[improve][ci] Run CodeQL within Pulsar CI workflow as mandatory check (
lhotari authored Feb 28, 2024
1 parent 86b3203 commit 86dc039
Showing 3 changed files with 81 additions and 6 deletions.
10 changes: 7 additions & 3 deletions .github/workflows/codeql.yaml
Expand Up @@ -22,14 +22,18 @@ name: "CodeQL"
on:
push:
branches: [ 'master' ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ 'master' ]
schedule:
- cron: '27 21 * * 4'
workflow_dispatch:

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
cancel-in-progress: true

jobs:
analyze:
# only run scheduled analysis in apache/pulsar repository
if: ${{ (github.event_name == 'schedule' && github.repository == 'apache/pulsar') || github.event_name != 'schedule' }}
name: Analyze
runs-on: 'ubuntu-latest'
timeout-minutes: 360
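Review bot: The `pull_request` trigger on `master` is left in place here while the same commit adds a CodeQL job to pulsar-ci.yaml that runs for pull requests whose base is `master`, so such PRs appear to be analyzed by both workflows. If the duplication is intended (for example to keep the default-setup category alive), a comment above `pull_request:` such as `# kept alongside the CodeQL job in pulsar-ci.yaml; results land in separate categories` would make that explicit; otherwise this trigger could be dropped now that the CI workflow carries the mandatory check. The new `if:` only gates the `schedule` event to apache/pulsar, so push and pull_request runs still happen in forks, which looks deliberate but is worth stating in the job comment.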
2 changes: 2 additions & 0 deletions .github/workflows/pulsar-ci-flaky.yaml
Expand Up @@ -22,6 +22,8 @@ on:
pull_request:
branches:
- master
- branch-*
- pulsar-*
schedule:
# scheduled job with JDK 17
- cron: '0 12 * * *'
75 changes: 72 additions & 3 deletions .github/workflows/pulsar-ci.yaml
Expand Up @@ -22,6 +22,8 @@ on:
pull_request:
branches:
- master
- branch-*
- pulsar-*
schedule:
# scheduled job with JDK 17
- cron: '0 12 * * *'
Expand Down Expand Up @@ -1331,6 +1333,71 @@ jobs:
- name: build package
run: mvn -B clean package -DskipTests -T 1C -ntp

codeql:
name: Run CodeQL Analysis
runs-on: ubuntu-22.04
timeout-minutes: 60
needs: ['preconditions', 'unit-tests']
if: ${{ needs.preconditions.outputs.docs_only != 'true' && ((github.event_name == 'pull_request' && github.base_ref == 'master') || (github.event_name != 'pull_request' && github.ref_name == 'master')) }}
permissions:
actions: read
contents: read
security-events: write
env:
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }}
CI_JDK_MAJOR_VERSION: ${{ needs.preconditions.outputs.jdk_major_version }}
CODEQL_LANGUAGE: java-kotlin
steps:
- name: checkout
uses: actions/checkout@v4

- name: Tune Runner VM
uses: ./.github/actions/tune-runner-vm

- name: Clean Disk when needed
if: ${{ matrix.clean_disk }}
uses: ./.github/actions/clean-disk

- name: Setup ssh access to build runner VM
# ssh access is enabled for builds in own forks
if: ${{ github.repository != 'apache/pulsar' && github.event_name == 'pull_request' }}
uses: ./.github/actions/ssh-access
continue-on-error: true
with:
limit-access-to-actor: true

- name: Cache local Maven repository
uses: actions/cache@v4
timeout-minutes: 5
with:
path: |
~/.m2/repository/*/*/*
!~/.m2/repository/org/apache/pulsar
key: ${{ runner.os }}-m2-dependencies-all-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-m2-dependencies-core-modules-${{ hashFiles('**/pom.xml') }}
${{ runner.os }}-m2-dependencies-core-modules-
- name: Set up JDK ${{ env.CI_JDK_MAJOR_VERSION }}
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: ${{ env.CI_JDK_MAJOR_VERSION }}

- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ env.CODEQL_LANGUAGE }}

- name: Build Java code
run: |
mvn -B -ntp -Pcore-modules,-main install -DskipTests -Dlicense.skip=true -Drat.skip=true -Dcheckstyle.skip=true
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{ env.CODEQL_LANGUAGE }}"

owasp-dep-check:
name: OWASP dependency check
runs-on: ubuntu-22.04
Expand Down Expand Up @@ -1429,7 +1496,7 @@ jobs:
# It cleans up the binaries in the same job in order to not spin up another runner for basically doing nothing.
pulsar-ci-checks-completed:
name: "Pulsar CI checks completed"
if: ${{ always() && ((github.event_name != 'schedule') || (github.repository == 'apache/pulsar')) }}
if: ${{ always() && needs.preconditions.result == 'success' }}
runs-on: ubuntu-22.04
timeout-minutes: 10
needs: [
Expand All @@ -1442,7 +1509,8 @@ jobs:
'unit-tests-upload-coverage',
'integration-tests-upload-coverage',
'system-tests-upload-coverage',
'owasp-dep-check'
'owasp-dep-check',
'codeql'
]
steps:
- name: Check that all required jobs were completed successfully
Expand All @@ -1453,6 +1521,7 @@ jobs:
&& "${{ needs.integration-tests.result }}" == "success" \
&& "${{ needs.system-tests.result }}" == "success" \
&& "${{ needs.macos-build.result }}" == "success" \
&& ( "${{ needs.codeql.result }}" == "success" || "${{ needs.codeql.result }}" == "skipped" ) \
) ]]; then
echo "Required jobs haven't been completed successfully."
exit 1
Expand All @@ -1474,4 +1543,4 @@ jobs:
if: ${{ needs.preconditions.outputs.docs_only != 'true' && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
run: |
gh-actions-artifact-client.js delete pulsar-maven-repository-binaries.tar.zst || true
gh-actions-artifact-client.js delete pulsar-server-distribution.tar.zst || true
gh-actions-artifact-client.js delete pulsar-server-distribution.tar.zst || true
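Review bot: The `Clean Disk when needed` step in the new codeql job is gated on `if: ${{ matrix.clean_disk }}`, but the job declares no `strategy.matrix`, so the expression is always empty and the step never runs; this looks copied from a matrix job, and either the `if:` line should be removed so cleanup runs unconditionally before the 60-minute Maven `install` build, or the step should be dropped. The completion gate now accepts `needs.codeql.result == 'skipped'`, which is expected because the job's `if:` only runs it when the base or current branch is `master`, while the workflow also gains `branch-*` and `pulsar-*` pull_request triggers; a comment on that line, `# codeql is skipped by design for non-master base branches`, would keep the "mandatory check" intent clear to the next reader. The job's `permissions` block is appropriately narrow (`security-events: write` plus read-only `actions`/`contents`). The action references (`actions/checkout@v4`, `github/codeql-action/init@v3`, `actions/cache@v4`) follow the file's existing major-tag pinning; if the project moves to commit-SHA pinning for supply-chain hardening, this job should be included.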
