Run AppGateway tests in app-gateway workflow, split SonarCloud tests per slnf, and drop leftover SonarScanner steps from account and main workflows

tjementum · tjementum · commit af156d182cbe · 2026-05-15T22:21:16.000+02:00
diff --git a/.github/workflows/_deploy-container.yml b/.github/workflows/_deploy-container.yml
@@ -38,6 +38,10 @@ on:
         required: true
         type: string
 
+concurrency:
+  group: ${{ inputs.image_name }}-${{ inputs.azure_environment }}-deploy
+  cancel-in-progress: false
+
 jobs:
   deploy:
     name: Deploy
diff --git a/.github/workflows/_deploy-infrastructure.yml b/.github/workflows/_deploy-infrastructure.yml
@@ -49,6 +49,10 @@ on:
         type: string
         default: "-"
 
+concurrency:
+  group: ${{ inputs.unique_prefix }}-${{ inputs.azure_environment }}-infrastructure
+  cancel-in-progress: false
+
 jobs:
   plan:
     name: Plan
@@ -67,6 +71,7 @@ jobs:
             should_deploy="false"
           fi
           echo "should_deploy=$should_deploy" >> $GITHUB_OUTPUT
+
       - name: Checkout Code
         uses: actions/checkout@v6
 
diff --git a/.github/workflows/_migrate-database.yml b/.github/workflows/_migrate-database.yml
@@ -106,7 +106,7 @@ jobs:
         run: |
           ENTRA_USER=$(az postgres flexible-server microsoft-entra-admin list --resource-group ${{ env.CLUSTER_RESOURCE_GROUP_NAME }} --server-name ${{ env.POSTGRES_SERVER_NAME }} --query "[0].principalName" --output tsv)
           CONNECTION_STRING="Host=${{ env.POSTGRES_HOST }};Database=${{ inputs.database_name }};Username=$ENTRA_USER;Password=$(az account get-access-token --resource-type oss-rdbms --query accessToken --output tsv);Ssl Mode=VerifyFull;"
-          
+
           echo "Checking for pending migrations..."
           MIGRATION_INFO=$(dotnet ef migrations list \
             --project ${{ inputs.relative_project_path }} \
@@ -115,12 +115,12 @@ jobs:
             --connection "$CONNECTION_STRING" \
             --no-build \
             --json)
-          
+
           MIGRATION_JSON=$(echo "$MIGRATION_INFO" | sed -n '/^[{[]/,$p')
           PENDING_MIGRATIONS_JSON=$(echo "$MIGRATION_JSON" | jq '[.[] | select(.applied == false)]')
           PENDING_MIGRATIONS_COUNT=$(echo "$PENDING_MIGRATIONS_JSON" | jq '. | length')
           LAST_APPLIED_MIGRATION=$(echo "$MIGRATION_JSON" | jq -r '[.[] | select(.applied == true) | .id] | sort | last // "0"')
-          
+
           if [ "$PENDING_MIGRATIONS_COUNT" -gt "0" ]; then
             LAST_PENDING_MIGRATION=$(echo "$PENDING_MIGRATIONS_JSON" | jq -r '.[-1].id')
             echo "$PENDING_MIGRATIONS_COUNT pending migration(s) detected:"
@@ -135,13 +135,13 @@ jobs:
               --idempotent \
               --no-build \
               --output migration.sql
-            
+
             echo "has_migrations_to_apply=true" >> $GITHUB_OUTPUT
-            
+
             echo "migration_script<<EOF" >> $GITHUB_OUTPUT
             cat migration.sql >> $GITHUB_OUTPUT
             echo "EOF" >> $GITHUB_OUTPUT
-            
+
             echo "migration_json<<EOF" >> $GITHUB_OUTPUT
             echo "$PENDING_MIGRATIONS_JSON" >> $GITHUB_OUTPUT
             echo "EOF" >> $GITHUB_OUTPUT
@@ -178,22 +178,22 @@ jobs:
         with:
           script: |
             const migrationJson = JSON.parse(process.env.MIGRATION_JSON);
-            
+
             const migrationsList = migrationJson.map(m => `- ${m.name} (${m.id})`).join('\n');
-            
+
             const migrationInfo = `## Approve Database Migration \`${{ inputs.database_name }}\` database on \`${{ inputs.azure_environment }}\`
-            
+
             The following pending migration(s) will be applied to the database when approved:
             ${migrationsList}
-            
+
             ### Migration Script
             \`\`\`sql
             ${process.env.MIGRATION_SCRIPT}
             \`\`\`
             `;
-            
+
             console.log(migrationInfo);
-            
+
             core.setOutput('markdown', migrationInfo);
 
       - name: Add Migration Information to Pull Request
diff --git a/.github/workflows/account.yml b/.github/workflows/account.yml
@@ -12,7 +12,6 @@ on:
       - ".github/workflows/account.yml"
       - ".github/workflows/_deploy-container.yml"
       - ".github/workflows/_migrate-database.yml"
-      - ".github/workflows/_preview-migrations.yml"
       - "!**.md"
   pull_request:
     paths:
@@ -23,7 +22,6 @@ on:
       - ".github/workflows/account.yml"
       - ".github/workflows/_deploy-container.yml"
       - ".github/workflows/_migrate-database.yml"
-      - ".github/workflows/_preview-migrations.yml"
       - "!**.md"
   workflow_dispatch:
 
@@ -93,32 +91,15 @@ jobs:
           # Generate a 512-bit key and set it as a user secret that can be use for token signing when running tests
           dotnet user-secrets set "authentication-token-signing-key" "$(openssl rand -base64 64)" --id $USER_SECRETS_ID
 
-      - name: Setup Java JDK for SonarScanner
-        uses: actions/setup-java@v5
-        with:
-          distribution: "microsoft"
-          java-version: "17"
-
       - name: Build Email Templates
         working-directory: application
         run: npx turbo run build --filter=@repo/emails
 
-      - name: Run Tests with SonarScanner Analysis
+      - name: Run Tests
         working-directory: application
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         run: |
-          if [[ "${{ vars.SONAR_PROJECT_KEY }}" == "" ]] || [[ "${{ vars.SONAR_ORGANIZATION }}" == "" ]] || [[ "${{ secrets.SONAR_TOKEN }}" == "" ]]; then
-            echo "SonarCloud is not enabled. Skipping SonarCloud analysis."
-            dotnet build account/Account.slnf --no-restore /p:Version=${{ steps.generate_version.outputs.version }} /p:DeploymentCommitHash=${{ github.event.pull_request.head.sha || github.sha }} /p:DeploymentGithubActionId=${{ github.run_id }} &&
-            dotnet test account/Account.slnf --no-build
-          else
-            dotnet sonarscanner begin /k:"${{ vars.SONAR_PROJECT_KEY }}" /o:"${{ vars.SONAR_ORGANIZATION }}" /d:sonar.host.url="https://sonarcloud.io" &&
-            dotnet build account/Account.slnf --no-restore /p:Version=${{ steps.generate_version.outputs.version }} /p:DeploymentCommitHash=${{ github.event.pull_request.head.sha || github.sha }} /p:DeploymentGithubActionId=${{ github.run_id }} &&
-            dotnet test account/Account.slnf --no-build &&
-            dotnet sonarscanner end
-          fi
+          dotnet build account/Account.slnf --no-restore /p:Version=${{ steps.generate_version.outputs.version }} /p:DeploymentCommitHash=${{ github.event.pull_request.head.sha || github.sha }} /p:DeploymentGithubActionId=${{ github.run_id }} &&
+          dotnet test account/Account.slnf --no-build
 
