pan3793 commented on code in PR #8412:
URL: https://github.com/apache/hadoop/pull/8412#discussion_r3121441011


##########
.github/workflows/tmpl_build_and_test.yml:
##########
@@ -0,0 +1,175 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: Build and Test
+
+on:
+  workflow_call:
+    inputs:
+      java:
+        required: false
+        type: string
+        default: 17
+      branch:
+        required: false
+        type: string
+        description: Branch to run the build against
+        default: trunk
+      os:
+        required: false
+        type: string
+        description: Operating system to run the build on
+        default: ubuntu_24
+      jobs:
+        required: false
+        type: string
+        description: >-
+          Jobs to run, and should be in JSON Array format.
+          Candidates: "build-only".
+        default: '[ "build-only" ]'
+
+# Default to minimal permissions for workflow.
+permissions:
+  packages: read
+
+concurrency:
+  group: >-
+    build-and-test
+    ${{ github.workflow }}
+    ${{ github.repository == 'apache/hadoop' && github.run_id || github.ref }}
+    ${{ inputs.java }}
+    ${{ inputs.branch }}
+    ${{ inputs.os }}
+    ${{ inputs.jobs }}
+  cancel-in-progress: true
+
+env:
+  MAVEN_ARGS:
+    --batch-mode
+    --no-transfer-progress
+    -Pyarn-ui
+    -Pnative
+    -Drequire.test.libhadoop
+    -Drequire.fuse
+    -Drequire.openssl
+    -Drequire.snappy
+    -Drequire.valgrind
+    -Dmaven.test.failure.ignore=false
+
+jobs:
+  precondition:
+    name: Preparation
+    runs-on: ubuntu-24.04
+    outputs:
+      build_image_url: ${{ steps.variables.outputs.build_image_url }}
+    steps:
+      - name: Set up Outputs
+        id: variables
+        # Security: passing inputs.{os, branch} through workflow (above) 
inputs removes
+        # ability to do shell injection below.
+        # See: 
https://securitylab.github.com/resources/github-actions-untrusted-input/
+        run: |
+          # Convert to lowercase to meet Docker repo name requirement
+          REPO_OWNER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' 
'[:lower:]')
+          echo "build_image_url=ghcr.io/${REPO_OWNER}/gha-build-${{ inputs.os 
}}:${{ inputs.branch }}-${{ github.run_id }}" >> $GITHUB_OUTPUT
+  build-image:
+    name: Build Image ${{ inputs.os }}-${{ inputs.branch }}
+    runs-on: ubuntu-24.04
+    needs: [ precondition ]
+    # Security: this does not leak write access for our image repository to
+    # forked repos.
+    #
+    # We have `packages: write` permissions for our GITHUB_TOKEN below. 
However:
+    #
+    # - For `pull_request`, GitHub downgrades GITHUB_TOKEN permissions to
+    #   read-only.
+    # - For `push` triggers on a fork, the GITHUB_TOKEN retains write
+    #   permissions, but the `push` is happening in the context of the fork, 
not
+    #   the upstream repo.
+    # - For `pull_request_target` (risky), the write permission is
+    #   overridden by our repository's setting "Send write tokens to workflows
+    #   from pull requests" which should be disabled.
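Review bot: In the "Set up Outputs" step, `${{ github.repository_owner }}`, `${{ inputs.os }}` and `${{ inputs.branch }}` are expanded into the `run:` script text before the shell starts. The comment's claim that routing them through workflow inputs "removes ability to do shell injection" therefore holds only while every caller of this `workflow_call` template passes fixed, trusted values; the template itself does not enforce it. Suggest binding the values in the step's `env:` block (for example `OS: ${{ inputs.os }}` and `BRANCH: ${{ inputs.branch }}`) and referencing them as `"$OS"` and `"$BRANCH"` in the script, so the shell treats them as data whatever the caller supplies, and rewording the comment to say the safety depends on the callers. `$GITHUB_OUTPUT` on the same line should also be quoted.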

Review Comment:
   I reverted the pull that includes this comment and restored the code to the 
snapshot that gets approval (with additional squash to make Yetus happy).
   
   So, merge this PR as-is after Yetus is happy, and revise those comments 
later?
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

