fix: permissions to write dependency graph from build #12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Push | |
| on: | |
| push: | |
| branches: [master, main, beta] | |
| paths-ignore: | |
| - README.md | |
| - ./*.md | |
| env: | |
| CI: "true" | |
| GRADLE_OPTS: -Dorg.gradle.jvmargs="-XX:+UseParallelGC -Xmx3g -XX:MetaspaceSize=512M -XX:MaxMetaspaceSize=512M" | |
| GRADLE_CACHE_LOCAL: true | |
| GRADLE_CACHE_REMOTE: true | |
| GRADLE_CACHE_PUSH: true | |
| GRADLE_CACHE_USERNAME: apikey | |
| GRADLE_CACHE_PASSWORD: ${{ secrets.BUILDLESS_APIKEY }} | |
| CACHE_ENDPOINT: ${{ vars.CACHE_ENDPOINT_GRADLE }} | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
| TEST_EXCEPTIONS: true | |
| jobs: | |
| build: | |
| name: "Build (${{ matrix.label }})" | |
| permissions: | |
| actions: "read" | |
| contents: "write" | |
| id-token: "write" | |
| checks: "write" | |
| packages: "read" | |
| pull-requests: "write" | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| runner: [macOS-latest, windows-latest, ubuntu-latest] | |
| include: | |
| - runner: macOS-latest | |
| flags: "--no-configuration-cache" | |
| os: "macos" | |
| label: "Darwin" | |
| experimental: false | |
| coverage: true | |
| gvm: ${{ vars.GVM_VERSION }} | |
| java: ${{ vars.JVM_VERSION }} | |
| provenance: false | |
| - runner: windows-latest-8-cores | |
| flags: "--no-configuration-cache" | |
| os: "windows" | |
| label: "Windows" | |
| experimental: false | |
| coverage: true | |
| gvm: ${{ vars.GVM_VERSION }} | |
| java: ${{ vars.JVM_VERSION }} | |
| provenance: false | |
| - runner: ubuntu-latest-4-cores | |
| flags: "--no-configuration-cache -PsonarScan=true" | |
| os: "linux" | |
| label: "Linux" | |
| experimental: false | |
| coverage: true | |
| gvm: ${{ vars.GVM_VERSION }} | |
| java: ${{ vars.JVM_VERSION }} | |
| provenance: true | |
| uses: ./.github/workflows/step.build.yml | |
| secrets: inherit | |
| with: | |
| runner: ${{ matrix.runner }} | |
| os: ${{ matrix.os }} | |
| label: ${{ matrix.label }} | |
| flags: ${{ matrix.flags }} | |
| experimental: ${{ matrix.experimental }} | |
| java: ${{ matrix.java }} | |
| coverage: true | |
| provenance: ${{ matrix.provenance }} | |
| codeql: | |
| name: "Analysis: CodeQL" | |
| needs: ["build"] | |
| uses: ./.github/workflows/codeql.ci.yml | |
| secrets: inherit | |
| with: {} | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| qodana: | |
| name: "Analysis: Qodana" | |
| needs: ["build"] | |
| uses: ./.github/workflows/qodana.ci.yml | |
| with: {} | |
| secrets: inherit | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| publish-sandbox: | |
| permissions: | |
| actions: "read" | |
| contents: "write" | |
| id-token: "write" | |
| checks: "write" | |
| pull-requests: "write" | |
| packages: "write" | |
| name: "Publish: Sandbox" | |
| needs: ["build", "codeql", "qodana"] | |
| uses: ./.github/workflows/step.publish.yml | |
| secrets: | |
| GOOGLE_CREDENTIALS: ${{ secrets.BUILDBOT_SERVICE_ACCOUNT }} | |
| SIGNING_KEY: ${{ secrets.SIGNING_KEY }} | |
| with: | |
| version: "1.0-SNAPSHOT" | |
| repository: "gcs://elide-snapshots/repository/v3" | |
| logLevel: "info" | |
| snapshot: true | |
| release: false | |
| signing: true | |
| gcs: true | |
| environment: sandbox | |
| label: "Elide Sandbox" |