From 07000c843d5867c12a3c2b71f652174a240355d3 Mon Sep 17 00:00:00 2001
From: Marcus Aspin
Date: Thu, 7 Nov 2024 11:55:47 +0000
Subject: [PATCH] PI-2624 Enable Gradle configuration cache (#4401)
---
 .github/actions/analyse/action.yml | 15 +++++-----
 .../actions/cloud-platform-deploy/action.yml | 4 +++
 .github/actions/get-build-info/action.yml | 12 ++++----
 .github/actions/setup-gradle/action.yml | 28 +++++++++++++++++++
 .github/workflows/build.yml | 10 ++++---
 .github/workflows/check.yml | 5 +++-
 .github/workflows/deploy.yml | 1 +
 .github/workflows/docs.yml | 9 ++----
 .github/workflows/pipeline.yml | 6 ++--
 .github/workflows/security.yml | 8 ++----
 .github/workflows/templates.yml | 8 ++----
 gradle.properties | 5 +++-
 12 files changed, 69 insertions(+), 42 deletions(-)
 create mode 100644 .github/actions/setup-gradle/action.yml
diff --git a/.github/actions/analyse/action.yml b/.github/actions/analyse/action.yml
index 2c61a19fe5..8eb821695e 100644
--- a/.github/actions/analyse/action.yml
+++ b/.github/actions/analyse/action.yml
@@ -2,9 +2,12 @@ name: Analyse
 description: Publish test results to GitHub Actions, and analyse source code and results using Sonar
 inputs:
- token:
+ sonar-token:
 description: Sonar token
 required: true
+ gradle-encryption-key:
+ description: Gradle encryption key
+ required: true
 runs:
 using: "composite"
@@ -41,13 +44,9 @@ runs:
 echo "ORG_GRADLE_PROJECT_version=$version" | tee -a "$GITHUB_ENV"
 echo "version=$version" | tee -a "$GITHUB_OUTPUT"
- - uses: actions/setup-java@v4
- with:
- java-version: '21'
- distribution: 'temurin'
-
- - uses: gradle/actions/setup-gradle@v4
+ - uses: ./.github/actions/setup-gradle
 with:
+ cache-encryption-key: ${{ inputs.gradle-encryption-key }}
 cache-read-only: true
 - name: Sonar analysis
@@ -55,4 +54,4 @@ runs:
 run: ./gradlew sonar
 shell: bash
 env:
- SONAR_TOKEN: ${{ inputs.token }}
+ SONAR_TOKEN: ${{ inputs.sonar-token }}
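Review bot: `required: true` on the new `gradle-encryption-key` input in analyse/action.yml does not make the key mandatory, because the Actions runner does not fail a step when a required action input is missing; an unset or empty secret is passed straight through as `cache-encryption-key` and the job carries on. The one-phrase description gives a caller no hint of that, so I would document the format and the fallback, e.g. `description: Base64-encoded AES key for the Gradle configuration cache; if empty, configuration-cache data is not restored`. The same input is declared the same way in cloud-platform-deploy/action.yml and get-build-info/action.yml.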
diff --git a/.github/actions/cloud-platform-deploy/action.yml b/.github/actions/cloud-platform-deploy/action.yml
index a0dc2afca4..b86d8d9c02 100644
--- a/.github/actions/cloud-platform-deploy/action.yml
+++ b/.github/actions/cloud-platform-deploy/action.yml
@@ -29,6 +29,9 @@ inputs:
 ip-allowlists:
 description: The HMPPS IP allow list groups to apply, in base64-encoded YAML format
 required: true
+ gradle-encryption-key:
+ description: Gradle encryption key
+ required: true
 runs:
 using: composite
@@ -46,6 +49,7 @@ runs:
 with:
 project: ${{ inputs.project }}
 version: ${{ inputs.version }}
+ gradle-encryption-key: ${{ inputs.gradle-encryption-key }}
 - name: Authenticate
 uses: ./.github/actions/cloud-platform-auth
diff --git a/.github/actions/get-build-info/action.yml b/.github/actions/get-build-info/action.yml
index 1550da0f75..85012c4674 100644
--- a/.github/actions/get-build-info/action.yml
+++ b/.github/actions/get-build-info/action.yml
@@ -8,6 +8,9 @@ inputs:
 version:
 description: The version of the service to deploy
 required: true
+ gradle-encryption-key:
+ description: Gradle encryption key
+ required: true
 runs:
 using: "composite"
@@ -20,15 +23,10 @@ runs:
 with:
 files: projects/${{ inputs.project }}/build.gradle.kts
- - uses: actions/setup-java@v4
- if: ${{ steps.gradle_file.outputs.files_exists == 'true' }}
- with:
- java-version: '21'
- distribution: 'temurin'
-
- - uses: gradle/actions/setup-gradle@v4
+ - uses: ./.github/actions/setup-gradle
 if: ${{ steps.gradle_file.outputs.files_exists == 'true' }}
 with:
+ cache-encryption-key: ${{ inputs.gradle-encryption-key }}
 cache-read-only: true
 - name: Get build info
diff --git a/.github/actions/setup-gradle/action.yml b/.github/actions/setup-gradle/action.yml
new file mode 100644
index 0000000000..a1cad2c105
--- /dev/null
+++ b/.github/actions/setup-gradle/action.yml
@@ -0,0 +1,28 @@
+name: Setup Gradle
+description: Setup Java and Gradle actions
+
+inputs:
+ cache-read-only:
+ description: |
+ When 'true', existing entries will be read from the cache but no entries will be written.
+ By default this value is 'false' for workflows on the GitHub default branch and 'true' for workflows on other branches.
+ required: false
+ default: ${{ github.event.repository != null && github.ref_name != github.event.repository.default_branch }}
+ cache-encryption-key:
+ description: |
+ A base64 encoded AES key used to encrypt the configuration-cache data. The key is exported as 'GRADLE_ENCRYPTION_KEY' for later steps.
+ A suitable key can be generated with `openssl rand -base64 16`.
+ Configuration-cache data will not be saved/restored without an encryption key being provided.
+ required: false
+
+runs:
+ using: "composite"
+ steps:
+ - uses: actions/setup-java@v4
+ with:
+ java-version: 21
+ distribution: temurin
+ - uses: gradle/actions/setup-gradle@v4
+ with:
+ cache-encryption-key: ${{ inputs.cache-encryption-key }}
+ cache-read-only: ${{ inputs.cache-read-only }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 117be5e114..6bb37a928c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -9,6 +9,10 @@ on:
 force-deploy:
 type: boolean
 default: false
+ secrets:
+ GRADLE_ENCRYPTION_KEY:
+ required: true
+ description: Used for encrypting the Gradle cache. See https://github.com/gradle/actions/blob/main/docs/setup-gradle.md#saving-configuration-cache-data
 outputs:
 version:
 value: ${{ jobs.build-gradle.outputs.version }}
@@ -89,11 +93,9 @@ jobs:
 changes: ${{ steps.check-changes.outputs.changes }}
 steps:
 - uses: actions/checkout@v4
- - uses: actions/setup-java@v4
+ - uses: ./.github/actions/setup-gradle
 with:
- java-version: '21'
- distribution: 'temurin'
- - uses: gradle/actions/setup-gradle@v4
+ cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
 - name: Set version
 id: version
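Review bot: In .github/actions/setup-gradle/action.yml, `actions/setup-java@v4` and `gradle/actions/setup-gradle@v4` are referenced by a movable tag in the one composite action that every workflow now hands the cache encryption key to, so whatever the tag points at on the day of the run receives that key. Pinning both to a full commit SHA and keeping the tag as a trailing comment limits that exposure, e.g. `- uses: gradle/actions/setup-gradle@<full-commit-sha> # v4`. The input description also says the key is exported as `GRADLE_ENCRYPTION_KEY` for later steps, so every subsequent step of the calling job can read it; a short comment above `steps:` saying so would help whoever adds a step after this action.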
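Review bot: In .github/workflows/build.yml the `GRADLE_ENCRYPTION_KEY` secret is declared `required: true`, while the input it feeds in setup-gradle/action.yml is `required: false` and is documented as only switching configuration-cache save/restore on. Callers pass `${{ secrets.GRADLE_ENCRYPTION_KEY }}` straight through, and on runs where repository secrets are withheld (pull requests from forks, Dependabot) that expression is empty; I have not verified how an empty value is treated for a required secret, so this is worth testing. Declaring it `required: false` would keep the build independent of the cache key. The setup step in the second hunk also leaves `cache-read-only` at its default, which makes this the job that writes cache entries on the default branch; a one-line comment such as `# cache-read-only left at default: writes on the default branch only` would record that.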
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index c07b13f3bb..470632ba99 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -10,6 +10,8 @@ jobs:
 build:
 name: Build
 uses: ./.github/workflows/build.yml
+ secrets:
+ GRADLE_ENCRYPTION_KEY: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
 post-build:
 name: Post-build
@@ -29,7 +31,8 @@ jobs:
 - uses: actions/checkout@v4
 - uses: ./.github/actions/analyse
 with:
- token: ${{ secrets.SONAR_TOKEN }}
+ sonar-token: ${{ secrets.SONAR_TOKEN }}
+ gradle-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
 lint:
 name: Lint
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index d22a0bad5e..b857195496 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -133,6 +133,7 @@ jobs:
 namespace: ${{ secrets.KUBE_NAMESPACE }}
 token: ${{ secrets.KUBE_TOKEN }}
 ip-allowlists: ${{ vars.HMPPS_IP_ALLOWLIST_GROUPS_YAML }}
+ gradle-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
 - uses: docker/login-action@v3
 if: ${{ steps.check_files.outputs.files_exists == 'true' && steps.enabled.outputs.enabled == 'true' }}
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 3bfe667c06..0a3bde5551 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -67,15 +67,10 @@ jobs:
 echo "has_rest_api=$(yq '. | has("api_path")' 'projects/${{ matrix.project }}/tech-docs/config/tech-docs.yml')" | tee -a "$GITHUB_OUTPUT"
 echo "has_async_api=$(test -f 'projects/${{ matrix.project }}/tech-docs/source/asyncapi-reference.html.md.erb' && echo 'true' || echo 'false')" | tee -a "$GITHUB_OUTPUT"
- - uses: actions/setup-java@v4
- if: steps.check_config.outputs.has_rest_api == 'true' || steps.check_config.outputs.has_async_api == 'true'
- with:
- java-version: '21'
- distribution: 'temurin'
-
- - uses: gradle/actions/setup-gradle@v4
+ - uses: ./.github/actions/setup-gradle
 if: steps.check_config.outputs.has_rest_api || steps.check_config.outputs.has_async_api
 with:
+ cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
 cache-read-only: true
 - name: Host API specs
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index fc53af4d63..f1dda8d2d2 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -18,7 +18,8 @@ jobs:
 with:
 push: true
 force-deploy: "${{ inputs.force-deploy || false }}"
- secrets: inherit
+ secrets:
+ GRADLE_ENCRYPTION_KEY: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
 post-build:
 name: Post-build
@@ -41,7 +42,8 @@ jobs:
 - uses: actions/checkout@v4
 - uses: ./.github/actions/analyse
 with:
- token: ${{ secrets.SONAR_TOKEN }}
+ sonar-token: ${{ secrets.SONAR_TOKEN }}
+ gradle-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
 deploy-to-test:
 name: Deploy to test
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 3751b1c11a..f2b09caeeb 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
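Review bot: In .github/workflows/docs.yml the merged step keeps the looser guard `if: steps.check_config.outputs.has_rest_api || steps.check_config.outputs.has_async_api`, and the removed setup-java step was the only one that compared against `'true'`. Both outputs are written as the strings `true` or `false` by the echo lines at the top of the hunk, and a non-empty string is truthy in an Actions expression, so the condition appears to hold always and Java and Gradle setup, with the encryption key, now runs for projects that have neither API. Use `if: steps.check_config.outputs.has_rest_api == 'true' || steps.check_config.outputs.has_async_api == 'true'`. The job continues outside the hunk.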
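Review bot: In .github/workflows/pipeline.yml, replacing `secrets: inherit` with one named secret means build.yml now receives only `GRADLE_ENCRYPTION_KEY` besides the automatic `GITHUB_TOKEN`. build.yml is only partly visible in this patch; if any of its jobs, for example whatever runs behind `push: true`, reads another `secrets.*` value, that value would presumably now be empty rather than raise an error. Before merging, search build.yml for `secrets.` and declare each name found under `on.workflow_call.secrets` and in this `secrets:` map.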
@@ -145,13 +145,9 @@ jobs:
 - get-projects
 steps:
 - uses: actions/checkout@v4
- - uses: actions/setup-java@v4
- with:
- java-version: 21
- distribution: temurin
-
- - uses: gradle/actions/setup-gradle@v4
+ - uses: ./.github/actions/setup-gradle
 with:
+ cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
 cache-read-only: true
 - name: Build jars
diff --git a/.github/workflows/templates.yml b/.github/workflows/templates.yml
index 6ad444ab30..1145d7ceee 100644
--- a/.github/workflows/templates.yml
+++ b/.github/workflows/templates.yml
@@ -26,13 +26,9 @@ jobs:
 steps:
 - uses: actions/checkout@v4
- - uses: actions/setup-java@v4
- with:
- java-version: '21'
- distribution: 'temurin'
-
- - uses: gradle/actions/setup-gradle@v4
+ - uses: ./.github/actions/setup-gradle
 with:
+ cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
 cache-read-only: true
 - name: Render project template
diff --git a/gradle.properties b/gradle.properties
index 183b929d11..13c47f9710 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -1,5 +1,8 @@
-org.gradle.caching=true
 org.gradle.parallel=true
+org.gradle.caching=true
+org.gradle.configuration-cache=true
+org.gradle.configuration-cache.problems=warn
+# Remove the above line once https://github.com/n0mer/gradle-git-properties/pull/235 is released
 org.gradle.jvmargs=-Xmx4g "-XX:MaxMetaspaceSize=1g"
 systemProp.sonar.host.url=https://sonarcloud.io
 systemProp.sonar.organization=ministryofjustice
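Review bot: In gradle.properties, `org.gradle.configuration-cache.problems=warn` applies to every configuration-cache problem in every project, not only to the gradle-git-properties one the comment mentions. As far as I know Gradle still stores and reuses an entry that was built with problems, so a task that reads changing inputs at configuration time could be replayed with stale values in CI. The comment also sits below the property and refers to "the above line", which stops being true as soon as lines are reordered; put it first and name the property: `# TODO: remove org.gradle.configuration-cache.problems=warn once https://github.com/n0mer/gradle-git-properties/pull/235 is released`.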