Skip to content

Enable JDK-EA builds again #13036

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 33 commits into from
Closed

Enable JDK-EA builds again #13036

wants to merge 33 commits into from

Conversation

@koppor
Copy link
Member

@koppor koppor commented Apr 30, 2025
edited
Loading

Experiments based on #13033 - not pushing to #13033, do avoid noice for the contributor.

With this PR, we are working towards having a single mise.toml configuring the JDK. Works for all GitHub workflows; need to update IDE instructions (there is a mise plugin) - and look at the dev container etc.

Howto for windows:

  1. mise install (in JabRef dir)
  2. Copy %APPDATA%\..\Local\mise\installs\* to c:\user\{login}\.asdf\installs\*. - see Add support for mise locations. gradle/foojay-toolchains#110
  3. Install Mise IntelliJ Plugin
  4. Update code howto that both JDK21 (for gradle) and other JDK is found

Kind of blocker: 134130/intellij-mise#234

Mandatory checks

  • I own the copyright of the code submitted and I license it under the MIT license
  • [.] Change in CHANGELOG.md described in a way that is understandable for the average user (if change is visible to the user)
  • [.] Tests created for changes (if applicable)
  • [.] Manually tested changed features in running JabRef (always required)
  • [.] Screenshots added in PR description (if change is visible to the user)
  • [.] Checked developer's documentation: Is the information available and up to date? If not, I outlined it in this pull request.
  • [.] Checked documentation: Is the information available and up to date? If not, I created an issue at https://github.com/JabRef/user-documentation/issues or, even better, I submitted a pull request to the documentation repository.

@koppor
Copy link
Member Author

koppor commented Apr 30, 2025
edited
Loading 

Underlying exception : org.mockito.exceptions.base.MockitoException: Could not modify all classes [class java.lang.Object, class org.jabref.logic.bibtex.FieldPreferences]
        at app//org.jabref.logic.shared.SynchronizationSimulatorTest.setup(SynchronizationSimulatorTest.java:56)

        Caused by:
        org.mockito.exceptions.base.MockitoException: Could not modify all classes [class java.lang.Object, class org.jabref.logic.bibtex.FieldPreferences]
            at app//net.bytebuddy.TypeCache.findOrInsert(TypeCache.java:168)
            at app//net.bytebuddy.TypeCache$WithInlineExpunction.findOrInsert(TypeCache.java:399)
            at app//net.bytebuddy.TypeCache.findOrInsert(TypeCache.java:190)
            at app//net.bytebuddy.TypeCache$WithInlineExpunction.findOrInsert(TypeCache.java:410)
            ... 1 more

            Caused by:
            java.lang.IllegalStateException: 
            Byte Buddy could not instrument all classes within the mock's type hierarchy

            This problem should never occur for javac-compiled classes. This problem has been observed for classes that are:
             - Compiled by older versions of scalac
             - Classes that are part of the Android distribution
                at org.mockito.internal.creation.bytebuddy.InlineBytecodeGenerator.triggerRetransformation(InlineBytecodeGenerator.java:291)
                at org.mockito.internal.creation.bytebuddy.InlineBytecodeGenerator.mockClass(InlineBytecodeGenerator.java:220)
                at org.mockito.internal.creation.bytebuddy.TypeCachingBytecodeGenerator.lambda$mockClass$0(TypeCachingBytecodeGenerator.java:78)
                at net.bytebuddy.TypeCache.findOrInsert(TypeCache.java:168)
                at net.bytebuddy.TypeCache$WithInlineExpunction.findOrInsert(TypeCache.java:399)
                at net.bytebuddy.TypeCache.findOrInsert(TypeCache.java:190)
                at net.bytebuddy.TypeCache$WithInlineExpunction.findOrInsert(TypeCache.java:410)
                at org.mockito.internal.creation.bytebuddy.TypeCachingBytecodeGenerator.mockClass(TypeCachingBytecodeGenerator.java:75)
                at org.mockito.internal.creation.bytebuddy.InlineDelegateByteBuddyMockMaker.createMockType(InlineDelegateByteBuddyMockMaker.java:429)
                at org.mockito.internal.creation.bytebuddy.InlineDelegateByteBuddyMockMaker.doCreateMock(InlineDelegateByteBuddyMockMaker.java:388)
                at org.mockito.internal.creation.bytebuddy.InlineDelegateByteBuddyMockMaker.createMock(InlineDelegateByteBuddyMockMaker.java:367)
                at org.mockito.internal.creation.bytebuddy.InlineByteBuddyMockMaker.createMock(InlineByteBuddyMockMaker.java:56)
                at org.mockito.internal.util.MockUtil.createMock(MockUtil.java:99)
                at org.mockito.internal.MockitoCore.mock(MockitoCore.java:84)
                at org.mockito.Mockito.mock(Mockito.java:2198)
                at org.mockito.Mockito.mock(Mockito.java:2113)
                ... 1 more

