Run Sonar scan for PRs from forks

Question

I am trying to set up a GitHub Actions workflow that runs Sonar analysis for each PR. I have one job that runs unit tests and uploads the test reports. A second job then downloads the reports and runs the analysis. This works fine for my PRs. But workflows triggered by PRs from forked repos do not have access to secrets, so Sonar is not working there.

I tried to solve this by splitting the workflow in two, where the Sonar part is triggered by workflow_run of the PR. The problem is that no matter what I do, Sonar ignores the test coverage reports and marks the PR with "No Coverage information".

Here is the workflow definition I am using:

on:
  workflow_run:
    workflows:
      - Pull request verification
    types:
      - completed
env:
  JAVA_DISTRIBUTION: 'temurin'
  JAVA_VERSION: '17'

jobs:
  pr_sonar_analysis:
    name: PR sonar analysis
    runs-on: ubuntu-latest
    container:
      image: fedora:38
    steps:
      - name: Install dependencies
        shell: bash
        run: dnf --setopt install_weak_deps=False install -y gettext jss unzip tree git

      - name: Check out repository
        uses: actions/checkout@v3

      - name: Download test reports
        uses: actions/github-script@v6
        with:
          script: |
            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
               owner: context.repo.owner,
               repo: context.repo.repo,
               run_id: context.payload.workflow_run.id,
            });
            let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
              return artifact.name == "unit_test_reports"
            })[0];
            let download = await github.rest.actions.downloadArtifact({
               owner: context.repo.owner,
               repo: context.repo.repo,
               artifact_id: matchArtifact.id,
               archive_format: 'zip',
            });
            let fs = require('fs');
            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/unit_test_reports.zip`, Buffer.from(download.data));            

      - name: 'Unzip artifact'
        run: unzip unit_test_reports.zip

      - name: Set up Java
        uses: actions/setup-java@v3
        with:
          distribution: ${{ env.JAVA_DISTRIBUTION }}
          java-version: ${{ env.JAVA_VERSION }}

      - name: Run sonar
        uses: gradle/gradle-build-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          arguments: sonar -x coverage
            -Dsonar.scm.provider=git
            -Dsonar.pullrequest.key=${{ github.event.workflow_run.pull_requests[0].number }}
            -Dsonar.pullrequest.base=${{ github.event.workflow_run.pull_requests[0].base.ref }}
            -Dsonar.pullrequest.branch=${{ github.event.workflow_run.pull_requests[0].head.ref }}
            -Dorg.gradle.jvmargs=-Xmx1g

I tried:

  • Uploading just the coverage report
  • Uploading just jacoco.exec and generating report in sonar job
  • Uploading everything in build folder
  • Redefining paths where jacoco generates reports and from where sonar reads them
  • Running both unit tests and Sonar in workflow_run. Even in this case Sonar reports "No Coverage information".

Is there something to force sonar to use the coverage I am providing?

Answer 1

Score: 0

The workflow was checking out the wrong branch. After switching branches, the workflow works as expected.

- name: Check out repository
  uses: actions/checkout@v3
  with:
    repository: ${{ github.event.workflow_run.head_repository.full_name }}
    # checkout commit that triggered this workflow
    ref: ${{ github.event.workflow_run.pull_requests[0].head.ref }}
    fetch-depth: 0
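Added example, not code from the original question or answer: two helpers for the github-script step in the question, selecting the "unit_test_reports" artifact and deriving the sonar.pullrequest.* properties from the workflow_run payload the answer also relies on, and failing loudly when the artifact is missing, the triggering run did not succeed, or pull_requests is empty (cases the posted script would pass through as undefined). The sample payload and artifact list are constructed.

```javascript
// Added example, not code from the original post. Assumes the payload shape of a
// GitHub `workflow_run` event and the artifact objects returned by
// actions.listWorkflowRunArtifacts; the sample data at the bottom is constructed.

// Pick the named artifact, preferring the newest if the run uploaded several.
// Throws instead of returning undefined, so a missing upload fails the job with a
// clear message rather than a TypeError on `matchArtifact.id`.
function selectArtifact(artifacts, name) {
  const matches = artifacts
    .filter((a) => a.name === name && !a.expired)
    .sort((a, b) => new Date(b.created_at) - new Date(a.created_at));
  if (matches.length === 0) {
    throw new Error(`no artifact named "${name}" on the triggering run`);
  }
  return matches[0];
}

// Build the -Dsonar.pullrequest.* arguments from the workflow_run payload.
// Refuses runs that did not succeed or carry no pull request, because
// `pull_requests[0]` would otherwise be undefined and the scan would start
// with empty PR properties (and a secrets-bearing job would run for nothing).
function sonarPullRequestArgs(workflowRun) {
  if (workflowRun.conclusion !== 'success') {
    throw new Error(`triggering run concluded with "${workflowRun.conclusion}"`);
  }
  const pr = (workflowRun.pull_requests || [])[0];
  if (!pr) {
    throw new Error('triggering run is not associated with a pull request');
  }
  return [
    `-Dsonar.pullrequest.key=${pr.number}`,
    `-Dsonar.pullrequest.base=${pr.base.ref}`,
    `-Dsonar.pullrequest.branch=${pr.head.ref}`,
  ];
}

// Constructed sample data shaped like github.event.workflow_run and the artifact list.
const sampleRun = {
  conclusion: 'success',
  pull_requests: [{ number: 42, base: { ref: 'main' }, head: { ref: 'feature/x' } }],
};
const sampleArtifacts = [
  { id: 1, name: 'unit_test_reports', expired: false, created_at: '2023-06-22T10:00:00Z' },
  { id: 2, name: 'build_logs', expired: false, created_at: '2023-06-22T10:01:00Z' },
  { id: 3, name: 'unit_test_reports', expired: false, created_at: '2023-06-22T10:02:00Z' },
];

console.log(selectArtifact(sampleArtifacts, 'unit_test_reports').id,
  sonarPullRequestArgs(sampleRun).join(' '));
```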

huangapple
  • Posted on 2023-06-22 13:32:52
  • Reposts must keep this link: https://go.coder-hub.com/76528833.html