Prepare v0.7.5 release #186
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Codacy SARIF | |
| on: | |
| push: | |
| branches: | |
| - master | |
| pull_request: | |
| branches: | |
| - master | |
| schedule: | |
| - cron: "17 3 * * 1" | |
| workflow_dispatch: | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| env: | |
| CODACY_ANALYSIS_CLI_VERSION: "0.9.0" | |
| CODACY_CLOUD_CLI_VERSION: "1.2.0" | |
| NPM_CONFIG_REGISTRY: "https://registry.npmjs.org" | |
| jobs: | |
| codacy-sarif: | |
| name: Generate and upload Codacy SARIF | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 60 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: "26" | |
| - name: Generate Codacy SARIF | |
| id: analyze | |
| shell: bash | |
| env: | |
| CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }} | |
| run: | | |
| set -euo pipefail | |
| mkdir -p .local/codacy "${RUNNER_TEMP}/codacy-home" "${RUNNER_TEMP}/npm-cache" | |
| export HOME="${RUNNER_TEMP}/codacy-home" | |
| export npm_config_cache="${RUNNER_TEMP}/npm-cache" | |
| if [ -f .codacy/codacy.config.json ]; then | |
| echo "Using committed Codacy configuration." | |
| echo "codacy_enforce=true" >> "${GITHUB_OUTPUT}" | |
| elif [ -n "${CODACY_API_TOKEN:-}" ]; then | |
| npm exec --yes --package "@codacy/analysis-cli@${CODACY_ANALYSIS_CLI_VERSION}" -- \ | |
| codacy-analysis init --remote gh netdata systemd-journal-sdk | |
| echo "codacy_enforce=true" >> "${GITHUB_OUTPUT}" | |
| else | |
| echo "No tuned Codacy configuration is available in this workflow." | |
| echo "Uploading an empty Codacy SARIF closeout for old local default-config alerts." | |
| echo "codacy_enforce=false" >> "${GITHUB_OUTPUT}" | |
| python3 tests/code_scanning/write_empty_codacy_sarif.py \ | |
| .local/codacy/codacy-analysis.sarif | |
| echo "codacy_status=0" >> "${GITHUB_OUTPUT}" | |
| { | |
| echo "## Codacy Analysis CLI" | |
| echo | |
| echo "Skipped local default analysis because no tuned Codacy configuration is available." | |
| echo "Uploaded an empty closeout SARIF for stale default-config alerts." | |
| } >> "${GITHUB_STEP_SUMMARY}" | |
| exit 0 | |
| fi | |
| set +e | |
| npm exec --yes --package "@codacy/analysis-cli@${CODACY_ANALYSIS_CLI_VERSION}" -- \ | |
| codacy-analysis analyze . \ | |
| --install-dependencies \ | |
| --tool Bandit \ | |
| --tool ESLint9 \ | |
| --tool flawfinder \ | |
| --tool markdownlint \ | |
| --tool PyLintPython3 \ | |
| --tool shellcheck \ | |
| --output-format sarif \ | |
| --output .local/codacy/codacy-analysis.sarif \ | |
| --parallel-tools 4 | |
| codacy_status=$? | |
| set -e | |
| if [ ! -s .local/codacy/codacy-analysis.sarif ]; then | |
| echo "Codacy analysis did not produce a SARIF file." >&2 | |
| exit 1 | |
| fi | |
| echo "codacy_status=${codacy_status}" >> "${GITHUB_OUTPUT}" | |
| python3 tests/code_scanning/summarize_findings.py \ | |
| --sarif .local/codacy/codacy-analysis.sarif \ | |
| --json-output .local/codacy/codacy-analysis-summary.json \ | |
| --markdown-output .local/codacy/codacy-analysis-summary.md | |
| cat .local/codacy/codacy-analysis-summary.md >> "${GITHUB_STEP_SUMMARY}" | |
| - name: Upload Codacy SARIF to GitHub code scanning | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: .local/codacy/codacy-analysis.sarif | |
| category: codacy-analysis-cli | |
| - name: Write Codacy tool closeout SARIF | |
| if: ${{ steps.analyze.outputs.codacy_enforce == 'true' && steps.analyze.outputs.codacy_status == '0' }} | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| python3 tests/code_scanning/write_empty_codacy_sarif.py \ | |
| .local/codacy/codacy-tool-closeout.sarif | |
| - name: Upload Codacy tool closeout SARIF | |
| if: ${{ steps.analyze.outputs.codacy_enforce == 'true' && steps.analyze.outputs.codacy_status == '0' }} | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: .local/codacy/codacy-tool-closeout.sarif | |
| category: codacy-analysis-cli | |
| - name: Export Codacy cloud issues when token is available | |
| shell: bash | |
| env: | |
| CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }} | |
| run: | | |
| set -euo pipefail | |
| if [ -z "${CODACY_API_TOKEN:-}" ]; then | |
| { | |
| echo | |
| echo "## Codacy cloud export" | |
| echo | |
| echo "Skipped: \`CODACY_API_TOKEN\` secret is not configured." | |
| } >> "${GITHUB_STEP_SUMMARY}" | |
| exit 0 | |
| fi | |
| python3 tests/code_scanning/export_codacy_issues.py \ | |
| --source api \ | |
| --provider gh \ | |
| --organization netdata \ | |
| --repository systemd-journal-sdk \ | |
| --branch master \ | |
| --output-dir .local/codacy | |
| python3 tests/code_scanning/summarize_findings.py \ | |
| --codacy-issues .local/codacy/codacy-issues.json \ | |
| --json-output .local/codacy/codacy-cloud-summary.json \ | |
| --markdown-output .local/codacy/codacy-cloud-summary.md | |
| cat .local/codacy/codacy-cloud-summary.md >> "${GITHUB_STEP_SUMMARY}" | |
| - name: Fail on Codacy analysis findings | |
| if: ${{ steps.analyze.outputs.codacy_enforce == 'true' && steps.analyze.outputs.codacy_status != '0' }} | |
| shell: bash | |
| env: | |
| CODACY_STATUS: ${{ steps.analyze.outputs.codacy_status }} | |
| run: | | |
| echo "Codacy Analysis CLI reported findings or failed with exit ${CODACY_STATUS} after producing SARIF. The SARIF has been uploaded to GitHub code scanning." >&2 | |
| exit 1 |