Moving code analysis to coresponded jobs

RISDEV-0000
digitalservicebund · Jun 14, 2024 · 0390778 · 0390778
1 parent e833169
commit 0390778
Show file tree

Hide file tree

Showing 3 changed files with 95 additions and 87 deletions.
diff --git a/.github/workflows/backend-tests.yml → .github/workflows/backend-checks.yml b/.github/workflows/backend-tests.yml → .github/workflows/backend-checks.yml
@@ -3,6 +3,10 @@ on:
     secrets:
       SLACK_WEBHOOK_URL:
         required: false
+      SONAR_TOKEN:
+        required: true
+      GITHUB_TOKEN:
+        required: true
 
 jobs:
   scan-backend-changes:
@@ -77,3 +81,46 @@ jobs:
         if: ${{ failure() && github.ref == 'refs/heads/main' }}
         with:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+
+  analyze-backend:
+    runs-on: ubuntu-latest
+    if: ${{ github.ref == 'refs/heads/main' }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+      - name: Set up JDK
+        uses: actions/setup-java@2e74cbce18569d23ca8b812590dbb83f13ac7c5a
+        with:
+          java-version: "17.0"
+          distribution: "temurin"
+      - name: Cache SonarQube packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.sonar/cache
+          key: ${{ runner.os }}-sonar
+      - name: Scan with SonarQube
+        uses: gradle/actions/setup-gradle@d9336dac04dea2507a617466bc058a3def92b18b
+        with:
+          gradle-version: ${{ env.GRADLE_VERSION }}
+          arguments: sonar --info
+          build-root-directory: ./backend
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      - name: Check SonarQube Quality Gate
+        # Third-party action, pin to commit SHA!
+        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+        uses: sonarsource/sonarqube-quality-gate-action@72f24ebf1f81eda168a979ce14b8203273b7c3ad
+        with:
+          scanMetadataReportFile: backend/build/sonar/report-task.txt
+        timeout-minutes: 3 # Force to fail step after specific time
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      - name: Send status to Slack
+        # Third-party action, pin to commit SHA!
+        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+        uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
+        if: ${{ failure() }}
+        with:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/.github/workflows/frontend-checks.yml b/.github/workflows/frontend-checks.yml
@@ -3,6 +3,10 @@ on:
     secrets:
       SLACK_WEBHOOK_URL:
         required: false
+      SONAR_TOKEN:
+        required: true
+      GITHUB_TOKEN:
+        required: true
 
 jobs:
   scan-frontend-changes:
@@ -88,3 +92,42 @@ jobs:
         if: ${{ failure() && github.ref == 'refs/heads/main' }}
         with:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+
+  analyze-frontend:
+    runs-on: ubuntu-latest
+    if: ${{ github.ref == 'refs/heads/main' }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: ./frontend/package.json
+          cache: npm
+          cache-dependency-path: ./frontend/package-lock.json
+      - name: Install SonarScanner
+        uses: digitalservicebund/setup-sonarscanner@3ade23691f865c02dce6b46452947a0e7944196e # v1.0.0
+      - name: Scan with SonarQube
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        run: |
+          npm install
+          npm run coverage
+          sonar-scanner
+        working-directory: ./frontend
+      - name: Check SonarQube Quality Gate
+        uses: sonarsource/sonarqube-quality-gate-action@72f24ebf1f81eda168a979ce14b8203273b7c3ad
+        with:
+          scanMetadataReportFile: frontend/.scannerwork/report-task.txt
+        timeout-minutes: 3
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      - name: Send status to Slack
+        # Third-party action, pin to commit SHA!
+        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+        uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
+        if: ${{ failure() }}
+        with:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -57,8 +57,8 @@ jobs:
         with:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
 
-  backend-tests:
-    uses: ./.github/workflows/backend-tests.yml
+  backend-checks:
+    uses: ./.github/workflows/backend-checks.yml
     secrets: inherit
 
   backend-build-image-and-scan:
@@ -304,94 +304,12 @@ jobs:
         with:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
 
-  analyze-backend:
-    runs-on: ubuntu-latest
-    if: ${{ github.ref == 'refs/heads/main' }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
-      - name: Set up JDK
-        uses: actions/setup-java@2e74cbce18569d23ca8b812590dbb83f13ac7c5a
-        with:
-          java-version: "17.0"
-          distribution: "temurin"
-      - name: Cache SonarQube packages
-        uses: actions/cache@v4
-        with:
-          path: ~/.sonar/cache
-          key: ${{ runner.os }}-sonar
-      - name: Scan with SonarQube
-        uses: gradle/actions/setup-gradle@d9336dac04dea2507a617466bc058a3def92b18b
-        with:
-          gradle-version: ${{ env.GRADLE_VERSION }}
-          arguments: sonar --info
-          build-root-directory: ./backend
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-      - name: Check SonarQube Quality Gate
-        # Third-party action, pin to commit SHA!
-        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
-        uses: sonarsource/sonarqube-quality-gate-action@72f24ebf1f81eda168a979ce14b8203273b7c3ad
-        with:
-          scanMetadataReportFile: backend/build/sonar/report-task.txt
-        timeout-minutes: 3 # Force to fail step after specific time
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-      - name: Send status to Slack
-        # Third-party action, pin to commit SHA!
-        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
-        uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
-        if: ${{ failure() }}
-        with:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-
-  analyze-frontend:
-    runs-on: ubuntu-latest
-    if: ${{ github.ref == 'refs/heads/main' }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: ./frontend/package.json
-          cache: npm
-          cache-dependency-path: ./frontend/package-lock.json
-      - name: Install SonarScanner
-        uses: digitalservicebund/setup-sonarscanner@3ade23691f865c02dce6b46452947a0e7944196e # v1.0.0
-      - name: Scan with SonarQube
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        run: |
-          npm install
-          npm run coverage
-          sonar-scanner
-        working-directory: ./frontend
-      - name: Check SonarQube Quality Gate
-        uses: sonarsource/sonarqube-quality-gate-action@72f24ebf1f81eda168a979ce14b8203273b7c3ad
-        with:
-          scanMetadataReportFile: frontend/.scannerwork/report-task.txt
-        timeout-minutes: 3
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-      - name: Send status to Slack
-        # Third-party action, pin to commit SHA!
-        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
-        uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
-        if: ${{ failure() }}
-        with:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-
   push-backend-image-to-registry:
     runs-on: ubuntu-latest
     if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }}
     needs:
       - backend-build
-      - backend-tests
+      - backend-checks
       - backend-build-image-and-scan
       - audit-licenses-backend
     permissions:
@@ -684,8 +602,8 @@ jobs:
       - push-backend-image-to-registry
       - e2e-tests
       - check-latest-deploy-tag
-      - analyze-backend
-      - analyze-frontend
+      - backend-checks
+      - frontend-checks
     permissions:
       id-token: write # Enable OIDC for gitsign
     steps: