Skip to content

Prepare v0.7.5 release #186

Prepare v0.7.5 release

Prepare v0.7.5 release #186

Workflow file for this run

name: Codacy SARIF
on:
push:
branches:
- master
pull_request:
branches:
- master
schedule:
- cron: "17 3 * * 1"
workflow_dispatch:
permissions:
actions: read
contents: read
security-events: write
env:
CODACY_ANALYSIS_CLI_VERSION: "0.9.0"
CODACY_CLOUD_CLI_VERSION: "1.2.0"
NPM_CONFIG_REGISTRY: "https://registry.npmjs.org"
jobs:
codacy-sarif:
name: Generate and upload Codacy SARIF
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: "26"
- name: Generate Codacy SARIF
id: analyze
shell: bash
env:
CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }}
run: |
set -euo pipefail
mkdir -p .local/codacy "${RUNNER_TEMP}/codacy-home" "${RUNNER_TEMP}/npm-cache"
export HOME="${RUNNER_TEMP}/codacy-home"
export npm_config_cache="${RUNNER_TEMP}/npm-cache"
if [ -f .codacy/codacy.config.json ]; then
echo "Using committed Codacy configuration."
echo "codacy_enforce=true" >> "${GITHUB_OUTPUT}"
elif [ -n "${CODACY_API_TOKEN:-}" ]; then
npm exec --yes --package "@codacy/analysis-cli@${CODACY_ANALYSIS_CLI_VERSION}" -- \
codacy-analysis init --remote gh netdata systemd-journal-sdk
echo "codacy_enforce=true" >> "${GITHUB_OUTPUT}"
else
echo "No tuned Codacy configuration is available in this workflow."
echo "Uploading an empty Codacy SARIF closeout for old local default-config alerts."
echo "codacy_enforce=false" >> "${GITHUB_OUTPUT}"
python3 tests/code_scanning/write_empty_codacy_sarif.py \
.local/codacy/codacy-analysis.sarif
echo "codacy_status=0" >> "${GITHUB_OUTPUT}"
{
echo "## Codacy Analysis CLI"
echo
echo "Skipped local default analysis because no tuned Codacy configuration is available."
echo "Uploaded an empty closeout SARIF for stale default-config alerts."
} >> "${GITHUB_STEP_SUMMARY}"
exit 0
fi
set +e
npm exec --yes --package "@codacy/analysis-cli@${CODACY_ANALYSIS_CLI_VERSION}" -- \
codacy-analysis analyze . \
--install-dependencies \
--tool Bandit \
--tool ESLint9 \
--tool flawfinder \
--tool markdownlint \
--tool PyLintPython3 \
--tool shellcheck \
--output-format sarif \
--output .local/codacy/codacy-analysis.sarif \
--parallel-tools 4
codacy_status=$?
set -e
if [ ! -s .local/codacy/codacy-analysis.sarif ]; then
echo "Codacy analysis did not produce a SARIF file." >&2
exit 1
fi
echo "codacy_status=${codacy_status}" >> "${GITHUB_OUTPUT}"
python3 tests/code_scanning/summarize_findings.py \
--sarif .local/codacy/codacy-analysis.sarif \
--json-output .local/codacy/codacy-analysis-summary.json \
--markdown-output .local/codacy/codacy-analysis-summary.md
cat .local/codacy/codacy-analysis-summary.md >> "${GITHUB_STEP_SUMMARY}"
- name: Upload Codacy SARIF to GitHub code scanning
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: .local/codacy/codacy-analysis.sarif
category: codacy-analysis-cli
- name: Write Codacy tool closeout SARIF
if: ${{ steps.analyze.outputs.codacy_enforce == 'true' && steps.analyze.outputs.codacy_status == '0' }}
shell: bash
run: |
set -euo pipefail
python3 tests/code_scanning/write_empty_codacy_sarif.py \
.local/codacy/codacy-tool-closeout.sarif
- name: Upload Codacy tool closeout SARIF
if: ${{ steps.analyze.outputs.codacy_enforce == 'true' && steps.analyze.outputs.codacy_status == '0' }}
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: .local/codacy/codacy-tool-closeout.sarif
category: codacy-analysis-cli
- name: Export Codacy cloud issues when token is available
shell: bash
env:
CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }}
run: |
set -euo pipefail
if [ -z "${CODACY_API_TOKEN:-}" ]; then
{
echo
echo "## Codacy cloud export"
echo
echo "Skipped: \`CODACY_API_TOKEN\` secret is not configured."
} >> "${GITHUB_STEP_SUMMARY}"
exit 0
fi
python3 tests/code_scanning/export_codacy_issues.py \
--source api \
--provider gh \
--organization netdata \
--repository systemd-journal-sdk \
--branch master \
--output-dir .local/codacy
python3 tests/code_scanning/summarize_findings.py \
--codacy-issues .local/codacy/codacy-issues.json \
--json-output .local/codacy/codacy-cloud-summary.json \
--markdown-output .local/codacy/codacy-cloud-summary.md
cat .local/codacy/codacy-cloud-summary.md >> "${GITHUB_STEP_SUMMARY}"
- name: Fail on Codacy analysis findings
if: ${{ steps.analyze.outputs.codacy_enforce == 'true' && steps.analyze.outputs.codacy_status != '0' }}
shell: bash
env:
CODACY_STATUS: ${{ steps.analyze.outputs.codacy_status }}
run: |
echo "Codacy Analysis CLI reported findings or failed with exit ${CODACY_STATUS} after producing SARIF. The SARIF has been uploaded to GitHub code scanning." >&2
exit 1