-
Notifications
You must be signed in to change notification settings - Fork 30
132 lines (114 loc) · 4.2 KB
/
code-analysis-pull.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
name: Code Analysis for Pull Fork
on:
workflow_run:
workflows: ["Code Analysis"]
types:
- completed
jobs:
retrieve-pr:
if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
runs-on: ubuntu-latest
outputs:
pr-number: ${{ steps.pr-artifact-script.outputs.result }}
pr-base: ${{ steps.pr-base-script.outputs.result }}
steps:
- name: Download PR artifact
uses: actions/github-script@v6
id: download-pr
with:
result-encoding: string
script: |
var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: context.payload.workflow_run.id,
});
var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "pr"
})[0];
if (matchArtifact == null){
core.setFailed("No PR artifact");
return "False";
}
var download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
var fs = require('fs');
fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
return "True";
- name: Unzip the PR
if: steps.download-pr.outputs.result == 'True'
run: unzip pr.zip
- name: Retrieve the PR number
if: success()
id: pr-artifact-script
uses: actions/github-script@v6
with:
result-encoding: string
script: |
var fs = require('fs');
var pr_number = Number(fs.readFileSync('./NR'));
return pr_number;
- name: Retrieve the PR base
if: success()
id: pr-base-script
uses: actions/github-script@v6
with:
result-encoding: string
script: |
var fs = require('fs');
var pr_base = fs.readFileSync('./BaseBranch');
return pr_base;
build:
name: Code analysis
needs: retrieve-pr
runs-on: ubuntu-latest
env:
HAVE_SONAR_TOKEN: ${{ secrets.SONAR_TOKEN != '' }}
steps:
- name: Stop if no Sonar secret
if: ${{ env.HAVE_SONAR_TOKEN == 'false' }}
run: exit 1
- uses: actions/checkout@v3
with:
repository: ${{ github.event.workflow_run.head_repository.full_name }}
ref: ${{ github.event.workflow_run.head_branch }}
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Rebase PR
run: |
git config user.name "GitHub Workflow Action"
git remote add jss ${{ github.event.repository.clone_url }}
git fetch jss
git rebase jss/${{ needs.retrieve-pr.outputs.pr-base }}
- name: Set up JDK 17
uses: actions/setup-java@v1
with:
java-version: 17
- name: Cache SonarCloud packages
uses: actions/cache@v1
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Cache Maven packages
uses: actions/cache@v1
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: Build and analyze with SonarCloud
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: >
mvn
-B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
-Dsonar.projectKey=dogtagpki_jss
-pl '!native,!symkey'
-Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }}
-Dsonar.pullrequest.key=${{ needs.retrieve-pr.outputs.pr-number }}
-Dsonar.pullrequest.branch=${{ github.event.workflow_run.head_branch }}
-Dsonar.pullrequest.base=${{ github.event.workflow_run.pull_requests[0].base.ref }}