::set-output name=platform_windows_x64::${{ contains(inputs.platforms, 'windows x64') || (inputs.platforms == '') }}"
echo "::set-output name=platform_riscv64::${{ contains(inputs.platforms, 'riscv64') || (inputs.platforms == '') }}"
if: steps.check_submit.outputs.should_run != false

- name: 'Determine unique bundle identifier'
id: check_bundle_id
run: echo "::set-output name=bundle_id::${GITHUB_ACTOR}_${GITHUB_SHA:0:8}"
if: steps.check_submit.outputs.should_run != 'false'
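Review bot: The `if:` on the 'Check which platforms should be included' step compares `steps.check_submit.outputs.should_run` with the boolean `false`, while the 'Determine unique bundle identifier' step compares the same output with the string `'false'`. Step outputs are strings, and under the documented coercion rules for mismatched types the unquoted comparison does not match the value `false`, so the platform step runs even when the gate says it should not; use `if: steps.check_submit.outputs.should_run != 'false'` in both places. The same step also emits `platform_windows_x64` and `platform_riscv64`, which the job's `outputs:` do not export. Since `check_commit` still runs `dragonwell-releng/check_commit_action@master`, pinning that action to a full commit SHA would fit the stated aim of this commit.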