ci: Analysis workflow overhaul, use shared steps, fix

Signed-off-by: Larry Gritz <[email protected]>

Author: lgritz

.github/workflows/analysis.yml

@@ -11,13 +11,27 @@ on:
     # Run unconditionally once weekly
     # - cron: "0 0 * * 0"
   push:
+    # Run on pushes only to main or if the branch name contains "analysis"
     branches:
       - main
       - '*analysis*'
-    paths-ignore:
-      - '**.md'
-      - '**.rst'
-      - '**.tex'
+      - '*sonar*'
+    paths:
+      - '**'
+      - '!**.md'
+      - '!**.rst'
+      - '!**/ci.yml'
+      - '!**/docs.yml'
+      - '!**/scorecard.yml'
+      - '!**.properties'
+      - '!docs/**'
+  # Run analysis on PRs only if the branch name indicates that the purpose of
+  # the PR is related to the Sonar analysis. We don't run on every PR because
+  # the analysis run is very expensive and just isn't usually necessary.
+  pull_request:
+    branches:
+      - '*analysis*'
+      - '*sonar*'
   # Allow manual kicking off of the workflow from github.com
   workflow_dispatch:
 
@@ -31,19 +45,47 @@ concurrency:
 
 jobs:
 
-  aswf:
-    name: "SonarCloud Analysis"
+  sonar-analysis:
     if: |
       github.repository == 'AcademySoftwareFoundation/OpenShadingLanguage'
+    name: "${{matrix.desc}}"
+    uses: ./.github/workflows/build-steps.yml
+    with:
+      nametag: ${{ matrix.nametag || 'unnamed!' }}
+      runner: ${{ matrix.runner || 'ubuntu-latest' }}
+      container: ${{ matrix.container }}
+      cc_compiler: ${{ matrix.cc_compiler || 'gcc' }}
+      cxx_compiler: ${{ matrix.cxx_compiler || 'g++' }}
+      cxx_std: ${{ matrix.cxx_std || '17' }}
+      build_type: ${{ matrix.build_type || 'Release' }}
+      depcmds: ${{ matrix.depcmds }}
+      extra_artifacts: ${{ matrix.extra_artifacts }}
+      fmt_ver: ${{ matrix.fmt_ver }}
+      opencolorio_ver: ${{ matrix.opencolorio_ver }}
+      openexr_ver: ${{ matrix.openexr_ver }}
+      openimageio_ver: ${{ matrix.openimageio_ver }}
+      pybind11_ver: ${{ matrix.pybind11_ver }}
+      python_ver: ${{ matrix.python_ver }}
+      setenvs: ${{ matrix.setenvs }}
+      simd: ${{ matrix.simd }}
+      batched: ${{ matrix.batched }}
+      skip_build: ${{ matrix.skip_build }}
+      skip_tests: ${{ matrix.skip_tests }}
+      abi_check: ${{ matrix.abi_check }}
+      build_docs: ${{ matrix.build_docs }}
+      generator: ${{ matrix.generator }}
+      ctest_args: ${{ matrix.ctest_args }}
+      ctest_test_timeout: ${{ matrix.ctest_test_timeout || '800' }}
+      coverage: ${{ matrix.coverage || 0 }}
+      sonar: ${{ matrix.sonar || 0 }}
     strategy:
       fail-fast: false
       matrix:
         include:
-          - desc: sonar gcc9/C++17 llvm13 py3.9 exr3.1 oiio3.0 avx2
+          - desc: sonar VP2024 gcc11/C++17 llvm17 py3.11 oiio-rel avx2
             nametag: static-analysis-sonar
-            os: ubuntu-latest
-            vfxyear: 2024
-            vfxsuffix: -clang17
+            runner: ubuntu-latest
+            container: aswftesting/ci-osl:2024-clang17
             cxx_std: 17
             openimageio_ver: release
             python_ver: "3.11"
@@ -66,69 +108,3 @@ jobs:
                             CTEST_TEST_TIMEOUT=1200
                             CTEST_EXCLUSIONS="broken|noise-reg.regress|noise-gabor-reg.regress"
 
-    runs-on: ${{ matrix.os }}
-    container:
-      image: aswf/ci-osl:2024-clang17
-    env:
-      CXX: ${{matrix.cxx_compiler}}
-      CC: ${{matrix.cc_compiler}}
-      CMAKE_CXX_STANDARD: ${{matrix.cxx_std}}
-      FMT_VERSION: ${{matrix.fmt_ver}}
-      OPENEXR_VERSION: ${{matrix.openexr_ver}}
-      OPENIMAGEIO_VERSION: ${{matrix.openimageio_ver}}
-      PYBIND11_VERSION: ${{matrix.pybind11_ver}}
-      PYTHON_VERSION: ${{matrix.python_ver}}
-      USE_BATCHED: ${{matrix.batched}}
-      USE_SIMD: ${{matrix.simd}}
-      # DEBUG_CI: 1
-    steps:
-      # We would like to use harden-runner, but it flags too many false
-      # positives, every time we download a dependency. We should use it only
-      # on CI runs where we are producing artifacts that users might rely on.
-      # - name: Harden Runner
-      #   uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 # v1.4.3
-      #   with:
-      #     egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
-        with:
-          fetch-depth: '0'
-      - name: Prepare ccache timestamp
-        id: ccache_cache_keys
-        run: echo "::set-output name=date::`date -u +'%Y-%m-%dT%H:%M:%SZ'`"
-      - name: ccache
-        id: ccache
-        uses: actions/cache@c3f1317a9e7b1ef106c153ac8c0f00fed3ddbc0d # v3.0.4
-        with:
-          path: /tmp/ccache
-          key: ${{github.job}}-${{matrix.nametag}}-${{steps.ccache_cache_keys.outputs.date}}
-          restore-keys: ${{github.job}}-
-      - name: Build setup
-        run: |
-            ${{matrix.setenvs}}
-            src/build-scripts/ci-startup.bash
-      - name: Remove existing OIIO
-        if: matrix.openimageio_ver != ''
-        run: |
-            sudo rm -rf /usr/local/include/OpenImageIO
-            sudo rm -rf /usr/local/lib*/cmake/OpenImageIO
-            sudo rm -rf /usr/local/lib*/libOpenImageIO*
-            sudo rm -rf /usr/local/lib*/python3.9/site-packages/OpenImageIO*
-      - name: Dependencies
-        run: |
-            ${{matrix.depcmds}}
-            src/build-scripts/gh-installdeps.bash
-      - name: Build
-        run: src/build-scripts/ci-build.bash
-      - name: Testsuite
-        if: matrix.skip_tests != '1'
-        run: src/build-scripts/ci-test.bash
-      - name: Code coverage
-        if: matrix.coverage == '1'
-        run: src/build-scripts/ci-coverage.bash
-      - name: Sonar-scanner
-        if: matrix.sonar == 1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        run: |
-            sonar-scanner -X --define sonar.host.url="${{ env.SONAR_SERVER_URL }}" --define sonar.cfamily.build-wrapper-output="build/bw_output" --define sonar.cfamily.gcov.reportsPath="_coverage"