225 lines
9.0 KiB
YAML
225 lines
9.0 KiB
YAML
|
|
name: SonarQube Analysis
|
|
|
|
on:
|
|
pull_request:
|
|
types: [opened, synchronize, reopened]
|
|
|
|
concurrency:
|
|
group: ${{ gitea.workflow }}-${{ gitea.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
sonarqube:
|
|
name: Build, Test & Analyse
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 15
|
|
|
|
env:
|
|
SONAR_PROJECT_KEY: demo-cp4-1
|
|
SONAR_ADMIN_TOKEN: ${{ secrets.SONAR_ADMIN_TOKEN }}
|
|
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
|
|
BACKSTAGE_CLEANUP_TOKEN: ${{ secrets.BACKSTAGE_CLEANUP_TOKEN }}
|
|
BACKSTAGE_URL: https://dev.backstage.kyndemo.live
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Set up JDK 17
|
|
uses: actions/setup-java@v4
|
|
with:
|
|
java-version: '17'
|
|
distribution: 'temurin'
|
|
|
|
- name: Make Maven wrapper executable
|
|
run: chmod +x mvnw
|
|
|
|
- name: Cache Maven packages
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: ~/.m2/repository
|
|
key: maven-${{ runner.os }}-${{ hashFiles('**/pom.xml') }}
|
|
restore-keys: maven-${{ runner.os }}-
|
|
|
|
- name: Cache SonarQube analysis data
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: ~/.sonar/cache
|
|
key: sonar-${{ runner.os }}-${{ hashFiles('**/pom.xml') }}
|
|
restore-keys: sonar-${{ runner.os }}-
|
|
|
|
- name: Validate required secrets
|
|
run: |
|
|
[[ -n "$SONAR_ADMIN_TOKEN" ]] || { echo "::error::SONAR_ADMIN_TOKEN is not set"; exit 1; }
|
|
[[ -n "$SONAR_HOST_URL" ]] || { echo "::error::SONAR_HOST_URL is not set"; exit 1; }
|
|
[[ -n "$SONAR_PROJECT_KEY" ]] || { echo "::error::SONAR_PROJECT_KEY is not set"; exit 1; }
|
|
|
|
SONAR_HOST_URL="${SONAR_HOST_URL%/}"
|
|
|
|
AUTH_RESPONSE=$(curl -s -o /tmp/sonar-auth-response.json -w "%{http_code}" \
|
|
-u "${SONAR_ADMIN_TOKEN}:" \
|
|
"${SONAR_HOST_URL}/api/authentication/validate")
|
|
|
|
if [[ "$AUTH_RESPONSE" != "200" ]]; then
|
|
echo "::error::SonarQube is unreachable or returned HTTP ${AUTH_RESPONSE} — check SONAR_HOST_URL"
|
|
exit 1
|
|
fi
|
|
|
|
TOKEN_VALID=$(jq -r '.valid' /tmp/sonar-auth-response.json 2>/dev/null || echo "false")
|
|
if [[ "$TOKEN_VALID" != "true" ]]; then
|
|
echo "::error::SONAR_ADMIN_TOKEN is invalid or has been revoked (SonarQube returned valid=false)"
|
|
exit 1
|
|
fi
|
|
|
|
echo "✅ SONAR_ADMIN_TOKEN verified against ${SONAR_HOST_URL}"
|
|
|
|
- name: Bootstrap SonarQube project and generate scan token
|
|
id: sonar-bootstrap
|
|
run: |
|
|
PROJECT_COUNT=$(curl -sf \
|
|
-u "${SONAR_ADMIN_TOKEN}:" \
|
|
"${SONAR_HOST_URL}/api/projects/search?projects=${SONAR_PROJECT_KEY}" \
|
|
| jq '.paging.total')
|
|
|
|
if [[ "$PROJECT_COUNT" == "0" ]]; then
|
|
echo "Project '${SONAR_PROJECT_KEY}' not found — creating it..."
