Skip to content
Code scan

chore: minor changes #167

Sign in to view logs

chore: minor changes

chore: minor changes #167

Workflow file for this run

.github/workflows/code-scan.yml at c9ce8d4
---
# SPDX-FileCopyrightText: NONE
# SPDX-License-Identifier: CC0-1.0
name: "Code scan"
permissions: {}
on:
push:
paths:
- "**"
branches:
- "main"
schedule:
# At 12:00 AM, every 31 days, only in January (UTC)
- cron: "0 0 */31 1 *"
jobs:
pre-requisites:
name: "Pre-requisites"
runs-on: ubuntu-latest
timeout-minutes: 10
if: "${{ github.event_name == 'push' }}"
outputs:
dependency-graph-enabled: "${{ steps.dependency-graph.outputs.result }}"
codacy-token-set: "${{ steps.check-tokens.outputs.CODACY_TOKEN_SET }}"
sonar-token-set: "${{ steps.check-tokens.outputs.SONAR_TOKEN_SET }}"
steps:
- name: "Verify tokens"
id: check-tokens
shell: bash
env:
CODACY_TOKEN: "${{ secrets.CODACY_PROJECT_TOKEN }}"
SONAR_TOKEN: "${{ secrets.SONAR_TOKEN }}"
run: |
# Verifying tokens...
# Codacy
if test -n "${CODACY_TOKEN?}"; then token_set='true'; else token_set='false'; fi
printf 'CODACY_TOKEN_SET=%s\n' "${token_set:?}" 1>> "${GITHUB_OUTPUT?}"
# SonarQube
if test -n "${SONAR_TOKEN?}"; then token_set='true'; else token_set='false'; fi
printf 'SONAR_TOKEN_SET=%s\n' "${token_set:?}" 1>> "${GITHUB_OUTPUT?}"
- name: "Verify the dependency graph"
id: dependency-graph
uses: actions/github-script@v8
timeout-minutes: 5
with:
retries: 3
script: |
/* jshint esversion: 11 */
const response = await github.rest.dependencyGraph.exportSbom({
owner: context.repo.owner,
repo: context.repo.repo,
}).catch(response => response);
if(response && response.status === 200) {
console.log('The dependency graph is enabled.');
return true;
} else if(response && response.status === 404) {
console.error('::error::The dependency graph is disabled.');
} else {
let errorMsg = 'exportSbom failed';
if(response && response.status && response.message) errorMsg += ' with error ' + response.status + ' (' + response.message + ')';
throw new Error(errorMsg);
}
return false;
dependency-submission:
name: "Dependency submission"
needs: [pre-requisites]
runs-on: ubuntu-latest
timeout-minutes: 10
if: "${{ github.event_name == 'push' && needs.pre-requisites.outputs.dependency-graph-enabled == 'true' }}"
permissions:
contents: write
steps:
- name: "Checkout sources"
uses: actions/checkout@v6
with:
lfs: false
- name: "Setup Java"
uses: actions/setup-java@v5
with:
distribution: "temurin"
java-version-file: ".tool-versions"
- name: "Use Gradle wrapper cache"
uses: actions/cache@v5
timeout-minutes: 5
with:
key: "gradle-wrapper-${{ hashFiles('gradle/wrapper/gradle-wrapper.properties') }}"
path: |
~/.gradle/wrapper
~/.gradle/notifications
enableCrossOsArchive: true
- name: "Generate and submit dependency graph"
uses: gradle/actions/dependency-submission@v6
with:
dependency-graph: "generate-and-submit"
cache-disabled: true
validate-wrappers: true
codacy:
name: "Codacy"
needs: [pre-requisites]
runs-on: ubuntu-latest
timeout-minutes: 20
if: "${{ github.event_name == 'push' && needs.pre-requisites.outputs.codacy-token-set == 'true' }}"
concurrency:
group: "${{ github.repository_id }}-${{ github.workflow }}-codacy"
cancel-in-progress: false
permissions:
contents: read # Needed to checkout the repository (only required for private repositories)
security-events: write
steps:
- name: "Checkout sources"
uses: actions/checkout@v6
with:
lfs: false
- name: "Codacy analysis"
uses: codacy/codacy-analysis-cli-action@v4
timeout-minutes: 10
with:
project-token: "${{ secrets.CODACY_PROJECT_TOKEN }}"
#verbose: true
output: "results.sarif"
format: "sarif"
# Adjust severity of non-security issues
gh-code-scanning-compat: true
# Force 0 exit code to allow SARIF file generation
# This will hand over control about PR rejection to the GitHub side
max-allowed-issues: 2147483647
upload: false
- name: "Combine all SARIF runs by tool name"
shell: bash
run: |
jq '.runs |= (
# Group runs by tool name to create unique categories (Post-March 27, 2026 GitHub requirement)
group_by(.tool.driver.name) |
map(
# Store the group and the first element (as template)
. as $group |
.[0] as $first |
# Rebuild the run object by collecting data in a single pass
$first + {
# Add mandatory category ID
"automationDetails": ($first.automationDetails + { "id": ("Codacy/" + $first.tool.driver.name) }),
# Collect all results and artifacts from the group
"results": ([$group[].results[]] | unique),
"artifacts": ([$group[].artifacts[]] | unique),
# Merge all invocation fields and calculate global success
"invocations": [
(
reduce $group[].invocations[] as $item ({}; . + $item) |
. + { "executionSuccessful": ([$group[].invocations[].executionSuccessful] | all) }
)
]
}
)
)' -- './results.sarif' 1> './results-combined.sarif'
- name: "Upload SARIF results file to GitHub"
uses: github/codeql-action/upload-sarif@v4
if: "${{ github.ref == 'refs/heads/main' }}"
with:
sarif_file: "results-combined.sarif"
category: "Codacy"
sonarqube:
name: "SonarQube"
needs: [pre-requisites]
runs-on: ubuntu-latest
timeout-minutes: 20
if: "${{ github.event_name == 'push' && needs.pre-requisites.outputs.sonar-token-set == 'true' }}"
permissions:
contents: read # Needed to checkout the repository (only required for private repositories)
steps:
- name: "Checkout sources"
uses: actions/checkout@v6
with:
lfs: false
fetch-depth: "0" # Shallow clones should be disabled for a better relevancy of analysis
- name: "Avoid SonarQube warning"
shell: bash
run: |
# Avoiding the SonarQube warning...
mv -f -- ./build.gradle ./build-manually.gradle
- name: "SonarQube scan"
uses: SonarSource/sonarqube-scan-action@v7
timeout-minutes: 10
env:
SONAR_TOKEN: "${{ secrets.SONAR_TOKEN }}"
- name: "Post Avoid SonarQube warning"
shell: bash
if: "always()"
run: |
# Post job cleanup.
mv -f -- ./build-manually.gradle ./build.gradle