Continuous Integration and Continuous Delivery

OmegaT uses two CI/CD platforms:

  • Azure Pipelines — the primary platform, handling build, test, and publishing of Windows packages and documentation.

  • GitHub Actions — handles Linux package builds, daily quality checks, and supplementary publishing.

The pipeline configuration files are located under ci/azure-pipelines/ and .github/workflows/, with the main Azure definition, azure-pipelines.yml, at the project root.


Azure Pipelines

The main pipeline definition is azure-pipelines.yml at the project root. It is triggered on pushes and pull requests targeting master and releases/* branches, as well as on a weekly schedule (every Saturday at 12:00 UTC).

The pipeline is structured into three stages:

Stage 1: TestAndDocCI

Runs on every push and pull request (but not on scheduled or manual runs, and not on release tags).

A CheckChanges job first inspects which files have changed since the previous commit (or since master for pull requests). Based on the result, downstream jobs are conditionally executed:

  • BuildDocument — runs only when documentation files under src_docs/ or tip-of-the-day files have changed.

  • testOnLinux / testOnWindows / testOnMac — run only when non-documentation source files have changed.
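
The change classification described above, as an added example in POSIX shell (not OmegaT's actual CheckChanges script). The tip-of-the-day prefix is a placeholder because the page does not give that path, and the output variable names docsChanged and srcChanged are hypothetical.

```shell
#!/bin/sh
# Added example, not OmegaT's CheckChanges script.
DOCS_PREFIX="src_docs/"            # from the page
TIPS_PREFIX="PLACEHOLDER_TIPS/"    # placeholder: real tip-of-the-day path is not given

# Reads changed paths (one per line) on stdin, e.g. from `git diff --name-only`.
# Prints "docs=<true|false> src=<true|false>".
classify_changes() {
    docs=false
    src=false
    while IFS= read -r path || [ -n "$path" ]; do
        [ -n "$path" ] || continue
        case "$path" in
            "$DOCS_PREFIX"*|"$TIPS_PREFIX"*) docs=true ;;
            # Fail safe: every path not known to be documentation counts as
            # source, so a new top-level directory can never skip the tests.
            *) src=true ;;
        esac
    done
    printf 'docs=%s src=%s\n' "$docs" "$src"
}

# Turns the classification into Azure Pipelines output variables that
# downstream job conditions can read (variable names are hypothetical).
emit_azure_vars() {
    result=$(classify_changes)
    docs=${result#docs=}; docs=${docs%% *}
    src=${result##*src=}
    echo "##vso[task.setvariable variable=docsChanged;isOutput=true]$docs"
    echo "##vso[task.setvariable variable=srcChanged;isOutput=true]$src"
}

# Constructed sample input: one documentation file and one build file.
printf '%s\n' 'src_docs/manual/intro.xml' 'build.gradle' | classify_changes
```

An empty change list yields docs=false src=false, so neither the documentation build nor the test jobs would run.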

Stage 2: Weekly

Runs on a scheduled Saturday build or on a manual trigger.

This stage runs the following jobs in parallel before publishing:

  • CheckForWeekly — runs check_steps.yml, which executes the Gradle check task. This is a comprehensive quality gate that includes unit tests, style checks, and other verifications.

  • IntegrationTestForWeekly — runs integ_test_steps.yml, which launches Docker Compose-based integration tests (GIT type, with a 600 second duration limit).

  • WeeklyBuild — builds Windows and macOS distribution packages and documentation. Uses build_steps.yml and build_doc_steps.yml (see below).

WeeklyPublish depends on all three jobs above succeeding, then downloads the pipeline artifacts and uploads them to the SourceForge file release server via publish_weekly.yml.

Stage 3: Release

Triggered only when a version tag (matching refs/tags/v*) is pushed.

  • CheckForRelease — same as CheckForWeekly: runs the full Gradle check task.

  • ReleaseBuild — depends on CheckForRelease passing. Builds all distribution packages and documentation using build_steps.yml and build_doc_steps.yml.

  • ReleasePublish — downloads the built artifacts and uploads them to the SourceForge release directory via publish_release.yml.


Azure Pipeline Sub-tasks

The reusable step templates live under ci/azure-pipelines/:

File                    Purpose
build_steps.yml         Downloads bundled JREs, builds Windows and macOS packages (win, mac), source distribution (sourceDistZip, distZip), and Javadoc.
build_doc_steps.yml     Builds the HTML manuals using the Gradle manualHtmls task with JDK 17.
check_steps.yml         Runs the Gradle check task and publishes test results as a pipeline report.
integ_test_steps.yml    Runs and tears down Docker Compose-based integration tests. Accepts testType and duration parameters.
publish_weekly.yml      Uploads distribution packages to SourceForge/Weekly and HTML manuals to the SourceForge project web snapshot directory, using SFTP via lftp.
publish_release.yml     Uploads distribution packages, HTML manuals, and Javadoc to versioned release directories on SourceForge, using SFTP via lftp.
test_java17_steps.yml   Runs the standard test suite on a given platform (Linux, Windows, macOS) using JDK 17.


GitHub Actions

Linux Package Build and Publish (publish-linux.yml)

This workflow builds Linux distribution packages and publishes them to SourceForge.

It is triggered by:

  • A version tag push (v*) — publishes as a release.

  • A weekly schedule (every Saturday at 13:18 UTC) — publishes as a weekly snapshot.

  • A manual workflow_dispatch — lets you choose release or weekly explicitly.

The build job uses a matrix strategy to build on two architectures in parallel:

Architecture   Runner             Gradle tasks
amd64          ubuntu-latest      linuxDistDeb linuxDistRpm linux64DistTarBz
aarch64        ubuntu-24.04-arm   linuxDistDeb linuxDistRpm linuxArm64DistTarBz

Each build step:

  1. Downloads the appropriate Temurin JRE 17 for its architecture into a local asset/ directory.

  2. Runs the Gradle tasks using jpackage-based tasks defined in org.omegat.linux-conventions.gradle and org.omegat.jpkg-conventions.gradle.

  3. Uploads the distribution files as GitHub Actions artifacts.

The publish job then:

  1. Downloads the artifacts from both architectures.

  2. Determines whether to publish to the Weekly folder or to a versioned release folder on SourceForge, based on the trigger event.

  3. Uploads via lftp over SFTP using an SSH key stored as a GitHub Actions secret.

Note: Both architectures must succeed. fail-fast: false lets each matrix build run to completion even if the other fails, but the publish job still requires both build jobs.
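
One way to implement step 2 of the publish job, as an added example that is not taken from publish-linux.yml. It assumes the standard GitHub event names and that a release always takes its version from a v* tag ref; the printed release/<version> value is a label, not the real SourceForge directory, which the page does not give.

```shell
#!/bin/sh
# Added example, not the project's workflow code.
# Prints "weekly" or "release/<version>"; returns 1 when no safe target exists.
# Arguments: event name, Git ref, manual choice (workflow_dispatch only).
publish_target() {
    event=$1 ref=$2 choice=${3:-}
    case "$event" in
        schedule) kind=weekly ;;
        push)
            case "$ref" in
                refs/tags/v*) kind=release ;;
                *) return 1 ;;      # a branch push never publishes
            esac ;;
        workflow_dispatch)
            case "$choice" in
                weekly|release) kind=$choice ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;              # any other event never publishes
    esac
    if [ "$kind" = weekly ]; then
        echo weekly
        return 0
    fi
    # Assumption: a release always takes its version from a v* tag ref.
    case "$ref" in
        refs/tags/v*) version=${ref#refs/tags/v} ;;
        *) return 1 ;;
    esac
    # The version becomes part of a remote path, so allow only a
    # conservative character set and no ".." sequences.
    case "$version" in
        ''|*[!A-Za-z0-9._-]*|*..*) return 1 ;;
    esac
    echo "release/$version"
}

# Constructed sample call with a made-up tag.
publish_target push refs/tags/v0.0.0
```

In a workflow step the first two arguments would come from the GITHUB_EVENT_NAME and GITHUB_REF environment variables, and the third from the workflow_dispatch input.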


Daily Quality Checks on GitHub Actions

The following workflows run on every push to master / releases/* and on every pull request, providing continuous quality feedback. Most workflows skip ci/, src_docs/, and *.md changes to avoid unnecessary runs on non-code changes.

Workflow file                 Name                      What it checks
acceptance-master.yml         Acceptance Tests          Runs the UI acceptance test suite under a virtual framebuffer (Xvfb).
checkstyle-annotate.yml       Run checkstyle            Runs checkstyleMain and checkstyleTest Gradle tasks and annotates violations inline.
gradle-check-master.yml       Quality checks            Runs the full Gradle check task and verifies the Git working tree is clean after the build.
manuals-builds-master.yml     Check manuals build       Builds the HTML manuals with manualHtmls; triggered only when manual source files change.
pmd-annotate.yml              Run PMD                   Runs pmdMain and pmdTest Gradle tasks and annotates findings inline.
qodana-code-quality.yml       Qodana                    Runs a nightly JetBrains Qodana static analysis scan and uploads results to the Qodana cloud.
semgrep.yml                   Run Semgrep               Runs Semgrep SAST analysis on every pull request and on pushes to master.
source-distribution-test.yml  Source Distribution Test  Builds the source distribution with installSourceDist, then compiles it from scratch and checks for duplicate dependencies — this catches any missing or incorrectly declared build dependencies.
spotbugs-annotate.yml         Run SpotBugs              Runs spotbugsMain and spotbugsTest Gradle tasks and annotates findings inline.

Notes on specific checks

  • Acceptance Tests require a display server; the workflow installs xvfb and related X11 libraries before running.

  • Qodana runs nightly on a schedule (daily at 21:03 UTC) rather than on every push, due to its longer execution time. It uses a baseline file (qodana.sarif.json) to suppress known issues.

  • Source Distribution Test is particularly important for catching missing dependency declarations: it installs the source distribution to a clean directory and attempts to build it independently, failing fast if any transitive dependency is absent from the declared dependency list.

  • Semgrep skips pull requests from dependabot[bot] to avoid permission issues with the Semgrep token.


Secrets and Credentials

The publish pipelines require the following secrets to be configured:

Secret                                                             Platform        Purpose
SOURCEFORGE_CI_USER                                                Azure / GitHub  SourceForge SFTP username
SOURCEFORGE_KEY_PASS                                               Azure / GitHub  Passphrase for the SSH private key
omegat-ci-rsa (Azure Secure File) / OMEGAT_CI_RSA (GitHub Secret)  Azure / GitHub  SSH private key for SourceForge SFTP access
QODANA_TOKEN                                                       GitHub          Authentication token for uploading Qodana results
SEMGREP_APP_TOKEN                                                  GitHub          Authentication token for the Semgrep cloud app


CI File Locations Summary

azure-pipelines.yml                        # Root pipeline definition (Azure)
ci/
  azure-pipelines/
    build_steps.yml                        # Windows/macOS/source distribution build
    build_doc_steps.yml                    # Manual HTML build
    check_steps.yml                        # Gradle check + test result publishing
    integ_test_steps.yml                   # Docker Compose integration tests
    publish_weekly.yml                     # Upload to SourceForge Weekly
    publish_release.yml                    # Upload to SourceForge release folder
    test_java17_steps.yml                  # Cross-platform unit test run
.github/
  workflows/
    acceptance-master.yml                  # UI acceptance tests
    checkstyle-annotate.yml                # Checkstyle
    gradle-check-master.yml                # Gradle check + clean tree verification
    manuals-builds-master.yml              # Manuals HTML build check
    pmd-annotate.yml                       # PMD static analysis
    publish-linux.yml                      # Linux package build + SourceForge publish
    qodana-code-quality.yml                # Nightly Qodana scan
    semgrep.yml                            # Semgrep SAST
    source-distribution-test.yml           # Source distribution build + dependency check
    spotbugs-annotate.yml                  # SpotBugs static analysis