diff --git a/.github/workflows/sonar.yaml b/.github/workflows/sonar.yaml index b4b3e4e926..6bc5c8e721 100644 --- a/.github/workflows/sonar.yaml +++ b/.github/workflows/sonar.yaml @@ -1,113 +1,119 @@ -# This workflow is used to perform static code analysis on a gradle build - -name: "Sonar Scanner" - -on: - workflow_call: - secrets: - CDC_NBS_SANDBOX_SHARED_SERVICES_ACCOUNTID: - description: "Secret named CDC_NBS_SANDBOX_SHARED_SERVICES_ACCOUNTID where ECR resides." - required: true - PASSED_GITHUB_TOKEN: - description: "Secret named GITHUB_TOKEN that references the github token for this repository." - required: true - SONAR_TOKEN: - description: "Secret named SONAR_TOKEN that references the sonar token secret corresponding to the project in sonarcloud." - required: true - DATABASE_USER: - description: "Secret named DATABASE_USER that references the test database container default username" - required: true - DATABASE_PASSWORD: - description: "Secret named DATABASE_PASSWORD that references the test database container default password" - required: true - TOKEN_SECRET: - description: "Secret named TOKEN_SECRET that references a default JWT token key" - required: true - PARAMETER_SECRET: - description: "Secret named PARAMETER_SECRET that references a default key for encrypting search parameters" - required: true - pull_request: - paths: - - "apps/**" - - "!apps/modernization-ui/**" - - "libs/**" - - "build.gradle" - - "settings.gradle" - - "gradle/**" - - ".github/workflows/sonar.yaml" -env: - deployment_env: dev - accountid: ${{secrets.CDC_NBS_SANDBOX_SHARED_SERVICES_ACCOUNTID}} - passed_github_token: ${{secrets.PASSED_GITHUB_TOKEN}} - sonar_token: ${{secrets.SONAR_TOKEN}} - test_database_user: ${{secrets.DATABASE_USER}} - test_database_password: ${{secrets.DATABASE_PASSWORD}} - token_secret: ${{secrets.TOKEN_SECRET}} - parameter_secret: ${{secrets.PARAMETER_SECRET}} - -jobs: - pipeline: - name: Build and analyze - runs-on: ubuntu-latest - - permissions: - id-token: write - contents: read - - steps: - - uses: actions/checkout@v2 - with: - fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - - - name: Set up JDK 21 - uses: actions/setup-java@v4 - with: - distribution: "temurin" - java-version: "21" - - - name: Cache Gradle packages - uses: actions/cache@v4 - with: - path: ~/.gradle/caches - key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }} - restore-keys: ${{ runner.os }}-gradle - - - name: Configure Environment Variables - run: | - github_repo_name="$(echo $GITHUB_REPOSITORY | cut -d'/' -f2)" - echo "github_repo_name=$github_repo_name" >> $GITHUB_ENV - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - role-to-assume: "arn:aws:iam::${{ env.accountid }}:role/cdc-github-${{ env.github_repo_name }}-${{ env.deployment_env }}-role" - aws-region: us-east-1 - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 - - - name: Login to ECR docker registry - uses: docker/login-action@v2 - with: - registry: ${{ env.accountid }}.dkr.ecr.us-east-1.amazonaws.com - - - name: Build and analyze - working-directory: ./ - env: - GITHUB_TOKEN: ${{ env.passed_github_token }} # Needed to get PR information, if any - SONAR_TOKEN: ${{ env.sonar_token }} - DATABASE_USER: ${{env.test_database_user}} - DATABASE_PASSWORD: ${{ env.test_database_password }} - TOKEN_SECRET: ${{ env.token_secret }} - PARAMETER_SECRET: ${{ env.parameter_secret }} - run: ./gradlew clean build codeCoverageReport sonar -Dtesting.database.image=${{ env.accountid }}.dkr.ecr.us-east-1.amazonaws.com/cdc-nbs-modernization/modernization-test-db:6.0.17.1 - - - name: Zip test report - run: zip -r test-report.zip ./build/reports/* - - - name: