Update .gitea/workflows/sonar-scan.yaml
This commit is contained in:
@@ -2,28 +2,25 @@ name: SonarQube Analysis
|
|||||||
|
|
||||||
on:
|
on:
|
||||||
push:
|
push:
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
pull_request:
|
pull_request:
|
||||||
types: [opened, synchronize, reopened]
|
types: [opened, synchronize, reopened]
|
||||||
|
|
||||||
|
concurrency:
|
||||||
|
group: ${{ github.workflow }}-${{ github.ref }}
|
||||||
|
cancel-in-progress: true
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
sonarqube:
|
sonarqube:
|
||||||
name: Build, Test & Analyse
|
name: Build, Test & Analyse
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
timeout-minutes: 15
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
# ------------------------------------------------------------------ #
|
|
||||||
# 1. Full checkout — shallow clones degrade SonarQube blame/new-code #
|
|
||||||
# ------------------------------------------------------------------ #
|
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
|
|
||||||
# ------------------------------------------------------------------ #
|
|
||||||
# 2. Java 17 — matches spring-petclinic's java.version property #
|
|
||||||
# ------------------------------------------------------------------ #
|
|
||||||
- name: Set up JDK 17
|
- name: Set up JDK 17
|
||||||
uses: actions/setup-java@v4
|
uses: actions/setup-java@v4
|
||||||
with:
|
with:
|
||||||
@@ -33,9 +30,6 @@ jobs:
|
|||||||
- name: Make Maven wrapper executable
|
- name: Make Maven wrapper executable
|
||||||
run: chmod +x mvnw
|
run: chmod +x mvnw
|
||||||
|
|
||||||
# ------------------------------------------------------------------ #
|
|
||||||
# 3. Cache Maven local repository and the SonarQube analysis cache #
|
|
||||||
# ------------------------------------------------------------------ #
|
|
||||||
- name: Cache Maven packages
|
- name: Cache Maven packages
|
||||||
uses: actions/cache@v4
|
uses: actions/cache@v4
|
||||||
with:
|
with:
|
||||||
@@ -50,73 +44,48 @@ jobs:
|
|||||||
key: sonar-${{ runner.os }}
|
key: sonar-${{ runner.os }}
|
||||||
restore-keys: sonar-${{ runner.os }}
|
restore-keys: sonar-${{ runner.os }}
|
||||||
|
|
||||||
# ------------------------------------------------------------------ #
|
- name: Validate required secrets
|
||||||
# 4. Build, run tests, collect JaCoCo coverage, then push to Sonar. #
|
env:
|
||||||
# #
|
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
|
||||||
# Why one command? #
|
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
|
||||||
# - `verify` compiles, runs unit + integration tests, and lets #
|
SONAR_PROJECT_KEY: ${{ secrets.SONAR_PROJECT_KEY }}
|
||||||
# JaCoCo write target/site/jacoco/jacoco.xml #
|
run: |
|
||||||
# - `sonar:sonar` reads the compiled bytecode, test results, and #
|
[[ -n "$SONAR_TOKEN" ]] || { echo "::error::SONAR_TOKEN is not set"; exit 1; }
|
||||||
# coverage report that `verify` just produced #
|
[[ -n "$SONAR_HOST_URL" ]] || { echo "::error::SONAR_HOST_URL is not set"; exit 1; }
|
||||||
# #
|
[[ -n "$SONAR_PROJECT_KEY" ]] || { echo "::error::SONAR_PROJECT_KEY is not set"; exit 1; }
|
||||||
# The H2 in-memory database is active by default so no external DB #
|
|
||||||
# service is needed for the standard test suite. #
|
|
||||||
# #
|
|
||||||
# Required secrets (Settings → Secrets): #
|
|
||||||
# SONAR_TOKEN – SonarQube user / project token #
|
|
||||||
# #
|
|
||||||
# Required variables (Settings → Variables): #
|
|
||||||
# SONAR_HOST_URL – e.g. http://sonarqube.example.com:9000 #
|
|
||||||
# SONAR_PROJECT_KEY – e.g. spring-petclinic #
|
|
||||||
# ------------------------------------------------------------------ #
|
