Improve GitHub Actions behavior for external PRs (#19)

* move Coveralls to conditional job based on secret availability ** also discovered Coveralls Github Action doesn't work with Java ☹️ * add preconditional secret check job for Sonar * GitHub Actions conditional flow is a lot of work: github/docs#6861 actions/runner#520 actions/runner#953 actions/runner#1138
chabala · Feb 11, 2023 · 602cc81 · 602cc81
1 parent aa8cd90
commit 602cc81
Showing 1 changed file with 53 additions and 3 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -23,17 +23,67 @@ jobs:
 
       - name: 'Build'
         run: |
-          mvn -V --batch-mode verify jacoco:report coveralls:report \
-          -DrepoToken=${{ secrets.COVERALLS_TOKEN }} -DpullRequest=${{ github.event.number }}
+          mvn -V --batch-mode verify jacoco:report
 
       - name: 'Upload directory to pass to next job'
         uses: actions/upload-artifact@v3
         with:
           name: build
           path: .
-  sonar:
+  coveralls-pre-check:
+    needs: build
+    runs-on: ubuntu-latest
+    outputs:
+      HAVE_REPO_TOKEN: ${{ steps.step1.outputs.HAVE_REPO_TOKEN }}
+    steps:
+      - id: step1
+        name: 'Check secret access for fast fail'
+        run: |
+          echo "HAVE_REPO_TOKEN=$HAVE_REPO_TOKEN" >> $GITHUB_OUTPUT
+          echo "HAVE_REPO_TOKEN=$HAVE_REPO_TOKEN" >> $GITHUB_STEP_SUMMARY
+        env:
+          HAVE_REPO_TOKEN: ${{ secrets.COVERALLS_TOKEN != '' }}
+  coveralls:
+    needs: coveralls-pre-check
+    if: needs.coveralls-pre-check.outputs.HAVE_REPO_TOKEN == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Restore directory from build'
+        uses: actions/download-artifact@v3
+        with:
+          name: build
+          path: .
+
+      - name: 'Set up Java 8'
+        uses: actions/setup-java@v3
+        with:
+          distribution: 'zulu'
+          java-version: 8
+          cache: 'maven'
+
+      - name: 'Coveralls report'
+        run: |
+          mvn -V --batch-mode coveralls:report \
+          -DrepoToken=$REPO_TOKEN -DpullRequest=${{ github.event.number }}
+        env:
+          REPO_TOKEN: ${{ secrets.COVERALLS_TOKEN }}
+  sonar-pre-check:
     needs: build
     runs-on: ubuntu-latest
+    outputs:
+      HAVE_SONAR_TOKEN: ${{ steps.step1.outputs.HAVE_SONAR_TOKEN }}
+    steps:
+      - id: step1
+        name: 'Check secret access for fast fail'
+        run: |
+          echo "HAVE_SONAR_TOKEN=$HAVE_SONAR_TOKEN" >> $GITHUB_OUTPUT
+          echo "HAVE_SONAR_TOKEN=$HAVE_SONAR_TOKEN" >> $GITHUB_STEP_SUMMARY
+        env:
+          HAVE_SONAR_TOKEN: ${{ secrets.SONAR_TOKEN != '' }}
+  sonar:
+    needs: sonar-pre-check
+    if: needs.sonar-pre-check.outputs.HAVE_SONAR_TOKEN == 'true'
+    runs-on: ubuntu-latest
     steps:
       - name: 'Restore directory from build'
         uses: actions/download-artifact@v3