Publish Testing Reports - uses: actions/upload-artifact@v4 - with: - name: testing - path: ./test-report.zip +# This workflow is used to perform static code analysis on a gradle build + +name: "Sonar Scanner" + +on: + workflow_call: + secrets: + NBS_ACCOUNTID: + description: "Secret named NBS_ACCOUNTID where ECR resides." + required: true + PASSED_GITHUB_TOKEN: + description: "Secret named GITHUB_TOKEN that references the github token for this repository." + required: true + SONAR_TOKEN: + description: "Secret named SONAR_TOKEN that references the sonar token secret corresponding to the project in sonarcloud." + required: true + DATABASE_USER: + description: "Secret named DATABASE_USER that references the test database container default username" + required: true + DATABASE_PASSWORD: + description: "Secret named DATABASE_PASSWORD that references the test database container default password" + required: true + TOKEN_SECRET: + description: "Secret named TOKEN_SECRET that references a default JWT token key" + required: true + PARAMETER_SECRET: + description: "Secret named PARAMETER_SECRET that references a default key for encrypting search parameters" + required: true + pull_request: + paths: + - "apps/**" + - "!apps/modernization-ui/**" + - "libs/**" + - "build.gradle" + - "settings.gradle" + - "gradle/**" + - ".github/workflows/sonar.yaml" +env: + deployment_env: dev + accountid: ${{secrets.NBS_ACCOUNTID}} + passed_github_token: ${{secrets.PASSED_GITHUB_TOKEN}} + sonar_token: ${{secrets.SONAR_TOKEN}} + test_database_user: ${{secrets.DATABASE_USER}} + test_database_password: ${{secrets.DATABASE_PASSWORD}} + token_secret: ${{secrets.TOKEN_SECRET}} + parameter_secret: ${{secrets.PARAMETER_SECRET}} + +jobs: + pipeline: + name: Build and analyze + runs-on: ubuntu-latest + + permissions: + id-token: write + contents: read + + steps: + - uses: actions/checkout@v2 + with: + fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis + + - name: Set up JDK 21 + uses: actions/setup-java@v4 + with: + distribution: "temurin" + java-version: "21" + + - name: Cache Gradle packages + uses: actions/cache@v4 + with: + path: ~/.gradle/caches + key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }} + restore-keys: ${{ runner.os }}-gradle + + - name: Configure Environment Variables + run: | + github_repo_name="$(echo $GITHUB_REPOSITORY | cut -d'/' -f2)" + echo "github_repo_name=$github_repo_name" >> $GITHUB_ENV + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: "arn:aws:iam::${{ env.accountid }}:role/github-actions-nbs-deployment-role" + aws-region: us-east-2 + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + + - name: Login to ECR docker registry + uses: docker/login-action@v2 + with: + registry: ${{ env.accountid }}.dkr.ecr.us-east-2.amazonaws.com + + - name: Build Test Database Container + working-directory: ./cdc-sandbox/db + run: | + docker build -t modernization-test-db:local . + echo "Built test database container from cdc-sandbox/db" + + - name: Build and analyze + working-directory: ./ + env: + GITHUB_TOKEN: ${{ env.passed_github_token }} # Needed to get PR information, if any + SONAR_TOKEN: ${{ env.sonar_token }} + DATABASE_USER: ${{env.test_database_user}} + DATABASE_PASSWORD: ${{ env.test_database_password }} + TOKEN_SECRET: ${{ env.token_secret }} + PARAMETER_SECRET: ${{ env.parameter_secret }} + run: ./gradlew clean build codeCoverageReport sonar -Dtesting.database.image=modernization-test-db:local + + - name: Zip test report + run: zip -r test-report.zip ./build/reports/* + + - name: Publish Testing Reports + uses: actions/upload-artifact@v4 + with: + name: testing + path: ./test-report.zip