add pre-build-checks workflow

.ci/gen_pre_build_summ.sh

@@ -0,0 +1,116 @@
+#!/bin/bash
+
+# Function to read coverage data
+read_coverage() {
+  covPct=$(jq '.totals.percent_covered' coverage.json)
+  covPctRounded=$(printf "%.0f" "$covPct")
+  message="Coverage percentage: $covPctRounded"
+  echo "$message"
+  export COVERAGE_SUMMARY="$message"
+  if (( covPctRounded < 70 )); then
+    return 1
+  else
+    return 0
+  fi
+}
+
+# Function to read test data
+read_test() {
+  testJson=$(jq '.report.summary' test-report.json)
+  testPassed=$(echo "$testJson" | jq '.passed // 0')
+  testFailed=$(echo "$testJson" | jq '.failed // 0')
+  message="Unit tests passed: $testPassed, failed: $testFailed"
+  echo "$message"
+  export UNITTEST_SUMMARY="$message"
+  if [ "$testFailed" -ne 0 ]; then
+    return 1
+  else
+    return 0
+  fi
+}
+
+# Function to read lint data
+read_lint() {
+  last_line=$(tail -n 1 flake8-report.txt)
+  message="Lint errors: $last_line"
+  echo "$message"
+  export LINT_SUMMARY="$message"
+  if [ "$last_line" -ne 0 ]; then
+    return 1
+  else
+    return 0
+  fi
+}
+
+# Function to read dependency data
+read_dependency() {
+  content=$(<pip-audit-count.txt)
+  if [[ $content == *"No known vulnerabilities found"* ]]; then
+    numVul=0
+  else
+    numVul=$(grep -oP 'Found \K\d+' pip-audit-count.txt)
+  fi
+  message="Dependency vulnerabilities found: $numVul"
+  echo "$message"
+  export DEPENDENCY_SUMMARY="$message"
+  if [ "$numVul" -ne 0 ]; then
+    return 1
+  else
+    return 0
+  fi
+}
+
+# Function to read license data
+read_license() {
+  content=$(<licenses-found.md)
+  copyleftLic=("GPL" "LGPL" "MPL" "AGPL" "EUPL" "CCDL" "EPL" "CC-BY-SA" "OSL" "CPL")
+  numCopyleftLic=0
+  for lic in "${copyleftLic[@]}"; do
+    if [[ $content == *"$lic"* ]]; then
+      ((numCopyleftLic++))
+    fi
+  done
+  message="Copyleft licenses found: $numCopyleftLic"
+  export LICENSE_SUMMARY="$message"
+  echo "$message"
+  if [ "$numCopyleftLic" -ne 0 ]; then
+    return 1
+  else
+    return 0
+  fi
+}
+
+# Main function to determine which summary to generate
+gen_summary() {
+  if [[ $# -eq 0 ]]; then
+    echo "No summaryToGen provided"
+    exit 1
+  fi
+
+  summaryToGen=$1
+
+  case $summaryToGen in
+    "coverage")
+      read_coverage
+      ;;
+    "test")
+      read_test
+      ;;
+    "lint")
+      read_lint
+      ;;
+    "dependency")
+      read_dependency
+      ;;
+    "license")
+      read_license
+      ;;
+    *)
+      echo "Unknown summary type: $summaryToGen"
+      exit 1
+      ;;
+  esac
+}
+
+# Execute the main function
+gen_summary "$@"

.ci/run-codeql-summ.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# Note: this script must be run using source
+
+# Default values
+REPO="aiverify-foundation/moonshot"
+OUTPUT_FILE=".codeql-alerts.json"
+
+# Parse arguments
+while [[ "$#" -gt 0 ]]; do
+  case $1 in
+      -r|--repo) REPO="$2"; shift ;;
+      -o|--output) OUTPUT_FILE="$2"; shift ;;
+      -h|--help)
+          echo "Usage: $0 [-r|--repo <repository>] [-o|--output <output_file>]"
+          return 0
+          ;;
+      *) echo "Unknown parameter passed: $1"; return 1 ;;
+  esac
+  shift
+done
+
+OUTPUT_MESSAGES=""
+
+# Check if gh command is available
+if ! command -v gh &> /dev/null
+then
+  OUTPUT_MESSAGES+="gh command could not be found. Please install GitHub CLI.\n"
+  return 1
+fi
+
+# Fetch CodeQL alerts
+gh api -X GET "repos/$REPO/code-scanning/alerts" > "$OUTPUT_FILE"
+if [ $? -ne 0 ]; then
+  OUTPUT_MESSAGES+="Failed to fetch CodeQL alerts.\n"
+  return 1
+fi
+
+# Total alert count
+alerts_count=$(jq '. | length' "$OUTPUT_FILE")
+OUTPUT_MESSAGES+="Total CodeQL alerts: $alerts_count\n"
+
+# Display alerts by severity if there are any alerts
+if [ "$alerts_count" -gt 0 ]; then
+  OUTPUT_MESSAGES+="Alerts by severity:\n"
+  OUTPUT_MESSAGES+="$(jq -r '.[] | .rule.severity' "$OUTPUT_FILE" | sort | uniq -c)\n"
+  rm "$OUTPUT_FILE"
+  #echo -e "$OUTPUT_MESSAGES"
+  echo "There are CodeQL alerts, please check Security>Code Scanning tab in the repository for more details."
+  export CODEQL_SUMMARY="$OUTPUT_MESSAGES"
+  return 2
+else
+  rm "$OUTPUT_FILE"
+  echo -e "$OUTPUT_MESSAGES"
+  export CODEQL_SUMMARY="$OUTPUT_MESSAGES"
+  return 0
+fi

.github/workflows/pre-build-checks.yaml

@@ -42,20 +42,22 @@ jobs:
       - name: Set Branch Variable (pull_request)
         if: github.event_name == 'pull_request'
         run: |
-          echo "BRANCH=${{ github.ref_name }}" >> "$GITHUB_ENV"
+          echo "BRANCH=${{ github.event.pull_request.head.ref }}" >> "$GITHUB_ENV"
+          echo "PR_NUM=#${{ github.event.pull_request.number }}" >> "$GITHUB_ENV"
 
       - name: Set Branch Variable (workflow_dispatch)
         if: github.event_name == 'workflow_dispatch'
         run: |
           echo "BRANCH=${{ inputs.branch_to_test }}" >> "$GITHUB_ENV"
+          echo "PR_NUM=#0" >> "$GITHUB_ENV"
 
-      - name: Checkout Code
+      - name: Checkout code
         uses: actions/checkout@v3
         with:
           ref: ${{ env.BRANCH }}
           submodules: recursive
 
-      - name: Setup Python 3.11
+      - name: Setup python 3.11
         uses: actions/setup-python@v5
         with:
           python-version: "3.11"
@@ -70,52 +72,66 @@ jobs:
 
       # Unit Tests & Coverage
       - name: Unit tests with coverage
+        id: unit_tests
         if: ${{ ! cancelled() }}
         timeout-minutes: 30
         run: |
+          set +e
           bash .ci/run-test.sh
+          source .ci/gen_pre_build_summ.sh test
+          test_status=$?
+          source .ci/gen_pre_build_summ.sh coverage
+          coverage_status=$?
+          echo "UNIT_TESTS_STATUS=$UNITTEST_SUMMARY" >> $GITHUB_ENV
+          echo "CODE_COVERAGE_STATUS=$COVERAGE_SUMMARY" >> $GITHUB_ENV
+          set -e
+          if [ $test_status -ne 0 ] || [ $coverage_status -ne 0 ]; then
+            exit 1
+          fi
 
       # Code Quality analysis - flake8
-      - name: Code quality analysis - flake8
+      - name: Code quality analysis (flake8)
+        id: code_quality
         if: ${{ ! cancelled() }}
         run: |
+          set +e
           bash .ci/run-flake8.sh
+          source .ci/gen_pre_build_summ.sh lint
+          lint_status=$?
+          echo "CODE_QUALITY_STATUS=$LINT_SUMMARY" >> $GITHUB_ENV
+          set -e
+          exit $lint_status
 
       # pip-audit
-      - name: Dependency analysis - vulnerabilities & licenses
+      - name: Dependency analysis (vulnerabilities & licenses)
+        id: dependency_analysis
         if: ${{ ! cancelled() }}
         run: |
+          set +e
           bash .ci/run-pip-audit.sh
+          source .ci/gen_pre_build_summ.sh dependency
+          dep_status=$?
+          source .ci/gen_pre_build_summ.sh license
+          lic_status=$?
+          echo "DEPENDENCY_STATUS=$DEPENDENCY_SUMMARY" >> $GITHUB_ENV
+          echo "LICENSE_STATUS=$LICENSE_SUMMARY" >> $GITHUB_ENV
+          set -e
+          if [ $dep_status -ne 0 ] || [ $lic_status -ne 0 ]; then
+            exit 1
+          fi
+
+      # Send slack notification
+      - name: Send slack notification
+        if: ${{ ! cancelled() }}
+        uses: slackapi/[email protected]
+        with:
+          payload: |
+            {
+              "workflow": "${{ github.repository }} | ${{ github.workflow }} | ${{ env.PR_NUM }}",
+              "status": "${{ job.status }}",
+              "details": "${{ env.UNIT_TESTS_STATUS }} | ${{ env.CODE_COVERAGE_STATUS }} | ${{ env.CODE_QUALITY_STATUS }} | ${{ env.DEPENDENCY_STATUS }} | ${{ env.LICENSE_STATUS }}",
+              "ref": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
 
-      ### Publish reports to ci dashboard ###
-#
-#      - name: Checkout dashboard
-#        if: ${{ github.event.pull_request.head.repo.full_name == github.repository && always() }}
-#        uses: actions/checkout@v3
-#        with:
-#          repository: aiverify-foundation/ci-dashboard
-#          token: ${{ secrets.CHECKOUT_TOKEN }}
-#          ref: main
-#          path: check-results
-#
-#      - name: Push results to dashboard
-#        if: ${{ github.event.pull_request.head.repo.full_name == github.repository && always() }}
-#        working-directory: ${{ github.workspace }}/check-results
-#        run: |
-#          set +e
-#          find ../ -type f -name ".gitignore" -exec rm {} +
-#          [ -d "docs/pre-build/moonshot-data" ] && rm -rf docs/pre-build/moonshot-data
-#          mkdir -p docs/pre-build/moonshot-data
-#          mv ../htmlcov docs/pre-build/moonshot-data/
-#          mv ../flake8-report docs/pre-build/moonshot-data/
-#          mv ../assets docs/pre-build/moonshot-data/
-#          mv ../*.svg docs/pre-build/moonshot-data/
-#          mv ../*.html docs/pre-build/moonshot-data/
-#          mv ../*.md docs/pre-build/moonshot-data/
-#          mv ../*.txt docs/pre-build/moonshot-data/
-#          git add docs/pre-build/moonshot-data
-#          git config user.name "moonshot"
-#          git config user.email "[email protected]"
-#          git commit -m "feat(moonshot-data) actions publish moonshot-data pre-build reports to dashboard"
-#          git push
-#          set -e