feat(CNP-165): Add quality-gate action

.github/dependabot.yml

@@ -39,6 +39,7 @@ updates:
       - /setup-git
       - /setup-msbuild
       - /setup-nuget-sources
+      - /setup-qodana
       - /setup-terraform
       - /slack-notify
       - /sonar-scanner

.scripts/build-modules.js

@@ -1,3 +1,4 @@
+const { existsSync } = require('fs');
 const fs = require('fs-extra');
 const path = require('path');
 const esbuild = require('esbuild');
@@ -41,6 +42,26 @@ const build = async (baseDir) => {
     ],
   });
 
+  if (existsSync(path.join(baseDir, 'src', 'pre.js'))) {
+    await esbuild.build({
+      entryPoints: [`${srcDir}/post.js`],
+      platform: 'node',
+      bundle: true,
+      minify: true,
+      outfile: `${destDir}/post.js`,
+    });
+  }
+
+  if (existsSync(path.join(baseDir, 'src', 'post.js'))) {
+    await esbuild.build({
+      entryPoints: [`${srcDir}/post.js`],
+      platform: 'node',
+      bundle: true,
+      minify: true,
+      outfile: `${destDir}/post.js`,
+    });
+  }
+
   console.timeEnd(`build ${baseDir}`);
 };
 

README.md

@@ -34,6 +34,7 @@ The following actions are available
   * [pact-can-i-deploy](pact-can-i-deploy#readme)
   * [pact-publish](pact-publish#readme)
   * [pact-tag-version](pact-tag-version#readme)
+  * [quality-gate](quality-gate#readme)
   * [repository-dispatch](repository-dispatch#readme)
   * ~~[rs-create-installerpkg](rs-create-installerpkg#readme)~~
   * ~~[rs-permission-converter](rs-permission-converter#readme)~~

quality-gate/README.md

@@ -0,0 +1,78 @@
+# quality-gate
+
+This is a GitHub Action to enforce a quality gate on your software project. This a composite-action that strives to
+provide a vendor-agnostic quality gate feature. Behind the scenes the quality-gate is calculated by an external
+code-scanning vendor.
+
+The goal of this action is to hide implementation details of the active quality-gate provider. It is not a goal to
+support multiple vendors at the same time. When this action is implemented in a pipeline, Extenda Retail should be able
+to change the underlying quality-gate implementation without impacting pipelines.
+
+## Usage
+
+See [action.yml](action.yml).
+
+The quality-gate action behavior can be controlled with the follow commit messages
+
+  * `[init quality]` - Use on first run to initialize a quality baseline
+  * `[rebase quality]` - Rebase the quality baseline, e.g. if baseline issues has been fixed
+  * `[force quality]` - Force a full quality check instead of just checking changed files
+  * `[skip quality]` - Skip the quality gate check
+
+### Secrets
+
+This action can be used either with GCP Secret Manager or with GitHub Action secrets.
+
+If this action is used with GCP Secret Manager it requires a GCP service account key with permission to access
+secret payloads. Once created, the JSON key should be `base64` encoded and added as secret in the GitHub repository.
+
+It is recommended that the service account _only_ has permissions to access secrets. Do not allow modifications or
+access to any other resources in your project.
+
+To use the action with GitHub Actions secrets, set the `QUALITY_GATE_TOKEN` environment variable with the the secret
+value.
+
+### Examples
+
+This example showcases how a `push` based test workflow can include a quality-gate to measure both code quality and
+coverage.
+
+```yaml
+on: push
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-java@v4
+        with:
+          java-version-file: .java-version
+          distribution: temurin
+          cache: maven
+
+      - uses: extenda/actions/maven@v0
+        with:
+          service-account-key: ${{ secrets.SECRET_AUTH }}
+          args: verify
+
+      - name: Quality Gate
+        uses: extenda/actions/quality-gate@v0
+        with:
+          service-account-key: ${{ secrets.SECRET_AUTH }}
+          collection: platform
+```
+
+If GCP Secret Manager isn't in use, pass the `QUALITY_GATE_TOKEN` as an environment variable instead of using
+`service-account-key`.
+
+```yaml
+- name: Quality Gate
+  uses: extenda/actions/quality-gate@v0
+  with:
+    collection: platform
+  env:
+    QUALITY_GATE_TOKEN: ${{ secrets.QUALITY_GATE_TOKEN }}
+```

