-
Notifications
You must be signed in to change notification settings - Fork 2
230 lines (207 loc) · 8.17 KB
/
zxc-code-analysis.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
##
# Copyright (C) 2023-2024 Hedera Hashgraph, LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
name: "ZXC: Code Analysis"
# The purpose of this reusable workflow is to perform static code analysis and code coverage reporting.
# This reusable component is called by the following workflows:
# - .github/workflows/flow-pull-request-checks.yaml
# - .github/workflows/flow-build-application.yaml
#
# This workflow is only run if the pull request is coming from the original repository and not a fork.
on:
workflow_call:
inputs:
enable-sonar-analysis:
description: "Sonar Analysis Enabled"
type: boolean
required: false
default: false
enable-codecov-analysis:
description: "CodeCov Analysis Enabled"
type: boolean
required: false
default: false
enable-snyk-scan:
description: "Snyk Scan Enabled"
type: boolean
required: false
default: false
java-distribution:
description: "Java JDK Distribution:"
type: string
required: false
default: "temurin"
java-version:
description: "Java JDK Version:"
type: string
required: false
default: "21.0.1"
gradle-version:
description: "Gradle Version:"
type: string
required: false
default: "wrapper"
node-version:
description: "NodeJS Version:"
type: string
required: false
default: "16"
custom-job-label:
description: "Custom Job Label:"
type: string
required: false
default: "Analyze"
secrets:
gradle-cache-username:
description: "The username used to authenticate with the Gradle Build Cache Node."
required: true
gradle-cache-password:
description: "The password used to authenticate with the Gradle Build Cache Node."
required: true
sonar-token:
description: "The SonarCloud access token used by the SonarQube agent to report an analysis."
required: false
snyk-token:
description: "The Snyk access token is used by Snyk to analyze the code for vulnerabilities "
required: false
codecov-token:
description: "The CodeCov access token is used by CodeCov.io to analyze the code coverage "
required: false
defaults:
run:
shell: bash
permissions:
contents: read
actions: read
pull-requests: write
checks: write
statuses: write
env:
GRADLE_CACHE_USERNAME: ${{ secrets.gradle-cache-username }}
GRADLE_CACHE_PASSWORD: ${{ secrets.gradle-cache-password }}
jobs:
analyze:
name: ${{ inputs.custom-job-label || 'Analyze' }}
runs-on: solo-linux-medium
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout Code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.workflow_run.head_branch }}
fetch-depth: ${{ inputs.enable-sonar-analysis && '0' || '' }}
- name: Setup Java
uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
with:
distribution: ${{ inputs.java-distribution }}
java-version: ${{ inputs.java-version }}
- name: Setup Gradle
uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
with:
gradle-version: ${{ inputs.gradle-version }}
# Node.JS 16.x is required for the Snyk CLI, Sonar Scan, and CodeCov steps below.
- name: Setup Node
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: ${{ inputs.node-version }}
- name: Download Coverage Reports
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
if: ${{ (inputs.enable-codecov-analysis || inputs.enable-sonar-analysis) && !cancelled() && !failure() }}
with:
name: Coverage Reports
- name: Publish To Codecov
uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
if: ${{ inputs.enable-codecov-analysis && !cancelled() && !failure() }}
env:
CODECOV_TOKEN: ${{ secrets.codecov-token }}
- name: Compile
uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
with:
gradle-version: ${{ inputs.gradle-version }}
arguments: assemble --scan
- name: SonarCloud Options
id: sonar-cloud
env:
IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }}
if: ${{ inputs.enable-sonar-analysis && !cancelled() && !failure() }}
run: |
SONAR_OPTS="-Dsonar.branch.name=${{ github.ref_name }}"
if [[ "${IS_PULL_REQUEST}" == true ]]; then
SONAR_OPTS=""
fi
echo "options=${SONAR_OPTS}" >> "${GITHUB_OUTPUT}"
- name: SonarCloud Scan
uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
env:
GITHUB_TOKEN: ${{ secrets.access-token }}
SONAR_TOKEN: ${{ secrets.sonar-token }}
SONAR_OPTS: ${{ steps.sonar-cloud.outputs.options }}
if: ${{ inputs.enable-sonar-analysis && !cancelled() && !failure() }}
with:
gradle-version: ${{ inputs.gradle-version }}
arguments: sonar --info --scan ${{ steps.sonar-cloud.outputs.options }}
- name: Setup Snyk
env:
SNYK_TOKEN: ${{ secrets.snyk-token }}
if: ${{ inputs.enable-snyk-scan && !cancelled() && !failure() }}
run: npm install -g snyk snyk-to-html @wcj/html-to-markdown-cli
- name: Snyk Scan
id: snyk
env:
SNYK_TOKEN: ${{ secrets.snyk-token }}
if: ${{ inputs.enable-snyk-scan && !cancelled() && !failure() }}
run: snyk test --all-projects --severity-threshold=high --json-file-output=snyk-test.json
- name: Snyk Code
id: snyk-code
env:
SNYK_TOKEN: ${{ secrets.snyk-token }}
if: ${{ inputs.enable-snyk-scan && !cancelled() && !failure() }}
run: snyk code test --severity-threshold=high --json-file-output=snyk-code.json
- name: Publish Snyk Results
if: ${{ inputs.enable-snyk-scan && !cancelled() && !failure() }}
run: |
if [[ -f "snyk-test.json" && -n "$(cat snyk-test.json | tr -d '[:space:]')" ]]; then
snyk-to-html -i snyk-test.json -o snyk-test.html --summary
html-to-markdown snyk-test.html -o snyk
cat snyk/snyk-test.html.md >> $GITHUB_STEP_SUMMARY
fi
if [[ -f "snyk-code.json" && -n "$(cat snyk-code.json | tr -d '[:space:]')" ]]; then
snyk-to-html -i snyk-code.json -o snyk-code.html --summary
html-to-markdown snyk-code.html -o snyk
cat snyk/snyk-code.html.md >> $GITHUB_STEP_SUMMARY
fi
- name: Check Snyk Files
if: ${{ always() }}
run: |
echo "::group::Snyk File List"
ls -lah snyk* || true
echo "::endgroup::"
echo "::group::Snyk Test Contents"
cat snyk-test.json || true
echo "::endgroup::"
echo "::group::Snyk Code Contents"
cat snyk-code.json || true
echo "::endgroup::"
- name: Publish Snyk Reports
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
if: ${{ inputs.enable-snyk-scan && !cancelled() && !failure() }}
with:
name: Snyk Reports
path: |
snyk-*.html
snyk-*.json