                Caused by:
                java.lang.IllegalArgumentException: Java 25 (69) is not supported by the current version of Byte Buddy which officially supports Java 24 (68) - update Byte Buddy or set net.bytebuddy.experimental as a VM property

@koppor
Copy link
Member Author

koppor commented Apr 30, 2025

Updated bytebuddy to latest version to support JDK25: https://github.com/raphw/byte-buddy/releases/tag/byte-buddy-1.17.5

@Siedlerchr
Copy link
Member

Siedlerchr commented Apr 30, 2025

jmod module path on mac is wrong, uses/evaluates to --module-path /Users/runner/hostedtoolcache/Java_Temurin-Hotspot_jdk/21.0.7-6.0/arm64/Contents/Home/jmods/:build/jlinkbase/jlinkjars \

@koppor
Copy link
Member Author

koppor commented Apr 30, 2025

Windows:

> Could not copy file 'D:\a\jabref\jabref\jabgui\buildres\windows\JabRef-post-image.wsf' to 'D:\a\jabref\jabref\jabgui\build\jpackage-resource-dir\JabRef-post-image.wsf'.
You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.
   > Error - Invalid filter specification for org.apache.tools.ant.filters.ReplaceTokens

@koppor
Copy link
Member Author

koppor commented Apr 30, 2025

Windows:

[12:56:51.506] java.io.IOException: Command [cscript, D:\a\jabref\jabref\jabgui\build\installer\config\JabRef-post-image.wsf] in D:\a\jabref\jabref\jabgui\build\installer\images\win-msi.image exited with 1 code
	at jdk.jpackage/jdk.jpackage.internal.Executor.executeExpectSuccess(Executor.java:90)
	at jdk.jpackage/jdk.jpackage.internal.ScriptRunner.run(ScriptRunner.java:100)
	at jdk.jpackage/jdk.jpackage.internal.WinMsiBundler.execute(WinMsiBundler.java:440)
	at jdk.jpackage/jdk.jpackage.internal.Arguments.executeBundler(Arguments.java:740)
	at jdk.jpackage/jdk.jpackage.internal.Arguments.generateBundle(Arguments.java:701)
	at jdk.jpackage/jdk.jpackage.internal.Arguments.processArguments(Arguments.java:552)
	at jdk.jpackage/jdk.jpackage.main.Main.execute(Main.java:93)
	at jdk.jpackage/jdk.jpackage.main.Main.main(Main.java:54)
[12:56:51.507] Kept working directory for debug: D:\a\jabref\jabref\jabgui\build\installer
[12:56:51.507] jdk.jpackage.internal.model.PackagerException: java.io.IOException: Command [cscript, D:\a\jabref\jabref\jabgui\build\installer\config\JabRef-post-image.wsf] in D:\a\jabref\jabref\jabgui\build\installer\images\win-msi.image exited with 1 code
	at jdk.jpackage/jdk.jpackage.internal.WinMsiBundler.execute(WinMsiBundler.java:445)
	at jdk.jpackage/jdk.jpackage.internal.Arguments.executeBundler(Arguments.java:740)
	at jdk.jpackage/jdk.jpackage.internal.Arguments.generateBundle(Arguments.java:701)
	at jdk.jpackage/jdk.jpackage.internal.Arguments.processArguments(Arguments.java:552)
	at jdk.jpackage/jdk.jpackage.main.Main.execute(Main.java:93)
	at jdk.jpackage/jdk.jpackage.main.Main.main(Main.java:54)
Caused by: java.io.IOException: Command [cscript, D:\a\jabref\jabref\jabgui\build\installer\config\JabRef-post-image.wsf] in D:\a\jabref\jabref\jabgui\build\installer\images\win-msi.image exited with 1 code
	at jdk.jpackage/jdk.jpackage.internal.Executor.executeExpectSuccess(Executor.java:90)
	at jdk.jpackage/jdk.jpackage.internal.ScriptRunner.run(ScriptRunner.java:100)
	at jdk.jpackage/jdk.jpackage.internal.WinMsiBundler.execute(WinMsiBundler.java:440)
	... 5 more

