post #310
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # secured workflow to analyze results from insecure 'ci' workflow that | |
| # builds and test the project. | |
| name: post | |
| on: | |
| workflow_run: | |
| workflows: | |
| - ci | |
| types: | |
| - completed | |
| permissions: | |
| actions: read | |
| checks: write | |
| contents: read | |
| pull-requests: read | |
| statuses: write | |
| jobs: | |
| sonar: | |
| name: sonar | |
| runs-on: ubuntu-latest | |
| if: github.repository == 'ansible/vscode-ansible' && github.event.workflow_run.conclusion == 'success' | |
| steps: | |
| - name: Create check run with link | |
| id: create-check | |
| uses: actions/github-script@v8 | |
| with: | |
| result-encoding: string | |
| script: | | |
| const check = await github.rest.checks.create({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| name: 'sonar', | |
| head_sha: '${{ github.event.workflow_run.head_sha }}', | |
| status: 'in_progress', | |
| details_url: '${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}', | |
| }); | |
| console.log(`In progress check created with ID: ${check.data.id}`); | |
| return check.data.id | |
| - name: Checkout Code | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.event.workflow_run.head_sha }} | |
| repository: ${{ github.event.workflow_run.head_repository.full_name }} | |
| - name: Download artifacts (coverage reports) | |
| uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 | |
| with: | |
| pattern: logs-*.zip | |
| path: . | |
| run-id: ${{ github.event.workflow_run.id }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Get PR context | |
| # Source: https://github.com/orgs/community/discussions/25220#discussioncomment-11316244 | |
| id: pr-context | |
| if: github.event.workflow_run.event == 'pull_request' | |
| env: | |
| # Token required for GH CLI: | |
| GH_TOKEN: ${{ github.token }} | |
| # Best practice for scripts is to reference via ENV at runtime. Avoid using the expression syntax in the script content directly: | |
| PR_TARGET_REPO: ${{ github.repository }} | |
| # If the PR is from a fork, prefix it with `<owner-login>:`, otherwise only the PR branch name is relevant: | |
| PR_BRANCH: |- | |
| ${{ | |
| (github.event.workflow_run.head_repository.owner.login != github.event.workflow_run.repository.owner.login) | |
| && format('{0}:{1}', github.event.workflow_run.head_repository.owner.login, github.event.workflow_run.head_branch) | |
| || github.event.workflow_run.head_branch | |
| }} | |
| # Query the PR number by repo + branch, then assign to step output: | |
| run: | | |
| gh pr view --repo "${PR_TARGET_REPO}" "${PR_BRANCH}" \ | |
| --json 'number,baseRefName' --jq '"number=\(.number)\nbase_ref=\(.baseRefName)"' \ | |
| >> "${GITHUB_OUTPUT}" | |
| echo "pr_branch=${PR_BRANCH}" >> "${GITHUB_OUTPUT}" | |
| - name: SonarCloud scan | |
| # Coverage processing if js map files are not present so we cannot do | |
| # this from inside 'check' job. | |
| uses: SonarSource/sonarqube-scan-action@v7 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SONAR_TOKEN: ${{ secrets[format('{0}', vars.SONAR_TOKEN_SECRET_NAME)] }} | |
| with: | |
| args: > | |
| ${{ env.SONAR_ARGS }} | |
| -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} | |
| -Dsonar.pullrequest.key=${{ steps.pr-context.outputs.number }} | |
| -Dsonar.pullrequest.branch=${{ steps.pr-context.outputs.pr_branch }} | |
| -Dsonar.pullrequest.base=${{ steps.pr-context.outputs.base_ref }} | |
| -Dsonar.verbose=${{ secrets.ACTIONS_STEP_DEBUG }} | |
| - name: Update check run (success) | |
| if: success() | |
| uses: actions/github-script@v8 | |
| with: | |
| script: | | |
| await github.rest.checks.update({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| check_run_id: ${{ steps.create-check.outputs.result }}, | |
| status: 'completed', | |
| conclusion: 'success', | |
| completed_at: new Date().toISOString(), | |
| output: { | |
| title: 'Service Tests Passed', | |
| summary: `All service tests passed for PR #${{ steps.pr-context.outputs.number }}.` | |
| } | |
| }); | |
| - name: Update check run (failure) | |
| if: failure() | |
| uses: actions/github-script@v8 | |
| with: | |
| script: | | |
| await github.rest.checks.update({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| check_run_id: ${{ steps.create-check.outputs.result }}, | |
| status: 'completed', | |
| conclusion: 'failure', | |
| completed_at: new Date().toISOString(), | |
| output: { | |
| title: 'Service Tests Failed', | |
| summary: `The service tests failed for PR #${{ steps.pr-context.outputs.number }}. Click "Details" to view the full test output and logs.`, | |
| text: `**Workflow Run:** [View Details](https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})\n\n**PR:** #${{ inputs.pr_number }}\n**Commit:** ${{ needs.setup.outputs.head_sha }}` | |
| } | |
| }); |