|
|
curl -sf -X POST \
|
|
-u "${SONAR_ADMIN_TOKEN}:" \
|
|
"${SONAR_HOST_URL}/api/projects/create" \
|
|
--data-urlencode "name=${SONAR_PROJECT_KEY}" \
|
|
--data-urlencode "project=${SONAR_PROJECT_KEY}" \
|
|
--data-urlencode "mainBranch=main" \
|
|
--data-urlencode "visibility=private"
|
|
echo "✅ Project created."
|
|
else
|
|
echo "✅ Project '${SONAR_PROJECT_KEY}' already exists — skipping creation."
|
|
fi
|
|
|
|
TOKEN_NAME="gitea-scan-${SONAR_PROJECT_KEY}"
|
|
curl -sf -X POST \
|
|
-u "${SONAR_ADMIN_TOKEN}:" \
|
|
"${SONAR_HOST_URL}/api/user_tokens/revoke" \
|
|
--data-urlencode "name=${TOKEN_NAME}" \
|
|
> /dev/null 2>&1 || true
|
|
|
|
SCAN_TOKEN=$(curl -sf -X POST \
|
|
-u "${SONAR_ADMIN_TOKEN}:" \
|
|
"${SONAR_HOST_URL}/api/user_tokens/generate" \
|
|
--data-urlencode "name=${TOKEN_NAME}" \
|
|
--data-urlencode "type=PROJECT_ANALYSIS_TOKEN" \
|
|
--data-urlencode "projectKey=${SONAR_PROJECT_KEY}" \
|
|
| jq -r '.token')
|
|
|
|
[[ -n "$SCAN_TOKEN" ]] || { echo "::error::Failed to generate scan token"; exit 1; }
|
|
|
|
echo "✅ Scan token generated for project '${SONAR_PROJECT_KEY}'"
|
|
echo "::add-mask::${SCAN_TOKEN}"
|
|
echo "SCAN_TOKEN=${SCAN_TOKEN}" >> "$GITHUB_ENV"
|
|
|
|
- name: Build and test
|
|
run: |
|
|
./mvnw -B verify \
|
|
-Dtest='!PostgresIntegrationTests,!MySqlIntegrationTests'
|
|
|
|
- name: SonarQube analysis
|
|
run: |
|
|
./mvnw -B org.sonarsource.scanner.maven:sonar-maven-plugin:4.0.0.4121:sonar \
|
|
-Dsonar.projectKey="${SONAR_PROJECT_KEY}" \
|
|
-Dsonar.host.url="${SONAR_HOST_URL}" \
|
|
-Dsonar.token="${SCAN_TOKEN}" \
|
|
-Dsonar.java.source=17 \
|
|
-Dsonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml
|
|
|
|
- name: Quality Gate check
|
|
id: quality-gate
|
|
run: |
|
|
echo "Waiting for SonarQube to process the analysis..."
|
|
for i in $(seq 1 24); do
|
|
RESPONSE=$(curl -sf -u "${SCAN_TOKEN}:" \
|
|
"${SONAR_HOST_URL}/api/qualitygates/project_status?projectKey=${SONAR_PROJECT_KEY}" || true)
|
|
STATUS=$(echo "$RESPONSE" | jq -r '.projectStatus.status' 2>/dev/null || echo "NONE")
|
|
if [[ "$STATUS" =~ ^(OK|ERROR|WARN)$ ]]; then break; fi
|
|
echo " Status: ${STATUS:-pending} — retrying in 5s..."
|
|
sleep 5
|
|
done
|
|
|
|
echo ""
|
|
echo "══════════════════════════════════════════"
|
|
echo " Quality Gate: $STATUS"
|
|
echo "══════════════════════════════════════════"
|
|
|
|
echo "$RESPONSE" | jq -r '
|
|
.projectStatus.conditions[] |
|
|
if .status == "ERROR" then " ❌ \(.metricKey): \(.actualValue) (threshold: \(.errorThreshold), comparator: \(.comparator))"
|
|
elif .status == "WARN" then " ⚠️ \(.metricKey): \(.actualValue) (threshold: \(.errorThreshold), comparator: \(.comparator))"
|
|
else " ✅ \(.metricKey): \(.actualValue)"
|
|
end'
|
|
|
|
echo "══════════════════════════════════════════"
|
|
|
|
FAILED=$(echo "$RESPONSE" | jq '[.projectStatus.conditions[] | select(.status == "ERROR")] | length')
|
|
if [[ "$FAILED" -gt 0 ]]; then
|
|
echo "::error::Quality Gate FAILED — $FAILED metric(s) did not meet threshold"
|
|
exit 1
|
|
fi
|
|
|
|
- name: Notify Backstage on quality gate failure
|
|
if: always() && steps.quality-gate.outcome == 'failure'
|
|
run: |
|
|
echo "--- Backstage notification debug ---"
|
|
echo "BACKSTAGE_URL: ${BACKSTAGE_URL:-<not set>}"
|
|
echo "BACKSTAGE_CLEANUP_TOKEN set: $([[ -n "$BACKSTAGE_CLEANUP_TOKEN" ]] && echo yes || echo no)"
|
|
echo "SONAR_PROJECT_KEY: ${SONAR_PROJECT_KEY:-<not set>}"
|
|
echo "GITHUB_HEAD_REF: ${GITHUB_HEAD_REF:-<not set>}"
|
|
|
|
if [[ -z "$BACKSTAGE_URL" ]]; then
|
|
echo "::error::BACKSTAGE_URL is not set — cannot send notification"
|
|
exit 0
|
|
fi
|
|
if [[ -z "$BACKSTAGE_CLEANUP_TOKEN" ]]; then
|
|
echo "::error::BACKSTAGE_CLEANUP_TOKEN is not set — cannot send notification"
|
|
exit 0
|
|
fi
|
|
|
|
PAYLOAD="{
|
|
\"recipients\": { \"type\": \"entity\", \"entityRef\": \"group:default/platform-engineering\" },
|
|
\"payload\": {
|
|
\"title\": \"SonarQube Quality Gate Failed\",
|
|
"description": "Quality gate failed for ${SONAR_PROJECT_KEY} on branch ${GITHUB_HEAD_REF}.",
|
|
\"link\": \"${SONAR_HOST_URL}/dashboard?id=${SONAR_PROJECT_KEY}\",
|
|
\"severity\": \"high\",
|
|
\"topic\": \"sonarqube-quality-gate\"
|
|
}
|
|
}"
|
|
|
|
echo "Sending notification to: ${BACKSTAGE_URL}/api/notifications"
|
|
|
|
HTTP_CODE=$(curl -s -o /tmp/bs-notify-response.json -w "%{http_code}" \
|
|
-X POST "${BACKSTAGE_URL}/api/notifications" \
|
|
-H "Content-Type: application/json" \
|
|
-H "Authorization: Bearer ${BACKSTAGE_CLEANUP_TOKEN}" \
|
|
-d "${PAYLOAD}")
|
|
|
|
echo "HTTP response code: ${HTTP_CODE}"
|
|
echo "Response body:"
|
|
cat /tmp/bs-notify-response.json 2>/dev/null || echo "<empty response>"
|
|
|
|
if [[ "$HTTP_CODE" -ge 200 && "$HTTP_CODE" -lt 300 ]]; then
|
|
echo "✅ Backstage notification sent"
|
|
else
|
|
echo "⚠️ Backstage notification failed (HTTP ${HTTP_CODE})"
|
|
fi
|
|
|
|
- name: Revoke scan token
|
|
if: always()
|
|
run: |
|
|
curl -sf -X POST \
|
|
-u "${SONAR_ADMIN_TOKEN}:" \
|
|
"${SONAR_HOST_URL}/api/user_tokens/revoke" \
|
|
--data-urlencode "name=gitea-scan-${SONAR_PROJECT_KEY}" \
|
|
&& echo "✅ Scan token revoked" \
|
|
|| echo "⚠️ Token revocation failed"
|