- Notifications
You must be signed in to change notification settings - Fork2
Secure reusable build infrastructure
License
elide-dev/build-infra
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
Each workflow profile is defined in this repository as a GitHub Workflow, using YAML. In some cases, workflows are pairedwith a container image which includes the tools which are used by the workflow. The image typically isn't required (unlessnoted) but may vastly speed up builds by pre-including tools.
For an exhaustive list of build profiles and their use, see the table further down.
Containers: Container image definitions which are used byactions andworkflows; some ofthese can also be used directly in downstream workflows.
Actions: Custom GitHub Actions for use in Elide codebases. Actions are used like any other GitHub Action,but with references to this repository instead.
Workflows: Custom YAML workflow definitions for use in Elide codebases. Workflows are used as external
workflow_calltargets.Gradle: Gradle build conventions which are re-usable across projects, as a suite of easily applicable build conventionplugins and version catalogs.
In a.github/workflows/<x>.yml:
# ...jobs:## Build containerbuild-a-container:name:"Image"uses:elide-dev/build-infra/.github/workflows/container.yml@mainsecrets:inheritpermissions:checks:writeid-token:writecontents:readpackages:writepull-requests:writewith:image:elide-dev/build-infra/gvmpath:containers/gvmpush:${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
The above job uses thecontainer.yml "build profile" (see all profiles listed below). By using the re-usable workflow, yougain consistency:
- Repository authentication is handled for you
- Intelligent platform selection (with override)
- Consistent tagging and labeling of images
- Underlying Github Actions updates happen without repo commits
| Name | Description |
|---|---|
android.yml | Build an Android app with Gradle |
container.yml | Build and push a container image |
jvm.gradle.yml | Run a Gradle build targeting JVM |
jvm.maven.yml | Run a Maven build targeting JVM |
bazel.yml | Build targets with Bazel |
See below for documentation about reusable workflow inputs.
See below for an exhaustive list of all inputs for each build profile. You can use these inputs in thewith: {} block of your workflow invocation.
- Description: Consistently build properly tagged container images in sync with source control
- Workflow:
.github/workflows/container.yml
| Name | Type | Description | Default value |
|---|---|---|---|
image* | string | Image coordinate to build | (None. Required.) |
auth | boolean | Whether to authenticate | true |
dockerfile | string | Full path to Dockerfile to build | "Dockerfile" |
path | string | Docker context path for build | "." |
platforms | string | Architectures/platforms to build | "linux/amd64,linux/arm64" |
push | boolean | Whether to push after building | false |
registry | string | Whether to push after building | "ghcr.io" |
runner | string | Runner to use for all tasks | (See runner docs) |
tags | string | Tags to push to with built image | (None.) |
- Description: Consistently build JVM outputs using Gradle
- Workflow:
.github/workflows/jvm.gradle.yml
| Name | Type | Description | Default value |
|---|---|---|---|
action | string | Gradle task(s) to execute | "build" |
android | boolean | Install Android SDK | true |
artifact | string | Name of output artifact to use | (None.) |
artifacts | boolean | Upload built artifacts | false |
cache_action | boolean | Turn GHA cache on/off | true |
cache_local | boolean | Turn local caching on/off | false |
cache_read_only | boolean | GHA cache read-only status | false |
cache_remote | boolean | Turn remote caching on/off | true |
checks | boolean | Run checks and Sonar | true |
coverage | boolean | Upload → Codecov after build | false |
coverage_report | string | Path to coverage report | (None.) |
coverage_flags | string | Extra flags to pass to Codecov | (None.) |
flags | string | Extra flags to append | (None.) |
gradle | string | Gradle version to install & use | "wrapper" |
install_jvm | boolean | Setup a regular JVM before build | true |
jvm | string | JVM version to install/target | (See JVM notes below) |
jvm_dist | string | JVM distribution to use | "adopt-hotspot" |
label | string | Label to show for build step | "Gradle" |
reports | boolean | Whether to upload built reports | true |
runner | string | Runner to use for all tasks | (See runner docs) |
- Description: Consistently build JVM outputs using Gradle
- Workflow:
.github/workflows/jvm.gradle.yml
| Name | Type | Description | Default value |
|---|---|---|---|
action | string | Gradle task(s) to execute | "build" |
artifact | string | Name of output artifact to use | (None.) |
artifacts | boolean | Upload built artifacts | false |
cache_action | boolean | Turn GHA cache on/off | true |
cache_local | boolean | Turn local caching on/off | false |
cache_read_only | boolean | GHA cache read-only status | false |
cache_remote | boolean | Turn remote caching on/off | true |
checks | boolean | Run checks and Sonar | true |
coverage | boolean | Upload → Codecov after build | false |
coverage_report | string | Path to coverage report | (None.) |
coverage_flags | string | Extra flags to pass to Codecov | (None.) |
flags | string | Extra flags to append | (None.) |
gradle | string | Gradle version to install & use | "wrapper" |
gvm | string | GraalVM version to use | (See JVM notes below) |
