Skip to content

Code Analysis for Pull Fork #427

Code Analysis for Pull Fork

Code Analysis for Pull Fork #427

name: Code Analysis for Pull Fork
on:
workflow_run:
workflows: ["Code Analysis"]
types:
- completed
jobs:
retrieve-pr:
if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
runs-on: ubuntu-latest
outputs:
pr-number: ${{ steps.pr-artifact-script.outputs.result }}
pr-base: ${{ steps.pr-base-script.outputs.result }}
steps:
- name: Download PR artifact
uses: actions/github-script@v6
id: download-pr
with:
result-encoding: string
script: |
var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: context.payload.workflow_run.id,
});
var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "pr"
})[0];
if (matchArtifact == null){
core.setFailed("No PR artifact");
return "False";
}
var download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
var fs = require('fs');
fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
return "True";
- name: Unzip the PR
if: steps.download-pr.outputs.result == 'True'
run: unzip pr.zip
- name: Retrieve the PR number
if: success()
id: pr-artifact-script
uses: actions/github-script@v6
with:
result-encoding: string
script: |
var fs = require('fs');
var pr_number = Number(fs.readFileSync('./NR'));
return pr_number;
- name: Retrieve the PR base
if: success()
id: pr-base-script
uses: actions/github-script@v6
with:
result-encoding: string
script: |
var fs = require('fs');
var pr_base = fs.readFileSync('./BaseBranch');
return pr_base;
build:
name: Code analysis
needs: retrieve-pr
runs-on: ubuntu-latest
env:
HAVE_SONAR_TOKEN: ${{ secrets.SONAR_TOKEN != '' }}
steps:
- name: Stop if no Sonar secret
if: ${{ env.HAVE_SONAR_TOKEN == 'false' }}
run: exit 1
- uses: actions/checkout@v3
with:
repository: ${{ github.event.workflow_run.head_repository.full_name }}
ref: ${{ github.event.workflow_run.head_branch }}
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Rebase PR
run: |
git config user.name "GitHub Workflow Action"
git remote add jss ${{ github.event.repository.clone_url }}
git fetch jss
git rebase jss/${{ needs.retrieve-pr.outputs.pr-base }}
- name: Set up JDK 17
uses: actions/setup-java@v1
with:
java-version: 17
- name: Cache SonarCloud packages
uses: actions/cache@v1
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Cache Maven packages
uses: actions/cache@v1
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: Build and analyze with SonarCloud
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: >
mvn
-B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
-Dsonar.projectKey=dogtagpki_jss
-pl '!native,!symkey'
-Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }}
-Dsonar.pullrequest.key=${{ needs.retrieve-pr.outputs.pr-number }}
-Dsonar.pullrequest.branch=${{ github.event.workflow_run.head_branch }}
-Dsonar.pullrequest.base=${{ github.event.workflow_run.pull_requests[0].base.ref }}