Siedlerchr
Siedlerchr reviewed Apr 30, 2025
View reviewed changes
.github/workflows/deployment.yml Outdated
cd jabgui
eval "$(mise hook-env)"
Copy link
Member

@Siedlerchr Siedlerchr Apr 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems like the env.JAVA_HOME var is not set correctly
jlink failed with: Error: jlink version 25.0 does not match target java.base version 21.0

Copy link
Member Author

@koppor koppor Apr 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

jdx/mise#4973

This was referenced Apr 30, 2025
Merged
Merged
@koppor
Copy link
Member Author

koppor commented May 1, 2025

Too much effort; we will "just" use JDK25 as soon as it is released.

@koppor koppor closed this May 1, 2025
@github-actions
Copy link
Contributor

github-actions bot commented May 1, 2025

The build for this PR is no longer available. Please visit https://builds.jabref.org/main/ for the latest build.

@koppor koppor reopened this May 4, 2025
@koppor koppor changed the title Update to JDK25 Enable JDK-EA builds again May 4, 2025
@koppor koppor mentioned this pull request May 4, 2025
Merged
1 task
github-advanced-security[bot]
github-advanced-security bot found potential problems May 4, 2025
View reviewed changes
.github/workflows/deployment-ea.yml
Comment on lines +38 to +306
strategy:
fail-fast: false
matrix:
include:
# if you change the os version rename all other occurrences
- os: ubuntu-22.04
displayName: linux
archivePortable: tar -c -C jabgui/build/distribution JabRef | pigz --rsyncable > jabgui/build/distribution/JabRef-portable_linux.tar.gz && rm -R jabgui/build/distribution/JabRef
archivePortableJabKit: tar -c -C jabkit/build/distribution jabkit | pigz --rsyncable > jabkit/build/distribution/jabkit-portable_linux.tar.gz && rm -R jabkit/build/distribution/jabkit
- os: windows-latest
displayName: windows
archivePortable: 7z a -r jabgui/build/distribution/JabRef-portable_windows.zip ./jabgui/build/distribution/JabRef && rm -R jabgui/build/distribution/JabRef
archivePortableJabKit: 7z a -r jabkit/build/distribution/jabkit-portable_windows.zip ./jabkit/build/distribution/jabkit && rm -R jabkit/build/distribution/jabkit
- os: macos-13 # intel image
displayName: macOS
suffix: ''
- os: macos-14
displayName: macOS (ARM64)
suffix: '_arm64'
runs-on: ${{ matrix.os }}
outputs:
major: ${{ steps.gitversion.outputs.Major }}
minor: ${{ steps.gitversion.outputs.Minor }}
branchname: ${{ steps.gitversion.outputs.branchName }}
name: ${{ matrix.displayName }} installer and portable version
steps:
- name: Check secrets presence
id: checksecrets
shell: bash
run: |
if [ "$BUILDJABREFPRIVATEKEY" == "" ]; then
echo "secretspresent=NO" >> $GITHUB_OUTPUT
echo "❌ Secret BUILDJABREFPRIVATEKEY not present"
else
echo "secretspresent=YES" >> $GITHUB_OUTPUT
echo "✔️ Secret BUILDJABREFPRIVATEKEY present"
fi
env:
BUILDJABREFPRIVATEKEY: ${{ secrets.buildJabRefPrivateKey }}
- name: Fetch all history for all tags and branches
uses: actions/checkout@v4
with:
fetch-depth: 0
submodules: 'true'
show-progress: 'false'
- name: Install pigz and cache (linux)
if: (matrix.os == 'ubuntu-22.04')
uses: awalsh128/cache-apt-pkgs-action@latest
with:
packages: pigz
version: 1.0
- name: Install GitVersion
uses: gittools/actions/gitversion/[email protected]
with:
versionSpec: "5.x"
- name: Run GitVersion
id: gitversion
uses: gittools/actions/gitversion/[email protected]

- name: Tell gradle to use JDK25
run: sed -i "s/JavaLanguageVersion.of(25)/JavaLanguageVersion.of(24)/" build-logic/src/main/kotlin/buildlogic.java-common-conventions.gradle.kts

