-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaction.yml
141 lines (132 loc) · 5.72 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
name: "PMD"
description: "Run PMD against changes in a pull request"
inputs:
pmd-version:
description: The version of PMD to use
required: false
default: "7.7.0"
pmd-sha256-digest:
description: The expected SHA-256 digest of the PMD zip file (64 digit hexidecimal value).
required: false
default: "be8bf68f6c1d66984bd9645a93e631b78a1c2f42f5f0f8719082fead67553940"
create-github-annotations:
description: |
Whether to create inline comments on the PR using GH Advanced Security. This is free for open source projects but
requires a license for private repos.
required: false
default: "true"
fail-on-new-issues:
description: |
When set to true this fails the build if the PR introduces more issues than it resolves.
required: false
default: "true"
pmd-ruleset-repo:
description: |
The GitHub repository containing the PMD ruleset.
required: false
default: "Alfresco/pmd-ruleset"
pmd-ruleset-ref-override:
description: |
A git reference (e.g. branch name, tag name or commit id) for the ruleset project. If this is not provided then the
default is the latest tag alphabetically with the name starting with the PMD version (for example this could be a
tag 7.1.0_20240723 if pmd-version is set to 7.1.0) and falling back to the default commit checked out by a clone.
required: false
default: ""
pmd-ruleset-path:
description: |
The path to the PMD ruleset file from the root of the ruleset project. Optionally other paths to local rulesets
can be appended to this separated by commas.
required: false
default: pmd-ruleset.xml
classpath-enable:
description: |
Whether to set the classpath before the scan (used by certain rules - for example MissingOverride). This assumes
the project uses maven.
required: false
default: "true"
classpath-build-command:
description: Command to build the class files so that the classpath can be used.
required: false
default: mvn -ntp test-compile
classpath-directory-list:
description: |
A colon-separated list of directories containing class files. Using wildcards (*) or globstar (**) is
also supported in order to select items at one or many levels deep.
required: false
default: "**/target/classes"
runs:
using: "composite"
steps:
- name: Clone the full history
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Download ruleset
uses: actions/checkout@v4
with:
repository: ${{ inputs.pmd-ruleset-repo }}
path: pmd-ruleset
fetch-depth: 0
- name: Determine ruleset ref to checkout
id: find-ruleset-ref
run: |
cd pmd-ruleset;
if [[ -z "${{ inputs.pmd-ruleset-ref-override }}" ]]; then
echo "No ruleset ref override provided, finding latest tag starting with PMD version: ${{ inputs.pmd-version }}";
ruleset_ref="$(git tag --list --sort=-taggerdate "${{ inputs.pmd-version }}*" | head -1)";
else
echo "Using ruleset ref override: ${{ inputs.pmd-ruleset-ref-override }}";
ruleset_ref=${{ inputs.pmd-ruleset-ref-override }};
fi
if [[ -z "$ruleset_ref" ]]; then
echo "No ruleset ref found, falling back to HEAD.";
ruleset_ref=HEAD;
fi
echo "Checking out ruleset ref: ${ruleset_ref}";
git checkout $ruleset_ref;
shell: bash
- name: Install PMD
run: |
wget --no-verbose https://github.com/pmd/pmd/releases/download/pmd_releases%2F${{ inputs.pmd-version }}/pmd-dist-${{ inputs.pmd-version }}-bin.zip
echo "${{ inputs.pmd-sha256-digest }} pmd-dist-${{ inputs.pmd-version }}-bin.zip" | sha256sum --check
mkdir -p /opt/hostedtoolcache/pmd/${{ inputs.pmd-version }}/x64/
unzip -q pmd-dist-${{ inputs.pmd-version }}-bin.zip -d /opt/hostedtoolcache/pmd/${{ inputs.pmd-version }}/x64/
shell: bash
- name: Run PMD scan against changes
run: |
${{ github.action_path }}/delta-scan.sh \
"pmd-ruleset/${{ inputs.pmd-ruleset-path }}" \
"origin/${{ github.base_ref }}" \
"origin/${{ github.head_ref }}" \
"${{ inputs.create-github-annotations }}" \
"${{ inputs.classpath-enable }}" \
"${{ inputs.classpath-build-command }}" \
"${{ inputs.classpath-directory-list }}"
if: ${{ github.event_name == 'pull_request' }}
shell: bash
env:
PMD_VERSION: ${{ inputs.pmd-version }}
- name: Create a summary of PMD findings
run: |
python ${{ github.action_path }}/create-summary.py \
-o "${{ env.OLD_REPORT_FILE }}" \
-n "${{ env.NEW_REPORT_FILE }}" \
-d "${{ env.FULL_DIFF_FILE }}" \
-t $'PMD differences between ${{ env.BASELINE_REF }} and ${{ env.HEAD_REF }}\n\nNumber of PMD issues in edited files went from ${{ env.OLD_ISSUE_COUNT }} to ${{ env.NEW_ISSUE_COUNT }}'
if: ${{ github.event_name == 'pull_request' }}
shell: bash
- name: Archive PMD summary
uses: actions/upload-artifact@v4
if: ${{ github.event_name == 'pull_request' }}
with:
name: PMD Summary (Human Readable)
path: ${{ env.PMD_SUMMARY_FILE }}
- name: Create GitHub annotations
uses: github/codeql-action/upload-sarif@v3
if: ${{ github.event_name == 'pull_request' && inputs.create-github-annotations == 'true' }}
with:
sarif_file: ${{ env.SARIF_REPORT_FILE }}
- name: Determine whether to fail the build due to violations.
run: ${{ github.action_path }}/evaluate-status.sh "${{ env.OLD_ISSUE_COUNT }}" "${{ env.NEW_ISSUE_COUNT }}" "${{ inputs.fail-on-new-issues }}"
if: ${{ github.event_name == 'pull_request' }}
shell: bash