ci: integration with TiCS code quality analysis #138

Draft: wants to merge 6 commits into base: main
30 changes: 30 additions & 0 deletions .github/actions/build-chisel/action.yml
@@ -0,0 +1,30 @@
name: "Build chisel"
description: >
Generates the version file and builds chisel from the current project directory.

The build can be configured via Go environment variables.
outputs:
CHISEL_VERSION:
description: "The chisel version"
value: ${{ steps.build.outputs.chisel-version }}
runs:
using: "composite"
steps:
- id: build
shell: bash
run: |
echo "Generating version file"
go generate ./cmd/

echo "Building for $GOOS $GOARCH"
go build -trimpath -ldflags='-s -w' ./cmd/chisel

# Get version via "chisel version" to ensure it matches that exactly
CHISEL_VERSION=$(GOOS=linux GOARCH=amd64 go run ./cmd/chisel version)
echo "Version: $CHISEL_VERSION"

# Version should not be "unknown"
[ "$CHISEL_VERSION" != "unknown" ] || exit 1

# Share variables with subsequent steps
echo "chisel-version=${CHISEL_VERSION}" >>$GITHUB_OUTPUT
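Review bot: the version check in the `run` block pins `GOOS=linux GOARCH=amd64` for `go run ./cmd/chisel version` while the build just before it honours whatever `$GOOS`/`$GOARCH` the caller set, so the action's own description ("can be configured via Go environment variables") only holds on a linux/amd64 runner; either run the version command with the runner's native target (unset `GOOS`/`GOARCH` for that one command instead of hardcoding amd64) or state the runner requirement in `description:`. Minor: quote the redirect target as `>>"$GITHUB_OUTPUT"` to match the shell's other quoting, and note that the internal output key is now `chisel-version` while the action-level output stays `CHISEL_VERSION`, which is the name callers should keep using.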
19 changes: 2 additions & 17 deletions .github/workflows/build.yml
@@ -51,28 +51,13 @@ jobs:
with:
go-version-file: 'go.mod'

- name: Build Chisel for linux/${{ matrix.arch }}
- uses: ./.github/actions/build-chisel/
name: Build Chisel for linux/${{ matrix.arch }}
id: build
env:
GOOS: "linux"
GOARCH: ${{ matrix.arch }}
CGO_ENABLED: "0"
run: |
echo "Generating version file"
go generate ./cmd/

echo "Building for $GOOS $GOARCH"
go build -trimpath -ldflags='-s -w' ./cmd/chisel

# Get version via "chisel version" to ensure it matches that exactly
CHISEL_VERSION=$(GOOS=linux GOARCH=amd64 go run ./cmd/chisel version)
echo "Version: $CHISEL_VERSION"

# Version should not be "unknown"
[ "$CHISEL_VERSION" != "unknown" ] || exit 1

# Share variables with subsequent steps
echo "CHISEL_VERSION=${CHISEL_VERSION}" >>$GITHUB_OUTPUT

- name: Test if is executable
run: test -x ./chisel
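Review bot: keeping `id: build` on the new `uses: ./.github/actions/build-chisel/` step is what preserves `steps.build.outputs.CHISEL_VERSION` for later steps, since the old inline script wrote `CHISEL_VERSION=...` to `$GITHUB_OUTPUT` and the composite action maps its internal `chisel-version` to an action output of the same upper-case name; it is worth stating that in the step or commit message so nobody "fixes" the key to lower case. Style: the other steps in this file lead with `name:` (e.g. `- name: Test if is executable`), so `- name: Build Chisel for linux/...` followed by `uses:` would read consistently; the `GOOS`/`GOARCH`/`CGO_ENABLED` values passed via `env:` do reach the composite action's `run` step, so the behaviour is otherwise unchanged.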
34 changes: 29 additions & 5 deletions .github/workflows/tests.yaml
@@ -1,6 +1,23 @@
name: Tests

on:
workflow_call:
inputs:
repository:
description: 'Repository name (with owner) to clone'
required: true
type: string
ref:
description: 'The branch, tag or SHA to checkout'
required: true
type: string
outputs:
test-coverage-file:
description: 'The name of the coverage report file'
value: ${{ jobs.unit-tests.outputs.test-coverage-file }}
test-coverage-artifact:
description: 'The name used to upload the coverage file as a GH artifact'
value: ${{ jobs.unit-tests.outputs.test-coverage-artifact }}
workflow_dispatch:
push:
paths-ignore:
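Review bot: both `workflow_call` inputs are declared `required: true`, yet the only caller in this PR (tics.yml) passes an empty string for `ref` and `repository` on every non-PR event, and the job below treats empty as "use the current repository/ref"; declaring them `required: false` with `default: ''` and saying in each `description:` that an empty value falls back to the triggering repository and ref would make that contract explicit instead of forcing callers to pass placeholders. The `test-coverage-file` and `test-coverage-artifact` outputs look right, given that `env` is available in `jobs.<id>.outputs` expressions.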
@@ -14,9 +31,16 @@ jobs:
name: Unit Tests
env:
TEST_COVERAGE_FILE: test-coverage.out
TEST_COVERAGE_ARTIFACT: chisel-test-coverage
TEST_COVERAGE_HTML_FILE: test-coverage.html
outputs:
test-coverage-file: ${{ env.TEST_COVERAGE_FILE }}
test-coverage-artifact: ${{ env.TEST_COVERAGE_ARTIFACT }}
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
ref: ${{ github.event_name == 'workflow_call' && inputs.ref || '' }}
repository: ${{ github.event_name == 'workflow_call' && inputs.repository || '' }}

- uses: actions/setup-go@v3
with:
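Review bot: the condition `github.event_name == 'workflow_call'` on the `ref:` and `repository:` lines is never true: inside a reusable workflow the `github` context is the caller's, so `event_name` is the caller's event (`push`, `pull_request`, `schedule`, ...) and `workflow_call` is not an event name. As written, `inputs.ref` and `inputs.repository` are silently discarded and `actions/checkout@v4` always checks out the base repository at the default ref. Since an empty `ref`/`repository` already makes checkout fall back to its defaults, `ref: ${{ inputs.ref }}` and `repository: ${{ inputs.repository }}` (or `${{ inputs.repository || github.repository }}`) do what the guard was meant to do. Nit: checkout moves to `@v4` while the `actions/setup-go@v3` context line below stays on v3.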
@@ -36,13 +60,13 @@ jobs:
-o=${TEST_COVERAGE_HTML_FILE}
fi

- name: Upload HTML test coverage
uses: actions/upload-artifact@v3
- name: Upload test coverage
uses: actions/upload-artifact@v4
if: always()
continue-on-error: true
with:
name: chisel-test-coverage.html
path: ./*.html
name: ${{ env.TEST_COVERAGE_ARTIFACT }}
path: ./test-coverage*

real-archive-tests:
# Do not change to newer releases as "fips" may not be available there.
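Review bot: `continue-on-error: true` is kept on the upload step, but this artifact is now a hard dependency of the TiCS workflow in this PR (`actions/download-artifact@v4` followed by `gocover-cobertura < <artifact>/<file>`), so a failed upload makes the unit-test job green and the TiCS job fail later with an unrelated-looking "file not found"; either drop `continue-on-error` or keep it only for the `if: always()` failure path. The widened `path: ./test-coverage*` now bundles both `test-coverage.out` and `test-coverage.html` under `${{ env.TEST_COVERAGE_ARTIFACT }}`, which matches the `<artifact>/<file>` layout the consumer expects.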
126 changes: 126 additions & 0 deletions .github/workflows/tics.yml
@@ -0,0 +1,126 @@
name: TiCS

on:
workflow_dispatch:
push:
branches: [main]
# Running on pull_request_target instead of pull_request because this workflow
# uses secrets, and thus we need to ensure it runs under this project's code base.
pull_request:
branches: [main]
schedule:
- cron: '0 10 * * *'

jobs:
set-project:
# This is needed because pull_request_target events will run workflows in
# the context of the base repository (the repository receiving the pull request).
#
# This means that, for such events, we need to explicitly tell the job to
# "action/checkout" the forked repository/ref (aka source of the PR).
name: Set project environment
runs-on: ubuntu-latest
outputs:
ref: ${{ steps.get-ref.outputs.ref }}
repo: ${{ steps.get-repo.outputs.repo }}
steps:
- id: get-ref
run: echo "ref=${{ github.event_name == 'pull_request_target' && github.head_ref || '' }}" >> $GITHUB_OUTPUT

- id: get-repo
run: echo "repo=${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name || '' }}" >> $GITHUB_OUTPUT

# This is safe because the reusable workflow does not require secrets and this
# call is not setting secret inheritance (i.e. "secrets: inherit")
call-unit-tests:
uses: ./.github/workflows/tests.yaml
needs: [set-project]
with:
ref: ${{ needs.set-project.outputs.ref }}
repository: ${{ needs.set-project.outputs.repo }}

tics-static-code-analysis:
runs-on: ubuntu-24.04
name: TiCS Static Code Analysis
needs: [set-project, call-unit-tests]
permissions:
pull-requests: write
env:
TICS_FILELIST: tics-filelist
steps:
- uses: actions/checkout@v4
with:
ref: ${{ needs.set-project.outputs.ref }}
repository: ${{ needs.set-project.outputs.repo }}

- name: Check changed paths in PR
id: changed-paths
if: github.event_name == 'pull_request'
uses: dorny/paths-filter@v3
with:
filters: |
any:
- "**/*"
list-files: csv

- id: get-pr-filelist
run: |
if [[ "${{ github.event_name }}" == "pull_request" ]]
then
echo "${{ steps.changed-paths.outputs.any_files }}" | tr "," "\n" > ${TICS_FILELIST}
else
echo "." > ${TICS_FILELIST}
fi

- uses: actions/setup-go@v3
with:
go-version-file: 'go.mod'

- uses: actions/download-artifact@v4

# This is safe because actions do not have access to secrets unless these
# are passed via inputs or environment variables.
# Ref: https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#accessing-your-secrets
- uses: ./.github/actions/build-chisel/
name: Build Chisel (TiCS analysis precondition)
env:
CGO_ENABLED: "0"

- name: Prepare cobertura XML results
env:
TICS_COVERAGE_FOLDER: ".coverage"
run: |
set -x
mkdir -p ${TICS_COVERAGE_FOLDER}
go install github.com/boumenot/gocover-cobertura@latest
gocover-cobertura \
< ${{ needs.call-unit-tests.outputs.test-coverage-artifact }}/${{ needs.call-unit-tests.outputs.test-coverage-file }} \
> ${TICS_COVERAGE_FOLDER}/coverage.xml

- run: go install honnef.co/go/tools/cmd/staticcheck@latest

- name: Run TiCS client analysis
uses: tiobe/tics-github-action@v3
if: github.event_name == 'pull_request'
with:
mode: 'client'
codetype: 'TESTCODE'
project: chisel
filelist: ${{ env.TICS_FILELIST }}
viewerUrl: 'https://canonical.tiobe.com/tiobeweb/TICS/api/cfg?name=default'
displayUrl: 'https://canonical.tiobe.com/tiobeweb/TICS'
installTics: true

- name: Run TiCS server analysis
uses: tiobe/tics-github-action@v3
if: github.event_name != 'pull_request'
with:
mode: 'qserver'
codetype: 'PRODUCTION'
project: chisel
branchdir: .
filelist: ${{ env.TICS_FILELIST }}
viewerUrl: 'https://canonical.tiobe.com/tiobeweb/TICS/api/cfg?name=default'
displayUrl: 'https://canonical.tiobe.com/tiobeweb/TICS'
ticsAuthToken: ${{ secrets.TICSAUTHTOKEN }}
installTics: true
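Review bot: the header comment says the workflow runs on `pull_request_target` and the `set-project` job compares against `'pull_request_target'`, but the trigger in `on:` is `pull_request`; the comparisons therefore never match, `ref`/`repo` are always empty, and the later `if: github.event_name == 'pull_request'` guards are what actually select client versus server mode. Either fix the comments to describe `pull_request`, or, if `pull_request_target` is really intended, note that this job checks out and executes PR code (`go generate`, `go build`, `go run ./cmd/chisel version`, two `go install ...@latest`) with `secrets.TICSAUTHTOKEN` and `pull-requests: write` in scope, which is the exact combination the "This is safe because ..." comments do not cover; keeping `pull_request` (fork PRs get no secrets and a read-only token) is the safer reading. Separately, `get-pr-filelist` interpolates `${{ steps.changed-paths.outputs.any_files }}` directly into the shell script, so a PR can steer the script through file names; pass it via `env: ANY_FILES: ${{ steps.changed-paths.outputs.any_files }}` and use `echo "$ANY_FILES"`. Nits: pin `gocover-cobertura` and `staticcheck` to versions rather than `@latest`, give `actions/download-artifact@v4` an explicit `name:` so it fetches only the coverage artifact, and `actions/setup-go@v3` is a version behind the other actions here.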