Migrate build and deployment logic from GitLab CI to GitHub Actions

CommanderTvis · CommanderTvis · commit 91e653595228 · 2026-05-22T18:31:24.000+02:00
diff --git a/.github/actions/gradle-setup/action.yml b/.github/actions/gradle-setup/action.yml
@@ -0,0 +1,20 @@
+name: Gradle + GraalVM setup
+description: >-
+  Installs a GraalVM 21 JDK and
+  configures the Gradle build with dependency caching.
+
+runs:
+  using: composite
+  steps:
+    # GraalVM (not just any JDK ): needed for :rell-base:testTruffle
+    - name: Set up GraalVM 21
+      uses: graalvm/setup-graalvm@v1
+      with:
+        java-version: "21"
+        distribution: graalvm
+        github-token: ${{ github.token }}
+
+    - name: Set up Gradle
+      uses: gradle/actions/setup-gradle@v4
+      with:
+        cache-read-only: ${{ github.ref != 'refs/heads/dev' }}
diff --git a/.github/actions/postgres/action.yml b/.github/actions/postgres/action.yml
@@ -0,0 +1,35 @@
+name: Start Postgres
+description: >-
+  Starts the PostgreSQL the test suite connects to (POSTCHAIN_DB_URL ->
+  localhost:5432, user/pass/db = postchain) using the runner's native PostgreSQL
+  service. A composite because GitHub Actions can't share `services:` blocks
+  across jobs (no YAML anchors). Server version is whatever the runner image
+  ships (Ubuntu 24.04 -> PostgreSQL 16.x).
+
+runs:
+  using: composite
+  steps:
+    - name: Start Postgres
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        # Runner images ship PostgreSQL preinstalled but stopped; install it if absent.
+        if ! command -v pg_lsclusters >/dev/null || [ -z "$(pg_lsclusters -h 2>/dev/null)" ]; then
+          sudo apt-get update -qq
+          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y -qq postgresql postgresql-client
+        fi
+
+        sudo systemctl start postgresql
+
+        for _ in $(seq 1 30); do
+          if pg_isready -h localhost -p 5432 -q; then break; fi
+          sleep 1
+        done
+        pg_isready -h localhost -p 5432
+
+        # Superuser: the suite creates/drops per-test databases. Default pg_hba already allows
+        # scram password auth from localhost, so TCP connections from JDBC work once it has a password.
+        sudo -u postgres psql -v ON_ERROR_STOP=1 -c \
+          "CREATE ROLE postchain WITH LOGIN SUPERUSER PASSWORD 'postchain';"
+        sudo -u postgres createdb -O postchain postchain
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
@@ -0,0 +1,80 @@
+name: Benchmarks (Pages)
+
+# Manual run that publishes the kotlinx-benchmark HTML report (plus the raw main.json) to GitHub
+# Pages under a per-commit path so same-branch reruns coexist for commit-to-commit diffs.
+#   https://chromiaproject.github.io/rell-performance-reports/bench-<branch-slug>-<sha>/report.html
+#   https://chromiaproject.github.io/rell-performance-reports/bench-<branch-slug>-<sha>/data/main.json
+# Published to the dedicated ChromiaProject/rell-performance-reports repo; the index app there
+# discovers deployments client-side, so there's no aggregation step.
+on:
+  workflow_dispatch:
+
+# Serialize the deployment workflows: each force-pushes the reports repo's gh-pages, so concurrent
+# runs would clobber each other.
+concurrency:
+  group: gh-pages
+  cancel-in-progress: false
+
+permissions:
+  contents: write
+
+env:
+  # linux-arm64-medium (4 vCPU / 16 GiB). No JUnit suite runs here (kotlinx-benchmark forks its own
+  # JVM), so the test-heap props are omitted: Gradle daemon 4g + Kotlin daemon 2g + the benchmark JVM
+  # (default ergonomic heap ~4g) ≈ 10g, well within 16g.
