-
Notifications
You must be signed in to change notification settings - Fork 1
84 lines (72 loc) · 2.04 KB
/
scan-repo.yml
File metadata and controls
84 lines (72 loc) · 2.04 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
name: Scan repository
on:
pull_request:
push:
branches: [main]
schedule:
# Every Monday at 9am
- cron: "0 9 * * 1"
concurrency:
group: scan-repo-${{ github.head_ref || github.ref_name }}
cancel-in-progress: true
permissions: read-all
jobs:
unit-tests:
name: Test coverage
uses: ./.github/workflows/run-unit-tests.yml
with:
coverage-report: true
sonarcloud:
name: SonarCloud
needs: unit-tests
runs-on: ubuntu-latest
steps:
- name: Pull repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Gradle
uses: gradle/actions/setup-gradle@v4
with:
gradle-version: 8.13
- name: Set up JDK
uses: actions/setup-java@v4
with:
java-version: 17
distribution: corretto
cache: gradle
- name: Cache build artifacts
uses: actions/cache@v4
with:
key: ${{ runner.os }}-cri-lib-java-${{ github.head_ref || github.ref_name }}
restore-keys: ${{ runner.os }}-cri-lib-java-
path: |
build/
!build/jacoco
!build/reports
- name: Cache SonarCloud packages
uses: actions/cache@v4
with:
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
path: ~/.sonar/cache
- name: Get coverage results
uses: actions/download-artifact@v4
with:
name: ${{ needs.unit-tests.outputs.coverage-artifact }}
path: build/reports/jacoco/test
- name: Run SonarCloud scan
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: ./gradlew sonar --build-cache --parallel --info
codeql:
name: CodeQL
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Run CodeQL scan
uses: govuk-one-login/github-actions/code-quality/codeql@cd7d35dde348251237efbbaee5345e95adef0321
with:
languages: java