Create GitHub actions for code formatting and code quality

kiron-mx · Jul 21, 2023 · 72d1610 · 72d1610
1 parent 7ce5d5e
commit 72d1610
Show file tree

Hide file tree

Showing 3 changed files with 103 additions and 3 deletions.
diff --git a/.github/workflows/code-format.yml b/.github/workflows/code-format.yml
@@ -0,0 +1,21 @@
+# This is a rather superficial check that only verifies compliance with the formatting style.
+
+name: Java code format checks
+
+on: push
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up JDK 11
+        uses: actions/setup-java@v3
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+          cache: maven
+      - name: Check code formatting compliance
+        run: mvn spotless:check
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
@@ -0,0 +1,61 @@
+# Run various code quality checks when pushing to main or when opening pull requests.
+# - This will run the tests, as well as
+# - Perform an analysis via SonarCloud
+# - Examine whether any of the dependencies contain known vulnerabilities
+
+name: Code quality checks
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    types: [opened, synchronize, reopened]
+jobs:
+  analyze_sonar:
+    name: Run unit tests and Sonar analysis
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+      - name: Set up JDK 11
+        uses: actions/setup-java@v3
+        with:
+          java-version: 11
+          distribution: 'temurin'
+      - name: Cache SonarCloud packages
+        uses: actions/cache@v3
+        with:
+          path: ~/.sonar/cache
+          key: ${{ runner.os }}-sonar
+          restore-keys: ${{ runner.os }}-sonar
+      - name: Cache Maven packages
+        uses: actions/cache@v3
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2
+      - name: Analyze code quality
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        # note that we deliberately turn off the OWASP dependency checker here, it will run in a separate job,
+        # such that its results can be viewed independently of what Sonar has to say
+        run: |
+          mvn -B verify sonar:sonar -Dsonar.projectKey=siemens_cmp-ra-component -Ddependency-check.skip=true -Dgpg.skip
+
+  analyze_dependencies_owasp:
+    name: Check dependencies with OWASP
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Set up JDK 11
+        uses: actions/setup-java@v3
+        with:
+          java-version: 11
+          distribution: 'temurin'
+      - name: Analyze dependencies
+        # this will run the OWASP dependency checker only
+        run: mvn -B verify -DskipTests -Dgpg.skip
diff --git a/pom.xml b/pom.xml
@@ -9,7 +9,6 @@
 	<artifactId>LightweightCmpRa</artifactId>
 	<version>2.7.5</version>
 	<properties>
-		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<parent.basedir>.</parent.basedir>
 		<spotless.version>2.38.0</spotless.version>
@@ -19,6 +18,13 @@
 		<maven.compiler.target>11</maven.compiler.target>
 		<maven-failsafe-plugin.version>3.0.0-M3</maven-failsafe-plugin.version>
 		<maven-site-plugin.version>3.8.2</maven-site-plugin.version>
+		<sonar.organization>siemens</sonar.organization>
+		<sonar.host.url>https://sonarcloud.io</sonar.host.url>
+		<sonar.java.coveragePlugin>jacoco</sonar.java.coveragePlugin>
+		<sonar.dynamicAnalysis>reuseReports</sonar.dynamicAnalysis>
+		<sonar.coverage.jacoco.xmlReportPaths>${project.basedir}/target/site/jacoco/jacoco.xml</sonar.coverage.jacoco.xmlReportPaths>
+		<sonar.language>java</sonar.language>
+		<sonar.verbose>true</sonar.verbose>
 	</properties>
 	<build>
 		<plugins>
@@ -92,7 +98,7 @@
 						<importOrder />
 						<removeUnusedImports />
 						<formatAnnotations />
-						<endWithNewline />
+						<endWithNewline/>
 					</java>
 				</configuration>
 			</plugin>
@@ -197,6 +203,18 @@
 			<artifactId>jackson-databind</artifactId>
 			<version>2.15.2</version>
 		</dependency>
+		<dependency>
+			<groupId>org.jacoco</groupId>
+			<artifactId>jacoco-maven-plugin</artifactId>
+			<version>${jacoco.version}</version>
+		</dependency>
+		<dependency>
+<!--		Indirect dependency of jacoco-maven-plugin. We add this one explicitly, otherwise the included version-->
+<!--		would pull maven-artifact-manager-2.0.2 and lead to CVE-2021-26291.-->
+			<groupId>org.apache.maven.shared</groupId>
+			<artifactId>file-management</artifactId>
+			<version>3.1.0</version>
+		</dependency>
 	</dependencies>
 	<scm>
 		<url>git:[email protected]:siemens/LightweightCmpRa.git</url>
@@ -208,4 +226,4 @@
 	<name>Lightweight CMP RA</name>
 	<description>This project provides a Proof of Concept (PoC) implementation
 		of the Lightweight CMP Profile for CMP [RFC 4210].</description>
-</project>
+</project>