chore: sync with microG unofficial installer #108

Workflow file for this run

.github/workflows/code-scan.yml at 0dc0564

	---
	# SPDX-FileCopyrightText: NONE
	# SPDX-License-Identifier: CC0-1.0

	name: "Code scan"
	permissions: {}
	on:
	push:
	paths:
	- "**"
	branches:
	- "main"
	schedule:
	# At 12:00 AM, every 31 days, only in January (UTC)
	- cron: "0 0 /31 1 "

	jobs:
	pre-requisites:
	name: "Pre-requisites"
	runs-on: ubuntu-latest
	timeout-minutes: 10
	if: "${{ github.event_name == 'push' }}"
	outputs:
	dependency-graph-enabled: "${{ steps.dependency-graph.outputs.result }}"
	codacy-token-set: "${{ steps.check-tokens.outputs.CODACY_TOKEN_SET }}"
	sonar-token-set: "${{ steps.check-tokens.outputs.SONAR_TOKEN_SET }}"

	steps:
	- name: "Verify tokens"
	id: check-tokens
	shell: bash
	env:
	CODACY_TOKEN: "${{ secrets.CODACY_PROJECT_TOKEN }}"
	SONAR_TOKEN: "${{ secrets.SONAR_TOKEN }}"
	run: \|
	# Verifying tokens...
	# Codacy
	if test -n "${CODACY_TOKEN?}"; then token_set='true'; else token_set='false'; fi
	printf 'CODACY_TOKEN_SET=%s\n' "${token_set:?}" 1>> "${GITHUB_OUTPUT?}"
	# SonarQube
	if test -n "${SONAR_TOKEN?}"; then token_set='true'; else token_set='false'; fi
	printf 'SONAR_TOKEN_SET=%s\n' "${token_set:?}" 1>> "${GITHUB_OUTPUT?}"
	- name: "Verify the dependency graph"
	id: dependency-graph
	uses: actions/github-script@v8
	timeout-minutes: 5
	with:
	retries: 3
	script: \|
	/* jshint esversion: 6 */
	const response = await github.rest.dependencyGraph.exportSbom({
	owner: context.repo.owner,
	repo: context.repo.repo,
	}).catch(response => response);
	if(response && response.status === 200) {
	console.log('The dependency graph is enabled.');
	return true;
	} else if(response && response.status === 404) {
	console.error('::error::The dependency graph is disabled.');
	} else {
	let errorMsg = 'exportSbom failed';
	if(response && response.status && response.message) errorMsg += ' with error ' + response.status + ' (' + response.message + ')';
	throw new Error(errorMsg);
	}
	return false;

	dependency-submission:
	name: "Dependency submission"
	needs: [pre-requisites]
	runs-on: ubuntu-latest
	timeout-minutes: 10
	if: "${{ github.event_name == 'push' && needs.pre-requisites.outputs.dependency-graph-enabled == 'true' }}"
	permissions:
	contents: write

	steps:
	- name: "Checkout sources"
	uses: actions/checkout@v5
	- name: "Setup Java"
	uses: actions/setup-java@v5
	with:
	distribution: "temurin"
	java-version-file: ".tool-versions"
	- name: "Generate and submit dependency graph"
	uses: gradle/actions/dependency-submission@v4
	with:
	cache-read-only: true
	dependency-graph: "generate-and-submit"
	validate-wrappers: true

	codacy:
	name: "Codacy"
	needs: [pre-requisites]
	runs-on: ubuntu-latest
	timeout-minutes: 20
	if: "${{ github.event_name == 'push' && needs.pre-requisites.outputs.codacy-token-set == 'true' }}"
	concurrency:
	group: "${{ github.repository_id }}-${{ github.workflow }}-codacy"
	cancel-in-progress: false
	permissions:
	security-events: write

	steps:
	- name: "Checkout sources"
	uses: actions/checkout@v5
	- name: "Codacy analysis"
	uses: codacy/codacy-analysis-cli-action@v4
	timeout-minutes: 10
	with:
	project-token: "${{ secrets.CODACY_PROJECT_TOKEN }}"
	#verbose: true
	output: "results.sarif"
	format: "sarif"
	# Adjust severity of non-security issues
	gh-code-scanning-compat: true
	# Force 0 exit code to allow SARIF file generation
	# This will hand over control about PR rejection to the GitHub side
	max-allowed-issues: 2147483647
	upload: false
	- name: "Combine multiple SARIF runs"
	shell: bash
	run: \|
	jq '.runs \|= unique_by({tool, invocations, results})' 0< './results.sarif' 1> './results-combined.sarif'
	- name: "Upload SARIF results file"
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: "results-combined.sarif"
	category: "Codacy"

	sonarqube:
	name: "SonarQube"
	needs: [pre-requisites]
	runs-on: ubuntu-latest
	timeout-minutes: 20
	if: "${{ github.event_name == 'push' && needs.pre-requisites.outputs.sonar-token-set == 'true' }}"

	steps:
	- name: "Checkout sources"
	uses: actions/checkout@v5
	with:
	fetch-depth: "0" # Shallow clones should be disabled for a better relevancy of analysis
	- name: "SonarQube scan"
	uses: SonarSource/sonarqube-scan-action@v6
	timeout-minutes: 10
	env:
	SONAR_TOKEN: "${{ secrets.SONAR_TOKEN }}"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

chore: sync with microG unofficial installer #108

Workflow file

chore: sync with microG unofficial installer #108

Uh oh!

Workflow file for this run