       - name: Save Backend Build Artifacts for Migration Plan
         if: ${{ vars.STAGING_CLUSTER_ENABLED == 'true' }}
@@ -149,7 +130,8 @@ jobs:
         if: ${{ steps.determine_deployment.outputs.deploy_staging == 'true' }}
         working-directory: application/account
         run: |
-          dotnet publish ./Api/Account.Api.csproj --no-restore --configuration Release --output ./Api/publish /p:Version=${{ steps.generate_version.outputs.version }} /p:DeploymentCommitHash=${{ github.event.pull_request.head.sha || github.sha }} /p:DeploymentGithubActionId=${{ github.run_id }}
+          dotnet publish ./Api/Account.Api.csproj --configuration Release --no-restore --output ./Api/publish /p:Version=${{ steps.generate_version.outputs.version }} /p:DeploymentCommitHash=${{ github.event.pull_request.head.sha || github.sha }} /p:DeploymentGithubActionId=${{ github.run_id }}
+
       - name: Save API Artifacts
         if: ${{ steps.determine_deployment.outputs.deploy_staging == 'true' }}
         uses: actions/upload-artifact@v7
@@ -161,13 +143,15 @@ jobs:
         if: ${{ steps.determine_deployment.outputs.deploy_staging == 'true' }}
         working-directory: application/account
         run: |
-          dotnet publish ./Workers/Account.Workers.csproj --no-restore --configuration Release --output ./Workers/publish /p:Version=${{ steps.generate_version.outputs.version }} /p:DeploymentCommitHash=${{ github.event.pull_request.head.sha || github.sha }} /p:DeploymentGithubActionId=${{ github.run_id }}
+          dotnet publish ./Workers/Account.Workers.csproj --configuration Release --no-restore --output ./Workers/publish /p:Version=${{ steps.generate_version.outputs.version }} /p:DeploymentCommitHash=${{ github.event.pull_request.head.sha || github.sha }} /p:DeploymentGithubActionId=${{ github.run_id }}
+
       - name: Save Workers Artifacts
         if: ${{ steps.determine_deployment.outputs.deploy_staging == 'true' }}
         uses: actions/upload-artifact@v7
         with:
           name: account-workers
           path: application/account/Workers/publish/**/*
+
   database-migrations-stage:
     name: Database Staging
     if: ${{ vars.STAGING_CLUSTER_ENABLED == 'true' }}
diff --git a/.github/workflows/app-gateway.yml b/.github/workflows/app-gateway.yml
@@ -51,7 +51,7 @@ jobs:
         run: |
           deploy_staging="${{ github.ref == 'refs/heads/main' && vars.STAGING_CLUSTER_ENABLED == 'true' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'Deploy to Staging')) }}"
           echo "deploy_staging=$deploy_staging" >> $GITHUB_OUTPUT
-          
+
           deploy_production="${{ github.ref == 'refs/heads/main' && vars.PRODUCTION_CLUSTER1_ENABLED == 'true' }}"
           echo "deploy_production=$deploy_production" >> $GITHUB_OUTPUT
 
@@ -77,22 +77,40 @@ jobs:
         working-directory: application
         run: dotnet restore
 
+      - name: Generate and Set User Secret for Token Signing Key
+        working-directory: application/shared-kernel/SharedKernel
+        run: |
+          # Extract UserSecretsId from the .csproj file
+          USER_SECRETS_ID=$(grep -oP '(?<=<UserSecretsId>).*?(?=</UserSecretsId>)' SharedKernel.csproj)
+
+          # Generate a 512-bit key and set it as a user secret that can be use for token signing when running tests
+          dotnet user-secrets set "authentication-token-signing-key" "$(openssl rand -base64 64)" --id $USER_SECRETS_ID
+
+      - name: Run Tests
+        working-directory: application
+        run: |
+          dotnet build AppGateway.Tests/AppGateway.Tests.csproj --no-restore &&
+          dotnet test AppGateway.Tests/AppGateway.Tests.csproj --no-build
+
       - name: Build Backend Solution
         if: ${{ steps.determine_deployment.outputs.deploy_staging == 'true' }}
         working-directory: application
         run: |
           dotnet build PlatformPlatform.slnx --no-restore /p:Version=${{ steps.generate_version.outputs.version }} /p:DeploymentCommitHash=${{ github.event.pull_request.head.sha || github.sha }} /p:DeploymentGithubActionId=${{ github.run_id }}
+
       - name: Publish Build
         if: ${{ steps.determine_deployment.outputs.deploy_staging == 'true' }}
         working-directory: application
         run: |
-          dotnet publish ./AppGateway/AppGateway.csproj --no-restore --configuration Release --output ./AppGateway/publish /p:Version=${{ steps.generate_version.outputs.version }} /p:DeploymentCommitHash=${{ github.event.pull_request.head.sha || github.sha }} /p:DeploymentGithubActionId=${{ github.run_id }}
+          dotnet publish ./AppGateway/AppGateway.csproj --configuration Release --no-restore --output ./AppGateway/publish /p:Version=${{ steps.generate_version.outputs.version }} /p:DeploymentCommitHash=${{ github.event.pull_request.head.sha || github.sha }} /p:DeploymentGithubActionId=${{ github.run_id }}
+
       - name: Save Artifacts
         if: ${{ steps.determine_deployment.outputs.deploy_staging == 'true' }}
         uses: actions/upload-artifact@v7
         with:
           name: app-gateway
           path: application/AppGateway/publish/**/*
+
   api-stage:
     name: Staging
     if: ${{ needs.build-and-test.outputs.deploy_staging == 'true' }}
diff --git a/.github/workflows/code-style.yml b/.github/workflows/code-style.yml
@@ -137,6 +137,7 @@ jobs:
       - name: Run Backend Linting
         working-directory: developer-cli
         run: |
+          set -o pipefail
           dotnet run lint --backend ${{ needs.detect-scope.outputs.backend_scope }} --no-build | tee lint-output.log
 
           if ! grep -q "No backend issues found!" lint-output.log; then
@@ -272,7 +273,13 @@ jobs:
             exit 0
           fi
 
+          # Run test assemblies sequentially via per-SCS slnf files. Running `dotnet test
+          # PlatformPlatform.slnx` parallelizes test assemblies across processes, which races on
+          # PortAllocation.Load() (`.workspace/port.txt` half-created between O_CREAT and write).
+          # AppGateway.Tests is covered by app-gateway.yml. SharedKernel.Tests is included in both
+          # slnf files and will run twice; that is acceptable.
           dotnet sonarscanner begin /k:"${{ vars.SONAR_PROJECT_KEY }}" /o:"${{ vars.SONAR_ORGANIZATION }}" /d:sonar.host.url="https://sonarcloud.io" &&
           dotnet build PlatformPlatform.slnx --no-restore &&
-          dotnet test PlatformPlatform.slnx --no-build &&
+          dotnet test account/Account.slnf --no-build &&
+          dotnet test main/Main.slnf --no-build &&
           dotnet sonarscanner end
diff --git a/.github/workflows/developer-cli.yml b/.github/workflows/developer-cli.yml
@@ -51,6 +51,7 @@ jobs:
       - name: Run Code Linting
         working-directory: developer-cli
         run: |
+          set -o pipefail
           dotnet run --no-build -- lint --cli --no-build | tee lint-output.log
 
           if ! grep -q "No developer-cli issues found!" lint-output.log; then
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -12,7 +12,6 @@ on:
       - ".github/workflows/main.yml"
       - ".github/workflows/_deploy-container.yml"
       - ".github/workflows/_migrate-database.yml"
-      - ".github/workflows/_preview-migrations.yml"
       - "!**.md"
   pull_request:
     paths:
@@ -23,7 +22,6 @@ on:
       - ".github/workflows/main.yml"
       - ".github/workflows/_deploy-container.yml"
       - ".github/workflows/_migrate-database.yml"
-      - ".github/workflows/_preview-migrations.yml"
       - "!**.md"
   workflow_dispatch:
 
@@ -89,36 +87,19 @@ jobs:
         run: |
           # Extract UserSecretsId from the .csproj file
           USER_SECRETS_ID=$(grep -oP '(?<=<UserSecretsId>).*?(?=</UserSecretsId>)' SharedKernel.csproj)
-          
+
           # Generate a 512-bit key and set it as a user secret that can be use for token signing when running tests
           dotnet user-secrets set "authentication-token-signing-key" "$(openssl rand -base64 64)" --id $USER_SECRETS_ID
 
-      - name: Setup Java JDK for SonarScanner
-        uses: actions/setup-java@v5
-        with:
-          distribution: "microsoft"
-          java-version: "17"
-
       - name: Build Email Templates
         working-directory: application
         run: npx turbo run build --filter=@repo/emails
 