# region setup-JDK
- name: Setup JDK 25 for "java toolchain" of Gradle
uses: jdx/mise-action@v2
with:
mise_toml: |
[tools]
java = { version = "openjdk-25.0.0-ea+21", release_type = "ea" }
- name: Debug
run: |
set -x
set -e
echo $JAVA_HOME
java --version
- name: Make JDK known to gradle (Linux, macOS)
if: (matrix.os != 'windows-latest')
shell: bash
# Hint by https://github.com/gradle/gradle/issues/29355#issuecomment-2598556970
run: ln -s ~/.local/share/mise ~/.asdf
- name: Make JDK known to gradle (Windows)
if: (matrix.os == 'windows-latest')
shell: bash
run: mv ~/AppData/Local/mise ~/.asdf
- name: Setup JDK for gradle itself
uses: actions/setup-java@v4
with:
java-version: '21'
distribution: 'temurin'
# endregion

- name: Setup Gradle
uses: gradle/actions/setup-gradle@v4
- name: Prepare merged jars and modules dir (macOS)
# prepareModulesDir is executing a build, which should run through even if no upload to builds.jabref.org is made
if: (matrix.os == 'macos-13') || (matrix.os == 'macos-14') || (steps.checksecrets.outputs.secretspresent == 'NO')
run: ./gradlew -i -PprojVersion="${{ steps.gitversion.outputs.AssemblySemVer }}" -PprojVersionInfo="${{ steps.gitversion.outputs.InformationalVersion }}" :jabgui:prepareModulesDir
- name: Setup macOS key chain
if: ((matrix.os == 'macos-13') || (matrix.os == 'macos-14')) && (steps.checksecrets.outputs.secretspresent == 'YES')
uses: slidoapp/import-codesign-certs@1923310662e8682dd05b76b612b53301f431cd5d
with:
p12-file-base64: ${{ secrets.OSX_SIGNING_CERT }}
p12-password: ${{ secrets.OSX_CERT_PWD }}
keychain-password: jabref
- name: Setup macOS key chain for app id cert
if: ((matrix.os == 'macos-13') || (matrix.os == 'macos-14')) && (steps.checksecrets.outputs.secretspresent == 'YES')
uses: slidoapp/import-codesign-certs@1923310662e8682dd05b76b612b53301f431cd5d
with:
p12-file-base64: ${{ secrets.OSX_SIGNING_CERT_APPLICATION }}
p12-password: ${{ secrets.OSX_CERT_PWD }}
create-keychain: false
keychain-password: jabref
- name: Debug
run: |
echo $JAVA_HOME
cat mise.toml
mise hook-env -f
mise hook-env -f | grep 'export JAVA_HOME'
eval $(mise hook-env -f | grep 'export JAVA_HOME')
echo $JAVA_HOME
eval $(mise hook-env -f | grep 'export PATH')
echo $JAVA_HOME
- name: Build dmg and pkg (macOS)
if: ((matrix.os == 'macos-13') || (matrix.os == 'macos-14')) && (steps.checksecrets.outputs.secretspresent == 'YES')
shell: bash
run: |
set -e
cd jabgui
# see https://github.com/jdx/mise/discussions/4973
eval $(mise hook-env -f | grep 'export JAVA_HOME')
eval $(mise hook-env -f | grep 'export PATH')
echo $JAVA_HOME
# Use Java's packaging tool to create "JabRef.app"
jpackage \
--module org.jabref/org.jabref.Launcher \
--module-path $JAVA_HOME/jmods/:build/jlinkbase/jlinkjars \
--add-modules org.jabref,org.jabref.merged.module \
--add-modules jdk.incubator.vector \
--dest build/distribution \
--name JabRef \
--app-version ${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }} \
--verbose \
--mac-sign \
--vendor "JabRef e.V." \
--mac-package-identifier JabRef \
--mac-package-name JabRef \
--type app-image \
--mac-signing-key-user-name "JabRef e.V. (6792V39SK3)" \
--mac-package-signing-prefix org.jabref \
--mac-entitlements buildres/mac/jabref.entitlements \
--icon src/main/resources/icons/jabref.icns \
--resource-dir buildres/mac \
--file-associations buildres/mac/bibtexAssociations.properties \
--jlink-options --bind-services \
--java-options --add-exports=javafx.base/com.sun.javafx.event=org.jabref.merged.module \
--java-options --add-exports=javafx.controls/com.sun.javafx.scene.control=org.jabref.merged.module \
--java-options --add-opens=javafx.graphics/javafx.scene=org.jabref.merged.module \
--java-options --add-opens=javafx.controls/javafx.scene.control=org.jabref.merged.module \
--java-options --add-opens=javafx.controls/javafx.scene.control.skin=org.jabref.merged.module \
--java-options --add-opens=javafx.controls/com.sun.javafx.scene.control=org.jabref.merged.module \
--java-options --add-opens=javafx.controls/javafx.scene.control=org.jabref \
--java-options --add-exports=javafx.base/com.sun.javafx.event=org.jabref \
--java-options --add-exports=javafx.controls/com.sun.javafx.scene.control=org.jabref \
