google-sync-addon/.github/workflows/code-scan.yml at 9c97207f5659bcaa3ca3a433d07c1e2c590dd0f3 · micro5k/google-sync-addon · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
---
# SPDX-FileCopyrightText: NONE
# SPDX-License-Identifier: CC0-1.0

name: "Code scan"
permissions: {}
on:
  push:
    paths:
      - "**"
    branches:
      - "main"
  schedule:
    # At 12:00 AM, every 31 days, only in January (UTC)
    - cron: "0 0 */31 1 *"

jobs:
  pre-requisites:
    name: "Pre-requisites"
    runs-on: ubuntu-latest
    timeout-minutes: 10
    if: "${{ github.event_name == 'push' }}"
    outputs:
      dependency-graph-enabled: "${{ steps.dependency-graph.outputs.result }}"
      codacy-token-set: "${{ steps.check-tokens.outputs.CODACY_TOKEN_SET }}"
      sonar-token-set: "${{ steps.check-tokens.outputs.SONAR_TOKEN_SET }}"

    steps:
      - name: "Verify tokens"
        id: check-tokens
        shell: bash
        env:
          CODACY_TOKEN: "${{ secrets.CODACY_PROJECT_TOKEN }}"
          SONAR_TOKEN: "${{ secrets.SONAR_TOKEN }}"
        run: |
          # Verifying tokens...
          # Codacy
          if test -n "${CODACY_TOKEN?}"; then token_set='true'; else token_set='false'; fi
          printf 'CODACY_TOKEN_SET=%s\n' "${token_set:?}" 1>> "${GITHUB_OUTPUT?}"
          # SonarQube
          if test -n "${SONAR_TOKEN?}"; then token_set='true'; else token_set='false'; fi
          printf 'SONAR_TOKEN_SET=%s\n' "${token_set:?}" 1>> "${GITHUB_OUTPUT?}"
      - name: "Verify the dependency graph"
        id: dependency-graph
        uses: actions/github-script@v8
        timeout-minutes: 5
        with:
          retries: 3
          script: |
            /* jshint esversion: 6 */
            const response = await github.rest.dependencyGraph.exportSbom({
              owner: context.repo.owner,
              repo: context.repo.repo,
            }).catch(response => response);
            if(response && response.status === 200) {
              console.log('The dependency graph is enabled.');
              return true;
            } else if(response && response.status === 404) {
              console.error('::error::The dependency graph is disabled.');
            } else {
              let errorMsg = 'exportSbom failed';
              if(response && response.status && response.message) errorMsg += ' with error ' + response.status + ' (' + response.message + ')';
              throw new Error(errorMsg);
            }
            return false;

  dependency-submission:
    name: "Dependency submission"
    needs: [pre-requisites]
    runs-on: ubuntu-latest
    timeout-minutes: 10
    if: "${{ github.event_name == 'push' && needs.pre-requisites.outputs.dependency-graph-enabled == 'true' }}"
    permissions:
      contents: write

    steps:
      - name: "Checkout sources"
        uses: actions/checkout@v5
      - name: "Setup Java"
        uses: actions/setup-java@v5
        with:
          distribution: "temurin"
          java-version-file: ".tool-versions"
      - name: "Generate and submit dependency graph"
        uses: gradle/actions/dependency-submission@v5
        with:
          cache-read-only: true
          dependency-graph: "generate-and-submit"
          validate-wrappers: true

  codacy:
    name: "Codacy"
    needs: [pre-requisites]
    runs-on: ubuntu-latest
    timeout-minutes: 20
    if: "${{ github.event_name == 'push' && needs.pre-requisites.outputs.codacy-token-set == 'true' }}"
    concurrency:
      group: "${{ github.repository_id }}-${{ github.workflow }}-codacy"
      cancel-in-progress: false
    permissions:
      security-events: write

    steps:
      - name: "Checkout sources"
        uses: actions/checkout@v5
      - name: "Codacy analysis"
        uses: codacy/codacy-analysis-cli-action@v4
        timeout-minutes: 10
        with:
          project-token: "${{ secrets.CODACY_PROJECT_TOKEN }}"
          #verbose: true
          output: "results.sarif"
          format: "sarif"
          # Adjust severity of non-security issues
          gh-code-scanning-compat: true
          # Force 0 exit code to allow SARIF file generation
          # This will hand over control about PR rejection to the GitHub side
          max-allowed-issues: 2147483647
          upload: false
      - name: "Combine multiple SARIF runs"
        shell: bash
        run: |
          jq '.runs |= unique_by({tool, invocations, results})' 0< './results.sarif' 1> './results-combined.sarif'
      - name: "Upload SARIF results file"
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "results-combined.sarif"
          category: "Codacy"

  sonarqube:
    name: "SonarQube"
    needs: [pre-requisites]
    runs-on: ubuntu-latest
    timeout-minutes: 20
    if: "${{ github.event_name == 'push' && needs.pre-requisites.outputs.sonar-token-set == 'true' }}"

    steps:
      - name: "Checkout sources"
        uses: actions/checkout@v5
        with:
          fetch-depth: "0" # Shallow clones should be disabled for a better relevancy of analysis
      - name: "SonarQube scan"
        uses: SonarSource/sonarqube-scan-action@v6
        timeout-minutes: 10
        env:
          SONAR_TOKEN: "${{ secrets.SONAR_TOKEN }}"