quality-gate/action.yml

@@ -0,0 +1,97 @@
+name: Quality Gate
+description: Enforce a quality gate on your software project.
+inputs:
+  service-account-key:
+    description: |
+      The service account key which will be used to access CI/CD pipeline secrets and
+      the storage bucket if data management is enabled.
+
+      This must be set unless the `QUALITY_GATE_TOKEN` environment variable is set
+      with the access token for the service provider.
+    default: ''
+  github-token:
+    description: The GitHub Actions token.
+    default: ${{ github.token }}
+  collection:
+    description: |
+      The collection name under which the project will be sorted. This can be a
+      team name or a category. This can be used to organize projects within
+      the quality gate reporting dashboards.
+    required: true
+  storage-bucket:
+    description: |
+      The GCS bucket used to store quality gate data. Set this to a blank string to
+      disable any data management performed by this action.
+    default: quality-gate-data
+runs:
+  using: composite
+  steps:
+    - name: Resolve quality gate access token
+      if: env.QUALITY_GATE_TOKEN == ''
+      uses: extenda/actions/gcp-secret-manager@v0
+      with:
+        service-account-key: ${{ inputs.service-account-key }}
+        secrets: |
+          QUALITY_GATE_TOKEN: qodana-organization-token
+
+    - name: Setup gcloud
+      uses: extenda/actions/setup-gcloud@v0
+      if: inputs.service-account-key != ''
+      with:
+        service-account-key: ${{ inputs.service-account-key }}
+        export-default-credentials: 'true'
+
+    - name: Download quality baseline from GCS
+      if: ${{ inputs.service-account-key != '' && inputs.storage-bucket != '' && !contains(github.event.head_commit.message, '[skip quality]') }}
+      run: |
+        gcloud storage cp \
+          gs://${{ inputs.storage-bucket }}/qodana/${{ github.repository }}/qodana-sarif.json \
+          managed-qodana.sarif.json || true
+      shell: bash
+
+    - name: Setup Qodana
+      uses: extenda/actions/setup-qodana@feat/quality-gate
+      id: setup-qodana
+      with:
+        qodana-token: ${{ env.QUALITY_GATE_TOKEN }}
+        qodana-team: ${{ inputs.collection }}
+        github-token: ${{ inputs.github-token }}
+
+    - name: Scan with Qodana
+      uses: extenda/qodana-action@feat/issue-number-discovery
+      if: ${{ !contains(github.event.head_commit.message, '[skip quality]') }}
+      with:
+        args: ${{ steps.setup-qodana.outputs.args }}
+        github-token: ${{ inputs.github-token }}
+        pr-mode: ${{ steps.setup-qodana.outputs.pr-mode }}
+      env:
+        QODANA_TOKEN: ${{ steps.setup-qodana.outputs.project-token }}
+
+    - name: Init quality gate baseline
+      if: failure() && inputs.service-account-key != '' && inputs.storage-bucket != '' && contains(github.event.head_commit.message, '[init quality]')
+      run: |
+        generated_baseline="${{ runner.temp }}/qodana/results/qodana.sarif.json"
+        gcs_path="gs://${{ inputs.storage-bucket }}/qodana/${{ github.repository }}/qodana-sarif.json"
+        ${{ github.action_path }}/update-qodana-baseline.sh "$generated_baseline" "$gcs_path"
+
+        echo ""
+        echo -e "\033[01;31mQUALITY-GATE BASELINE CREATED - RERUN JOB\033[00m"
+        echo ""
+        echo "The quality-gate baseline has been created."
+        echo "A rerun of this job should now pass the quality-gate check."
+        echo ""
+      shell: bash
+
+    - name: Rebase quality gate baseline
+      if: always() && inputs.service-account-key != '' && inputs.storage-bucket != '' && contains(github.event.head_commit.message, '[rebase quality]')
+      run: |
+        generated_baseline="${{ runner.temp }}/qodana/results/qodana.sarif.json"
+        gcs_path="gs://${{ inputs.storage-bucket }}/qodana/${{ github.repository }}/qodana-sarif.json"
+        ${{ github.action_path }}/update-qodana-baseline.sh "$generated_baseline" "$gcs_path"
+
+        echo ""
+        echo -e "\033[01;31mQUALITY-GATE BASELINE REBASED\033[00m"
+        echo ""
+        echo "The quality-gate baseline has been rebased."
+        echo ""
+      shell: bash

quality-gate/update-qodana-baseline.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env sh
+
+generated_baseline="$1"
+gcs_path="$2"
+
+if [ -f qodana.sarif.json ]; then
+  echo "User-provided qodana.sarif.json exists. Baseline automation disabled."
+  echo "rerun=false" >> "$GITHUB_OUTPUT"
+  exit 0
+fi
+
+if [ -f "$generated_baseline" ]; then
+  gcloud storage cp "$generated_baseline" "$gcs_path"
+  echo "rerun=true" >> "$GITHUB_OUTPUT"
+fi

setup-qodana/README.md

@@ -0,0 +1,26 @@
+# setup-qodana
+
+Setup Qodana for use with the Quality Gate Action. This action will discover qodana arguments and output them for use in
+the [quality-gate](../quality-gate#readme). This action is not meant to be used directly, but rather as a part of the
+quality-gate composite.
+
+This action supports the following
+
+* Project types
+  * TypeScript and JavaScript
+  * JVM Languages (Java, Kotlin)
+  * .NET Core (C#)
+* Qodana Cloud project
+  * Create project and project-token
+* Detect coverage directory
+  * lcov
+  * Jacoco XML
+* Detect `qodana.sarif.json`
+  * Decompress gzipped `qodana.sarif.json.gz` if detected
+* Sanity-check `qodana.yaml`
+  * Generate `qodana.yaml` file if missing
+  * Validate and enforce quality gate metrics
+    * Fresh code
+    * Issue count
+* Push `qodana.yaml` and `qodana.sarif.json` to auto-configure Qodana on first run in a branch that isn't the default
+  branch. The baseline will only be included if the quality gate failed.

setup-qodana/action.yml

@@ -0,0 +1,32 @@
+name: Setup Qodana
+description: Setup and configure Qodana for use as a Quality Gate.
+inputs:
+  qodana-token:
+    description: The Qodana organization access token.
+    required: true
+  qodana-team:
+    description: The Qodana team name used to organize projects.
+    required: true
+  project-directory:
+    description: Root directory of the project (default '.')
+    default: '.'
+  github-token:
+    description: The GitHub Actions token.
+    default: ${{ github.token }}
+outputs:
+  baseline:
+    description: The baseline.sarif.json file.
+  coverage-dir:
+    description: The directory containing coverage reports.
+  args:
+    description: The comma-separated arguments to pass to the qodana action.
+  project-token:
+    description: The qodana project token.
+  pr-mode:
+    description: Indicates if Qodana should run in pull request mode and do a diff-analysis.
+  update-baseline:
+    description: Indicates that the qodana.sarif.json baseline should updated after the run.
+runs:
+  using: node20
+  main: dist/index.js
+#  post: dist/post.js