gvm_components | string | GraalVM components to install | "native-image,js" |
install_gvm | boolean | Setup a distribution of GraalVM | false |
install_jvm | boolean | Setup a regular JVM before build | true |
jvm | string | JVM version to install/target | (See JVM notes below) |
jvm_dist | string | JVM distribution to use | "adopt-hotspot" |
label | string | Label to show for build step | "Gradle" |
provenance | boolean | Stamp for SLSA provenance | false |
publish | boolean | Perform a publish after build | false |
reports | boolean | Whether to upload built reports | true |
runner | string | Runner to use for all tasks | (See runner docs) |
- Description: Consistently build JVM outputs using Maven
- Workflow:
.github/workflows/jvm.maven.yml
Inputs for the Maven workflow are nearly identical to those for the Gradle workflow (listed above):
| Name | Type | Description | Default value |
|---|---|---|---|
action | string | Maven goal(s) to execute | "package" |
artifact | string | Name of output artifact to use | (None.) |
artifacts | boolean | Upload built artifacts | false |
cache_action | boolean | Turn GHA cache on/off | true |
cache_local | boolean | Turn local caching on/off | false |
cache_read_only | boolean | GHA cache read-only status | false |
cache_remote | boolean | Turn remote caching on/off | true |
checks | boolean | Run checks and Sonar | true |
coverage | boolean | Upload → Codecov after build | false |
coverage_report | string | Path to coverage report | (None.) |
coverage_flags | string | Extra flags to pass to Codecov | (None.) |
flags | string | Extra flags to append | (None.) |
gvm | string | GraalVM version to use | (See JVM notes below) |
gvm_components | string | GraalVM components to install | "native-image,js" |
install_gvm | boolean | Setup a distribution of GraalVM | false |
install_jvm | boolean | Setup a regular JVM before build | true |
jvm | string | JVM version to install/target | (See JVM notes below) |
jvm_dist | string | JVM distribution to use | "adopt-hotspot" |
label | string | Label to show for build step | "Gradle" |
provenance | boolean | Stamp for SLSA provenance | false |
publish | boolean | Perform a publish after build | false |
reports | boolean | Whether to upload built reports | true |
runner | string | Runner to use for all tasks | (See runner docs) |
- Description: Run builds with Bazel
- Workflow:
.github/workflows/bazel.yml
There are no required inputs for a Bazel build; the target specification defaults to the value//..., which builds all targets. The defaultcommand isbuild. The build is executed withBazelisk, which will respect the.bazelversion present at the root of your project.
| Name | Type | Description | Default value |
|---|---|---|---|
artifact | string | Name of output artifact to use | (None.) |
artifacts | boolean | Upload built artifacts | false |
cache_action | boolean | Turn GHA cache on/off | true |
command | string | Bazel command to execute | "build" |
targets | string | Bazel target string | "//..." |
flags | string | Extra flags to append | (None.) |
gvm | string | GraalVM version to use | (See JVM notes below) |
gvm_components | string | GraalVM components to install | "native-image,js" |
install_gvm | boolean | Setup a distribution of GraalVM | false |
install_jvm | boolean | Setup a regular JVM before build | true |
jvm | string | JVM version to install/target | (See JVM notes below) |
jvm_dist | string | JVM distribution to use | "adopt-hotspot" |
runner | string | Runner to use for all tasks | (See runner docs) |
The Gradle conventions provided by this project are generic in nature and can be used in nearly any Gradle 8+ project.Conventions are applied in a cascading fashion, with relevant plugins being applied first, which then provide strongbaseline settings.
Gradle infra:
- Plugins for common build tasks, especially aroundJPMS. See the plugins list below.
- Catalogs defining security-hardened library catalogs
- Platforms which enforce different profiles of dependency constraints
Read more about the Gradle build infrahere. There aresamples.
dev.elide.gha: Integrate your Gradle build with GitHub Actions. Enables enhanced logging and reportingfeatures, PR integrations, and other features supported by the workflows in this repo.dev.elide.jmod: Buildjmodartifacts in Gradle JVM projects with Java 9+.jmodartifacts arecompatible withjlinkand make for great optimized build artifacts in modular projects.dev.elide.jpms: Toolkit plugin for Gradle builds enabled with modular Java (Java Platform Module System, orJPMS). Provides amodulepathconfiguration and modular builds for Java, Kotlin, and GraalVM.dev.elide.mrjar: Plugin for easily building multi-target MRJAR artifacts. This plugin goes above and beyondby building the entire project at each bytecode tier, so that modern Java runtimes can leverage the latest bytecode.dev.elide.jlink: Plugin for usingjmodandjpmsto build optimized, self-contained modular Java appsusingjlink.dev.elide.graalvm: Plugin for usingjmodandjpmsto build optimized, native AOT Java apps usingnative-image.
Follow the YAML and action convention within the repository; the multi-workspace expressed here for actions uses theGitHub Actions Toolkit andpnpmworkspaces.
Build configurations are validated on each push, and actions are built and tested to the extent possible. Once a PR is merged,it is expected to be deployed to private package storage, where update tools can pick it up.
This repository is shared openly for OSS use. It is licensed as MIT.
About
Secure reusable build infrastructure