-
Notifications
You must be signed in to change notification settings - Fork 13
188 lines (170 loc) · 6.81 KB
/
zxc-code-analysis.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
##
# Copyright (C) 2023-2024 Hedera Hashgraph, LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
name: 'ZXC: Code Analysis'
# The purpose of this reusable workflow is to perform static code analysis and code coverage reporting.
# This reusable component is called by the following workflows:
# - .github/workflows/flow-pull-request-checks.yaml
# - .github/workflows/flow-build-application.yaml
#
# This workflow is only run if the pull request is coming from the original repository and not a fork.
on:
workflow_call:
inputs:
enable-codecov-analysis:
description: 'CodeCov Analysis Enabled'
type: boolean
required: false
default: false
enable-codacy-coverage:
description: 'Codacy Coverage Enabled'
type: boolean
required: false
default: false
enable-e2e-coverage-report:
description: 'E2E Coverage Report Enabled'
type: boolean
required: false
default: false
enable-snyk-scan:
description: 'Snyk Scan Enabled'
type: boolean
required: false
default: false
node-version:
description: 'NodeJS Version:'
type: string
required: false
default: '20'
custom-job-label:
description: 'Custom Job Label:'
type: string
required: false
default: 'Analyze'
secrets:
snyk-token:
description: 'The Snyk access token is used by Snyk to analyze the code for vulnerabilities '
required: false
codecov-token:
description: 'The CodeCov access token is used by CodeCov.io to analyze the code coverage '
required: false
codacy-project-token:
description: 'The Codacy project token used to report code coverage.'
required: false
defaults:
run:
shell: bash
permissions:
contents: read
actions: read
pull-requests: write
checks: write
statuses: write
jobs:
analyze:
name: ${{ inputs.custom-job-label || 'Analyze' }}
runs-on: transaction-tools-linux-medium
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout Code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.workflow_run.head_branch }}
fetch-depth: ${{ inputs.enable-sonar-analysis && '0' || '' }}
- name: Setup Node
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: ${{ inputs.node-version }}
- name: Download Unit Test Coverage Report
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
if: ${{ (inputs.enable-codecov-analysis || inputs.enable-codacy-coverage) && !cancelled() && !failure() }}
with:
name: Unit Test Coverage Report
path: 'coverage/unit'
- name: Download E2E Coverage Report
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
if: ${{ (inputs.enable-codecov-analysis || inputs.enable-codacy-coverage) && inputs.enable-e2e-coverage-report && !cancelled() && !failure() }}
with:
name: E2E Coverage Report
path: 'coverage/e2e'
- name: Publish To Codecov
uses: codecov/codecov-action@5c47607acb93fed5485fdbf7232e8a31425f672a # v5.0.2
if: ${{ inputs.enable-codecov-analysis && !cancelled() && !failure() }}
env:
CODECOV_TOKEN: ${{ secrets.codecov-token }}
with:
verbose: true
directory: 'coverage'
- name: Publish to Codacy
env:
CODACY_PROJECT_TOKEN: ${{ secrets.codacy-project-token }}
if: ${{ inputs.enable-codacy-coverage && !cancelled() && !failure() }}
run: bash <(curl -Ls https://coverage.codacy.com/get.sh) report -l TypeScript $(find . -name 'lcov.info' -printf '-r %p ')
- name: Setup Snyk
env:
SNYK_TOKEN: ${{ secrets.snyk-token }}
if: ${{ inputs.enable-snyk-scan && !cancelled() && !failure() }}
run: npm install -g snyk snyk-to-html @wcj/html-to-markdown-cli
- name: Snyk Scan
id: snyk
env:
SNYK_TOKEN: ${{ secrets.snyk-token }}
if: ${{ inputs.enable-snyk-scan && !cancelled() && !failure() }}
run: snyk test --org=release-engineering-N6EoZVZn3jw4qNuVkiG5Qs --all-projects --severity-threshold=high --json-file-output=snyk-test.json
- name: Snyk Code
id: snyk-code
env:
SNYK_TOKEN: ${{ secrets.snyk-token }}
if: ${{ inputs.enable-snyk-scan && !cancelled() && !failure() }}
run: snyk code test --org=release-engineering-N6EoZVZn3jw4qNuVkiG5Qs --severity-threshold=high --json-file-output=snyk-code.json
- name: Publish Snyk Results
if: ${{ inputs.enable-snyk-scan && !cancelled() && !failure() }}
run: |
if [[ -f "snyk-test.json" && -n "$(cat snyk-test.json | tr -d '[:space:]')" ]]; then
snyk-to-html -i snyk-test.json -o snyk-test.html --summary
html-to-markdown snyk-test.html -o snyk
cat snyk/snyk-test.html.md >> $GITHUB_STEP_SUMMARY
fi
- name: Publish Snyk Code Results
if: ${{ inputs.enable-snyk-scan && !cancelled() && !failure() }}
run: |
if [[ -f "snyk-code.json" && -n "$(cat snyk-code.json | tr -d '[:space:]')" ]]; then
snyk-to-html -i snyk-code.json -o snyk-code.html --summary
html-to-markdown snyk-code.html -o snyk
cat snyk/snyk-code.html.md >> $GITHUB_STEP_SUMMARY
fi
- name: Check Snyk Files
if: ${{ always() }}
run: |
echo "::group::Snyk File List"
ls -lah snyk* || true
echo "::endgroup::"
echo "::group::Snyk Test Contents"
cat snyk-test.json || true
echo "::endgroup::"
echo "::group::Snyk Code Contents"
cat snyk-code.json || true
echo "::endgroup::"
- name: Publish Snyk Reports
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: ${{ inputs.enable-snyk-scan && !cancelled() && !failure() }}
with:
name: Snyk Reports
path: |
snyk-*.html
snyk-*.json