+  GRADLE_FLAGS: >-
+    -Dorg.gradle.caching=true
+    --max-workers=1
+    -Dorg.gradle.jvmargs=-Xmx4g
+    -Pkotlin.daemon.jvmargs=-Xmx2g
+
+jobs:
+  benchmarks:
+    name: Run benchmarks + publish
+    runs-on: linux-arm64-medium
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/gradle-setup
+
+      - name: Compute deployment prefix
+        id: prefix
+        run: |
+          slug=$(echo "${GITHUB_REF_NAME}" | tr -c 'A-Za-z0-9' '-' | sed 's/-\+/-/g; s/^-//; s/-$//')
+          echo "slug=$slug" >> "$GITHUB_OUTPUT"
+          echo "sha=${GITHUB_SHA::8}" >> "$GITHUB_OUTPUT"
+          echo "dir=bench-${slug}-${GITHUB_SHA::8}" >> "$GITHUB_OUTPUT"
+
+      - name: Run benchmarks
+        run: ./gradlew $GRADLE_FLAGS :performance:mainBenchmark
+
+      - name: Assemble site
+        env:
+          DIR: ${{ steps.prefix.outputs.dir }}
+          SLUG: ${{ steps.prefix.outputs.slug }}
+          SHA: ${{ steps.prefix.outputs.sha }}
+        run: |
+          dest="site/$DIR"
+          mkdir -p "$dest/data"
+          cp -r performance/build/reports/benchmarks/html/. "$dest/"
+          # Newest kotlinx-benchmark JSON -> stable data/main.json for programmatic ingestion.
+          latest_json=$(find performance/build/reports/benchmarks/main -type f -name '*.json' -printf '%T@ %p\n' | sort -nr | head -n1 | cut -d' ' -f2-)
+          if [ -z "$latest_json" ]; then
+            echo "ERROR: no benchmark JSON found under performance/build/reports/benchmarks/main" >&2
+            exit 1
+          fi
+          cp "$latest_json" "$dest/data/main.json"
+          # meta.json drives the client-side index; index.html at the root is refreshed each run.
+          jq -n --arg kind benchmarks --arg slug "$SLUG" --arg sha "$SHA" \
+            --arg title "$(git log -1 --format=%s)" --arg ts "$(git log -1 --format=%cI)" \
+            --argjson data true \
+            '{kind:$kind, slug:$slug, sha:$sha, title:$title, ts:$ts, data:$data}' > "$dest/meta.json"
+          cp performance/ci-index/index.html site/index.html
+
+      - name: Publish to reports repo
+        uses: peaceiris/actions-gh-pages@v4
+        with:
+          deploy_key: ${{ secrets.RELL_REPORTS_DEPLOY_KEY }}
+          external_repository: ChromiaProject/rell-performance-reports
+          publish_dir: ./site
+          keep_files: true
+          commit_message: "benchmarks: ${{ steps.prefix.outputs.dir }}"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,117 @@
+name: Build
+
+# `check` runs on every branch push (not just PRs) for ad-hoc debugging; publication is gated
+# to the protected branches (the `publish` job).
+on:
+  push:
+    branches: ["**"]
+  pull_request:
+  workflow_dispatch:
+    inputs:
+      publish_build_scan:
+        description: "Publish a Develocity build scan (scans.gradle.com) for this run"
+        type: boolean
+        default: false
+
+# Supersede in-flight runs of the same ref.
+concurrency:
+  group: build-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+env:
+  # Heap budget on linux-arm64-xlarge (16 vCPU / 64 GiB). Concurrent test JVMs are capped at
+  # --max-workers — each Test task is maxParallelForks=1 (one fork per task), and junitParallelThreads
+  # is in-JVM ForkJoinPool parallelism, not extra JVMs — so the test footprint can't exceed 8 x 4g.
+  # Peak: Gradle daemon 12g + Kotlin daemon 6g + 8 test forks x 4g = 50g heap (~60g resident with JVM
+  # overhead), leaving room for native Postgres + OS. Native Postgres (no dockerd/DIND) on the 600 GB
+  # SSD gives more margin than a tmpfs PGDATA would. If the peak ever OOMs, drop to --max-workers=7.
+  GRADLE_FLAGS: >-
+    -Dorg.gradle.caching=true
+    --max-workers=8
+    -Dorg.gradle.jvmargs=-Xmx12g
+    -Pkotlin.daemon.jvmargs=-Xmx6g
+    -PtestJvmMaxHeap=4g
+    -PjunitParallelThreads=4
+  POSTCHAIN_DB_URL: jdbc:postgresql://localhost:5432/postchain
+  JACOCO_REPORT_DIR: coverage-report-aggregate/build/reports/jacoco/testCodeCoverageReport
+
+jobs:
+  build:
+    name: Check + coverage
+    # jacoco-report posts coverage as a PR comment (or a commit comment on push).
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: linux-arm64-xlarge
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/gradle-setup
+      - uses: ./.github/actions/postgres
+
+      # The Develocity plugin is deliberately not committed (so local devs neither pull it nor have
+      # its Terms of Use auto-accepted), and termsOfUseAgree can only be expressed from a DSL block —
+      # hence appending it at runtime. Manual-dispatch only (the input is empty on push/PR).
+      - name: Enable build scan
+        if: github.event.inputs.publish_build_scan == 'true'
+        run: |
+          cat >> settings.gradle.kts <<'EOF'
+
+          plugins { id("com.gradle.develocity") version "4.3.2" }
+
+          develocity {
+              buildScan {
+                  termsOfUseUrl = "https://gradle.com/help/legal-terms-of-use"
+                  termsOfUseAgree = "yes"
+                  uploadInBackground = false
+              }
+          }
+          EOF
+
+      - name: Check + aggregate coverage
+        run: ./gradlew $GRADLE_FLAGS check :coverage-report-aggregate:testCodeCoverageReport
+
+      - name: Coverage report
+        if: always()
+        uses: madrapps/jacoco-report@v1.7.2
+        with:
+          paths: ${{ env.JACOCO_REPORT_DIR }}/testCodeCoverageReport.xml
+          token: ${{ github.token }}
+          title: Coverage
+
+      - name: Upload test results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: test-results
+          path: |
+            ${{ env.JACOCO_REPORT_DIR }}/
+            **/build/test-results/**/*
+          retention-days: 7
+          if-no-files-found: ignore
+
+  # Gated continuation of `build`: runs only after tests+coverage pass, and only on the protected
+  # branches. Publishing to the GitLab Package Registry (gitlab.com project 32802097) compiles and
+  # assembles the jars but runs no tests, so it needs neither `check` nor Postgres here.
+  publish:
+    name: Publish to GitLab Packages
+    needs: build
+    if: >-
+      github.event_name == 'push' &&
+      (github.ref == 'refs/heads/dev' ||
+       github.ref == 'refs/heads/master' ||
+       startsWith(github.ref, 'refs/heads/version-'))
+    runs-on: linux-arm64-xlarge
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/gradle-setup
+
+      # Auth via ORG_GRADLE_PROJECT_* (Gradle reads them as the gitlabAuthHeaderName/Value project
+      # properties) rather than -P flags, so the token never lands on the command line.
+      - name: Publish
+        env:
+          ORG_GRADLE_PROJECT_gitlabAuthHeaderName: Private-Token
+          ORG_GRADLE_PROJECT_gitlabAuthHeaderValue: ${{ secrets.GITLAB_PUBLISH_TOKEN }}
+        run: ./gradlew $GRADLE_FLAGS publish
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
@@ -0,0 +1,38 @@
+name: Dependency check
+
+on:
+  workflow_dispatch:
+
+concurrency:
+  group: dependency-check-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-check:
+    name: OWASP dependency check
+    runs-on: linux-arm64-medium
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/gradle-setup
+
+      # --no-parallel / --no-configuration-cache: dependencyCheckAggregate resolves every
+      # subproject's configurations from the root project, which Gradle 9 rejects under
+      # org.gradle.parallel=true.
+      # Memory is not a constraint on linux-arm64-medium (16 GiB): no tests and no Postgres, just the
+      # Gradle (4g) + Kotlin (2g) daemons.
+      - name: Run dependencyCheckAggregate
+        run: >-
+          ./gradlew -Dorg.gradle.caching=true --max-workers=1
+          -Dorg.gradle.jvmargs=-Xmx4g -Pkotlin.daemon.jvmargs=-Xmx2g
+          --no-configuration-cache --no-parallel dependencyCheckAggregate
+
+      - name: Upload report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-check-report
+          path: build/reports/dependency-check-report.*
+          if-no-files-found: ignore
diff --git a/.github/workflows/profile.yml b/.github/workflows/profile.yml
@@ -0,0 +1,87 @@
+name: Profile (Pages)
+
+# Manual end-to-end profiler run (Postgres + chr node + async-profiler + workload + HTML),
+# published to GitHub Pages per commit.