-      - name: Run Tests with SonarScanner Analysis
+      - name: Run Tests
         working-directory: application
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         run: |
-          if [[ "${{ vars.SONAR_PROJECT_KEY }}" == "" ]] || [[ "${{ vars.SONAR_ORGANIZATION }}" == "" ]] || [[ "${{ secrets.SONAR_TOKEN }}" == "" ]]; then
-            echo "SonarCloud is not enabled. Skipping SonarCloud analysis."
-            dotnet build main/Main.slnf --no-restore /p:Version=${{ steps.generate_version.outputs.version }} /p:DeploymentCommitHash=${{ github.event.pull_request.head.sha || github.sha }} /p:DeploymentGithubActionId=${{ github.run_id }} &&
-            dotnet test main/Main.slnf --no-build
-          else
-            dotnet sonarscanner begin /k:"${{ vars.SONAR_PROJECT_KEY }}" /o:"${{ vars.SONAR_ORGANIZATION }}" /d:sonar.host.url="https://sonarcloud.io" &&
-            dotnet build main/Main.slnf --no-restore /p:Version=${{ steps.generate_version.outputs.version }} /p:DeploymentCommitHash=${{ github.event.pull_request.head.sha || github.sha }} /p:DeploymentGithubActionId=${{ github.run_id }} &&
-            dotnet test main/Main.slnf --no-build &&
-            dotnet sonarscanner end
-          fi
+          dotnet build main/Main.slnf --no-restore /p:Version=${{ steps.generate_version.outputs.version }} /p:DeploymentCommitHash=${{ github.event.pull_request.head.sha || github.sha }} /p:DeploymentGithubActionId=${{ github.run_id }} &&
+          dotnet test main/Main.slnf --no-build
 
       - name: Save Backend Build Artifacts for Migration Plan
         if: ${{ vars.STAGING_CLUSTER_ENABLED == 'true' }}
@@ -144,7 +125,8 @@ jobs:
         if: ${{ steps.determine_deployment.outputs.deploy_staging == 'true' }}
         working-directory: application/main
         run: |
-          dotnet publish ./Api/Main.Api.csproj --no-restore --configuration Release --output ./Api/publish /p:Version=${{ steps.generate_version.outputs.version }} /p:DeploymentCommitHash=${{ github.event.pull_request.head.sha || github.sha }} /p:DeploymentGithubActionId=${{ github.run_id }}
+          dotnet publish ./Api/Main.Api.csproj --configuration Release --no-restore --output ./Api/publish /p:Version=${{ steps.generate_version.outputs.version }} /p:DeploymentCommitHash=${{ github.event.pull_request.head.sha || github.sha }} /p:DeploymentGithubActionId=${{ github.run_id }}
+
       - name: Save API Artifacts
         if: ${{ steps.determine_deployment.outputs.deploy_staging == 'true' }}
         uses: actions/upload-artifact@v7
@@ -156,13 +138,15 @@ jobs:
         if: ${{ steps.determine_deployment.outputs.deploy_staging == 'true' }}
         working-directory: application/main
         run: |
-          dotnet publish ./Workers/Main.Workers.csproj --no-restore --configuration Release --output ./Workers/publish /p:Version=${{ steps.generate_version.outputs.version }} /p:DeploymentCommitHash=${{ github.event.pull_request.head.sha || github.sha }} /p:DeploymentGithubActionId=${{ github.run_id }}
+          dotnet publish ./Workers/Main.Workers.csproj --configuration Release --no-restore --output ./Workers/publish /p:Version=${{ steps.generate_version.outputs.version }} /p:DeploymentCommitHash=${{ github.event.pull_request.head.sha || github.sha }} /p:DeploymentGithubActionId=${{ github.run_id }}
+
       - name: Save Workers Artifacts
         if: ${{ steps.determine_deployment.outputs.deploy_staging == 'true' }}
         uses: actions/upload-artifact@v7
         with:
           name: main-workers
           path: application/main/Workers/publish/**/*
+
   database-migrations-stage:
     name: Database Staging
     if: ${{ vars.STAGING_CLUSTER_ENABLED == 'true' }}