|
||||||
- name: Build and test
|
- name: Build and test
|
||||||
run: |
|
run: |
|
||||||
./mvnw -B verify \
|
./mvnw -B verify \
|
||||||
-Dtest='!PostgresIntegrationTests'
|
-Dtest='!PostgresIntegrationTests,!MySqlIntegrationTests'
|
||||||
|
|
||||||
- name: SonarQube analysis
|
- name: SonarQube analysis
|
||||||
env:
|
env:
|
||||||
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
|
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
|
||||||
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
|
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
|
||||||
|
SONAR_PROJECT_KEY: ${{ secrets.SONAR_PROJECT_KEY }}
|
||||||
run: |
|
run: |
|
||||||
./mvnw -B sonar:sonar \
|
./mvnw -B org.sonarsource.scanner.maven:sonar-maven-plugin:4.0.0.4121:sonar \
|
||||||
-Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }} \
|
-Dsonar.projectKey="${SONAR_PROJECT_KEY}" \
|
||||||
-Dsonar.projectName="Spring PetClinic" \
|
|
||||||
-Dsonar.host.url="${SONAR_HOST_URL}" \
|
-Dsonar.host.url="${SONAR_HOST_URL}" \
|
||||||
-Dsonar.token="${SONAR_TOKEN}" \
|
-Dsonar.token="${SONAR_TOKEN}" \
|
||||||
-Dsonar.java.source=17 \
|
-Dsonar.java.source=17 \
|
||||||
-Dsonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml
|
-Dsonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml
|
||||||
# ------------------------------------------------------------------ #
|
|
||||||
# 5. Quality Gate — poll until the result is ready, fail if red #
|
|
||||||
# ------------------------------------------------------------------ #
|
|
||||||
- name: Quality Gate check
|
- name: Quality Gate check
|
||||||
env:
|
env:
|
||||||
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
|
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
|
||||||
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
|
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
|
||||||
|
SONAR_PROJECT_KEY: ${{ secrets.SONAR_PROJECT_KEY }}
|
||||||
run: |
|
run: |
|
||||||
echo "Waiting for SonarQube to process the analysis..."
|
echo "Waiting for SonarQube to process the analysis..."
|
||||||
STATUS=""
|
for i in $(seq 1 24); do
|
||||||
for i in $(seq 1 24); do # up to ~2 minutes
|
RESPONSE=$(curl -sf -u "${SONAR_TOKEN}:" \
|
||||||
RESPONSE=$(curl -sf \
|
"${SONAR_HOST_URL}/api/qualitygates/project_status?projectKey=${SONAR_PROJECT_KEY}" || true)
|
||||||
-u "${SONAR_TOKEN}:" \
|
STATUS=$(echo "$RESPONSE" | jq -r '.projectStatus.status' 2>/dev/null || echo "NONE")
|
||||||
"${SONAR_HOST_URL}/api/qualitygates/project_status?projectKey=${{ secrets.SONAR_PROJECT_KEY }}" \
|
if [[ "$STATUS" =~ ^(OK|ERROR|WARN)$ ]]; then break; fi
|
||||||
|| true)
|
echo " Status: ${STATUS:-pending} — retrying in 5s..."
|
||||||
STATUS=$(echo "$RESPONSE" | python3 -c \
|
|
||||||
"import sys,json; print(json.load(sys.stdin)['projectStatus']['status'])" \
|
|
||||||
2>/dev/null || echo "NONE")
|
|
||||||
if [ "$STATUS" = "OK" ] || [ "$STATUS" = "ERROR" ] || [ "$STATUS" = "WARN" ]; then
|
|
||||||
break
|
|
||||||
fi
|
|
||||||
echo " Status: ${STATUS:-pending} — retrying in 5 s..."
|
|
||||||
sleep 5
|
sleep 5
|
||||||
done
|
done
|
||||||
|
|
||||||
echo "Quality Gate status: $STATUS"
|
echo "Quality Gate status: $STATUS"
|
||||||
if [ "$STATUS" = "ERROR" ]; then
|
[[ "$STATUS" != "ERROR" ]] || { echo "::error::Quality Gate FAILED"; exit 1; }
|
||||||
echo "❌ Quality Gate FAILED — check ${{ secrets.SONAR_HOST_URL }}/dashboard?id=${{ secrets.SONAR_PROJECT_KEY }}"
|
|
||||||
exit 1
|
|
||||||
elif [ "$STATUS" = "OK" ]; then
|
|
||||||
echo "✅ Quality Gate PASSED"
|
|
||||||
else
|
|
||||||
echo "⚠️ Quality Gate status: $STATUS"
|
|
||||||
fi
|
|
||||||
Reference in New Issue
Block a user