+#   https://chromiaproject.github.io/rell-performance-reports/profile-<branch-slug>-<sha>/report.html
+on:
+  workflow_dispatch:
+
+# Serialize the deployment workflows: each force-pushes the reports repo's gh-pages, so concurrent
+# runs would clobber each other.
+concurrency:
+  group: gh-pages
+  cancel-in-progress: false
+
+permissions:
+  contents: write
+
+env:
+  # linux-arm64-medium (4 vCPU / 16 GiB). No JUnit suite (the profiler drives a chr node), so the
+  # test-heap props are omitted: Gradle 4g + Kotlin 2g + chr node JVM (~4g default) + native Postgres
+  # ~1g ≈ 11g of 16g, and the build/compile and workload phases don't peak together.
+  GRADLE_FLAGS: >-
+    -Dorg.gradle.caching=true
+    --max-workers=1
+    -Dorg.gradle.jvmargs=-Xmx4g
+    -Pkotlin.daemon.jvmargs=-Xmx2g
+  POSTCHAIN_DB_URL: jdbc:postgresql://localhost:5432/postchain
+  # `chr` reads its connection from CHR_DB_*; without these `chr node start` fails connection-refused.
+  CHR_DB_URL: jdbc:postgresql://localhost:5432/postchain
+  CHR_DB_USER: postchain
+  CHR_DB_PASSWORD: postchain
+
+jobs:
+  profile:
+    name: Profile + publish
+    runs-on: linux-arm64-medium
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/gradle-setup
+      - uses: ./.github/actions/postgres
+
+      # Persist the local Maven repo the chr bootstrap (:performance:buildLocalChr) populates,
+      # so chromia-cli deps survive across runs.
+      - name: Cache local-chr Maven repo
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2/repository
+          key: local-chr-m2-${{ github.ref_name }}-${{ github.sha }}
+          restore-keys: |
+            local-chr-m2-${{ github.ref_name }}-
+            local-chr-m2-dev-
+
+      - name: Compute deployment prefix
+        id: prefix
+        run: |
+          slug=$(echo "${GITHUB_REF_NAME}" | tr -c 'A-Za-z0-9' '-' | sed 's/-\+/-/g; s/^-//; s/-$//')
+          echo "slug=$slug" >> "$GITHUB_OUTPUT"
+          echo "sha=${GITHUB_SHA::8}" >> "$GITHUB_OUTPUT"
+          echo "dir=profile-${slug}-${GITHUB_SHA::8}" >> "$GITHUB_OUTPUT"
+
+      - name: Run profiler
+        run: ./gradlew $GRADLE_FLAGS :performance:profile
+
+      - name: Assemble site
+        env:
+          DIR: ${{ steps.prefix.outputs.dir }}
+          SLUG: ${{ steps.prefix.outputs.slug }}
+          SHA: ${{ steps.prefix.outputs.sha }}
+        run: |
+          dest="site/$DIR"
+          mkdir -p "$dest"
+          cp -r performance/reports/. "$dest/"
+          # meta.json drives the client-side index; index.html at the root is refreshed each run.
+          jq -n --arg kind profile --arg slug "$SLUG" --arg sha "$SHA" \
+            --arg title "$(git log -1 --format=%s)" --arg ts "$(git log -1 --format=%cI)" \
+            --argjson data true \
+            '{kind:$kind, slug:$slug, sha:$sha, title:$title, ts:$ts, data:$data}' > "$dest/meta.json"
+          cp performance/ci-index/index.html site/index.html
+
+      - name: Publish to reports repo
+        uses: peaceiris/actions-gh-pages@v4
+        with:
+          deploy_key: ${{ secrets.RELL_REPORTS_DEPLOY_KEY }}
+          external_repository: ChromiaProject/rell-performance-reports
+          publish_dir: ./site
+          keep_files: true
+          commit_message: "profile: ${{ steps.prefix.outputs.dir }}"
diff --git a/.github/workflows/qodana.yml b/.github/workflows/qodana.yml
diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml
diff --git a/performance/ci-index/index.html b/performance/ci-index/index.html