--java-options --add-opens=javafx.graphics/javafx.scene=org.jabref \
--java-options --add-opens=javafx.controls/javafx.scene.control=org.jabref \
--java-options --add-opens=javafx.controls/com.sun.javafx.scene.control=org.jabref \
--java-options --add-opens=javafx.base/javafx.collections=org.jabref \
--java-options --add-opens=javafx.base/javafx.collections.transformation=org.jabref \
--java-options --add-modules=jdk.incubator.vector
# Add additional files / directories
cp buildres/mac/jabrefHost.py build/distribution/JabRef.app/Contents/
cp -R buildres/mac/native-messaging-host build/distribution/JabRef.app/Contents/
# Sign the final artifact
codesign --force --deep --sign "Developer ID Application: JabRef e.V. (6792V39SK3)" \
--entitlements buildres/mac/jabref.entitlements \
--options runtime --timestamp build/distribution/JabRef.app
# pack dmg and pkg
hdiutil create -volname "JabRef" -srcfolder build/distribution/JabRef.app -ov -format UDZO build/distribution/JabRef${{ matrix.suffix }}.dmg
productbuild --component build/distribution/JabRef.app /Applications --sign "Developer ID Installer: JabRef e.V. (6792V39SK3)" build/distribution/JabRef${{ matrix.suffix }}.pkg
# Cleanup unpacked file
rm -rf build/distribution/JabRef.app
- name: Build runtime image and installer (linux, Windows)
if: (matrix.os != 'macos-13') && (matrix.os != 'macos-14') && (steps.checksecrets.outputs.secretspresent == 'YES')
shell: bash
run: ./gradlew -i -PprojVersion="${{ steps.gitversion.outputs.AssemblySemVer }}" -PprojVersionInfo="${{ steps.gitversion.outputs.InformationalVersion }}" :jabgui:jpackage
- name: Build JabKit
if: (steps.checksecrets.outputs.secretspresent == 'YES')
shell: bash
run: ./gradlew -i -PprojVersion="${{ steps.gitversion.outputs.AssemblySemVer }}" -PprojVersionInfo="${{ steps.gitversion.outputs.InformationalVersion }}" :jabkit:jpackage
- name: Remove JabKit build for macOS
if: (matrix.os == 'macos-13') || (matrix.os == 'macos-14')
run: rm -rf jabkit/build/distribution/jabkit.app
- name: Package application image (linux, Windows)
if: (matrix.os != 'macos-13') && (matrix.os != 'macos-14') && (steps.checksecrets.outputs.secretspresent == 'YES')
shell: bash
run: |
set -e
${{ matrix.archivePortable }}
${{ matrix.archivePortableJabKit }}
- name: Rename files
if: (matrix.os != 'macos-13') && (matrix.os != 'macos-14') && (steps.checksecrets.outputs.secretspresent == 'YES')
shell: pwsh
run: |
get-childitem -Path jabgui/build/distribution/* | rename-item -NewName {$_.name -replace "${{ steps.gitversion.outputs.AssemblySemVer }}","${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}"}
get-childitem -Path jabgui/build/distribution/* | rename-item -NewName {$_.name -replace "portable","${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}-portable"}
- name: Repack deb file for Debian
if: (matrix.os == 'ubuntu-22.04') && (steps.checksecrets.outputs.secretspresent == 'YES')
shell: bash
run: |
cd jabgui/build/distribution
ar x jabref_${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}_amd64.deb
zstd -d < control.tar.zst | xz > control.tar.xz
zstd -d < data.tar.zst | xz > data.tar.xz
ar -m -c -a sdsd jabref_${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}_amd64_repackaged.deb debian-binary control.tar.xz data.tar.xz
rm debian-binary control.tar.* data.tar.*
mv -f jabref_${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}_amd64_repackaged.deb jabref_${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}_amd64.deb
- name: Setup rsync (macOS)
if: ${{ (!startsWith(github.ref, 'refs/heads/gh-readonly-queue')) && (steps.checksecrets.outputs.secretspresent == 'YES') && (((matrix.os == 'macos-13') || (matrix.os == 'macos-14')) && !((startsWith(github.ref, 'refs/tags/') || inputs.notarization == true))) }}
run: brew install rsync
- name: Setup rsync (Windows)
if: (matrix.os == 'windows-latest') && (steps.checksecrets.outputs.secretspresent == 'YES') && (!startsWith(github.ref, 'refs/heads/gh-readonly-queue'))
# We want to have rsync available at this place to avoid uploading and downloading from GitHub artifact store (taking > 5 minutes in total)
# We cannot use "action-rsyncer", because that requires Docker which is unavailable on Windows
# We cannot use "setup-rsync", because that does not work on Windows
# We do not use egor-tensin/setup-cygwin@v4, because it replaces the default shell
run: choco install --no-progress rsync
