From 03907784ee87b3819507365c80c2356eec5c7778 Mon Sep 17 00:00:00 2001 From: Nadav Date: Fri, 14 Jun 2024 19:09:56 +0200 Subject: [PATCH] Moving code analysis to coresponded jobs RISDEV-0000 --- .../{backend-tests.yml => backend-checks.yml} | 47 ++++++++++ .github/workflows/frontend-checks.yml | 43 +++++++++ .github/workflows/pipeline.yml | 92 +------------------ 3 files changed, 95 insertions(+), 87 deletions(-) rename .github/workflows/{backend-tests.yml => backend-checks.yml} (60%) diff --git a/.github/workflows/backend-tests.yml b/.github/workflows/backend-checks.yml similarity index 60% rename from .github/workflows/backend-tests.yml rename to .github/workflows/backend-checks.yml index 4b32e229ba..90c60a0423 100644 --- a/.github/workflows/backend-tests.yml +++ b/.github/workflows/backend-checks.yml @@ -3,6 +3,10 @@ on: secrets: SLACK_WEBHOOK_URL: required: false + SONAR_TOKEN: + required: true + GITHUB_TOKEN: + required: true jobs: scan-backend-changes: @@ -77,3 +81,46 @@ jobs: if: ${{ failure() && github.ref == 'refs/heads/main' }} with: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + + analyze-backend: + runs-on: ubuntu-latest + if: ${{ github.ref == 'refs/heads/main' }} + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis + - name: Set up JDK + uses: actions/setup-java@2e74cbce18569d23ca8b812590dbb83f13ac7c5a + with: + java-version: "17.0" + distribution: "temurin" + - name: Cache SonarQube packages + uses: actions/cache@v4 + with: + path: ~/.sonar/cache + key: ${{ runner.os }}-sonar + - name: Scan with SonarQube + uses: gradle/actions/setup-gradle@d9336dac04dea2507a617466bc058a3def92b18b + with: + gradle-version: ${{ env.GRADLE_VERSION }} + arguments: sonar --info + build-root-directory: ./backend + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + - name: Check SonarQube Quality Gate + # Third-party action, pin to commit SHA! + # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions + uses: sonarsource/sonarqube-quality-gate-action@72f24ebf1f81eda168a979ce14b8203273b7c3ad + with: + scanMetadataReportFile: backend/build/sonar/report-task.txt + timeout-minutes: 3 # Force to fail step after specific time + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + - name: Send status to Slack + # Third-party action, pin to commit SHA! + # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions + uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 + if: ${{ failure() }} + with: + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/.github/workflows/frontend-checks.yml b/.github/workflows/frontend-checks.yml index d9f28250c5..cf4eac65e2 100644 --- a/.github/workflows/frontend-checks.yml +++ b/.github/workflows/frontend-checks.yml @@ -3,6 +3,10 @@ on: secrets: SLACK_WEBHOOK_URL: required: false + SONAR_TOKEN: + required: true + GITHUB_TOKEN: + required: true jobs: scan-frontend-changes: @@ -88,3 +92,42 @@ jobs: if: ${{ failure() && github.ref == 'refs/heads/main' }} with: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + + analyze-frontend: + runs-on: ubuntu-latest + if: ${{ github.ref == 'refs/heads/main' }} + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis + - name: Setup Node + uses: actions/setup-node@v4 + with: + node-version-file: ./frontend/package.json + cache: npm + cache-dependency-path: ./frontend/package-lock.json + - name: Install SonarScanner + uses: digitalservicebund/setup-sonarscanner@3ade23691f865c02dce6b46452947a0e7944196e # v1.0.0 + - name: Scan with SonarQube + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + run: | + npm install + npm run coverage + sonar-scanner + working-directory: ./frontend + - name: Check SonarQube Quality Gate + uses: sonarsource/sonarqube-quality-gate-action@72f24ebf1f81eda168a979ce14b8203273b7c3ad + with: + scanMetadataReportFile: frontend/.scannerwork/report-task.txt + timeout-minutes: 3 + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + - name: Send status to Slack + # Third-party action, pin to commit SHA! + # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions + uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 + if: ${{ failure() }} + with: + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index 17ac0fb4ac..24a21a79cf 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -57,8 +57,8 @@ jobs: with: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - backend-tests: - uses: ./.github/workflows/backend-tests.yml + backend-checks: + uses: ./.github/workflows/backend-checks.yml secrets: inherit backend-build-image-and-scan: @@ -304,94 +304,12 @@ jobs: with: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - analyze-backend: - runs-on: ubuntu-latest - if: ${{ github.ref == 'refs/heads/main' }} - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - - name: Set up JDK - uses: actions/setup-java@2e74cbce18569d23ca8b812590dbb83f13ac7c5a - with: - java-version: "17.0" - distribution: "temurin" - - name: Cache SonarQube packages - uses: actions/cache@v4 - with: - path: ~/.sonar/cache - key: ${{ runner.os }}-sonar - - name: Scan with SonarQube - uses: gradle/actions/setup-gradle@d9336dac04dea2507a617466bc058a3def92b18b - with: - gradle-version: ${{ env.GRADLE_VERSION }} - arguments: sonar --info - build-root-directory: ./backend - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - - name: Check SonarQube Quality Gate - # Third-party action, pin to commit SHA! - # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions - uses: sonarsource/sonarqube-quality-gate-action@72f24ebf1f81eda168a979ce14b8203273b7c3ad - with: - scanMetadataReportFile: backend/build/sonar/report-task.txt - timeout-minutes: 3 # Force to fail step after specific time - env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - - name: Send status to Slack - # Third-party action, pin to commit SHA! - # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions - uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 - if: ${{ failure() }} - with: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - - analyze-frontend: - runs-on: ubuntu-latest - if: ${{ github.ref == 'refs/heads/main' }} - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - - name: Setup Node - uses: actions/setup-node@v4 - with: - node-version-file: ./frontend/package.json - cache: npm - cache-dependency-path: ./frontend/package-lock.json - - name: Install SonarScanner - uses: digitalservicebund/setup-sonarscanner@3ade23691f865c02dce6b46452947a0e7944196e # v1.0.0 - - name: Scan with SonarQube - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - run: | - npm install - npm run coverage - sonar-scanner - working-directory: ./frontend - - name: Check SonarQube Quality Gate - uses: sonarsource/sonarqube-quality-gate-action@72f24ebf1f81eda168a979ce14b8203273b7c3ad - with: - scanMetadataReportFile: frontend/.scannerwork/report-task.txt - timeout-minutes: 3 - env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - - name: Send status to Slack - # Third-party action, pin to commit SHA! - # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions - uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 - if: ${{ failure() }} - with: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - push-backend-image-to-registry: runs-on: ubuntu-latest if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'dev-env') || contains(github.event.labeled.labels.*.name, 'dev-env') }} needs: - backend-build - - backend-tests + - backend-checks - backend-build-image-and-scan - audit-licenses-backend permissions: @@ -684,8 +602,8 @@ jobs: - push-backend-image-to-registry - e2e-tests - check-latest-deploy-tag - - analyze-backend - - analyze-frontend + - backend-checks + - frontend-checks permissions: id-token: write # Enable OIDC for gitsign steps: