-
Notifications
You must be signed in to change notification settings - Fork 137
205 lines (182 loc) · 6.7 KB
/
sonarcloud-pull.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
name: Sonarcloud-Pull
on:
workflow_run:
workflows: ["Code Analysis"]
types:
- completed
env:
BASE_IMAGE: ${{ vars.BASE_IMAGE || 'registry.fedoraproject.org/fedora:latest' }}
COPR_REPO: ${{ vars.COPR_REPO || '@pki/master' }}
NAMESPACE: ${{ vars.REGISTRY_NAMESPACE || 'dogtagpki' }}
jobs:
retrieve-pr:
if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
runs-on: ubuntu-latest
outputs:
pr-number: ${{ steps.pr-artifact-script.outputs.result }}
pr-base: ${{ steps.pr-base-script.outputs.result }}
steps:
- name: 'Download PR artifact'
uses: actions/github-script@v7
id: download-pr
with:
result-encoding: string
script: |
var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: context.payload.workflow_run.id,
});
var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "pr"
})[0];
if (matchArtifact == null){
core.setFailed("No PR artifact");
return "False";
}
var download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
var fs = require('fs');
fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
return "True";
- name: Unzip the pr
if: steps.download-pr.outputs.result == 'True'
run: unzip pr.zip
- name: Retrieve the pr number
if: success()
id: pr-artifact-script
uses: actions/github-script@v7
with:
result-encoding: string
script: |
var fs = require('fs');
var pr_number = Number(fs.readFileSync('./NR'));
return pr_number;
- name: Retrieve the pr base
if: success()
id: pr-base-script
uses: actions/github-script@v7
with:
result-encoding: string
script: |
var fs = require('fs');
var pr_base = fs.readFileSync('./BaseBranch');
return pr_base;
build:
name: Building PKI for Sonar
needs: retrieve-pr
runs-on: ubuntu-latest
steps:
- name: Clone repository
uses: actions/checkout@v4
with:
repository: ${{ github.event.workflow_run.head_repository.full_name }}
ref: ${{ github.event.workflow_run.head_branch }}
fetch-depth: 0
- name: Rebase to master
run: |
git config --global --add safe.directory "$GITHUB_WORKSPACE"
git config user.name "GitHub Workflow Action"
git config user.email "[email protected]"
git remote add pki ${{ github.event.repository.clone_url }}
git fetch pki
git rebase pki/${{ needs.retrieve-pr.outputs.pr-base }}
- name: Update Dockerfile
run: |
# update registry namespace
sed -i "s/quay.io\/dogtagpki\//quay.io\/$NAMESPACE\//g" Dockerfile
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Cache Docker layers
id: cache-buildx
uses: actions/cache@v4
with:
key: buildx-${{ hashFiles('pki.spec') }}
path: /tmp/.buildx-cache
- name: Build pki-deps image
uses: docker/build-push-action@v5
with:
context: .
build-args: |
BASE_IMAGE=${{ env.BASE_IMAGE }}
COPR_REPO=${{ env.COPR_REPO }}
tags: pki-deps
target: pki-deps
cache-to: type=local,dest=/tmp/.buildx-cache
if: steps.cache-buildx.outputs.cache-hit != 'true'
- name: Build pki-builder-deps image
uses: docker/build-push-action@v5
with:
context: .
build-args: |
BASE_IMAGE=${{ env.BASE_IMAGE }}
COPR_REPO=${{ env.COPR_REPO }}
tags: pki-builder-deps
target: pki-builder-deps
cache-to: type=local,dest=/tmp/.buildx-cache
if: steps.cache-buildx.outputs.cache-hit != 'true'
- name: Build pki-runner image
uses: docker/build-push-action@v5
with:
context: .
build-args: |
BASE_IMAGE=${{ env.BASE_IMAGE }}
COPR_REPO=${{ env.COPR_REPO }}
tags: pki-runner
target: pki-runner
cache-from: type=local,src=/tmp/.buildx-cache
outputs: type=docker,dest=pki-runner.tar
- name: Store pki-runner image
uses: actions/cache@v4
with:
key: pki-sonar-runner-${{ github.event.workflow_run.id }}
path: pki-runner.tar
sonarcloud:
name: Sonar Cloud code analysis
needs: [retrieve-pr, build]
if: needs.retrieve-pr.outputs.pr-number != ''
runs-on: ubuntu-latest
env:
SHARED: /tmp/workdir/pki
steps:
- name: Retrieve pki-runner image
uses: actions/cache@v4
with:
key: pki-sonar-runner-${{ github.event.workflow_run.id }}
path: pki-runner.tar
- name: Load pki-runner image
run: docker load --input pki-runner.tar
- name: Checkout pulled branch
uses: actions/checkout@v4
with:
repository: ${{ github.event.workflow_run.head_repository.full_name }}
ref: ${{ github.event.workflow_run.head_branch }}
fetch-depth: 0
- name: Rebase to master
run: |
git config user.name "GitHub Workflow Action"
git remote add pki ${{ github.event.repository.clone_url }}
git fetch pki
git rebase pki/${{ needs.retrieve-pr.outputs.pr-base }}
- name: Set up PKI container
run: |
tests/bin/runner-init.sh pki
- name: Copy build in current folder
run: docker cp pki:/usr/share/java/pki ./build
- name: Remove maven related file
run: rm -f pom.xml
- name: Start Sonar analysis
uses: SonarSource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
with:
args: >
-Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }}
-Dsonar.pullrequest.key=${{ needs.retrieve-pr.outputs.pr-number }}
-Dsonar.pullrequest.branch=${{ github.event.workflow_run.head_branch }}
-Dsonar.pullrequest.base=${{ github.event.workflow_run.pull_requests[0].base.ref }}