language-specific sonar files, sonar scanner updated for akeyless secret, UDF fields on main pull request

Author: brianLoomis

.github/workflows/blackduck-polaris.yml

@@ -4,6 +4,10 @@
 # 
 # from https://documentation.blackduck.com/bundle/bridge/page/documentation/t_github-polaris-quickstart.html
 # parameters @ https://documentation.blackduck.com/bundle/bridge/page/documentation/c_github-polaris.html
+#
+# internal confluence https://progresssoftware.atlassian.net/wiki/spaces/TCE/pages/1010336076/Polaris#Examples
+# TODO: update internal page with final action
+# chehf-vault at https://polaris.blackduck.com/portfolio/portfolios/8b7ad6f7-6dcb-49ec-bded-bfc4f190d4f8/portfolio-items/fe369baf-11d2-4989-bcb7-045577856dcc/projects/2460eabd-d033-48a1-a378-6cadd49be6d1/tests/sast?branchId=a6d2c02a-05f8-4557-bfa1-c40e9337ee5d
 name: Blackduck Polaris scan
 
 on:

.github/workflows/ci-main-pull-request.yml

@@ -22,11 +22,6 @@ name: CI flow containing PR checks for main & release, v2
 on:
   workflow_call:
     inputs:
-      language:
-        description: 'Primary language in the repository, for language-specific checks'
-        required: false
-        type: string
-        default: 'Go'
       visibility:
         description: 'Visibility of the repository'
         required: false
@@ -67,6 +62,11 @@ on:
         required: false
         type: boolean
         default: true
+      language:
+        description: 'Primary language in the repository, for language-specific 3rd party dep checks, builds, and unit testing'
+        required: false
+        type: string
+        default: 'Go' # (Go, Ruby, Rust)
       unit-tests:
         description: 'Run unit tests (language-specific)'
         required: false
@@ -77,6 +77,51 @@ on:
         required: false
         type: boolean
         default: true
+      perform-sonar-build: 
+        description: 'Perform the build (in specified language and profile)'
+        required: false
+        type: boolean
+        default: true
+      build-profile: 
+        description: 'Build profile for SonarQube - application specific path'
+        required: false
+        type: string
+        default: 'default'
+      report-unit-test-coverage: 
+        description: 'Perform unit tests and report coverage to SonarQube'
+        required: false
+        type: boolean
+        default: true
+      report-to-atlassian-dashboard: 
+        description: 'Report Sonar test coverage and other metrics to Atlassian dashboard (Irfan's QA dashboard)'
+        required: false
+        type: boolean
+        default: true     
+      quality-product-name:
+        description: 'Product name for quality reporting (Chef360, Courier, Inspec)'
+        required: false
+        type: string
+        default: 'Chef360'
+      quality-sonar-app-name:
+        description: 'Sonar application name for quality reporting'
+        required: false
+        type: string
+        default: 'YourSonarAppName'
+      quality-testing-type:
+        description: 'Testing type for quality reporting (Unit, Integration, e2e, api, Performance, Security)'
+        required: false
+        type: string
+        default: 'Integration'
+      quality-service-name:
+        description: 'Service or repository name for quality reporting'
+        required: false
+        type: string
+        default: 'YourServiceOrRepoName'
+      quality-junit-report:
+        description: 'Path to JUnit report for quality reporting'
+        required: false
+        type: string
+        default: 'path/to/junit/report'
       perform-blackduck-coverity:
         description: 'Perform BlackDuck coverity scan'
         required: false
@@ -92,6 +137,26 @@ on:
         required: false
         type: boolean
         default: true
+      go-private-modules:
+        description: 'GOPRIVATE for Go private modules'
+        required: false
+        type: string
+        default: 'github.com/progress-platform-services/*'
+      udf1:
+        description: 'User defined flag 1'
+        required: false
+        type: string
+        default: 'default'
+      udf2:
+        description: 'User defined flag 2'
+        required: false
+        type: string
+        default: 'default'
+      udf3:
+        description: 'User defined flag 3'
+        required: false
+        type: string
+        default: 'default'
 
 env:
   REPO_VISIBILITY: ${{ github.event.repository.visibility }}

.github/workflows/sbom.yml

@@ -125,6 +125,7 @@ jobs:
 
 # example project https://progresssoftware.app.blackduck.com/api/risk-profile-dashboard?limit=25&offset=0
 # server URL https://progresssoftware.app.blackduck.com/api/projects/c7954ee4-348d-4c2f-b259-d577e1df40dc
+# and https://progresssoftware.app.blackduck.com/api/risk-profile-dashboard?limit=25&offset=0
 #
 # Blackduck SBOM is at SERVER: https://progresssoftware.app.blackduck.com/ - org variable!
 # API token in repo - https://github.com/chef/chef-vault/settings/secrets/actions