- name: Setup SSH key
if: ${{ (steps.checksecrets.outputs.secretspresent == 'YES') && (!startsWith(github.ref, 'refs/heads/gh-readonly-queue')) && (!((startsWith(github.ref, 'refs/tags/') || (inputs.notarization == true)))) }}
run: |
echo "${{ secrets.buildJabRefPrivateKey }}" > sshkey
chmod 600 sshkey
- name: Upload to builds.jabref.org (Windows)
if: (matrix.os == 'windows-latest') && (steps.checksecrets.outputs.secretspresent == 'YES') && (!startsWith(github.ref, 'refs/heads/gh-readonly-queue'))
shell: cmd
# for rsync installed by chocolatey, we need the ssh.exe delivered with that installation
run: |
rsync -rt --chmod=Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r --itemize-changes --stats --rsync-path="mkdir -p /var/www/builds.jabref.org/www/${{ steps.gitversion.outputs.branchName }} && rsync" -e 'C:\ProgramData\chocolatey\lib\rsync\tools\bin\ssh.exe -p 9922 -i sshkey -o StrictHostKeyChecking=no' jabgui/build/distribution/ [email protected]:/var/www/builds.jabref.org/www/${{ steps.gitversion.outputs.branchName }}/ || true
rsync -rt --chmod=Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r --itemize-changes --stats --rsync-path="mkdir -p /var/www/builds.jabref.org/www/${{ steps.gitversion.outputs.branchName }} && rsync" -e 'C:\ProgramData\chocolatey\lib\rsync\tools\bin\ssh.exe -p 9922 -i sshkey -o StrictHostKeyChecking=no' jabkit/build/distribution/ [email protected]:/var/www/builds.jabref.org/www/${{ steps.gitversion.outputs.branchName }}/ || true
- name: Upload to builds.jabref.org (linux, macOS)
# macOS: Negated condition of "Upload to GitHub workflow artifacts store (macOS)"
# Reason: We either upload the non-notarized files - or notarize the files later (and upload these later)
# needs to be on one line; multi line does not work
if: ${{ (!startsWith(github.ref, 'refs/heads/gh-readonly-queue')) && (steps.checksecrets.outputs.secretspresent == 'YES') && ((matrix.os == 'ubuntu-22.04') || (matrix.os == 'macos-13') || (matrix.os == 'macos-14')) && !((startsWith(github.ref, 'refs/tags/') || inputs.notarization == true)) }}
shell: bash
run: |
rsync -rt --chmod=Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r --itemize-changes --stats --rsync-path="mkdir -p /var/www/builds.jabref.org/www/${{ steps.gitversion.outputs.branchName }} && rsync" -e 'ssh -p 9922 -i sshkey -o StrictHostKeyChecking=no' jabgui/build/distribution/ [email protected]:/var/www/builds.jabref.org/www/${{ steps.gitversion.outputs.branchName }}/ || true
rsync -rt --chmod=Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r --itemize-changes --stats --rsync-path="mkdir -p /var/www/builds.jabref.org/www/${{ steps.gitversion.outputs.branchName }} && rsync" -e 'ssh -p 9922 -i sshkey -o StrictHostKeyChecking=no' jabkit/build/distribution/ [email protected]:/var/www/builds.jabref.org/www/${{ steps.gitversion.outputs.branchName }}/ || true
- name: Upload to GitHub workflow artifacts store (macOS)
if: ((matrix.os == 'macos-13') || (matrix.os == 'macos-14')) && (steps.checksecrets.outputs.secretspresent == 'YES') && (startsWith(github.ref, 'refs/tags/') || inputs.notarization == true)
uses: actions/upload-artifact@v4
with:
# tbn = to-be-notarized
name: JabRef-macOS-tbn-${{ matrix.os }}
path: build/distribution
compression-level: 0 # no compression
- name: Upload to GitHub workflow artifacts store
if: (steps.checksecrets.outputs.secretspresent != 'YES')
uses: actions/upload-artifact@v4
with:
name: JabRef-${{ matrix.os }}
path: build/distribution
compression-level: 0 # no compression
announce:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the issue, we will add a permissions block at the root level of the workflow to define the minimal permissions required for the GITHUB_TOKEN. Based on the workflow's operations, the contents: read permission is sufficient for most steps, as it allows the workflow to read repository contents without granting unnecessary write access. If specific jobs or steps require additional permissions, they can be defined at the job level.

Suggested changeset 1
.github/workflows/deployment-ea.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/deployment-ea.yml b/.github/workflows/deployment-ea.yml
--- a/.github/workflows/deployment-ea.yml
+++ b/.github/workflows/deployment-ea.yml
@@ -2,2 +2,5 @@
 
+permissions:
+  contents: read
+
 on:
EOF
@@ -2,2 +2,5 @@

permissions:
contents: read

on:
Copilot is powered by AI and may make mistakes. Always verify output.
.github/workflows/deployment-ea.yml
Comment on lines +307 to +333
name: Comment on pull request
runs-on: ubuntu-22.04
needs: [build]
if: ${{ github.event_name == 'pull_request' }}
steps:
- name: Check secrets presence
id: checksecrets
shell: bash
run: |
if [ "$BUILDJABREFPRIVATEKEY" == "" ]; then
echo "secretspresent=NO" >> $GITHUB_OUTPUT
echo "❌ Secret BUILDJABREFPRIVATEKEY not present"
else
echo "secretspresent=YES" >> $GITHUB_OUTPUT
echo "✔️ Secret BUILDJABREFPRIVATEKEY present"
fi
env:
BUILDJABREFPRIVATEKEY: ${{ secrets.buildJabRefPrivateKey }}
- name: Comment PR
if: (steps.checksecrets.outputs.secretspresent == 'YES')
uses: thollander/actions-comment-pull-request@v3
with:
message: |
The build of this PR is available at <https://builds.jabref.org/pull/${{ github.event.pull_request.number }}/merge>.
comment-tag: download-link
mode: recreate
notarize: # outsourced in a separate job to be able to rerun if this fails for timeouts

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 6 months ago

To fix the issue, we will add a permissions block to the announce job to explicitly define the minimal permissions required. Since the job interacts with pull requests by adding comments, it needs pull-requests: write. All other permissions will be omitted to restrict access.

Suggested changeset 1
.github/workflows/deployment-ea.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/deployment-ea.yml b/.github/workflows/deployment-ea.yml
--- a/.github/workflows/deployment-ea.yml
+++ b/.github/workflows/deployment-ea.yml
@@ -310,2 +310,4 @@
     if: ${{ github.event_name == 'pull_request' }}
+    permissions:
+      pull-requests: write
     steps:
EOF
@@ -310,2 +310,4 @@
if: ${{ github.event_name == 'pull_request' }}
permissions:
pull-requests: write
steps:
Copilot is powered by AI and may make mistakes. Always verify output.
@trag-bot
Copy link

trag-bot bot commented May 4, 2025

@trag-bot didn't find any issues in the code! ✅✨

@koppor
Copy link
Member Author

koppor commented May 4, 2025

Closing, because too much back and forth - will start a clean PR - which "just" enables -ea builds.

@koppor koppor closed this May 4, 2025
@koppor koppor mentioned this pull request May 4, 2025
Merged
1 task
@koppor koppor deleted the fix-jpackage-post-image-update-to-JDK25 branch May 11, 2025 15:01
@koppor koppor mentioned this pull request Oct 8, 2025
Draft
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Siedlerchr Siedlerchr Siedlerchr left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@koppor @Siedlerchr @alexeysemenyukoracle