Skip to content

Commit

Permalink
separate sonar reports and publishing build steps
Browse files Browse the repository at this point in the history
  • Loading branch information
itsankit-google committed Jun 21, 2024
1 parent f05eb25 commit 43ea7d4
Show file tree
Hide file tree
Showing 2 changed files with 83 additions and 59 deletions.
76 changes: 76 additions & 0 deletions .github/workflows/build-sonar-report.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
# Copyright © 2024 Cask Data, Inc.
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy of
# the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under
# the License.

# This workflow will build a Java project with Maven
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
# Note: Any changes to this workflow would be used only after merging into develop
name: Build Sonar Report

on:
workflow_run:
workflows:
- Build with test coverage for Sonar
types:
- completed

jobs:
build:
runs-on: k8s-runner-build

steps:
- name: Cache SonarCloud packages
uses: actions/cache@v3
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar

- name: Download artifact
uses: actions/download-artifact@v2
with:
name: reports-${{ github.event.workflow_run.id }}
path: ./downloaded-artifact

- name: Validate PR
id: validate_pr
# For whatever reason we get PR 69 for develop branch with both head and base as develop.
if: ${{ github.event.workflow_run.pull_requests[0].head.ref != github.event.workflow_run.pull_requests[0].base.ref }}
run: |
echo "PR_KEY=${{ github.event.workflow_run.pull_requests[0].number }}"
echo "PR_BRANCH=${{ github.event.workflow_run.pull_requests[0].head.ref }}"
echo "PR_BASE=${{ github.event.workflow_run.pull_requests[0].base.ref }}"
- name: Sonar report
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
run: >-
mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -fae -T 2 -B -V
-Dmaven.repo.local=$HOME/.m2/repository11
-DcloudBuild
-Pcoverage,templates
-Dmaven.wagon.http.retryHandler.count=3
-Dmaven.wagon.httpconnectionManager.ttlSeconds=25
-Dsonar.pullrequest.key=$PR_KEY
-Dsonar.pullrequest.branch=$PR_BRANCH
-Dsonar.pullrequest.base=$PR_BASE
-Dsonar.branch.name=${{ github.event.workflow_run.head_branch }}

Check failure

Code scanning / CodeQL

Expression injection in Actions Critical

Potential injection from the ${{ github.event.workflow_run.head_branch }}, which may be controlled by an external user.
- name: Surefire Report
# Pinned 3.5.2 version
uses: mikepenz/action-junit-report@16a9560bd02f11e7e3bf6b3e2ef6bba6c9d07c32
if: always()
with:
report_paths: '**/target/surefire-reports/TEST-*.xml'
github_token: ${{ secrets.GITHUB_TOKEN }}
detailed_summary: true
commit: ${{ github.event.workflow_run.head_sha }}
check_name: Sonar Build Test Report
66 changes: 7 additions & 59 deletions .github/workflows/build-sonar.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,27 +12,22 @@
# This workflow will build a Java project with Maven
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
# Note: Any changes to this workflow would be used only after merging into develop
name: Build with test coverage and Sonar
name: Build with test coverage for Sonar

on:
workflow_run:
workflows:
- Trigger build
types:
- completed
push:
branches: [ develop, release/** ]
pull_request:
branches: [ develop, release/** ]
types: [opened, synchronize, reopened, labeled]

jobs:
build:
runs-on: k8s-runner-build

if: ${{ github.event.workflow_run.conclusion != 'skipped' }}

steps:
# Pinned 1.0.0 version
- uses: marocchino/action-workflow_run-status@54b6e87d6cb552fc5f36dbe9a722a6048725917a
- uses: actions/checkout@v3
with:
ref: ${{ github.event.workflow_run.head_sha }}
submodules: recursive
- name: Cache
uses: actions/cache@v3
Expand All @@ -41,12 +36,6 @@ jobs:
key: ${{ runner.os }}-maven-${{ github.workflow }}-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-maven-${{ github.workflow }}
- name: Cache SonarCloud packages
uses: actions/cache@v3
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Build with Maven
run: >-
mvn clean verify -fae -T 2 -B -V -Dmaven.test.failure.ignore
Expand All @@ -59,48 +48,7 @@ jobs:
uses: actions/[email protected]
if: always()
with:
name: Build debug files
name: reports-${{ github.run_id }}
path: |
**/target/rat.txt
**/target/surefire-reports/*
- name: Validate PR
id: validate_pr
# For whatever reason we get PR 69 for develop branch with both head and base as develop.
if: ${{ github.event.workflow_run.pull_requests[0].head.ref != github.event.workflow_run.pull_requests[0].base.ref }}
run: |
echo ":set-output pr-key=${{ github.event.workflow_run.pull_requests[0].number }}"
echo ":set-output pr-branch=${{ github.event.workflow_run.pull_requests[0].head.ref }}"
echo ":set-output pr-base=${{ github.event.workflow_run.pull_requests[0].base.ref }}"
- name: Sonar report
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
run: >-
mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -fae -T 2 -B -V
-Dmaven.repo.local=$HOME/.m2/repository11
-DcloudBuild
-Pcoverage,templates
-Dmaven.wagon.http.retryHandler.count=3
-Dmaven.wagon.httpconnectionManager.ttlSeconds=25
-Dsonar.pullrequest.key=${{ steps.validate_pr.outputs.pr-key }}
-Dsonar.pullrequest.branch=${{ steps.validate_pr.outputs.pr-branch }}
-Dsonar.pullrequest.base=${{ steps.validate_pr.outputs.pr-base }}
-Dsonar.branch.name=${{ github.event.workflow_run.head_branch }}
- name: Archive build artifacts
uses: actions/upload-artifact@v3
if: always()
with:
name: Build debug files
path: |
**/target/rat.txt
**/target/surefire-reports/*
- name: Surefire Report
# Pinned 3.5.2 version
uses: mikepenz/action-junit-report@16a9560bd02f11e7e3bf6b3e2ef6bba6c9d07c32
if: always()
with:
report_paths: '**/target/surefire-reports/TEST-*.xml'
github_token: ${{ secrets.GITHUB_TOKEN }}
detailed_summary: true
commit: ${{ github.event.workflow_run.head_sha }}
check_name: Sonar Build Test Report

0 comments on commit 43ea7d4

Please sign in to comment.