.github/workflows/sonarqube-internal-repo.yml

@@ -3,55 +3,135 @@ name: SonarQube scan for internal repositories
 # configuration @ https://github.com/marketplace/actions/official-sonarqube-scan
 # TODO: replace existing sonarqube.yml in PPS repos (like https://github.com/progress-platform-services/chef-node-enrollment-api/blob/main/.github/workflows/sonarqube.yml)
 # TODO: remove from PPS code gen, just use the stub
+# TODO: add version to each pipeline stage
 
 on:
   workflow_call:
-    
+    # all secrets are inherited from the calling workflow, typically SONAR_TOKEN, SONAR_HOST_URL, GH_TOKEN
+    inputs:
+      perform-build: 
+        required: false
+        type: boolean
+      build-profile:  # TODO: implmenet this flag - chef360 container build flags, etc
+        required: false
+        type: string
+      language: 
+        required: false
+        type: string
+      report-unit-test-coverage: 
+        required: false
+        type: boolean
+      report-to-atlassian-dashboard: 
+        required: false
+        type: boolean
+      quality-product-name:
+        required: false
+        type: string
+      quality-sonar-app-name:
+        required: false
+        type: string
+      quality-testing-type:
+        required: false
+        type: string
+      quality-service-name:
+        required: false
+        type: string
+      quality-junit-report:
+        required: false
+        type: string
+      visibility: # TODO: simplify the sonar step by bringing in the other variants (private, public, internal) from the calling workflow
+        required: false
+        type: string
+      go-private-modules:
+        required: false
+        type: string
+      udf1:
+        required: false
+        type: string
+      udf2:
+        required: false
+        type: string
+      udf3:
+        required: false
+        type: string
+      
 jobs:
-  # echo-inputs:
-  #   name: 'Echo inputs'
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #   - name: Echo inputs
-  #     run: |
-  #       echo "Sonarqube scan for INTERNAL repositories, running on ubuntu-latest-4-cores runner"
-  #       echo "Sonar host URL ${{ secrets.SONAR_HOST_URL}}"
-  # #       echo "Skip unit tests set to ${{ inputs.skip-unit-tests }}"
-  
+  echo-inputs:
+    name: 'Echo inputs'
+    runs-on: ubuntu-latest
+    steps:
+    - name: Echo inputs
+      run: |
+        echo "Sonarqube scan for INTERNAL repositories, running on ubuntu-latest-4-cores runner"
+        echo "Perform build set to ${{ inputs.perform-build }}"
+        echo "Build profile set to ${{ inputs.build-profile }}"
+        echo "Language set to ${{ inputs.language }} "
+        echo "Visibility set to ${{ inputs.visibility }} [ ${{ github.event.repository.visibility }} ]"
+        echo "Perform unit test coverage set to ${{ inputs.report-unit-test-coverage }}"
+        echo "Report to Atlassian dashboard set to ${{ inputs.report-to-atlassian-dashboard }}"
+        echo "Quality product name set to ${{ inputs.quality-product-name }}" 
+        echo "Quality sonar application name set to ${{ inputs.quality-sonar-app-name }}"
+        echo "Quality testing type set to ${{ inputs.quality-testing-type }}"
+        echo "Quality service name set to ${{ inputs.quality-service-name }}"
+        echo "Quality JUnit report set to ${{ inputs.quality-junit-report }}"
+        echo "Go private modules set to ${{ inputs.go-private-modules }}"
+      
   SonarQube:
     runs-on: ubuntu-latest-4-cores
     steps:
-    # unit-tests:
-  #   runs-on: ubuntu-latest
-  #   if: ${{ inputs.skip-unit-tests == false }}
-  #   steps:
-  #   - name: Run unit tests
-  #     run: | 
-  #       echo "Running unit tests..."
-    - uses: actions/checkout@v4
+    - name: checkout
+      if: ${{ inputs.perform-build == true && inputs.visibility == 'internal' }}
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0
 
     - name: Set up Go
-      uses: actions/setup-go@v4
+      if: ${{ inputs.perform-build == true && inputs.language == 'Go' && inputs.visibility == 'internal' }}
+      uses: actions/setup-go@v5
       with:
-        go-version: 1.24.2
-        check-latest: true
-   
+        go-version: 'stable'
+#        go-version: 1.24.2
+#        check-latest: true
+
     - name: Configure git for private modules
+      if: ${{ inputs.perform-build == true && inputs.visibility == 'internal' }}
       env:
-        GOPRIVATE: github.com/progress-platform-services/*
+        GOPRIVATE: ${{ inputs.go-private-modules }}   # github.com/progress-platform-services/*
       run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
 
-    - name: Generate coverage files
-      run: go test -v -coverprofile="coverage.out" ./... 
-    - name: Copy file
-      run: mkdir -p test/coverage; cp coverage.out test/coverage/coverage.out          
+    - name: Generate unit test coverage files
+      if: ${{ inputs.perform-build == true && inputs.report-unit-test-coverage == true && inputs.language == 'Go' && inputs.visibility == 'internal'}}
+      run: |
+        go test -v -coverprofile="coverage.out" ./... 
+        mkdir -p test/coverage
+        cp coverage.out test/coverage/coverage.out          
 
     - name: SonarQube Scan
+      if: ${{ inputs.perform-build == true && inputs.report-unit-test-coverage == true && inputs.visibility == 'internal' }}
       uses: sonarsource/sonarqube-scan-action@v5.1.0
       # was uses: sonarsource/sonarqube-scan-action@master
       continue-on-error: true
       env:
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}    
+        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}    
+
+#TODO: Test adding Irfan's quality reporting stage inline here after sonar run (https://github.com/Progress-I360/github-action-reporting)
+# PRODUCT_NAME = [Chef360 | Courier | Inspec]
+    - name: Run SonarQube report generation
+      if: ${{ inputs.report-to-atlassian-dashboard == true && inputs.visibility == 'internal' }}
+      uses: Progress-I360/github-action-reporting/sonarqube@main
+      with:
+        PRODUCT_NAME: ${{ inputs.quality-product-name }}
+        SONAR_APP_NAME: ${{ inputs.quality-sonar-app-name }}
+        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+# TESTING_TYPE = [Unit | Integration | e2e | api | Performance | Security]
+# ENVIRONMENT = [DEV | STAGE | PROD] (optional)
+    - name: Run report generation
+      if: ${{ inputs.report-to-atlassian-dashboard == true && inputs.report-unit-test-coverage == true && inputs.visibility == 'internal' }}
+      uses: Progress-I360/github-action-reporting/automation@main
+      with:
+        PRODUCT_NAME: ${{ inputs.quality-product-name }}
+        TESTING_TYPE: ${{ inputs.quality-testing-type }}
+        SERVICE_NAME: ${{ inputs.quality-service-name }}
+        JUNIT_REPORT: ${{ inputs.quality-junit-report }}

.github/workflows/sonarqube-private-repo.yml

@@ -4,24 +4,85 @@ name: SonarQube scan for private repositories
 
 on:
   workflow_call:
-    
+    # all secrets are inherited from the calling workflow, typically SONAR_TOKEN, SONAR_HOST_URL
+    inputs:
+      perform-build: 
+        required: false
+        type: boolean
+      build-profile:  # TODO: implmenet this flag - chef360 container build flags, etc
+        required: false
+        type: string
+      language: 
+        required: false
+        type: string
+      report-unit-test-coverage: 
+        required: false
+        type: boolean
+      report-to-atlassian-dashboard: 
+        required: false
+        type: boolean
+      quality-product-name:
+        required: false
+        type: string
+      quality-sonar-app-name:
+        required: false
+        type: string
+      quality-testing-type:
+        required: false
+        type: string
+      quality-service-name:
+        required: false
+        type: string
+      quality-junit-report:
+        required: false
+        type: string
+      visibility: # TODO: simplify the sonar step by bringing in the other variants (private, public, internal) from the calling workflow
+        required: false
+        type: string
+      go-private-modules:
+        required: false
+        type: string
+      udf1:
+        required: false
+        type: string
+      udf2:
+        required: false
+        type: string
+      udf3:
+        required: false
+        type: string
+
 jobs:
-  # echo-inputs:
-  #   name: 'Echo inputs'
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #   - name: Echo inputs
-  #     run: |
-  #       echo "Sonarqube scan for PRIVATE repositories, running on ubuntu-latest-4-cores runner"
-  #       echo "Sonar host URL ${{ secrets.SONAR_HOST_URL}}"
-              
+  echo-inputs:
+    name: 'Echo inputs'
+    runs-on: ubuntu-latest
+    steps:
+    - name: Echo inputs
+      run: |
+        echo "Sonarqube scan for PRIVATE repositories, running on ubuntu-latest-4-cores runner"
+        echo "Perform build set to ${{ inputs.perform-build }}"
+        echo "Build profile set to ${{ inputs.build-profile }}"
+        echo "Language set to ${{ inputs.language }} "
+        echo "Visibility set to ${{ inputs.visibility }} [ ${{ github.event.repository.visibility }} ]"
+        echo "Perform unit test coverage set to ${{ inputs.report-unit-test-coverage }}"
+        echo "Report to Atlassian dashboard set to ${{ inputs.report-to-atlassian-dashboard }}"
+        echo "Quality product name set to ${{ inputs.quality-product-name }}" 
+        echo "Quality sonar application name set to ${{ inputs.quality-sonar-app-name }}"
+        echo "Quality testing type set to ${{ inputs.quality-testing-type }}"
+        echo "Quality service name set to ${{ inputs.quality-service-name }}"
+        echo "Quality JUnit report set to ${{ inputs.quality-junit-report }}"
+        echo "Go private modules set to ${{ inputs.go-private-modules }}" 
+      
   SonarQube:
     runs-on: ubuntu-latest-4-cores
     steps:
-    - uses: actions/checkout@v4
+    - name:
+      if: ${{ inputs.visibility == 'private' }}
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0
     - name: SonarQube Scan
+      if: ${{ inputs.visibility == 'private' }}
       uses: sonarsource/sonarqube-scan-action@v5.1.0
       continue-on-error: true
       env: